
Cybersecurity is in a terrible state, possibly the worst it's ever been. Literally not a day goes by without another report of a security breach or a data spill or a hack spilling corporate secrets. There is plenty of blame to go around, of course. Let's start with the obvious ones, the crooks and scammers – from petty criminals to organized crime – who are able to extort us with ransomware or steal corporate data or our credit-card details with phishing attacks. Few police forces have the time, money and skill to catch these groups or bring them to justice. Then there are state-backed hackers who switch between espionage and cyber warfare – and the governments that either turn a blind eye to their activities or positively encourage them. Who else to blame? Perhaps the tech companies that are desperate to rush a new product to market to beat their rivals, and think that cutting corners on testing security is a good way to do it. And it's not just startups, either; witness the constant stream of security patches that flow from all the big tech companies every month, fixing problems with software that simply wasn't secure enough when it was sold. What about the enterprise? There are software patches for all of the most regularly abused software flaws, just as there was a patch for the flaw that allowed WannaCry to spread. And yet those flaws go unpatched because firms don't want to spend the time and money fixing those flaws and patching those systems. Follow up on OUR FORUM.

Those who remember the earlier days of the internet are familiar with the "Nigerian Prince letter," also known as the 419 scam. While that fraud typically runs from personal email accounts, another one uses an official Nigerian government website to host a phishing page for the DHL international courier service. Nigeria has a large culture of fraud, which is defined in the country's criminal code as section 419, under Chapter 38 ("Obtaining Property by false pretenses; Cheating"), but this is ridiculous. For over two weeks, the Nigerian National Assembly (NASS) site has been serving a fraudulent page that asks for DHL account credentials. This is just a landing location, most likely pushed through spam. The phishing resource is "u.php" and it is present on multiple legitimate websites that have been hacked to host it. We also found it on domains that look like they've been registered specifically for DHL phishing purposes. At the moment of writing, loading most of them triggered the "Deceptive site" warning in Chrome and Firefox, but not all of them have been indexed as unsafe yet. Security researcher MalwareHunterTeam found the phishing page on the NASS website and noticed a history of malicious URLs available on the official domain. Read more on OUR FORUM.

TP-Link's SR20 Smart Home Router is affected by a zero-day arbitrary code execution (ACE) vulnerability that allows potential attackers on the same network to execute arbitrary commands, as disclosed on Twitter by Google security developer Matthew Garrett. Garrett disclosed the ACE 0-day after TP-Link did not provide a response during the 90 days since his report and, as he explained in the Twitter thread, the zero-day stems from the fact that "TP-Link routers frequently run a process called 'tddp' (TP-Link Device Debug Protocol) as root", a process which has previously been found to contain multiple other vulnerabilities. TDDP allows running two types of commands on the device: type 1, which do not require authentication, and type 2, which ask for administrator credentials. As detailed by Garrett, the vulnerable router exposes a number of type 1 commands, one of which (command 0x1f, request 0x01) "appears to be for some sort of configuration validation" and allows would-be attackers to send a command containing a filename, a semicolon, and an argument to initiate the exploitation process. This instructs the TP-Link router to connect to the machine that sent the specially crafted request over Trivial File Transfer Protocol (TFTP). Once connected to the potential attacker's machine, the SR20 smart hub "requests the filename via TFTP, imports it into a LUA interpreter and passes the argument to the config_test() function in the file it just imported. The interpreter is running as root." Next, the os.execute() method allows unauthenticated attackers to execute any command they want as root, leading to a full takeover of any compromised TP-Link SR20 device. For more visit OUR FORUM.
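The vulnerable and hardened shapes of a config_test() routine, as an added illustration of the pattern Garrett describes. This is constructed example code, not TP-Link's firmware; the helper binary name, the argument format and the table of known keys are assumptions.

```lua
-- Constructed illustration of the pattern described above; not TP-Link firmware code.
-- Vulnerable shape: the caller-supplied `arg` is spliced straight into a shell
-- command line, so a ';' in it ends the intended command and starts another one,
-- and because the interpreter runs as root, so does whatever follows.
local function config_test_vulnerable(arg)
  return os.execute("validate_config " .. arg)   -- assumed helper binary name
end

-- Hardened shape: reject anything outside a strict allowlist and never hand
-- the value to a shell at all; do the check in Lua.
local function config_test_hardened(arg)
  if type(arg) ~= "string" or #arg == 0 or #arg > 64 then
    return false, "rejected: argument must be a non-empty string of at most 64 bytes"
  end
  if not arg:match("^[%w_%-]+$") then
    return false, "rejected: only [A-Za-z0-9_-] is allowed"
  end
  -- assumed: a table of the configuration keys the device is willing to validate
  local known = { wan_mode = true, lan_ip = true, wifi_ssid = true }
  if not known[arg] then
    return false, "rejected: unknown configuration key"
  end
  return true
end

-- Expected behaviour of the hardened version:
assert(config_test_hardened("wan_mode") == true)
assert(config_test_hardened("wan_mode; reboot") == false)
assert(config_test_hardened("") == false)
```

The more important fix is structural: an unauthenticated (type 1) command should never cause the device to fetch and import code from the requesting host, whatever config_test() later does with its argument.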

Six months after Microsoft first released Windows 10 1809 to the mainstream, that Windows 10 feature update from last fall has finally been deemed ready for broad deployment. On March 28, Microsoft officials said they would be changing the Windows 10 release information page to note that it was ready for rollout by the vast majority of customers, including businesses. Microsoft finalized the code for Windows 10 1809, also known as the Windows 10 October 2018 Update, in September 2018 and started to roll it out to consumers on October 2, 2018. Shortly after mainstream rollout began, Microsoft had to pull Windows 10 1809 -- and its Server equivalent, Windows Server 2019/1809 -- because of a bug that caused some users to lose their data and encounter issues involving ZIP compressed files. In mid-November 2018, Microsoft re-released Windows 10 1809 and Windows Server 2019, taking a very cautious and slow approach to making them available to mainstream users. Microsoft restarted its support timeline clock, making November 13 the revised start of servicing date for both the Semi-Annual Channel and Long-Term Servicing Channel for the products. Microsoft officials recently announced that, as of Windows 10 1903, they would be discontinuing the Semi-Annual Channel Targeted (SAC-T) designation, which some businesses were using as part of the way they roll out feature updates to Windows 10. Microsoft officials publicly said they dropped SAC-T because they're trying to align the way they talk about Windows 10 and Office 365 servicing. Today, in a very short blog post about the broad-deployment status for 1809, Microsoft officials did note that they'd "continue to communicate for future releases the transition from targeted to broad deployment status." Further details posted on OUR FORUM.

Federal Reserve Bank (FRB) systems are exposed to an increased risk of unauthorized access because of security weaknesses found in the U.S. Treasury Department's computing systems, according to a management report issued by the U.S. Government Accountability Office (GAO). GAO used "an independent public accounting (IPA) firm, under contract, to assist with information system testing, including follow-up on the status of FRBs' corrective actions to address control deficiencies contained in our prior years' reports that were not remediated as of September 30, 2017." As part of its audit for the fiscal year that ended on September 30, 2018, GAO performed an extensive review of all computing system controls over key financial systems maintained and operated by FRBs connected to the Schedule of Federal Debt. During the fiscal year 2018 audit, GAO found "one new information system general control deficiency" affecting configuration management, which is designed to block unauthorized or untested modifications to critical information on computing systems. GAO also discovered two not-yet-addressed deficiencies found in the prior year in information system controls over key financial systems operated by FRBs and also relevant to the Schedule of Federal Debt. Fiscal Service's information system controls were also found to contain deficiencies which, when taken into account with previously unearthed unresolved control deficiencies, collectively classify as a significant flaw in internal control over the Schedule of Federal Debt's financial reporting. Visit OUR FORUM to learn more.

An academic study that analyzed 82,501 apps pre-installed on 1,742 Android smartphones sold by 214 vendors concluded that users are woefully unaware of the huge security and privacy-related threats that come from pre-installed applications. Researchers found that many of these pre-installed apps have access to very intrusive permissions out of the box, collect and send data about users to advertisers, and have security flaws that often remain unpatched. On top of this, many pre-installed apps (also referred to as bloatware) can't be removed, and also use third-party libraries that secretly collect user data from within benign-looking and innocently-named applications. The study is, by far, one of the most complex endeavors of its kind, and included analysis of device firmware, app behavior, and the internet traffic the apps generated. One of the first things the researchers spotted was the incessant use of third-party libraries (or software development kits, SDKs) inside many pre-installed applications. While using an SDK to simplify the coding of basic tasks is commonplace in the web, desktop, and mobile development community, researchers noted that the most commonly encountered third-party libraries were all advertising and user-tracking related. Learn more in-depth details on OUR FORUM.
