Miscreants sweep internet for unpatched Cisco kit, fears over bugged Chinese parts, Roger Stone nabbed...

...PHP's PEAR sabotaged for months, and more from the world of infosec

siren

Roundup This week we saw Hadoop hacks, Exchange exploits, and Deadpool besting scammers.

Here's some more computer security news to round off your week...

Alarms sounded over incoming Cisco attacks

Earlier this week, Cisco cleaned up a series of security flaws in its routers. Now, admins are being urged to apply those fixes as soon as possible now that exploits for two flaws in particular are public.

A security dev going by the name of David Davidson has provided proof-of-concept code that leverages a data-disclosure vulnerability (CVE-2019-1653) in the RV320 WAN router, and extracts various configuration files and other information from the machine. You don't have to be authenticated, you just have to be able to reach the router's web-based management portal. This is useful for checking whether or not a device is vulnerable, and whether Cisco's patch actually works.

The code also achieves remote code execution as root on the router (exploiting CVE-2019-1652) if you know any valid login creds for the box. You can always try to crack the passwords fetched via the info-disclosure bug, or brute-force or guess them.

What's more, botnet watcher Troy Mursch has spotted miscreants scanning the public internet for vulnerable RV320 routers. This means we now have both working exploits and people trying to find vulnerable devices.

If you're an admin at a company running one or more of these Cisco WAN routers, you will want to make sure all of the boxes have the latest patches installed, and you should probably do it ASAP.

Adobe Experience Manager gets patched up

While not as prominent as other products like Create Cloud or Flash, Adobe's Experience Manager is a well-used CMS and forms platform. So anyone running it will want to make sure they have installed the patches Adobe posted earlier this week.

The update patches up cross-site scripting and information disclosure flaws in Experience Manager and one cross-site scripting vulnerability in Experience Manager Forms. Updating to the latest version will apply all of the needed patches.

Credit for discovering the Forms bug was given to researcher Adam Willard.

In brief... Millions of loan and mortgage documents were accidentally exposed to the public internet via a poorly secured database, TechCrunch reports. The system has since been secured.

The PHP Extension and Application Repository (PEAR) was hacked, and go-pear.phar was maliciously tampered with. Anyone who downloaded that software manager between July 2018 and January 2019 may have fetched a poisoned version. "If you have downloaded this go-pear.phar in the past six months, you should get a new copy of the same release version from GitHub (pear/pearweb_phars) and compare file hashes. If different, you may have the infected file," the PEAR team warned this week.

Google has removed two programs from its Android Play Store – Currency Converter and BatterySaverMobi – that contained online-bank-account-raiding Trojan Anubis. Interestingly, the malware also detects the phone's motion sensors for movement: if any is detected, it continues on, and if not, then it figures it's being analyzed in an emulator, and kills itself.

Girl Scouts and HPE to offer cyber-security merit badge

HPE is going to be teaching Girl Scouts how to manage an entirely new type of cookie, as the enterprise tech giant announced this week it would work with the young women's group to offer a new cybersecurity badge.

The patch will be offered through the Girl Scout Juniors (age 9-11) program and will be focused on how scouts can protect themselves online and steer clear of identity theft and financial fraud schemes.

"Girls are going online earlier and earlier, and it’s especially crucial that they are equipped with the knowledge and tools they need to be savvy consumers, to protect themselves, their identity and data," said CEO Lidia Soto-Harmon of Girl Scouts Nation's Capital.

In addition to the patch, the Girl Scouts and HPE are going to develop an online game that centers around how to deal with online scams and privacy protection.

Washington DC worries over bugged Chinese rail cars

Security paranoia is nothing new in the US capital, but this latest episode of infosec scrutiny might be a bit much even for Washington, DC.

A report from NextGov examines how Senators have become concerned that the planned overhaul of the District's metro rail system with new carriages could put national security at risk.

Four Senators have signed a letter asking the head of the Washington Metropolitan Area Transit Authority to develop a plan to make sure that the agency does not end up purchasing cars from Chinese companies that might be bugged by that country's government.

The agency is reportedly planning to amend its request for proposals to include a requirement that the cars be built to NIST information security standards.

National intelligence advisers urge US to push hard on cybersecurity

While it is no secret that the US government is trying to improve its cybersecurity protections and practices, a key report this week signaled an even greater urgency is needed.

The National Intelligence Service has released its first report in four years on the US security threat landscape, and cyber looks to be a top priority.

For the first time the report places cybersecurity intelligence alongside areas like counterterrorism and counterintelligence, a signal that, at least as far as intelligence officials are concerned, data protection is now every bit as important as securing physical securities and guarding against spies.

"We face significant changes in the domestic and global environment; we must be ready to meet 21st century challenges and to recognize emerging threats and opportunities," the report reads.

"To navigate today’s turbulent and complex strategic environment, we must do things differently."

Trump man hauled in on charges of WikiLeaks dealing

A key figure in Donald Trump's presidential run has been cuffed and accused by the FBI of lying to Congress about the campaign's use of stolen Democratic party emails to derail rival Hillary Clinton's bid for the White House.

Roger Stone was cuffed early Friday morning after being indicted on seven charges related to the ongoing Mueller probe into the 2016 White House race. Specifically, he was charged with one count of obstruction of an official proceeding, five counts of false statements, and one count of witness tampering.

Among the allegations is the claim that Stone was part of the chain of intelligence between the Trump administration and WikiLeaks, which allegedly obtained sensitive Democratic party documents from Russian agents. Those documents – emails lifted from the Clinton campaign and DNC by Kremlin hackers – were credited with helping, in part, Trump win the 2016 election.

It should be noted that WikiLeaks has categorically denied the emails came from Russia. Stone denies any wrongdoing.

CitizenLab creeped out by government surveillance

Digital rights and research group CitizenLab says it has been the target of surveillance, possibly from the shadowy Israeli digital intelligence firm NSO Group.

The research foundation revealed on Friday that two of its investigators had been approached by people who were trying to collect sensitive personal information by creating fake companies and identities. On both occasions, CitizenLab said, it sniffed out the operations and confronted the individuals.

While Citizen Lab says it can't definitively tie the operation to NSO Group, it has a pretty strong hunch the company is in some way connected. Researchers were asked about antisemitism at the non-profit and whether this would have sparked interest in investigations.

"This failed operation against two Citizen Lab researchers is a new low. Citizen Lab research is public, and the evidence that we use to draw our conclusions is public as well," CitizenLab said.

"We have always welcomed debate and dialogue about our work, but we condemn these sinister, underhanded activities in the strongest possible terms. Such a deceitful attack on an academic group like the Citizen Lab is an attack on academic freedom everywhere." ®

Sponsored: Becoming a Pragmatic Security Leader




Biting the hand that feeds IT © 1998–2019