Security News

Microsoft has released its monthly security update for February 2018, addressing a total of 50 CVE-listed vulnerabilities in its Windows operating system, Microsoft Office, web browsers and other products. Fourteen of the security updates are listed as critical, 34 are rated as important, and 2 of them are rated as moderate in severity.

The critical update patches serious security flaws in Edge browser and Outlook client, an RCE in Windows’ StructuredQuery component, and several memory corruption bugs in the scripting engines used by Edge and Internet Explorer.

Critical Microsoft Outlook Vulnerability

One of the most severe bugs includes a memory corruption vulnerability (CVE-2018-0852) in Microsoft Outlook, which can be exploited to achieve remote code execution on the targeted machines.

In order to trigger the vulnerability, an attacker needs to trick a victim into opening a maliciously crafted message attachment or viewing it in the Outlook Preview Pane. This would allow the arbitrary code inside the malicious attachment to execute in the context of the victim’s session. If the victim is logged on with administrative user rights, the attacker could take control of the affected system, eventually allowing them to install programs, create new accounts with full user rights, or view, change or delete data.

“What’s truly frightening with this bug is that the Preview Pane is an attack vector, which means simply viewing an email in the Preview Pane could allow code execution,” explained the Zero Day Initiative (ZDI).

“The end user targeted by such an attack doesn’t need to open or click on anything in the email – just view it in the Preview Pane. If this bug turns into active exploits – and with this attack vector, exploit writers will certainly try – unpatched systems will definitely suffer.”

The second Outlook vulnerability (CVE-2018-0850), rated as important, is a privilege escalation flaw that can be leveraged to force the affected version of Outlook to load a message store over SMB from a local or remote server.

Attackers can exploit the vulnerability by sending a specially crafted email to an Outlook user, and since the bug can be exploited when the message is merely received (before it is even opened), the attack could take place without any user interaction.

“Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email,” Microsoft explains in its advisory. “This update addresses the vulnerability by ensuring Office fully validates incoming email formatting before processing message content.”
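Because CVE-2018-0850 makes Outlook reach out over SMB to a server named in the email, a workstation opening an SMB connection to an Internet address is the observable side of the bug. The Python below is an added example, not code from Microsoft's advisory or this article: it parses constructed firewall log lines (the key=value layout, the addresses and the list of internal networks are all assumptions of the example) and returns the SMB connections (TCP 445, and 139 for the NetBIOS session service) from internal hosts to addresses outside the internal ranges. Denied attempts are kept as well, since a blocked connection still points at the mailbox that received the message.

```python
"""Flag SMB connections from internal hosts to Internet addresses.

Added example, not from Microsoft's advisory or the article. The firewall
log lines, their key=value layout and INTERNAL_NETS are constructed
assumptions for this example.
"""
import ipaddress
import re

SMB_PORTS = {445, 139}   # SMB direct and NetBIOS session service

# Address space treated as "ours"; a real deployment lists its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed log: timestamp followed by key=value pairs, one connection per line.
SAMPLE_FIREWALL_LOG = """\
2018-02-14T09:12:01Z action=allow proto=tcp src=10.20.5.17 sport=51234 dst=10.20.1.4 dport=445
2018-02-14T09:12:07Z action=allow proto=tcp src=10.20.5.17 sport=51240 dst=203.0.113.45 dport=445
2018-02-14T09:12:09Z action=allow proto=tcp src=10.20.5.17 sport=51241 dst=198.51.100.7 dport=443
2018-02-14T09:13:30Z action=allow proto=tcp src=10.20.5.88 sport=49822 dst=198.51.100.7 dport=139
2018-02-14T09:14:02Z action=deny proto=tcp src=10.20.5.88 sport=49830 dst=192.0.2.10 dport=445
2018-02-14T09:15:00Z action=allow proto=udp src=10.20.5.88 sport=137 dst=10.20.255.255 dport=137
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict; the timestamp is the first token."""
    ts, _, rest = line.partition(" ")
    rec = dict(FIELD.findall(rest))
    rec["ts"] = ts
    return rec


def is_internal(addr):
    """True if the address falls in one of the assumed internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def smb_egress_events(log_text):
    """(ts, src, dst, dport, action) for TCP SMB connections to external hosts.

    Denied connections are kept on purpose: the attempt itself shows that a
    client was induced to contact a server it had no business talking to.
    """
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("proto") != "tcp":
            continue
        dport = int(rec["dport"])
        if dport not in SMB_PORTS or is_internal(rec["dst"]):
            continue
        events.append((rec["ts"], rec["src"], rec["dst"], dport, rec["action"]))
    return events


def hosts_to_triage(events):
    """Sources whose SMB egress was allowed; those machines go first, since
    the remote server actually received a connection from them."""
    return sorted({src for _, src, _, _, action in events if action == "allow"})


if __name__ == "__main__":
    found = smb_egress_events(SAMPLE_FIREWALL_LOG)
    for ts, src, dst, dport, action in found:
        print(f"{ts} {src} -> {dst}:{dport} ({action})")
    print("triage first:", hosts_to_triage(found))
```

Blocking outbound 445 and 139 at the perimeter removes the remote-server variant outright; the local-server case the advisory also mentions is not visible to this check.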

Both Outlook vulnerabilities were discovered and reported to the tech giant by Nicolas Joly, a Microsoft researcher and former Pwn2Own winner.

Critical Microsoft Edge Vulnerability

Another critical flaw (CVE-2018-0763) is an information disclosure vulnerability in Microsoft Edge that exists because the browser improperly handles objects in memory.

An attacker can exploit this vulnerability to successfully obtain sensitive information to compromise the victim’s machine further.

“To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability,” Microsoft explains.

“However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could trick a user into clicking a link that takes the user to the attacker’s site.”

Other critical issues include several Scripting Engine Memory Corruption vulnerabilities in Microsoft Edge that could be exploited to achieve remote code execution in the context of the current user.

A further Microsoft Edge flaw (CVE-2018-0839), rated as important, is also an information disclosure vulnerability caused by Edge improperly handling objects in memory.

Successful exploitation of the bug could allow attackers to obtain sensitive information to compromise the user’s system further.

Internet Explorer also got a patch to address an information disclosure vulnerability (CVE-2018-0847), rated important, that would let a webpage use VBScript to fetch stored information from memory.

Publicly Disclosed Vulnerability Before Being Patched

Although the list of patched vulnerabilities does not include any zero-day flaws, one of the security flaws (CVE-2018-0771) in Microsoft Edge was publicly known before the company released patches, but was not listed as being under active attack.

Listed as Moderate, the issue is a Same-Origin Policy (SOP) bypass vulnerability which occurs due to Microsoft Edge’s improper handling of requests of different origins.

The vulnerability could allow an attacker to craft a webpage that bypasses the SOP restrictions and gets the browser to send data from other sites, requests that should otherwise be ignored because of the SOP restrictions in place.

Users are strongly advised to apply security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers.

 

The information contained in this website is for general information purposes only. The information is provided by The Hacker News and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

The FTC is warning users to read the fine print and do their homework before purchasing a VPN app as users could be opening themselves up to the very exploits they are looking to avoid.

The consumer protection agency cited a report which studied 300 VPN apps and found that many of the applications didn’t use encryption and requested sensitive information or unexpected privileges. Some of the apps even sold user information to third parties to serve advertisements or to analyze user data to see how people are using particular sites and services.

Before downloading a VPN application, the agency recommends users research the VPN app they are looking to download to make sure the app will deliver the security and privacy that it promises. That includes reviewing the permissions that the app will request during installation or at the time of use. Users should be concerned if an app requests particularly sensitive permissions such as permission to read text messages.

Behaviour like this puts users at risk of exposing their information to exactly the kind of snooping that led them to use a VPN in the first place, for example when seeking anonymity.
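The permission review the FTC recommends can be done before installing, straight from the app's manifest. The Python below is an added example, not code from the FTC report or this article: it reads an AndroidManifest.xml (a constructed manifest for a fictional app is embedded) and reports permissions that a VPN client has no need for, along with whether the app actually declares a VpnService. The EXPECTED and SENSITIVE lists are this example's own assumptions about what a VPN client needs.

```python
"""Review the permissions an Android VPN app asks for.

Added example: parses an AndroidManifest.xml and flags permissions that a
VPN client does not need. The sample manifest is constructed for a fictional
app, and the EXPECTED/SENSITIVE sets are this example's assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID = "{%s}" % ANDROID_NS   # Clark-notation prefix for android: attributes

# What a VPN client plausibly needs (assumption for this example).
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
}

# Permissions that expose data unrelated to tunnelling traffic.
SENSITIVE = {
    "android.permission.READ_SMS": "read text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.CAMERA": "use the camera",
    "android.permission.READ_PHONE_STATE": "read device identifiers",
}

# Constructed manifest for a fictional app; not any real product's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Free VPN">
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID + "name") for el in root.iter("uses-permission")}


def declares_vpn_service(manifest_xml):
    """True if a <service> is guarded by BIND_VPN_SERVICE, i.e. the app can
    really open a tunnel through VpnService rather than only claim to."""
    root = ET.fromstring(manifest_xml)
    return any(
        svc.get(ANDROID + "permission") == "android.permission.BIND_VPN_SERVICE"
        for svc in root.iter("service")
    )


def review_vpn_manifest(manifest_xml):
    """Findings: sensitive permissions with what they allow, other permissions
    outside EXPECTED, and whether a VpnService is actually declared."""
    perms = requested_permissions(manifest_xml)
    return {
        "sensitive": {p: SENSITIVE[p] for p in sorted(perms) if p in SENSITIVE},
        "unexpected": sorted(perms - EXPECTED - set(SENSITIVE)),
        "has_vpn_service": declares_vpn_service(manifest_xml),
    }


if __name__ == "__main__":
    report = review_vpn_manifest(SAMPLE_MANIFEST)
    for perm, capability in report["sensitive"].items():
        print(f"WARNING {perm}: lets the app {capability}")
    for perm in report["unexpected"]:
        print(f"REVIEW  {perm}: not needed by a VPN client")
    if not report["has_vpn_service"]:
        print("WARNING no VpnService declared: the app cannot tunnel traffic at all")
```

For a real app the manifest comes out of the APK with a decoder such as apktool, or `aapt dump permissions app.apk` lists the requested permissions directly; the review logic is the same either way.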

Consumers should also understand that VPN apps generally don’t make users entirely anonymous.

“Instead, the app will typically obscure the content of your traffic from your internet service provider or public Wi-Fi provider, shifting trust from those networks to the VPN app provider,” the report said. “In addition, sites you visit may be able to determine that you are using a VPN app, and can still use any identifying information you directly share with them (for example, filling out a form with your email address) to track you.”

Even VPNs promoted by trusted brands can defeat the purpose they are used for, NordVPN researchers warn. Earlier this month, the firm reported that Facebook’s Onavo VPN collected user data.

“The purpose of a VPN is to provide its users with online privacy and security by encrypting all data exchanged between a user’s device and a VPN server. Reputable VPNs do not keep any user logs,” NordVPN Chief Management Officer Marty P. Kamden said in a Feb. 15 press release. “Unfortunately, Facebook’s VPN seems to do the opposite – its goal is data collection, while it’s disguised as a privacy tool.”

While the VPN establishes an encrypted tunnel to reroute the traffic, researchers noted that a privacy focused VPN will never monitor the online habits of its users by keeping activity logs, even under the guise of using the data to help improve services.

Kamden said this discredits VPNs and deprives people of the online protection they need, especially when using a VPN in countries where freedom of speech is restricted. The problem ultimately stems from users not knowing how or where their data is ultimately used.

 

The information contained in this website is for general information purposes only. The information is provided by SC Magazine and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

The unidentified attackers found their way in through cracks in Tesla’s cloud environment, according to a report issued by RedLock security on February 20. The miners gained access via an unprotected Tesla Kubernetes console (Kubernetes is an open-source system for managing containerised applications). Exposed on this console were the access credentials to Tesla’s Amazon Web Services (AWS) environment. Once they had access to the console, the attackers were able to run scripts that let them stealthily mine cryptocurrency.

RedLock Vice President Upa Campbell told Motherboard over the phone that crypto mining incidents have increased in tandem with rising cryptocurrency prices.
“As the values of crypto currencies rise we are seeing an epidemic,” Campbell said.
Campbell also said that for some hackers, crypto mining may offer easier profits than more traditional data extraction.
“It used to be lucrative for hackers to steal a company’s data but hackers will always take the path of least resistance,” she said. “Cryptojacking is a lot easier because they get into the environment and simply leverage the computer systems to generate money.”

In an interview with Fortune, RedLock CEO Varun Badhwar said that the attackers used the cryptocurrency mining pool protocol Stratum to launch the attack. The exact type and amount of currency mined from Tesla remains unknown, as does the total time during which the attackers had access.
In an email to Motherboard a Tesla spokesperson said that they did not think this attack would directly affect Tesla customers, since the accessible data was from test cars and not customers.
“We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it,” the spokesman said. “The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.”

 

The information contained in this website is for general information purposes only. The information is provided by Motherboard Vice and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

Spy chiefs from Britain, France and Germany, meeting at the Munich Security Conference, today warned that their intelligence co-operation post-Brexit is ‘indispensable’, in an unprecedented public intervention. Alex Younger, the head of MI6, and his European counterparts appeared in public together for the first time to stress the necessity of their close ties when Britain leaves the EU. Germany’s BND President Bruno Kahl and France’s DGSE chief Bernard Émié joined him to press Brussels over the need for continued security links.

On the eve of Theresa May’s speech in Munich on security, the trio also pushed for an agreement on cross-border information sharing in order to monitor suspect terrorists. In a warning shot to Brussels ahead of crucial negotiations, they said the failure to be able to mount a collective modern response to modern threats would ‘lead to even greater risk’.

A modern response would include technological innovation, hybrid capabilities and the ability to be more creative and more agile to counter growing threats. Following a top-secret trilateral meeting in Germany, they stressed the need for close ties on international terrorism, illegal migration, proliferation and cyber attacks.

 

The information contained in this website is for general information purposes only. The information is provided by Dailymail and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

“I don’t want to live in a world where younger generations grow up without privacy.”

Last year, a vigilante hacker broke into the servers of a company that sells spyware to everyday consumers and wiped their servers, deleting photos captured from monitored devices. A year later, the hacker has done it again.

Thursday, the hacker said he started wiping some cloud servers that belong to Retina-X Studios, a Florida-based company that sells spyware products targeted at parents and employers, but that are also used by people to spy on their partners without their consent.

Retina-X was one of two companies that were breached last year in a series of hacks that exposed the fact that many otherwise ordinary people surreptitiously install spyware on their partners’ and children’s phones in order to spy on them. This software has been called “stalkerware” by some. This spyware allows people to have practically full access to the smartphone or computer of their targets. Whoever controls the software can see the photos the target snaps with their phone, read their text messages, or see what websites they go to, and track their location.

A Retina-X spokesperson said in an email Thursday that the company hasn’t detected a new data breach since last year. Friday morning, after the hacker told us he had deleted much of Retina-X’s data, the company again said it had not been hacked. But Motherboard confirmed that the hacker does indeed have access to its servers.

Friday, Motherboard created a test account using Retina-X’s PhoneSheriff spyware in order to verify the hacker’s claims. We downloaded and installed PhoneSheriff onto an Android phone and used the phone’s camera to take a photo of our shoes.

“I have 2 photos of shoes,” the hacker told us moments later.

The hacker also described other photos we had on the device, told us the email account we used to register the account, and then deleted the data from our PhoneSheriff account.

“None of this should be online at all,” the hacker told Motherboard, claiming that he had deleted a total of 1 terabyte of data.

“Aside from the technical flaws, I really find this category of software disturbing. In the US, it’s mainly targeted to parents,” the hacker said, explaining his motivations for going after Retina-X. “Edward Snowden has said that privacy is what gives you the ability to share with the world who you are on your own terms, and to protect for yourself the parts of you that you’re still experimenting with. I don’t want to live in a world where younger generations grow up without that right.”

In the first Retina-X data breach last year, the hacker was able to access private photos, messages, and other sensitive data from people who were monitored using one of Retina-X’s products. The private data was stored in containers provided by cloud provider Rackspace. The hacker found the key and credentials to those containers inside the Android app of PhoneSheriff, one of Retina-X’s spyware products. The API key and the credentials were stored in plaintext, meaning the hacker could take them and gain access to the server.

This time, the hacker said the API key was obfuscated, but it was still relatively easy for him to obtain it and break in again. Because he feared another hacker getting in and then posting the private photos online, the hacker decided to wipe the containers again.
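The Tesla and Retina-X incidents share a root cause: long-lived credentials sitting in plaintext, or merely encoded, where anyone who reaches the artefact can read them, whether that artefact is a pod spec on an exposed Kubernetes console or a string inside a shipped Android app. The Python below is an added example, not code from either company, RedLock or Motherboard: it scans text for hard-coded cloud credentials, decoding base64 tokens first so that encoding-as-obfuscation does not hide them. The key formats (AWS access key IDs start with AKIA or ASIA; Rackspace API keys are 32 hex characters) are assumptions stated in the code, the sample pod manifest and app strings are constructed, and every credential value in them is fake (the AWS values are the placeholders AWS uses in its own documentation).

```python
"""Scan text for hard-coded cloud credentials.

Added example, not code from any company or researcher named in these
stories. Key formats are assumptions drawn from the public formats: AWS access
key IDs are 20 characters starting AKIA (long-lived) or ASIA (temporary);
Rackspace API keys are 32 hex characters. Sample inputs are constructed and
the credential values in them are fake.
"""
import base64
import binascii
import math
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "rackspace_api_key": re.compile(r"\b[0-9a-f]{32}\b"),
}
# Variable names that suggest the value next to them is a secret.
SECRET_NAME = re.compile(r"secret|passw(?:or)?d|api[_-]?key|token", re.IGNORECASE)
# A `name = value` / `name: value` assignment on one line.
ASSIGNMENT = re.compile(r"""([A-Za-z_][\w.-]*)\s*[:=]\s*["']?([^\s"']+)["']?""")
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed pod spec of the kind an exposed Kubernetes console would show.
# The AWS values are the placeholders from AWS's own documentation.
SAMPLE_POD_MANIFEST = """apiVersion: v1
kind: Pod
metadata:
  name: telemetry-worker
spec:
  containers:
    - name: worker
      image: example/worker:1.0
      env:
        - name: AWS_ACCESS_KEY_ID
          value: AKIAIOSFODNN7EXAMPLE
        - name: AWS_SECRET_ACCESS_KEY
          value: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
        - name: LOG_LEVEL
          value: info
"""

# Constructed lines from a decompiled client app; the key is base64-encoded
# rather than plaintext, the kind of "obfuscation" that buys nothing.
SAMPLE_APP_STRINGS = """com.example.monitor.UploadService
String username = "monitor-uploads";
String apiKey = "YjY3ZTk3NmQ1NjA5NGU1M2JiNDRjOTIwMjJmZTA2NDQ=";
https://storage.example.invalid/v1/
"""


def shannon_entropy(s):
    """Bits per character; random secrets score well above prose or names."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def try_base64(token):
    """Decode a base64 token if it yields printable ASCII, else None."""
    if len(token) < 16 or len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan(text):
    """Return (line_no, kind, value) findings for one text blob."""
    findings = []
    pending_name = None  # last `name:` seen, for Kubernetes-style name/value pairs
    for n, line in enumerate(text.splitlines(), 1):
        m = re.search(r"\bname:\s*(\S+)", line)
        if m:
            pending_name = m.group(1)
        # Inspect the raw line and whatever any base64 token on it decodes to.
        candidates = [line] + [d for d in map(try_base64, BASE64_TOKEN.findall(line)) if d]
        for cand in candidates:
            for kind, pat in PATTERNS.items():
                findings.extend((n, kind, hit) for hit in pat.findall(cand))
            for name, value in ASSIGNMENT.findall(cand):
                if name == "value" and pending_name:
                    name = pending_name
                if SECRET_NAME.search(name) and len(value) >= 20 and shannon_entropy(value) > 4.0:
                    findings.append((n, "high_entropy_secret", value))
    return findings


if __name__ == "__main__":
    for label, blob in (("pod manifest", SAMPLE_POD_MANIFEST), ("app strings", SAMPLE_APP_STRINGS)):
        for n, kind, value in scan(blob):
            print(f"{label} line {n}: {kind} {value}")
```

The bare 32-hex pattern also fires on MD5 sums and similar, so treat the output as a triage list rather than a verdict. The finding worth acting on in both stories is the same: a credential that had to be readable by the client or the pod spec was a credential anyone reaching that artefact could reuse.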

Shortly after Motherboard first reported the Retina-X breach in February of last year, a second hacker independently approached us, and said they already had been inside the company’s systems for some time. The hacker provided other internal files from Retina-X, some of which Motherboard verified at the time.

Answering a series of questions about what Retina-X changed after last year’s hack, a spokesperson wrote in an email that “we have been taking steps to enhance our data security measures. Sharing details of security measures could only serve to potentially compromise those efforts.”

“Retina-X Studios is committed to protecting the privacy of its users and we have cooperated with investigating authorities,” the spokesperson wrote. “Unfortunately, as we are well aware, the perpetrators of these egregious actions against consumers and private companies are often never identified and brought to justice.”

At the end of 2016, the hacker gained access to the servers of Retina-X, which makes several spyware products, and started collecting data and moving inside the company’s networks. Weeks later, the hacker shared samples of some of the data he accessed and stole with Motherboard. But he didn’t post any of it online. Instead, he wiped some of the servers he got into, as the company later admitted in February of 2017.

The new alleged hack comes just a few days after the hacker resurfaced online. At the beginning of February, the hacker started to dump online some of the old data he stole from Retina-X in late 2016. The hacker is now using a Mastodon account called “Precise Buffalo” to share screenshots recounting how he broke in, as well as raw data from the breach, though no private data from victims and targets.

In February of 2017, a Motherboard investigation based on data provided by hackers showed that tens of thousands of people—teachers, construction workers, lawyers, parents, jealous lovers—use stalkerware apps. Some of those people use the stalkerware apps to spy on their own partners without their consent, something that is illegal in the United States and is often associated with domestic abuse and violence.

Retina-X was not the only spyware company hacked last year. Other hackers also breached FlexiSpy, an infamous provider of spyware that has actively marketed its apps to jealous lovers. At the time, the hackers promised that their two victims—FlexiSpy and Retina-X—were only the first in line, and that they would target more companies that sell similar products.

 

The information contained in this website is for general information purposes only. The information is provided by Motherboard Vice and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.