NEWS - December 19, 2014

Dec 19, 2014 1:37AM PST
12 million home and business routers vulnerable to critical hijacking hack

More than 12 million routers in homes and small offices are vulnerable to attacks that allow hackers anywhere in the world to monitor user traffic and take administrative control over the devices, researchers said.

The vulnerability resides in "RomPager" software, embedded into the residential gateway devices, made by a company known as AllegroSoft. Versions of RomPager prior to 4.34 contain a critical bug that allows attackers to send simple HTTP cookie files that corrupt device memory and hand over administrative control. Attackers can use that control to read plaintext traffic traveling over the device and possibly take other actions, including changing sensitive DNS settings and monitoring or controlling Web cams, computers, or other connected devices.

Researchers from Check Point's malware and vulnerability group have dubbed the bug Misfortune Cookie, because it allows hackers to determine the "fortune" of an HTTP request by manipulating cookies. They wrote:

Continued : http://arstechnica.com/security/2014/12/12-million-home-and-business-routers-vulnerable-to-critical-hijacking-hack/

Related :
12 Million Home Routers Vulnerable to Takeover
Critical flaw on over 12M routers allows device hijacking, network compromise

Researchers discover a flaw that could let anyone listen ..
Dec 19, 2014 1:49AM PST
German researchers discover a flaw that could let anyone listen to your cell calls

German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale - even when cellular networks are using the most advanced encryption now available.

The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world's cellular carriers to route calls, texts and other services to each other. Experts say it's increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world's billions of cellular customers.

The flaws discovered by the German researchers are actually functions built into SS7 for other purposes - such as keeping calls connected as users speed down highways, switching from cell tower to cell tower - that hackers can repurpose for surveillance because of the lax security on the network.

Continued : http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/
Apple, Microsoft, GitHub Release Updates to Fix Critical ..
Dec 19, 2014 1:49AM PST
... Git Vulnerability

The distributed revision control system Git is affected by a serious vulnerability that could be exploited by an attacker to execute arbitrary commands and take over a developer's machine.

The flaw (CVE-2014-9390) affects all versions of the official Git client and related software that interacts with Git repositories. Git 2.2.1 has been released to address the issue, but updates have also been made available for older maintenance tracks (1.8.5.6, 1.9.5, 2.0.5, 2.1.4).

The vulnerability, which affects users running Windows and Mac OS X, was discovered by the developers of the cross-platform, distributed revision control tool Mercurial. They initially identified the security hole in Mercurial, but after further investigation, they determined that Git is affected as well.

Continued: http://www.securityweek.com/apple-microsoft-github-release-updates-fix-critical-git-vulnerability

Related:
Critical Git flaw allows attackers to compromise developers' machines
Critical Git bug allows malicious code execution on client machines
New Zeus variant targets users of 150 banks
Dec 19, 2014 1:50AM PST

A new variant of the infamous Zeus banking and information-stealing Trojan has been created to target the users of over 150 different banks and 20 payment systems in 15 countries, including the UK, the US, Russia, Spain and Japan.

Chthonic, as the variant has been named by Kaspersky Lab researchers, shares a lot of similarities with previous Zeus variants.

"... Delivered via spam emails or downloaded via downloader malware already installed on the victims' machine, once installed Chthonic gets in touch with and identifies itself to a C&C server, from which it receives an extended loader with additional information, modules, a configuration file, etc.:"

"Web injections are Chthonic's main weapon: they enable the Trojan to insert its own code and images into the code of pages loaded by the browser. This enables the attackers to obtain the victim's phone number, one-time passwords and PINs, in addition to the login and password entered by the victim," the researchers explained.

Continued : http://www.net-security.org/malware_news.php?id=2934

Misfortune Cookie: The Hole in Your Internet Gateway
Dec 19, 2014 2:29AM PST

[Related to the first post "12 million home and business routers vulnerable to critical hijacking hack"]

From the Check Point Research Group:

What is the Misfortune Cookie vulnerability?

Misfortune Cookie is a critical vulnerability that allows an intruder to remotely take over a residential gateway device and use it to attack the devices connected to it.

Researchers from Check Point's Malware and Vulnerability Research Group recently uncovered this critical vulnerability present on millions of residential gateway (SOHO router) devices from different models and makers. It has been assigned the CVE-2014-9222 identifier. This severe vulnerability allows an attacker to remotely take over the device with administrative privileges.

How many devices are affected?
To date, researchers have distinctly detected at least 12 million readily exploitable devices connected to the Internet across the globe, making this one of the most widespread vulnerabilities revealed in recent years.

How does it affect me?
If your gateway device is vulnerable, then any device connected to it - including computers, phones, tablets, printers, security cameras, refrigerators, toasters or any other networked device in your home or office network - may have increased risk of compromise. An attacker exploiting the Misfortune Cookie vulnerability can easily monitor your Internet connection, steal your credentials and personal or business data, attempt to infect your machines with malware, and over-crisp your toast.

Is it that bad?
Yes.

Which models are affected? Am I affected?

Continued : http://www.checkpoint.com/blog/fortune-cookie-hole-internet-gateway/

FBI: North Korea to Blame for Sony Hack
Dec 19, 2014 4:24AM PST

The FBI today said it has determined that the North Korean government is responsible for the devastating recent hack attack against Sony Pictures Entertainment. Here's a brief look at the FBI's statement, what experts are learning about North Korea's cyberattack capabilities, and what this incident means for other corporations going forward.

In a statement released early Friday afternoon, the FBI said that its investigation — along with information shared by Sony and other U.S. government departments and agencies — found that the North Korean government was responsible.

The FBI said it couldn't disclose all of its sources and methods, but that the conclusion was based, in part, on the following:

Continued : http://krebsonsecurity.com/2014/12/fbi-north-korea-to-blame-for-sony-hack/

Staples: 6-Month Breach, 1.16 Million Cards
Dec 19, 2014 9:22AM PST

Office supply chain Staples Inc. today finally acknowledged that a malware intrusion this year at some of its stores resulted in a credit card breach. The company now says some 119 stores were impacted between April and September 2014, and that as many as 1.16 million customer credit and debit cards may have been stolen as a result.

KrebsOnSecurity first reported the suspected breach on Oct. 20, 2014, after hearing from multiple banks that had identified a pattern of credit and debit card fraud suggesting that several Staples office supply locations in the Northeastern United States were dealing with a data breach. At the time, Staples would say only that it was investigating "a potential issue" and had contacted law enforcement.

In a statement issued today, Staples released a list of stores (PDF) hit with the card-stealing malware, and the stores are not limited to the Northeastern United States.

Continued : http://krebsonsecurity.com/2014/12/staples-6-month-breach-1-16-million-cards/