Osram ‘Smart Light’ Bugs Could Allow Corporate Wi-Fi Access

Security researchers have revealed several major vulnerabilities in Osram Lightify smart lighting systems which could allow remote hackers to launch browser-based attacks and even access corporate networks.

Osram, which sells both Home and Pro products, claims it agreed to testing of its Lightify products by Rapid7.

One of the most serious of the nine vulnerabilities discovered by Rapid7 research lead, Deral Heiland, is a cross-site scripting flaw in the web management interface of the Pro product which could allow an attacker to launch browser-based attacks.

“This vulnerability allows a malicious actor to inject persistent JavaScript and HTML code into various fields within the Pro web management interface. When this data is viewed within the web console, the injected code will execute within the context of the authenticated user,” explained the firm in a blog post.

“As a result, a malicious actor can inject code which could modify the system configuration, exfiltrate or alter stored data, or take control of the product in order to launch browser-based attacks against the authenticated user’s workstation.”

Another potentially dangerous vulnerability is CVE-2016-5056, which could allow remote attackers to access corporate wireless networks and from there go on to attack high value resources.

The problem lies in the system’s use of weak default WPA2 pre-shared keys (PSKs): each default PSK is only eight characters long and is drawn only from the characters “0123456789abcdef.”

Rapid7 was able to crack the code in less than six hours, and in one case under three hours, gaining access to the cleartext WPA2 PSK.
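To make the scale of that default concrete, here is an added worked example (not Rapid7’s or Osram’s code) that computes the keyspace and entropy of the default PSK policy, derives the guess rate that would exhaust it in the six hours reported above, and compares that against two assumed stronger policies; the 12-character and 63-character policies and the sample PSK values are constructed for comparison only.

```python
import math
import re
import string
from dataclasses import dataclass

# Constructed comparison of WPA2 PSK policies. OSRAM_DEFAULT is the default
# described in the article (8 characters from "0123456789abcdef"); the other
# two policies are assumed alternatives, not anything Osram ships.
WPA2_PRINTABLE = "".join(chr(c) for c in range(32, 127))  # ASCII 32..126, valid in a WPA2 passphrase
SECONDS_PER_YEAR = 365.25 * 24 * 3600


@dataclass(frozen=True)
class PskPolicy:
    name: str
    length: int
    alphabet: str

    def keyspace(self) -> int:
        """Number of distinct keys the policy can produce."""
        return len(self.alphabet) ** self.length

    def entropy_bits(self) -> float:
        """Bits of entropy when keys are chosen uniformly from the alphabet."""
        return self.length * math.log2(len(self.alphabet))


OSRAM_DEFAULT = PskPolicy("Osram Lightify default", 8, "0123456789abcdef")
ALNUM_12 = PskPolicy("12 mixed-case alphanumeric (assumed)", 12, string.ascii_letters + string.digits)
MAX_PSK = PskPolicy("63 printable ASCII (assumed)", 63, WPA2_PRINTABLE)

_DEFAULT_SHAPE = re.compile(r"[0-9a-f]{8}")


def matches_weak_default(psk: str) -> bool:
    """True if a PSK has the shape of the weak default: exactly 8 lowercase hex digits."""
    return _DEFAULT_SHAPE.fullmatch(psk) is not None


def guess_rate_to_exhaust(policy: PskPolicy, seconds: float) -> float:
    """Guesses per second needed to try every key of `policy` within `seconds`."""
    return policy.keyspace() / seconds


def expected_seconds(policy: PskPolicy, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random key: half the keyspace on average."""
    return policy.keyspace() / 2 / guesses_per_second


if __name__ == "__main__":
    # Reference rate: enough to exhaust the default keyspace in the six hours the
    # article reports. It is an upper bound on the rate Rapid7 needed, since the
    # key may have been found before the whole space was searched.
    rate = guess_rate_to_exhaust(OSRAM_DEFAULT, 6 * 3600)
    print(f"reference rate: {rate:,.0f} guesses/s")
    for policy in (OSRAM_DEFAULT, ALNUM_12, MAX_PSK):
        years = expected_seconds(policy, rate) / SECONDS_PER_YEAR
        print(f"{policy.name:40s} {policy.entropy_bits():6.1f} bits  ~{years:.3g} years at reference rate")
    for candidate in ("00c0ffee", "correct horse battery staple"):  # constructed sample PSKs
        verdict = "has the weak default shape" if matches_weak_default(candidate) else "does not match the default shape"
        print(f"{candidate!r}: {verdict}")
```

At the reference rate the default policy's expected crack time is three hours, which matches the "in one case under three hours" result above; the same rate against the 12-character policy gives an expected time in the hundreds of millions of years.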

Heiland claimed the bugs he found show “we need to build better policy around managing the risk and develop processes on how to deploy these technologies in a manner that does not add any unnecessary risk.”

Osram explained in a statement sent to Infosecurity that the majority of bugs would be patched in the next version update, planned for August.

It added:

“Rapid7 security researchers also highlighted certain vulnerabilities within the ZigBee protocol, which are unfortunately not in Osram’s area of influence. Osram is in ongoing coordination with the ZigBee Alliance in relation to known and newly discovered vulnerabilities.”

Thomas Fischer, global security advocate at Digital Guardian, argued that IoT devices are often produced with “simplified hardware” which keeps costs down but also means they “lack basic principles of integrity and failover.”

“Companies that attempt to add protection retrospectively will face a task of enormous magnitude, and there’s a much higher chance mistakes will be made and vulnerabilities missed,” he added.

“It is critical that organizations developing IoT technologies – and even those selling them – ensure these products have been developed, built and sold with security in mind.”


Source: Info Security Magazine

Carding and PayPal Accounts Are Most Common Products on Dark Web Marketplaces

A six-month investigation of 17 popular Dark Web and Deep Web hacking and cyber-crime marketplaces has revealed which of the illegal products exchanged on these portals today are the most popular.

The study, carried out by Ericsson Marin, Ahmad Diab, and Paulo Shakarian from Arizona State University, involved scraping these 17 websites at different times, in order to create a portfolio of the products sold on them.

Scraped sites included Dark Web marketplaces accessible only via a Dark Web connection, but also Deep Web marketplaces, the ones available on the public Internet, but where search engines are blocked from entering, usually via password-protected accounts.

Carding products are the most popular items

Once the researchers managed to get access and scrape these websites, they gathered all the data and used both manual and automated procedures to classify the details in different categories, per marketplace, and per author.

The result of their work is the image at the end of this article, which shows the most popular products sold on these types of cyber-crime portals.

The final top 10 is made up of carding products, PayPal-related items, cashing credit cards, PGP tools, Netflix-related items, general hacking tools, data dumps, Linux-related products, email hacking tools, and network security tools.

Of course, other categories such as bulletproof VPNs, RATs, botnets, phishing kits, exploit kits, and keyloggers are also included.

Researchers found over 8,000 illegal product offerings

Researchers also say that they’ve observed a high degree of reposting between these marketplaces, even if many have specific policies that prohibit such behavior from their vendors.

Further, the study reveals that most marketplaces are usually specialized on a few product categories, which buyers can find in abundance on their site, with very few all-in-one portals to choose from.

In total, the researchers say they found over 8,000 different illegal products exchanged on these 17 websites.

By Catalin Cimpanu

Source: Softpedia

Android App Stole User Photos for Over a Year

A malicious Android application that was posing as a development tool was stealing users’ media files for over a year, researchers at Symantec warn.

The offending software was being distributed via Google Play, the official app storefront for Android, where it was posing as a development tool called “HTML Source Code Viewer,” published by Sunuba Gaming. The application had between 1,000 and 5,000 downloads when researchers discovered its nefarious activities.

Instead of offering development capabilities to unsuspecting users, the program was grabbing photos and videos from the compromised devices and was sending them to a remote server, Symantec researchers discovered.

To ensure that it could perform its malicious activities unhindered, the program requested a series of permissions that should have tipped users off on its hidden agenda. These include the ability to open network connections, access to information about networks, the permission to read from external storage, and the permission to write to external storage.

This is the second media-stealing app found in Google Play over the course of a month, after a piece of software called Beaver Gang Counter was found in late June to be engaging in similar behavior. That application, however, was targeting photos and videos from the popular social media app Viber.

The newly discovered malicious program, on the other hand, targets all of the user’s personal photos and videos by searching for files stored in the “/DCIM/Camera” and “/DCIM/100LGDSC/” folders, which are the standard locations for this type of content. All of these files were then uploaded to a web server hosted on proqnoz.info, researchers say.

What’s more worrying than the fact that the server contains a great deal of personal photos and videos stolen from victims is that some of these files are dated as far back as March, 2015. “This personal media could be used for blackmailing, ransomware attacks, identity theft, pornography, and other forms of victimization,” Symantec’s Shaun Aimoto explains.

The security researchers also discovered that the attacker’s server is hosted in Azerbaijan and that the malicious application targets Gingerbread and newer versions of Android. Google was informed of the nefarious activities the HTML Source Code Viewer application was engaged in and has removed it from Google Play.

By SecurityWeek News

Source: http://www.securityweek.com/android-app-stole-user-photos-over-year

Rival Cyber-Gang Leaks Private Keys of Chimera Ransomware

Creators of the rival Petya and Mischa ransomware programmes have leaked the private keys of Chimera ransomware.

According to Mischa developers, they gained access to large parts of the system used by Chimera’s creators earlier this year and as a result obtained Chimera’s source code and integrated some of it into their own project.

A person going by the handle of JanusSecretary, known as the author of Petya, tweeted Chimera keys in a bid to stifle ransomware competition.

Malwarebytes spotted the leak and reported that Mischa shares some components with Chimera. There is no confirmation that the newly leaked RSA keys actually work to decrypt files affected by Chimera.

“Checking if the keys are authentic and writing a decryptor will take some time – but if you are a victim of Chimera, please don’t delete your encrypted files, because there is a hope that soon you can get your data back,” Malwarebytes researchers said.

By Dannielle Correa

Source: http://www.scmagazine.com/rival-cyber-gang-leaks-private-keys-of-chimera-ransomware/

Petya, Mischa Ransomware Now Available as a Service

Ransomware-as-a-Service (RaaS) has become a very popular business model over the past several months, and the actor(s) behind Petya and Mischa ransomware families have adopted the service model.

After testing the RaaS model with a limited number of high-volume distributors, the Petya and Mischa operators have decided to make the service publicly available. Following this move, any criminal wannabe can become an official distributor for the ransomware, which is expected to result in a spike in infection campaigns featuring these two malware variants.

In March, Petya caught researchers’ attention because it wasn’t encrypting user files, as other ransomware families do, but was instead encrypting the entire hard drive by taking over the boot sequence. Following deeper analysis, researchers discovered that the malware was performing a two-step encryption and that it was encrypting the hard disk after forcing a reboot.

Given that this step (the reboot) could have been easily prevented, the ransomware’s authors decided to up the ante and added a second payload into the mix, Mischa. Unlike Petya, but very much like other similar malware, this threat encrypts users’ files one by one. It starts its routine only after the reboot, thus acting as a failsafe should Petya’s encryption fail. The duo has already inspired copycats in the form of Satana ransomware, which performs both encryption routines.

Despite this upgrade, Petya still used weak encryption, but its operators managed to fix that a couple of weeks ago, which might also explain the timing of the RaaS becoming publicly available.

Petya/Mischa operators ask potential affiliates to send in a small amount of Bitcoins to register, to “discourage time-wasters and kiddies,” Bleeping Computer notes. The operators say they would reimburse their affiliates in the first revenue share payment and promise substantial profits, based on the payment volume the affiliates can generate.

On the Petya RaaS welcome screen, the actor explains that the revenue percentage affiliates get starts at 25% for payment volumes lower than 5 Bitcoin per week, but that it can go to as much as 85% for payment volumes of at least 125 Bitcoin. This revenue model will certainly look highly appealing to many, and the distribution of Petya and Mischa is expected to ramp up soon.

To further ensure the success of their RaaS, the author of Petya has published the private keys of the Chimera ransomware online. The developer admitted to using parts of the Chimera source code in Mischa, and also noted on Pastebin that he released the keys so that anti-virus companies can create decryptors for the older threat.

According to Malwarebytes Labs researchers, checking if the keys are authentic and writing a decryptor will be a time consuming operation. However, users who have had their files encrypted by Chimera now have a hope that they could get their data back without paying the ransom.

By SecurityWeek News

Source: http://www.securityweek.com/petya-mischa-ransomware-now-available-service

Russian Site Deer.io is ‘One-Stop Shop’ for Cyber Crime

Cyber situational awareness company Digital Shadows has unearthed an “all-in-one” outsourced online shop for cyber-criminals looking for low-cost entry methods to sell their ill-gotten assets.

The firm estimates the total number of shops hosted on Russian-language site Deer.io to be close to 1000, the majority of which sell stolen products or goods obtained from compromised accounts. This is despite administrators insisting they warn their hosted shops not to sell illegal goods and deny all responsibility for any illegal items advertised.

However, the site has been seen advertised on well-known criminal forums such as Xeksek, AntiChat, Zloy and Exploit, raising suspicions that its organizers may be willing to turn a blind eye to some activity and listings.

“This is the continuation of a trend that we’ve been seeing for some time where the barriers to entry for cyber-criminals continue to be lowered,” James Chappell, founder and CTO of Digital Shadows, told Infosecurity. “In particular, this development improves the ability for criminals to sell much more readily.”

Deer.io offers services such as technical hosting (including anonymity and security), payment handling, website design and distributed denial of service protection. These are things that hackers with little or no technical expertise often struggle to orchestrate themselves, so by providing them Deer.io is likely to be very attractive to users with low technical capabilities, says Digital Shadows.

Chappell explained that this is the first time they have come across this type of ‘all-in-one’ outsourced online shop which provides hosting, design and a payment solution.

“It’s fair to say that the fact that all of these support services are wrapped into a one-stop shop marks a change and is a step up in terms of maturity in the marketplace. It’s also interesting to note that this exists on the surface web, which is a reminder that the dark web does not monopolize criminality.”

Deer.io also clearly seems to be a successful, profitable setup, claiming to have helped to generate more than 240 million rubles (RUB) (around $3.8 million USD) for its customers since at least October 2013. It charges a monthly fee of 500 RUB (approximately $8) to provide customer service and product development, and was observed giving prompt responses to queries. The breadth of offerings and responsiveness almost certainly contribute to the apparent popularity of the service.

Furthermore, the automatic payment system provided – available for Webmoney, Yandex Money and QIWI – enables transactions to occur 24/7 without requiring constant vendor attention.

“The ‘hands off’ nature of the way shops are run simply means criminal transactions can continue uninterrupted. The site seems to have focused on a high level of customer service,” Chappell added.


Source: http://www.infosecurity-magazine.com/news/russian-site-deerio-onestop-shop/

Anonymous Breaches Turkish Natural Gas Company

A new blow has been struck in the ongoing fight between the Turkish state and hacktivist groups. Anonymous, the nebulous hacking collective, has posted what it claims to be internal data from a Turkish gas and energy company, Izmir Gaz.

The data, stolen from www.izmirgaz.com.tr, was posted on 20 July and includes an array of information including the passwords for nearly 500 users, subscriber details, budgetary information and a host of other entries.

A statement given by Anonymous under the heading OpTurkey reads: “Recent events show the suppression of education and the media in Turkey, these practices are undemocratic and give us the idea the citizens in Turkey are being indoctrinated. Yes, Erdogan was democratically elected but democratic values go beyond the electoral system. Opposition should always have a voice and the free flow of information should be encouraged.”

This attack seems to be targeted, albeit in an unclear direction, toward the Turkish premier Recep Tayyip Erdogan, a markedly divisive character in Turkey as well as the wider world.

In a blog post, someone purporting to have had a hand in the publication stated two reasons for the hack. First was that the company owners have “good relations” with Erdogan. The second is that Izmir, where the company is based, is where Prime Minister Binali Yildirim was elected.

The post added, “We didn’t publish any data about citizens. We are sorry we didn’t remove their payments/bills because we had to work fast.”

On Tuesday, Wikileaks released a tranche of documents promising to damn the Turkish premier. The nearly 300,000 emails come from the AKP, Turkey’s ruling party, and, large as the disclosure is, it is not yet clear what the significance of the leak will be.

Anonymous’ statement expresses clear support for Wikileaks: “We ask of the people in Turkey to take interest in the material Wikileaks is about to release and to not dismiss it because a leader tells them to dismiss it.” The statement further adds that Anonymous will be attempting to translate the 300,000 emails and 500,000 documents.


Source: http://www.scmagazineuk.com/anonymous-breaches-turkish-natural-gas-company/

LastPass Password Manager “Zero-Day” Bug Hits the News

A dangerous, previously unknown security vulnerability has been discovered in LastPass which permits attackers to remotely compromise user accounts.

LastPass is a password vault which pulls user passwords from a secure area and auto-fills credentials for you. The system uses AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes to protect the valuable data stored within, but according to Google Project Zero hacker Tavis Ormandy, the software contains a “bunch of critical problems” which could put user accounts at risk.

On Tuesday, the white hat researcher revealed on Twitter that he was exploring LastPass security, claiming that it only took a “quick look” to find “obvious” security problems.

According to The Register, millions of users may be at risk until the problem is patched — and it only takes a visit to a malicious website to become a victim. If an attacker is able to compromise a LastPass account, this gives them access to a treasure trove of credentials for other online services.

Ormandy has sent a report detailing the zero-day and any other critical security issues the researcher found. However, no technical details have been released or are likely to be until LastPass has replicated Ormandy’s findings and patched any problems.

The researcher, who has found critical problems and security failures in software including Symantec products and Avast solutions, is setting his sights on 1Password next.

LastPass said in a blog post:

“An attacker would need to successfully lure a LastPass user to a malicious website. Once there, Ormandy demonstrated that the website could then execute LastPass actions in the background without the user’s knowledge, such as deleting items. As noted below, this issue has been fully addressed and an update with a fix was pushed for all Firefox users using LastPass 4.0.”


Source: http://www.zdnet.com/article/lastpass-zero-day-vulnerability-remotely-compromises-user-accounts/

Possible breach at GunMag Warehouse

A third-party provider is being blamed for a possible breach into customer transactions at GunMag Warehouse, according to The Firearms Blog.

The breach seemed to affect Reddit users who ordered rifle magazines (the ammunition-storing component, not the print product) from the distributor of print magazines for “the shooting community.”

Some customers reported unauthorized transactions on their credit card statements, ranging from 28 cents to thousands of dollars, after making online purchases of a six-pack of Hexmag AR-15 rifle magazines that had been discussed on Reddit.

Michael Lambka, president of GunMag Warehouse, apologized for the security incursion and said his company hired cybersecurity experts at Securi who isolated and patched a flaw in a third-party module update on the e-commerce platform.

Credit card information is not stored on GunMag Warehouse’s servers, he added. Additional security measures have been put in place “to ensure our site has redundant security points,” he said.


Source: http://www.scmagazine.com/possible-breach-at-gunmag-warehouse/article/511780/

Flaws in Wireless Keyboards Let Hackers Snoop on Everything You Type

With an antenna and wireless dongle worth a few bucks, and a few lines of Python code, a hacker can passively and covertly record everything you type on your wireless keyboard from hundreds of feet away. Usernames, passwords, credit card data, your manuscript or company’s balance sheet — whatever you’re working on at the time.

It’s an attack that can’t be easily prevented, and one that almost nobody thought of — except the security researchers who found it.

Security firm Bastille calls it “KeySniffer,” a set of vulnerabilities in common, low-cost wireless keyboards that can allow a hacker to eavesdrop from a distance.

Here’s how it works: a number of wireless keyboards use proprietary and largely unsecured and untested radio protocols to connect to a computer — unlike Bluetooth, a known wireless standard that’s been tried and tested over the years. These keyboards are always transmitting, making it easy to find and listen in from afar with the right equipment. But because these keystrokes aren’t encrypted, a hacker can read anything on a person’s display, and directly type on a victim’s computer.

The attack is so easy to carry out that almost anyone can do it — from petty thieves to state actors. Marc Newlin, a researcher at the company who was credited with finding the flaw, said it was “pretty alarming” to discover.

“A hacker can ‘sniff’ all of the keystrokes, as well as inject their own keystrokes on the computer,” he explained on the phone this week. The researchers found that eight out of 12 keyboards from well-known vendors — including HP, Kensington, and Toshiba — are at risk of eavesdropping, but the list is far from exhaustive.

The scope of the problem is so large that the researchers fully expect that “millions” of devices are vulnerable to this new attack. Worst of all? There’s no fix.

“I think a lot of consumers reasonably expect that the wireless keyboard they’re using won’t put them at risk, but consumers might not have a high awareness of this risk,” he said.

Ivan O’Sullivan, the company’s chief research officer, admitted that the ease of this attack had him unsettled. “As a consumer, I expect that the keyboard that I buy won’t transmit my keystrokes in plain-text.”

“We were shocked. And consumers should be, too,” he said.

This isn’t the first time wireless devices have put their users at risk. Bastille was the company behind the now-infamous MouseJack flaw, which let hackers compromise a person’s computer through their wireless mouse. Even as far back as 2010, it was known that some keyboards with weak encryption could be easily hacked.

Over half a decade later, Newlin said he was hopeful that his research will make more people aware, but he doesn’t think this problem “will be resolved.”

“Most of the vendors have not responded to our disclosure information,” he said. “Many of the vendors haven’t responded past an acknowledgement, or they haven’t responded at all to our inquiries.”

Though not all wireless keyboards are created equal and many are not vulnerable to the eavesdropping vulnerability, there is an easy fix to a simple problem.

“Get a wired keyboard,” the researchers said.


Source: http://www.zdnet.com/article/millions-of-wireless-keyboards-at-risk-of-spying-by-hackers-in-new-attack/