Sprint security lapse gave access to Sprint staff portal

TechCrunch has confirmed that the provider was using two sets of easily-guessed logins that let a security researcher access a company portal with access to customer data.

Using two sets of weak, easy-to-guess usernames and passwords, a security researcher accessed an internal Sprint staff portal. Because the portal’s log-in page didn’t use two-factor authentication, the researcher navigated to pages that could have allowed access customer account data.

The researcher would only have needed an account holder’s phone number and a four-digit PIN to access their data, change plans or swap devices, and there was no limit on the number of PIN guesses.

In a statement, Sprint confirmed that the expert used “legitimate credentials” to get in. It promptly changed the passwords and vowed to “research this issue” in a bid to avoid a repeat.

Android crypto-mining is infecting Amazon Fire TVs and Fire Sticks

Crypto-mining android malware is infecting Amazon Fire TV and Fire Stick devices and causing them to go to Borksville.

If you’ve loaded any apps onto your Amazon Fire TV or Fire TV Stick that let you watch pirated movies and TV shows, you could be at risk from a cryptocurrency-mining Android virus.
AFTVnews reports that the virus — a malware worm variant dubbed ‘ADB.Miner’, is installing itself on Amazon gadgets as an app called ‘Test’ under the package name ‘com.google.time.time.’ Once it’s infected a device, it eats up resources mining cryptocurrency — devices will become slow, video playback will stop abruptly and a notification saying “Test” with the green Android robot icon will appear randomly on screen.

The virus is not specifically targeting Fire TV devices, but they’re vulnerable because of their Android-based operating system.

The good news is that your Amazon Fire TV device is safe from the threat if you’ve never messed around with its developer settings. However, if you’ve allowed ADB debugging or apps from unknown sources, your device is at risk — switch both to off.

If you suspect you’ve already been infected, AFTVNews recommends that, first of all, you head into your gadgets’ settings and ensure both aforementioned options are set to ‘off’.

The report also recommends that you perform a full factory reset of your Amazon device, but if you can’t bear the thought of starting from scratch, you can also download an app called ‘Total Commander’ from the Amazon app store that will allow you to uninstall the ADB.Miner malware.

Alternatively, you can install a modified version of the malware, which updates the virus to a version that turns off the miner — again, not ideal, but it appears to have fixed the issue for people who weren’t able to remove the malware entirely. This XDA post shows you how, but you should definitely only try this if you’re sure you know what you’re doing.

TeleGrab steals swipes Telegram cache and key files

Researchers have discovered a malware in the end-to-end encrypted instant messaging service Telegram that seeks to collect cache and key files from.

Cisco Talos researchers Vitor Ventura and Azim Khodjibaev dubbed the malware Telegrab.

They analyzed two versions of it. The first one, discovered on April 4, 2018, only stole browser credentials, cookies, and all text files it can find on the system. The second one, spotted less than a week later, is also capable of collecting Telegram’s desktop cache and key files and login information for the Steam website.

To steal Telegram cache and key files, the malware is not taking advantage of software flaws. The malware is capable of targeting only the desktop version of the popular messenger because it does not support Secret Chats and does not have the auto-logout feature active by default.

This means that the attacker can use those stolen files to access the victim’s Telegram session, contacts and previous chats.

Telegrab is distributed via a variety of downloaders, and it checks if the victim’s IP address is part of a list that includes Chinese and Russian IP addresses, along with those of anonymity services in other countries. If it is, it will exit.

It also doesn’t have a persistence mechanism, so it won’t work after a system reboot.

The stolen data and files are exfiltrated to one of five pCloud account. They are not encrypted, so technically anyone who has the credentials to those accounts or gets their hands on them can access this information.

“The malware samples analysed are not particularly sophisticated but they are efficient,” the researchers noted.

“Notably the Telegram session hijacking is the most interesting feature of this malware, even with limitations this attack does allow session hijacking and with it the victim’s contacts and previous chats are compromised.”

 

Email encryption flaw ‘EFAIL’ gives hackers full access to your email

On the victim’s end, the email client first decrypts the second part and then combines all three into one email. It then converts everything into an URL form starting with the hacker’s address and sends a request to that URL to retrieve the nonexistent image. The hacker receives the image request, which contains the entire decrypted message. 

CBC/CFB gadget attacks which resides within the PGP and S/MIME specifications, affecting all email clients. In this case, the attacker locates the first block of encrypted plaintext in the stolen email and adds a fake block filled with zeroes. The attacker then injects image tags into the encrypted plaintext, creating a single encrypted body part. When the victim’s client opens the message, the plaintext is exposed to the hacker. 

 

The Efail report lists additional steps users can take to reduce the likelihood of falling prey to encryption attacks — namely, decrypting S/Mime and PGP outside email clients in a separate application and disabling HTML rendering altogether. But the researchers cautioned that since attacks could become increasingly sophisticated in future, strategies which bolster OpenPGP and S/Mime standards are required for a long term fix.

Russia demands Apple pull Telegram for iPhone from App Store

Russia’s telecomunications regulator, Roskomnadzor, sent orders to both Apple and Google on Tuesday, asking them to halt local downloads of the popular secure messaging app Telegram.

Roskomnadzor had already began blocking access to Telegram on Monday following a Friday court ruling, according to Reuters. While Telegram is a non-profit service developed by a largely Russian team — including heads Pavel and Nikolai Durov — Russia’s domestic spy agency, the FSB, ordered the company to hand over encryption keys last year, as required by Russian law.

Pavel Durov has refused to do so, arguing that “privacy is not for sale,” and that “human rights should not be compromised out of fear or greed.” He noted that Telegram has “the luxury of not caring about revenue streams or ad sales,” although he is also aiming to expand the service into a blockchain economic system for its users, and recently launched an initial coin offering to raise the needed money.

Some Russians may still be able to access Telegram by way of virtual private networks, but the government has the authority to shut them down if they support access to banned services.

As of this writing Telegram still appears to be on the Russian App Store, though that may be short-lived.

Critical vulnerability opens Cisco switches to remote attack

A critical vulnerability affecting many of Cisco’s networking devices could be exploited by unauthenticated, remote attackers to take over vulnerable devices or trigger a reload and crash.

The flaw was discovered by Embedi researchers nearly a year ago. It is a stack-based buffer overflow vulnerability present in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software.

The vulnerability can be exploited by by sending a crafted Smart Install message to an affected device on TCP port 4786.

Embedi researchers confirmed that the flaw is found in Catalyst 4500 Supervisor Engines, Cisco Catalyst 3850 Series Switches, and Cisco Catalyst 2960 Series Switches, but that a slew of other devices are potentially vulnerable.

Cisco says that it affects devices that are running a vulnerable release of Cisco IOS or IOS XE Software and have the Smart Install client feature enabled.

Cisco says that the vulnerability is not actively exploited in the wild, but as information about it and Proof-of-Concept code has now been published network administrators would do well to install the released security updates as soon a possible.

 

Drupal CMS vulnerability allows hackers to gain complete control of your website

A vulnerability discovered in a popular content management system ( Drupal ) could leave nearly 1 million websites open to attack if left unpatched.

The vulnerability enables various attack points and could grant hackers complete control of a website. The vulnerability exists within Drupal 6.x, Drupal 7.x, and Drupal 8.x.

The vulnerability relates to a conflict between how PHP handles arrays in parameters, and Drupal’s use of the hash (#) in at the beginning of array keys to signify special keys that typically result in further computation, leading to the ability to inject code arbitrarily, according to Drupal’s security advisory. Exploiting this vulnerability does not require any authentication, only visiting a page with a maliciously-crafted URL is necessary.

Jasper Mattsson of development house Druid found the vulnerability in Drupal, dubbed as SA-CORE-2018-002, as part of Drupal’s routine security examination. The Drupal team doesn’t go into specifics but merely state that hackers could compromise a Drupal-based site. So far, there is no known exploit to take advantage of this vulnerability, thus site-based sabotage is merely theoretical for now. 

Based on the company’s in-house scoring system, here is what the vulnerability covers: 

  • All non-public data is accessible
  • All data can be modified or deleted
  • Default or common module configurations are exploitable, but a config change can disable the exploit 

 

Here is  Drupal’s update schedule to fix the vulnerability: 

Version  Status  Solution 
Drupal 6.x  End of Life  Contact a D6LTS vendor 
Drupal 7.x  Active  Upgrade to Drupal 7.58 or
install this patch. 
Drupal 8.3.x  Not supported  Upgrade to Drupal 8.3.9 or
install this patch. 
Drupal 8.4.x  Not supported  Upgrade to Drupal 8.4.6 or
install this patch. 
Drupal 8.5.x  Active  Upgrade to Drupal 8.5.1 or
install this patch. 

 

 

Atlanta government computers hit by ransomware, demand $51,000 in Bitcoin

On Thursday, March 22, that hackers attacked the city’s network system and encrypted data. Hackers reportedly used the SamSam ransomware and demand around $51,000 in Bitcoin to unlock the city’s seized computers.

Atlanta is currently working with the Department of Homeland Security, the FBI, Microsoft, and Cisco cybersecurity officials to determine the scope of the damage and regain control of the data held hostage. 

SamSam, it’s part of a family of malware has been active against many government and healthcare systems since late 2015. It then encrypts that key with RSA 2048-bit encryption to make the files utterly unrecoverable. In January, Talos noted that its makers had already netted over $325,000 in ransom sent to one bitcoin wallet. This particular attack isn’t spreading on the level of 2017’s NotPetya/WannaCry, but its apparent ability to target critical systems where the owners are likely to pay makes it even more troublesome, spreading first through vulnerable servers and then onto Windows desktops.

The Atlanta government said it will be open for business in the morning, and that infrastructure like public safety, water and the airport are unaffected.

 

Telegram loses Supreme Court appeal over encryption keys in Russia

Telegram has lost a Supreme Court appeal in Russia, and been ordered to share its encryption keys with KGB successor, the Federal Security Service (FSB).

Telegram was ordered to comply with a 2016 law that requires messaging services to provide the FSB with the ability to decrypt messages. Russia claimed that the app was used to plan terrorist attacks and that the request was in the name of national security. Telegram argued that this was unconstitutional, and refused. The FSB disagreed, suggesting that as collecting data would still require a court order, holding encryption keys did not violate the constitution.

Telegram once again plans to appeal the Supreme Court’s decision, so this case isn’t over. If the service loses, then it risks a hefty fine and a possible ban from Russia.