Cyber Security news for the month of January, 2017.
Netgear Launches Bug Bounty Program
Networking equipment provider Netgear announced on Thursday the launch of a bug bounty program focusing on the company’s products, particularly routers, security cameras and mesh Wi-Fi systems.
With the aid of Bugcrowd, Netgear will run two types of responsible disclosure programs: a program offering Bugcrowd kudos points, and one offering cash rewards.
In the case of Arlo products, the bug bounty program covers firmware, web management interfaces, client apps and cloud infrastructure.
The list of vulnerabilities covered by the bug bounty program also includes SQL injection, information disclosure, stored cross-site scripting, cross-site request forgery and open redirect issues.
“As the innovative leader in connecting the world to the internet, Netgear must earn and maintain the trust of their users by protecting the privacy and security of their data. Being proactive when it comes to security is fundamental to Netgear’s approach,” said Netgear vice president of information technology Tejas Shah.
“By adding a managed bug bounty program through Bugcrowd, we are adding one more layer to our security program.”
Netgear’s decision to launch a bug bounty program comes after researchers reported finding numerous vulnerabilities in the company’s products.
FTC Issues Public Challenge to Improve IoT Patching
The U.S. government agency announced the kickoff of the FTC IoT Home Inspector Challenge, a prize contest open to the public with the goal of coming up with a patching solution fit for consumer-grade connected devices used in the home.
Entrants have until May 22 to submit a detailed paper explaining a tool that consumers can use to protect devices running vulnerable software.
Ruth Yodaiken, data protection attorney with the FTC’s division of privacy and identity protection, said the agency has been concerned with the security of home Internet of Things devices as far back as 2013.
In the past, it has taken action against some companies for a lack of security mechanisms and protection in devices.
Entries should focus on patching, and the agency also singled out the problem posed by hard-coded default or weak passwords such as those guarding devices exploited by the Mirai malware.
“Such a tool might be a physical device that the consumer adds to his or her home network that checks and installs updates for other IoT devices on that home network. It might be an app or cloud-based service that allows consumers to submit IoT device model numbers, and, based on that input, provides information on how the consumer can install updates,” the FTC said.
ESEA hacked, 1.5 million records leaked after alleged failed extortion attempt
Late Saturday evening, breach notification service LeakedSource announced the addition of 1,503,707 ESEA records to their database.
The leaked records include registration date, city, state, last login, username, first and last name, bcrypt hash, email address, date of birth, zip code, phone number, website URL, Steam ID, Xbox ID, and PSN ID. However, in all, there are more than 90 fields associated with a given player record in the ESEA database.
The LeakedSource spokesperson said that the ESEA hack was part of a ransom scheme, as the hacker responsible demanded $50,000 in payment.
In exchange for meeting their demands, the hacker would keep silent about the ESEA hack and help the organization address the security flaw that made it possible.
In their previous notification, ESEA said they learned about the incident on December 27, but made no mention of any related extortion attempts.
Salted Hash has reached out to press contacts at ESEA, as well as those for Turtle Entertainment, the parent company listed on the ESEA website.
The statement also confirms the affected user count of 1.5 million, and stresses the point that ESEA passwords were hashed with bcrypt.
After Lawsuits and Denial, Pacemaker Vendor Finally Admits Its Product Is Hackable
St. Jude Medical was quick to issue a statement patting itself on the back for patching its systems against “Highly unlikely medical device cyber risks”: “There has been a great deal of attention on medical device security and it’s critical that the entire industry continually enhances and improves security while bringing advanced care to patients,” said cyber security expert Ann Barron DiCamillo, former director of U.S. CERT and advisor to St. Jude Medical’s Cyber Security Medical Advisory Board.
“Today’s announcement is another demonstration that St. Jude Medical takes cyber security seriously and is continuously reassessing and updating its devices and systems, as appropriate.” Granted, St. Jude Medical had previously received a bit of a nudge, and this isn’t the first time the company’s name has appeared in lights for the wrong reason.
Security startup MedSec resorted to some creative tactics last year when it began shorting St. Jude Medical stock to try and highlight the company’s abysmal security, after the traditional vulnerability reporting process failed to get the company’s attention.
At the time, MedSec Chief Executive Officer Justine Bone stated that the company consistently did little to nothing when vulnerabilities were reported: “As far as we can tell, St. Jude Medical has done absolutely nothing to even meet minimum cybersecurity standards, in comparison to the other manufacturers we looked at that have made efforts,” Bone said.
St. Jude Medical’s first response was an outright denial, followed by a lawsuit against MedSec for “trying to frighten patients and caregivers.”
Fast forward a few months, and St. Jude Medical is now trying to hold itself up as the poster child for proactive security and accountability.
Reported “backdoor” in WhatsApp is in fact a feature, defenders say
The Guardian roiled security professionals everywhere on Friday when it published an article claiming a backdoor in Facebook’s WhatsApp messaging service allows attackers to intercept and read encrypted messages.
At issue is the way WhatsApp behaves when an end user’s encryption key changes.
Among other things, it lets existing WhatsApp users who buy a new phone continue an ongoing conversation thread. Tobias Boelter, a Ph.D. candidate researching cryptography and security at the University of California at Berkeley, told the Guardian that the failure to obtain a sender’s explicit permission before using the new key challenged the often-repeated claim that not even WhatsApp or its owner Facebook can read encrypted messages sent through the service.
He first reported the weakness to WhatsApp last April.
Boelter went on to contrast the way WhatsApp handles new keys with the procedure used by Signal, a competing messaging app that uses the same encryption protocol.
WhatsApp, on the other hand, by default trusts the new key with no notification, and even when that default is changed, it notifies the sender of the change only after the message is sent.
Moxie Marlinspike, developer of the encryption protocol used by both Signal and WhatsApp, defended the way WhatsApp behaves.
Absent control over a WhatsApp server, an attack would require abusing something like the SS7 routing protocol for cellular networks to intercept SMS messages.
The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.
WhatsApp users should strongly consider turning on security notifications by accessing Settings > Account > Security.
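The two key-change behaviours contrasted above, as an added toy model that is not WhatsApp’s or Signal’s code; the contact names, key bytes and the Policy/KeyStore names are constructed for illustration:

```python
# Added example (not WhatsApp or Signal code): a toy trust-on-first-use key
# store showing the two key-change policies the article contrasts. Key
# values are constructed placeholders, not real identity keys.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Policy(Enum):
    BLOCK_UNTIL_VERIFIED = "block"  # Signal-style, as described in the article
    TRUST_AND_NOTIFY = "trust"      # WhatsApp default, as described in the article


@dataclass
class Outcome:
    sent: bool                  # was the message encrypted and sent?
    key_used: Optional[bytes]   # identity key it was encrypted to
    notice: Optional[str]       # security notification shown to the sender, if any


@dataclass
class KeyStore:
    policy: Policy
    notify: bool = False                    # "security notifications" setting, off by default
    pinned: Dict[str, bytes] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def first_contact(self, name: str, key: bytes) -> None:
        """Pin the key seen on first contact (trust on first use)."""
        self.pinned[name] = key

    def send(self, name: str, advertised_key: bytes) -> Outcome:
        """Encrypt to the contact's key, handling a changed key per policy."""
        pinned = self.pinned[name]
        if advertised_key == pinned:
            return Outcome(True, pinned, None)
        # The server now advertises a different key for this contact.
        if self.policy is Policy.BLOCK_UNTIL_VERIFIED:
            notice = f"{name}: safety number changed; verify before sending"
            self.log.append(notice)
            return Outcome(False, None, notice)
        # Trust-and-notify: re-pin, send to the new key, then (only if the
        # setting is on) tell the sender, so the message is already out
        # when the notice appears.
        self.pinned[name] = advertised_key
        notice = f"{name}: security code changed" if self.notify else None
        if notice:
            self.log.append(notice)
        return Outcome(True, advertised_key, notice)
```

With notifications off, the trust-and-notify store silently re-pins the new key and sends; the block-until-verified store refuses to send and keeps the old pin.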
GoDaddy revokes 9,000 SSL certificates wrongly validated by code bug
GoDaddy was obliged to revoke thousands of SSL certificates on Tuesday as the result of an unspecified software bug.
“Due to a software bug, the recently issued certificate for your domain was issued without proper domain validation, and in accordance with industry standards as a Certificate Authority, we will need to revoke your certificate as a precautionary measure.”
An affected website’s HTTPS encryption will still work even if its GoDaddy-issued certificate is revoked.
GoDaddy, which is issuing these replacement certificates free of charge, apologized to customers for the hassle caused by the slip-up in its notification email.
In a blog post, GoDaddy said the bug was introduced six months ago on July 29 and impacted less than two per cent of the SSL certificates issued from July 29, 2016, to Jan. 10, 2017.
“GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process.”
“In a typical process, when a certificate authority, like GoDaddy, validates a domain name for an SSL certificate, they provide a random code to the customer and ask them to place it in a specific location on their website,” it said.
Critical WebEx Extension Vulnerability Allows Code Execution
Google Project Zero researcher Tavis Ormandy has discovered a critical remote code execution vulnerability in the Cisco WebEx browser extension.
While analyzing the WebEx extension for Chrome, which has roughly 20 million active users, Ormandy noticed that it works on any URL that contains a “Magic” pattern.
This allows an attacker to execute arbitrary code on the targeted WebEx user’s system by getting them to access a specially crafted website.
Ormandy said Cisco’s fix was acceptable, but pointed out that the vulnerability could still be exploited silently through a potential cross-site scripting flaw on webex.com.
Even without the XSS, an attacker can still execute arbitrary code as long as the victim clicks “OK” when they are prompted to allow a WebEx meeting to launch on the malicious website.
Mozilla representatives said they were unhappy with Cisco’s fix and pointed out that webex.com does not use HTTP Strict Transport Security and Content Security Policy.
As a result, both Google and Mozilla have decided to remove the WebEx extension from their stores until Cisco releases a proper fix.
Contact Rigid Bits for all of your Cyber Security needs. Let us help protect your network!