STE WILLIAMS

High-end router flinger DrayTek admits to zero day in bunch of Vigor kit

Taiwanese network kit maker DrayTek has ‘fessed up to a vulnerability in a large number of its routers which could allow miscreants to hijack internet traffic or steal personal data.

The flaw means attackers could remotely alter the DNS settings on 28 Vigor router models, redirecting every device behind the router to resolvers of the attacker's choosing. DrayTek has released a series of firmware updates addressing the issue.

Users have complained about the problem for the last week on the AbuseIPDB forum. One noted the zero-day attack had infiltrated their servers, CRM and workstations.

“We now cannot log in as it is obvious this zero-day attack has changed our passwords including our VPN accounts [that] our remote users use to log in to the environment.”

DrayTek routers are considered high end in the UK – retailing at around £200, more than twice the price of garden-variety alternatives – and are mostly used by businesses. In 2015, BT’s Openreach accredited DrayTek for use of its very-high-bit-rate digital subscriber line 2 (VDSL2) fibre-to-the-cabinet products.

One business customer, who discovered his router was open to the vulnerability, told El Reg: “DrayTek routers are really expensive compared with other makes, they have an awful lot of features on them and this is the first known exploit I’ve come across.”

In a statement, the company said:

We have become aware of security reports with DrayTek routers related to the security of web administration when managing DrayTek routers.

In some circumstances, it may be possible for an attacker to intercept or create an administration session and change settings on your router.

The reports appear to show that DNS settings are being altered. Specific improvements have been identified as necessary to combat this and we are in the process of producing and issuing new firmware. You should install that as soon as possible.

Until you have the new firmware installed, you should check your router’s DNS settings on your router and correct them if changed (or restore from a config backup).
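The two checks DrayTek's statement implies, as an added example rather than anything from DrayTek: compare the resolver addresses a router hands out against an allow-list, and resolve a few canary names both through the router and through a resolver you trust, flagging any divergence. The script uses only the Python standard library; the router address 192.168.1.1 and the trusted resolver 9.9.9.9 in the usage block are placeholders, and the sample DNS response bytes are constructed in the script, not captured traffic.

```python
"""Router DNS tamper check: allow-list the configured resolvers, then compare
canary answers from the router against a trusted resolver. Added example."""
import random
import socket
import struct


def build_query(name, qid):
    """Minimal DNS A query: RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                         # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg, qid):
    """Return the sorted A-record addresses in a response, checking the txid."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return sorted(addrs)


def resolve_a(name, server, timeout=3.0):
    """Send one UDP query to `server` and parse the answer (live network call)."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, qid)


def unexpected_servers(configured, allowed):
    """Resolver addresses in the router's DNS settings that are not on the allow-list."""
    return [s for s in configured if s not in set(allowed)]


def divergent_canaries(router_answers, trusted_answers):
    """Canary names whose router-resolved addresses differ from the trusted resolver's."""
    return sorted(n for n in trusted_answers
                  if sorted(router_answers.get(n, [])) != sorted(trusted_answers[n]))


# Constructed sample response (not captured traffic): txid 0x1234, one A record
# for example.com, answer name compressed to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    + socket.inet_aton("93.184.216.34")
)

if __name__ == "__main__":
    ROUTER, TRUSTED = "192.168.1.1", "9.9.9.9"      # placeholders: LAN gateway, trusted resolver
    canaries = ["example.com", "www.google.com"]
    router = {n: resolve_a(n, ROUTER) for n in canaries}
    trusted = {n: resolve_a(n, TRUSTED) for n in canaries}
    print("divergent:", divergent_canaries(router, trusted))
```

Pick canary names whose answers are stable; CDN-fronted sites legitimately return different addresses depending on where the query comes from, so a divergence on those is a prompt to look closer rather than proof of hijack. A resolver address outside the allow-list, by contrast, is a hard finding.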

A survey by Broadband Genie recently found the vast majority of punters are potentially leaving themselves exposed by failing to change the password and security setting on their routers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/21/draytek_fesses_up_to_security_vuln_in_large_number_of_routers/

Penetration tester pokes six holes in Dell EMC’s RecoverPoint products

Infosec outfit Foregenix has uncovered six vulnerabilities in Dell EMC’s data protection platform RecoverPoint, three of which have been fixed.

Paul Taylor, a senior penetration tester at Foregenix, found five zero-day vulnerabilities in RecoverPoint devices, as well as an insecure configuration option.

The flaws, one of which is of critical severity, affected all versions of RecoverPoint prior to 5.1.2 and RecoverPoint for Virtual Machines prior to 5.1.1.3.

The critical vulnerability allowed unauthenticated remote code execution with root privileges. If an attacker had visibility of RecoverPoint on the network, or local access to it, they could gain complete control over RecoverPoint and its underlying Linux operating system.

Foregenix has reported all six vulnerabilities to Dell EMC. At the time of writing Dell EMC had issued CVE notices for three of the flaws and included them in an advisory published today. Details are as follows:

  • Critical unauthenticated remote code execution with root privileges via unspecified attack vector (CVE-2018-1235, CVSS 9.8, critical severity) – permits an attacker with visibility of a RecoverPoint device on the network to gain complete control over the underlying Linux operating system
  • Admin CLI arbitrary file read (CVE-2018-1242, CVSS 6.7, medium severity) – an attacker with access to the boxmgmt administrative menu can read files from the file system which are accessible to the boxmgmt user
  • LDAP credentials in Tomcat log file (CVE-2018-1241, CVSS 6.2, medium severity) – in certain conditions, RecoverPoint will leak plaintext credentials into a log file
  • World-readable log contains password hash (CVE not issued at time of writing) – RecoverPoint is shipped with a system password hash stored in a world-readable file
  • Hardcoded root password (CVE not issued at time of writing) – RecoverPoint uses a hardcoded root password which can only be changed by contacting the manufacturer
  • LDAP credentials sent in cleartext (CVE not issued at time of writing) – an insecure configuration option permits LDAP credentials sent by RecoverPoint to be intercepted by an attacker on the network path
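Two of the items above, a password hash sitting in a world-readable file and credentials written in the clear to a log, are cheap to audit for on any appliance you can get a shell on. The script below is an added example, not Foregenix's or Dell EMC's tooling: its regexes are heuristics for crypt(3)-style hashes and key=value credential assignments, the directory tree it scans is constructed in the script, and file names such as catalina.out are illustrative.

```python
"""Audit a tree for world-readable password hashes and plaintext credentials.
Added example; heuristics only, sample tree constructed below."""
import os
import re
import stat
import tempfile
from pathlib import Path

# crypt(3)-style hashes: $1$ md5, $2a/$2b/$2y bcrypt, $5$ sha256, $6$ sha512, $y$ yescrypt
HASH_RE = re.compile(r"\$(?:1|2[aby]|5|6|y)\$[^\s:]{4,}")
# key=value / key: value credential assignments as they appear in logs and configs
CRED_RE = re.compile(r"(?i)\b(?:password|passwd|bindpw|bindpassword|secret)\s*[=:]\s*\S+")


def is_world_readable(path):
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def scan_tree(root):
    """Return (path, line_number, kind) findings for every regular file under root."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        try:
            lines = p.read_text(errors="replace").splitlines()
        except OSError:
            continue
        world_readable = is_world_readable(p)
        for n, line in enumerate(lines, 1):
            # a hash is only a finding when anyone on the box can read it
            if world_readable and HASH_RE.search(line):
                findings.append((str(p), n, "world-readable password hash"))
            # a plaintext credential is a finding regardless of file mode
            if CRED_RE.search(line):
                findings.append((str(p), n, "plaintext credential"))
    return findings


def summarize(findings):
    """Set of (basename, kind) pairs, convenient for reporting and for tests."""
    return {(os.path.basename(p), kind) for p, _, kind in findings}


def build_sample_tree():
    """Constructed sample: three files with the modes and contents that matter."""
    root = tempfile.mkdtemp(prefix="rp-audit-")
    samples = {
        # world-readable log embedding a (fake) sha512-crypt hash -> flagged
        ("var/log/system.log", 0o644):
            "May 21 10:00:01 host setup: admin hash $6$saltsalt$FAKEFAKEFAKEFAKEFAKEFAKE\n",
        # shadow-style file with a hash but mode 0600 -> not flagged
        ("etc/shadow", 0o600):
            "root:$6$saltsalt$FAKEFAKEFAKEFAKEFAKEFAKE:17000:0:99999:7:::\n",
        # application log that wrote an LDAP bind password in the clear -> flagged
        ("opt/tomcat/logs/catalina.out", 0o644):
            "INFO ldap bind dn=cn=svc,dc=example,dc=com bindPassword=NotARealPassword1\n",
    }
    for (rel, mode), content in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
        path.chmod(mode)
    return root


if __name__ == "__main__":
    for path, n, kind in scan_tree(build_sample_tree()):
        print(f"{kind}: {path}:{n}")
```

Run it against /var/log, /opt and /etc on the appliance rather than the sample tree; expect false positives from the credential regex (redacted values, documentation) and triage by hand. It will not tell you whether the root password is hardcoded, which needs the vendor, nor whether LDAP is bound over plaintext, which you check in the LDAP configuration and on the wire.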

Foregenix has published further details of these vulnerabilities. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/21/dell_emc_recoverpoint_flaws/

‘Roaming Mantis’ Android Malware Evolves, Expands Targets

Roaming Mantis has evolved rapidly, adding geographies, platforms, and capabilities to its original scope.

The trend of malware that evolves and adapts continues with the so-called Roaming Mantis malware targeting Android devices, which has broadened both its geographic range and its functional scope.

In its new form, it’s ticking off boxes for almost all the most popular malware trends. Mobile malware? Check. Roaming Mantis (also called XLoader and MoqHao by researchers) is malware that targets Android devices (though the latest version includes phishing modules aimed at iOS users as well).

Cryptojacking? Check. The latest evolution of the malware adds cryptocurrency mining to the banking trojan payload of the original.

International scope? Check. While the original Roaming Mantis was a creature of southeast Asia, the new version has support for 27 different languages to allow for a much wider circulation.

DNS hijacking? Another check. Roaming Mantis spreads by altering the DNS settings of compromised routers, so that users on those networks are redirected to pages that push the malicious app; each newly infected network becomes a launching point for the next.

Rapid evolution? The final check. In less than a month, Roaming Mantis has broadened its capabilities and enhanced its evasion techniques, which has all the hallmarks of a well-funded, professional malware development operation.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/endpoint/roaming-mantis-android-malware-evolves-expands-targets/d/d-id/1331850?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google to Delete ‘Secure’ Label from HTTPS Sites

Google acknowledges HTTPS as the Internet standard with plans to remove ‘secure’ from all HTTPS sites.

Google plans to remove the “secure” label from HTTPS websites starting in September 2018, a move intended to acknowledge HTTPS as the standard for browser security. Users should expect all the sites they visit to be secured with HTTPS, the company reported last week.

Earlier this year, Google announced plans to mark all HTTP sites as “not secure” and alert users when they visit unencrypted pages. Previously, HTTP usage was too high to brand all unsecured pages with a warning. Now HTTPS is more common so Google is making it the standard by flagging unencrypted websites and removing secure indicators from encrypted ones.

“I like the idea of assuming a ‘secure’ setting by default and training users to accept a secure, default setting,” says Dr. Engin Kirda, co-founder and Chief Architect at Lastline. “I expect users will be more likely to take ‘not secure’ warnings more seriously rather than actively check that a website is secure, as in the past.”

The change will come into effect in Chrome 69.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/google-to-delete-secure-label-from-https-sites/d/d-id/1331851?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dark Reading Conference Call for Speakers Closes Friday

Don’t be shy, security practitioners. Share your best practices at our 2nd annual INsecurity Conference, to be held Oct. 23-25 in Chicago.

Calling all security pros: the Call for Speakers for Dark Reading’s second annual INsecurity Conference closes this Friday, May 25th.

We’re moving to Chicago for INsecurity this year, Oct. 23-25, and we want to bring all the ideas for security best practices with us. Figured out some foolproof end-user awareness training program and chopped down your phishing problems? Lay it on us. Survived a massive identity management overhaul and want to save other people the pain you suffered? We’d appreciate your service. Have you got a big idea about cloud, appsec, incident response, mobile security, intelligence analysis, malware defense, risk management, compliance, endpoint security, or any other topic in security that you think your blue-team colleagues must hear? We want to know.

You can choose from two types of session formats: track session or hot topic. A track session is generally a more traditional podium-and-PowerPoint style. A hot topic session is a moderated discussion with attendees, where the speaker will provide a short introduction to the topic and then will act as moderator, guiding the discussion toward constructive, useful conclusions.

Proposals will be chosen on the basis of their usefulness to an audience of IT and security professionals and the ability of the speaker to show practical experience on the topic. No vendor product presentations will be accepted in this call for speakers, though there will be vendor presentations in the exhibit hall.

More information about the INsecurity program, as well as registration for the conference Oct. 23-25 at the Sheraton Chicago will be posted soon. Check out https://insecurity.com/2018-call-speakers to submit your abstracts now. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: https://www.darkreading.com/careers-and-people/dark-reading-conference-call-for-speakers-closes-friday/d/d-id/1331853?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

ZipperDown catches 16,000 iOS apps with their pants down

These days, there seem to be two types of security vulnerabilities – those with alarming names and eye-catching logos, and those that make do with mere CVE numbers.

The latest example of the naming trend is ZipperDown, uncovered by Chinese jailbreakers Pangu Lab, affecting iOS apps and possibly some Android ones too.

The company offers only minimal detail on the flaw, describing it as:

A common programming error, which leads to severe consequences such as data overwritten and even code execution in the context of affected apps.

This sounds like trouble, but this time the eye-catching bit is the number of apps the company believes might suffer from it: 15,978 (9.5 per cent) of the 168,951 iOS apps it examined in the App Store, affected apps which between them have been downloaded about 100 million times.

Pangu admits this is an estimate, since checking that many apps individually is not feasible.

As for other platforms:

We have confirmed that many popular Android apps have similar issues. We will release more results for Android apps in future.

The company manually verified that a number of Chinese apps are affected including Weibo, MOMO, NetEase Music, QQ Music and Kwai, while Instagram, Pandora, Dropbox, Amazon and a Google app or two are on the long list.

Working out which apps are affected will require developers to carry out manual checks, app-by-app.

On the face of it, while ZipperDown sounds like a big issue, as flaws-with-their-own-names go this one is probably a bit second division.

As Pangu Lab alludes to in its advisory, exploiting it appears to require control of the network the device is connected to, for example a compromised public Wi-Fi hotspot. That’s not hard to imagine happening, but it still limits the chances of compromise for most users.

The company also admits:

The sandbox on both iOS and Android can effectively limit ZipperDown’s consequence.

An unsettling aspect of the alert is that while the company has kept the guts of the flaw to itself (to give app developers time to check for the problem and fix it), further details seem to be known elsewhere, with some claiming the problem is a path traversal issue in ZipArchive, a widely used zip-handling library: an archive entry whose name contains ../ segments gets written outside the directory the app meant to extract into, overwriting the app’s own files.

If that’s true, exploits might not be far off. App makers need to check their software for the issue and correct it as soon as possible.
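The bug class the previous paragraphs describe, zip path traversal, shown as an added example rather than anything from Pangu Lab or the ZipArchive project. Python stands in for the Objective-C an iOS app would use, because the mechanism is the same in any language: a loop that joins each entry name onto the destination directory without validation, beside a hardened version that resolves every target and refuses anything outside the destination. The archive, the entry name and the scratch directories are constructed in the script.

```python
"""Zip path traversal ("Zip Slip"): vulnerable extraction loop beside the fix.
Added example; the archive is built here and contains a ../ entry."""
import io
import os
import tempfile
import zipfile
from pathlib import Path

TRAVERSAL_ENTRY = "../../Library/Preferences/app.plist"   # illustrative target name


def make_malicious_zip():
    """Two entries: one benign, one whose name climbs out of the extraction dir."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/banner.png", b"not really a png")
        z.writestr(TRAVERSAL_ENTRY, b"attacker-controlled contents")
    return buf.getvalue()


def naive_extract(zip_bytes, dest):
    """The vulnerable pattern: join the stored name onto dest and write, no checks.
    (zipfile.extractall() strips such names itself; this loop deliberately does not.)"""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(z.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(zip_bytes, dest):
    """Hardened: resolve each target and refuse anything outside dest.
    Returns (written_paths, rejected_entry_names)."""
    dest_real = Path(dest).resolve()
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            # absolute names and backslash-separated names are never legitimate here
            if name.startswith(("/", "\\")) or "\\" in name:
                rejected.append(name)
                continue
            target = (dest_real / name).resolve()
            if target != dest_real and dest_real not in target.parents:
                rejected.append(name)                 # escaped the destination
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(z.read(info))
            written.append(str(target))
    return written, rejected


def run_demo():
    """Extract the same archive both ways into a scratch tree and report the outcome."""
    root = Path(tempfile.mkdtemp(prefix="zipslip-")).resolve()
    naive_dest = root / "naive" / "app"
    safe_dest = root / "safe" / "app"
    naive_dest.mkdir(parents=True)
    safe_dest.mkdir(parents=True)
    data = make_malicious_zip()
    naive_written = naive_extract(data, str(naive_dest))
    # the ../../ entry lands two levels above naive_dest, i.e. under root
    escaped = (root / "Library" / "Preferences" / "app.plist").exists()
    safe_written, rejected = safe_extract(data, str(safe_dest))
    return {
        "naive_written": naive_written,
        "escaped_extraction_dir": escaped,
        "safe_written": safe_written,
        "rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The check that matters is the one on the resolved path, not a search for the literal string "..": names such as "a/../../x" or symlinked directories defeat string matching, while comparing the canonical target against the canonical destination does not. Treat a rejected entry as a reason to abort the whole extraction, since an archive carrying one is hostile by construction.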

Whatever else it is, ZipperDown is an unusual flaw. With so many apps apparently affected, and so many app developers needing to be informed, responsible disclosure becomes a huge communications issue. As much as we might dislike the trend for PR-first vulnerability naming, perhaps giving this flaw a fancy name and its own badge was the right attention-grabbing tactic in this case.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/h-oKgeaoCSM/