News & Updates


Disney announced today that it will acquire a huge portion of 21st Century Fox in an all-stock deal valued at $52.4 billion. As part of the deal, Disney will own 21st Century Fox’s film and television studios, some of its cable networks, and international TV businesses, as well as popular titles including The Simpsons, X-Men, and Avatar. The deal represents a huge shift in content ownership in Hollywood, giving Disney even more titles, characters, and stories to build upon across all its existing properties and any new services the company debuts in the future.

Disney did not acquire all of 21st Century Fox—the deal focuses on the company’s entertainment businesses. 21st Century Fox announced plans to spin off its news and sports broadcasting businesses into a new company dubbed “Fox.” This company will focus on news and sports and will include Fox News Channel, Fox Business Network, FS1, FS2, among other properties.

If the deal gains regulatory approval, Disney’s already gigantic pool of content will expand even further. The company will own cable channels including National Geographic, FX Networks, Fox Sports Regional Networks, and international networks like Star TV and Sky. 21st Century Fox is expected to complete its acquisition of Sky, a popular network in the UK and Europe, by mid-2018. If and when it does so, Disney will own all of Sky.


Source: http://feeds.arstechnica.com/arstechnica/index/

The iMac Pro. (credit: Samuel Axon)

Apple’s goal with professional hardware has always been to inspire creatives and developers to produce new things. That’s not an altruistic objective; the more creative things get made on Macs, the more other creatives and developers are drawn to the platform, and the more Macs are sold. To that end, the iMac Pro is available to order today, so we spoke with Apple and several third-party developers who were introduced to us by Apple. We learned more about the iMac Pro and how people expect to use it to improve performance or add new features to their applications.

Externally, the new iMac Pro is indistinguishable from the existing iMac, apart from its darker color. But inside, it is a much more powerful machine, with CPU options up to 18 cores and up to 128GB of RAM.

It’s still not upgradeable in any significant way, apart from external GPUs. And of course, it starts at $5,000. Still, Apple has made a compelling case for the device by allowing the use cases to speak for themselves. We’ll go over the specifics about the machine and then explore some of the use cases we saw.


Source: http://feeds.arstechnica.com/arstechnica/index/

FortiClient for Linux, Mac OSX and Windows stores encrypted VPN authentication credentials in improperly secured locations.

Fortinet has released security updates for its FortiClient next-generation endpoint protection product that address a serious information disclosure vulnerability.

The flaw, tracked as CVE-2017-14184, could be exploited by an attacker to obtain VPN authentication credentials.

FortiClient is a powerful product that includes many components and features such as web filtering, application firewall, vulnerability assessment, anti-malware, and SSL and IPsec VPN features.

Experts at SEC Consult discovered security flaws that can be exploited to access VPN authentication credentials associated with the product.

“FortiClient for Linux, Mac OSX and Windows stores encrypted VPN authentication credentials in improperly secured locations; regular users may therefore be able to see each other’s encrypted credentials. This is an issue, because the key used to encrypt the aforementioned credentials may be retrieved from the binary.” reads the project description published by SEC Consult.

SEC Consult rated the issue as “high severity”, while Fortinet has assigned it a 4/5 risk rating.

The first issue is that the VPN credentials are stored in a configuration file on Linux and macOS, and in the registry on Windows, in locations that an attacker can easily access.

The second issue is that the decryption key for the credentials is hardcoded in the application and is the same across all FortiClient installs. An attacker who extracts the key can decrypt the stored passwords.

“FortiClient stores the VPN authentication credentials in a configuration file (on Linux or Mac OSX) or in registry (on Windows). The credentials are encrypted but can still be recovered since the decryption key is hardcoded in the program and the same on all installations. Above all, the aforementioned storage is world readable, which actually lays the foundation for the credential recovery.” continues the analysis published by SEC Consult.


The flaws are especially dangerous in enterprise environments, where an insider with valid domain credentials could harvest the VPN credentials of all other users and gain access to their domain accounts.

“FortiClient for Linux, Mac OSX and Windows stores encrypted VPN authentication credentials in improperly secured locations; regular users may therefore be able to see each other’s encrypted credentials. This is an issue, because the key used to encrypt the aforementioned credentials may be retrieved from the binary.” reads the advisory published by Fortinet.

SEC Consult has developed a proof-of-concept (PoC) tool that leverages these issues to recover passwords; the company plans to release it later, giving users time to update their FortiClient installs.

According to Fortinet the flaw affects FortiClient 5.6.0 and earlier for Windows and Mac, and version 4.4.2334 and earlier of the SSL VPN client for Linux. Android and iOS apps are not impacted.

The problems are fixed in FortiClient 5.6.1 for Windows and Mac, and in FortiClient 4.4.2335 for Linux running with FortiOS 5.4.7.

Below is the vendor contact timeline:

2017-08-30: Contacting vendor through [email protected]
2017-09-19: Contacting vendor again due to lost message
2017-09-20: Vendor confirmed and assigned CVE-2017-14184 to the issues
2017-10-19: Vendor requested to postpone the release date
2017-11-02: Vendor informed the fix for Windows and OS X was done
2017-11-22/23: Vendor released 5.6.1 for OS X and 5.6.2 for Windows
2017-12-08: Vendor informed that the fix for Linux is available together with FortiOS release version 5.4.7
2017-12-13: Public disclosure of advisory


Pierluigi Paganini

(Security Affairs – Mirai botnet, DDoS)


The post FortiClient improper access control exposes users’ VPN credentials appeared first on Security Affairs.

Source: Security affairs

Video shot by Joshua Ballinger, edited and produced by Jing Niu and David Minick.

In pulling together our interviewee list for “The Greatest Leap,” we knew we wanted to talk not just to the luminaries who made Project Apollo a reality 50 years ago, but also to modern-day astronauts. After all, the NASA we have today owes its existence to the space race of the 1950s and ’60s, and in many ways, it’s still the same agency that put people on the Moon. (Though, as we all sit here on Earth without a moonbase above our heads, it’s clear that the agency lacks the follow-through many people expected it to have.)

We were exceptionally lucky to be able to sit down for an hour or so with Victor Glover, an accomplished aviator and test pilot who became an astronaut four years ago. Glover’s perspective on the current state of the astronaut corps and the way NASA operates provides a fascinating window into what it’s like to be an astronaut now—and what it might have been like to train for that voyage from the Earth to the Moon.


Source: http://feeds.arstechnica.com/arstechnica/index/

The US President Donald Trump signed a bill that bans the use of Kaspersky Lab products and services in federal agencies.

Section 1634 of the bill prohibits the use of security software and services provided by the security giant Kaspersky Lab; the ban takes effect on October 1, 2018.

Below are the details of the ban as included in Section 1634 of the National Defense Authorization Act for Fiscal Year 2018.

SEC. 1634. Prohibition on use of products and services developed or provided by Kaspersky Lab.

(a) Prohibition.—No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by—

          (1) Kaspersky Lab (or any successor entity);
          (2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or
          (3) any entity of which Kaspersky Lab has majority ownership.

(b) Effective date.—The prohibition in subsection (a) shall take effect on October 1, 2018.

Senator Jeanne Shaheen welcomed the news, asserting that the US Government has gathered all the evidence necessary to justify the decision.

“The case against Kaspersky is well-documented and deeply concerning. This law is long overdue, and I appreciate the urgency of my bipartisan colleagues on the Senate Armed Services Committee to remove this threat from government systems.” commented Shaheen.

Sen. Shaheen is the author of a letter recently sent to the Trump administration asking that information on Kaspersky Lab be declassified “to raise public awareness regarding the serious threat that the Moscow-based software company poses to the United States’ national security.”

Kaspersky Lab issued the following statement about Section 1634:

“Kaspersky Lab continues to have serious concerns about Section 1634 of the National Defense Authorization Act due to its geographic-specific approach to cybersecurity, singling out Kaspersky Lab, which we maintain, does little to mitigate information security risks affecting government networks.” reads the statement issued by Kaspersky.

“Nevertheless, Kaspersky Lab is assessing its options, while continuing to protect its customers from cyber threats, and collaborating globally with the IT security community to fight cybercrime.”


In September, the U.S. DHS ordered federal agencies to stop using Kaspersky software and services.

The ban was the response to the concerns about possible ties between Kaspersky and Russian intelligence agencies.

According to The Washington Post, which first reported the news, the order applies to all civilian government networks, but not the military ones.

Recently, the UK’s National Cyber Security Centre (NCSC) also issued a warning regarding the use of Kaspersky software and services by government agencies.

The CEO of the UK National Cyber Security Centre (NCSC), Ciaran Martin, wrote to permanent secretaries regarding the issue of supply chain risk in cloud-based products, including anti-virus (AV) software.

The NCSC is a branch of the UK Government Communications Headquarters (GCHQ), the UK intelligence and security agency.

The letter warns against software made in hostile states, specifically Russia: as the Prime Minister’s Guildhall speech set out, the Moscow government is acting against the UK’s national interest in cyberspace.

Kaspersky has repeatedly denied the accusations and has announced a transparency initiative that gives partners access to the source code of its solutions.


Pierluigi Paganini 

(Security Affairs – Kaspersky Lab, Cyber espionage)


The post Trump signed a bill prohibiting the use of Kaspersky Lab product and services appeared first on Security Affairs.

Source: Security affairs

Bezel-less displays have dominated the smartphone arena this year and there have been a lot of launches sporting taller displays. One of them is the OUKITEL MIX 2 that is grabbing a lot of eyeballs recently mainly because of its design and the fact that it is available for such a low price. Besides the […]

The post OUKITEL MIX 2 Shows Off its Dual-Camera Prowess in a Video appeared first on MobiPicker.

Source: http://www.mobipicker.com/feed/

Security researchers at Trend Micro have publicly disclosed an unpatched zero-day flaw in the firmware of the AT&T DirecTV WVB kit after the manufacturer failed to patch it.

Security researchers at Trend Micro have discovered an unpatched zero-day vulnerability in the firmware of the AT&T DirecTV WVB kit after the manufacturer failed to patch the flaw over the past few months.

The issue affects a core component of the Genie DVR that is shipped free of cost with DirecTV. The flaw can be easily exploited by attackers to gain root access to the device, putting millions of DirecTV customers at risk.

The vulnerability resides in WVBR0-25, a Linux-powered wireless video bridge manufactured by Linksys.

DirecTV Wireless Video Bridge WVBR0-25 allows the Genie DVR to communicate over the air with customers’ Genie client boxes that are plugged into their TVs in the same home.

Trend Micro researcher Ricky Lawshae analyzed the kit and found that the Linksys WVBR0-25 does not require any authentication to access internal diagnostic information served by the device’s web server.

Simply browsing to the wireless bridge’s web server returned a stream of text.

“I started out by trying to browse to the web server on the device. I expected to find a login page of some sort. What I found instead was a wall of text streaming before my eyes.” wrote Ricky Lawshae.


The output of several diagnostic scripts contained a great deal of information about the DirecTV Wireless Video Bridge, including the WPS PIN, running processes, connected clients, and much more.

A deeper analysis of the scripts revealed that the device accepted commands remotely and executed them as root, meaning that an attacker could take full control of it.

“The return value also showed the device had happily executed my new commands and executed them as the root user, too! No login prompt. No input sanitization.” continues the analysis.

“It literally took 30 seconds of looking at this device to find and verify an unauthenticated, remote root command injection vulnerability. It was at this point that I became pretty frustrated,”  

“The vendors involved here should have had some form of secure development to prevent bugs like this from shipping. More than that, we as security practitioners have failed to affect the changes needed in the industry to prevent these simple yet impactful bugs from reaching unsuspecting consumers.”

Lawshae also published a video PoC demonstrating how easily a root shell can be obtained on the DirecTV wireless box, in a matter of seconds.

The vulnerability was promptly reported to Linksys by the Zero Day Initiative (ZDI) more than six months ago, but the vendor has not yet fixed the problem; for this reason, the researcher opted to publicly disclose the zero-day vulnerability.


Pierluigi Paganini

(Security Affairs – AT&T DirecTV WVB kit, hacking)


The post Experts disclosed an unpatched zero-day vulnerability in the firmware of AT&T DirecTV WVB kit appeared first on Security Affairs.

Source: Security affairs

The U.S. federal officials have arrested three hackers who have pleaded guilty to computer-crimes charges for creating and distributing Mirai botnet that crippled some of the world’s biggest and most popular websites by launching the massive DDoS attacks last year.

According to the federal court documents unsealed Tuesday, Paras Jha (21-year-old from New Jersey), Josiah White (20-year-old


Source: http://feeds.feedburner.com/TheHackersNews

Security researchers have publicly disclosed an unpatched zero-day vulnerability in the firmware of AT&T DirecTV WVB kit after trying to get the device manufacturer to patch this easy-to-exploit flaw over the past few months.

The problem is with a core component of the Genie DVR system that’s shipped free of cost with DirecTV and can be easily exploited by hackers to gain root access and take


Source: http://feeds.feedburner.com/TheHackersNews

The US DoJ announced plea agreements for Paras Jha, Josiah White, and Dalton Norman, 21, for creating and operating the dreaded Mirai botnet.

US authorities have charged three men with developing and running the dreaded Mirai botnet, which was involved in several massive DDoS attacks.

According to documents released by the US Department of Justice (DOJ), the three men are Paras Jha, Josiah White, and Dalton Norman.

According to the plea agreements, White developed the Telnet scanner component used by Mirai, Jha created the botnet’s core infrastructure and the malware’s remote control features, while Norman developed new exploits.

Jha, who goes by the online moniker “Anna-senpai”, leaked the source code for the Mirai malware on a criminal forum, allowing other threat actors to use it and making attribution of the attacks harder.

Jha also pleaded guilty to carrying out multiple DDoS attacks against his alma mater Rutgers University between November 2014 and September 2016, before creating the Mirai botnet.

The Mirai bot was first spotted by the malware researchers of MalwareMustDie in August 2016; the malicious code was developed to target IoT devices.


The IoT malware runs a brute-force password attack over telnet, using a list of default credentials to gain access to the target device.


Once the Mirai component gains access to the target IoT device, it connects out to download the full malware and runs it. It then starts sending out SYN packets at a high rate, scanning for other potential victims.

The Mirai botnet peaked at over 300,000 infected devices, mainly DVRs, security cameras, and routers.

The three men advertised the botnet on hacking forums as a DDoS-for-hire service; Jha alone also used it to blackmail a hosting company.


According to court documents, the three men also used the Mirai botnet to make money through “click fraud”: the botnet emulated real users clicking on advertisements, artificially generating profits for its operators.

The three also generated some $180,000 from the scheme in bitcoin.

The Mirai botnet was also used against the website of the well-known security journalist Brian Krebs, who was able to identify Jha and White as the botnet’s operators.

The three face possible prison terms and monetary fines.


Pierluigi Paganini

(Security Affairs – Mirai botnet, DDoS)


The post US DoJ charges 3 Men with developing and running the Mirai Botnet appeared first on Security Affairs.

Source: Security affairs