Cross-site scripting (XSS) vulnerability in the Nessus Web UI in SOPHOS UTM before 9.353 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
Monthly Archives: February 2016
CVE-2016-2071
Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 11.x before 11.0 Build 64.34, 10.5 before 10.5 Build 59.13, and 10.5.e before Build 59.1305.e allows remote attackers to gain privileges via unspecified NS Web GUI commands.
CVE-2016-2072
The Administrative Web Interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 11.x before 11.0 Build 64.34, 10.5 before 10.5 Build 59.13, 10.5.e before Build 59.1305.e, and 10.1 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
CVE-2016-2396
The GMS ViewPoint (GMSVP) web application in Dell SonicWALL GMS, Analyzer, and UMA EM5000 7.2, 8.0, and 8.1 before Hotfix 168056 allows remote authenticated users to execute arbitrary commands via vectors related to configuration input.
CVE-2016-2397
The cliserver implementation in Dell SonicWALL GMS, Analyzer, and UMA EM5000 7.2, 8.0, and 8.1 before Hotfix 168056 allows remote attackers to deserialize and execute arbitrary Java code via crafted XML data.
Adobe Flash H264 File Causes Stack Corruption
The included flv file causes stack corruption when loaded into Flash. To use the PoC, load LoadMP42.swf?file=lownull.flv from a remote server.
Adobe Flash H264 Parsing Out-Of-Bounds Read
There is an out-of-bounds read in H264 parsing and a fuzzed file is included in this archive. To load, load LoadMP4.swf with the URL parameter file=compute_poc.flv from a remote server.
Judge Orders Apple to Unlock iPhone Used by San Bernardino Shooters
The Tech Giant Apple has come into an entangled situation which could be a potential security threat for Apple users in near future: Help the FBI Unlock an iPhone.
The US Magistrate Judge Sheri Pym has ordered Apple to provide a reasonable technical assistance in solving a critical case of Syed Farook; who with his wife Tashfeen Malik planned a coordinated “2015 San Bernardino attack” that killed 14 people injured 22.
As part of the investigation, the Federal Bureau of Investigation (FBI) had seized the Farook’s iPhone 5C that would be considered as an insufficient evidence until and unless the iPhone gets unlocked by any means.
Previously, Apple had made several crystal clear statements about its Encryption Policy, stating that even the company is not able to decrypt any phone data as the private key lies at the user’s end.
A similar problem encountered three years back with Lavabit, who was forced to shut down its services soon after when FBI demands SSL keys to snoop the emails.
However, despite forcing or ordering Apple to break the encryption and unlock the suspect’s iPhone, judges have ordered the company to find an alternative way to unlock iPhone, keeping data intact.
Can Apple Unlock iPhone? Yes, Here’s How:
From iOS 8, Apple added a data security mechanism called Data Protection, which uses 256-bit AES Encryption key to encrypt everything on the device.
Here the passcode a user enters is itself used as part of the encryption key and thus, it is impossible for an attacker or even Apple itself to unlock iPhone until the user re-inputs the passcode.
Besides Data Protection, Apple offers “Auto-Destruct Mode” security feature that will erase all the data on the iPhone if an incorrect password is entered 10 times concurrently, making the data unrecoverable.
So, Judge Pym wants Apple to come up with an alternative that should increase the brute force attempts from 10 to millions, in order to prevent the data from getting self-destructed.
Apple has not yet confirmed whether it is possible to write such a code that can bypass iOS Auto-Destruct feature.
But, if it’s possible, it would provide an alternative backdoor mechanism to every law enforcement and intelligence agency to unlock iPhone by simply brute forcing 4-6 Digit Pins effectively within few hours.
Here we support Apple policy not to help break its users’ encryption, because once a master key is created to unlock that particular iPhone, we’re sure that the US government will misuse this power and demand for the key again and again in near future for unlocking other phones.
Apple Rejects FBI Demands
Apple has dismissed the court order to unlock San Bernardino gunman Syed Rizwan Farook’s iPhone.
Here’s what Apple CEO Tim Cook said in a statement:
“The United States government has demanded that Apple takes an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.”
“We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.”
Kaspersky Lab North America Promotes Jon Whitlock to Senior Vice President, Marketing
Instagram Adds Two-Step Verification to Prevent Account from being Hacked
Hijacking an online account is not a complicated procedure, not at least in 2016.
Today, Instagram confirmed that the company is in the process to roll out two-factor authentication for its 400 Million users.
It is impossible to make your online accounts hack-proof, but you can make them less vulnerable.
Then what you can do to protect yourselves from hackers?
Several companies provide more enhanced steps like Encrypted Channel Services, Security Questions, Strict Password Policy and so on.
But, what would you do if a hacker had somehow managed to access your accounts’ passwords?
Since the online accounts do not have an intelligent agent inbuilt to verify whether the person is the legit driver of the account; beyond a username and password match.
Hence the concept of Two-Factor Authentication (2FA) born out!
Jumbos like Google, Facebook, Twitter and Amazon have already blended the 2FA feature with their services to tackle account hijacking.
2-Factor Authentication or two-step verification is an additional security mechanism that certifies the user is legit after clearing dual identification step i.e. a randomly generated security code would be provided to the user via call/SMS for authentication.
2-Factor Authentication eliminates the hackers to intrude into your online accounts (even if they have your usernames and passwords).
Now, the Multimedia sharing Giant Instagram also joined the league by implementing two-step verification.
Better late than Never:
However, the decision to roll out 2FA feature could be criticized as it’s parent company Facebook had already implemented it five years back.
The current users could not expect the new two-step verification feature to get released soon, as the company had mentioned that they would slowly release the phone verification feature.
But yes, there is good news for Singapore Residents. As the first roll would be out for Singaporeans.
Earlier, Instagram hacking was a deja vu as many videos and images of celebrities leaked online in the yesteryears.
Hackers could create havoc such as hijacking or deletion of Instagram Accounts, flooding the account with illegit contents and much more. Taylor Swift was one of such victims of the Instagram hack.
To save yourself from hackers you are recommended to enable 2-Factor Authentication when the Instagram security feature as soon as rolls for your country.
