Slashdot Mirror

secwatcher shares a report from Threatpost: A popular smartwatch that allows parents to track their children's whereabouts, TicTocTrack, has been discovered to be riddled with security issues that could allow hackers to track and call children. Researchers at Pen Test Partners revealed vulnerabilities in the watch (sold in Australia) on Monday, which could enable hackers to track children's location, spoof the child's location or view personal data on the victims' accounts. The parent company of the TicTocTrack watch, iStaySafe Pty Ltd., has temporarily restricted access to the watch's service and app while it investigates further. Researchers found that the service's back end does not make any authorization attempt on any request -- besides the user having a valid username and password combination. That means that an attacker who is logged into the service could remotely compromise the app and track other accounts that are based in Australia.

The smartwatch, available in Australia for $149 (USD), is designed for children and uses GPS to track the movement of the wearer every six minutes, and offers voice calling and SMS features. The smartwatch's API can be attacked by changing the FamilyIdentifier number (which identifies the family that the user belongs to), which then could give a bad actor complete access to the user's data -- including the children's location, parent's full names, phone numbers and other personal identifiable information. Researchers with Pen Test Partners collaborated with security researcher Troy Hunt to test the attack. Hunt uploaded a video showing how the smartwatch vulnerability could be exploited to call his daughter -- and how her smartwatch would answer automatically without any interaction needed from her end.

The surveillance tool dubbed "Exodus" has been ported to the Apple iOS ecosystem. According to Threatpost, the spyware "can exfiltrate contacts, take audio recordings and photos, track location data and more on mobile devices." From the report: Earlier this month, word came that Google had booted a raft of Exodus-laden apps. According to Lookout Security, it turns out that iOS versions had become available outside the App Store, through phishing sites that imitate Italian and Turkmenistani mobile carriers. These are notable in that they abused the Apple Developer Enterprise program. According to Lookout and other research from Security Without Borders, the spyware appears to have been under development for at least five years. It's a three-stage affair, starting with a lightweight dropper that then fetches a large second-stage payload that contains multiple binaries with most of the spy goods housed within them. Finally, a third stage typically uses the Dirty COW exploit (CVE20165195) to obtain root privileges on a targeted device. In delving into the technical details, Lookout saw evidence of a fairly sophisticated operation, suggesting that it may have been initially marketed as a legitimate package for the government or law-enforcement sectors.

In order to spread the iOS app outside of the official App Store, the cybercriminals abused Apple's enterprise provisioning system, which allowed them to sign the apps using legitimate Apple certificates. Lookout's analysis found that the iOS variant is a bit cruder than its Android counterpart, and it lacks the ability to exploit device vulnerabilities. However, the apps were still able to use documented APIs to exfiltrate contacts, photos, videos and user-recorded audio recordings, device information and location data; and, it offered a way to perform remote audio recording, though this required push notifications and user interaction. The good news is that Apple has revoked the affected certificates for this particular crop of apps.

"Threatpost has a link to some recent research about ways web pages can exploit browser extensions to steal information or write files," writes Slashdot reader jbmartin6. "Did we need another reason to be deeply suspicious of any browser extension? Not only do they spy on us for their makers, now other people can use them to spy on us as well. The academic paper is titled 'Empowering Web Applications with Browser Extensions' (PDF)." From the report: "An attacker [uses] a script that is present in a web application currently running in the user browser. The script either belongs to the web application or to a third party. The goal of the attacker is to interact with installed extensions, in order to access user sensitive information. It relies on extensions whose privileged capabilities can be exploited via an exchange of messages with scripts in the web application," researchers wrote. They added, "Even though content scripts, background pages and web applications run in separate execution contexts, they can establish communication channels to exchange messages with one another... APIs [are used] for sending and receiving (listening for) messages between the content scripts, background pages and web applications."

The researcher behind the paper focused on a specific class of web extension called "WebExtensions API," a cross-browser extensions system compatible with major browsers including Chrome, Firefox, Opera and Microsoft Edge. After analyzing 78,315 extensions that used the specific WebExtension API, it found 3,996 that were suspicious. While it seems voluminous, they noted that research found a small number of vulnerable extensions overall, and that concern should be measured. However, "browser vendors need to review extensions more rigorously, in particular take into consideration the use of message passing interfaces in extensions."

"Threatpost has a link to some recent research about ways web pages can exploit browser extensions to steal information or write files," writes Slashdot reader jbmartin6. "Did we need another reason to be deeply suspicious of any browser extension? Not only do they spy on us for their makers, now other people can use them to spy on us as well. The academic paper is titled 'Empowering Web Applications with Browser Extensions' (PDF)." From the report: "An attacker [uses] a script that is present in a web application currently running in the user browser. The script either belongs to the web application or to a third party. The goal of the attacker is to interact with installed extensions, in order to access user sensitive information. It relies on extensions whose privileged capabilities can be exploited via an exchange of messages with scripts in the web application," researchers wrote. They added, "Even though content scripts, background pages and web applications run in separate execution contexts, they can establish communication channels to exchange messages with one another... APIs [are used] for sending and receiving (listening for) messages between the content scripts, background pages and web applications."

The researcher behind the paper focused on a specific class of web extension called "WebExtensions API," a cross-browser extensions system compatible with major browsers including Chrome, Firefox, Opera and Microsoft Edge. After analyzing 78,315 extensions that used the specific WebExtension API, it found 3,996 that were suspicious. While it seems voluminous, they noted that research found a small number of vulnerable extensions overall, and that concern should be measured. However, "browser vendors need to review extensions more rigorously, in particular take into consideration the use of message passing interfaces in extensions."

secwatcher quotes a report from Threatpost: Researchers hacked the Docker test platform called Play-with-Docker, allowing them to access data and manipulate any test Docker containers running on the host system. The proof-of-concept hack does not impact production Docker instances, according to CyberArk researchers that developed the proof-of-concept attack. "The team was able to escape the container and run code remotely right on the host, which has obvious security implications," wrote researchers in a technical write-up posted Monday.

Play-with-Docker is an open source free in-browser online playground designed to help developers learn how to use containers. While Play-with-Docker has the support of Docker, it was not created by nor is it maintained by the firm. The environment approximates having the Alpine Linux Virtual Machine in browser, allowing users to build and run Docker containers in various configurations. The vulnerability was reported to the developers of the platform on November 6. On January 7, the bug was patched. As for how many instances of Play-with-Docker may have been affected, "CyberArk estimated there were as many as 200 instances of containers running on the platform it analyzed," reports Threatpost. "It also estimates the domain receives 100,000 monthly site visitors."

Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks. From a report: The discussion of Sednit was part of the 35C3 conference, and a session given by Frederic Vachon, a malware researcher at ESET who published a technical write-up on his findings earlier this fall [PDF]. During his session, Vachon said that finding a rootkit targeting a system's UEFI is significant, given that rootkit malware programs can survive on the motherboard's flash memory, giving it both persistence and stealth.

"UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level," he said. The rootkit is named LoJax. The name is a nod to the underlying code, which is a modified version of Absolute Software's LoJack recovery software for laptops. The purpose of the legitimate LoJack software is to help victims of a stolen laptop be able to access their PC without tipping off the bad guys who stole it. It hides on a system's UEFI and stealthily beacons its whereabouts back to the owner for possible physical recovery of the laptop.

Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks. From a report: The discussion of Sednit was part of the 35C3 conference, and a session given by Frederic Vachon, a malware researcher at ESET who published a technical write-up on his findings earlier this fall [PDF]. During his session, Vachon said that finding a rootkit targeting a system's UEFI is significant, given that rootkit malware programs can survive on the motherboard's flash memory, giving it both persistence and stealth.

"UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level," he said. The rootkit is named LoJax. The name is a nod to the underlying code, which is a modified version of Absolute Software's LoJack recovery software for laptops. The purpose of the legitimate LoJack software is to help victims of a stolen laptop be able to access their PC without tipping off the bad guys who stole it. It hides on a system's UEFI and stealthily beacons its whereabouts back to the owner for possible physical recovery of the laptop.

Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks. From a report: The discussion of Sednit was part of the 35C3 conference, and a session given by Frederic Vachon, a malware researcher at ESET who published a technical write-up on his findings earlier this fall [PDF]. During his session, Vachon said that finding a rootkit targeting a system's UEFI is significant, given that rootkit malware programs can survive on the motherboard's flash memory, giving it both persistence and stealth.

"UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level," he said. The rootkit is named LoJax. The name is a nod to the underlying code, which is a modified version of Absolute Software's LoJack recovery software for laptops. The purpose of the legitimate LoJack software is to help victims of a stolen laptop be able to access their PC without tipping off the bad guys who stole it. It hides on a system's UEFI and stealthily beacons its whereabouts back to the owner for possible physical recovery of the laptop.

Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks. From a report: The discussion of Sednit was part of the 35C3 conference, and a session given by Frederic Vachon, a malware researcher at ESET who published a technical write-up on his findings earlier this fall [PDF]. During his session, Vachon said that finding a rootkit targeting a system's UEFI is significant, given that rootkit malware programs can survive on the motherboard's flash memory, giving it both persistence and stealth.

"UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level," he said. The rootkit is named LoJax. The name is a nod to the underlying code, which is a modified version of Absolute Software's LoJack recovery software for laptops. The purpose of the legitimate LoJack software is to help victims of a stolen laptop be able to access their PC without tipping off the bad guys who stole it. It hides on a system's UEFI and stealthily beacons its whereabouts back to the owner for possible physical recovery of the laptop.

Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks. From a report: The discussion of Sednit was part of the 35C3 conference, and a session given by Frederic Vachon, a malware researcher at ESET who published a technical write-up on his findings earlier this fall [PDF]. During his session, Vachon said that finding a rootkit targeting a system's UEFI is significant, given that rootkit malware programs can survive on the motherboard's flash memory, giving it both persistence and stealth.

"UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level," he said. The rootkit is named LoJax. The name is a nod to the underlying code, which is a modified version of Absolute Software's LoJack recovery software for laptops. The purpose of the legitimate LoJack software is to help victims of a stolen laptop be able to access their PC without tipping off the bad guys who stole it. It hides on a system's UEFI and stealthily beacons its whereabouts back to the owner for possible physical recovery of the laptop.

secwatcher shares a report from Threatpost: Two apps that were posing as fitness-tracking tools were actually using Apple's Touch ID feature to loot money from unassuming iOS victims. The two impacted apps were the "Fitness Balance App" and "Calories Tracker App." Both apps looked normal, and served functions like calculating BMI, tracking daily calorie intake or reminding users to drink water; and both received good reviews on the iOS store. However, according to Reddit users and researchers with ESET, the apps steal money -- almost $120 from each victim -- thanks to a sneaky popup trick involving the Apple Touch ID feature.

According to heated victims who took to Reddit to air their complaints, after a user launches one of the apps, it requests a fingerprint scan prompting users to "view their personalized calorie tracker and diet recommendations." After the users use Touch ID, the app then shows a pop-up confirming a payment of $119.99. The pop-up is only visible for a second, according to users. "However, if the user has a credit or debit card directly connected to their Apple account, the transaction is considered verified and money is wired to the operator behind these scams," said Lukas Stefanko, malware analyst with ESET security, in a Monday post on the scam.

Earlier this week software developer Tim Cotten discovered a serious glitch in Gmail. An anonymous reader quotes BleepingComputer: Tampering with the 'From:' header by replacing some text with an <object>, <script> or <img> tag causes the interface to show a blank space instead of the sender's address.... Opening the email does not help, either, as the sender's address continues to remain hidden and shows no info even when hovering on it, an action that typically reveals the details.... Trying to reply to the message is also of no help. Cotten attempted this thinking that Gmail would read the original email headers and determine the destination. "Wrong again! Gmail is at a complete loss at what to do!" Cotten writes in a blog post that details his new finding....

Using the Show Original option, which allows users with more experience to trace an email, the desired detail is still unavailable in the user-friendly view. Looking at the raw info, however, shows the source address buried at the end of the <img> tag Cotten used in his experiment. He didn't even have to spell correctly the data type to trigger the bug. Unfortunately, it is highly unlikely that the average Gmail user will be able to navigate to this area and determine who the apparently anonymous message is coming from. Due to this, for these users the risk of phishing is high.
Cotten's bug report "relies on his previous discovery that proved how a malformed 'From:' header allows placing an arbitrary email address in the sender field," the article points out, also noting a third recently-reported Gmail bug that "allows fraudsters to create a 'mailto:' link that populates the destination field in the app with whatever address they want; the latter was reported about 19 months ago to Google and is still present in the Gmail app for Android."

"According to the developer, one solution Google could implement to avoid forging the From field is to properly check the email headers and deny communication with an anomalous structure in the sender or recipient fields. Another method proposed by Cotten is Joran Greef's project Ronomon, which can trigger errors when email specifications are not followed."

Threatpost reported Tuesday that Google "did not respond to a request for comment."

According to industry-watchers, Ford is looking to profit off the data it can collect from its 100 million customers. In addition to the data collected from its infotainment systems and mobile apps, "Ford's CEO recently suggested that the data collected by the company's financial services arm also represents a valuable, low-overhead asset," reports Threatpost. From the report: "We have 100 million people in vehicles today that are sitting in Ford blue-oval vehicles," said Ford CEO Jim Hackett during a Freakonomics Radio podcast. "The issue in the vehicle, see, is: We already know and have data on our customers. By the way, we protect this securely; they trust us. We know what people make. How do we know that? It's because they borrow money from us. And when you ask somebody what they make, we know where they work, you know. We know if they're married. We know how long they've lived in their house because these are all on the credit applications. We've never ever been challenged on how we use that. And that's the leverage we got here with the data."

The comments, which were amplified by several auto-industry sources and the Detroit Free Press, sparked alarm in the Twitterverse. Against the backdrop of privacy disasters at Facebook and other stalwarts of the internet economy, the fear for many is that Ford sees selling access to consumers based on their lifestyle as a way forward. Is Ford considering selling consumer data as a revenue stream? Hackett stopped short of saying that -- and indeed, the data could instead simply be useful to the company internally, as a way to increase the value (and profit) of its other businesses.

secwatcher shares a report from Threatpost: A design flaw affecting all in-display fingerprint sensors -- that left over a half-dozen cellphone models vulnerable to a trivial lock-screen bypass attack -- has been quietly patched. The flaw was tied to a bug in the popular in-display fingerprint reader technology used for user authentication. In-display fingerprint reader technology is widely considered an up-and-coming feature to be used in a number of flagship model phones introduced in 2019 by top OEM phone makers, according to Tencent's Xuanwu Lab which is credited for first identifying the flaw earlier this year. Impacted are all phones tested in the first half of 2018 that had in-display fingerprint sensors. That includes current models of Huawei Technologies' Porsche Design Mate RS and Mate 20 Pro model phones. Researchers said that many more cellphone manufacturers are impacted by the issue. The most popular phone in the U.S. that is impacted by this vulnerability is the OnePlus 6T. "[A]ll an attacker needs to carry out the attack is an opaque reflective material such as aluminum foil," reports Threatpost. "By placing the reflective material over a residual fingerprint on the phone's display the capacitance fingerprint imaging mechanism can be tricked into authenticating a fingerprint."

According to a study from Gemini Advisory, some 60 million U.S. cards were compromised in the past 12 months. "Of those, 93 percent were EMV chip-enabled," reports Threatpost. "Also, crucially, 75 percent, or 45.8 million, were records stolen from in-person transactions." From the report: These were likely compromised through card-skimming malware and point-of-sale (POS) breaches at establishments like retailers, hotels and restaurants, the likes of which continue to make headlines. Further results show that the U.S. leads the rest of the world in the total amount of compromised EMV payment cards by a massive 37.3 million records. In the past 12 months, about 15.9 million compromised non-U.S. payment cards were posted for sale on the underground, split between 11.3 million card-not-present (online transaction) records and 4.6 million card-present records, of which 4.3 million were EMV enabled. This means that the theft level of EMV-enabled card data in the U.S. is 868 percent higher than the rest of the world combined.

The reason for this state of affairs, according to Gemini, is the lack of U.S. merchant compliance -- too many of them still use the mag-stripe function at PoS terminals. Gemini also said that card-present data "is also collected via a more manual method by skimmer groups, who are utilizing custom made hardware known as 'shimmers' to record and exfiltrate data from ATMs and POS systems. The firm also found that while most large U.S. merchants have fully transitioned to EMV, gas pump terminals and small/medium size businesses are emerging as the main targets for cybercriminals going forward.

America's Multi-State Information Sharing & Analysis Center is operated in collaboration with its Department of Homeland Security's Office of Cybersecurity and Communications -- and they've got some bad news. MS-ISAC released an advisory warning government agencies, businesses, and home users of multiple high-risk security issues in PHP that can allow attackers to execute arbitrary code. Furthermore, if the PHP vulnerabilities are not successfully exploited, attackers could still induce a denial-of-service condition rendering the probed servers unusable... The PHP Group has issued fixes in the PHP 7.1.23 and 7.2.11 releases for all the high-risk bugs that could lead to DoS and arbitrary code execution in all vulnerable PHP 7.1 and 7.2 versions before these latest updates.
But meanwhile, Threatpost reported this week that 62% of the world's web sites are still running PHP version 5 -- even though its end of life is December 31st. "The deadlines will not be extended, and it is critical that PHP-based websites are upgraded to ensure that security support is provided," warned a recent CERT notice.

So far Drupal is the only CMS posting an official notice requiring upgrades to PHP 7 (by March, three months after the PHP 5.6's end of life deadline). Threatpost notes that "There has been no such notice from WordPress or Joomla."

secwatcher shares a report from Threatpost: A passcode bypass vulnerability in Apple's new iOS version 12 could allow an attacker to access photos and contacts (including phone numbers and emails) on a locked iPhone. The hack allows someone with physical access to a vulnerable iPhone to sidestep the passcode authorization screen on iPhones running Apple's latest iOS 12 beta and iOS 12 operating systems. Threatpost was tipped off to the bypass by Jose Rodriguez, who describes himself as an Apple enthusiast and "office clerk" based in Spain who has also found previous iPhone hacks.

Rodriguez posted a video of the bypass on his YouTube channel under the YouTube account Videosdebarraquito, where he walks viewers through a complicated 37-step bypass process in Spanish. Threatpost has independently confirmed that the bypass works on a number of different iPhone models including Apple's newest model iPhone XS. The process involves tricking Siri and Apple's accessibility feature in iOS called VoiceOver to sidestep the device's passcode. The attack works provided the attacker has physical access to a device that has Siri enabled and Face ID either turned off or physically covered (by tape, for instance).

secwatcher writes: Prolific Google bug hunter Ian Beer ripped into Apple on Wednesday, urging the iPhone maker to change its culture when it comes to iOS security. The Verge: "Their focus is on the design of the system and not on exploitation. Please, we need to stop just spot-fixing bugs and learn from them, and act on that," he told a packed audience. Per Beer, Apple researchers are not trying to find the root cause of the problems. "Why is this bug here? How is it being used? How did we miss it earlier? What process problems need to be addressed so we could [have] found it earlier? Who had access to this code and reviewed it and why, for whatever reason, didn't they report it?" He said the company suffers from an all-too-common affliction of patching an iOS bug, but not fixing the systemic roots that contribute to the vulnerability. In a provocative call to Apple's CEO Tim Cook, Beer directly challenged him to donate $2.45 million to Amnesty International -- roughly the equivalence of bug bounty earnings for Beer's 30-plus discovered iOS vulnerabilities.

secwatcher writes from a report via Threatpost: Cisco Talos researchers found flaws located in Samsung's centralized controller, a component that connects to an array of IoT devices around the house -- from light bulbs, thermostats, and cameras. SmartThings Hub is one of several DIY home networking devices designed to allow homeowners to remotely manage and monitor digital devices. "Given that these devices often gather sensitive information, the discovered vulnerabilities could be leveraged to give an attacker the ability to obtain access to this information, monitor and control devices within the home, or otherwise perform unauthorized activities," researchers said in a report. Threatpost goes on to detail the "multiple attack chain scenarios." Thankfully, Samsung has since patched the bugs. "We are aware of the security vulnerabilities for SmartThings Hub V2 and released a patch for automatic update to address the issue," a Samsung spokesperson told Threatpost. "All active SmartThings Hub V2 devices in the market are updated to date." The company released a firmware advisory for Hub V2 devices on July 9th.

Slashdot reader lod123 quotes ThreatPost: At least 25,936 malicious apps are currently using one of Facebook's APIs, such as a login API or messaging API. These allow apps to access a range of information from Facebook profiles, like name, location and email address. Trustlook discovered the malicious apps using a formula, which created a risk score for apps based on more than 80 pieces of information for each app, including permissions, libraries, risky API calls and network activity... A malicious app (with a risk score above 7) "might be doing things such as capturing pictures and audio when the app is closed, or making an unusually large amount of network calls," a spokesperson told Threatpost...

To be fair, Facebook is not the only company with its APIs embedded in malicious applications... "The problem, for the most part, is that this is data that is provided when their login is used elsewhere. The API is simply passing through intelligence it has gathered from their profile," said Chris Roberts, chief security architect at Acalvio, via email. "LinkedIn, Google and Twitter, among others, have similarly flawed APIs that can be used to harvest information both about you (the target) and possibly associated individuals...depending upon queries and other developer privileges that are being exploited."
A Trustlook spokesperson summarized their position after the report. "Just as Coke does not want its ads running on certain websites, Facebook should not want malicious app developers using its APIs."

lod123 shares a report from Threatpost: Nearly a half-million pacemakers are up for a firmware update to address potentially life-threatening vulnerabilities. Abbott (formerly St. Jude Medical) has released another upgrade to the firmware installed on certain implantable cardioverter defibrillator (ICD) or cardiac resynchronization therapy defibrillator (CRT-D) devices -- a.k.a., pacemakers. About 465,000 patients are affected. The update will strengthen the devices' protection against unauthorized access, as the provider said in a statement on its website: "It is intended to prevent anyone other than your doctor from changing your device settings." The update comes after 2016 claims by researchers that the then-St. Jude's cardiac implant ecosystem was rife with cybersecurity flaws that could result in "catastrophic results."

lod123 shares a report from Threatpost: Android phone-maker BLU Products agreed to a proposed settlement on Tuesday with the Federal Trade Commission, over allegations it allowed the third-party firm Adups Technology to collect detailed consumer data from users without their consent. In an administrative complaint filed earlier this week against BLU and the company's co-owner and president Samuel Ohev-Zion, the FTC accused the firm of sharing with China-based Adups the full contents of their users' text messages, real-time cell tower location data, call and text-message logs, contact lists, and applications used and installed on devices.

Ultimately, the FTC is alleging Ohev-Zion and BLU violated the FTC Act's section pertaining to "deceptive representation regarding disclosure of personal information." The proposed settlement will be made final after a 30-day public comment period. In its proposed complaint, the FTC said Florida-based BLU contracted with Adups to issue security and operating system updates to millions of phones sold by the firm through Amazon, Best Buy and Walmart. In addition to allegedly failing to protect consumer privacy, the FTC asserts that BLU failed "to adequately assess the privacy and security risks of third-party software installed on BLU devices" resulting in "common security vulnerabilities that could enable attackers to gain full access to the devices." Security researchers at Kryptowire first reported in 2016 that several models of BLU phones actively transmitted user and device information to Adups.

lod123 shares a report from Threatpost: As Georgia Governor Nathan Deal considers whether to sign a controversial piece of legislation that would allow companies to 'hack back' with offensive initiatives in the face of a cyberattack, companies from across the tech spectrum are lining up to protest the measure. Also, a hacktivist group has targeted Georgia Southern University, two restaurants and a church to protest the bill. Opponents have twin beefs when it comes to Senate Bill 315: Some are questioning whether legitimizing offensive attacks will open the door to a new kind of corporate warfare; and others are concerned that the law will have a chilling effect on cyber-research by criminalizing white-hat activity like vulnerability research and pen-testing.

Google and Microsoft are in the former camp, and have asked Deal to veto the bill, which was passed by the Georgia General Assembly in March and which is nearing its deadline for signing into law. The two giants take issue with a provision in the bill that allows "active defense measures that are designed to prevent or detect unauthorized computer access." In a letter to the governor, the two argued that S.B. 315 "will make Georgia a laboratory for offensive cybersecurity practices that may have unintended consequences and that have not been authorized in other jurisdictions," and that "provisions such as this could easily lead to abuse and be deployed for anti-competitive, not protective purposes." They added: "On its face, this provision broadly authorizes the hacking of other networks and systems under the undefined guise of cybersecurity... [B]efore Georgia endorses the 'hack back' authority in 'defense' or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy." Tripwire also filed a letter with the governor's office: "[A]ccording to the wording of S.B. 315, well-intentioned ('white-hat') researchers could be subject to civil or criminal prosecution when following industry best practices in investigating a website for protection from a potential cyber-attack. It is our firm belief that an explicit exception is required to exclude prosecution when the party in question is acting in good-faith to protect a business or their customers from attack. Without this exclusion, S.B. 315 will discourage good actors from reporting vulnerabilities and ultimately increase the likelihood that adversaries will find and exploit the underlying weaknesses."

lod123 shares a report from Threatpost: Uber is tightening policies around its bug-bounty program after a 2016 data breach exposed deep flaws in its policies around handling extortion. With the updates, Uber's HackerOne bug bounty policies more thoroughly outline "good-faith vulnerability research and disclosure," and contain language defining what constitutes unacceptable behavior, stating that the company wants researchers "to hunt for bugs, not user data."

One newly outlined policy makes it clear that Uber won't take legal action against researchers -- as long as they report vulnerabilities with no strings attached. "You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests, or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached," the policy said. Uber has made additional changes to its program to offer researchers an additional $500 if they include a fully scripted proof-of-concept (PoC) in their original report.

lod123 shares a report from Threatpost: A leaky Mongo database exposed personal information, including scanned passports and driver's licenses, of 25,000 investors and potential investors tied to the Bezop cryptocurrency, according to researchers. Kromtech Security said that it found the unprotected data on March 30, adding that it included a treasure-trove of information ranging from "full names, (street) addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver's licenses and other IDs," according to the researchers. Kromtech researchers, in their overview of the results of its investigation, said that Bezop.io, the organization behind the currency, immediately secured the data after being notified. Bezop is one of over 1,000 cryptocurrencies in a crowded playing field vying for investor attention. According to Kromtech, the list of 25,000 people included both current and prospective investors promised Bezop cryptocurrency in exchange for promoting the cryptocurrency on social media.

New submitter lod123 writes: A malicious proof-of-concept Amazon Echo Skill shows how attackers can abuse the Alexa virtual assistant to eavesdrop on consumers with smart devices -- and automatically transcribe every word said. Checkmarx researchers told Threatpost that they created a proof-of-concept Alexa Skill that abuses the virtual assistant's built-in request capabilities. The rogue Skill begins with the initiation of an Alexa voice-command session that fails to terminate (stop listening) after the command is given. Next, any recorded audio is transcribed (if voices are captured) and a text transcript is sent to a hacker. Checkmarx said it brought its proof-of-concept attack to Amazon's attention and that the company fixed a coding flaw that allowed the rogue Skill to capture prolonged audio on April 10.

Dangerous_Minds shares a report from ThreatPost: Ancestry.com said it closed portions of its community-driven genealogy site RootsWeb as it investigated a leaky server that exposed 300,000 passwords, email addresses and usernames to the public internet. In a statement issued over the weekend, Chief Information Security Officer of Ancestry.com Tony Blackham said a file containing the user data was publicly exposed on a RootsWeb server. On Wednesday, Ancestry.com told Threatpost it believed the data was exposed on November 2015. The data resided on RootsWeb's infrastructure, and is not linked to Ancestry.com's site and services. Ancestry.com said RootsWeb has "millions" of members who use the site to share family trees, post user-contributed databases and host thousands of messaging boards. The company said RootsWeb doesn't host sensitive information such as credit card data or social security numbers. It added, there are no indications data exposed to the public internet has been accessed by a malicious third party. The company declined to specify how and why the data was stored insecurely on the server. "Approximately 55,000 of these were used both on RootsWeb and one of the Ancestry sites, and the vast majority of those were from free trial or currently unused accounts. Additionally, we found that about 7,000 of those password and email address combinations matched credentials for active Ancestry customers," Blackham wrote.

Mozilla has issued a critical security update to its popular open-source Thunderbird email client. From a report The patch was part of a December release of five fixes that included two bugs rated high and one rated moderate and another low. Mozilla said Thunderbird, which is also serves as a news, RSS and chat client, the latest Thunderbird 52.5.2 version released last week fixes the vulnerabilities. The most serious of the fixes is a critical buffer overflow bug (CVE-2017-7845) impacting Thunderbird running on Windows operating system. The bug is present when "drawing and validating elements with angle library using Direct 3D 9," according to the Mozilla Foundation Security Advisory. US-Cert said it encourages users and administrators to review the patch and apply the necessary update.

msm1267 writes: BLU phones, marketed as affordable Android devices, have recently been pulled from Amazon and other retailers after allegations the devices were infected with spyware and posed a privacy threat to users. This is the tale of one such victim who purchased 11 devices that instantaneously began serving pop-up ads and downloading unwanted applications. The phones were analyzed and the root of the issue in this case was uncovered.

dustman81 writes: AT&T Uverse modems were found to have several serious vulnerabilities, including a superuser account with hardcoded username/password exposed to the internet via SSH, a HTTP server with little authentication which allows command injection, and an internet exposed service which exposes internal clients to external attacks. Information security consulting and software development firm Nomotion reports the findings in their blog: "It was found that the latest firmware update (9.2.2h0d83) for the NVG589 and NVG599 modems enabled SSH and contained hardcoded credentials which can be used to gain access to the modem's 'cshell' client over SSH. The cshell is a limited menu driven shell which is capable of viewing/changing the WiFi SSID/password, modifying the network setup, re-flashing the firmware from a file served by any tftp server on the internet, and even controlling what appears to be a kernel module whose sole purpose seems to be to inject advertisements into the user's unencrypted web traffic. Although no clear evidence was found suggesting that this module is actually being used currently, it is present, and vulnerable. Aside from the most dangerous items listed above, the cshell application is also capable of many other privileged actions. The username for this access is remotessh and the password is 5SaP9I26." The report continues to detail the other vulnerabilities: Default credentials 'caserver' https server NVG599; Command injection 'caserver' https server NVG599; Information disclosure/hardcoded credentials; and Firewall bypass no authentication.

Further reading: FierceTelecom; The Register

Leaks of personal and business information from unsecured Amazon S3 buckets are piling up. From a report: The latest belongs to Groupize, a Boston-area business that sells tools to manage small group meetings as well as a booking engine that handles hotel room-block reservations. Researchers at Kromtech Security found a publicly accessible bucket containing business and personal data, including contracts and agreements between hotels, customers and Groupize, Kromtech said. The data included some credit card payment authorization forms that contained full payment card information including expiration data and CVV code. The researchers said the database stored in S3 contained numerous folders, below; one called "documents" held close to 3,000 scanned contracts and agreements, while another called all_leads had more than 3,100 spreadsheets containing critical Groupize business data including earnings. There were 37 other folders in the bucket containing tens of thousands of files, most of them storing much more benign data.

100 million HTTPS certificates were issued in the last year by Let's Encrypt -- a free certificate authority founded by Mozilla, Cisco and the Electronic Frontier Foundation -- and they're now issuing more than 100,000 HTTPS certificates every day. Should they be performing more vetting? msm1267 shared this article from Kaspersky Lab's ThreatPost blog: [S]ome critics are sounding alarm bells and warning that Let's Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place. The primary concern has been that while the growth of SSL/TLS encryption is a positive trend, it also offers criminals an easy way to facilitate website spoofing, server impersonation, man-in-the-middle attacks, and a way to sneak malware through company firewalls... Critics do not contend Let's Encrypt is responsible for these types of abuses. Rather, because it is the 800-pound gorilla when it comes to issuing basic domain validation certificates, critics believe Let's Encrypt could do a better job vetting applicants to weed out bad actors... "I think there should be some type of vetting process. That would make it more difficult for malicious actors to get them," said Justin Jett, director of audit and compliance at Plixer, a network traffic analytics firm...

Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let's Encrypt, points out that its role is not to police the internet, rather its mission is to make communications secure. He added that, unlike commercial certificate authorities, it keeps a searchable public database of every single domain it issues. "When people get surprised at the number of PayPal phishing sites and get worked up about it, the reason they know about it is because we allow anyone to search our records," he said. Many other certificate authorities keep their databases of issued certificates private, citing competitive reasons and that customers don't want to broadcast the names of their servers... The reason people treat us like a punching bag is that we are big and we are transparent. "
The criticism intensified after Let's Encrypt announced they'd soon offer wildcard certificates for subdomains. But the article also cites security researcher Scott Helme, who "argued if encryption is to be available to all then that includes the small percent of bad actors. 'I don't think it's for Signal, or Let's Encrypt, to decide who should have access to encryption."

"Guido Vranken recently published 4 security vulnerabilities in OpenVPN on his personal blog," writes long-time Slashdot reader randomErr -- one of which was a critical remote execution bug. Though patches have been now released, there's a lesson to be learned about the importance of fuzzing -- bug testing with large amounts of random data -- Guido Vranken writes: Most of these issues were found through fuzzing. I hate admitting it, but...the arcane art of reviewing code manually, acquired through grueling practice, are dwarfed by the fuzzer in one fell swoop; the mortal's mind can only retain and comprehend so much information at a time, and for programs that perform long cycles of complex, deeply nested operations it is simply not feasible to expect a human to perform an encompassing and reliable verification.
ZDNet adds that "OpenVPN's audits, carried out over the past two years, missed these major flaws. While a handful of other bugs are found, perhaps OpenVPN should consider adding fuzzing to their internal security analysis in the future."

Guido adds on his blog, "This was a labor of love. Nobody paid me to do this. If you appreciate this effort, please donate BTC..."

msm1267 writes: Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code at root. Major Linux and open source distributors made patches available Monday, and systems running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated soon.

The risk presented by this flaw, CVE-2017-1000364, becomes elevated especially if attackers are already present on a vulnerable system. They would now be able to chain this vulnerability with other critical issues, including the recently addressed Sudo vulnerability, and then run arbitrary code with the highest privileges, said researchers at Qualys who discovered the vulnerability.

msm1267 writes: Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code at root. Major Linux and open source distributors made patches available Monday, and systems running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated soon.

The risk presented by this flaw, CVE-2017-1000364, becomes elevated especially if attackers are already present on a vulnerable system. They would now be able to chain this vulnerability with other critical issues, including the recently addressed Sudo vulnerability, and then run arbitrary code with the highest privileges, said researchers at Qualys who discovered the vulnerability.

msm1267 writes: EternalBlue, the NSA-developed attack used by criminals to spread WannaCry ransomware last month, has been ported to Windows 10 by security researchers. The publicly available version of EternalBlue leaked by the ShadowBrokers targets only Windows XP and Windows 7 machines. Researchers at RiskSense who created the Windows 10 version of the attack were able to bypass mitigations introduced by Microsoft that thwart memory-based code-execution attacks. These mitigations were introduced prior to a March security update from Microsoft, MS17-010, and any computer running Windows that has yet to install the patch is vulnerable. You can read the researchers' report here (PDF), which explains what was necessary to bring the NSA exploit to Windows 10.

msm1267 quotes a report from Threatpost: A ransomware attack running rampant through Europe today is spreading via an exploit leaked in the most recent Shadow Brokers dump. Researchers said the attackers behind today's outbreak of WannaCry ransomware are using EternalBlue, an exploit made public by the mysterious group in possession of offensive hacking tools allegedly developed by the NSA. Most of the attacks are concentrated in Russia, but machines in 74 countries have been infected; researchers at Kaspersky Lab said they've recorded more than 45,000 infections so far on their sensors, and expect that number to climb. Sixteen National Health Service (NHS) organizations in the U.K., several large telecommunications companies and utilities in Spain, and other business throughout Europe have been infected. Critical services are being interrupted at hospitals across England, and in other locations, businesses are shutting down IT systems. An anonymous Slashdot reader adds: Ransomware scum are using an SMB exploit leaked by the Shadow Brokers last month to fuel a massive ransomware outbreak that exploded online today, making victims all over the world in huge numbers. The ransomware's name is Wana Decrypt0r, but is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, or WCry. The ransomware is using the ETERNALBLUE exploit, which uses a vulnerability in the SMBv1 protocol to infect vulnerable computers left exposed online. Microsoft issued a patch for this vulnerability last March, but there are already 36,000 Wana Decrypt0r victims all over the globe, due to the fact they failed to install it. Until now, the ransomware has laid waste to many Spanish companies, healthcare organizations in the UK, Chinese universities, and Russian government agencies. According to security researchers, the scale of this ransomware outbreak is massive and never-before-seen.
UPDATE: The Guardian reports that "An 'accidental hero' has halted the global spread of the WannaCry ransomware" by discovering a kill switch involving "a very long nonsensical domain name that the malware makes a request to." By registering that domain, the spread of the ransomware was effectively halted.

Slashdot reader msm1267 quotes ThreatPost: Drones, many readily available on ecommerce shops such as Amazon, are plagued by vulnerabilities that could give attackers full root access, read or delete files, or crash the device. The United States Computer Emergency Readiness Team (US-CERT) published a warning about one model, the DBPOWER U818A WiFi quadcopter, last month, but according to the researcher who reported the vulnerabilities, multiple drone models -- manufactured by the same company but sold under different names -- are also vulnerable.

They contain two appealing attack vectors: an open access point and a misconfigured FTP server. If an attacker was within WiFi range of the drone they could easily obtain read and write permissions to the drone's filesystem and modify its root password... Like any attack dependent on Wi-Fi, an attacker would need to be in close proximity to the drone to carry out an attack, but an attacker could connect their computer to the drone access point, essentially treating it as a proxy to spy on the device's live feed or the drone's open ports.

An anonymous reader quotes ThreatPost: A popular version of the open source Magento ecommerce platform is vulnerable to a zero-day remote code execution vulnerability, putting as many as 200,000 online retailers at risk... According Bosko Stankovic, information security engineer at DefenseCode, despite repeated efforts to notify Magento, which began in November 2016, the vulnerability remains unpatched despite four version updates since the disclosure. Affected versions of the Magento Community Edition software include v. 2.1.6 and below. DefenseCode did not examine Magento Enterprise, the commercial version of the platform, but warns both share the same underlying vulnerable code... The remote code execution (RCE) vulnerability is tied to the default feature in Magento Community Edition that allows administrators to add Vimeo video content to product descriptions.
DefenseCode says the exploit can be mitigated by enforcing Magento's "Add Secret Keys To URLS" feature, warning in a paper that the hole otherwise "could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information." Magento has confirmed the exploit, says they're investigating it, and promises they'll address it in their next patch release.

hypercard writes: Researchers from West Point recently presented research on a real-time passive analysis of Netflix traffic. The paper, entitled "Identifying HTTPS-Protected Netflix Videos in Real-Time" is based on research conducted by Andrew Reed, Michael Kranch and Benjamin Klimkowski. The team's technique demonstrates frighteningly accurate results based solely on information captured from TCP/IP headers. Even with the recent upgrade to HTTPS, their technique was effective at identifying the correct video with greater than 99.99 percent accuracy against their database of over 42,000 videos. "When tested against 200 random 20-minute video streams, our system identified 99.5 percent of the videos with the majority of the identifications occurring less than two and a half minutes into the video stream," the paper reads. However, there are important points to note. First, the attack described only applies to streams still using Silverlight. Additionally, an attacker would likely need significant resources and access to intercept, fingerprint and process the traffic in real time. Netflix has reacted positively to the team's research and acknowledged the issue as a known drawback to processing video streams with HTTPS.

"Phishing emails zeroing in on developers who own Github repositories were infecting victims with malware capable of stealing data through keyloggers and modules that would snag screenshots," writes ThreatPost. An anonymous reader quotes their report: Researchers at Palo Alto Networks this week said that in mid-January, an unknown number of developers were targeted with emails purporting to be job offers. The attachments instead carried malicious .doc files containing an embedded macro. The macro executed a PowerShell command that would grab malware from a command and control site and execute it... [Senior threat researcher Brandon] Levene said it's unknown how widespread the January campaign was or why developers were targeted, but given the vast number of projects hosted on the platform, it would likely be an attractive target for either criminals and nation-state attackers.
Levene said the PowerShell script drops a binary named Dimnie, which has been around since 2014 but before January targeted primarily Russian-speaking targets. Someone who received two different emails said they appeared to be hand-crafted, according to Ars Technica, and referenced data changed that same day. They believe this suggests "a focused campaign explicitly targeting targets perceived as 'high return investments,' such as developers (possibly working on popular/open source projects)."

America's Department of Homeland Security issued a new warning this week. An anonymous reader quotes IT World: Companies that use security products to inspect HTTPS traffic might inadvertently make their users' encrypted connections less secure and expose them to man-in-the-middle attacks, the U.S. Computer Emergency Readiness Team warns. US-CERT, a division of the Department of Homeland Security, published an advisory after a recent survey showed that HTTPS inspection products don't mirror the security attributes of the original connections between clients and servers. "All systems behind a hypertext transfer protocol secure (HTTPS) interception product are potentially affected," US-CERT said in its alert.
Slashdot reader msm1267 quotes Threatpost: HTTPS inspection boxes sit between clients and servers, decrypting and inspecting encrypted traffic before re-encrypting it and forwarding it to the destination server... The client cannot verify how the inspection tool is validating certificates, or whether there is an attacker positioned between the proxy and the target server.

Thursday the U.S. Army shared some surprising results from its first bug bounty program -- a three-week trial in which they invite 371 security researchers "trained in figuring out how to break into computer networks they're not supposed to." An anonymous reader quotes Threatpost: The Army said it received more than 400 bug reports, 118 of which were unique and actionable. Participants who found and reported unique bugs that were fixed were paid upwards of $100,000... The Army also shared high-level details on one issue that was uncovered through the bounty by a researcher who discovered that two vulnerabilities on the goarmy.com website could be chained together to access, without authentication, an internal Department of Defense website.

"They got there through an open proxy, meaning the routing wasn't shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system," said a post published on HackerOne, which managed the two bounty programs on its platform. "On its own, neither vulnerability is particularly interesting, but when you pair them together, it's actually very serious."

"Deadlines imposed by browser makers deprecating support for the weakened SHA-1 hashing algorithm have arrived," writes Slashdot reader msm1267. "And while many websites and organizations have progressed in their migrations toward SHA-2 and other safer hashing algorithms, pain points and potential headaches still remain." Threatpost reports: Starting on Jan. 24, Mozilla's Firefox browser will be the first major browser to display a warning to its users who run into a site that doesn't support TLS certificates signed by the SHA-2 hashing algorithm... "SHA-1 deprecation in the context of the browser has been an unmitigated success. But it's just the tip of the SHA-2 migration iceberg. Most people are not seeing the whole problem," said Kevin Bocek, VP of security strategy and threat intelligence for Venafi. "SHA-1 isn't just a problem to solve by February, there are thousands more private certificates that will also need migrating"...

Experts warn the move to SHA-2 comes with a wide range of side effects; from unsupported applications, new hardware headaches tied to misconfigured equipment and cases of crippled credit card processing gear unable to communicate with backend servers. They say the entire process has been confusing and unwieldy to businesses dependent on a growing number of digital certificates used for not only their websites, but data centers, cloud services, and mobile apps... According to Venafi's research team, 35 percent of the IPv4 websites it analyzed in November are still using insecure SHA-1 certificates. However, when researchers scanned Alexa's top 1 million most popular websites for SHA-2 compliance it found only 536 sites were not compliant. The article describes how major tech companies are handling the move to SHA-2 compliance -- including Apple, Google, Microsoft, Facebook, Salesforce and Cloudflare

msm1267 quotes a report from Threatpost: GoDaddy has revoked, and begun the process of re-issuing, new SSL certificates for more than 6,000 customers after a bug was discovered in the registrar's domain validation process. The bug was introduced July 29 and impacted fewer than two percent of the certificates GoDaddy issued from that date through yesterday, said vice president and general manager of security products Wayne Thayer. "GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process," Thayer said in a statement. "The bug caused the domain validation process to fail in certain circumstances." GoDaddy said it was not aware of any compromises related to the bug. The issue did expose sites running SSL certs from GoDaddy to spoofing where a hacker could gain access to certificates and pose as a legitimate site in order to spread malware or steal personal information such as banking credentials. GoDaddy has already submitted new certificate requests for affected customers. Customers will need to take action and log in to their accounts and initiate the certificate process in the SSL Panel, Thayer said.

msm1267 writes: Last week Box.com moved quickly and quietly to block search engines from indexing links to confidential data owned by its users. That is after security researcher Markus Neis surfaced private data belonging to a number of Fortune 500 companies via Google, Bing and other search engines. Box.com said it's a classic case of users accidentally oversharing. Neis isn't convinced and says Box.com's so-called Collaboration links shouldn't have been indexed in the first place. Box.com has since blocked access to what security researchers say was a treasure trove of confidential data and fodder for phishing scams.

Reader msm1267 writes: Researchers at IOActive today disclosed vulnerabilities in Panasonic Avionics In-Flight Entertainment Systems that were reported to the manufacturer close to two years ago. The flaws could be abused to manipulate in-flight data shown to passengers, or access personal information and credit card data swiped at the seat for premium entertainment or Internet access. Given that the firmware is customizable and used by dozens airlines in hundreds of aircraft models, the researchers said it's almost impossible to determine whether the vulnerabilities no longer exist across the board. IOActive said that segmentation between aircraft control and information services that oversee avionics and operational control of a plane should isolate these vulnerabilities to passenger entertainment domains. Whether an attacker could cross those domains and affect critical avionics systems would depend on specific devices and configurations, IOActive said, given that a physical path could exist that connects those systems through satellite communications terminals that provide in-flight updates to critical systems. The concern is that whether in some configurations, IFEs would share access to these devices and provide the physical path an attacker would need to reach critical systems. As for the vulnerabilities in passenger systems, IOActive said there is a lack of authentication and encryption between an on-board server and clients at passenger seats. This could allow an attacker on board to send commands to the IFE system to manipulate what's displayed to passengers, or read payment card data swiped at seats.

msm1267 quotes ThreatPost: The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It's a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and some repositories taking a hands-off approach with the code they host. This scenario allows attackers to target one overlooked component flaw used in millions of applications instead of focusing on a single application security vulnerability.

The real-world consequences have been demonstrated in the past few years with the Heartbleed vulnerability in OpenSSL, Shellshock in GNU Bash, and a deserialization vulnerability exploited in a recent high-profile attack against the San Francisco Municipal Transportation Agency. These are three instances where developers reuse libraries and frameworks that contain unpatched flaws in production applications... According to security experts, the problem is two-fold. On one hand, developers use reliable code that at a later date is found to have a vulnerability. Second, insecure code is used by a developer who doesn't exercise due diligence on the software libraries used in their project.
That seems like a one-sided take, so I'm curious what Slashdot readers think. Does code reuse endanger secure software development?

msm1267 quotes Kaspersky Lab's ThreatPost: A critical, local code-execution vulnerability in the Linux kernel was patched more than a week ago, continuing a run of serious security issues in the operating system, most of which have been hiding in the code for years. Details on the vulnerability were published Tuesday by researcher Philip Pettersson, who said the vulnerable code was introd in August 2011.

A patch was pushed to the mainline Linux kernel December 2, four days after it was privately disclosed. Pettersson has developed a proof-of-concept exploit specifically for Ubuntu distributions, but told Threatpost his attack could be ported to other distros with some changes. The vulnerability is a race condition that was discovered in the af_packet implementation in the Linux kernel, and Pettersson said that a local attacker could exploit the bug to gain kernel code execution from unprivileged processes. He said the bug cannot be exploited remotely.
"Basically it's a bait-and-switch," the researcher told Threatpost. "The bug allows you to trick the kernel into thinking it is working with one kind of object, while you actually switched it to another kind of object before it could react."

msm1267 quotes a report from Threatpost: A vulnerability in cryptsetup, a utility used to set up encrypted filesystems on Linux distributions, could allow an attacker to retrieve a root rescue shell on some systems. From there, an attacker could have the ability to copy, modify, or destroy a hard disk, or use the network to exfiltrate data. Cryptsetup, a utility used to setup disk encryption based on the dm-crypt kernel module, is usually deployed in Debian and Ubuntu. Researchers warned late last week that if anyone uses the tool to encrypt system partitions for the operating systems, they're likely vulnerable. Two researchers, Hector Marco of the University of the West of Scotland and Ismael Ripoll, of the Polytechnic University of Valencia, in Spain, disclosed the vulnerability on Friday at DeepSec, a security conference held at the Imperial Riding School Renaissance Vienna Hotel in Austria. According to a post published to the Full Disclosure mailing list, the vulnerability (CVE-2016-4484) affects packages 2.1 and earlier. Systems that use Dracut, an infrastructure commonly deployed on Fedora in lieu of initramfs -- a simple RAM file system directory, are also vulnerable, according to the researchers. The pair say additional Linux distributions outside of Debian and Ubuntu may be vulnerable, they just haven't tested them yet. The report adds: "The problem stems from the incorrect handling of a password check when a partition is ciphered with LUKS, or Linux Unified Key Setup, a disk encryption specification that's standard for Linux. Assuming an attacker has access to the computer's console, when presented with the LUKS password prompt, they could exploit the vulnerability simply by pressing 'Enter' over and over again until a shell appears. The researchers say the exploit could take as few as 70 seconds. After a user exceeds the maximum number of three password tries, the boot sequence continues normally. Another script in the utility doesn't realize this, and drops a BusyBox shell. After carrying out the exploit, the attacker could obtain a root initramfs, or rescue shell. Since the shell can be executed in the initrd, or initial ram disk, environment, it can lead to a handful of scary outcomes, including elevation of privilege, information disclosure, or denial of service."