Monthly Archives: September 2017

Hackers Hid Backdoor In CCleaner Security App With 2 Billion Downloads — 2.3 Million Infected

Users of Avast-owned security application CCleaner for Windows have been advised to update their software immediately, after researchers discovered criminal hackers had installed a backdoor in the tool. The tainted application allows for download of further malware, be it ransomware or keyloggers, with fears millions are affected. According to Avast’s own figures, 2.27 million ran the affected software, though the company said users should not panic.

The affected app, CCleaner, is a maintenance and file clean-up software run by a subsidiary of anti-virus giant Avast. It has 2 billion downloads and claims to be getting 5 million extra a week, making the threat particularly severe, researchers at Cisco Talos warned. Comparing it to the NotPetya ransomware outbreak, which spread after a Ukrainian accounting app was infected, the researchers discovered the threat on September 13 after CCleaner 5.33 caused Talos systems to flag malicious activity.

Further investigation found the CCleaner download server was hosting the backdoored app as far back as September 11. Talos warned in a blog Monday that the affected version was released on August 15, but on September 12 an untainted version 5.34 was released. For weeks then, the malware was spreading inside supposedly legitimate security software.

[Image: CCleaner Windows app infected. Credit: Cisco Talos] The CCleaner app, designed to help users carry out good cyber hygiene, was itself infected.

The malware would send encrypted information about the infected computer – the name of the computer, installed software and running processes – back to the hackers’ server. The hackers also used what’s known as a domain generation algorithm (DGA); whenever the crooks’ server went down, the DGA could create new domains to receive and send stolen data. Use of DGAs shows some sophistication on the part of the attackers.

Downplaying the threat?

CCleaner’s owner, Avast-owned Piriform, has sought to ease concerns. Paul Yung, vice president of product at Piriform, wrote in a post Monday: “Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process.

“The threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker.

“Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.”

Not all are convinced by the claims of Piriform, acquired by Avast in July. “I have a feeling they are downplaying it indeed,” said Martijn Grooten, editor of security publication Virus Bulletin. Of the Piriform claim it had no evidence of much wrongdoing by the hacker, Grooten added: “As I read the Cisco blog, there was a backdoor that could have been used for other purposes.

“This is pretty severe. Of course, it may be that they really only stole … ‘non-sensitive data’ … but it could be useful in follow-up targeted attacks against specific users.”

In its blog, Talos’ researchers concluded: “This is a prime example of the extent that attackers are willing to go through in their attempt to distribute malware to organizations and individuals around the world. By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users’ inherent trust in the files and web servers used to distribute updates.”


Avast CTO: No need to panic


Avast chief technology officer Ondrej Vlcek said there was, however, little reason to panic. He told Forbes the company used its Avast security tool to scan machines on which the affected CCleaner app was installed (in 30 per cent of Avast installs, CCleaner was also resident on the PC). That led to the conclusion that the attackers hadn’t launched the second phase of their attack to cause more harm to victims.

“2.27 million is certainly a large number, so we’re not downplaying in any way. It’s a serious incident. But based on all the knowledge, we don’t think there’s any reason for users to panic,” Vlcek added. “To the best of our knowledge, the second-stage payload never activated… It was prep for something bigger, but it was stopped before the attacker got the chance.” He said Cisco Talos wasn’t the first to notify Avast of the issues, another unnamed third party was.

It’s unclear just who was behind the attacks. Yung said the company wouldn’t speculate on how the attack happened or possible perpetrators. For now, any concerned users should head to the Piriform website to download the latest software.


via:  forbes

Verizon Is Booting 8,500 Rural Customers Over Data Use, Including Some on ‘Unlimited’ Plans

Verizon has decided to abruptly cut off wireless internet to some 8,500 rural customers in 13 states, saying their heavy data use had made it impossible to profit off of the accounts—even though many of the users had purchased unlimited plans.

“Approximately 8,500 customers—using a variety of plans—were notified this month that we would no longer be their service provider after October 17th, 2017,” Verizon corporate communications director Kelly Crummey told BGR. “These customers live in 13 states (Alaska, Idaho, Iowa, Indiana, Kentucky, Maine, Michigan, Missouri, Montana, North Carolina, Oklahoma, Utah and Wisconsin) and in areas outside of where Verizon operates our own network.”

Letters Verizon is sending to the affected customers are blunt, to say the least.

“During a recent review of customer accounts, we discovered you are using a significant amount of data while roaming off the Verizon Wireless network,” Verizon wrote, according to Ars Technica. “While we appreciate you choosing Verizon, after October 17th, 2017, we will no longer offer service for the numbers listed above since your primary place of use is outside the Verizon service area.”

No option to continue, with or without reducing use of mobile data, was given.

Per BGR, the issue stems from Verizon’s LTEiRA program, in which the company pairs with 21 regional carriers to provide mobile access to rural regions. Verizon users get to jump on board those regional networks whenever they want, though when they use roaming data Verizon is responsible for paying the carriers’ fees.

While Verizon says some of the users were using as much as a terabyte of data monthly, one family reported they had been using less than 50 gigabytes of data across four lines every month on an unlimited data plan.

“Now we are left with very few choices, none of them with good service,” a member of the family told Ars Technica. “I guess small-town America means nothing to these people. It’s OK—though I live in a small town, I know a lot of people, and I’m telling every one of them to steer clear of Verizon.”

Verizon’s decision has ramifications for the regional carriers as well, which say the company encouraged them to build infrastructure to expand their service areas but is now backing out on the deal.

Though US telecoms have long gotten away with the digital equivalent of murder while providing terrible service, Verizon’s decision is particularly ominous given it could soon be given free license to treat rural customers even more poorly. The Federal Communications Commission and its Donald Trump-appointed chairman Ajit Pai have recently sought to slash the agency’s standards for what it considers acceptable access to broadband, including by allowing service providers to pass off mobile service as a replacement for home internet—a decision that would disproportionately impact poor Americans.


via:  gizmodo

Microsoft’s Azure ‘Confidential Computing’ Encrypts Data in Use

Early Access program under way for new Azure cloud security feature.

Microsoft is ramping up Azure data security with encryption of data while in use, a protection so far absent from the public cloud, the company announced today.

The new collection of features and services, called Azure “confidential computing,” is the product of joint collaboration among the Azure team, Microsoft Research, Windows, its Developer Tools group, and Intel, all of which have been building the technology for over four years. Microsoft is making the new features available to users via an Early Access program.

Confidential computing lets users process data in the cloud, knowing it’s under their control. The new Azure update arrives at a time when data breaches regularly make headlines and attackers find new ways to steal personally identifiable information (PII), financial data, and intellectual property.

Many businesses hesitate to move sensitive data to the cloud for fear it will be compromised while in use.

“While many breaches are the result of poorly configured access control, most can be traced to data that is accessed while in use, either through administrative accounts, or by leveraging compromised keys to access encrypted data,” says Azure CTO Mark Russinovich in a blog post.

Data has to be “in the clear” for efficient processing. In confidential computing, it’s stored inside a Trusted Execution Environment (TEE). This ensures data and operations cannot be viewed from the outside, even if the attacker is using a debugger.

Microsoft uses enclaves to protect data in SQL Server, its own infrastructure, and blockchain financial operations, a technology known as the Coco Framework. The same tech will be applied to bring encryption-in-use to Azure SQL Database and SQL Server. This builds on the Always Encrypted capability, which encrypts sensitive data in an SQL database at all times by assigning computations on sensitive data to an enclave, where it is decrypted and processed.

Only authorized code is allowed to access the data inside an enclave. And if an attacker tries to manipulate the code, Azure denies the operations and disables the environment. TEE maintains this level of protection for as long as the code inside it is executed.

Microsoft says the ability to protect data in use can safeguard information from specific threats such as malicious insiders with administrative privilege or access to the hardware on which it’s processed. Confidential computing also protects against third parties accessing data without the owner’s consent, and malware designed to exploit bugs in the application, OS, or hypervisor, Microsoft says.

The platform Microsoft is building as part of confidential computing will let developers use multiple TEEs without requiring them to change code. At first Azure will support two: software-based Virtual Secure Mode (VSM) and hardware-based Intel SGX.

VSM is an enclave implemented by Hyper-V in Windows 10 and Windows Server 2016. Hyper-V prevents administrator code from running on a computer or server. Local and cloud-service administrators cannot see the contents in, or change the execution of, the VSM enclave.

The Intel SGX TEE has the first SGX-capable servers in the public cloud. Users will be able to leverage SGX enclaves if they don’t want their trust model to include Azure or Microsoft. Microsoft is working with both Intel and other partners to create and support more TEEs.

Microsoft foresees application of confidential computing in industries including finance, healthcare, and artificial intelligence. “In finance, for example, personal portfolio data and wealth management strategies would no longer be visible outside of a TEE,” says Russinovich.


via:  darkreading


Delta Basic Economy fares permit a larger carry-on bag, so the focus of this story is on American Airlines and United. If you think you can slip by undetected with your rollerboard, be prepared to pay up and lose every penny you saved by buying a Basic Economy fare in the first place.

Let’s first note that both American and United offer exceptions to their “no overhead bin space” Basic Economy policy. Should you hold an airline-branded credit card, you can take a larger carry-on bag. If you have elite status, you can also take a larger carry-on bag onboard.

But if you don’t qualify for either exception, you’re not going to like the outcome if you’re caught at the gate. On both American and United, it is $25 to check a bag. But if you’re on a Basic Economy fare and you get caught at the gate, your fee is $50. Why? A $25 fee.

United calls it a gate-handling charge. American labels it a gate-service fee. It’s really a penalty on top of a fee.

Unlike others, who can check their bag without cost to their final destination if overhead bin space runs out, the very point of Basic Economy is to help avoid this problem in the first place. That means if you get caught with a bag, you are going to have to pay up.

A Painful Example

United does not allow online or mobile check-in if you purchase a Basic Economy fare and do not pay for a bag. While I’m sure that alleviates the issue for some, it is easy enough for a pair traveling together to take turns checking in while the other stands at a distance with both carry-on bags.

Vishnu Bhargava and his wife were flying on United from San Francisco to Boston in late July and didn’t notice the conditions of Basic Economy tickets. He checked in the night before, paid for one checked bag and planned to bring two carry-ons. He didn’t read the small print.

When they got to the gate, they were told their carry-on bags would have to be checked. His cost $50—the standard bag fee plus the gate handling charge. His wife’s was $60, since she had already checked one bag. United charges $35 for a second bag, plus the extra fee.

“I was shocked,” says Mr. Bhargava, a retired physician from India. “Whatever I saved with Basic Economy, I had to pay more. This fee is not at all fair.”

Oh, it’s fair. It may be stupid, but it’s certainly fair. As long as it was clearly disclosed, which leads me to my final point.

Disclosure Problems

When you buy a Basic Economy fare on, the restrictions could not be clearer. But when buying on many online travel agencies, the prohibitions are not clearly disclosed. Airlines must work with these travel agencies to ensure the restrictions on such fares are transparent. Otherwise, consumers have a right to get angry.


This reminds me of fare dodging on the trains in Germany, all of which run on an honor system. Sometimes you can get away without buying a ticket, but get caught and you’ll be slapped with an 80EUR fine…probably eating up all your cost savings and more.

If you’re going to buy a Basic Economy ticket on American or United and don’t qualify for a larger carry-on, check it before or leave it at home. If you get caught not only will you be paying more than a regular economy class fare…it will be embarrassing.


via:  liveandletsfly

FCC chairman voted to sell your browsing history; so we asked to see his

Thanks to the FCC chairman, internet providers can now sell Americans’ browsing histories for targeted advertising. ZDNet thought it was only fair to see his — so, we filed a Freedom of Information request.

The Federal Communications Commission has refused to turn over the internet browsing history of its chairman Ajit Pai, weeks after he rolled back rules that prevented internet providers from selling the browsing histories of millions of Americans.

In a response to a request filed by ZDNet under the Freedom of Information Act, the agency said Friday that it had “no responsive documents” to our request. The agency cited a similar decision filed with Homeland Security that found that the law doesn’t require a government agency to create a record in response to a request.

Specifically, we asked for the “web browsing history of all web and mobile browsers used by Ajit Pai on any government network or account,” from the date that the rules were formally revoked by Congress in late March.

The response from the FCC said: “Here, the agency does not have a record that reflects the Chairman’s web browsing history.”

In other words, Pai voted to allow internet providers to turn over your browsing history, but won’t let anyone see his.

Earlier this year, Pai launched his effort to roll back the Obama-era rules that toughened up privacy protections for every American with an internet connection.

But the rule rollback was met with considerable controversy and anger from privacy and rights groups, for fear that internet providers like AT&T, Comcast, and Verizon would be able to gather and sell data about your browsing history to marketers and other companies, including information on customer location, as well as financial or health status information, and what people shop and search for.

AT&T, Comcast, and Verizon have all said they don’t collect personal information unless customers allow it or share it with third parties. Critics noted that the named three don’t need the FCC rules to share customer data because they already operate their own advertising networks.

Following the FCC’s rollback, Congress had to vote to approve the changes into law. The measure was passed by the Senate, and later the House.

Though the telecoms and internet provider lobby was largely behind the effort to roll back the rules, it remains unclear how ordinary consumers benefit, if at all, from the changes.

When pressed by reporters, Marsha Blackburn (R-TN, 7th), the sponsor for the House bill, couldn’t say how her bill helps anyone other than the telecoms lobby. According to online publication Vocativ, Blackburn also received over $693,000 in campaign contributions from the telecoms lobby over her 14-year congressional career.

As a member of Congress, Blackburn is exempt from Freedom of Information requests.

You can read the full letter from the FCC below.

Federal Communications Commission
Washington, D.C. 20554

May 12, 2017
Mr. Zack Whittaker
28 B. 28th Street
10th Floor
New York, New York 10016

Re: FOIA Control No. 2017-000501

Dear Mr. Whittaker:

This is in response to your Freedom of Information Act (FOIA) request filed on
March 31, 2017, seeking "[t]he web browsing history of all web and mobile browsers
used by Ajit Pai, chairman of the Federal Communications Commission, on any
government network or account for the week beginning Tuesday, March 29[, 2017]."(1)
The due date for FOIA 2017-501 is May 12, 2017.(2) We are responding to you by this
deadline. As we explain in more detail below, we have no responsive documents to your

As court precedents make clear, the FOIA does not require an agency to create a
record to respond to a FOIA request.(3) Here, the agency does not have a record that
reflects the Chairman's web browsing history. As the Department of Homeland Security
(DHS) found in response to a similar request, "internet browser history. . . files are
presumably constantly changing, machine-readable files (not likely discrete 'documents'
separate from the given web browsing program used) that were automatically generated
based on the particular user's activity."(4) We agree with DHS that an agency is not
required to generate a discrete document that would reflect the internet browser history of
a certain time period or extract the residual data files automatically maintained by the

(1) See FOIAonline (FOIA Request 2017-000501 (submitted and perfected Mar. 31, 2017)).
(2) See email from Joanne Wall to Zack Whittaker (Apr. 27, 2017) (because of the need to consult with
multiple offices within the Commission, the Office of General Counsel extended the date for responding to
the FOIA request to May 12, 2017, pursuant to 47 C.F.R. § 0.461(g)(1)(i)).
(3) See Poll v. U.S. Office of Special Counsel, No. 99-4021, 2000 WL 14422, at *5 n.2 (10th Cir. Jan. 10,
2000) (recognizing that FOIA does not require an agency "to create documents or opinions in response to
an individual's request for information") (quoting Hudgins v. IRS, 620 F.Supp. 19, 21 (D.D.C. 1985), aff'd,
808 F.2d 137 (D.C. Cir. 1987)).

(4) Letter from Curtis E. Renoe, Attorney Advisor, Office of the Administrative Law Judge, United States
Coast Guard, U.S. Dep't of Homeland Security (DHS), to Jason Smathers, MuckRock News, DHS Appeal
Number 2014-HQAP-00068 at 3-4 (July 18, 2014).

(5) Id. 3-4.

Pursuant to section 0.466(a)(5)-(7) of the Commission's rules, you have been
classified for fee purposes as category (2), "educational requesters, non-commercial
scientific organizations, or representatives of the news media."(6) As an "educational
requester, non-commercial scientific organization, or representative of the news media,"
the Commission assesses charges to recover the cost of reproducing the records
requested, excluding the cost of reproducing the first 100 pages. We did not reproduce
any records and you will therefore not be charged any fees.

If you consider this to be a denial of your FOIA request, you may seek review by
filing an application for review with the Office of General Counsel. An application for
review must be received by the Commission within 90 calendar days of the date of this
letter.(7) You may file an application for review by mailing the application to the Federal
Communications Commission, Office of General Counsel, 445 12th St. SW, Washington,
DC 20554, or you may file your application for review electronically by e-mailing it to Please caption the envelope (or subject line, if via e-mail) and
the application itself as "Review of Freedom of Information Action."

If you would like to discuss this response before filing an application for review
to attempt to resolve your dispute without going through the appeals process, you may
contact the Commission's FOIA Public Liaison for assistance at:

FOIA Public Liaison
Federal Communications Commission, Office of the Managing Director,
Performance Evaluation and Records Management
445 12th St., SW, Washington, DC 20554

If you are unable to resolve your FOIA dispute through the Commission's FOIA
Public Liaison, the Office of Government Information Services (OGIS), the Federal
FOIA Ombudsman's office, offers mediation services to help resolve disputes between
FOIA requesters and Federal agencies. The contact information for OGIS is:

Office of Government Information Services
National Archives and Records Administration
8601 Adelphi Road-OGIS
College Park, MD 20740-6001

(6) 47 C.F.R. § 0.466(a)(5)-(7).
(7) See 47 C.F.R. § 0.461(j), 1.115; 47 C.F.R. § 1.7 (documents are considered filed with the Commission
upon their receipt at the location designated by the Commission).

cc: FOIA Officer

via:   zdnet


Equifax confirms Apache Struts security flaw it failed to patch is to blame for hack

The company said the March vulnerability was exploited by hackers.


Equifax has confirmed that a web server vulnerability in Apache Struts that it failed to patch months ago was to blame for the data breach that affected 143 million consumers.

In a brief statement, the credit rating giant said:

“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted.”

“We know that criminals exploited a U.S. website application vulnerability,” the statement added.

“The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

For its part, Equifax still has not provided any evidence to support the claim.

The cited Apache Struts flaw dates back to March, according to a public vulnerability disclosure. Patches were released for the vulnerability, suggesting that Equifax did not install the security updates.

Apache Struts is used across the Fortune 100 to provide web applications in Java, and it powers front- and back-end applications, including Equifax’s public website.

Earlier, unconfirmed reports had pointed to Struts as the root of the cyber attack. At least one of the reports, citing a research analyst from equity research firm Baird, was subsequently retracted.

The Apache Foundation, which maintains the Apache web software, said days ago in response to media reports — prior to any confirmation from the company — that at the time it was not clear if Struts was to blame for the cyber attack.

The company is said to have enlisted FireEye-owned Mandiant for its incident recovery.

Despite several requests over the past week, the company has not answered specific questions or responded to requests for comment.


via:  zdnet

Someone Is Learning How to Take Down the Internet – How worried should we be?

Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who is doing this, but it feels like a large nation state. China or Russia would be my first guesses.

First, a little background. If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack (DDoS). Like the name says, this is an attack designed to prevent legitimate users from getting to the site. There are subtleties, but basically it means blasting so much data at the site that it’s overwhelmed. These attacks are not new: hackers do this to sites they don’t like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense. But largely it’s a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.

Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.

The attacks are also configured in such a way as to see what the company’s total defenses are. There are many different ways to launch a DDoS attack. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. This means that the companies have to use everything they’ve got to defend themselves. They can’t hold anything back. They’re forced to demonstrate their defense capabilities for the attacker.

This all is consistent with what Verisign is reporting. Verisign is the registrar for many popular top-level Internet domains, like .com and .net. If it goes down, there’s a global blackout of all websites and e-mail addresses in the most common top-level domains. Every quarter, Verisign publishes a DDoS trends report. While its publication doesn’t have the level of detail I heard from the companies I spoke with, the trends are the same: “in Q2 2016, attacks continued to become more frequent, persistent, and complex.”

There’s more. One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate Internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services.

Who would do this? It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It’s not normal for companies to do that. Furthermore, the size and scale of these probes — and especially their persistence — points to state actors. It feels like a nation’s military cybercommand trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US’s Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.

What can we do about this? Nothing, really. We don’t know where the attacks come from. The data I see suggests China, an assessment shared by the people I spoke with. On the other hand, it’s possible to disguise the country of origin for these sorts of attacks. The NSA, which has more surveillance in the Internet backbone than everyone else combined, probably has a better idea, but unless the US decides to make an international incident over this, we won’t see any attribution.

But this is happening. And people should know.


This essay previously appeared on

Slashdot thread.

Podcast with Bruce Schneier on the topic.

CSO thread.


via:  schneier

Time Warner Cable exposes 4 million subscriber records – Yet another AWS config fumble

US cable giant the latest victim of S3 cloud security brain-fart.

Records of roughly four million Time Warner Cable customers in the US were exposed to the public internet after a contractor failed to properly secure an Amazon cloud database.

Researchers with security company Kromtech said freelancers who handled web applications for TWC and other companies had left one of its AWS S3 storage bins containing seven years’ worth of subscriber data wide open on the ‘net. That data included addresses and contact numbers, information about their home gateways, and account settings.

Just before the weekend, Kromtech said the vulnerable AWS instance was operated by BroadSoft, a cloud service provider that had been using the S3 silos to hold the SQL database information that included customer records.

When Kromtech spotted the repository in late August, it realized that databases had been set to allow public access, rather than limit access to administrators or authorized users.

“It is most likely that they were forgotten by engineers and never closed the public configuration. This would allow anyone with an internet connection to access extremely sensitive documents,” Kromtech’s Bob Diachenko said.

“Not only could they access the documents, but any ‘authenticated users’ could have downloaded the data from the URL or using other applications. With no security in place, just a simple anonymous login would work.”
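The “authenticated users” point above is the crux: in S3 that grantee group means every AWS account holder worldwide, not the bucket owner's own users. The following check, an added example and not Kromtech's or BroadSoft's code, inspects a bucket ACL and bucket policy (in the dict shapes boto3's get_bucket_acl and get_bucket_policy return) and flags grants to the global AllUsers and AuthenticatedUsers groups or unconditional wildcard principals; the sample ACL and policy documents are constructed for illustration.

```python
"""Flag S3 buckets whose ACL or bucket policy opens data to the world or to any
AWS account holder.  Example code written for this page; the sample ACL and
policy below are constructed, not taken from any real bucket."""
import json

# Canned ACL group URIs used by S3.  "AuthenticatedUsers" does NOT mean users
# of your own account: it is every AWS account in existence, so a grant to it
# is effectively as public as a grant to AllUsers.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
RISKY_GROUPS = {ALL_USERS: "everyone (anonymous)",
                AUTHENTICATED_USERS: "any AWS account holder"}


def acl_findings(acl):
    """Return (who, permission) pairs for grants to the global groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in RISKY_GROUPS:
            findings.append((RISKY_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def _principal_is_wildcard(principal):
    # Principal may be "*", {"AWS": "*"} or {"AWS": [..., "*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_findings(policy_json):
    """Return (Sid, actions) for Allow statements open to any principal and
    carrying no Condition block.  A conditioned wildcard (e.g. restricted by
    aws:SourceVpce) is not flagged here and needs a human look."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if _principal_is_wildcard(st.get("Principal")):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append((st.get("Sid", "<no Sid>"), actions))
    return findings


def bucket_is_exposed(acl, policy_json=None):
    """True if the ACL or the policy lets strangers list or read objects."""
    exposed = any(perm in ("READ", "FULL_CONTROL") for _, perm in acl_findings(acl))
    if policy_json is not None:
        for _, actions in policy_findings(policy_json):
            if any(a in ("*", "s3:*", "s3:GetObject", "s3:ListBucket") for a in actions):
                exposed = True
    return exposed


# --- constructed sample documents (illustrative only) ---
LEAKY_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        # The footgun: read/list access for "Authenticated Users".
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}
PRIVATE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
                "Permission": "FULL_CONTROL"}],
}
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

if __name__ == "__main__":
    for name, acl, pol in (("leaky", LEAKY_ACL, LEAKY_POLICY),
                           ("private", PRIVATE_ACL, None)):
        print(name, "EXPOSED" if bucket_is_exposed(acl, pol) else "ok",
              acl_findings(acl), policy_findings(pol) if pol else [])
```

Note that Block Public Access settings and object-level ACLs are separate controls not covered by this check; a bucket that passes here can still expose individual objects granted public-read at upload time.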

The researchers found that the database included information on four million TWC customers collected between November 26, 2010 and July 7, 2017. The exposed data included customer billing addresses, phone numbers, usernames, MAC addresses, modem hardware serial numbers, account numbers, and details about the service settings and options for the accounts.

A spokesperson for TWC parent company Charter said the telly giant was aware of the cockup, and is notifying the customers who were exposed.

“Upon discovery, the information was removed immediately by the vendor, and we are currently investigating this incident with them,” Charter said. “There is no indication that any Charter systems were impacted. As a general security measure, we encourage customers who used the MyTWC app to change their user names and passwords.”

BroadSoft did not return a request for comment.

This wouldn’t be the first time errant settings on an AWS S3 instance have left records out in the open. Other poorly configured databases were blamed for leaking data on Chicago voters, Verizon subscribers, and even researchers with the Republican National Committee.


via:  theregister

Hackers Can Remotely Access Syringe Infusion Pumps to Deliver Fatal Overdoses


The Internet of Things is turning every industry into the computer industry, making customers think that their lives would be much easier with smart devices. However, such devices could potentially be compromised by hackers.

There are, of course, some really good reasons to connect certain devices to the Internet.

Medical devices are increasingly found vulnerable to hacking. Earlier this month, the US Food and Drug Administration (FDA) recalled 465,000 pacemakers after they were found vulnerable to hackers.

Now, it turns out that a syringe infusion pump used in acute care settings could be remotely accessed and manipulated by hackers to impact the intended operation of the device, ICS-CERT warned in an advisory.

An independent security researcher has discovered not just one or two, but eight security vulnerabilities in the Medfusion 4000 Wireless Syringe Infusion Pump, which is manufactured by Minnesota-based specialty medical device maker Smiths Medical.

The devices are used across the world for delivering small doses of medication in acute critical care, such as neonatal and pediatric intensive care and the operating room.

Some of the vulnerabilities discovered by Scott Gayou are high in severity and can easily be exploited by a remote attacker to “gain unauthorized access and impact the intended operation of the pump.”

According to the ICS-CERT, “Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.”

The most critical vulnerability (CVE-2017-12725) has been given a CVSS score of 9.8 and is related to the use of hard-coded usernames and passwords to automatically establish a wireless connection if the default configuration is not changed.

But does everything need to be connected? Of course not, especially when it comes to medical devices.

The high-severity flaws include:

  • A buffer overflow bug (CVE-2017-12718) that could be exploited for remote code execution on the target device in certain conditions.
  • Lack of authentication (CVE-2017-12720) if the pump is configured to allow FTP connections.
  • Presence of hard-coded credentials (CVE-2017-12724) for the pump’s FTP server.
  • Lack of proper host certificate validation (CVE-2017-12721), leaving the pump vulnerable to man-in-the-middle (MitM) attacks.

The remaining flaws are of medium severity and could be exploited by attackers to crash the communications and operational modules of the device, authenticate to telnet using hard-coded credentials, and obtain passwords from configuration files.

These vulnerabilities impact devices that are running versions 1.1, 1.5 and 1.6 of the firmware, and Smiths Medical has planned to release a new product version 1.6.1 in January 2018 to address these issues.

In the meantime, healthcare organizations are advised to apply defensive measures until patches are released, including assigning static IP addresses to pumps, monitoring network activity for malicious servers, installing the pumps on isolated networks, setting strong passwords, and regularly creating backups.



via:  thehackernews


IoT Device Hit by Credential Attack Every Two Minutes–Experiment Found

Internet of Things (IoT) botnets such as Mirai might not be in the headlines as often as they were several months ago, but the threat posed by insecure IoT devices is as high as before, a recent experiment has revealed.

Mainly targeting IP cameras, DVRs and routers that haven’t been properly secured, such botnets attempt to ensnare devices and use them for malicious purposes such as distributed denial of service (DDoS) attacks. Compromised IoT products are also used to scan the Internet for other vulnerable devices and add them to the botnet.

BASHLITE, Mirai, Hajime, Amnesia, Persirai, and similar botnets target DVR and IP camera systems via telnet or SSH attacks, and use a short list of commonly encountered login credentials, such as root:xc3511, root:vizxv, admin:admin, admin:default, and support:support.

According to recent research, there are nearly 7.5 million potentially vulnerable camera systems and around 4 million potentially vulnerable routers connected worldwide.

Prompted by recent news of a list of leaked login credentials associated with thousands of IPs (mostly routers) being posted online, Johannes B. Ullrich, Ph.D., Dean of Research at SANS Technology Institute, exposed a DVR to the Internet for two days and recorded all attempts to log in to it.

According to him, the device used the root:xc3511 login pair and recorded a total of 1254 login attempts from different IPs over a period of 45 hours. In other words, someone or something would log in to it every 2 minutes using the correct credentials, he says.

After performing a Shodan search, Ullrich retrieved information on 592 of the attacking devices, and reveals they were mainly coming from TP-Link, AvTech, Synology, and D-Link. The distribution of attacks matches that previously associated with Mirai, but the researcher notes that dozens of variants hit the device.

Last year, Ullrich performed a similar experiment and found that the DVR was being hit every minute and that multiple login pairs were being tried in each attack. His experiment and the emergence of Mirai brought the issue of weak credentials in IoT devices into the spotlight.

“So in short: 1,700 additional vulnerable systems will not matter. We do see a pretty steady set of 100,000-150,000 sources participating in telnet scans. This problem isn’t going away anytime soon,” Ullrich argues.

He also points out that, while malware such as BrickerBot attempted to break the vulnerable devices, the method isn’t effective either, because most of the impacted devices cannot be bricked by overwriting the disk, but only become temporarily unresponsive and recover after a reboot.

“Many of these devices are buggy enough, where the owner is used to regular reboots, and that is probably the only maintenance the owner will perform on these devices,” he says.
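The kind of analysis Ullrich's experiment relies on, written up here as an added example rather than his code: parse a honeypot's telnet login log, flag attempts that use the default credential pairs named in the article, and compute the mean interval between attempts. The log format and the sample lines are constructed for this example; the `mean_interval_minutes` helper is also applied to the article's own figures (1254 attempts in 45 hours).

```python
import re
from collections import Counter
from datetime import datetime

# Default credential pairs named in the article (the Mirai/BASHLITE-style list).
DEFAULT_CREDS = {("root", "xc3511"), ("root", "vizxv"), ("admin", "admin"),
                 ("admin", "default"), ("support", "support")}

# Constructed honeypot log lines in a hypothetical "key=value" format.
SAMPLE_LOG = """\
2017-09-10T12:00:00 src=198.51.100.7 user=root pass=xc3511 result=success
2017-09-10T12:02:10 src=203.0.113.4 user=admin pass=admin result=success
2017-09-10T12:03:55 src=198.51.100.9 user=root pass=letmein result=fail
2017-09-10T12:06:00 src=203.0.113.4 user=support pass=support result=success
2017-09-10T12:08:30 src=192.0.2.77 user=root pass=vizxv result=success
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) pass=(\S+) result=(\S+)$")


def is_default_credential(user, password):
    """True if the attempt used one of the well-known default pairs."""
    return (user, password) in DEFAULT_CREDS


def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, user, pw, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "user": user, "pw": pw, "result": result})
    return events


def mean_interval_minutes(attempts, hours):
    """Average minutes between attempts, e.g. 1254 in 45 h -> about 2.15 min."""
    return hours * 60 / attempts


def summarize(events):
    """Counts a defender would report: volume, sources, default-cred usage, rate."""
    span_hours = (events[-1]["ts"] - events[0]["ts"]).total_seconds() / 3600
    return {
        "attempts": len(events),
        "unique_sources": len({e["src"] for e in events}),
        "default_cred_attempts": sum(is_default_credential(e["user"], e["pw"]) for e in events),
        "successful": sum(e["result"] == "success" for e in events),
        "pairs": Counter((e["user"], e["pw"]) for e in events),
        "mean_interval_min": mean_interval_minutes(len(events), span_hours),
    }
```

Running `summarize(parse_log(SAMPLE_LOG))` over the constructed lines shows four of five attempts using a listed default pair, which is the pattern the article's botnets produce.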



via:  securityweek