Information Security News|Cyber Security|Hacking Tutorial
https://www.securitynewspaper.com/
Information Security Newspaper|Infosec Articles|Hacking News
Thu, 30 Jul 2020 21:29:08 +0000

Passwords for accessing private meetings in Zoom can be easily decrypted: New vulnerability found
https://www.securitynewspaper.com/2020/07/30/passwords-for-accessing-private-meetings-in-zoom-can-be-easily-decrypted-new-vulnerability-found/
Thu, 30 Jul 2020 18:33:33 +0000

Zoom is arguably the most popular video conferencing platform today, although its growing popularity has also generated security issues, security testing course experts mentioned. The developers of the platform have just fixed a flaw that would allow threat actors to crack the password used to access a group session, exposing users to spying.

Zoom sessions are protected by a six-digit password by default; however, Tom Anthony, a researcher at SearchPilot, says that a weakness in this mechanism allows threat actors to try every possible numeric combination and crack a password in a matter of minutes.

The researcher reported the problem last April, attaching a Python-based proof of concept to his report, and the flaw was corrected a few days later. It should be noted that a six-digit password allows a total of one million possible combinations, a minimal obstacle for hackers with sufficient knowledge and resources, as security testing course experts mentioned.

[Image: zoom30072020.jpg]
SOURCE: Tom Anthony

Zoom’s security teams had not set a maximum number of password attempts, so threat actors could use Zoom’s web client (https://zoom.us/j/MEETING_ID) to send a constant stream of HTTP requests and crack the password.

In his proof of concept, the researcher was able to join ongoing meetings once the password was cracked. In addition, Anthony found that the same procedure could be used to access Zoom sessions scheduled for later, although this requires a list of 10 million possible combinations.

In addition, security testing course experts reported an error in the login flow of the web client, which uses a temporary redirect to request the customer’s consent to the terms of service. This token flaw could make other attacks on the login mechanism easier.

As a precaution, Zoom disabled its web client until updates were released. The developers of the platform have recently been working at a forced pace to address all the reports they receive; while some of the issues reported to the company do not pose a risk to users, other flaws could compromise the sensitive information circulating on the platform.

For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to visit the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.

TP-Link routers allow anyone to change your WiFi password and steal your data
https://www.securitynewspaper.com/2019/12/16/tp-link-routers-allow-anyone-to-change-your-wifi-password-and-steal-your-data/
Tue, 17 Dec 2019 00:17:48 +0000

Currently we can find routers virtually anywhere, whether in workplaces, malls, schools or homes, because people need (or think they need) to always be connected to the Internet. However, despite being widely used, routers are among the technological devices with the most security flaws, ethical hacking experts say.

The X-Force research team, from the renowned technology firm IBM, released a report on finding a zero-day vulnerability in the firmware of TP-Link Archer C5 routers, version 4.

This is the first work published on this flaw, which is present in the company’s solutions for home and business environments. According to ethical hacking researchers, if exploited, this vulnerability would allow a remote threat actor to take control of the device’s settings via Telnet and connect to a File Transfer Protocol (FTP) server over LAN or WAN.

Exploiting this vulnerability would give the attacker administrator privileges due to the characteristics inherent in these devices, so it is considered of critical severity.

In addition, the risk increases in enterprise environments, as routers often have guest WiFi enabled. A compromised device in an enterprise environment could be used by a hacker to infiltrate the company’s networks with relative ease, from where they could carry out network reconnaissance and side channel attacks.

After the discovery, the IBM team of researchers reported the vulnerability to TP-Link according to the parameters set by the cybersecurity community. The company acknowledged the report and announced a number of measures to mitigate the risk of exploitation.

Simply put, vulnerable HTTP requests lead to the overwriting of the device administrator password. When a shorter-than-expected string is sent as the user password, the password value is corrupted into some non-ASCII bytes. On the other hand, when the string is too long, the password is completely overwritten and replaced with an empty value. These devices have only one type of user (administrator with root privileges), so a hacker may take the administrator’s place and take control of the affected device.

To trigger the vulnerability and take control of the device, only sending the right request is required, as shown in the following example. Arguably, there are two types of requests: safe and vulnerable. A non-vulnerable HTTP request has two parameters: the TokenID and the JSESSIONID. However, CGI validation is based only on the Referer HTTP header. If this matches the IP address or associated domain, the router’s server recognizes the request as valid.

If that Referer is removed from the headers, the request returns a “Forbidden” response.

This issue affects HTTP POST and GET requests in the same way, overwriting the administrator password when the string length exceeds the allowed number of bytes; this is, therefore, a kind of overflow bug, ethical hacking experts mention.

Using the version number of the memory chip, the researchers found all the device’s firmware information. During the extraction of this information, an RSA private key was found stored in memory. This key is used to encrypt and decrypt users’ passwords when accessing the router’s web interface.

After extracting the firmware, login data stored in the rootfs/etc folder was found. The default username and password were extremely weak. Leaving the default combination as is can allow access to an FTP server and grant access to the console.

With root access, the researchers gained some control over the binaries. With the help of some tools, static and dynamic analyses were performed to locate exactly where the vulnerability resided. Below is the relevant part of the parsed HTTP header as seen in IDA:

The next step was to verify what happens to the password file when a vulnerable request is sent using different string lengths, sending a password longer than the allowed number of characters.

The password is completely wiped and its value is empty. From this moment on, it is possible to access Telnet and FTP without any password, using only “admin” as the username, which is the only user available on the device by default.

International Institute of Cyber Security (IICS) ethical hacking specialists recommend that users who have not upgraded their systems go to TP-Link’s official site, where, in addition to updates ready to be installed, they will find other details available about the incident.

Millions of passwords exposed in dark web
https://www.securitynewspaper.com/2019/01/18/millions-of-passwords-exposed-in-dark-web/
Fri, 18 Jan 2019 01:02:10 +0000

With over 700 million records, this is one of the biggest loots of information ever found

Ethical hacking and network security experts from the International Institute of Cyber Security reported the finding of a gigantic database with more than 700 million email addresses in one of the most popular hacking forums on the dark web, implying that cybercriminals have one of the largest banks of stolen information ever known.

The database is composed of a total of 87 GB organized into 12k separate folders within a root folder called ‘Collection #1’. The database was first identified on the Mega cloud storage service, from where it was subsequently removed, only to end up on a dark web forum.

Troy Hunt, network security expert, conducted an analysis of the database and discovered that it contains about one billion unique combinations of email addresses and passwords. After a cleanup process, the database was left with about 773 million unique email addresses, the largest stolen email collection ever recorded in Have I Been Pwned, the site managed by Hunt.

In addition, Hunt mentioned that they found 21 million unique passwords in the database: “We found this information after implementing multiple cleanup processes, discarding passwords that were still in the form of hashes, strings, control characters and SQL statement snippets,” the expert mentioned.

Some files corresponding to other data breach incidents were included in this database, although researchers also found previously unregistered information. Network security experts agree that this information was widely circulated through various forums before it was discovered by Hunt.

“Obviously the huge amount of leaked data represents a greater number of people possibly affected,” Hunt said. “The more information the cybercriminals have available, the more likely they are to succeed in their malicious campaigns”.

According to researchers, the compromised information could be used primarily to deploy credential stuffing attacks, which consist of using automated scripts to test thousands of username/password combinations on a website. These attacks are often successful against users who reuse the same access codes for different services.

“Massive data breaches, as in the ‘Collection #1’ case, increase the traffic of bots on the login screens of multiple websites, because the hackers ride through enormous lists of stolen passwords”, mentions the network security expert Rami Essaid. “Any person or organization that uses login pages could become the next victim of a data breach”.

Abine exposes nearly 3 million users’ information
https://www.securitynewspaper.com/2019/01/04/abine-exposes-nearly-3-million-users-information/
Fri, 04 Jan 2019 00:09:49 +0000


The password manager service exposed the data due to a poorly configured online bucket

Abine, developer of Blur, the password management service, has recently issued a security notice in which it reports that a file containing users’ sensitive data was exposed due to an oversight, report cybersecurity specialists from the International Institute of Cyber Security.

The exposed information was identified on September 13th, after Abine found a file with email addresses, information on the IP addresses used by its clients to log into Blur, as well as encrypted information related to users’ passwords. Apparently, this file had been exposed since January 6th, 2018.

The main job of the Blur service is to ensure and enhance its users’ Internet privacy, offering password management as well as payment card, email address and phone number protection and masking. For its part, Abine is responsible for hashing passwords using bcrypt with a unique salt for each user. It is these salted bcrypt hashes, rather than the real passwords, that were present in the company’s exposed file, according to cybersecurity experts.

However, this password-related information could help an attacker gain access to any online account protected by these services if the user has linked those services using the same email address. According to the security alert published by Abine, so far there is no evidence that any user’s sensitive data has been compromised.

“We believe that the data of our users remain secured. There is no evidence suggesting that the data stored in Blur (protected payment cards, email and phones) have been compromised,” mentions a post on the Abine blog.

Cybersecurity experts point out that Abine has not provided further details about the incident, such as the exact number of victims or how the bucket was exposed in the first place. Early research suggests that a misconfigured Amazon S3 bucket contained the exposed file, and that data from about 2.4 million users would have been exposed during the incident.

This incident is a hard blow to Abine, because password management services are considered a more reliable way to manage a large number of access keys for different services without the need to memorize different keys or reuse the same password on every platform, acting as an additional security layer. As a security measure, the company suggests that its users enable two-factor authentication (2FA) and, if possible, reset all their passwords.

Thousands of Orange routers are leaking WiFi passwords
https://www.securitynewspaper.com/2018/12/26/thousands-of-orange-routers-are-leaking-wifi-passwords/
Wed, 26 Dec 2018 23:45:41 +0000


This flaw would allow hackers to perform various malicious activities

Cybersecurity and ethical hacking experts from the International Institute of Cyber Security report that a critical vulnerability present in about 20k routers from the manufacturer Orange has resulted in SSIDs and WiFi passwords being leaked. In addition to the devices leaking information, over 2k routers have been classified as exposed to Internet attacks.

The company’s honeypots detected for the first time the attack traffic directed at Orange Livebox ADSL modems. After conducting a search on Shodan, cybersecurity expert Troy Mursch found that 19,490 devices of this type leaked their WiFi credentials in plain text.

According to the expert’s report, many of the devices that showed this WiFi password leak use the same access keys for device administration, or even lack an admin-set password at all, so attackers find the default passwords very easily.

“The vulnerability would allow a remote attacker to access the compromised router and modify the device or firmware settings. In addition, attackers could get the phone number linked to the router and perform other hacking or social engineering activities,” said the cybersecurity expert.

According to Mursch’s report, most of the compromised routers are in Spain; in addition, the attack traffic has also been linked to an IP address associated with a client of the company Telefónica España.

“At the moment we do not know the reasons for the attack, although we find it interesting to discover that the source is in a nearby location, even though we thought it was a malicious actor in another country,” the expert mentioned. “This could allow attackers to connect to the WiFi network if they were closer to one of the indexed modems in the search on Shodan”.

The vulnerability, tracked as CVE-2018-20377, is already being investigated by Orange. Further reports from the company are expected over the next few days. For many cybersecurity experts, most home routers remain an important vector for deploying cyberattacks due to their limited security measures, so hackers can use these devices to build huge botnets. Recently, a group of researchers discovered a botnet composed of more than 100k compromised devices, mainly home routers.

A new WiFi hacking method for WPA/WPA2
https://www.securitynewspaper.com/2018/12/11/a-new-wifi-hacking-method-for-wpa-wpa2/
Tue, 11 Dec 2018 00:39:46 +0000


A specialist has found a new way to crack passwords on most modern routers

The cybersecurity and digital forensics expert Jens “Atom” Steube, known for having developed Hashcat, the popular password cracking tool, returns to the scene with a new WiFi hacking method that allows finding the password for most currently used routers.

According to reports from specialists in digital forensics from the International Institute of Cyber Security, this attack technique works against the WPA/WPA2 wireless network protocols when roaming functions based on the Pairwise Master Key Identifier (PMKID) are enabled. Steube discovered this attack variant while conducting research on the WPA3 WiFi security protocol.

The technique allows attackers to retrieve Pre-Shared Keys (PSK) and use them to hack the targeted WiFi network, thereby accessing the victim’s Internet traffic.

However, it differs from other WiFi hacking techniques: this attack does not require capturing a complete four-way EAPOL (Extensible Authentication Protocol over LAN) authentication handshake. According to specialists in digital forensics from the International Institute of Cyber Security, this attack is carried out on the Robust Security Network Information Element (RSN IE) of a single EAPOL frame, after requesting it from the access point.

“This attack variant was discovered incidentally while we were looking for ways to attack the new WPA3 security standard. On the other hand, hacking this new standard would be much more complex because of its modern key-setting protocol known as Simultaneous Authentication of Equals (SAE),” the expert mentioned.

According to Steube, the main difference between this new method and the rest of the known attacks is that this attack does not require capturing the complete EAPOL handshake, because “it is done in the RSN IE element of a single EAPOL frame”.

The RSN protocol allows secure communications to be established over 802.11 wireless networks. It uses the PMKID to establish a connection between a client and an access point. According to the expert’s report, the attack is carried out as follows:

  • Run hcxdumptool to request the PMKID from the access point and write the received frame to a file (in pcapng format):

$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status

  • Run the hcxpcaptool tool to convert the captured data from pcapng format to a hash format accepted by Hashcat:

$ ./hcxpcaptool -z test.16800 test.pcapng

  • Start the Hashcat cracking tool (v4.2.0 or later) and crack the hash. The hash mode to use is 16800:

$ ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

This will recover the password of the victim’s WiFi network. Steube points out that he does not know exactly how many routers this attack works against, but he believes that it could work against all 802.11 i/p/q/r WiFi networks with roaming capabilities enabled. “In other words, the attack would work against most modern routers,” adds Steube.

Thousands of PCs infected with new ransomware variant in China
https://www.securitynewspaper.com/2018/12/06/thousands-of-pcs-infected-with-new-ransomware-variant-in-china/
Thu, 06 Dec 2018 00:56:11 +0000


A new malware variant has been discovered in China; this malicious program has infected over 100k devices in less than a week

Digital forensics specialists from the International Institute of Cyber Security report that a new variant of ransomware is quickly spreading in China. So far, the infection has already reached over 100k computers in the past four days via a supply chain attack; the number of infected computers keeps growing by the hour.

What keeps attracting the attention of the cybersecurity community is that, unlike other malware variants, this new ransomware does not demand a ransom payment in Bitcoin. Instead, the hackers demand that victims pay 110 yen (about $16 USD), a sum that must be transferred through WeChat Pay, the payment function of the most widely used messaging service in China.

Password theft

So far, the evidence suggests that this malicious program has only affected users in China, unlike similar outbreaks such as WannaCry or NotPetya. In addition, this malware seems to have an additional password theft feature targeting credentials used in services such as Alipay, Taobao, Tmall, AliWangWang and QQ. Apparently the ransomware steals access credentials for these platforms and sends them to a remote server.

According to reports of a China-based digital forensics firm, the operators of this campaign managed to deploy their attack by injecting malicious code into the EasyLanguage programming software, used by most of the app developers in China.

This program, modified for malicious purposes, injected the ransomware’s code into every app and software product compiled with EasyLanguage, making the virus spread incredibly quickly.

Over 100k users in China who installed any of the infected programs are now in a compromised situation. This ransomware strain has been shown to encrypt all files on the infected system, except for files with gif, exe and tmp extensions.

Stolen digital signatures

To evade antivirus solutions, the hackers signed the malicious code with a seemingly legitimate digital signature from Tencent Technologies, and they avoid encrypting files in specific directories, such as Tencent Games, League of Legends, tmp, rtl and program.

According to experts in digital forensics, once the ransomware encrypts the user’s files, a text file appears demanding that the user pay 110 yen to the WeChat account linked to the malicious software. The attackers state that the user has only a three-day deadline to make the payment and receive the keys to restore their files. If the ransom is not paid within the time set by the attackers, the program automatically deletes the encryption key from a remote server.

According to the collected evidence, the ransom note claims that the files have been encrypted using the DES encryption algorithm, but in fact the data is encrypted using an XOR cipher, a much weaker one; moreover, the malware stores a copy of the encryption key on the victim’s system at the following location:

%user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg

Thanks to this information, a decryption tool is already in development. In addition, after receiving reports of this attack campaign, WeChat suspended the account in which the attackers were receiving the ransom payments.

Is ‘admin’ password leaving your IoT device vulnerable to cyberattacks?
https://www.securitynewspaper.com/2017/04/26/admin-password-leaving-iot-device-vulnerable-cyberattacks/
Wed, 26 Apr 2017 15:07:59 +0000

Internet-connected devices in your home or office will be vulnerable to botnets and other attacks, if you don’t change the original login credentials.

Stuffed toys database left personal data exposed, says security expert
https://www.securitynewspaper.com/2017/02/28/stuffed-toys-database-left-personal-data-exposed-says-security-expert/
Tue, 28 Feb 2017 16:33:47 +0000

Internet of Things database containing personal information was indexed by Shodan search engine.

The database behind an internet-connected cuddly toy exposed the account information of over 800,000 users, while a database of over 2 million voice recordings of children and their parents was stored in a way which left them easily searchable on the internet.

Email addresses of over 820,000 users of the CloudPets were stored in a MongoDB database within a publicly facing network segment, which could be searched without any authentication by using the Shodan IoT search engine, according to the report from cybersecurity researcher Troy Hunt.

Many of the passwords for the CloudPets accounts were easily crackable because no rules for password strength were enforced, meaning they could be just one character long. As Hunt points out, even the company’s own ‘Getting Started’ video features a weak password — just ‘qwe’, a three character sequence made up of keys next to each other on a keyboard.

Many CloudPets users had mimicked the video, selecting ‘qwe’ as their password. Other poor passwords included ‘qwerty’, ‘password’, and ‘123456’.

Hunt said it was possible to access voice recordings from a database of 2.2 million files, exposing the conversations children and their parents had with the toys to strangers online.

“The services sitting on top of the exposed database are able to point to the precise location of the profile pictures and voice recordings of children,” said Hunt.

Despite cybersecurity researchers pointing out these flaws, Spiral Toys, which makes the CloudPet toys, denied that security was compromised.

“Were voice recordings stolen? Absolutely not,” Spiral Toys CEO Mark Myers told Network World. However, he did concede that the company should improve the password policy for CloudPets. “Maybe our solution is to put more complex passwords,” he said.

It’s not the first time toy manufacturers have been criticised for poor internet security in their products; just two weeks ago, German regulators warned that the My Friend Cayla doll could compromise the privacy of children.

Source: https://www.zdnet.com/
