DLGuard SQL Injection Security Vulnerabilities

Posted by Jing Wang on Feb 18

Exploit Title: DLGuard /index.php c parameter SQL Injection Security Vulnerabilities
Product: DLGuard
Vendor: DLGuard
Vulnerable Versions: v4.5
Tested Version: v4.5
Advisory Publication: Feb 18, 2015
Latest Update: Feb 18, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89)
CVE Reference: *
Credit: Wang Jing [Mathematics, Nanyang…

CVE-2014-9468 InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

Posted by Jing Wang on Feb 18

Exploit Title: InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Security Vulnerabilities
Product: InstantForum.NET
Vendor: InstantASP
Vulnerable Versions: v4.1.3 v4.1.1 v4.1.2 v4.0.0 v4.1.0 v3.4.0
Tested Version: v4.1.3 v4.1.1 v4.1.2
Advisory Publication: Feb 18, 2015
Latest Update: Feb 18, 2015
Vulnerability…

Bug in TradeWinds

Posted by Juan Martinez on Feb 18

Hi, I turn to you because I want to make public a bug in a web server called
Trade Winds, through which a great deal of compromising information about
internal servers is exposed … Through a Google dork: inurl:cgi-shl/twserver.exe run?.
The servers are vulnerable when this URL is injected:
http://victim/cgi-shl/twserver.exe run (example: CityInfo?), which returns
an error containing this data: TradeWinds: Environment variables sent by
Microsoft-IIS / 6.0…

Agora Marketplace CSRF to Steal Bitcoins (agorahooawayyfoe.onion)

Posted by agoraagoraagora on Feb 18

Ladies and gentlemen
Boys and girls
It has come to our attention that a brave warrior for the people, Ross
William Ulbricht, was unlawfully convicted by the corporation known as
the American government.

This mockery of justice has not gone unnoticed.

In order to protect the next generation of darknet markets we will be
disclosing vulnerabilities for these sites in order to make these
sites safer from attack.

To start, the Agora Marketplace…

The largest bank robbery in history

US newspaper The New York Times has published a fascinating news story about what could be the largest bank robbery in history. According to the article, the thieves have stolen at least $300 million but this figure could be triple that amount, reaching almost $1 billion.

In order to carry it out, the thieves used malware to infect employees’ computers, compromise them and give the cyber-criminals access to the internal network. In this way the attackers studied the internal functioning of the bank’s daily routines, so that the transfers they planned to make did not attract any attention and blend in with the normal daily operations.

Today a report will be published that will clarify some of the questions surrounding the attack. I was struck by the way the article begins, with what seems like the beginning of a Hollywood story: an ATM in Kiev started “spitting out” cash without anyone touching it.

The most surprising aspect is not the act itself. A cash machine is just a computer and attacking it so that it can obey commands not given by the bank is perfectly possible. However, if one thing does not make sense, it is that the criminals even bothered to carry out this attack when they are capable of stealing millions of dollars without attracting any attention using transfers.


The answer to this mystery is simple. It is not one robbery but hundreds of them. Multiple banks in different countries are victims of the attack, and in each one the criminals carried out the attack best suited to the level of compromise they had achieved, according to what they were able to access. Where they were able to make transfers and send money abroad, that is what they did. Where they could not do this but were able to hack the cash machines, they took the money that way.

Time to get serious

Cyber-criminals have compromised 100 banks in 30 countries. According to the information published so far, some employees received emails that infected their computers with malware. Once a computer has been compromised it is relatively easy, for them at least, to move across the internal network, compromising more computers and gaining access to all of the resources they need. When they had control of the key computer, they installed a Trojan which gave them full access to it.

In the light of the data published, it is clear that the losses that a robbery like this can generate are huge, and it is very noteworthy that an attack of this kind had gone unnoticed for so long (they had been working on it since the end of 2013). The banks I know take security very seriously. I have no doubt that they all had some kind of security solution installed and a team to make sure that it was operating correctly. Neither do I doubt that it was insufficient, although that is easy to say when we have just seen the magnitude of the attack.

What should they do? Is there any way to stop all of these attacks? No system is perfect or 100% attack proof. However, there are some measures that are relatively easy to implement that significantly increase security, preventing attacks like this.

Firstly, in a bank it is very debatable that any employee should be able to install and run (consciously or not) any software that has not been previously approved by the security team. Simply preventing the installation of unauthorized software will eliminate the majority of attacks carried out.

Remember that this attack has been described by a representative of the company investigating it as “one of the most sophisticated attacks the world has seen to date”, and the attackers still needed to send an email and an employee to open it and run the attachment (or click on a link).

You might think that the attack could have used an unknown vulnerability to compromise the computer, which has been done in the past and is perfectly plausible. In this case, simply visiting a website could compromise the computer. However, if you have a system that monitors the behavior of the processes running on each computer, these types of attacks can be detected. If the browser process, for example, downloads and tries to run an unknown program, block it automatically and the problem is solved.

Some readers might think that if it were that easy, all large companies would use this type of system, if not on all computers then at least on those that can access critical data and should be well protected. Unfortunately, there are very few solutions of this type on the market. Whitelisting-based solutions, which basically only allow known files to be run, are very awkward to use day to day and, on top of that, once they let a process run (the Internet browser, for example), they do not monitor it.

What is left? Well, from my 16 years of experience in the IT security world I can assure you that it is time to get serious. We must forget about fear and back disruptive technology that allows us to control everything that happens on our networks. It must be flexible enough to give us the option to “lock down” the network and not allow anything unknown to be installed or run, or to be a little more open provided that we have timely information on what is happening in the network.
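As an added illustration of the monitoring described above (example code written for this page, not Panda's product or its logic), the following Python evaluates constructed process-creation events against an allowlist keyed on file hash and adds the behaviour rule that an exposed process such as the browser may not launch an unknown executable; the "lockdown" and "open" modes correspond to the two postures just mentioned. All binaries, hashes, paths and events are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for known-good binaries; a real monitor hashes the file on
# disk at start. Keying on the hash means a renamed or patched file gains no trust.
KNOWN_BINARIES = {
    "explorer.exe": b"constructed explorer image",
    "browser.exe": b"constructed browser image",
}
ALLOWLIST = {sha256_hex(d): name for name, d in KNOWN_BINARIES.items()}
# Processes that handle untrusted content (web pages, mail attachments).
EXPOSED_PARENTS = {"browser.exe", "mail.exe"}

@dataclass
class ProcessEvent:
    image: str         # path of the new process
    parent_image: str  # path of the process that started it
    sha256: str        # hash of the new process's file on disk

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def evaluate(event: ProcessEvent, mode: str) -> tuple[str, str]:
    """Return (verdict, reason). mode is "lockdown" (nothing unknown may run)
    or "open" (unknown binaries run, but every such start is reported)."""
    image, parent = basename(event.image), basename(event.parent_image)
    known = event.sha256 in ALLOWLIST
    # Behaviour rule: an exposed parent launching an unknown executable is
    # blocked in either mode. A plain allowlist that has already admitted the
    # browser never looks at what the browser does afterwards; this rule does.
    if parent in EXPOSED_PARENTS and not known:
        return "block", f"{parent} launched unknown binary {image}"
    if not known:
        verdict = "block" if mode == "lockdown" else "alert"
        return verdict, f"unknown binary {image} started by {parent}"
    return "allow", f"{image} matches allowlist entry {ALLOWLIST[event.sha256]}"

# Constructed sample events: a normal browser start, the browser running a
# downloaded file, and the desktop shell starting an unvetted admin tool.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Browser\browser.exe", r"C:\Windows\explorer.exe",
                 sha256_hex(KNOWN_BINARIES["browser.exe"])),
    ProcessEvent(r"C:\Users\teller\Downloads\invoice.exe",
                 r"C:\Program Files\Browser\browser.exe", sha256_hex(b"constructed dropper")),
    ProcessEvent(r"C:\Tools\newtool.exe", r"C:\Windows\explorer.exe",
                 sha256_hex(b"constructed unvetted tool")),
]
```

In "open" mode the unvetted admin tool only raises an alert, while the file the browser dropped is blocked in both modes.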

This set of technologies and services, which we have been working on for more than 2 years, is available with Panda Advanced Protection Service.

With the information that I now have on what is the largest bank robbery in history, I can say that if any one of the 100 banks affected had used Panda Advanced Protection Service, they would have been protected and the attackers would probably not have been able to steal a penny.

The post The largest bank robbery in history appeared first on MediaCenter Panda Security.

Malware Is Still Spying On You Even When Your Mobile Is Off

Most of us have seen Hollywood movies where hackers trace and spy on mobile devices even though they are switched off. Like most things in spy movies, we disregard it as fiction.

However, a recent malware discovered by the AVG mobile security team may change this preconception.

This malware hijacks the shutdown process of your mobile, so when the user presses the power button to shut down their mobile, it doesn’t really shut down.

After pressing the power button, you will see the real shutdown animation, and the phone appears off. Although the screen is black, it is still on.

While the phone is in this state, the malware can make outgoing calls, take pictures and perform many other tasks without notifying the user.

How does this happen?

First, we have to analyze the shutdown process in detail.

On Android devices, when the power button is pressed, the interceptKeyBeforeQueueing function of the class interceptKeyBeforeQueueing is invoked. interceptKeyBeforeQueueing checks whether the power button was pressed and branches to the corresponding handling.

When the power button is released, interceptPowerKeyUp is invoked and it triggers a runnable to continue.

So according to the code snippet above, in the LONG_PRESS_POWER_GLOBAL_ACTIONS case of the switch, some actions are performed after the power button is released. showGlobalActionsDialog is what we care about: it opens a dialog for you to select actions such as power off, mute or airplane mode.

So if you select the power off option, mWindowManagerFuncs.shutdown is called.

But mWindowManagerFuncs is an interface object. It actually calls the thread ShutDownThread’s shutdown function. ShutDownThread.shutdown is the real entry point of the shutdown process: it shuts down the radio service first and then invokes the power manager service to turn the power off.

So finally, in the power manager service, a native function is called to turn the power off.

Now we have understood the whole process of shutting down your mobile. So if we want to hijack the power off process, we definitely need to interfere before mWindowManagerFuncs.shutdown, as that shuts down the radio service.

Now let’s turn back to the malware which executes a similar attack.

First, it applies for root permission.

Second, after root permission is acquired, the malware injects into the system_server process and hooks the mWindowManagerFuncs object.

Third, once the hook is in place, a fake dialog pops up when you press the power button. If you select the power off option, it displays a fake shutdown animation, leaving the power on but the screen off.

Last, in order to make your mobile look like it is really off, some system broadcast services also need to be hooked.

Let’s see some examples:

Recording a call


Transmitting private messages

Luckily, this malware has been detected by AVG. Next time you want to make sure your mobile is really off, take the battery out.

AVG Mobile Malware Research team

The vulnerable Internet of Things: Security when everything is connected


The Internet of Things is here to stay. Soon, all of our home appliances will be virtually linked. Televisions, clocks, alarms, cars and even fridges will be connected to the Internet and will know almost everything about you to make life easier. Cisco believes that in 2020 there will be more than 50 billion connected devices and a report by the Pew Research Center says that by 2025 we will be used to them knowing our habits.

Despite the advantages that they will offer users, manufacturers and even carriers, there is another group that could benefit from the information we transmit: cyber-criminals. If the Internet is no longer restricted to your computer or phone, and even your fridge knows what you have to buy or your pacemaker informs your hospital of how your heart is beating, a new world of possibilities opens up to cyber-criminals.

The US Federal Trade Commission (FTC) has also raised concerns over the privacy problems related to all devices being connected, and has asked manufacturers to make a special effort not to forget the importance of security. “[The Internet of Things] has the potential to provide enormous benefits for consumers, but it also has significant privacy and security implications,” warned FTC Chairwoman Edith Ramírez during the Consumer Electronics Show.

Ramírez advised connected device manufacturers to adopt three measures to make devices less vulnerable:

  1. Implement security from the design of the device using privacy testing and secure encryption.
  2. Design the device to store only the information it requires.
  3. Be completely transparent to consumers so that they know exactly what data is going to be used and transmitted.


These attacks could have various targets: firstly, to steal specific user data, and secondly, to cause harm to device manufacturers. Similarly, an intelligence agency could be interested in spying on certain information. According to experts, there are various attacks that could become common:

  • Denial of Service. Paralyzing a service is more serious if all devices are connected.
  • Malware-based attacks. Malicious code can be used to infect hundreds of computers to control a network of smart devices or to put their software in danger.
  • Data breaches. Spying on communications and gathering data on these devices (which could also store data in the cloud) will become another more common attack, compromising our privacy. Both intelligence agencies and private companies with commercial purposes could be interested in gathering information on a specific user.
  • Inadvertent breaches. Our confidential data might not only suffer targeted attacks but could also be lost or accidentally disclosed if the devices do not adequately protect privacy.
  • Security attacks on our homes. The majority of manufacturers of these devices have not considered security necessary and many do not have the mechanisms to correctly protect the data. For example, an attacker could spy on the data of our smart meter.


To improve security, authentication methods must be adequate, with stronger passwords, and both the credentials and the data must be correctly encrypted. In addition, security problems could arise in the network. Many devices, such as televisions, connect via Wi-Fi, so manufacturers should adopt strong encryption algorithms. Secondly, special care should be taken with the software and firmware on these devices; they should be updatable, and each update must incorporate security mechanisms.

The Internet of Things has many benefits; now it just needs to be completely secure for users.


The post The vulnerable Internet of Things: Security when everything is connected appeared first on MediaCenter Panda Security.