Miscreants sweep internet for unpatched Cisco kit, fears over bugged Chinese parts, Roger Stone nabbed...

...PHP's PEAR sabotaged for months, and more from the world of infosec


Roundup: This week we saw Hadoop hacks, Exchange exploits, and Deadpool besting scammers.

Here's some more computer security news to round off your week...

Alarms sounded over incoming Cisco attacks

Earlier this week, Cisco cleaned up a series of security flaws in its routers. Admins are now being urged to apply those fixes as soon as possible, because exploits for two of the flaws in particular are public.

A security dev going by the name of David Davidson has provided proof-of-concept code that leverages a data-disclosure vulnerability (CVE-2019-1653) in the RV320 WAN router, and extracts various configuration files and other information from the machine. You don't have to be authenticated; you just have to be able to reach the router's web-based management portal. This is useful for checking whether a device is vulnerable, and whether Cisco's patch actually works.

The code also achieves remote code execution as root on the router (exploiting CVE-2019-1652) if you know any valid login creds for the box. You can always try to crack the passwords fetched via the info-disclosure bug, or brute-force or guess them.

What's more, botnet watcher Troy Mursch has spotted miscreants scanning the public internet for vulnerable RV320 routers. This means we now have both working exploits and people trying to find vulnerable devices.

If you're an admin at a company running one or more of these Cisco WAN routers, you will want to make sure all of the boxes have the latest patches installed, and you should probably do it ASAP.

Adobe Experience Manager gets patched up

While not as prominent as other products like Creative Cloud or Flash, Adobe's Experience Manager is a well-used CMS and forms platform. So anyone running it will want to make sure they have installed the patches Adobe posted earlier this week.

The update patches up cross-site scripting and information disclosure flaws in Experience Manager and one cross-site scripting vulnerability in Experience Manager Forms. Updating to the latest version will apply all of the needed patches.

Credit for discovering the Forms bug was given to researcher Adam Willard.

In brief... Millions of loan and mortgage documents were accidentally exposed to the public internet via a poorly secured database, TechCrunch reports. The system has since been secured.

The PHP Extension and Application Repository (PEAR) was hacked, and go-pear.phar was maliciously tampered with. Anyone who downloaded that software manager between July 2018 and January 2019 may have fetched a poisoned version. "If you have downloaded this go-pear.phar in the past six months, you should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes. If different, you may have the infected file," the PEAR team warned this week.
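As an added example (not from the PEAR team's advisory), here is the check the advisory describes written out in Python: hash a previously downloaded go-pear.phar and a fresh copy of the same release fetched from pear/pearweb_phars, and flag a mismatch. The file names and the sample file contents in `demo()` are constructed stand-ins, not real archives.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time; phars can be large


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so the whole archive need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def check_go_pear(local_phar: str, reference_phar: str) -> dict:
    """Compare a previously downloaded go-pear.phar with a freshly fetched copy
    of the same release version. 'match' is False when the digests differ,
    which is the condition under which the advisory says the local file may
    be the tampered one."""
    local = sha256_file(local_phar)
    reference = sha256_file(reference_phar)
    return {
        "local_sha256": local,
        "reference_sha256": reference,
        "match": hmac.compare_digest(local, reference),
    }


def demo():
    """Constructed sample: a 'clean' reference, an identical copy, and a copy
    with a single byte altered. Returns (match_for_clean_copy, match_for_altered_copy)."""
    with tempfile.TemporaryDirectory() as d:
        reference = Path(d, "go-pear.phar.reference")
        identical = Path(d, "go-pear.phar.ok")
        altered = Path(d, "go-pear.phar.suspect")
        body = b"<?php /* constructed stand-in for go-pear.phar */ " + os.urandom(4096)
        reference.write_bytes(body)
        identical.write_bytes(body)
        altered.write_bytes(body[:-1] + bytes([body[-1] ^ 0x01]))  # flip one bit
        return (
            check_go_pear(str(identical), str(reference))["match"],
            check_go_pear(str(altered), str(reference))["match"],
        )
```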

Google has removed two programs from its Android Play Store – Currency Converter and BatterySaverMobi – that contained the online-bank-account-raiding Trojan Anubis. Interestingly, the malware also monitors the phone's motion sensors: if it detects movement, it carries on; if not, it assumes it is being analyzed in an emulator, and kills itself.

Girl Scouts and HPE to offer cyber-security merit badge

HPE is going to be teaching Girl Scouts how to manage an entirely new type of cookie, as the enterprise tech giant announced this week it would work with the young women's group to offer a new cybersecurity badge.

The patch will be offered through the Girl Scout Juniors (age 9-11) program and will be focused on how scouts can protect themselves online and steer clear of identity theft and financial fraud schemes.

"Girls are going online earlier and earlier, and it’s especially crucial that they are equipped with the knowledge and tools they need to be savvy consumers, to protect themselves, their identity and data," said CEO Lidia Soto-Harmon of Girl Scouts Nation's Capital.

In addition to the patch, the Girl Scouts and HPE are going to develop an online game that centers around how to deal with online scams and privacy protection.

Washington DC worries over bugged Chinese rail cars

Security paranoia is nothing new in the US capital, but this latest episode of infosec scrutiny might be a bit much even for Washington, DC.

A report from NextGov examines how Senators have become concerned that the planned overhaul of the District's metro rail system with new carriages could put national security at risk.

Four Senators have signed a letter asking the head of the Washington Metropolitan Area Transit Authority to develop a plan to make sure that the agency does not end up purchasing cars from Chinese companies that might be bugged by that country's government.

The agency is reportedly planning to amend its request for proposals to include a requirement that the cars be built to NIST information security standards.

National intelligence advisers urge US to push hard on cybersecurity

While it is no secret that the US government is trying to improve its cybersecurity protections and practices, a key report this week signaled an even greater urgency is needed.

The National Intelligence Service has released its first report in four years on the US security threat landscape, and cyber looks to be a top priority.

For the first time the report places cybersecurity intelligence alongside areas like counterterrorism and counterintelligence, a signal that, at least as far as intelligence officials are concerned, data protection is now every bit as important as physical security and guarding against spies.

"We face significant changes in the domestic and global environment; we must be ready to meet 21st century challenges and to recognize emerging threats and opportunities," the report reads.

"To navigate today’s turbulent and complex strategic environment, we must do things differently."

Trump man hauled in on charges of WikiLeaks dealing

A key figure in Donald Trump's presidential run has been cuffed and accused by the FBI of lying to Congress about the campaign's use of stolen Democratic party emails to derail rival Hillary Clinton's bid for the White House.

Roger Stone was cuffed early Friday morning after being indicted on seven charges related to the ongoing Mueller probe into the 2016 White House race. Specifically, he was charged with one count of obstruction of an official proceeding, five counts of false statements, and one count of witness tampering.

Among the allegations is the claim that Stone was part of the chain of intelligence between the Trump administration and WikiLeaks, which allegedly obtained sensitive Democratic party documents from Russian agents. Those documents – emails lifted from the Clinton campaign and DNC by Kremlin hackers – were credited with helping, in part, Trump win the 2016 election.

It should be noted that WikiLeaks has categorically denied the emails came from Russia. Stone denies any wrongdoing.

Citizen Lab creeped out by government surveillance

Digital rights and research group Citizen Lab says it has been the target of surveillance, possibly from the shadowy Israeli digital intelligence firm NSO Group.

The research foundation revealed on Friday that two of its investigators had been approached by people who were trying to collect sensitive personal information by creating fake companies and identities. On both occasions, Citizen Lab said, it sniffed out the operations and confronted the individuals.

While Citizen Lab says it can't definitively tie the operation to NSO Group, it has a pretty strong hunch the company is in some way connected. Researchers were asked about antisemitism at the non-profit and whether this would have sparked interest in investigations.

"This failed operation against two Citizen Lab researchers is a new low. Citizen Lab research is public, and the evidence that we use to draw our conclusions is public as well," Citizen Lab said.

"We have always welcomed debate and dialogue about our work, but we condemn these sinister, underhanded activities in the strongest possible terms. Such a deceitful attack on an academic group like the Citizen Lab is an attack on academic freedom everywhere." ®
