Submission + - Malware found preinstalled in classic push-button phones sold in Russia (therecord.media) 1

An anonymous reader writes: A security researcher has discovered malicious code inside the firmware of four low-budget push-button mobile phones sold through Russian online stores.

In a report published this week by a Russian security researcher named ValdikSS, push-button phones such as DEXP SD2810, Itel it2160, Irbis SF63, and F+ Flip 3 were caught subscribing users to premium SMS services and intercepting incoming SMS messages to prevent detection.

ValdikSS, who set up a local 2G base station in order to intercept the phones’ communications, said the devices also secretly notified a remote internet server when they were activated for the first time, even if the phones had no internet browser.

A fifth phone, the Inoi 101, was also tested, but the devices did not exhibit any malicious behavior.

Submission + - Google is working on an HTTPS-Only Mode for Chrome (therecord.media) 1

An anonymous reader writes: Following in the footsteps of browsers like Mozilla Firefox and Microsoft Edge, Google Chrome is also in line to receive an HTTPS-Only Mode that will upgrade all unencrypted HTTP connections to encrypted HTTPS alternatives, where possible.

Currently, the new Chrome HTTPS-Only Mode is still under development in Chrome Canary distributions. Work is being done to add specific settings in the browser’s interface, and no actual HTTP-to-HTTPS functionality is currently present. The feature is expected to be ready for Chrome 93, set to be released later this fall.

In a report last month analyzing the rollout of its HTTPS-Only Mode, Mozilla said Firefox upgraded HTTP traffic to HTTPS only for 3.5% of web pages, as 92.8% were loading via HTTPS connections already.

Submission + - GitHub investigating crypto-mining campaign abusing its server infrastructure (therecord.media)

An anonymous reader writes: Code-hosting service GitHub is actively investigating a series of attacks against its cloud infrastructure that allowed cybercriminals to implant and abuse the company’s servers for illicit crypto-mining operations, a spokesperson told The Record today. The attacks have been going on since the fall of 2020 and have abused a GitHub feature called GitHub Actions, which allows users to automatically execute tasks and workflows once a certain event happens inside one of their GitHub repositories.

Hackers have been filing malicious pull requests with random projects that contain malicious GitHub Actions. If a target project contains automated workflows to process incoming pull requests, the malicious GitHub Action tells the project to start up a VM, and download and run a cryptominer, which effectively abuses GitHub's cloud infrastructure for the attacker.

Submission + - Google collects 20 times more telemetry from Android devices than Apple from iOS (therecord.media)

An anonymous reader writes: Academic research published last week looked at the telemetry traffic sent by modern iOS and Android devices back to Apple and Google servers and found that Google collects around 20 times more telemetry data from Android devices than Apple from iOS. The study unearthed some uncomfortable results. For starters, Prof. Leith said that “both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this [option].” Furthermore, “this data is sent even when a user is not logged in (indeed even if they have never logged in),” the researcher said.

But while the Irish researcher found that Apple tends to collect more information data types from an iOS device, it was Google that collected “a notably larger volume of handset data. During the first 10 minutes of startup the Pixel handset sends around 1MB of data to Google compared with the iPhone sending around 42KB of data to Apple,” Prof. Leith said.

“When the handsets are sitting idle the Pixel sends roughly 1MB of data to Google every 12 hours compared with the iPhone sending 52KB to Apple i.e., Google collects around 20 times more handset data than Apple.”

Submission + - IPv4 Parsing Flaw in NPM Netmask Could Affect 270,000 Apps 1

chicksdaddy writes: Independent security researchers analyzing the widely used open source component netmask have discovered security vulnerabilities that could leave more than a quarter million open source applications vulnerable to attack, according to a report released Monday, The Security Ledger reports. (https://securityledger.com/2021/03/critical-flaws-found-in-widely-used-netmask-open-source-library/)

According to a report by the site Sick Codes (https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/), the flaws open applications that rely on netmask to a wide range of malicious attacks, including Server Side Request Forgery (SSRF) and Remote and Local File Inclusion (RFI, LFI), that could enable attackers to ferry malicious code into a protected network, or siphon sensitive data out of one. Even worse, the flaws appear to stretch far beyond a single open source module, affecting a wide range of open source development languages, researchers say.

Netmask (https://www.npmjs.com/package/netmask) is a widely used package that allows developers to evaluate whether an IP address attempting to access an application is inside or outside of a given IPv4 range. Based on an IP address submitted to netmask, the module will return true or false about whether or not the submitted IP address is in the defined “block.” According to the researcher using the handle “Sick Codes” (https://www.twitter.com/sickcodes), the researchers discovered that netmask had a big blind spot. Specifically, it evaluates certain IP addresses incorrectly: it improperly validates so-called “octal strings,” rendering IPv4 addresses that contain certain octal strings as integers. For example, the IPv4 address 0177.0.0.1 should be evaluated by netmask as the private IP address 127.0.0.1, as the octal string “0177” translates to the integer “127.” However, netmask evaluates it as a public IPv4 address, 177.0.0.1, simply stripping off the leading zero and reading the remaining parts of the octal string as an integer.

The implications for modules that are using the vulnerable version of netmask are serious. According to Sick Codes, remote attackers can use SSRF attacks to upload malicious files from the public Internet without setting off alarms, because applications relying on netmask would treat a properly configured external IP address as an internal address. Similarly, attackers could also disguise remote IP addresses as local addresses, enabling remote file inclusion (RFI) attacks that could permit web shells or malicious programs to be placed on target networks. But researchers say much more is to come. The problems identified in netmask are not unique to that module. Researchers have noted previously that the textual representation of IPv4 addresses was never standardized (https://blog.dave.tf/post/ip-addr-parsing/), leading to disparities in how different but equivalent versions of IPv4 addresses (for example: octal strings) are rendered and interpreted by different applications and platforms.
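The octal misparse described in this submission, as an added example that is not code from the netmask package or from the researchers' write-up: three small IPv4 parsers (a lenient one that reproduces the described behaviour, an inet_aton-style one that honours octal and hex parts, and a strict canonical one that rejects non-canonical input) are run through the same private-range check. The CIDR list, function names and sample addresses are constructed for this illustration, and the inet_aton-style parser handles only the four-part form. The defender's takeaway is that a range check is only as good as the parser in front of it: the same string classifies three different ways.

```javascript
// Added example, not netmask's own code. Private/loopback ranges assumed
// for the check (RFC 1918 plus 127.0.0.0/8); constructed for illustration.
const PRIVATE_RANGES = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8'];

// Lenient parser reproducing the described misparse: every part is read as
// decimal, so a leading zero is simply dropped and "0177" becomes 177.
function parseIPv4Lenient(str) {
  const parts = str.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^[0-9]+$/.test(p) ? parseInt(p, 10) : NaN));
  return octets.some((o) => Number.isNaN(o) || o > 255) ? null : octets;
}

// inet_aton-style parser (four-part form only, an assumption of this example):
// a part starting with "0x" is hex, a part starting with "0" is octal,
// anything else is decimal. "0177" therefore becomes 127.
function parseIPv4Legacy(str) {
  const parts = str.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => {
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) return parseInt(p.slice(2), 16);
    if (/^0[0-7]+$/.test(p)) return parseInt(p.slice(1), 8);
    if (/^(0|[1-9][0-9]*)$/.test(p)) return parseInt(p, 10);
    return NaN;
  });
  return octets.some((o) => Number.isNaN(o) || o > 255) ? null : octets;
}

// Strict canonical parser: exactly four decimal parts of 1-3 digits, no
// leading zeros, each in 0..255. Ambiguous spellings are refused outright
// instead of being guessed at.
function parseIPv4Strict(str) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(str);
  if (!m) return null;
  const parts = m.slice(1);
  if (parts.some((p) => p.length > 1 && p[0] === '0')) return null;
  const octets = parts.map(Number);
  return octets.some((o) => o > 255) ? null : octets;
}

// Pack four octets into an unsigned 32-bit number.
function toInt(octets) {
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

// CIDR membership test on already-parsed octets; the base address of the
// CIDR is canonical, so the strict parser is used for it.
function inCidr(octets, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const baseOctets = parseIPv4Strict(base);
  const mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((toInt(octets) & mask) >>> 0) === ((toInt(baseOctets) & mask) >>> 0);
}

// Classify a textual address as 'internal', 'external' or 'rejected',
// using whichever parser is supplied.
function classify(str, parser) {
  const octets = parser(str);
  if (!octets) return 'rejected';
  return PRIVATE_RANGES.some((c) => inCidr(octets, c)) ? 'internal' : 'external';
}

// Same input, three outcomes: the lenient parser treats 0177.0.0.1 as the
// public 177.0.0.1, inet_aton semantics make it loopback, strict parsing
// refuses it. Only the last two agree with how the OS will actually connect.
for (const [name, parser] of [['lenient', parseIPv4Lenient], ['legacy', parseIPv4Legacy], ['strict', parseIPv4Strict]]) {
  console.log(name.padEnd(8), '0177.0.0.1 ->', classify('0177.0.0.1', parser));
}
```

A range check that parses its input differently from the socket layer that later opens the connection is the root of the SSRF/LFI risk described above; the strict parser sidesteps the disagreement by refusing every spelling other than the canonical dotted decimal.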

Submission + - SPAM: Hackers are selling more than 85,000 MySQL databases on a dark web portal

An anonymous reader writes: For the past year, hackers have been breaking into MySQL databases, downloading tables, deleting the originals, and leaving ransom notes behind, telling server owners to contact the attackers to get their data back. If database owners don't respond and ransom their data back in nine days, the databases are then put up on auction on a dark web portal.

This portal currently lists data from more than 85,000 MySQL servers, each for a price of only $550/database.


Submission + - Cluster of 295 Chrome Extensions Caught Hijacking Google and Bing Search Results (zdnet.com)

An anonymous reader writes: More than 80 million Chrome users have installed one of 295 Chrome extensions that have been identified to hijack and insert ads inside Google and Bing search results.

The malicious extensions were discovered by AdGuard, a company that provides ad-blocking solutions, while the company's staff was looking into a series of fake ad-blocking extensions that were available on the official Chrome Web Store. AdGuard says that most of the extensions (245 out of the 295 extensions) were simplistic utilities that had no other function than to apply a custom background for Chrome's "new tab" page. In addition to the 295 cluster, AdGuard also found a large number of copycat extensions that cloned popular add-ons to capitalize on their brands, and then load malicious code that performed ad fraud or cookie stuffing.

The list of the 295 Chrome extensions can be found here.

Submission + - Linux team approves new terminology, bans terms like 'blacklist' and 'slave' (zdnet.com)

An anonymous reader writes: Linus Torvalds approved on Friday a new and more inclusive terminology for the Linux kernel code and documentation. Going forward, Linux developers have been asked to use new terms for the master/slave and blacklist/whitelist terminologies. Proposed alternatives for master/slave include:
  • primary/secondary
  • main/replica or subordinate
  • initiator/target
  • requester/responder
  • controller/device
  • host/worker or proxy
  • leader/follower
  • director/performer

Proposed alternatives for blacklist/whitelist include:

  • denylist/allowlist
  • blocklist/passlist

Submission + - New 'Spectra' Attack Breaks the Separation Between Wi-Fi and Bluetooth (zdnet.com)

An anonymous reader writes: Academics from Germany and Italy say they developed a new practical attack that breaks the separation between Wi-Fi and Bluetooth technologies running on the same device, such as laptops, smartphones, and tablets. Called Spectra, this attack works against "combo chips," specialized chips that handle multiple types of radio wave-based wireless communications, such as Wi-Fi, Bluetooth, LTE, and others.

More particularly, the Spectra attack takes advantage of the coexistence mechanisms that chipset vendors include with their devices. Combo chips use these mechanisms to switch between wireless technologies at a rapid pace. The new Spectra attack allows attackers to break the barrier between these technologies to launch DoS, RCE, or information disclosure attacks.

Submission + - Details of 44m Pakistani mobile users leaked online, part of bigger 115m cache (zdnet.com)

An anonymous reader writes: The details of 44 million Pakistani mobile subscribers have leaked online this week, ZDNet has learned. The leak comes after a hacker tried to sell a package containing 115 million Pakistani mobile user records last month for a price of $2.1 million in bitcoin. Data contains names, phone numbers, national IDs, and home addresses among others, and is believed to have originated from Jazz, a local mobile provider. The incident is already under investigation in Pakistan, where the Pakistan Telecommunication Authority (PTA) and the Federal Investigation Agency (FIA) are looking into the matter since last month when the hacker first tried to sell the entire 115 million batch on a hacker forum.

Submission + - HPE Says Firmware Bug Will Brick Some SSDs Starting With October 2020 (zdnet.com) 1

An anonymous reader writes: Hewlett Packard Enterprise (HPE) issued a security advisory last week warning customers about a bug in the firmware of some SAS SSDs (Serial-Attached SCSI solid-state drives) that will fail after reaching 40,000 hours of operation — which is 4 years, 206 days, and 16 hours after the SSD has been put into operation.

HPE says that based on when affected SSDs have been manufactured and sold, the earliest failures are expected to occur starting with October this year. The company has released firmware updates last week to address the issue. HPE warns that if companies fail to install the update, they risk losing both the SSD and the data. "After the SSD failure occurs, neither the SSD nor the data can be recovered," the company explained.

Submission + - Modern RAM used for computers, smartphones still vulnerable to Rowhammer attacks (zdnet.com)

An anonymous reader writes: According to new research published today, modern RAM cards are still vulnerable to Rowhammer attacks despite extensive mitigations that have been deployed by manufacturers over the past six years. These mitigations, collectively referred to as Target Row Refresh (TRR), are a combination of software and hardware fixes that have been slowly added to the design of modern RAM cards after 2014 when academics disclosed the first-ever Rowhammer attack.

But in a new research paper published today and titled "TRRespass: Exploiting the Many Sides of Target Row Refresh," a team of academics from universities in the Netherlands and Switzerland said they developed a generic tool named TRRespass that can be used to upgrade the old Rowhammer attacks to work on the new-and-improved TRR-protected RAM cards. The new upgraded attacks work on both DIMM and LPDDR4 memory types, and can be used to retrieve encryption keys from memory, or escalate an attacker's access rights to sudo/SYSTEM level.

Submission + - Windows 7 bug prevents users from shutting down or rebooting computers (zdnet.com) 2

An anonymous reader writes: A weird bug of unknown origins has been hitting Windows 7 computers this week, according to multiple reports online. Windows 7 users have been reporting that they are receiving a popup message that reads "You don't have permission to shut down this computer" every time they attempt to shut down or reboot their systems.

Windows 7 reached official end of life (EOL) on January 14, 2020 and is not scheduled to receive new fixes. Last month, Microsoft made an exception to this rule when it provided a fix for a bug that broke wallpaper display for Windows 7 users. Seeing that rebooting or shutting down your computer is a more important OS feature than wallpaper support, Microsoft will most likely need to make another exception and deliver a second post-EOL update pretty soon.

Submission + - Chrome Web Store Flooded With Fraudulent Transactions (zdnet.com)

An anonymous reader writes: The Google security team has indefinitely suspended the publishing or updating of any commercial Chrome extensions on the official Chrome Web Store following a spike in the number of paid extensions engaging in fraudulent transactions. Google said the wave of fraudulent transactions began earlier this month. Google engineers described the fraudulent transactions as happening "at scale."

"This is a temporary measure meant to stem this influx as we look for long-term solutions to address the broader pattern of abuse," said Simeon Vincent, Developer Advocate for Chrome Extensions at Google.

The ban on publishing or updating impacts all paid extensions. This includes Chrome extensions that require paying a fee before installing, extensions that work based on monthly subscriptions, or Chrome extensions that use one-time in-app purchases to get access to various features. Existing commercial extensions are still available for download via the official Chrome Web Store, however, extension developers can't push new updates.

Submission + - 20 Low-End VPS Providers Shutting Down in a 'Deadpooling' Scam (zdnet.com)

An anonymous reader writes: At least 20 web hosting providers have hastily notified customers today, Saturday, December 7, that they plan to shut down on Monday, giving their clients two days to download data from their accounts before servers are shut down and wiped clean. No refunds are being provided. As several users have pointed out, the VPS providers don't list physical addresses, don't list proper business registration information, and have no references to their ownership.

A source in the web hosting industry who wanted to remain anonymous told ZDNet that what happened this weekend is referred to as "deadpooling" — namely, the practice of setting up a small web hosting company, providing ultra-cheap VPS servers for a few dollars a month, and then shutting down a few months later, without refunding customers. "This is a systemic issue within the low-end market, we call it deadpooling," the source told us. "It doesn't happen often at this scale, however."

The 20 companies are: ArkaHosting, Bigfoot Servers, DCNHost, HostBRZ, HostedSimply, Hosting73, KudoHosting, LQHosting, MegaZoneHosting, n3Servers, ServerStrong, SnowVPS, SparkVPS, StrongHosting, SuperbVPS, SupremeVPS, TCNHosting, UMaxHosting, WelcomeHosting, X4Servers
