
“Three, three billion Yahoo accounts! Everything acquired by back-breaking labor, all of it gone,” said (well, not literally, of course) Verizon, which, after buying the IT giant, audited its badly neglected new property. The Yahoo breach story, however, has been dragging on since last year. It started with some 200 million user accounts put up for sale on the darkweb in August 2016. A month later Bob Lord, the company's CISO, adjusted this figure slightly, notifying the public that 500 million accounts had been stolen. By December, having properly pulled himself together, he resolutely declared that the real number was a billion. Finally, Verizon ran its audit and reported that “everything was stolen before we got here”: all 3 billion accounts. Almost half the world has been hit. What is going on, citizens?!
As it now turns out, attackers rummaged through Yahoo's storage at least twice: the first time in August 2013, the second a year later. Yet Yahoo disclosed the breaches only in 2016. Whether one group or several is behind the leak has not been reported either, but, as usual, some “government hackers” have already been blamed. According to Yahoo's report, the attackers were able to take control of the process that generates authentication cookies and used it to access the system without authenticating.
Yahoo claims that the stolen data contains no unencrypted passwords or billing information. The hackers got only names, email addresses, phone numbers, dates of birth, password hashes and answers to security questions. Only. Mere trifles.
Five critical holes closed in Android
News alert. The new Android patch, as usual, neutralizes a bunch of different vulnerabilities. That is what patches are for, but with the green robot there is one nuance: the vast majority of mobile devices running this OS will never see the patch, even though the vulnerabilities are not going anywhere. So it would be good for their owners to know what risk they are exposed to.
In total, 14 holes are closed this time:
- CVE-2017-0806, which allows a malicious application to obtain additional permissions without asking the user.
- Seven vulnerabilities from CVE-2017-0809 to CVE-2017-0816 are in the media framework. Three of them allow remote code execution in the context of a privileged process (RCE), one allows elevation of privilege (EoP), and two more let an attacker learn what they are not supposed to (information disclosure, ID).
- CVE-2017-14496 is an RCE in the system.
- CVE-2017-7374 sits in the file system component and allows elevation of privilege.
- CVE-2017-9075 is in the network subsystem and also elevates privileges.
- CVE-2017-0827 in the MediaTek chip driver, like the previous ones, “abuses its official position”.
- CVE-2017-11053, CVE-2017-9714 and CVE-2017-9683 sit in components for Qualcomm chips: one RCE and two EoPs.
In general, check the patch date in ro.build.version.security_patch. If it is earlier than October 1, 2017, then all the listed bugs are present in your system.
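To run the check above across several devices, the comparison against the October 1, 2017 level can be scripted. This is an added example, not part of the original column; the device names and inventory lines are constructed, and each value stands for what `adb shell getprop ro.build.version.security_patch` would return on that device.

```shell
#!/bin/sh
# Baseline from the article: patch levels earlier than this lack the October 2017 fixes.
BASELINE="2017-10-01"

# classify_patch_level LEVEL -> prints "patched", "vulnerable" or "unknown"
classify_patch_level() {
    level=$1
    # The property is a YYYY-MM-DD string; anything else (for example an
    # empty value) cannot be compared and is reported as unknown.
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    # Strip the dashes so both dates compare as plain integers.
    lv=$(printf '%s' "$level" | sed 's/-//g')
    base=$(printf '%s' "$BASELINE" | sed 's/-//g')
    if [ "$lv" -lt "$base" ]; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# audit_inventory: reads "device-id patch-level" lines on stdin and
# prints "device-id patch-level verdict" for each device.
audit_inventory() {
    while read -r dev level; do
        [ -n "$dev" ] || continue
        printf '%s %s %s\n' "$dev" "${level:-none}" "$(classify_patch_level "$level")"
    done
}

# Constructed sample inventory (hypothetical device names). On a real device:
#   adb -s <serial> shell getprop ro.build.version.security_patch
sample_inventory() {
    cat <<'EOF'
lab-phone-01 2017-10-01
lab-phone-02 2017-08-05
lab-tablet-03 2016-12-01
old-handset-04
EOF
}

sample_inventory | audit_inventory
```

A device that reports no value at all is listed as unknown rather than patched, so it still gets looked at by hand.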
Netgear patches 50 vulnerabilities in routers, switches and network storage
News. The well-known network equipment manufacturer Netgear does not bother with trifles the way Google does. If you patch, then patch properly: in early October, Netgear published updated firmware for its hardware, closing 50 vulnerabilities. 20 of the holes are especially dangerous; the other 30 are slightly less colorful and offer somewhat less potential, but they are good too.
Through some of these vulnerabilities, an external attacker can run commands on the devices, bypass the administrator password and take full control of the device. In the case of a home router, that makes it possible to pull off very bold phishing attacks on users, redirect them to pages with exploit kits, and so on.

This number of finds is no accident. Netgear, together with Bugcrowd, launched a reward program for discovered vulnerabilities. The rewards are not exactly royal: the highest amount, $15 thousand, is paid for the scariest holes, such as remote unauthorized access to the files of all users in the cloud storage; $10 thousand goes for the same kind of vulnerability with access to the files of a single user; and bugs in the hardware are bought wholesale at prices ranging from $150 to $1,200.
It is nice that manufacturers of network and IoT equipment have finally started paying attention to the security of their products. As practice shows, neither in-house testing nor periodic audits solve the problem. An ongoing bug bounty program, on the other hand, gives very good results.

Antiquities
"Jews-2339"
A harmless resident virus. It writes itself into COM, EXE and SYS files. Driver files are infected when an infected COM or EXE file is started or during a warm boot (Alt-Ctrl-Del): the virus infects all .SYS and .BIN files listed in C:\CONFIG.SYS. It creates its TSR copy only when started from an infected driver: it copies itself to segment 7000:xxxx, waits for the driver to be installed and appends its code to the driver's code. COM and EXE files are infected only on floppy disks; when a file is started or opened, the virus disinfects it, and when the file is closed, it infects it. Five days after infecting the system, every hour at 59 minutes 30 seconds, it plays the call sign of the Mayak radio station: "Moscow Nights" 3 times and BEEP 6 times. Contains the texts: "Jews-2 Virus. MSU 1991", "c:\config.sys.device", ".com.exe.bin.sys". Hooks int 8, 9, 21h.
Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 36.
Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. That depends on luck.