Account recovery programs like this one from United Airlines pose a significant threat to users. (credit: Dan Goodin)

Facebook is unveiling a new service that remedies one of the biggest headaches facing online users today—the forgotten password.

Starting Tuesday, Facebook will offer a service that allows users who lose their GitHub login credentials to securely regain access to their accounts. The process takes only seconds and a handful of clicks, all over HTTPS. To set it up, Facebook users create a GitHub recovery token in advance and save it with their Facebook account. If they later lose their GitHub login credentials, they reauthenticate to Facebook and ask for the token to be sent to GitHub with a time-stamped signature. The token is encrypted, so Facebook can't read any of the personal information it stores. Once GitHub has verified the signed request, it restores the account. Apart from Facebook's assertion that the person recovering the GitHub account is the same person who saved the token, Facebook and GitHub share no personal information about the user.
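The exchange described above, as an added example that is not Facebook's or GitHub's code: the recovery provider (GitHub) issues a signed token whose user data is encrypted, so the account provider (Facebook) stores only an opaque blob; on recovery Facebook countersigns the saved token with a timestamp after the user re-authenticates, and GitHub checks that countersignature, its freshness, its own signature on the token and replay before restoring access. Assumptions: HMAC-SHA256 over constructed shared keys stands in for the public-key signatures the real protocol uses, a toy SHA-256 keystream with encrypt-then-MAC stands in for a real AEAD, the 300-second window and single-use token IDs are this example's own choices, and all field, party and function names are illustrative.

```python
import hashlib, hmac, json, secrets, time

# Constructed demo keys (assumption): HMAC over pre-shared keys stands in for
# the public-key signatures each party would publish in the real protocol.
GITHUB_SIGN_KEY = secrets.token_bytes(32)    # recovery provider signs tokens it issues
GITHUB_ENC_KEY = secrets.token_bytes(32)     # recovery provider encrypts the user identity
FACEBOOK_SIGN_KEY = secrets.token_bytes(32)  # account provider signs the countersignature
COUNTERSIGN_MAX_AGE = 300                    # seconds a countersignature stays acceptable

FACEBOOK_VAULT = {}      # account provider storage: facebook account -> saved token
USED_TOKEN_IDS = set()   # recovery provider replay cache (this example's design choice)

def _canon(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _sign(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def _seal(key, plaintext):
    """Toy encrypt-then-MAC standing in for a real AEAD: nonce || ct || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _sign(key, nonce + ct)

def _open(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _sign(key, nonce + ct)):
        raise ValueError("recovery data tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def github_issue_token(user_id):
    """Step 1 (GitHub): a signed token whose 'data' field only GitHub can read."""
    payload = {"version": 1, "id": secrets.token_hex(16), "issuer": "github",
               "audience": "facebook", "issued": int(time.time()),
               "data": _seal(GITHUB_ENC_KEY, user_id.encode()).hex()}
    return {"payload": payload, "sig": _sign(GITHUB_SIGN_KEY, _canon(payload)).hex()}

def facebook_save_token(fb_account, token):
    """Step 2 (Facebook): keep the token as an opaque blob against the account."""
    if token["payload"]["audience"] != "facebook":
        raise ValueError("token was not issued for this account provider")
    FACEBOOK_VAULT[fb_account] = token

def facebook_countersign(fb_account, reauthenticated, now=None):
    """Step 3 (Facebook): after re-authentication, return the saved token with a
    timestamped signature: Facebook's only assertion about the user."""
    if not reauthenticated:
        raise PermissionError("re-authentication required before recovery")
    token = FACEBOOK_VAULT[fb_account]
    ts = now if now is not None else int(time.time())
    sig = _sign(FACEBOOK_SIGN_KEY, _canon(token) + ts.to_bytes(8, "big"))
    return {"token": token, "timestamp": ts, "sig": sig.hex()}

def github_recover(countersigned, now=None):
    """Step 4 (GitHub): countersignature, freshness, own signature, origin, replay."""
    now = now if now is not None else int(time.time())
    token, ts = countersigned["token"], countersigned["timestamp"]
    expected = _sign(FACEBOOK_SIGN_KEY, _canon(token) + ts.to_bytes(8, "big"))
    if not hmac.compare_digest(bytes.fromhex(countersigned["sig"]), expected):
        raise ValueError("countersignature invalid")
    if not 0 <= now - ts <= COUNTERSIGN_MAX_AGE:
        raise ValueError("countersignature stale or from the future")
    payload = token["payload"]
    own_sig = _sign(GITHUB_SIGN_KEY, _canon(payload))
    if not hmac.compare_digest(bytes.fromhex(token["sig"]), own_sig):
        raise ValueError("token was not issued by GitHub")
    if payload["issuer"] != "github" or payload["audience"] != "facebook":
        raise ValueError("token issuer/audience mismatch")
    if payload["id"] in USED_TOKEN_IDS:
        raise ValueError("token already redeemed")
    USED_TOKEN_IDS.add(payload["id"])
    return _open(GITHUB_ENC_KEY, bytes.fromhex(payload["data"])).decode()

def _rejection(fn, *args):
    # Return the verifier's error message, or None when it accepted the input.
    try:
        fn(*args)
    except ValueError as exc:
        return str(exc)
    return None

def demo():
    """The happy path plus the three cases the recovery provider must refuse."""
    token = github_issue_token("octocat")
    facebook_save_token("alice", token)
    countersigned = facebook_countersign("alice", True)
    stale = facebook_countersign("alice", True, int(time.time()) - 3600)
    forged = dict(countersigned, timestamp=countersigned["timestamp"] + 1)
    return {
        "facebook_sees_user_id": "octocat" in _canon(token).decode(),
        "recovered": github_recover(countersigned),
        "replay": _rejection(github_recover, countersigned),
        "stale": _rejection(github_recover, stale),
        "forged": _rejection(github_recover, forged),
    }
```

The ordering of checks in `github_recover` is the point: the cheap, Facebook-side assertions (signature and timestamp) are verified before GitHub touches its own token, and the encrypted identity is only opened once every check has passed, so a stolen or replayed countersignature never reaches the decrypt step.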

The service is designed to eliminate the hassle and significant insecurity found in most account recovery systems that exist now. One common recovery method involves answering security questions. Many of the questions—for instance, "What is your favorite sport?" and "What is your favorite pizza topping?" asked by United Airlines—are easily guessed. That leaves people susceptible to account takeovers. Other methods, such as delivering security tokens by e-mail or SMS text message, lack the kind of end-to-end encryption that's increasingly expected for secure communications.


Netgear WNR2000 Multiple Security Vulnerabilities
JasPer 'jpc_dec.c' Null Pointer Dereference Denial of Service Vulnerability
JasPer CVE-2016-8883 Denial of Service Vulnerability
CubeCart CVE-2017-2098 Directory Traversal Vulnerability
Huawei OceanStor 5800 CVE-2016-5822 Remote Denial of Service Vulnerability


Networked digital video recorders have been harnessed for all sorts of ill intent over the past few months, including use in a botnet that disrupted large swaths of the Internet. But a different sort of malware hit the DVRs used by the District of Columbia’s closed-circuit television (CCTV) surveillance system just one week before Inauguration Day. The Washington Post reports that 70 percent of the DVR systems used by the surveillance network were infected with ransomware, rendering them inoperable for four days and crippling the city’s ability to monitor public spaces.

The CCTV system, operated by the District’s Metropolitan Police Department and supported by the DC Office of the Technology Officer (OCTO), began to be affected on January 12. Police noticed they could not access video from four DVRs. Washington DC Chief Technology Officer Archana Vemulapalli told the Post that two forms of malware were found on the four systems, and a system-wide sweep discovered additional DVR clusters that were infected.

The infections were confined to the local networks the DVRs ran on; the ransomware did not spread to the District's internal networks. While the investigation is ongoing, the malware most likely got in because each site's DVRs were reachable from the public Internet for remote access. Vemulapalli told the paper no ransom was paid and the system was restored to full functionality before Inauguration Day.


tcpdump Multiple Buffer Overflow Vulnerabilities
[security bulletin] HPESBMU03701 rev.1 - HPE Smart Storage Administrator, Remote Arbitrary Code Execution
Skype for Windows CVE-2016-5720 Untrusted Search Path vulnerability
Zimbra Collaboration Suite CVE-2016-3401 Unspecified Security Vulnerability
ASUS RT-N56U CVE-2017-5632 Unspecified Denial of Service Vulnerability
Sophos Web Appliance CVE-2016-9554 Remote Command Injection Vulnerability
MuJS CVE-2017-5628 Integer Overflow Vulnerability
Artifex MuJS 'mujs/jsrun.c' Integer Overflow Vulnerability
Sophos Web Appliance CVE-2016-9553 Multiple Remote Command Injection Vulnerabilities
Moment.js CVE-2016-4055 Remote Denial of Service Vulnerability
Secunia Research: libarchive "lha_read_file_header_1()" Out-Of-Bounds Memory Access Denial of Service Vulnerability
Piwigo CVE-2017-5608 Cross Site Scripting Vulnerability
IBM BladeCenter Advanced Management Module CVE-2016-8232 Cross Site Scripting Vulnerability
RETIRED: ownCloud DLL Loading Local Code Execution Vulnerability
jwt CVE-2016-7037 Security Bypass Vulnerability
python-jose CVE-2016-7036 Unspecified Security Vulnerability
secuvera-SA-2017-01: Privilege escalation in an OPSI Managed Client environment ("rise of the machines")
libarchive 'lha_read_file_header_1()' Function Memory Corruption Vulnerability

In Diary entry py2exe Decompiling - Part 1 we took a quick look at py2exe files.

How can we identify an .exe file generated by py2exe? A quick test is to check if the PE file has a resource PYTHONSCRIPT. I developed a YARA rule for this.

Of course, this YARA rule only detects that a PE file was created with py2exe. It doesn't identify the sample as malware; there are legitimate py2exe applications too.
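As an added example (not the diary's YARA rule, which is not reproduced here), the same check done by hand in stdlib-only Python: walk the PE headers to the resource directory and look for a named root entry PYTHONSCRIPT, which is the resource type py2exe adds. `build_demo_pe` is a constructed minimal PE32 image that stands in for a real binary so the detector can be exercised offline; the function names are this example's own.

```python
import struct

RESOURCE_TABLE_INDEX = 2  # IMAGE_DIRECTORY_ENTRY_RESOURCE


def _rva_to_offset(rva, sections):
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)


def root_resource_names(pe):
    """Return the named entries of the root (type-level) resource directory."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    # Data directories start at +96 in a PE32 optional header, +112 in PE32+.
    dirs = opt + (96 if magic == 0x10B else 112)
    res_rva, _res_size = struct.unpack_from("<II", pe, dirs + 8 * RESOURCE_TABLE_INDEX)
    if res_rva == 0:
        return []
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    base = _rva_to_offset(res_rva, sections)
    named, _ids = struct.unpack_from("<HH", pe, base + 12)  # IMAGE_RESOURCE_DIRECTORY
    names = []
    for i in range(named):
        name_field = struct.unpack_from("<I", pe, base + 16 + 8 * i)[0]
        # High bit set: the low 31 bits are an offset from the resource base to
        # a length-prefixed UTF-16LE string (IMAGE_RESOURCE_DIR_STRING_U).
        str_off = base + (name_field & 0x7FFFFFFF)
        length = struct.unpack_from("<H", pe, str_off)[0]
        names.append(pe[str_off + 2:str_off + 2 + 2 * length].decode("utf-16-le"))
    return names


def is_py2exe(pe):
    """True when the image carries a PYTHONSCRIPT resource. Not a malware verdict."""
    return "PYTHONSCRIPT" in root_resource_names(pe)


def build_demo_pe(resource_names):
    """Constructed minimal PE32 image (not runnable, not a real py2exe output)
    with one .rsrc section whose root directory holds the given named entries."""
    entries, strings = b"", b""
    str_base = 16 + 8 * len(resource_names)
    for name in resource_names:
        entries += struct.pack("<II", 0x80000000 | (str_base + len(strings)), 0)
        strings += struct.pack("<H", len(name)) + name.encode("utf-16-le")
    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, len(resource_names), 0) + entries + strings
    rsrc_rva, rsrc_raw = 0x2000, 0x400
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * RESOURCE_TABLE_INDEX, rsrc_rva, len(rsrc))
    section = (b".rsrc".ljust(8, b"\0")
               + struct.pack("<IIII", len(rsrc), rsrc_rva, 0x200, rsrc_raw)
               + b"\0" * 12 + struct.pack("<I", 0x40000040))
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(rsrc_raw, b"\0") + rsrc.ljust(0x200, b"\0")
```

On a real sample, read the file with `open(path, "rb").read()` and pass it to `is_py2exe`; the walker looks only at named entries in the root directory, which is exactly where py2exe's PYTHONSCRIPT type lives, so ordinary ID-typed resources (icons, manifests) are skipped.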

As mentioned in part 1, unpy2exe supports Python 2, not Python 3.

For Python 3, you can use program decompile-py2exe.

Please post a comment mentioning the py2exe analysis tools you like to use.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
OpenSSL CVE-2017-3731 Denial of Service Vulnerability
OpenSSL CVE-2016-7056 Local Information Disclosure Vulnerability
[SECURITY] [DSA 3773-1] openssl security update
CVE-2017-3160: Gradle Distribution URL used by Cordova-Android does not use https by default
Multiple blind SQL injection vulnerabilities in FormBuilder WordPress Plugin
Persistent Cross-Site Scripting vulnerability in User Access Manager WordPress Plugin
WordPress Prior to 4.7.2 Multiple Security Vulnerabilities