You need to patch your Samba installation as soon as possible
23.11.2017 securityaffairs Vulnerebility
The major Linux distributions rolled out security fixes for a use-after-free error, tracked as CVE-2017-14746, affecting all versions of SAMBA since 4.0.
The major Linux distributions (Red Hat, Ubuntu, Debian and others) rolled out security patches for a use-after-free error, tracked as CVE-2017-14746, affecting all versions of SAMBA since 4.0.
Administrations have to apply the fixes to their distributions, another possibility consists in turning off SAMBA 1, and operation that could hide some difficulties.
According to the project’s advisory, an attacker can use a malicious SMB1 request to control the contents of heap memory via a deallocated heap pointer.
“All versions of Samba from 4.0.0 onwards are vulnerable to a use after free vulnerability, where a malicious SMB1 request can be used to control the contents of heap memory via a deallocated heap pointer. It is possible this may be used to compromise the server.” reads the advisory.
The patch to fix the issue is available at the following URL:
The versions 4.7.3, 4.6.11 and 4.5.15 have been issued to address the vulnerability.
The maintainers of the project have also issued patches for older versions at:
The advisory includes also a workaround, it consists in preventing SMB1 access to the server by setting the parameter:
server min protocol = SMB2
to the [global] section of your smb.conf and restart smbd.
Unfortunately, the advisory warns of problems, older clients to be unable to connect to the server.
Administrators running vulnerable versions are advised to apply the patch as soon as possible.
There is also another flaw, tracked as CVE-2017-15275, that affects all the versions from 3.6.0 onwards that has been fixed by Samba.
According to the advisory, the server may return the contents of heap allocated memory to the client revealing “password hashes or other high-value data”.
“There is no known vulnerability associated with this error, but uncleared heap memory may contain previously used data that may help an attacker compromise the server via other methods. Uncleared heap memory may potentially contain password hashes or other high-value data.” reads the advisory.
Patched versions have been made available here.
Intel potvrzuje: v Management Engine jsou vážné bezpečnostní díry
23.11.2017 Root.cz Zranitelnosti
Intel potvrdil, že bezpečnostní audit provedený na jeho procesorech odhalil vážné bezpečnostní hrozby. Ty mohou vést až ke spuštění cizího nepodepsaného kódu hluboko v procesoru, kde na něj operační systém nevidí.
Když pánové Maxim Goryachy a Mark Ermolov ze společnosti Positive Technologies oznámili, že na prosincové konferenci Black Hat odhalí bezpečnostní slabiny v procesorech Intel, nechal jejich výrobce udělat velký audit technologií Intel Management Engine (ME), Intel Trusted Execution Engine (TXE) a Intel Server Platform Services (SPS).
Výsledkem je objevení většího množství bezpečnostních chyb uvnitř firmware, který běží na novějších procesorech. V těch je hluboko (ring –3) ukrytý operační systém MINIX, který provádí spoustu činností a dovoluje počítač spravovat na dálku. Goryachy a Ermolov tvrdí, že jimi objevené chyby dokáží ovládnout počítač i ve vypnutém stavu.
Problém přitom postihuje poměrně širokou škálu procesorů, konkrétně těch s firmwarem ME verzí 11.0, 11.5, 11.6, 11.7, 11.10 a 11.20, firmware SPS verze 4.0 a TXE verze 3.0. Verze jednotlivých komponent je obvykle možné najít v BIOS/UEFI, kde pravděpodobně najdete jen jednu z těchto technologií.
ME je možné najít na klientských stanicích a levných serverech bez samostatného řídicího rozhraní (IPMI). SPS je pak přítomno ve velkých serverech s tímto rozhraním a TXE je určeno především pro tablety a zařízení s nízkým příkonem.
Nebezpečné rozhraní je možné najít na následujících procesorech:
6th, 7th & 8th Generation Intel® Core™ Processor Family
Intel® Xeon® Processor E3–1200 v5 & v6 Product Family
Intel® Xeon® Processor Scalable Family
Intel® Xeon® Processor W Family
Intel® Atom® C3000 Processor Family
Apollo Lake Intel® Atom Processor E3900 series
Apollo Lake Intel® Pentium™
Celeron™ N and J series Processors
Podle Intelu je možné chyby zneužít k lokálnímu napadení počítače a spuštění libovolného kódu mimo dosah uživatele a operačního systému. Je také možné zhoršit stabilitu počítače nebo způsobit pád operačního systému.
Intel vydal testovací utilitu pro Linux a Windows, která prozkoumá váš hardware a software a pomůže vám odhalit bezpečnostní problémy v konkrétním počítači.
Výrobci už začali vydávat aktualizace firmware : Dell Client, Dell Server, Intel® NUC, Intel® Compute Stick a Intel® Compute (stránka podpory Intel), Lenovo. Oprava spočívá v aktualizaci BIOS/UEFI, který se při startu postará o nahrání opraveného firmware do procesoru.
Více informací zatím k dispozici není, podle Intelu jde o proaktivní řešení, které má za cíl významně zlepšit bezpečnost. Detaily budeme pravděpodobně znát až po konferenci Black Hat, zatím jen víme, že je ohroženo poměrně velké množství počítačů nejrůznějších typů a určení, protože v nich běží proecsory Intel.
Thoughts on the latest Intel ME vulnerabilities: based on public information, we have no real idea how serious this is yet. It could be fairly harmless, it could be a giant deal.
11:01 PM - Nov 20, 2017
7 7 Replies 158 158 Retweets 201 201 likes
Twitter Ads info and privacy
Dobrou zprávou je, že podle dostupných informací je ke zneužití chyb potřeba mít fyzický přístup k počítači. Intel ale poznamenává, že teoreticky může přijít nový vektor útoku, který dovolí zaútočit s administrátorskými právy v operačním systému. Vzhledem k tomu, že některé zde zmíněné problémy dovolují si práva navýšit, je možné, že bude stačit běžný uživatelský účet, ze kterého pak povede cesta dál.
Remotely Exploitable Flaw Found In HP Enterprise Printers—Patch Now
23.11.2017 thehackernews Vulnerebility
Security researchers have discovered a potentially dangerous vulnerability in the firmware of various Hewlett Packard (HP) enterprise printer models that could be abused by attackers to run arbitrary code on affected printer models remotely.
The vulnerability (CVE-2017-2750), rated as high in severity with 8.1 CVSS scale, is due to insufficiently validating parts of Dynamic Link Libraries (DLL) that allows for the potential execution of arbitrary code remotely on affected 54 printer models.
The security flaw affects 54 printer models ranging from HP LaserJet Enterprise, LaserJet Managed, PageWide Enterprise and OfficeJet Enterprise printers.
This remote code execution (RCE) vulnerability was discovered by researchers at FoxGlove Security when they were analyzing the security of HP's MFP-586 printer (currently sold for $2,000) and HP LaserJet Enterprise M553 printers (sold for $500).
According to a technical write-up posted by FoxGlove on Monday, researchers were able to execute code on affected printers by reverse engineering files with the ".BDL" extension used in both HP Solutions and firmware updates.
"This (.BDL) is a proprietary binary format with no publicly available documentation," researchers said. "We decided that reverse engineering this file format would be beneficial, as it would allow us to gain insight into exactly what firmware updates and software solutions are composed of."
Since HP has implemented the signature validation mechanism to prevent tampering with the system, the researchers failed to upload a malicious firmware to the affected printer.
However, after some testing researchers said that "it may be possible to manipulate the numbers read into int32_2 and int32_3 in such a way that the portion of the DLL file having its signature verified could be separated from the actual executable code that would run on the printer."
The researchers were able to bypass digital signature validation mechanism for HP software "Solution" package and managed to add a malicious DLL payload and execute arbitrary code.
FoxGlove Security has made the source code of the tools used during its research available on GitHub, along with the proof-of-concept (PoC) malware payload that could be remotely installed on the printers.
The actions performed by their proof of concept malware are as follows:
It downloads a file from http[://]nationalinsuranceprograms[.]com/blar
Executes the command specified in the file on the printer
Waits for 5 seconds
FoxGlove Security reported this remote code execution vulnerability to HP in August this year, and the vendor fixed the issue with the release of new firmware updates for its business and enterprise printers.
To download the new firmware update, visit the HP website in your web browser, and select Support from the top of the page and select Software & drivers. Now, enter the product name or model number in the search box, then scroll down in the search results to firmware and download the necessary files.
Google gathers Android users’ location data even when location services are disabled
23.11.2017 securityaffairs Android
Google is secretly gathering location data from billions of Android users, the news is disconcerting and once again raise the debate about user’s privacy.
The disconcerting discovery was made by researchers from Quartz.
Big G has been caught collecting location data on every Android device owner in the past 11 months. The worse news is that the Google is gathering location data even when location services are completely disabled.
“Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.” states Quartz.
The experts discovered that Android smartphones have been collecting the addresses of nearby cellular towers, an information that could be used to track the location of mobile devices with the “Cell Tower Triangulation” technique.
When an Android device is within the range of a new cell tower, it gathers the cell tower address and sends this data back to Google when the device is connected via a WiFi network or cellular data network.
A source familiar with the matter said Quartz that the cell tower addresses were being sent to Google after a change in early 2017 to the Firebase Cloud Messaging service.
The Firebase Cloud Messaging service is the component responsible for collecting location data that manages push notifications and messages on the operating system, unfortunately it cannot be disabled.
“Even devices that had been reset to factory default settings and apps, with location services disabled, were observed by Quartz sending nearby cell-tower addresses to Google.” continues Quartz media.
“Devices with a cellular data or WiFi connection appear to send the data to Google each time they come within range of a new cell tower. When Android devices are connected to a WiFi network, they will send the tower addresses to Google even if they don’t have SIM cards installed.”
Quartz contacted Google for a comment and a spokesman for the company replied that the location-sharing practice was implemented to improve its service.
“We began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery.” said Google spokesperson.
“It has pretty concerning implications,” explained Bill Budington, a software engineer at the Electronic Frontier Foundation. “You can kind of envision any number of circumstances where that could be extremely sensitive information that puts a person at risk.”
According to the experts there is no doubt, the fact that the Google Android system is collecting location data is a complete violation of user’s privacy.
Why Google collects data from Android devices when all location services are disabled?
“We use various technologies to determine location, including IP address, GPS, and other sensors that may, for example, provide Google with information on nearby devices, Wi-Fi access points, and cell towers.”
Google declared that never used or stored this location data it collected and that it is now taking steps to end this practice.
According to Google, Android phones will no longer collect location data by the end of this month.
Many vendors will release fixes for flaws in the Intel Management Engine
23.11.2017 securityaffairs Vulnerebility
Almost any PC vendor announced the imminent release of fixes for the flaws in Intel Management Engine, but many of them will be available only in 2018.
Intel has started to issue security updated to fix multiple flaws in Intel’s CPUs, unfortunately many of them will not be available to the end-users until 2018.
The tech giant has fixed multiple vulnerabilities in Intel’s Management Engine, Server Platform Services, and Trusted Execution Engine.
An attacker can exploit the vulnerabilities to remotely access the vulnerable machine and perform in a stealth way malicious activities, including to deliver a malware.
This type of flaws is very insidious because any countermeasure implemented at the operating system level is not able to detect malicious operation because Active Management Technology (AMT) has direct access to the computer’s network hardware. Malicious traffic is routed directly to the Management Engine and passed on to AMT, but the local OS never sees it.
The flaws were first found by the experts at the security firm Positive Technologies that published a detailed analysis of the attack scenarios.
Almost any PC vendor announced the imminent release of security fixes, but many of them still haven’t distributed them.
Acer announced the future availability of the security updates for 240 models, far more than ten models listed in the Lenovo’s advisory.
Panasonic announced the availability of the fixes for six models by the end of January 2018, while Dell will release the updates between Christmas and February 2nd, 2018, on February 2, in fact, the vendor plans to address the problems for four models.
Fujitsu distributed the patches for Japanese and EMEA customers, there no info related to the release date for clients in the rest of the world.
Good news for HPE customers, the company has already made the fixes available.
The time necessary to release the fixes is not surprising, patch management is a complex and time consuming activity, especially when the updates must be distributed to a large number of machines.
Intel, for example, will not able to fix its NUC, ComputeStick and ComputeCard products, before December 2017.
Other PC makers have not published advice related to the Intel flaws and the availability of security patches.
Consider also the many flawed CPUs were currently used in other appliances, including network attached storage.
Crooks set up a fake Symantec Blog to spread the macOS Proton malware
23.11.2017 securityaffairs Apple
A new strain of the notorious macOS Proton malware is spreading through a blog spoofing the legitimate blog of the security firm Symantec.
The attackers used the same domain registration information of the original site, except for the email address.
The SSL digital certificate for the site is a legitimate certificate issued by Comodo instead of the Symantec’s certificate authority.
The attackers created a the fake blog symantecblog[dot]com that mirrored content from the original website. The experts from Malwarebytes discovered that a post about a new version of CoinThief malware was promoting the application called “Symantec Malware Detector,” that was used to distribute the OSX.Proton.
“The malware is being promoted via a fake Symantec blog site at symantecblog[dot]com. The site is a good imitation of the real Symantec blog, even mirroring the same content. The registration information for the domain appears, on first glance, to be legitimate, using the same name and address as the legitimate Symantec site. The email address used to register the domain is a dead giveaway,” reads the analysis published by Malwarebytes.
Threat actors spread links to the fake blog on Twitter using both fake and legitimate compromised accounts. The Symantec Malware Detector application acts like a dropper.
The malicious Symantec Malware Detector application displays a simple window with the Symantec logo requiring the authorization to perform a system check.If the victim agrees to run the check, the admin password is requested, allowing the malware stealing the password. Next, the app displays a progress bar to trick victims into believing that it is scanning the computer, instead it is installing the Proton malware in the background.
Once installed, the Proton malware gathers user information, such as the admin password and other personally-identifying information (PII). The malicious code saves all data to a hidden file.
“The malware also captures and exfiltrates things like keychain files, browser auto-fill data, 1Password vaults, and GPG passwords. Since the malware has phished the user’s password, the hackers will be able to decrypt the keychain files at a minimum.” continues the analysis.
Once this “dropper” app has been run, the following paths are created on the target system:
The Proton executable is dropped in the .random directory and is kept running by the com.apple.xpcd.plist launch agent. The stolen data is stored in the. cachedir folder.
In order to prevent future infections, Apple has revoked the certificate used to sign the malware.
“Fortunately, Apple is aware of this malware and has revoked the certificate used to sign the malware. This will prevent future infections by the Symantec Malware Detector. Revoking the certificate will not, by itself, do anything to protect a machine that is already infected,” states the report.
Experts believe that the Proton malware will continue to circulate, Macs will continue to be the targets of an increasing amount of malware.
Over 400 Popular Sites Record Your Every Keystroke and Mouse Movement
23.11.2017 thehackernews Hacking
How many times it has happened to you when you look for something online and the next moment you find its advertisement on almost every other web page or social media site you visit?
Web-tracking is not new.
Most of the websites log its users' online activities, but a recent study from Princeton University has suggested that hundreds of sites record your every move online, including your searches, scrolling behavior, keystrokes and every movement.
Researchers from Princeton University's Centre for Information Technology Policy (CITP) analyzed the Alexa top 50,000 websites in the world and found that 482 sites, many of which are high profile, are using a new web-tracking technique to track every move of their users.
Dubbed "Session Replay," the technique is used even by most popular websites, including The Guardian, Reuters, Samsung, Al-Jazeera, VK, Adobe, Microsoft, and WordPress, to record every single movement a visitor does while navigating a web page, and this incredibly extensive data is then sent off to a third party for analysis.
"Session replay scripts" are usually designed to gather data regarding user engagement that can be used by website developers to improve the end-user experience.
However, what's particularly concerning is that these scripts record beyond the information you purposely give to a website—which also includes the text you type out while filing a form and then delete before hitting 'Submit.'
"More and more sites use "session replay" scripts. These scripts record your keystrokes, mouse movements, and scrolling behaviour, along with the entire contents of the pages you visit, and send them to third-party servers," Princeton researcher Steven Englehardt wrote in a blog post under the No Boundaries banner.
"Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third party as part of the recording. This may expose users to identity theft, online scams, and other unwanted behaviour."
Most troubling part is that the information collected by session replay scripts cannot "reasonably be expected to be kept anonymous." Some of the companies that provide session replay software even allow website owners to explicitly link recordings to a user's real identity.
Services Offering Session Replay Could Capture Your Passwords
The researchers looked at some of the leading companies, including FullStory, SessionCam, Clicktale, Smartlook, UserReplay, Hotjar, and Yandex, which offer session replay software services, and found that most of these services directly exclude password input fields from recording.
However, most of the times mobile-friendly login forms that use text inputs to store unmasked passwords are not redacted on the recordings, which ends up revealing your sensitive data, including passwords, credit card numbers, and even credit card security codes.
This data is then shared with a third party for analysis, along with other gathered information.
"We found at least one website where the password entered into a registration form leaked to SessionCam, even if the form is never submitted," the researcher said.
The researchers also shared a video which shows how much detail these session recording scripts can collect on a website's visitor.
World's Top Websites Record Your Every Keystroke
There are a lot of significant firms using session replay scripts even with the best of intentions, but since this data is being collected without the user's knowledge or visual indication to the user, these websites are just downplaying users' privacy.
Also, there is always potential for such data to fall into the wrong hands.
Besides the fact that this practice is happening without people's knowledge, the people in charge of some of the websites also did not even know that the script was implemented, which makes the matter a little scary.
Companies using such software included The Guardian, Reuters, Samsung, Al-Jazeera, VK, Adobe, Microsoft, WordPress, Samsung, CBS News, the Telegraph, Reuters, and US retail giant Home Depot, among many others.
So, if you are logging in one of these websites, you should expect that everything you write, type, or move is being recorded.
Uber in Legal Crosshairs Over Hack Cover-up
23.11.2017 securityweek Hacking
Two US states on Wednesday confirmed they are investigating Uber's cover-up of a hack at the ride-sharing giant that compromised the personal information of 57 million users and drivers.
Uber purportedly paid data thieves $100,000 to destroy the swiped information -- and remained quiet about the breach for a year.
That decision evidently came despite a promise by the firm to "adopt leading data security protection practices" in a settlement with New York attorney general Eric Schneiderman.
Schneiderman and his counterpart in Connecticut, George Jepsen, on Wednesday told AFP that Uber is the target of probes in their states over the hidden hack.
"None of this should have happened, and I will not make excuses for it," Uber chief executive Dara Khosrowshahi, who took over at the company in August, said Tuesday.
Two members of the Uber information security team who "led the response" that included not alerting users about the data breach were let go from the San Francisco-based company effective Tuesday, according to Khosrowshahi.
The Uber chief said he only recently learned that outsiders had broken into a cloud-based server used by the company for data and downloaded a "significant" amount of information.
Stolen files included names, email addresses, and mobile phone numbers for riders, and the names and driver license information of some 600,000 drivers, according to Uber.
Uber paid the hackers $100,000 to destroy the data, not telling riders or drivers whose information was at risk, according to a source familiar with the situation.
Co-founder and ousted chief Travis Kalanick was advised of the breach shortly after it was discovered, but it was not made public until Khosrowshahi learned of the incident, the source confirmed.
In early 2016, Schneiderman announced a settlement with Uber stemming from an investigation into the company's handling and protection of riders' personal information.
The probe was prompted by word of a hack, and by reports that Uber executives were able to track the locations of riders in real-time using a tool known internally as "God View."
The settlement required Uber to better protect rider data, and pay $20,000 for failing to tell drivers about the 2014 data breach in a timely manner.
Experts found a way to exploit HP Enterprise printers to hack into company networks
23.11.2017 securityaffairs Hacking
Researchers at FoxGlove Security have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers.
HP dedicates significant efforts in designing secure printing systems, a recent marketing campaign launched by the firm shows the dangers of vulnerable printers for corporate networks.
HP launched new enterprise LaserJet printers back in 2015 and introduced several security improvements across the time.
Experts from FoxGlove Security tested an HP PageWide Enterprise 586dn multi-functional printer (MFP) and an HP LaserJet Enterprise M553n printer.
HP printers hacking
The team used a hacking tool dubbed PRET (PRinter Exploitation Toolkit) developed by researchers from Ruhr-Universität Bochum in Germany.
At the time, the tool was used by the author to find security vulnerabilities in 20 printer models manufactured by Dell, Brother, Konica, Samsung, HP, OKI, and Lexmark.
The printers were affected by flaws related to common printing languages, PostScript and PJL, used in most laser printers. The flaws are not a novelty, according to the experts, they have existed for decades.
Now experts from FoxGlove used the PRET tool to find a path traversal flaw that allowed them to access the content of any print job, including those jobs protected by a PIN code. The same team found vulnerabilities that can be exploited by attackers to manipulate the content of print jobs and reset devices to factory settings.
In order to find a remote code execution (RCE) the researchers reverse engineered the firmware extracted from the HP printer, bypassing anti-tampering mechanisms implemented by the vendor.
The team analyzed firmware updates and HP Software Solutions discovering they leverages the OXP platform and SDK to extend a printer’s functionality. Both Solutions and firmware updates are delivered as a single bundle (.BDL) file that must be digitally signed.
“PJL is a language that computers will speak with the printer when submitting print jobs. This language has also been extended to have the ability of performing some administrative tasks.” stated the analysis published by the experts.
“One of the capabilities of PJL is very limited management of files on the printer. For example, it is possible to store and delete files, but only in a very specific location, a small “jail” on the filesystem that it should not be possible for a user speaking PJL to escape from:”
The experts failed to upload a malicious firmware to the device due to the signature validation checks, but they devised possible attack vectors.
“A BDL file modified in this way was uploaded to the printer and confirmed working, however no malicious changes to code could be implemented just yet. When we tried to replace any of the DLL files in the ZIP we began getting DLL signature validation errors.” continues the analysis.
The researchers succeeded in cracking signature validation for Solutions files and uploading a malicious DLL and execute arbitrary code.
The experts shared the source code of the tools used during the tests, including the proof-of-concept (PoC) malware the exploited.
The team reported the discovery to HP on August 21 and the tech giant is committed to release a security update this week.
ERPScan Launches AI-Driven SAP Security Platform
22.11.2017 securityweek Cyber
ERPScan, a company that specializes in security solutions for SAP and Oracle enterprise resource planning (ERP) products, announced this week the launch of a new AI-driven cybersecurity platform for SAP systems.
The new product, ERPScan SMART Cybersecurity Platform for SAP, is designed to help organizations prevent, detect, and respond to threats targeting their SAP systems.
The platform’s assessment module allows security teams to identify vulnerabilities, custom code issues, misconfigurations, and segregation of duties (SoD) violations that could introduce risks. The prevention component enables employees to address issues and apply virtual patches.
The SMART Cybersecurity Platform for SAP includes modules for detecting malware and other malicious activity, and helps incident response teams quickly obtain information needed to contain a breach. The product also provides C-level executives and managers a comprehensive view of their organization’s security posture.
According to ERPScan, the platform leverages machine learning, specifically deep learning, to create a baseline for normal user behavior, which it then uses to detect potentially malicious activity carried out by both insiders and external entities.
The new platform combines the functionality of existing ERPScan SAP tools with machine learning and new modules for detection, response and monitoring.
“This solution is a real breakthrough for us,” said Alexander Polyakov, founder and CTO of ERPScan. “We spent the last two years on developing a solution that would be able to not only cover all areas of SAP cybersecurity, but also be intuitive by adding machine learning and adaptive interfaces. Our secret team of data scientists and machine learning experts battled with the experienced Research team and taught the system to detect advanced attacks and anomalous user behavior. Now we are ready to present the new generation of SAP cybersecurity products, and it's so exciting.”
Polyakov told SecurityWeek that the product is currently being tested by some early adopters, and expects it to become generally available in the second half of January 2018.
ERPScan has made significant contributions to improving SAP security, not only through its products, but also by informing the vendor of many vulnerabilities discovered by its researchers.
Apple Patches USB Code Execution Flaw in macOS
22.11.2017 securityweek Apple
One of the vulnerabilities addressed by Apple in its latest set of security patches for macOS is an arbitrary code execution flaw, which could be exploited via malicious USB devices.
Discovered by Trend Micro security researchers and reported to Apple in April this year, the issue resides in fsck_msdos, a system tool designed to check for and fix errors in devices formatted with the FAT filesystem.
The security researchers discovered that because the tool is automatically invoked by macOS when a device using the FAT filesystem (such as a USB disk or an SD card) is inserted, a security bug could allow malicious devices to execute arbitrary code when they are connected to a Mac.
The vulnerability is created by a memory corruption issue and its exploitation could lead to an attacker taking full control of a vulnerable system, Trend Micro says.
“We do not believe that this attack has been used in the wild. We strongly recommend that users update their software to address this flaw, as well as the others that were part of this update cycle,” the security researchers note.
Trend Micro found that malicious code could modify a byte containing the high bits of a memory address with an arbitrary value and set it to point to another address.
“If the target address is sprayed with a malformed dosDirEntry structure, arbitrary code execution is now possible. This can potentially allow an attacker to take over the vulnerable device,” the security researchers note.
Tracked as CVE-2017-13811, the vulnerability was addressed by Apple with the release of macOS High Sierra 10.13.1 (and Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan), which resolved nearly 150 vulnerabilities, including three KRACK-related flaws.
Trend Micro explains that fsck_msdos is used in other BSD-based operating systems, as well as in Android. Because of that, other vendors were also informed of the vulnerability, including Google.
However, it appears that the issue won’t be resolved in Android, because “fsck_msdos runs under a very restricted SELinux domain.” Nevertheless, Google is apparently looking into addressing the bug in a future release of the operating system, the researchers note.
To mitigate the impact of this vulnerability, IT administrators are advised to restrict USB access to devices, especially considering that this is a method frequently used by malware to enter targeted systems. They should also consider physical controls for especially sensitive devices.
'Advanced' Cyber Attack Targets Saudi Arabia
22.11.2017 securityweek BigBrothers
Saudi authorities said Monday they had detected an "advanced" cyber attack targeting the kingdom, in a fresh attempt by hackers to disrupt government computers.
The government's National Cyber Security Centre said the attack involved the use of "Powershell", but it did not comment on the source of the attack or which government bodies were targeted.
"The NCSC has detected a new Advanced Persistent Threat (APT) that is targeting Saudi Arabia," the agency said in a statement, adding the attack sought to infiltrate computers using email phishing techniques.
Saudi Arabia has come under frequent cyber attacks, including "Shamoon", the aggressive disc-wiping malware employed in attacks against the Saudi energy sector in 2012.
Saudi Aramco, the world's biggest oil company, was among the firms hit by Shamoon, in what is believed to be the country's worst cyber attack yet.
US intelligence officials at the time said they suspected a link to the kingdom's regional rival Iran.
Hostingu Czechia od firmy ZONER unikly přihlašovací údaje zákazníků
22.11.2017 Lupa.cz Incidenty
Brněnský hosting Czechia.com, který patří pod firmu ZONER, oznámil únik dat svých zákazníků. Šlo o přihlašovací údaje k e-mailovým schránkám a webhostingovým službám. Jak velké části klientů se problém týkal, firma zatím nezveřejnila. Únik se týká i slovenské hostingovky Slovaknet, která také patří pod ZONER. Případ vyšetřuje policie.
Podle vyjádření firmy únik zřejmě souvisí s pokusem zaměstnance jednoho ze zákazníků o průnik na backend hostingu:
Koncem roku 2013 jsme zjistili podezřelou aktivitu na dedikovaném serveru jednoho z našich zákazníků. Na základě provedené analýzy jsme konstatovali pokus o útok na náš backend zaměstnancem daného zákazníka, ale neměli jsme žádné indicie nebo důkazy o tom, že by se udál závažný bezpečnostní incident a došlo k ukradení jakýchkoliv dat. … V letošním roce jsme zjistili, že bezpečnostní incident související s podezřelou aktivitou na zákaznickém serveru znamenal únik dat (v podobě, která neumožňuje jejich přímé zneužití). Okamžitě jsme Policii ČR podali trestní oznámení a bylo zahájeno vyšetřování. Současně Policie ČR učinila opatření vedoucí k ochraně zcizených dat a zamezila dalšímu přístupu k nim.
V uniklých datech podle firmy nebyly žádné osobní údaje a uniklá hesla byla zahashována algoritmem SHA-1. Podle firmy to znamená, že je nejde jednoduše prolomit, což je ale přinejmenším hodně optimistické tvrzení (o relativní snadnosti prolamování zahashovaných hesel podrobněji čtěte v Jak jsem crackoval hesla z úniku Mall.cz bezpečnostního experta Michala Špačka).
„Nezaznamenali jsme masové pokusy o zneužití uniklých dat,“ tvrdí ZONER. Údaje ze seznamu uniklých dat podle firmy momentálně stále používá asi 7 % zákaznických účtů. Firma podle svých slov dotyčné zákazníky kontaktuje a pomáhá jim údaje změnit.
Firmě jsme poslali řadu doplňujících dotazů, do textu je doplníme, jakmile dostaneme odpovědi.
Uber tajil masivní únik 57 milionů záznamů. Hackerům zaplatil za mlčení
22.11.2017 Živě.cz Incidenty
Bývalý šéf Uberu chtěl ututlat závažný únik dat. Bál se poškození pověsti Uberu a zabezpečení jeho služeb. Nyní se případ provalil. Před rokem hackeři ze serverů Uberu odcizili údaje o 57 milionech zákazníků a o 600 tisících řidičů Uberu.Vnik do databáze byl možný kvůli chybě administrátorů, kteří přístupové údaje omylem zveřejnili na GitHubuBývalé vedení dvěma hackerům zaplatilo 100 tisíc dolarů za mlčenlivost a smazání získaných dat. Nový šéf Uberu Dara Khosrowshahi útok oznámil. Omluvil se a ujistil zákazníky i řidiče, že podle analýz nedošlo k žádnému zneužití uniklých dat.
Společnost Uber, která provozuje stejnojmennou platformu pro sdílení jízd, se stala v roce 2016 terčem kybernetických útočníků. Ze serverů odcizili údaje o 57 milionech zákazníků a o 600 tisících řidičů Uberu. Předchozí výkonný ředitel však celý incident utajil a informace vyplavaly na povrch až nyní. Upozornil na to CNet.
Nový šéf Uberu Dara Khosrowshahi včera vydal prohlášení, ve kterém uvedl, že firma zaznamenala neoprávněný vstup do systému v listopadu 2016. Podle výsledků vyšetřování začaly útoky už o měsíc dříve.
Hackeři za tento čas stihli získat databázi obsahující 57 milionů záznamů o zákaznících, mezi nimiž figurují jména, e-mailové adresy a telefonní čísla. Kromě toho uniklo i 600 tisíc čísel řidičských průkazů patřících řidičům ze Spojených států.
Ostatní informace, jakými jsou například historie polohy, čísla platebních karet a bankovních účtů, data narození či čísla sociálního zabezpečení, prý zločinci nezískali.
Přístupové údaje na GitHubu
Khosrowshahi navíc přiblížil i to, jak k útokům došlo. Podle jeho slov nebyla zneužita žádná bezpečnostní slabina v podnikovém systému, ani v infrastruktuře. Problémem bylo pravděpodobně selhání jednotlivce, který neúmyslně uložil administrátorská data do cloudové služby třetí strany.
Bezpečnostní společnost Sophos byla konkrétnější a na svém webu uvedla , že vývojáři Uberu vložili na GitHub spolu se zdrojovými kódy i přístupové pověření k serverům. Hackeři to zřejmě zjistili, a tak využili příležitosti. Server byl spuštěn v cloudové službě Amazon Web Services (AWS), na kterém se nacházely databáze s osobními údaji.
Útočníci si vydělali
Podobný typ úniku uživatelských dat není v současnosti ničím neobvyklým. Tento se však liší v tom, jak se tehdejší vedení Uberu k bezpečnostnímu incidentu postavilo. Útok se snažilo utajit a dvojici hackerů zaplatili 100 tisíc amerických dolarů za to, že odcizenou databázi odstraní. Firma následně sepsala s útočníky dohodu o utajení a celý incident byl zamaskovaný jako součást programu Bug Bounty (vyplácení odměn za nalezení chyb).
V souvislosti s uvedenou kauzou bylo propuštěno i několik zaměstnanců, kteří na ní měli největší podíl. Konkrétně má jít o ředitele počítačové bezpečnosti, jeho zástupce a právníka.
Uber ujišťuje všechny uživatele a řidičů, že aktuálně neexistuje žádný důkaz o zneužití uniklých dat. Přesto byli řidiči zapojeni do programu, který je má ochránit před úvěrovými podvody a před odcizením identity.
After Getting Hacked, Uber Paid Hackers $100,000 to Keep Data Breach Secret
22.11.2017 thehackernews Incindent
Uber is in headlines once again—this time for concealing last year's data breach that exposed personal data of 57 million customers and drivers.
On Tuesday, Uber announced that the company suffered a massive data breach in October 2016 that exposed names, e-mail addresses and phone numbers of 57 million Uber riders and drivers along with driver license numbers of around 600,000 drivers.
However, instead of disclosing the breach, the company paid $100,000 in ransom to the two hackers who had access to the data in exchange for keeping the incident secret and deleting the information, according to a report published by Bloomberg.
Uber said none of its own systems were breached, rather two individuals outside the company inappropriately accessed and downloaded 57 million Uber riders' and drivers' data that was stored on a third-party cloud-based service.
The cyberattack exposed the names and driver license numbers of some 600,000 drivers in the United States, and the names, emails, and mobile phone numbers of around 57 million Uber users worldwide, which included drivers as well.
However, the company said other personal details, such as trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth, were not accessed in the attack.
Uber Hid 57 Million User Data Breach For Over a Year
According to Bloomberg report, former Uber CEO Travis Kalanick learned of the cyber attack in November 2016, when the company was negotiating with the Federal Trade Commission (FTC) on a privacy settlement.
So, the company chose to pay the two hackers $100,000 to delete the stolen information and keep quiet about the incident and finally agreed to the FTC settlement three months ago, without admitting any wrongdoing.
Uber Technologies Inc. only told the FTC about the October 2016 data incident on Tuesday, when the breach was made public by Bloomberg.
However, this secret payment eventually cost Uber security executives their jobs for handling the incident.
Now Uber CEO Dara Khosrowshahi has reportedly asked for the resignation of Uber Chief Security Officer Joe Sullivan, and one of his deputies, Craig Clark, who worked to keep the attack quiet.
"None of this should have happened, and I will not make excuses for it. While I cannot erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes," Khosrowshahi said.
"We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."
Uber is notifying regulatory authorities and offering affected drivers free credit monitoring and identity theft protection.
The company also says that it is monitoring the affected accounts for fraudulent activity and that riders do not need to take any action against this incident. It's likely that Uber will be forcing its customers to reset their passwords for its app.
ProtonMail Launches Encrypted Contacts Manager
22.11.2017 securityweek Safety
Swiss-based encrypted email services provider ProtonMail announced on Tuesday the launch of a new tool designed to help users securely manage their contacts.
According to the vendor, the new ProtonMail contacts manager has been in development for more than a year and it adds powerful functionality for managing the address book.
What makes ProtonMail Contacts highly secure is the fact that it uses zero-access encryption. This means contact information is encrypted and it can only be decrypted by the user – not even ProtonMail can access the data.
The company says the new encrypted contacts manager is ideal for journalists and other individuals for whom it’s critical that contact information is protected.
ProtonMail noted that the new feature secures phone numbers, physical addresses and other information added by the user, but it does not use zero-access encryption for email addresses as it would break email filtering functionality and it wouldn’t represent a significant privacy improvement considering that the service needs to know the recipient’s email address in order to deliver messages.
On the other hand, the new ProtonMail Contacts tool does provide some protection for email addresses by using digital signatures to verify their integrity. The digital signatures mechanism, which provides a cryptographic guarantee that contact data hasn’t been tampered with, covers all the information stored in the address book, not only email addresses. If the application detects an invalid signature, it displays an error message to alert the user.
“This is a big security benefit for many reasons,” ProtonMail said in a blog post. “For example, if an attacker wanted to intercept the communications between you and a sensitive contact, one way to do it could be to secretly change the email address or phone number you have saved for that contact, such as changing john.smith(at)protonmail.com to john.snnith(at)protonmail.com, which might escape your notice.”
The new contacts manager relies on new private and public key pairs for each account. The private key is generated based on the user’s password and it’s stored on the client side, preventing ProtonMail from gaining access to the encryption key. The same key pair is used both for encrypting contact information and digital signing.
The new contacts manager is currently only available for the web version of ProtonMail, but it will soon be added to the iOS and Android apps as well. Future versions of the tool will also allow users to store keys created for sending PGP-encrypted messages, ProtonMail said.
The source code for ProtonMail’s web client, including the contacts manager, is available on GitHub.
ProtonMail Contacts – ProtonMail launches world’s first encrypted contacts manager
22.11.2017 securityaffairs Safety
ProtonMail launched ProtonMail Contacts, the world’s first contact manager with both zero-access encryption and digital signature verification.
ProtonMail is announcing today the launch of the world’s first encrypted contacts manager that also features digital signature verification. Starting immediately, the new contacts manager is available to all of ProtonMail’s 5 million users around the world.
The development and launch of this feature was driven by the feedback that the company received from many of its users in the investigative journalism space. “Last year, we had the unique opportunity to meet with many of our users in the field at the Second Asian Investigative Journalism Conference in Kathmandu, Nepal, and one message that we heard over and over again was the need for better ways to protect sources,” says ProtonMail co-founder Dr. Andy Yen, “the new encrypted contacts manager today is the result of over one year of research and development into how we can best meet the needs of the thousands of activists, journalists, and dissidents who rely on ProtonMail to protect their privacy.“
In addition to protecting sensitive contact details with zero-access encryption (meaning that ProtonMail itself cannot decrypt the data, and cannot reveal the private contact details to third parties), ProtonMail’s new contact manager also utilizes digital signatures to verify the integrity of contacts data. This provides a cryptographic guarantee that nobody (not even ProtonMail), has tampered with the contacts data.
“Combining encryption with digital signatures provides powerful protection that guarantees not only the privacy, but also the authenticity of the contacts saved in ProtonMail, and reduces the need to trust ProtonMail, as even we cannot access or change this information without your knowledge,” says Dr. Yen. In line with standard company practice, the software behind ProtonMail’s encrypted contacts manager is fully open source.
-> For more details about ProtonMail’s encrypted contacts manager, please refer to our launch blog post here: https://protonmail.com/blog/encrypted-contacts-manager/
-> The link to this press release can be found here: https://protonmail.com/blog/contacts-press-release/
-> ProtonMail’s media kit can be found here: https://protonmail.com/media-kit/
U.S. charges Iranian state-sponsored hacker over ‘Game of Thrones’ HBO hack
22.11.2017 securityaffairs BigBrothers
US Department of Justice charged the Iranian computer expert Behzad Mesri of ‘Games of Thrones’ HBO Hack, he also worked with the Iranian Military.
The United States charged the Iranian computer expert Behzad Mesri of ‘Games of Thrones‘ HBO Hack. On Tuesday, the man was charged with stealing scripts and plot summaries for ‘Games of Thrones’.
The Manhattan US attorney Joon Kim said Mesri is “had previously hacked computer systems for the Iranian military”. The man threatened to release stolen data, unless HBO paid a $6 million ransom in Bitcoin.
“Behzad Mesri, an Iranian national who had previously hacked computer systems for the Iranian military, allegedly infiltrated HBO’s systems, stole proprietary data, including scripts and plot summaries for unaired episodes of Game of Thrones, and then sought to extort HBO of $6 million in Bitcoins.” said U.S. Attorney Joon H. Kim. “Mesri now stands charged with federal crimes, and although not arrested today, he will forever have to look over his shoulder until he is made to face justice. American ingenuity and creativity is to be cultivated and celebrated — not hacked, stolen, and held for ransom. For hackers who test our resolve in protecting our intellectual property — even those hiding behind keyboards in countries far away — eventually, winter will come.”
Behzad Mesri, who is still at large, is an Iran-based hacker who also goes online with the moniker Skote Vahshat.
Mesri faces seven counts in the United States, including wire fraud, aggravated identity theft and four counts of computer fraud.
The DoJ accused the man of being the mastermind behind the cyber attacks against HBO from May to August, he stole scripts and plot summaries for then unaired episodes of the “Game of Thrones” series, and multiple other shows.
Mersi compromised multiple user accounts belonging to HBO employees and other authorized users, in this way he accessed the company servers and stole confidential and proprietary information.
“Over the course of several months, MESRI used that unauthorized access to steal confidential and proprietary information belonging to HBO, which he then exfiltrated to servers under his control.” states the press release published by the US Department of Justice.
“Through the course of the intrusions into HBO’s systems, MESRI was responsible for stealing confidential and proprietary data belonging to HBO, including, but not limited to: (a) confidential video files containing unaired episodes of original HBO television programs, including episodes of “Barry,” “Ballers,” “Curb Your Enthusiasm,” “Room 104,” and “The Deuce;” (b) scripts and plot summaries for unaired programming, including but not limited to episodes of “Game of Thrones;”(c) confidential cast and crew contact lists; (d) emails belonging to at least one HBO employee; (e) financial documents; and (f) online credentials for HBO social media accounts (collectively, the “Stolen Data”).”
According to the US prosecutors, Mesri previously conducted computer attacks on behalf of the Iranian military that targeted nuclear software systems and Israeli infrastructure.
Prosecutors confirmed that the Iranian man was a member of the Iranian-based Turk Black Hat Security hacking group that targeted hundreds of websites in the United States and around the world.
“MESRI is an Iran-based computer hacker who had previously worked on behalf of the Iranian military to conduct computer network attacks that targeted military systems, nuclear software systems, and Israeli infrastructure.” continues the DoJ.
“At certain times, MESRI has been a member of an Iran-based hacking group called the Turk Black Hat security team and, as a member of that group, conducted hundreds of website defacements using the online hacker pseudonym “Skote Vahshat” against websites in the United States and elsewhere.”
More Industrial Products at Risk of KRACK Attacks
22.11.2017 securityweek Attack
An increasing number of vendors have warned customers over the past weeks that their industrial networking products are vulnerable to the recently disclosed Wi-Fi attack method known as KRACK.
The KRACK (Key Reinstallation Attack) flaws affect the WPA and WPA2 protocols and they allow a hacker within range of the targeted device to launch a man-in-the-middle (MitM) attack and decrypt or inject data. A total of ten CVE identifiers have been assigned to these security bugs.
The vulnerabilities impact many products, including devices designed for use in industrial environments. The first industrial solutions providers to warn customers about the KRACK attack were Cisco, Rockwell Automation and Sierra Wireless.
Cisco said the flaws affect some industrial routers and access points, for which the company has released updates. Rockwell and Sierra Wireless have also identified impacted products and provided patches and mitigations.KRACK affects industrial products
Other industrial solutions providers have come forward in the past weeks to admit that their products are affected.
Siemens said the KRACK vulnerabilities affect some of its SCALANCE, SIMATIC, RUGGEDCOM, and SINAMICS products. The company is working on releasing updates that will address the security holes and, in the meantime, it has provided some mitigations.
Swiss-based ABB informed customers that TropOS broadband mesh routers and bridges running Mesh OS 8.5.2 or prior are also vulnerable to KRACK attacks. ABB has yet to release patches, but it did provide workarounds and mitigations.
German industrial automation firm Phoenix Contact also confirmed that three of the KRACK flaws affect some of its BL2, FL, ITC, RAD, TPC and VMT products. The company said the impact is limited for some of its products, and pointed out that in many cases the attacker would have to be inside the plant in order to conduct an attack.
Phoenix is working on patching the vulnerabilities in affected products. The vendor has advised customers using devices running Windows to install the security updates provided by Microsoft.
Lantronix informed customers that several of its wireless connectivity solutions are impacted by KRACK, including PremierWave ethernet-to-WiFi gateways, WiPort wireless ethernet bridges, MatchPort programmable embedded device servers, xPico embedded IoT WiFi modules, SGX IoT device gateways, and WiBox wireless device servers.
The company has released a patch for PremierWave 2050. For the other products, fixes are expected to become available by the end of the year.
Some Johnson Controls products may also be vulnerable to KRACK attacks. The company’s product security and incident response team (PSIRT) is currently assessing the impact of these flaws.
Kaspersky Lab’s ICS-CERT team pointed out that while KRACK attacks can be launched against industrial control systems (ICS) -- for example, some PLCs use Wi-Fi for remote management -- the biggest risk is to network communication devices, smartphones and tablets used by engineers and operators for remote access to ICS.
“In most cases KRACK attacks present virtually no risk to those large industrial and critical infrastructure systems that do not use 802.11 technologies. Today, such systems constitute an absolute majority,” explained Ekaterina Rudina, senior system analyst in Kaspersky’s ICS-CERT team. “Even in cases where these technologies may be used, physical restrictions on access to the controlled zone (e.g., a specific manufacturing unit) would prevent an attack from being carried out.”
“The main risk zone still encompasses those industrial sectors the security of which is given a lower priority than that of critical infrastructure systems and where using wireless technologies to upgrade systems or meet industrial network maintenance needs has become necessary but where compliance with the ‘best practices’ supported by major vendors is not possible because the changes required are too complicated or too costly,” Rudina added.
Unbelievable: Uber concealed data breach that exposed 57 Million records in 2016
22.11.2017 securityaffairs Incindent
Unbelievable: Uber concealed data breach that exposed 57 Million records in 2016 and paid hackers to delete stolen records.
Uber CEO Dara Khosrowshahi announced on Tuesday that hackers broke into the company database and accessed the personal data of 57 million of its users, the bad news is that the company covered up the hack for more than a year.
The attackers accessed also the names and driver’s license numbers of roughly 600,000 of its drivers in the United States.
The hack happened in 2016, it was easy for hackers that according to a report published by Bloomberg, obtained credentials from a private GitHub site used by the Uber development team. The hackers tried to blackmail Uber and demanded $100,000 from the company in exchange for avoiding publish the stolen data.
“Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.” states Bloomberg.
In a statement on Tuesday, Khosrowshahi said the intruders accessed cloud-hosted data stores:
“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.
At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.” reads a CEO’s statement.
“You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.”
The situation is more unbelievable, rather than to notify the data breach to customers and law enforcement as is required by the California’s data security breach notification law, the Uber’s chief of information security Joe Sullivan ordered to pay the ransom and to cover the story destroying any evidence. The payout was disguised as a bug bounty prize complete with non-disclosure agreements signed. It is a good way to hide the payment, Uber is running a bug bounty program to encourage white hat hackers to responsibly disclose vulnerabilities affecting its services.
“Uber acquiesced to the demands, and then went further. The company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a “bug bounty” — a common practice among technology companies in which they pay hackers to attack their software to test for soft spots.” reported The New York Times“
“The details of the attack remained hidden until Tuesday. The ride-hailing company said it had discovered the breach as part of a board investigation into Uber’s business practices.”
As a result of the new board investigation Sullivan and one of his lieutenants were ousted.
The CEO explained that such kind of thing will not happen again in the future because Uber put the customers’ security and trust as the pillar of its business.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.” added Khosrowshahi.
The CEO added that forensics experts haven’t found evidence that data were downloaded, anyway the company is monitoring the affected account for fraudulent activities.
Below the list of actions the company has taken in response to the incident:
I’ve asked Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help me think through how best to guide and structure our security teams and processes going forward. Effective today, two of the individuals who led the response to this incident are no longer with the company.
We are individually notifying the drivers whose driver’s license numbers were downloaded.
We are providing these drivers with free credit monitoring and identity theft protection.
We are notifying regulatory authorities.
While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.
The New York Attorney General Eric Schneiderman has also launched an investigation into Uber data breach.
This isn’t the first time the company has experienced security breaches, it suffered the first data breach in May 2014, but the event was discovered on February 2015.
In the attack, the names and driver’s licenses of more than 50,000 of the company’s drivers were compromised.
At the time, the giant announced a data breach that resulted in unauthorized access to the driver partner license numbers of roughly 50,000 of its drivers.
In June 2016, security experts from the Integrity firm have found more than a dozen flaws in the Uber website that could be exploited by hackers to access driver and passenger data. The researchers discovered a total of security 14 issues, four of which cannot be disclosed.
Uber má problém: útočníci mu ukradli data uživatelů a firma to zkusila zatajit
22.11.2017 Lupa.cz Kriminalita
První špatná zpráva zní, že se útočníci koncem roku 2016 dostali k datům 57 milionů zákazníků a řidičů dopravní firmy Uber. Je tu ale druhá, ještě mnohem horší novina: Uber se tento incident pokusil před zákazníky i regulačními úřady skrýt a nikoho o to neinformoval. Za mlčení dokonce útočníkům zaplatila 100 tisíc dolarů.
Uber teď únik potvrdil na svém blogu. „Postiženy byly účty cestujících po celém světě. Konkrétně nám unikla jména, e-mailové adresy a čísla na mobil. Naši externí forenzní experti nezjistili, že by došlo taky k úniku záznamů o poloze, čísel platebních karet, čísel bankovních účtů, čísel sociálního zabezpečení nebo dat narozen,“ informuje dnes.
Nedávno jmenovaná nová ředitelka Uberu Dara Khosrowshahi k tomu dodává, že za únikem stojí dva lidé, kteří v roce 2016 získali přístup k databázi uložené v cloudovém úložišti třetí strany, které Uber používá. Útočníci se tak dostali mimo jiné ke jménům a číslům řidičských průkazů asi 600 tisíc řidičů Uberu v USA. A také ke kontaktním údajům zmíněných 57 milionů uživatelů.
Jak to konkrétně proběhlo? Podle agentury Bloomberg se dva lidé dostali na soukromou stránku Uberu na GitHubu, kterou používají vývojáři Uberu (firma neupřesnila, jak k ní získlai přístup, GitHub prý nicméně vylučuje, že by došlo k narušení jeho bezpečnosti).
Na GitHubu dva útočníci získali přihlašovací údaje do cloudové služby Amazonu, kterou firma používala. A v cloudu pak našli zmíněnou databázi s informacemi o uživatelích a řidičích. Podle Uberu pak měli firmě poslat e-mail, ve kterém žádali peníze. Uber se pak s nimi domluvil, že ukradená data smažou, a za to že budou o incidentu mlčet, jim zaplatil 100 tisíc dolarů.
Hackeři ukradli Uberu data 57 miliónů zákazníků a řidičů
22.11.2017 Novinky/Bezpečnost Kriminalita
Hackeři loni v říjnu ukradli alternativní taxislužbě Uber data 50 miliónů zákazníků a sedmi miliónů řidičů. V úterý místního času (v noci na středu SELČ) to oznámil šéf Uberu Dara Khosrowshahi s tím, že se to dozvěděl teprve nedávno. Incident přitom společnost rok tajila a hackerům zaplatila 100 000 dolarů (asi 2,2 miliónu korun), aby data vymazali a o útoku mlčeli, napsala agentura Bloomberg.
„Nic z toho se nemělo stát a já to nebudu omlouvat,” uvedl Khosrowshahi, který se generálním ředitelem Uberu stal letos v září. „Měníme způsob našeho podnikání,” dodal.
Ukradená data zahrnují jména zákazníků, jejich adresy, mobilní telefony a e-mailové adresy. V případě řidičů útočníci získali i jejich řidičské průkazy a další informace. Uber nicméně ujišťuje, že neunikla čísla platebních a kreditních karet, bankovních účtů, data narození, místa jízdy nebo čísla sociálních pojistek.
Khosrowshahi uvedl, že podle zjištění firmy se k datům uloženým na cloudových serverech jiné společnosti využívaných Uberem dostali dva útočníci. Ti podle něj nepronikli do firemního systému a datové infrastruktury Uberu.
Společnost ihned podnikla bezpečnostní opatření, útočníky identifikovala a získala od nich ujištění, že ukradená data byla zničena, uvedl Khosrowshahi.
Jaké triky zkoušejí počítačoví piráti před Vánocemi
22.11.2017 Novinky/Bezpečnost Kriminalita
Nejdůležitějším obdobím v roce jsou pro kybernetické zločince Vánoce. Před samotnými svátky jde totiž často obezřetnost stranou a lidé jsou schopni se nachytat i na nejrůznější phishingové podvody, kterých by si za jiných okolností všimli.
Viry se maskují
Internetem kolují aktuálně desetitisíce nejrůznějších virů. Ty dokážou odposlouchávat uživatele na dálku, monitorovat jeho práci, ale klidně i šikovně obejít ověřovací mechanismy v internetovém bankovnictví.
Takové nezvané návštěvníky bylo možné v počítači ještě před pár lety rozeznat, protože první škodlivé programy byly naprogramovány tak, aby mazaly data, nebo dokonce zablokovaly celý operační systém.
Moderní viry se ale snaží zůstat co nejdéle v anonymitě a potají otevírají zadní vrátka pro kybernetického útočníka.
Odhalit takové smetí pomáhají programy, z nichž každý se specializuje na něco jiného. Některé si dovedou poradit s trojskými koni či spywarem, další zase detekují takzvané keyloggery (programy zaznamenávající stisk kláves).
Cena takovýchto aplikací se zpravidla pohybuje od 500 do několika tisíc korun. Vedle toho ale existují také bezplatné alternativy, které nejčastěji firmy nabízejí pouze k vyzkoušení a zaplatit chtějí až za pokročilejší verzi. Ale i proto, aby v nich mohly zobrazovat reklamu a tím vydělávat peníze.
Výsledky testů bezplatných a placených aplikací se různí, v některých dokonce zdarma dostupné aplikace vyhrávají nad placenými.
Na PC by měl být nainstalován vždy jen jeden bezpečnostní program svého druhu. Dva antiviry na disku dokážou udělat pěknou neplechu. Totéž platí také o firewallech i antispywarech.
Scénáře phishingových útoků jsou si velmi podobné. Podvodníci lákají na předvánoční půjčky či na slevy elektroniky a šperků – od uživatelů se snaží vylákat hotovost, stejně jako jejich citlivé údaje, které pak na černém trhu velkou cenu.
Velké oblibě se mezi kyberzločinci těší také slevové kupóny. Na podvodných stránkách se často objevuje možnost bezplatného získání kupónu, pokud se uživatel zaregistruje. Místo skutečné slevy ale lidé v podobných případech pouze riskují zneužití svých osobních údajů.
E-mailová schránka bude smazána
Počítačoví piráti se snaží zaskočit uživatele novým trikem. Internetem se začala šířit podvodná zpráva, ve které kyberzločinci uživatelům vyhrožují, že jejich e-mailová schránka bude smazána. E-mail je psán anglicky, ale distribuován již byl podle informací Novinek také mezi české uživatele.
Na první pohled se může zdát, že tato zpráva byla automaticky vygenerována kancelářským balíkem Microsoft Office. Právě na to ale počítačoví piráti sázejí – že se uživatelé leknou loga amerického softwarového gigantu a na trik jim skočí.
Ukázka podvodného e-mailu
Ve zprávě se totiž píše, že heslo k e-mailovému účtu uživatele bylo kompromitováno. A proto bude celá e-mailová schránka smazána. Jedinou možností, jak tomu zabránit, je údajně ověřit poštovní schránku pomocí přiloženého odkazu.
Jde ale samozřejmě o klasickou phishingovou zprávu, počítačoví piráti totiž doslova loví důvěřivé uživatele na udičku jako ryby. Prostřednictvím podvodného odkazu se z nich snaží vylákat skutečné přihlašovací údaje k jejich e-mailové schránce.
Ty mají totiž na černém trhu doslova cenu zlata. Na e-maily jednotlivých uživatelů jsou totiž velmi často napojeny další internetové služby – například nejrůznější sociál ní sítě, ale v některých případech klidně i bankovní účty.
Trojský kůň změní PIN a zašifruje data
Na chytré telefony s operačním systémem Android cílí trojský kůň zvaný DoubleLocker, před kterým varovala antivirová společnost Eset. Ta upozornila, že tento nezvaný návštěvník dokáže změnit na mobilním zařízení přístupový PIN kód a navíc ještě zašifrovat uložená data. Za jejich zpřístupnění pak požaduje výkupné.
DoubleLocker se tedy na napadeném zařízení chová úplně stejně jako vyděračské viry, které jsou označovány souhrnným názvem ransomware.
„DoubleLocker zneužívá služby Android Accessibility, což je oblíbený trik mezi kybernetickými zločinci.
Trojský kůň změní PIN a zašifruje data.
FOTO: Mario Anzuoni, Reuters
Jakmile je podvodná aplikace spuštěna, zažádá si o aktivaci služby zpřístupnění, která se v tomto případě vydává za aplikaci Google Play Service,“ přiblížili bezpečnostní experti útok škodlivého kódu.
Problém nastane ve chvíli, kdy uživatel na svém zařízení potvrdí aktivaci této služby. Útočník tak totiž získá administrátorská práva k zařízení, tedy jinými slovy může s napadeným přístrojem dělat na dálku prakticky cokoliv.
Podle bezpečnostních expertů se tento malware šíří především v Evropě a Turecku. Konkrétně byl jeho výskyt zaznamenán v Polsku a Německu, ojediněle pak v Bělorusku a Estonsku. Uživatele v České republice zatím nenapadl.
Bankovní účty pod palbou počítačových pirátů
Počítačoví piráti neustále hledají cesty, jak se dostat na cizí bankovní účty. Tentokrát to zkoušejí přes zasílání zabezpečené zprávy uživatelům. Samozřejmě jde ale o podvod. Před novým typem útoku varovala Česká spořitelna.
Phishingový útok, při kterém počítačoví piráti doslova loví důvěřivé uživatele na udičku jako ryby, cílí právě na klienty spořitelny. Jeho cílem je vylákat přihlašovací údaje k internetovému bankovnictví, tedy ke službě Servis 24.
Podvodné bankovnictví imitující službu Servis24.
FOTO: Česká spořitelna
„Vy máte nové zprávy on-line. Chcete-li zobrazit svou zabezpečenou zprávu, přihlaste se do služby Internetového bankovnictví,“ tvrdí podvodníci vydávající se za bankéře v e-mailu, který v posledních dnech koluje českým internetem.
Pozornější uživatelé si na první pohled mohou všimnout, že zpráva je psaná s chybami a některá slova jsou dokonce špatně vyskloňovaná. Odkaz v e-mailu navíc nevede na oficiální stránky služby Servis 24, nýbrž na podvodný web, což je patrné z adresního řádku.
Po přihlášení kyberzločinci důvěřivcům tvrdí, že je potřeba aktualizovat kontaktní informace – právě to měla být ona důležitá zpráva. Pokud to důvěřivci skutečně udělají, jsou již jen krůček od vybílení bankovního účtu. Se znalostí telefonního čísla je totiž pro podvodníky hračkou vylákat od lidí potvrzovací SMS zprávu, pomocí které mohou například provádět peněžní transakce. V ohrožení jsou přitom i jedinci, kteří nemají na bankovním účtu příliš mnoho financí. Útočníci mohou touto cestou sjednat bez vědomí majitele klidně i půjčku. A tyto peníze následně vyberou.
Chytré spotřebiče mohou napadnout hackeři
Trouby, lednice, pračky, klimatizace, ale například také inteligentní vysavače – všechna tato zařízení se dnes dají připojit na dálku ke smartphonu. Bezpečnostní společnost Check Point však nyní objevila závažnou zranitelnost v chytrých domácích spotřebičích od LG, které mohou snadno zneužít počítačoví piráti. Spotřebiče jednoduše ovládnou na dálku.
Bezpečnostní chybu obsahovala obslužná mobilní aplikace LG SmartThinQ.
FOTO: archív výrobce
Chyba se týká obslužné aplikace LG SmartThinQ, kterou k ovládání svých chytrých spotřebičů používají milióny lidí z různých koutů světa. „Zranitelnost v této mobilní a cloudové aplikaci umožnila výzkumnému týmu společnosti Check Point přihlásit se vzdáleně do cloudové aplikace SmartThinQ, převzít kontrolu nad uživatelským účtem LG a získat kontrolu nad vysavačem a jeho integrovanou videokamerou,“ uvedl Oded Vanunu, ředitel výzkumu produktových zranitelností ve společnosti Check Point.
„Jakmile dojde k převzetí kontroly nad konkrétním účtem LG, jakékoli LG zařízení propojené s daným účtem může být ovládáno útočníky – včetně robotických vysavačů, ledniček, trub, praček, sušiček a klimatizací,“ zdůraznil Vanunu. Zranitelnost HomeHack umožňuje útočníkům například špehovat domácnost uživatelů prostřednictvím videokamery v robotickém vysavači. Útočníci mohou také ovládat jakékoliv zařízení LG SmartThinQ, například vypínat a zapínat myčky na nádobí, pračky atd.
V současnosti je již k dispozici aktualizace, která bezpečnostní chybu aplikace LG SmartThinQ opravuje. V ohrožení jsou nicméně stále uživatelé, kteří používají starší verzi aplikace od LG. Bezpečná je podle zástupců výrobce verze 1.9.20 a novější.
Uber Hacked: Information of 57 Million Users Accessed in Covered-Up Breach
22.11.2017 securityweek CyberCrime
Uber Covered Up Massive Hack in 2016 for More Than a Year
Uber said Tuesday that hackers accessed the personal data of 57 million of its users in a breach that had been covered up by the company for more than a year.
Stolen information included the names, email addresses and mobile phone numbers of customers around the world, while the names and driver’s license numbers of roughly 600,000 of its drivers in the United States were accessed.
“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use,” Uber CEO Dara Khosrowshahi, wrote in a blog post Tuesday, adding that the incident did not breach Uber’s corporate systems or infrastructure.
According to a report from Bloomberg, attackers obtained credentials from a private GitHub site used by Uber’s software developers, which were used to access data stored on an Amazon Web Services (AWS) account.
Uber reportedly paid $100,000 to the hackers as a ransom payment in order to limit fallout from the breach. The company did not provide any details on such payment, but said “we subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.”
Uber said that two employees “who led the response to the incident" are no longer with the company. While the company did not provide names, some reports indicate that Chief Security Officer Joe Sullivan has been let go. Uber hired Sullivan, Facebook's former security chief, as its first ever Chief Security Officer in April 2015.
SecurityWeek has contacted Uber for comment on the ransom payment and Sullivan’s rumored departure.
“Today’s incident at Uber is an example of how unprotected machine identities can lead to data breaches. Access to cloud services, such as like Amazon AWS, are secured with SSH keys that are often outside the control of security teams,” Kevin Bocek, chief security strategist for Venafi, told SecurityWeek. “Unfortunately, we frequently seen SSH keys that provide access to AWS left unprotected in GitHub. Without robust SSH intelligence and strong security controls malicious actors can abuse these keys while flying under the radar of most other security controls,” Bocek added.
“The Uber breach is staggering not so much in its magnitude, but more so in the extensive efforts the company seems to have made in concealing the breach in violation of their customers’ trust and perhaps laws that require disclosure,” John Gunn, Chief Marketing Officer at Vasco Data Security, told SecurityWeek.
Uber does run a bug bounty program to encourage security researchers to responsibly disclose vulnerabilities found in across its services.
In June 2016, Researchers from Portugal-based security consulting and audit firm Integrity identified more than a dozen vulnerabilities in Uber websites and services, including issues that could have been exploited to access driver and passenger information.
In 2015, Uber disclosed two security incidents: one where an unauthorized party gained access to the driver’s license numbers of roughly 50,000 drivers, and a software bug that exposed the personal details of hundreds of U.S. drivers.
Has Everyone Really Been Hacked?
22.11.2017 securityweek Hacking
There is little doubt that fear sells security products, hikes law enforcements agency (LEA) budgets and sells newspapers. Both the security industry and government agencies benefit from sensational headlines; leaving people wondering what the real truth may be. So when UK newspaper The Times ran a headline, 'Everyone has been hacked, say police', it leaves the question, is this just more scaremongering or a true reflection on the state of security?
To my knowledge and belief, I have not been hacked (yet) -- so the headline is patently untrue. But I (and indeed everyone) am frequently targeted; I'm fairly certain I have dozens of unclicked malicious links and files in my mail system. Here's the first method of scaremongering: security vendors, LEAs and parts of the media will often claim, 'millions of users hit by new malware'. The truth is most likely that millions of users have been targeted or can potentially be affected, not that millions of users have been infected.
The Times headline is very clear: everyone has been hacked. But this is not what the police actually said. According to The Times' own report, "Virtually everyone in the country is likely to have had their personal data hacked and placed for sale on the dark web, police have said."
This is bad enough, but it is not the same as being personally hacked. What the police (in this case Peter Goodman, the National Police Chiefs' Council lead for cybercrime and the Chief Constable for Derbyshire) is saying is that everybody will have had some personal data taken by cybercriminals via third party breaches (such as Yahoo, LinkedIn, TalkTalk and more recently Equifax). Whether the amount of personal data stolen in this way is more or less than the personal data we willingly give to Google, Microsoft and Facebook is a separate -- but equally valid -- question.
Nor do we know what personal data has been stolen -- some personal data is clearly more valuable to cybercriminals (and dangerous to us) than other personal data. However, we should never dismiss any data loss as being unimportant. Cybercriminals, and especially state-affiliated criminals, have as much ability to use big data correlation and analysis as the big security vendors and government agencies. Little bits of data from different sources can be matched together to form a surprisingly detailed picture of us.
The question then remains, how accurate is the police view that we have all been affected by third-party data loss?
Chris Morales, head of security analytics at Vectra, comments, "Anyone who has performed any online transaction has personal data on the internet. Even worse, personal information exists in locations people are not even aware of or have any control over.
Equifax impacted more than 145 million consumers. Of those, around 700,000 were believed to be in the UK. That is just one recent breach.
Based on data reported from breachlevelindex.com [a site sponsored by Gemalto], there have been 9,198,580,293 data records lost or stolen since 2013. That's more data records than people in the world. For the UK specifically, they report a number of 137,516,163 records stolen since 2013, double the population. Therefore, it is a reasonable assumption to make that everyone has been hacked and some more than once." (Notice that Morales accepts the Times' use of the term 'hacked'.)
Chris Roberts, chief security architect at Acalvio, takes a similar stance. "Healthcare has lost between 600 and 700 million records since we started counting," he told SecurityWeek. "That's almost twice the population of the United States. Between all the various high visibility breaches and government losses, it's arguable that everyone's data is already out there. Finally, the quantity of credit cards that are breached on an annual basis would arguably demonstrate that almost everyone has had financial breaches."
Ilia Kolochenko, disagrees with the headline, but agrees with the content. "Digitization has become an inalienable part of our everyday lives," he told SecurityWeek. "Even people who have never used a PC or a smartphone have their personal data stored and processed somewhere. Cybercrime is skyrocketing, and the vast majority of digital systems have been breached. However, I think that it's technically incorrect to say that every person was hacked, as our common notion of "hack" implies at least some motive and targeting. Otherwise, we can reasonable say that every person in the world has been hacked many times over."
He has concerns over the headline, but has no issue with the content. "In the matter of general awareness, such announcements are beneficial, as many people still seriously underestimate the growing hydra of cybercrime. Hopefully, the government will finally allocate additional resources that are necessary to fight cybercrime on national and international levels. Right now, law enforcement is seriously under-equipped with technology, qualified personnel and financial resources to prevent, investigate and prosecute digital crime."
The general consensus is that (apart from the headline), the views of Peter Goodman do not represent scaremongering. Stephen Burke, founder and CEO of Cyber Risk Aware adds a rider: "There is a high percentage of people that have been affected by cybercrime -- however, it would be unfair to say that everyone has been a victim. It's possible they could be by virtue of the data that is readily available online and the data that they give out via social media and to companies who handle billing. If this were the case, then there would be too much data for hackers to handle."
Nevertheless, statistics suggest that everyone, from corporate manager to stay-at-home mum and her kids, have had personal data stolen by cybercriminals. Goodman has his own solution: "Mr Goodman said that providing lifetime security for digital devices should be mandatory," says the Times.
That's a big, and frankly unrealistic ask. "We have learned prevention is never going to be enough and at some point it is realistic to assume a breach will occur," said Morales. "At that point, we must be better prepared to detect and respond to the breaches that do happen and that can cause the most damage. The goal should be to reduce the impact of those breaches."
The implication is clear. Just as business is exhorted to plan its response to an inevitable breach, individuals need to plan a response to the seemingly inevitable misuse of their stolen personal data.
macOS Malware Spread Via Fake Symantec Blog
22.11.2017 securityweek Apple
A newly observed variant of the macOS-targeting Proton malware is spreading through a blog spoofing that of legitimate security company Symantec.
The actor behind this threat created symantecblog[dot]com, a good imitation of the real Symantec blog, and even mirrored content from the original. On this blog, a post about a new version of CoinThief, a piece of malware from 2014, promotes an application called “Symantec Malware Detector,” while in fact distributing OSX.Proton instead.
The domain’s registration information appears to be legitimate, with the same name and address as those used by Symantec, but the email address shows that something is off. Furthermore, the certificate used for the site is a legitimate SSL certificate issued by Comodo and not by Symantec’s own certificate authority.
Links to the fake blog have been spreading on Twitter via both fake and legitimate accounts, Malwarebytes reports. It is possible that the actor behind this campaign used stolen passwords to access legitimate accounts and promote their malicious post. However, it is also possible that people were tricked into promoting the link.
When first run, the Symantec Malware Detector application displays a very simple window, using the Symantec logo, claiming to require authorization to perform a system check. Should the potential victim close the window at this point, the malware won’t be installed, the researchers say.
Should the user agree to run the check, the admin password is requested, a step that results in the malware stealing the password. Next, the app displays a progress bar claiming to be scanning the computer, but Proton is installed in the background.
The Symantec Malware Detector application is nothing more than a malware dropper, and all users who have downloaded it are advised to delete it and attempt to disinfect their systems.
The malware immediately starts gathering user information, such as the admin password and other personally-identifying information (PII), and saves all data to a hidden file. Keychain files, browser auto-fill data, 1Password vaults, and GPG passwords are also harvested.
The Proton executable is dropped in the .random directory and is kept running by the com.apple.xpcd.plist launch agent. The stolen data is stored in the .cachedir folder.
“Fortunately, Apple is aware of this malware and has revoked the certificate used to sign the malware. This will prevent future infections by the Symantec Malware Detector. Revoking the certificate will not, by itself, do anything to protect a machine that is already infected,” the security researchers explain.
Proton has been designed to steal login credentials and affected users are advised to take emergency actions post-infection. They should consider all of their online passwords as compromised and change all of them, while also setting up a different password for each site and storing all of them in a password manager. The master password should not be stored in the keychain or anywhere else on the computer. Enabling two-factor authentication should also minimize the impact.
This incident, the researchers note, shows the danger of fake news being used to spread malware. Due to the increased prevalence of adware for macOS, many users are looking to download malware removal tools, and cybercriminals are attempting to take advantage of that.
“Proton has been circulating for quite some time after its initial appearance in March. It has previously been distributed via a compromise of the Handbrake application and a similar compromise of a couple Eltima Software applications. It is highly likely that Proton will continue to circulate, and similar incidents will continue to occur,” Malwarebytes concludes.
Code Execution Flaw Found in HP Enterprise Printers
22.11.2017 securityweek Vulnerebility
Researchers have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers. The vendor claims to have already developed a patch that will be made available to customers sometime this week.
Back in 2015, HP announced the launch of new enterprise-grade LaserJet printers fitted with security features designed to block malicious actors from breaching a company’s network. Roughly one year later, the company also announced several security improvements to its Managed Print Services.
The tech giant claims it provides “the world’s most secure printing” and a recent marketing campaign run by the company shows how printers from other vendors can allow hackers to cause significant damage to an organization.
Researchers at FoxGlove Security wanted to put HP’s claims to the test so they acquired an HP PageWide Enterprise 586dn multi-functional printer (MFP), currently sold for $2,000, and an HP LaserJet Enterprise M553n printer, which costs roughly $500.HP Printer
The experts started testing the devices using PRET (PRinter Exploitation Toolkit), a tool developed by researchers from Ruhr-Universität Bochum in Germany. When PRET was introduced, its creators claimed to have used it to find vulnerabilities in 20 printers and MFPs from HP, Brother, Lexmark, Dell, Samsung, Konica, OKI and Kyocer.
FoxGlove used PRET to find a path traversal flaw that allowed them to access the content of any print job, including PIN-protected jobs. PRET also helped it discover vulnerabilities that can be exploited to manipulate the content of print jobs, and reset devices to factory settings and implicitly remove the admin password.
However, the researchers’ goal was to find a vulnerability that could be exploited for remote code execution (RCE). In order to achieve this, they extracted the printer operating system and firmware and reverse engineered them. HP has implemented some mechanisms to prevent tampering with the system, but the experts managed to bypass them and gain access to files.
They then analyzed firmware updates and HP Software Solutions, which use the OXP platform and SDK to extend a printer’s functionality. Both Solutions and firmware updates are delivered as a single bundle (.BDL) file that needs to have a valid signature.
They failed to upload a malicious firmware to the device due to the signature validation mechanism, but they have proposed some possible attack vectors in case others want to continue the research. On the other hand, they did crack signature validation for Solutions files and they managed to upload a malicious DLL and execute arbitrary code.
FoxGlove Security has made available the source code of the tools used during the research, including proof-of-concept (PoC) malware.
The code execution vulnerability was reported to HP on August 21 and the company has promised to release a patch this week.