image
The U.S. Department of Homeland Security Thursday issued an advisory warning people of severe vulnerabilities in over a dozen heart defibrillators that could allow attackers to fully hijack them remotely, potentially putting lives of millions of patients at risk. Cardioverter Defibrillator is a small surgically implanted device (in patients’ chests) that gives a patient’s heart an electric shock (often called a countershock) to re-establish a normal heartbeat. While the device has been designed to prevent sudden death, several implanted cardiac defibrillators made by one of the world’s largest medical device companies Medtronic have been found vulnerable to two serious vulnerabilities. Discovered by researchers from security firm Clever Security, the vulnerabilities could allow threat actors with knowledge of medical devices to intercept and potentially impact the functionality of these life-saving devices. “Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data,” warns the advisory released by DHS. The vulnerabilities reside in the Conexus Radio Frequency Telemetry Protocol—a wireless communication system used by some of Medtronic defibrillators and their control units to wirelessly connect to implanted devices over the air using radio-waves. Flaw 1: Lack of Authentication in Medtronic’s Implantable Defibrillators According to an advisory [PDF] published by Medtronic, these flaws affect more than 20 products, 16 of which are implantable defibrillators and rest are the defibrillators’ bedside monitors and programmers. The more critical flaw of the two is CVE-2019-6538 which occurs because the Conexus telemetry protocol does not include any checks for data tampering, nor performs any form of authentication or authorization. The successful exploitation of this vulnerability could allow an attacker within the radio range of the affected device and right radio gear to intercept, spoof, or modify data transmitting between the device and its controller, which could potentially harm or perhaps even kill the patient. “This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device,” the DHS says. Flaw 2: Lack of Encryption in Medtronic’s Implantable Defibrillators The Conexus telemetry protocol also provides no encryption to secure the telemetry communications, making it possible for attackers within the range to eavesdrop on the communication. This issue has been assigned CVE-2019-6540. However, Medtronic said the vulnerabilities would be hard to take advantage of and harm patients since it requires the following conditions to be met: An unauthorized individual would need to be in close proximity of up to 6 meters (20 feet) to the targeted device or clinic programmer. Conexus telemetry must be activated by a healthcare professional who is in the same room as the patient. Outside of the hospital activation times of devices are limited, which vary patient to patient and are difficult to be predicted by an unauthorized user. The medical technology giant also assures its users that “neither a cyberattack nor patient harm has been observed or associated with these vulnerabilities” to this date. Medtronic also noted that its line of implanted pacemakers, including those with Bluetooth wireless functionality, as well as its CareLink Express monitors and CareLink Encore programmers (Model 29901) used by some hospitals and clinics are not vulnerable to either of these flaws. Medtronic has already applied additional controls for monitoring and responding to the abuse of the Conexus protocol by the affected implanted cardiac devices and is working on a fix to address the reported vulnerabilities. The security fix will soon become available, and in the meantime, Medtronic urged “patients and physicians continue to use these devices as prescribed and intended.”

Source

image
The Department of Homeland Security has issued an emergency alert warning of critical flaws allowing attackers to tamper with several Medtronic medical devices, including defibrillators. The two vulnerabilities – comprised of a medium and critical-severity flaw – exist in 20 products made by the popular medical device manufacturer, including an array of defibrillators and home patient monitoring systems. An update is not yet available for fixing these flaws, Medtronic told Threatpost. The flaws could allow a local attacker to take control of the devices’ functions – and for a product like an implantable cardioverter defibrillator, which is inserted under the skin and shocks patients’ irregular heartbeats into a normal rhythm, that could have dangerous implications. “The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device,” according to the DHS alert. Impacted products include homecare patient monitors, portable computer system used to program cardiac devices, and several specific Medtronic implanted cardiac devices – potentially up to 750,000 devices, according to a report by the Star Tribune. A Medtronic spokesperson stressed that while defibrillators are impacted, the issue does not affect Medtronic pacemakers or insertable cardiac monitors. “Medtronic is conducting security checks to look for unauthorized or unusual activity that could be related to these issues,” the spokesperson told Threatpost. “To date, no cyberattack, privacy breach, or patient harm has been observed or associated with these issues. Medtronic is developing a series of software updates to better secure the wireless communication affected by these issues. The first update is scheduled for later in 2019, subject to regulatory approvals.” The Flaws The vulnerabilities stem from the Conexus telemetry protocol, which does not implement authentication, authorization or encryption for communication – allowing an attacker to easily carry out several attacks, such as viewing or altering sensitive data. The Conexus telemetry protocol is used as part of Medtronic’s remote patient management system. The vulnerabilities specifically are a critical improper access control vulnerability (CVE-2019-6538), which has a CVSS score of 9.3 as it only requires a low skill level to exploit; and a cleartext transmission of sensitive information vulnerability (CVE-2019-6540) which has a CVSS score of 6.5. “Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data,” according to the DHS advisory. The improper access control stems from the fact that the Conexus telemetry protocol utilized in impacted products does not implement authentication or authorization. “This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device,” warned the DHS. In order to exploit the vulnerabilities, an attacker would need a radio frequency device capable of transmitting or receiving Conexus telemetry communication (such as a monitor, programmer, or software-defined radio) and would need short-range access to the vulnerable products. Updates To Come Medtronic has applied additional controls for monitoring and responding to improper use of the Conexus telemetry protocol by the affected implanted cardiac devices – but updates will not be ready until later in 2019. In the meantime, “Medtronic and the FDA recommend that patients and physicians continue to use devices and technology as prescribed and intended, as this provides for the most efficient way to manage patients’ devices and heart conditions,” Medtronic said in a statement. It’s only the latest set of security issues found in medical manufacturer Medtronic. In 2018, a flaw in Medtronic’s CareLink 2090 and CareLink Encore 29901 programmers was discovered allowing remote code implantation over Medtronic’s dedicated Software Deployment Network. At Black Hat 2018, researchers stressed that the healthcare device landscape remains insecure and in need of addressing. “[These attacks] alter how physicians act with patients because they trust technology implicitly,” said Jeff Tully, a pediatrician and anesthesiologist at the University of California Davis at Black Hat. (Image is licensed under the Creative Commons Attribution 3.0 Unported license.)

Source

image
Brace yourself guys. Microsoft is going to release its Windows Defender ATP antivirus software for Mac computers. Sounds crazy, right? But it’s true. Microsoft Thursday announced that the company is bringing its anti-malware software to Apple’s macOS operating system as well—and to more platforms soon, like Linux. As a result, the technology giant renamed its Windows Defender Advanced Threat Protection (ATP) to Microsoft Defender Advanced Threat Protection (ATP) in an attempt to minimize name-confusion and reflect the cross-platform nature of the software suite. But wait, does your Macbook need antivirus protection? Of course! For all those wondering if Mac even gets viruses—macOS is generally more secure than Windows, but in recent years cybercriminals have started paying attention to the Mac platform, making it a new target for viruses, Trojans, spyware, adware, ransomware, backdoors, and other nefarious applications. Moreover, hackers have been successful many times. Remember the dangerous FruitFly malware that infected thousands of Mac computers, the recently discovered cryptocurrency-stealing malware CookieMiner and DarthMiner, and .EXE malware discovered last month? Microsoft Defender ATP Antivirus for Mac Microsoft has now come up with a dedicated Defender ATP client for Mac, offering full anti-virus and threat protection with the ability to perform full, quick, and custom scans, giving macOS users “next-generation protection and endpoint detection and response coverage” as its Windows counterpart. “We’ve been working closely with industry partners to enable Windows Defender Advanced Threat Protection (ATP) customers to protect their non-Windows devices while keeping a centralized “single pane of glass” experience,” Microsoft says in a blog post. Microsoft also promised to add Endpoint Detection and Response, and Defender ATP’s new Threat and Vulnerability Management (TVM) capabilities in public preview next month. TVM uses a risk-based approach to help security teams discovery, prioritize, and remediate known vulnerabilities and misconfigurations using a mixture of real-time insights, added context during incident investigations and built-in remediation processes through Microsoft’s Intune and System Center Configuration Manager. For now, the tech giant has released Microsoft Defender ATP for Mac (compatible with macOS Mojave, macOS High Sierra, or macOS Sierra) in limited preview for businesses that have both Windows and Mac computer systems. Like MS Office for Mac, Defender for Mac will also use Microsoft AutoUpdate software to get the latest features and fixes on time. While Microsoft has announced its plans to launch Defender ATP for more platforms in the future, the company has not explicitly named those platforms. Also, it is not clear if Microsoft is also planning to launch a consumer version of Microsoft Defender for Mac users in the future. Microsoft’s business customers can sign up here for the limited preview. In the attempt to make its security software available to more people, Microsoft just last week released Windows Defender extensions for Mozilla Firefox and Google Chrome as well. Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.

Source

image
By Uzair Amir The company says it discovered the issue in January and there is no need to change passwords. The social media giant Facebook has revealed that its internal data storage systems saved user passwords in plain text that could be accessed by employees. The social media said an ongoing investigation so far has revealed no sign that employees abused or accessed […] This is a post from HackRead.com Read the original post: Facebook stored 600m user passwords in plain text exposed to 20k employees

Source

image
Holy moly, Facebook is again at the center of a new privacy controversy after revealing today that its platform mistakenly kept a copy of passwords for “hundreds of millions” users in plaintext. What’s more? Not just Facebook, Instagram users are also affected by the latest security incident. So, if you are one of the affected users, your Facebook or Instagram password was readable to some of the Facebook engineers who have internal access to the servers and the database. Though the social media company did not mention exactly what component or application on its website had the programmatic error that caused the issue, it did reveal that the company discovered the security blunder in January this year during a routine security check. In a blog post published today, Facebook’s vice president of engineering Pedro Canahuati said an internal investigation of the incident found no evidence of any Facebook employee abusing those passwords. “To be clear, these passwords were never visible to anyone outside of Facebook, and we have found no evidence to date that anyone internally abused or improperly accessed them,” Canahuati said. Canahuati didn’t mention the exact number of users affected by the glitch, but confirmed that the company would start notifying its “hundreds of millions of affected Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Facebook has now fixed this issue and recommended users to change their Facebook and Instagram passwords immediately. “In the course of our review, we have been looking at the ways we store certain other categories of information — like access tokens — and have fixed problems as we’ve discovered them.” Besides this, all Facebook and Instagram users are always highly recommended to enable two-factor authentication, login alert feature and use the physical security key to protect their accounts from cyber attacks. This is yet another security incident for Facebook. In October last year, Facebook announced its worst-ever security breach that allowed hackers to successfully steal secret access tokens and access personal information from 29 million Facebook accounts. However, Facebook is not alone that exposed hundreds of millions of its users’ passwords in plain text. Twitter last year also addressed a similar security incident that unintentionally exposed passwords for its 330 million users in readable text on its internal computer system. Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.

Source

image
By Waqas On March 12th, at around 2:30 a.m., residents of two Texas towns panicked after hearing tornado alarm that went off until 4:00 a.m. They were disturbed because the alarms repeatedly went on and off for about one and a half hours, thanks to hackers – Finally, related authorities were able to turn them off. See: […] This is a post from HackRead.com Read the original post: Panic after hackers take control of emergency tornado alarms in Texas

Source

image
A popular WordPress plugin has been removed from the WordPress plugin repository after it was discovered to have a vulnerability that was being exploited in the wild. The plugin, Social Warfare, lets users add social media sharing buttons to their websites. Social Warfare has an active install base of over 70,000 sites and over 805,000 downloads. Wordfence said that the most recent version of the plugin (3.5.2) was plagued by a stored cross-site scripting vulnerability. Worse, researchers have identified attacks in the wild against the vulnerability. “The flaw allows attackers to inject malicious JavaScript code into the social share links present on a site’s posts,” said Mikey Veenstra with Wordfence in a Thursday post. The attacks started after an “unnamed security researcher published a full disclosure” of the vulnerability earlier today, said Veenstra. There is currently no evidence that attacks started prior to today, he told Threatpost. The plugin was consequently taken down. A notice on the WordPress plugin page for Social Warfare says “This plugin was closed on March 21, 2019 and is no longer available for download.” Meanwhile, Social Warfare tweeted that it is aware of the vulnerability: “Our developers are working to release a patch within the next hour. In the meantime, we recommend disabling the plugin. We will update you as soon as we know more.” WE ARE AWARE OF A ZERO-DAY EXPLOIT AFFECTING SOCIAL WARFARE CURRENTLY BEING TAKEN ADVANTAGE OF IN THE WILD. Our developers are working to release a patch within the next hour. In the meantime, we recommend disabling the plugin. We will update you as soon as we know more. — Warfare Plugins (@warfareplugins) March 21, 2019 At this time, Veenstra said that Wordfence will refrain from publicizing details of the flaw and the attacks against it: “At such time that the vendor makes a patch available, we will produce a follow-up post with further information,” he said. In the meantime, Veenstra said that users should deactivate the plugin as soon as possible until a patch has been released. PSA: The #WordPress plugin Social Warfare contains an unpatched zero-day flaw which is under active attack in the wild. @wordfence premium users have access to the WAF rule we’ve released, others should deactivate the plugin ASAP until a patch is released. https://t.co/meha42c3SE — Mikey Veenstra (@heyitsmikeyv) March 21, 2019 Social Warfare did not immediately respond to a request for comment from Threatpost. This is not the first time WordPress has fallen victim to flaws – specifically those tied to third-party plugins. In fact, according to a January Imperva report, almost all (98 percent) of WordPress vulnerabilities are related to plugins that extend the functionality and features of a website or a blog. The incident comes after a separate vulnerability was disclosed and patched in a different WordPress plugin, Easy WP SMTP. This vulnerability was also under active attack and being exploited by malicious actors to establish administrative control of impacted sites, said Veestra. “The attacks against this vulnerability are widespread, and successful exploits can grant full control of vulnerable sites to the attackers,” he said.

Source

image
By Waqas GHIDRA is NSA’s reverse engineering tool released earlier this month. Earlier this month, Hackread.com posted about the National Security Agency’s (NSA) publicly releasing its decompiler and disassembler tool GHIDRA and make it open-source software. Now, it has been revealed that the generic reverse engineering tool has a flaw that can be exploited by cybercriminals for carrying […] This is a post from HackRead.com Read the original post: Flaw in NSA’s GHIDRA leads to remote code execution attacks

Source

image
Hackers took down Apple Safari, VMware Workstation, and Oracle VirtualBox on Wednesday, the first day of Pwn2Own, the annual hacking competition held in tandem with the CanSecWest conference in Vancouver. Contestants with the team of Fluoroacetate (Amat Cama and Richard Zhu) were the first to hit pay dirt; hacking Apple’s Safari browser via escaping the sandbox. The team used an integer overflow in the browser and a heap overflow to escape the sandbox. The attack took hours, using a brute force technique, eventually earning the team $55,000. The takedown would be the first of three for the Fluoroacetate team on Wednesday. Later in the day Cama and Zhu focused their attention on the virtualization category and Oracle’s VirtualBox. Oracle VirtualBox is a free and open-source hypervisor for x86-class computers. Successful VM escape exploit. Impressive work by Amat Cama and Richard Zhu #Pwn2Own pic.twitter.com/y0pSMYjI2l — Ryan Naraine (@ryanaraine) March 20, 2019 Fluoroacetate was able to “pop calc” (open the calculator app) on the VirtualBox using an integer underflow and a race condition to escalate from the virtual client, according to the write-up of the event by Zero Day Initiative. After their first failed attempt – tied to a botched memory leak attempt – things aligned and a successful code execution (opening of the calculator app) earned the two-person team $35,000. Rounding out Fluoroacetate’s trifecta of successful hacks was a compromise of the VMware Workstation. By leveraging an race condition and chaining it to an out-of-bounds write the team was able to jump from the virtual client to executing code on the underlying host operating system, ZDI reported. That hack earned the team $70,000, bringing their total to $160,000 for the day. Team Anhdaden of STAR Labs at Pwn2Own 2019 The Oracle VirtualBox took a second beating by hacker team Anhdaden of STAR Labs. They used an integer underflow to escalate from the virtual client to execute his code on the hypervisor at medium integrity, ZDI reported: “[Anhdaden] used a unique integer underflow different than the previously demonstrated underflow. His first foray into Pwn2own netted him $35,000.” Three hackers only identified by their Twitter handles (@_niklasb @qwertyoruiopz and @bkth_) that were part of a team called Phoenhex and Qwerty Team, received partial credit for hacking Apple Safari with a kernel elevation. The three demonstrated a complete system compromise. “By browsing to their website, they triggered a JIT bug followed by a heap out-of-bounds (OOB) read – used twice – then pivoted from root to kernel via a Time-of-Check-Time-of-Use (TOCTOU) bug,” ZDI wrote. The team only received partial credit because Apple already knew of one of the bugs used in the attack. Nevertheless, they were awarded $45,000 for their efforts. In total, day one of the two-day Pwn2Own hacking competition paid out $240,000.

Source

image
Hundreds of millions of Facebook user passwords have been stored in plain text for years, the social media giant acknowledged on Thursday. KrebsOnSecurity, which first reported the news, said that specifically between 200 and 600 million passwords were stored in plain text as early as 2012, and were searchable by thousands of Facebook employees. Plain text means that the stored passwords are unencrypted, meaning they can be easily accessed and read by people who had access to Facebook’s internal data storage systems. “As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems,” said Pedro Canahuati, vice president of engineering, security and privacy at Facebook in a Thursday post. “This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable. We have fixed these issues and as a precaution we will be notifying everyone whose passwords we have found were stored in this way.” Facebook said it will notify hundreds of millions of Facebook Lite users (Facebook Lite is a version of Facebook predominantly used by people in regions with limited connectivity), as well as tens of millions of other Facebook users, and tens of thousands of Instagram users. Canahuati said that the passwords were never visible to anyone outside of Facebook and that Facebook has found no evidence to date that anyone internally abused or improperly accessed them. Despite that, Krebs reported that 2,000 engineers or developers made around nine million internal queries for data elements containing plain text user passwords. Canahuati also stressed that Facebook has been looking at the ways it stores certain other categories of information, such as access tokens, and has “fixed problems as we’ve discovered them.” Between the Cambridge Analytica incident that occurred about a year ago, to several other Facebook security problems over the past year (such as sketchy data sharing partnerships and other privacy violations), Facebook continues to be criticized for data privacy issues. _Threatpost will update this story as more information becomes available… _

Source