(credit: Shadow Brokers)

In what security experts say is either a one-of-a-kind breach or an elaborate hoax, an anonymous group has published what it claims are sophisticated software tools belonging to an elite team of hackers tied to the US National Security Agency.

In a recently published blog post, the group calling itself Shadow Brokers claims the leaked set of exploits were obtained after members hacked Equation Group (the post has since been removed from Tumblr, but a cached version here was still available as this post was going live). Last year, Kaspersky Lab researchers described Equation Group as one of the world's most advanced hacking groups, with ties to both the Stuxnet and Flame espionage malware platforms. The compressed data accompanying the Shadow Broker post is slightly bigger than 256 megabytes and purports to contain a series of hacking tools dating back to 2010. While it wasn't immediately possible for outsiders to prove the posted data—mostly batch scripts and poorly coded python scripts—belonged to Equation Group, there was little doubt the data have origins with some advanced hacking group.

Not fully fake

"These files are not fully fake for sure," Bencsáth Boldizsár, a researcher with Hungary-based CrySyS who is widely credited with discovering Flame, told Ars in an e-mail. "Most likely they are part of the NSA toolset, judging just by the volume and peeps into the samples. At first glance it is sound that these are important attack related files, and yes, the first guess would be Equation Group."


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(credit: Ron Amadeo)

An estimated 80 percent of Android phones contain a recently discovered vulnerability that allows attackers to terminate connections and, if the connections aren't encrypted, inject malicious code or content into the parties' communications, researchers from mobile security firm Lookout said Monday.

As Ars reported last Wednesday, the flaw first appeared in version 3.6 of the Linux operating system kernel, which was introduced in 2012. In a blog post published Monday, Lookout researchers said that the Linux flaw appears to have been introduced into Android version 4.4 (aka KitKat) and remains present in all future versions, including the latest developer preview of Android Nougat. That tally is based on the Android install base as reported by statistics provider Statista, and it would mean that about 1.4 billion Android devices, or about 80 percent of users, are vulnerable.

"The tl;dr is for Android users to ensure they are encrypting their communications by using VPNs, [or] ensuring the sites they go to are encrypted," Lookout researcher Andrew Blaich told Ars. "If there's somewhere they're going to that they don't want tracked, always ensure they're encrypted."



(credit: HEI Hotels & Resorts)

The chain that owns Starwood, Marriott, Hyatt, and Intercontinental hotels—HEI Hotels & Resorts—said this weekend that the payment systems for 20 of its locations had been infected with malware that may have been able to steal tens of thousands of credit card numbers and corresponding customer names, expiration dates, and verification codes. HEI claims that it did not lose control of any customer PINs, as they are not collected by the company’s systems.

Still, HEI noted on its website that it doesn’t store credit card details either. “We believe that the malware may have accessed payment card information in real-time as it was being inputted into our systems,” the company said.

The breach appears to have hit 20 HEI Hotels, and in most cases, the malware appears to have been active from December 2, 2015 to June 21, 2016. In a few cases, hotels may have been affected as early as March 1, 2015. According to a statement on HEI’s website, the malware affected point-of-sale (POS) terminals at the affected properties, but online booking and other online transactions were not affected.



I was trolling through the readme: Plan security settings for VBA macros in Office 2016

A quick check immediately followed: I don't see any new registry keys that allow this control. HKCU\Software\Microsoft\Office\15.0\Word\Security shows only the previous Trusted Documents and Trusted Locations branches. No problem though; it's very common for registry keys to not be present until you add them (a missing key is a default value).

Also, and more importantly, there are no corresponding updates to the Office 2013 ADMX files, so you won't be seeing any new settings in your group policy screen for Office 2013.

You can (and should) put these macro limit controls in for Office 2016, but as far as I can see, that's an entirely different branch in both Group Policy and in the Registry. Office 2013 apps won't read Office 2016 settings, and vice versa. So the Office 2013 settings you had 30 days ago are still the only ones that are easy to get to.

It's great to see where Microsoft is going with this, but I think we

Disable all without notification: If you don't use macros in your organization, disable them and DON'T give your users the ability to bypass this setting.
Disable all except digitally signed macros: This is a more complex route - you'll need to sign all docs with macros in them. This isn't such a big deal really though - most organizations with macros have either static code, or a small number of macros maintained by a small number of people. In addition, most of us have private CA servers now for our wireless infrastructure.
So to go forward with signed macros, what's required in advance is some training for your 2 or 3 macro authors on how to sign their code (or do it for them if changes are very seldom).

Office 2016 has these settings, as well as Block Macros from running in Office files from the Internet. This one is essentially the easy button that will shut down lots of the ransomware infections we're seeing these days.

I'm waiting with anticipation for this same easy button in GPO for Office 2013 to match this update (and Office 2016)! If it doesn't come, I might write one and post it here (I really hope it doesn't come to that though).

Rob VandenBrink
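The diary's two points, that Office 2013 (15.0) and Office 2016 (16.0) keep separate registry branches and that a missing value simply means the built-in default applies, are easy to check on a workstation. The audit script below is an added example, not part of the diary and not Microsoft's code: it reads the VBAWarnings value (the Trust Center macro setting) and the blockcontentexecutionfrominternet value (the "block macros from the Internet" setting, which the diary notes only Office 2016 offers) from both the Group Policy hive (HKCU\Software\Policies\...) and the user hive (HKCU\Software\Microsoft\...) for Word, Excel and PowerPoint, and reports "default" wherever neither hive has the value. The value names and the policy-hive path are the documented ones; the Office default for an absent VBAWarnings value (disable all macros with notification, value 2) is stated here as an assumption from the Trust Center defaults, and the report layout is this example's own.

```powershell
# Added example (not from the ISC diary): audit the effective VBA macro setting per
# Office version and app, reading the GPO hive first and the user hive second, and
# treating an absent value as the Office default, exactly as the diary describes.

$Versions = [ordered]@{ '15.0' = 'Office 2013'; '16.0' = 'Office 2016' }
$Apps     = @('Word', 'Excel', 'PowerPoint')

# Documented meanings of the VBAWarnings DWORD (Trust Center > Macro Settings).
$VbaWarningsMeaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed'
    4 = 'Disable all macros without notification'
}

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist; Office then applies its default.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-MacroPolicyReport {
    foreach ($ver in $Versions.Keys) {
        foreach ($app in $Apps) {
            # Office 2013 and Office 2016 live in different branches; neither reads the other's.
            $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            $userKey   = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"

            # A GPO-written value takes precedence over the user's own Trust Center choice.
            $source = 'policy'
            $vba = Get-RegDword -Path $policyKey -Name 'VBAWarnings'
            if ($null -eq $vba) { $source = 'user';    $vba = Get-RegDword -Path $userKey -Name 'VBAWarnings' }
            if ($null -eq $vba) { $source = 'default'; $meaning = 'not set (assumed Office default: disable with notification)' }
            else {
                $meaning = $VbaWarningsMeaning[$vba]
                if (-not $meaning) { $meaning = "unrecognised value $vba" }
            }

            # Office 2016 "Block macros from running in Office files from the Internet".
            $blockInet = Get-RegDword -Path $policyKey -Name 'blockcontentexecutionfrominternet'
            if ($null -eq $blockInet) { $blockInet = Get-RegDword -Path $userKey -Name 'blockcontentexecutionfrominternet' }
            if ($null -eq $blockInet)  { $blockState = 'not set' }
            elseif ($blockInet -eq 1)  { $blockState = 'enabled' }
            else                       { $blockState = "value $blockInet" }

            [pscustomobject]@{
                Office        = $Versions[$ver]
                App           = $app
                VBAWarnings   = $vba
                Source        = $source
                Meaning       = $meaning
                BlockInternet = $blockState
            }
        }
    }
}

# Rows showing Source = 'default' are the ones the diary is talking about: nothing in the
# registry yet, so whatever Office ships with is what the user gets.
Get-MacroPolicyReport | Format-Table -AutoSize
```

Run it in the user's own session (the keys are under HKCU, so an elevated prompt running as a different account will show that account's settings, not the user's). A row with Source = 'user' and VBAWarnings = 1 is the case worth chasing, since it means someone has lowered the Trust Center setting by hand and no policy is present to override it.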


Taser Axon Dock (Body-Worn Camera Docking Station) v3.1 - Authentication Bypass

LAS VEGAS—On a raised floor in a ballroom at the Paris Hotel, seven competitors stood silently. These combatants had fought since 9:00am, and nearly $4 million in prize money loomed over all the proceedings. Now some 10 hours later, their final rounds were being accompanied by all the play-by-play and color commentary you'd expect from an episode of American Ninja Warrior. Yet, no one in the competition showed signs of nerves.

To observers, this all likely came across as odd—especially because the competitors weren't hackers, they were identical racks of high-performance computing and network gear. The finale of the Defense Advanced Research Projects Agency's Cyber Grand Challenge, a DEFCON game of "Capture the Flag," is all about the "Cyber Reasoning Systems"(CRSs). And these collections of artificial intelligence software armed with code and network analysis tools were ready to do battle.

Inside the temporary data center arena, referees unleashed a succession of "challenge" software packages. The CRSs would vie to find vulnerabilities in the code, use those vulnerabilities to score points against competitors, and deploy patches to fix the vulnerabilities. Throughout the whole thing, each system had to also keep the services defined by the challenge packages up and running as much as possible. And aside from the team of judges running the game from a command center nestled amongst all the compute hardware, the whole competition was untouched by human hands.


Stash v1.0.3 CMS - SQL Injection Vulnerability
PayPal Inc BB #127 - 2FA Bypass Vulnerability
OpenCart Cross Site Scripting Vulnerability (product_id - GET)
Linksys E1200 and E2500 (Missing authorization on parental control)
Linksys E2500 and E1200 (Unauth Command Injection)
Reflected Cross Site Scripting (XSS) Vulnerability in nopcommerce 3.70
[SECURITY] [DSA 3648-1] wireshark security update
WSO2 IDENTITY-SERVER v5.1.0 XML External-Entity