Tech News
Yahoo, which was in the limelight for revealing a massive hack on its users earlier this year, has fixed a highly critical cross-site scripting (XSS) security flaw in its email system that would have allowed attackers to access any email. The flaw was discovered and reported by Finland-based security researcher Jouko Pynnonen, who earned $10,000 for the feat from Yahoo's bug bounty program. The flaw allowed an attacker to read a victim's email or create a virus infecting Yahoo Mail accounts, among other things. Unlike other email phishing scams and ransomware attacks, there was no need for the hacker to send a virus or trick the victim into clicking a specific link. Attackers would just send the email to victims, and be able to access their account if it was opened. Last year, Pynnonen had reported another serious bug to Yahoo that allowed an attacker to take over any user's account by using the same XSS vulnerability. According to him, the impact of this bug was the same as last year's XSS issue. The bug in this case resided in the email's HTML filtering code. When someone sends an email with different kinds of attachments, Yahoo uses a filtering process to inspect the "raw" HTML of that email, which normally keeps malicious code at bay. An investigation, however, showed that attackers could easily bypass that filtration process by sending a YouTube link in the email that allows the hacker to execute JavaScript code and read users' emails. The report of the critical flaw comes just months after the tech giant admitted that a massive data breach in 2014 gave access to the personal information of more than 500 million user accounts. The attack gave hackers access to names, email addresses, telephone numbers, encrypted and unencrypted security questions and answers, dates of birth, and encrypted passwords of users. The company later blamed the attack on state-sponsored parties but did not name any country.
Flaw allows hackers to execute arbitrary shell commands on affected devices. Several models of Netgear routers are affected by a publicly disclosed vulnerability that could allow hackers to take them over. An exploit for the vulnerability was published Friday by a researcher who uses the online handle Acew0rm. He claims that he reported the flaw to Netgear in August, but did not hear back. The issue stems from improper input sanitization in a form in the router's web-based management interface and allows the injection and execution of arbitrary shell commands on an affected device. The U.S. CERT Coordination Center (CERT/CC) at Carnegie Mellon University rated the flaw as critical, assigning it a score of 9.3 out of 10 in the Common Vulnerability Scoring System (CVSS). Netgear confirmed the vulnerability over the weekend and said that its R7000, R6400 and R8000 routers might be vulnerable. However, another researcher performed a test and reported that other routers from Netgear's Nighthawk line are also affected. These include: R7000, R7000P, R7500, R7800, R8500 and R9000. Users can check if their models are affected by accessing the following URL in a browser when connected to their local area network (LAN): http://[router_ip_address]/w . If this shows any information other than an error or a blank page, the router is likely affected.
Is it wrong to hack back - to counter-cyber-attack when you have become a victim? The presumed answer is yes. In the US alone, the Department of Justice calls hacking back “likely illegal”; the Federal Bureau of Investigation “cautions” victims against it; and White House officials call it “a terrible idea.” But none has clearly declared it illegal. The law has not caught up with technology here - whether in the US or other geographies - and we do not have a test-case in court yet. In the meantime, we can look toward ethics for guidance, which surprisingly might permit hacking back. If cyber-attacks are a law enforcement issue, the usual solution is to let the authorities handle it. They would work to capture the suspects, put them on trial, and punish them if found guilty. To circumvent this process seems to be vigilantism, which threatens the rule of law and therefore civil society's foundation. But when cyber-attackers continue to elude identification - forget about capture and prosecution - does it still make sense to defer to the authorities? Help is not on the way. For instance, the FBI said this about ransomware, or malicious software that locks down a user's system until money is extorted. “To be honest, we often advise people to just pay the ransom,” they said. If the wheels of justice are systematically stuck, then it may not be vigilantism to take action against your attacker. Part of our social contract to create and abide by government is to give up our natural powers to take justice into our own hands, in exchange for a more reliable and fair legal system. Arguably, our obligation to defer to law enforcement is suspended, on this particular issue of cyber-attacks, if they cannot uphold their end of the bargain.
Capcom has apologised to Street Fighter V players after it was caught installing a backdoor on Windows systems as part of its most recent title update. As with many PC games, Street Fighter V suffers from piracy and cheaters - the platform's perennial problems. Unlike most, however, the latest attempt to fix the problem came in the form of a title update bundling a Windows driver - capcom.sys - which disables selected system security features and provides publisher Capcom with administrator-level privileges to the entire operating system and all its files. The problems began with a security update released on September 22nd containing what Capcom described as an "updated anti-crack solution." In its announcement, the company claimed that the software was not DRM, but was designed such that it "prevents certain users from hacking the executable. The solution also prevents memory address hack [sic] that are commonly used for cheating and illicitly obtaining in-game currency and other entitlements that haven’t been purchased yet." Sadly, the update did significantly more than Capcom promised. In a thread on social networking site reddit, users tore down the code included with a kernel-level Windows driver file bundled with the software and discovered that it disabled the Supervisor Mode Execution Protection (SMEP) functionality of affected systems, forced the game to elevate its privileges and run at administrator level, and provided Capcom with complete and unrestricted access to the entire host system. In short: it's a backdoor, and one which actively harms the overall security of players' systems. Although the code in the driver disables SMEP only long enough to run a chunk of its own code and then re-enables the functionality, the damage is severe: using the driver, any unprivileged process on the system - including malware - can have its code executed at kernel level without question. Capcom, for its part, has apologised and promised to undo the damage caused.
"We are in the process of rolling back the security measures added to the PC version of Street Fighter V," the company claimed in a statement on the matter. "After the rollback process to the PC version, all new content from the September update will still be available to players. We apologise for the inconvenience." Those who wish to ensure their systems' security are advised to check for the driver "capcom.sys" even after the update that should remove it is installed.
DE-CIX questions legality of government tapping its system. The world's largest internet exchange point is suing the German government for tapping its communications systems. DE-CIX runs a number of critical exchange points – most of them in Germany, but with others in France, Spain and the United States – and has sued the German interior ministry over orders from the German security services to allow them to tap its exchange centers. The goal of the lawsuit, filed in federal court in Leipzig, is to reach a "judicial clarification" over whether the German government's actions are legal, the company said (in German), and "in particular, legal certainty for our customers and our company."
Now available on the stable release version, users will have five locations globally to choose from when using the VPN, which features 256-bit AES encrypted connections. If privacy when surfing the World Wide Web is something you value, then using a virtual private network (VPN) to obscure your surfing patterns is a must. While most VPNs either require a subscription fee or installing additional software on your PC, Opera's latest update to its stable desktop browser version adds VPN functionality for free, and turning it on is as simple as clicking a button. Powered by Opera subsidiary SurfEasy, the VPN uses a 256-bit AES encrypted connection and does not log your browsing history. Users can choose from five server locations: Canada, Germany, the Netherlands, Singapore and the United States, or let the browser select the optimal server. The free VPN for its desktop browser follows the company's previous announcement back in April, when this feature was made available on the developer version of its browser. The company also introduced a mobile VPN service for both iOS and Android. Other new features in the updated browser include Chromecast support, automatic battery saving for unplugged laptops and support for RSS feeds with the newsreader feature. Opera says the VPN should be fast enough for watching video in HD (that's 1,280x720 pixels), but this will also depend on the user's location relative to the VPN server. Opera says this depends on the network situation as well, as most video sites have an adaptive streaming protocol built in. The updated Opera browser can be downloaded here: http://www.opera.com/computer/