Author Archives: Lucian Constantin

At least 700,000 routers given to customers by ISPs are vulnerable to hacking

More than 700,000 ADSL routers provided to customers by ISPs around the world contain serious flaws that allow remote hackers to take control of them.

Most of the routers have a “directory traversal” flaw in a firmware component called webproc.cgi that allows hackers to extract sensitive configuration data, including administrative credentials. The flaw isn’t new and has been reported by multiple researchers since 2011 in various router models.

Security researcher Kyle Lovett came across the flaw a few months ago in some ADSL routers he was analyzing in his spare time. He investigated further and unearthed hundreds of thousands of vulnerable devices from different manufacturers that had been distributed by ISPs to Internet subscribers in a dozen countries.

OpenSSL fixes serious denial-of-service bug, 11 other flaws

The mystery high-severity flaw that people expected to be fixed in OpenSSL is no Heartbleed, but it is serious and users should update.

Earlier this week, the OpenSSL Project advised users that patches scheduled to be released Thursday would address several security flaws, one of which was classified as high severity. The announcement gave rise to speculation, and some people thought the upcoming vulnerability might have wide-ranging impact, on par with the critical Heartbleed flaw disclosed last April, which affected Web servers, client software, mobile apps and even hardware appliances.

IT manager gets certificate for Microsoft domain, tries to report it but gets in trouble

After a security enthusiast discovered a loophole that allowed him to register a valid SSL certificate for Microsoft’s live.fi domain, he tried to responsibly disclose the issue. But instead of thanks he got locked out of his email, phone, Xbox and online storage accounts.

The issue was discovered by a Finnish man who works as an IT manager for a company in the industrial sector. He talked to the IDG News Service, but requested anonymity.

Microsoft’s Outlook.com email service allows users to have multiple email addresses called aliases under a single account. At the moment, the service only allows aliases to be created on the @outlook.com domain, but several months ago more domains were available.

EMET security tool updated to prevent VBScript God Mode attacks

Microsoft updated its Enhanced Mitigation Experience Toolkit (EMET), a free exploit prevention tool, to protect against attacks that attempt to bypass Internet Explorer’s sandbox using VBScript.

Microsoft first released EMET 5.2 last week, but re-released it Monday to fix issues that some customers experienced when running the tool in conjunction with Internet Explorer 11 on Windows 8.1.

The new version offers protection against so-called VBScript God Mode attacks, which rely on a method documented last year that can bypass anti-exploitation mechanisms like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and Control-Flow Integrity (CFI).

Microsoft blacklists fraudulently issued SSL certificate

Microsoft released an update to blacklist an SSL certificate for one of its domain names that was issued to an unauthorized third party.

The improperly issued certificate could be used to spoof content, launch phishing attacks, or perform man-in-the-middle HTTPS interception against the live.fi and www.live.fi Web properties, Microsoft said in a security advisory Monday.

The company updated the Certificate Trust List (CTL) included in Windows in order to blacklist the fraudulent certificate. Systems running Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012 and Windows Server 2012 R2 will receive the update automatically and transparently.

Yahoo’s new on-demand password system is no replacement for two-factor authentication

In an effort to simplify authentication for its services, Yahoo has introduced a new mechanism that allows users to log in with temporary passwords that are sent to their mobile phones.

If this sounds like a two-factor authentication system, where users need to provide one-time codes sent to their mobile phones in addition to their static passwords, it’s not. Yahoo already had that option.

Instead, the new log-in mechanism, which is based on what Yahoo calls on-demand passwords, still relies on a single factor: the user’s phone number.

Yahoo users (only those based in the U.S. for now) can turn on the new feature from their account security settings on Yahoo’s site. They will need to provide a phone number and then confirm that they have access to it by inputting a verification code sent to them via SMS.

Don’t trust other people’s USB flash drives, they could fry your laptop

Have you ever heard stories about malicious USB thumb drives frying laptops and thought they were far-fetched? An electronics engineer heard them too, and then set out to create a prototype.

The “USB Killer” device was created by a do-it-yourself hardware enthusiast who described his project, complete with pictures and technical details, on a Russian blogging platform in February. An English-language version was posted on a different site earlier this week.

The malicious USB thumb drive uses an inverting DC-to-DC converter to draw power from the computer’s USB port in order to charge a capacitor bank to -110 Volts (negative voltage). The power is then sent back into the USB interface via a transistor and the process is repeated in a loop.

New ransomware program targets gamers

A new malware program attempts to extort money from gamers by encrypting game saves and other user-generated files for popular computer games.

The new threat, which claims to be a variant of the notorious CryptoLocker ransomware, targets 185 file types, over 50 of which are associated with computer games and related software.

This is the first ransomware program to specifically target games, according to researchers from security firm Bromium, which recently found it. It was distributed via a drive-by download attack from a compromised website that directed users to the Angler exploit kit.

The malicious program encrypts game saves, maps, profiles, replays and mods, in other words, custom content that users would not be able to recover by simply reinstalling the game.

Code name found in Equation group malware suggests link to NSA

As security researchers continue to analyze malware used by a sophisticated espionage group dubbed the Equation, more clues surface that point to the U.S. National Security Agency being behind it.

In February, Russian antivirus firm Kaspersky Lab released an extensive report about a group that has carried out cyberespionage operations since at least 2001 and possibly even as far back as 1996. The report detailed the group’s attack techniques and malware tools.

The Kaspersky researchers have dubbed the group Equation and said that its capabilities are unrivaled. However, they didn’t link the group to the NSA or any other intelligence agency, despite similarities between its tools and those described in secret NSA documents leaked by Edward Snowden.

Windows PCs remained vulnerable to Stuxnet-like LNK attacks after 2010 patch

If you patched your Windows computers in 2010 against the LNK exploit used by Stuxnet and thought you were safe, researchers from Hewlett-Packard have some bad news for you: Microsoft’s fix was flawed.

In January, researcher Michael Heerklotz reported privately to HP’s Zero Day Initiative (ZDI) that the LNK patch released by Microsoft over four years ago can be bypassed.

This means that over the past four years attackers could have reverse-engineered Microsoft’s fix to create new LNK exploits that could infect Windows computers when USB storage devices got plugged into them. However, there’s no information yet to suggest this has happened.

Snowden docs show CIA’s attempts to defeat Apple device security

Researchers sponsored by the U.S. government have reportedly tried to defeat the encryption and security of Apple devices for years.

Several presentations given between 2010 and 2012 at a conference sponsored by the U.S. Central Intelligence Agency described attempts to decrypt the firmware in Apple mobile devices or to backdoor Mac OS X and iOS applications by poisoning developer tools.

Abstracts of the secret presentations were among the documents leaked by former U.S. National Security Agency contractor Edward Snowden to journalists and were published Tuesday by The Intercept.

Tool allows account hijacking on sites that use Facebook Login

A new tool allows hackers to generate URLs that can hijack accounts on sites that use Facebook Login, potentially enabling powerful phishing attacks.

The tool, dubbed Reconnect, was released last week by Egor Homakov, a researcher with security firm Sakurity. It takes advantage of a cross-site request forgery (CSRF) issue in Facebook Login, the service that allows users to log in on third-party sites using their Facebook accounts.

Homakov disclosed the issue publicly on his personal blog in January 2014, after Facebook declined to fix it because doing so would have broken compatibility with a large number of sites that used the service.

Cyberespionage arsenal could be tied to French intelligence agencies

A collection of computer Trojans that have been used since 2009 to steal data from government agencies, military contractors, media organizations and other companies is tied to cyberespionage malware possibly created by French intelligence agencies.

Researchers from several antivirus companies have found links between the malware programs, which they call Babar, Bunny, Casper, Dino, NBot and Tafacalou. Some share the same command-and-control servers and some use the same implementations for Windows process listing, process blacklisting or export hashing.

In January, German news magazine Der Spiegel published several secret documents about the malware activities of the U.S. National Security Agency and its closest partners, the intelligence agencies of the U.K., Canada, Australia and New Zealand, collectively known as the Five Eyes intelligence alliance.

Police arrest man in UK over US Defense Department network intrusion

British law enforcement agencies arrested a 23-year-old man suspected of being involved in a hacking attack last year against a satellite communications system operated by the U.S. Department of Defense.

The network intrusion occurred on June 15 and resulted in data being stolen from Enhanced Mobile Satellite Services (EMSS), a system operated by the U.S. Defense Information Systems Agency (DISA) that provides U.S. troops and other DoD employees with global communication capabilities, including data transfers and voice calls.

The stolen data included contact information for about 800 people, like names, titles, email addresses and phone numbers, as well as the identifying numbers (IMEIs) for 34,400 devices, the U.K. National Crime Agency (NCA) said Friday in a press release.

Windows systems are also vulnerable to FREAK attacks

A cryptographic library used in all Windows versions is affected by a recently disclosed vulnerability in SSL/TLS implementations that allows man-in-the-middle attackers to force clients and servers to use weak encryption. Internet Explorer and other programs using the library are affected.

The FREAK (Factoring Attack on RSA-EXPORT Keys) vulnerability stems from a decision made in the 1990s to limit the strength of RSA encryption keys to 512 bits in SSL (Secure Sockets Layer) implementations intended for export, in order to meet U.S. government rules on exports of encryption systems.

Those “export” cipher suites are no longer used today, but a team of researchers recently discovered that many servers still support them and some SSL/TLS clients, including Web browsers, can be forced to accept them because of bugs in the crypto libraries they rely on.

Adobe invites help hunting vulnerabilities in its online services

Adobe Systems launched a new program that encourages security researchers to find and report vulnerabilities in the company’s websites and other online services.

Unlike companies like Google, Mozilla, Facebook or Twitter that pay monetary rewards for vulnerabilities found in their Web properties, Adobe’s program only promises public recognition for such contributions.

“Bug hunters who identify a web application vulnerability in an Adobe online service or web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score,” said Pieter Ockers, the security program manager at Adobe, in a blog post Wednesday.

Some Bitdefender products break HTTPS certificate revocation

Aggressive adware applications that break the trust between HTTPS (HTTP Secure) websites and users have been at the center of controversy lately. But over the past week, HTTPS interception flaws of varying severity were also found in security programs, with products from antivirus vendor Bitdefender being the latest example.

Carsten Eiram, the chief research officer of vulnerability intelligence firm Risk Based Security, found that the latest versions of several Bitdefender products, namely Bitdefender Antivirus Plus, Bitdefender Internet Security and Bitdefender Total Security, do not check the revocation status of SSL certificates before replacing them with new ones that are signed using a root certificate installed locally. The products use this technique in order to scan encrypted HTTPS traffic for potential threats.

Europol and security vendors disrupt massive Ramnit botnet

European law enforcement agencies seized command-and-control servers used by Ramnit, a malware program that steals online banking credentials, FTP passwords, session cookies and personal files from victims.

Ramnit started out in 2010 as a computer worm capable of infecting EXE, DLL, HTM, and HTML files. However, over time it evolved into an information-stealing Trojan that’s distributed in a variety of ways.

Ramnit is capable of hijacking online banking sessions, stealing session cookies which can then be used to access accounts on various sites, copying sensitive files from hard drives, giving attackers remote access to infected computers and more.

Facebook fixed 61 high-severity flaws last year through its bug bounty program

As a result of reports received through its bug bounty program, Facebook confirmed and fixed 61 high-severity vulnerabilities last year, almost 50 percent more than in 2013.

Since 2011, the company has been paying monetary rewards to researchers who report flaws that could compromise the integrity or privacy of user data or could enable access to systems within its infrastructure.

While the minimum reward is US$500, there is no upper limit. The company decides how much to pay depending on a bug’s severity and sophistication. The program doesn’t cover only the facebook.com site and related services, but also other products that Facebook created or acquired, like Instagram, Parse, Onavo, Oculus, Moves and osquery.