As involved as that process was, getting unauthorized code covertly installed into an official operating system and keeping it there for years would appear to be an even more complicated—and brazen—undertaking. This 2013 article published by Der Spiegel reported that an NSA operation known as FEEDTHROUGH worked against Juniper firewalls and gave the agency persistent backdoor access.
Source: “Unauthorized code” in Juniper firewalls decrypts encrypted VPN traffic | Ars Technica
The security bug relates to the fact that the AVG antivirus creates a memory space with full RWX (read-write-execute) privileges where it normally runs. For that particular version of the AVG antivirus, this memory space was not randomized and was often shared with other applications, like, for example, Acrobat Reader or the enSilo product that collided with the antivirus.
If an attacker knew about the antivirus’ predictable behavior and where this address space was, they could force their malicious code to execute inside that memory address and have the same privileges as the antivirus process (which is system-level).
Source: AVG, McAfee, Kaspersky Fix Common Vulnerability in Their Antivirus Products
One of the vulnerabilities is located in the tool’s help system and allows users with limited Windows accounts to start an instance of Internet Explorer with administrator privileges by clicking on URLs in help pages. That’s because Lenovo System Update itself runs under a temporary administrator account that the application creates when installed, so any process it spawns will run under the same account.
Source: Lenovo patches serious vulnerabilities in PC system update tool
In April, Seoul required new smartphones sold to those 18 and under to be equipped with such software, a first-of-its-kind move, according to Korea University law professor Park Kyung-sin. The Korean Communications Commission has promoted Smart Sheriff and schools have sent out letters to parents encouraging them to download the app, which is free.
Source: APNewsBreak: South Korea-backed app puts children at risk – Houston Chronicle
Children’s phone numbers, birth dates, web browsing history and other personal data were being sent across the Internet unencrypted, making them easy to intercept. Authentication weaknesses meant Smart Sheriff could easily be hijacked, turned off or tricked into sending bogus alerts to parents. Even worse, they found that many weaknesses could be exploited at scale, meaning that thousands or even all of the app’s 380,000 users could be compromised at once.
Paul Stone and Alex Chapman of Context Information Security in the U.K. took a long look at the WSUS attack surface and discovered that when a WSUS server contacts Microsoft for driver updates, it does so using XML SOAP web services, and those checks are not made over SSL. While updates are signed by Microsoft and updates must be verified by Microsoft, Stone and Chapman discovered that an attacker already in a man-in-the-middle position on a corporate network, for example, could with some work tamper with the unencrypted communication and inject a malicious homegrown update.
Source: Manipulating Microsoft WSUS to Own Enterprises | Threatpost | The first stop for security news
The spyware is delivered either via the aforementioned app, or via an SMS or email that contain a specially crafted URL that will trigger exploits for several vulnerabilities in the default browsers of Android versions 4.0 Ice Cream Sandwich to 4.3 Jelly Bean.
This will allow the attacker to gain root privilege, and allow the installation of a shell backdoor and RCS Android.
Source: Hacking Team’s RCS Android: The most sophisticated Android malware ever exposed
Young said the routers largely lacked any form of authentication happening on the server, instead the routers were doing password authentication on the browser. Compromising password hashes weren’t much a barrier for the contestants, and for hackers in the wild as well.
Source: DEF CON SOHOpelessly Broken Router Hacking Contest | Threatpost | The first stop for security news
Young said he would download the firmware from the respective vendor, extract it using tools such as Firmware Mod Kit to explore its design and eventually learn which files house administrative passwords and how the web server logic works with the router. Some models such as Netgear, TrendNet and others will return the password when submitted with the proper request.
This is why admin access to a SOHO router should only be accessible from the LAN side and not the WAN side. Making admin changes should happen rarely. One of the biggest things a malicious actor can do is point DNS requests to their malicious server allowing them to divert all LAN traffic to wherever they want. Devices typically get a DNS address when they obtain an IP address from the router via DHCP.
Kicking the SOHO router seems to be a hot topic today. From: The Moose is loose: Linux-based worm turns routers into social network bots | Ars Technica
The malware, dubbed “Linux/Moose” by Olivier Bilodeau and Thomas Dupuy of the security firm ESET Canada Research, exploits routers open to connections from the Internet via Telnet by performing brute-force login attempts using default or common administrative credentials. Once connected, the worm installs itself on the targeted device.
We have published a technical report, Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice, which has specifics on these attacks, details on how we broke the most common 512-bit Diffie-Hellman group, and measurements of who is affected. We have also published several proof of concept demos and a Guide to Deploying Diffie-Hellman for TLS.
Source: Logjam: How Diffie-Hellman Fails in Practice
What should I do?
If you run a server…
If you have a web or mail server, you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. We have published a Guide to Deploying Diffie-Hellman for TLS with step-by-step instructions. If you use SSH, you should upgrade both your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman Key Exchange.
Basically, by generating a specially crafted SSL certificate, attackers can regenerate a bug and cause apps that perform SSL communication to crash at will. With our finding, we rushed to create a script that exploits the bug over a network interface. As SSL is a security best practice and is utilized in almost all apps in the Apple app store, the attack surface is very wide.
via “No iOS Zone” – A New Vulnerability Allows DoS Attacks on iOS Devices ».
This exploit only crashes a device making it unusable. There is no mention of making end to end encrypted communications vulnerable. By moving outside the range of the access point the IOS device automatically connected to should break the connection bringing the phone back to normal.
Devices with wifi left on will try and connect themselves to any open access point. While this shouldn’t be a problem attacks like this can happen. I would classify this attack more of an irritant than anything serious.
Code always has flaws, and those flaws are easy for bad guys to find. But if your computer has deliberately been designed with a blind spot, the bad guys will use it to evade detection by you and your antivirus software. That’s why a 3-D printer with anti-gun-printing code isn’t a 3-D printer that won’t print guns—the bad guys will quickly find a way around that. It’s a 3-D printer that is vulnerable to hacking by malware creeps who can use your printer’s “security” against you: from bricking your printer to screwing up your prints to introducing subtle structural flaws to simply hijacking the operating system and using it to stage attacks on your whole network.
via How Laws Restricting Tech Actually Expose Us to Greater Harm | WIRED.
This amounts to a criminal sanction for telling people about vulnerabilities in their own computers. And because today your computer lives in your pocket and has a camera and a microphone and knows all the places you go; and because tomorrow that speeding car/computer probably won’t even sport a handbrake, let alone a steering wheel—the need to know about any mode that could be exploited by malicious hackers will only get more urgent. There can be no “lawful interception” capacity for a self-driving car, allowing police to order it to pull over, that wouldn’t also let a carjacker compromise your car and drive it to a convenient place to rob, rape, and/or kill you.