[RT-SA-2015-006] Buffalo LinkStation Authentication Bypass

Posted by RedTeam Pentesting GmbH on Oct 08

Advisory: Buffalo LinkStation Authentication Bypass

An authentication bypass vulnerability in the web interface of a Buffalo
LinkStation Duo Network Attached Storage (NAS) device allows
unauthenticated attackers to gain administrative privileges. This puts
the confidentiality and integrity of the stored data as well as the
integrity of the device configuration at high risk.

Details
=======

Product: Buffalo LinkStation Duo (LS-WXL), LS-CHL(v2),…

Stagefright the sequel – Android devices vulnerable again

Researchers at Zimperium, a specialist cybersecurity company, have announced that they have found another major vulnerability in the Android operating system that many of us use on our mobile devices.

A blog post published by Zimperium says “Meet Stagefright 2.0, a set of two vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files.” Nearly every single device since Android 1.0, released in 2008, is affected, according to the blog post. The researchers were able to exploit the flaw in devices running Android 5.0 and later, and conceptually nearly every single device since Android 1.0 (2008) could be affected. According to Zimperium, earlier devices could be impacted through media players and instant messengers that use the Stagefright library.

Media files carry additional information called metadata, which is processed when the file is opened or previewed. This means the video or audio file on the device would not even need to be opened by the user for the attack to occur. Once the device was infected, the most likely method an attacker would use would be via a web browser.

How might this happen in a real environment?

  1. An attacker will try to convince you to visit a link that points to an infected website via either a malicious ad campaign or using spear-phishing techniques.
  2. An attacker on the same network as you could inject the exploit by intercepting your mobile network traffic destined for the browser.
  3. Infection of 3rd party apps that are using the vulnerable software library.

Zimperium has said that they notified Google’s Android Security team in August, and that Google responded quickly to try and fix it. They’ve also said that full technical details of the exploit will not be released publicly until Google has confirmed that the issue has been fixed and the fix is available to users.

Bugs and vulnerabilities in operating systems are not uncommon. This exploit highlights the need for users to ensure that their devices are running the very latest version of their operating system and applications.

Unfortunately, unlike the first time Stagefright appeared, when disabling the automatic retrieval of MMS messages could prevent your device from being infected, this time we need to wait for Google, our phone carriers and our handset manufacturers to make the update available to us.

In the meantime there are some precautions you can take:

  • Check with your handset provider or carrier for a patch/update.
  • Update all the apps you have on your device.
  • Avoid downloading media files from untrusted sources, and even when trusted, use caution.
  • If you haven’t disabled the ‘Auto retrieve MMS’ feature, switch it off now.

Remember, the most important thing you can do is keep your operating system and apps up to date. For that extra layer of protection, download AVG AntiVirus for Android to help protect your devices against malicious phishing sites.

Follow me on Twitter @TonyatAVG

All it takes is a laser pen to confuse the so-called “smart car”

Besides radars, cameras, or a GPS system, Google decided that its driverless car would also have a powerful eye mounted on top of the vehicle which is capable of 360 degree vision. LIDAR (Light Detection and Ranging), the aforementioned eye, is capable of measuring distances thanks to a laser light which creates a 3D map of all that surrounds the vehicle.

Despite this technology allowing the car to hit the roads, driverless, without committing any of the errors that befall human drivers, the manufacturers of these autonomous cars aren’t claiming victory just yet as the LIDAR sensors aren’t fully bulletproof. Jonathan Petit, a security expert, has demonstrated their vulnerabilities by showing that they could be easily tricked by external sources.

The investigator managed to fool the sensor by using a laser pen and a pulse generator, which he also claims could be swapped for a Raspberry Pi or an Arduino. So, to trick a smart car, all you need to do is spend around 60 dollars (about 53 euro).

With this system, potential attackers could make the car believe that there is a wall, a person, or another car beside it, obliging it to reduce its speed. They could also send it false signals, leading the car to stop completely for fear of crashing into these non-existent objects.

While the radars operate on private frequencies, which makes them less vulnerable, Petit was easily able to record and imitate the laser pulses emitted by the LIDAR system. He was able to make various copies of the false obstacles and even move them, thus confusing the sensor and making it believe that the illusion was real from distances of 20 to 350 meters.

Petit will present the details of his investigation at the upcoming Black Hat Europe conference, which takes place in Amsterdam in November. For the moment, however, all that he has revealed is that one of the main selling points of these cars is vulnerable.

Google’s driverless car uses the LIDAR technology of a company called Velodyne, which is based in Silicon Valley and has developed a device capable of storing more than a million pieces of data per second, allowing the car to continue its journey without incident.

This invention doesn’t come cheap, though. Each unit costs 85,000 dollars (around 75,000 euro) and this investigation shows that a high price doesn’t necessarily mean high security protection – even the most expensive ones are at risk.

Although attacks are limited to a specific device for the time being, this expert argues that all manufacturers should keep security in mind and take necessary steps to avoid any dangers on the roads. “If a self-driving car has poor inputs, it will make poor driving decisions,” claims Petit.

The problem could be resolved with a stronger detection system: “A strong system that does misbehavior detection could cross-check with other data and filter out those that aren’t plausible. But I don’t think carmakers have done it yet. This might be a good wake-up call for them.”

It’s not just Google that has tested out these LIDAR systems – the likes of Mercedes, Lexus, and Audi have also tried out prototypes on their cars, which means they also need to keep in mind any potential security risks if they want their driverless cars to become the next step in automobiles.

The post All it takes is a laser pen to confuse the so-called “smart car” appeared first on MediaCenter Panda Security.