Tech News

Several Seagate wireless hard-drives have been found to be affected by multiple vulnerabilities, the CERT Coordination Center of the Software Engineering Institute at Carnegie Mellon University warns. The first one allows an attacker to access undocumented Telnet services by using root as both username and password. The second one allows an attacker to download files stored in the device. The third one allows him (or her) to upload files onto the device, and if they are malicious, they could end up compromising other endpoints when opened. An attacker that wishes to exploit these bugs must be within range of the devices wireless network. Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie FUEL with firmware versions 2.2.0.005 and 2.3.0.014 have been confirmed to be affected, and its possible that other products might be vulnerable, as well. Seagate has released firmware (v3.4.1.105) to plug the holes, and users are advised to update it as soon as possible. There is no evidence that attackers have been exploiting the holes in attacks in the wild

A website in Russia has been caught exploiting a serious zero-day vulnerability in Mozillas Firefox browser, prompting the open-source developer to deliver an emergency update that fixes the flaw. The bug in a built-in PDF reader allowed attackers to steal sensitive files stored on the hard drives of computers that used the vulnerable Firefox version. The attack was used against both Windows and Linux users, Mozilla researcher Daniel Veditz wrote in a blog post published Thursday. The exploit code targeting Linux users uploaded cryptographically protected system passwords, bash command histories, secure shell (SSH) configurations and keys. The attacker downloaded several other files, including histories for MySQL and PgSQL and configurations for remina, Filezilla, and Psi+, text files that contained the strings pass and access in the names. Any shell scripts were also grabbed.

Major cloud services such as Box, Google Drive, Dropbox and Microsoft OneDrive are at risk of man-in-the-cloud (MITC) cyber attacks, according to a research paper published by Imperva. The firm said at the Black Hat security conference in Las Vegas that cloud-based businesses are vulnerable to exploitation by hackers, even claiming that data can be accessed without needing usernames or passwords. Imperva revealed that if hackers gain access to a users authentication token, a unique log-in file, they can steal data and even inject malware or ransomware into an account. The research team explained that hackers are able to insert an internally developed tool named Switcher into a system through a malicious email attachment or a drive-by download that uses a vulnerability in browser plug-ins. From an attackers point of view, there are advantages in using this technique. Malicious code is typically not left running on the machine, and the data flows out through a standard, encrypted channel. In the MITC attack, the attacker does not compromise explicit credentials, the report stated. Furthermore, this method of hacking works in such a way that end users may not be aware that their account has been compromised.

It is a truism that all software has bugs and security holes. It is another that license agreements invariably make software vendors immune to liability for damage or losses caused by such flaws. But, to my surprise, Black Hats founder and keynote speaker are arguing that software product liability, presumably mandated by governments, is inevitable. If they are right, a seismic change is on the horizon. I do not see a way forward without software liability, said Jeff Moss aka Dark Tangent. As software eats the world, industries which are already subject to liability are becoming software companies: Moss called Airbus, Boeing, and Tesla manufacturers of moving data centers. The recent Jeep hack highlights the extent to which vehicle manufacturers have become software companies, and vulnerable to software flaws. But traditional software companies are immune to liability. It is not, Moss argues, a level playing field. Market forces will drive us to software liability, he claims. Keynote speaker (and lawyer) Jennifer Granick similarly believes the Internet of Things will lead to industries accustomed to liability becoming software companies, which will lead to software liability.

The vulnerability was introduced in 1997, but has remained hidden until now. A design flaw in the x86 processor architecture dating back almost two decades could allow attackers to install a rootkit in the low-level firmware of computers, a security researcher said Thursday. Such malware could be undetectable by security products. The vulnerability stems from a feature first added to the x86 architecture in 1997. It was disclosed Thursday at the Black Hat security conference by Christopher Domas, a security researcher with the Battelle Memorial Institute. By leveraging the flaw, attackers could install a rootkit in the processors System Management Mode (SMM), a protected region of code that underpins all the firmware security features in modern computers. Once installed, the rootkit could be used for destructive attacks like wiping the UEFI (Unified Extensible Firmware Interface) the modern BIOS or even to re-infect the OS after a clean install. Protection features like Secure Boot wouldnt help, because they too rely on the SMM to be secure.

Yahoos top websites fell victim to a malvertising attack within the companys ad network, although Yahoo will not reveal the number of people who may have been affected. Hackers exploited Adobe Flash software to conduct the attack. Malware was spread through Yahoos ads for a week, according to a senior security researcher at Malwarebytes, the security firm that first learned of the attack. More than 100 million people visit Yahoos new sites per month. Yahoo said it has curbed the attack that began on July 28. As soon as we learned of this issue, our team took action to block this advertiser from our network, a Yahoo spokesperson said in a statement. Jerome Segura, a senior security researcher at Malwarebytes, said hackers used a bug in Adobe Flash, which streams audio and video. This [is] one of the largest malvertising attacks we have seen recently, Segura said. Yahoo claimed the scale of the attack was initially blown out of proportion. We take all potential security threats seriously, the companys spokesperson said, according to The Hill. With that said, the scale of the attack was grossly misrepresented in initial media reports and we continue to investigate the issue. Yahoos contemporary, Google, fell victim to a large malvertising attack earlier this year. Hackers were found to be using Googles advertising service, DoubleClick, to launch attacks on visitors from other websites. Google responded by announcing it would encrypt all DoubleClick ads. Yahoo also said in April that it would encrypt its ad network connections. The company said it has already installed end-to-end encryption for its Yahoo Mail. Online advertisers have received encouragement from top US senators to solidify their networks in order to protect online consumers from malvertising attacks. We must understand the security and privacy hazards consumers face in online advertising and make sure standards and rules exist to ensure consumers do not have to be more tech savvy than cyber criminals to stay safe online, said Sen. John McCain, who, with then-Sen. Carl Levin, released a report in 2014 that urged online advertisers to take action. Malvertising efforts reached more than 2 million users in June, a record according to security firm Invincea. The Adobe Flash-enabled attack, meanwhile, has led to a renewed call for the service to be disabled on personal computers short of the outright retirement of Flash.