Hacker Who DDoSed Sony, EA and Steam Gaming Servers Pleads Guilty

A 23-year-old hacker from Utah pleaded guilty this week to launching a series of denial-of-service (DoS) attacks against multiple online services, websites, and online gaming companies between 2013 and 2014.

According to a Justice Department (DoJ) press release, Austin Thompson, a.k.a. “DerpTroll,” took down servers of several major gaming platforms, including Electronic Arts’ Origin service, the Sony PlayStation Network, and Valve Software’s Steam, between December 2013 and January 2014 by flooding them with enough internet traffic to overwhelm them.

Thompson then typically used the Twitter account @DerpTrolling to announce his attacks, subsequently posting screenshots or other photos of the server being unavailable after launching the DDoS attacks.

The attacks usually took down game servers and related computers of the victim companies for at least a few hours at a time, causing at least $95,000 in damages to the gaming companies around the world.

Thompson pleaded guilty in federal court in San Diego on Thursday to a charge of causing damage to a protected computer, which carries a maximum penalty of 10 years in prison, a fine of $250,000, and three years of supervised release.

Active since 2011, the DerpTrolling hacking group is believed to be operated by Thompson, who wrote the malware used to launch DDoS attacks against online services around the world.

The hacking group made headlines in late 2013 and early 2014 after disrupting online gaming servers owned by Sony, Riot Games, Microsoft, Nintendo, Valve, and Electronic Arts.

Thompson’s sentencing is scheduled for March 1, 2019, before United States District Judge Jeffrey Miller.

It wasn’t just DerpTrolling that created chaos in 2014. The infamous Lizard Squad hacking group also made headlines in 2014 by launching DDoS attacks against Microsoft Xbox Live and Sony PlayStation Network and knocking them offline during the Christmas holidays.

Last year, several teenagers from around the world were charged with participating in the Lizard Squad 2014 DDoS attacks.

Popular WooCommerce WordPress Plugin Patches Critical Vulnerability

If you own an eCommerce website built on WordPress and powered by the WooCommerce plugin, beware of a new vulnerability that could compromise your online store.

Simon Scannell, a researcher at RIPS Technologies GmbH, discovered an arbitrary file deletion vulnerability in the popular WooCommerce plugin that could allow a malicious or compromised privileged user to gain full control over the unpatched websites.

WooCommerce is one of the most popular eCommerce plugins for WordPress, helping websites upgrade a standard blog into a powerful online store. WooCommerce powers nearly 35% of e-stores on the internet, with more than 4 million installations.

Exploiting WooCommerce File-Deletion and WordPress Design Flaws

The attack demonstrated in the following video takes advantage of the way WordPress handles user privileges and of the WooCommerce file-deletion vulnerability, allowing an account with the “Shop Manager” role to eventually reset administrator accounts’ passwords and take complete control of the website.

When installed, the WooCommerce extension creates “Shop Manager” accounts with the “edit_users” capability, allowing them to edit customer accounts of the store in order to manage their orders, profiles, and products.

In WordPress, an account with the “edit_users” capability is by default allowed to edit even an administrator account and reset its password. To draw a permission-based line between an administrator and a shop manager account, the WooCommerce plugin adds some extra limitations on shop managers.

However, the researcher discovered that if a WordPress admin, for some reason, disables the WooCommerce plugin, the configuration that mandated the limitation goes away, allowing Shop Manager accounts to edit and reset the password of administrator accounts.

Now, according to Simon, a malicious Shop Manager can forcibly disable the WooCommerce plugin by exploiting a file-deletion vulnerability that resides in the logging feature of WooCommerce.
Once the file is deleted, the WooCommerce plugin gets disabled, allowing shop managers to update the password of the administrator account and then take over the complete website.

Install WooCommerce and WordPress Patch Updates

The researcher responsibly reported the security issues to the Automattic security team, which manages the WooCommerce plugin, via HackerOne on August 30, 2018. The team acknowledged the flaws and fixed them in WooCommerce version 3.4.6 last month.

If you haven't yet updated your WordPress and WooCommerce, you are strongly advised to install the latest available security updates as soon as possible.

New Intel CPU Flaw Exploits Hyper-Threading to Steal Encrypted Data

A team of security researchers has discovered another serious side-channel vulnerability in Intel CPUs that could allow an attacker to sniff out sensitive protected data, like passwords and cryptographic keys, from other processes running on the same CPU core with the simultaneous multi-threading feature enabled.

Discovered by a team of security researchers from the Tampere University of Technology in Finland and Technical University of Havana, Cuba, the new side-channel vulnerability resides in Intel’s Hyper-Threading technology, the company’s implementation of Simultaneous MultiThreading (SMT).

Simultaneous MultiThreading is a performance feature that works by splitting up each physical core of a processor into virtual cores, known as threads, allowing each core to run two instruction streams at once.

Since SMT runs two threads from two independent processes side by side on the same physical core to boost performance, it is possible for one process to see a surprising amount of what the other is doing.
Thus, an attacker can run a malicious PortSmash process alongside a selected victim process on the same CPU core, allowing the PortSmash code to snoop on the operations performed by the other process by measuring the precise time taken for each operation.

PortSmash Attack to Steal OpenSSL Decryption Keys

As a proof-of-concept released on GitHub, researchers tested the PortSmash attack against the OpenSSL (version <= 1.1.0h) cryptography library and were able to steal the private decryption key using a malicious process (the exploit) running on the same physical core as the OpenSSL thread (the victim).

While the PortSmash attack has so far been confirmed to work on Intel’s Kaby Lake and Skylake processors, the researchers “strongly suspect” that the attack works on other SMT architectures, including AMD’s, with some modifications to their code.

In August this year, after the TLBleed and Foreshadow attacks were unveiled, Theo de Raadt, the founder of OpenBSD and leader of the OpenSSH project, advised users to disable SMT/Hyper-Threading in all Intel BIOSes.

He also suspected that “there will be more hardware bugs and artifacts disclosed. Due to the way SMT interacts with speculative execution on Intel CPUs, I expect SMT to exacerbate most of the future problems.”

How to Protect Your Systems Against PortSmash Attack

Researchers reported the new side-channel vulnerability to Intel’s security team early last month, but when the company had not provided security patches by 1 November, the team went public with the PoC exploit.

The team has also promised to release a detailed paper on the PortSmash attack, titled “Port Contention for Fun and Profit,” in the coming days.

The simple fix for the PortSmash vulnerability is to disable SMT/Hyper-Threading in the CPU’s BIOS until Intel releases security patches. OpenSSL users can upgrade to OpenSSL 1.1.1 (or >= 1.1.0i if you are looking for patches).
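As an added example (not from the article or the PortSmash researchers), the following Python script applies the two mitigations above to a host: it decides from the `openssl version` banner whether the build meets the 1.1.0i / 1.1.1 threshold stated here, and reads the Linux kernel's SMT switch. The sysfs path assumes a Linux host, and any version the article does not mention (such as the 1.0.2 series) is reported as needing an upgrade rather than assumed safe.

```python
"""Exposure check for the PortSmash mitigations listed in the article (constructed example)."""
import re
import subprocess

SMT_CONTROL = "/sys/devices/system/cpu/smt/control"  # kernel SMT switch; assumes a Linux host

# Threshold exactly as the article states it: 1.1.0i or later (1.1.1 sorts above it).
PATCHED_FROM = (1, 1, 0, 26 + 9)  # 1.1.0i: 'i' is the 9th letter, encoded as below


def parse_openssl_version(banner):
    """Turn 'OpenSSL 1.1.0h  27 Mar 2018' into a comparable tuple, or None if unparsable.

    OpenSSL patch letters sort a < b < ... < z < za < zb, so a suffix is encoded as
    len(letters) * 26 + position of its last letter ('' -> 0, 'a' -> 27, 'h' -> 34, 'za' -> 53).
    """
    m = re.match(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", banner.strip())
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    suffix = len(letters) * 26 + (ord(letters[-1]) - ord("a") + 1) if letters else 0
    return (int(major), int(minor), int(fix), suffix)


def openssl_patched_for_portsmash(banner):
    """True only when the version meets the article's fixed-version threshold."""
    version = parse_openssl_version(banner)
    return version is not None and version >= PATCHED_FROM


def smt_control_state(path=SMT_CONTROL):
    """Read the kernel's SMT switch ('on', 'off', 'forceoff', 'notsupported', ...)."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return "unknown"


def installed_openssl_banner():
    """Ask the local openssl binary for its version; empty string if it is not present."""
    try:
        return subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=False).stdout
    except OSError:
        return ""


def assess(banner, smt_state):
    """Pure decision logic: return the list of findings for the given inputs."""
    findings = []
    if not openssl_patched_for_portsmash(banner):
        findings.append("OpenSSL below 1.1.0i / 1.1.1: upgrade (banner: %r)" % banner.strip())
    if smt_state not in ("off", "forceoff", "notsupported"):
        findings.append("SMT is %s: disable Hyper-Threading in the BIOS or via %s"
                        % (smt_state, SMT_CONTROL))
    return findings


if __name__ == "__main__":
    for line in assess(installed_openssl_banner(), smt_control_state()) or ["no PortSmash findings"]:
        print(line)
```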

In June this year, the OpenBSD project disabled Intel’s Hyper-Threading to protect its users from previously disclosed Spectre-class attacks, as well as future timing attacks.

AMD is investigating the PortSmash side-channel vulnerability report to determine whether any AMD products are susceptible.

Facebook Fined £500,000 for Cambridge Analytica Data Scandal

Facebook has finally been slapped with its first fine of £500,000 for allowing political consultancy firm Cambridge Analytica to improperly gather and misuse data of 87 million users.

The fine has been imposed by the UK’s Information Commissioner’s Office (ICO) and was calculated under the UK’s old Data Protection Act 1998, which can levy a maximum penalty of £500,000; ironically, that equals the amount Facebook earns every 18 minutes.

The news does not come as a surprise, as the U.K.’s data privacy watchdog had already notified the social network giant in July this year that it intended to issue the maximum fine.

For those unaware, Facebook has been under scrutiny since earlier this year when it was revealed that the personal data of 87 million users was improperly gathered and misused by political consultancy firm Cambridge Analytica, who reportedly helped Donald Trump win the US presidency in 2016.

The ICO, which launched an investigation into the Cambridge Analytica scandal in March, said that the data of at least 1 million British citizens was “unfairly processed,” and that Facebook “failed to take appropriate technical and organisational measures” to prevent the data from falling into the wrong hands.

Besides this, the ICO also stressed that the social network “failed to make suitable checks on apps and developers using its platform,” which eventually exposed the personal data of up to 87 million people worldwide without their knowledge.

In response to the ICO announcement, Facebook noted that the company is reviewing the ICO decision, highlighting its previous admission that Facebook “should have done more” to investigate claims about Cambridge Analytica in 2015.

However, the £500,000 fine is just a drop in the ocean for a company like Facebook that brought in £31.5 billion in global revenue last year.

The penalty could have been much larger had it fallen under EU’s General Data Protection Regulation (GDPR), wherein a company could face a maximum fine of 20 million euros or 4% of its annual global revenue, whichever is higher, for such a privacy breach.

Facebook’s annual revenue was nearly £31.5 billion in 2017, which could have resulted in a fine of as much as £1.26 billion under the GDPR rules. But luckily for Facebook, GDPR only came into force in May 2018, after the Cambridge Analytica scandal.

Last month, the UK’s data protection watchdog also issued the maximum allowed fine of £500,000 on credit reporting agency Equifax for its last year’s massive data breach that exposed personal and financial data of hundreds of millions of its customers.

FireEye: Russian Research Lab Aided the Development of TRITON Industrial Malware

Cybersecurity firm FireEye claims to have discovered evidence that proves the involvement of a Russian-owned research institute in the development of the TRITON malware that caused some industrial systems to unexpectedly shut down last year, including a petrochemical plant in Saudi Arabia.

TRITON, also known as Trisis, is a piece of ICS malware designed to target the Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric which are often used in oil and gas facilities.

Triconex Safety Instrumented System is an autonomous control system that independently monitors the performance of critical systems and takes immediate actions automatically if a dangerous state is detected.

Since malware with such capabilities can’t be created by a computer hacker without the necessary knowledge of Industrial Control Systems (ICS), researchers believe with “high confidence” that the Moscow-based lab Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM, a.k.a. ЦНИИХМ) used its institutional knowledge to help the attackers, dubbed “TEMP.Veles,” develop the TRITON framework and test its components in a targeted environment.

In a blog post published earlier today, FireEye uncovered various attribution clues that connect the development and testing activities of Triton malware to the Russian government, CNIIHM and a former professor at CNIIHM.

Moreover, behavior patterns observed in the TEMP.Veles group activity are also consistent with the Moscow time zone, where the CNIIHM institute is located.

Though CNIIHM researchers possess experience in critical infrastructure and the development of weapons and military equipment, FireEye did not claim, and has no evidence, that the institute was also involved in deploying the Triton malware in the wild.

Neither Russian government nor the CNIIHM institute has responded to the FireEye report, though we can predict Russia’s response, as the country has repeatedly denied such allegations from private cybersecurity firms in the past.

What’s concerning is that the hackers behind Triton remain an active threat to critical infrastructure across the globe, as the malware has the ability to cause severe, life-threatening damage to an organization or shut down its operations.

WiJungle

WiJungle NextGen Firewall & Hotspot Gateway

WiJungle is a unified (NextGen Firewall & Hotspot Gateway) appliance that manages network, internet and security of business verticals like Corporates, Education Institutes, Hospitality, Healthcare, Retail, Transportation, Smart City, Residential Estates, Events etc. across the globe. It has been recognized by Government of India for product, process & service innovation and is listed among the Most Promising Enterprise Information Security Product by CIO Review.

The appliances range from 20 users to any higher number and offer features like Access/Interface Management, Network Management, User/Guest Management, Content Filtering, Data Leakage Prevention, Bandwidth Management, Load Balancing, Gateway Anti-Virus, Anti-Spam, IPS, Virtual Private Network, Vulnerability Assessment, Intuitive Captive Portals, SMS Gateway Integration, Social Media Engagement/Advertisement option, Feedback Management, User Logging, Reporting and Analytics, Prepaid/Postpaid Billing, Voucher Management, PMS/HIS Integration, Alert Management, Access Point/Device Management etc.

Product has 24/7 Free Call/Email/WhatsApp support with Advance Hardware Replacement warranty.

Key Features –

✓ Offers features of both UTM & Hotspot Gateway in a single appliance.

✓ Most affordable product with lowest renewal cost.

✓ Only updates and support are halted on license expiry. Product features continue to work as they are.

✓ Unlimited Free Transaction Messages along with Appliance (India Only).

✓ Inbuilt Storage Capacity to store surfing logs for a period of 1 year.

✓ PMS/HIS/Third Party Integration & personalized development provision available.

✓ Intuitive Captive portals with social media engagements and advertisement options.

✓ Highly User-Friendly UI to configure.

✓ Auto Feature update via cloud.

WiJungle NextGen Firewall & Hotspot Gateway Price

Model            Users Around (Both UTM + Hotspot)   Price (With 1 Year License)
WiJungle U20     32                                  30400
WiJungle U35     50                                  41800
WiJungle U50     70                                  57740
WiJungle U75     100                                 72980
WiJungle U100    160                                 94320
WiJungle U150    210                                 132200
WiJungle U250    300                                 194700

GST Tax Extra

For More details, Please call us on

Sales :+91 958 290 7788 | Support : 0120 2631048


Critical Flaw Found in Streaming Library Used by VLC and Other Media Players

Security researchers have discovered a serious code execution vulnerability in the LIVE555 Streaming Media library—which is being used by popular media players including VLC and MPlayer, along with a number of embedded devices capable of streaming media.

LIVE555 Streaming Media, developed and maintained by Live Networks, is a set of C++ libraries that companies and application developers use to stream multimedia over open standard protocols like RTP/RTCP, RTSP or SIP.

The LIVE555 streaming media libraries support streaming, receiving, and processing of various video formats such as MPEG, H.265, H.264, H.263+, VP8, DV, and JPEG video, and several audio codecs such as MPEG, AAC, AMR, AC-3, and Vorbis.

The vulnerable library is internally being used by many well-known media software such as VLC and MPlayer, exposing their millions of users to cyber attacks.

The code execution vulnerability, tracked as CVE-2018-4013 and discovered by researcher Lilith Wyatt of Cisco Talos Intelligence Group, resides in the HTTP packet-parsing functionality of the LIVE555 RTSP server, which parses HTTP headers for tunneling RTSP over HTTP.

To exploit this vulnerability, all an attacker needs to do is create and send “a packet containing multiple ‘Accept:’ or ‘x-sessioncookie’ strings” to the vulnerable application, which triggers a stack buffer overflow in the ‘lookForHeader’ function, leading to arbitrary code execution.

The Cisco Talos team confirmed the vulnerability in Live Networks LIVE555 Media Server version 0.92, but the team believes the security issue may also be present in earlier versions of the product.

Cisco Talos responsibly reported the vulnerability to Live Networks on October 10 and publicly disclosed the security issue on October 18 after the vendor released security patches on October 17.


Chrome, Firefox, Edge and Safari Plans to Disable TLS 1.0 and 1.1 in 2020

All major web browsers, including Google Chrome, Apple Safari, Microsoft Edge, Internet Explorer, and Mozilla Firefox, today jointly announced that they will soon remove support for the TLS 1.0 (20-year-old) and TLS 1.1 (12-year-old) communication encryption protocols.

Developed initially as Secure Sockets Layer (SSL) protocol, Transport Layer Security (TLS) is an updated cryptographic protocol used to establish a secure and encrypted communications channel between clients and servers.

There are currently four versions of the TLS protocol—TLS 1.0, 1.1, 1.2 and 1.3 (latest)—but older versions, TLS 1.0 and 1.1, are known to be vulnerable to a number of critical attacks, such as POODLE and BEAST.

Since the TLS implementation in all major web browsers and applications supports a downgrade negotiation process, it leaves an opportunity for attackers to exploit the weaker protocol versions even if a server supports the latest version.

All Major Web Browsers Will Remove TLS 1.0 and TLS 1.1 Support in 2020

According to the press releases published by the four major companies, Google, Microsoft, Apple and Mozilla, their web browsers will completely drop TLS 1.0 and 1.1 support by default in the first half of 2020.

TLS 1.2, which was released ten years ago to address weaknesses in TLS 1.0 and 1.1, has enjoyed wide adoption since then, and will thus remain the default TLS version until TLS 1.3, which is currently in the development stage, becomes available.

According to Microsoft, as TLS 1.0 continues to age, many websites have already moved to newer versions of the protocol. Today 94 percent of sites already support TLS 1.2, while less than one percent of daily connections in Microsoft Edge use TLS 1.0 or 1.1.

Apple also says TLS 1.2 is the standard on its platforms and represents 99.6 percent of TLS connections made from Safari, while TLS 1.0 and 1.1 account for less than 0.36 percent of all connections.

Google could not agree more and says that today only 0.5 percent of HTTPS connections made by Chrome use TLS 1.0 or 1.1.

All the tech companies recommended that websites which do not yet support TLS 1.2 or newer move off the old versions of the protocol as soon as possible and practical.

Furthermore, PCI Data Security Standard (PCI DSS) compliance also requires websites to disable their SSL/TLS 1.0 implementations by June 30, 2018.

Besides these tech giants, GitLab today also announced that it will deprecate support for TLS 1.0 and TLS 1.1 on its website and API infrastructure by the end of 2018.

You can also manually disable older TLS versions on Google Chrome by opening Settings → Advanced Settings → Open Proxy Settings → Click ‘Advanced’ Tab → Under ‘Security’ section uncheck TLS 1.0 and 1.1 and then save.

Google to Encrypt Android Cloud Backups With Your Lock Screen Password

In an effort to secure users’ data while maintaining privacy, Google has announced a new security measure for Android Backup Service that now encrypts all your backup data stored on its cloud servers in a way that even the company can’t read it.

Google allows Android users to automatically back up their essential app data and settings to their Google account, allowing them to simply restore it when required, instead of re-configuring all the apps after formatting or switching to a new phone.

However, until now your backup data was not encrypted and was visible to Google, and now the company is going to change its storage procedure.

Starting with Android Pie, Google is going to encrypt your Android device backup data in the following way:

Step 1: Your Android device will generate a random secret key (not known to Google),

Step 2: The secret key will then get encrypted using your lockscreen PIN/pattern/passcode (not known to Google),

Step 3: This passcode-protected secret key will then be securely sent to a Titan security chip on Google’s servers.

So, your Android backup data will get encrypted or decrypted only if the lockscreen passcode gets authorized through the Titan security chip.

In other words, the Titan security chip will not decrypt any of your backup data unless it is presented with the lockscreen passcode you used when requesting decryption.

To prevent brute force attacks, Google’s Titan chip will permanently block access to the backup data if someone inputs incorrect passcode combinations several times in an attempt to guess it.
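As an added example (not Google's code or anything from the article), here is a Python model of the three steps and the lockout behaviour described above. PBKDF2 as the passcode-stretching step, an XOR-plus-HMAC wrap standing in for a real cipher, and a limit of 5 attempts are all assumptions; the point it makes is that the wrapped key is only ever unwrapped inside the chip, which is what turns a guessable PIN into a usable protection.

```python
"""Model of the Android Pie backup key escrow described above (constructed example)."""
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5  # assumption: the article only says "several times"


def derive_keys(passcode, salt):
    # Stand-in for the real PIN-stretching step (not described in the article): PBKDF2 turns
    # the short lockscreen passcode into a 32-byte wrapping pad and a 32-byte MAC key.
    material = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000, dklen=64)
    return material[:32], material[32:]


def wrap_secret(secret_key, passcode):
    """Steps 1-2: encrypt the random 32-byte device secret under the lockscreen passcode."""
    assert len(secret_key) == 32
    salt = secrets.token_bytes(16)
    pad, mac_key = derive_keys(passcode, salt)
    # The stdlib has no AES, so the wrap is a one-time XOR pad plus an HMAC tag (encrypt-then-MAC).
    wrapped = bytes(a ^ b for a, b in zip(secret_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


class TitanModel:
    """Step 3: the server-side chip holds the wrapped key and is the only place it is unwrapped.

    The blob alone would let anyone brute-force a 4-digit PIN offline by checking tags; the
    design works only because the chip never releases the blob and locks after MAX_ATTEMPTS.
    """

    def __init__(self, blob, max_attempts=MAX_ATTEMPTS):
        self.blob = blob
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def unwrap(self, passcode):
        """Return the device secret for the right passcode, None for a wrong one, raise once locked."""
        if self.locked:
            raise PermissionError("backup key permanently locked after too many wrong passcodes")
        pad, mac_key = derive_keys(passcode, self.blob["salt"])
        expected = hmac.new(mac_key, self.blob["salt"] + self.blob["wrapped"], "sha256").digest()
        if not hmac.compare_digest(expected, self.blob["tag"]):
            self.failures += 1
            self.locked = self.failures >= self.max_attempts
            return None
        self.failures = 0
        return bytes(a ^ b for a, b in zip(self.blob["wrapped"], pad))


def demo():
    """Walk through the flow: a wrong guess, the right passcode, then a brute-force lockout."""
    device_secret = secrets.token_bytes(32)           # step 1: generated on the phone
    titan = TitanModel(wrap_secret(device_secret, "4711"))
    wrong_rejected = titan.unwrap("0000") is None
    recovered = titan.unwrap("4711") == device_secret
    for guess in range(MAX_ATTEMPTS):                 # repeated wrong guesses trip the lockout
        titan.unwrap("%04d" % guess)
    try:
        titan.unwrap("4711")
        locked_out = False
    except PermissionError:
        locked_out = True
    return {"wrong_rejected": wrong_rejected, "recovered": recovered, "locked_out": locked_out}


if __name__ == "__main__":
    print(demo())
```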

Google also hired cybersecurity and risk mitigation firm NCC Group to perform a full security audit of the new Android Cloud Backup/Restore feature. NCC discovered a few issues, which were quickly fixed by the company.

Google has not yet confirmed which Android smartphones will be able to use this additional layer of security, but it is clear that the device must be running the latest Android 9 Pie operating system.

Microsoft October Patch Tuesday Fixes 12 Critical Vulnerabilities

Microsoft has just released its latest monthly Patch Tuesday updates for October 2018, fixing a total of 49 security vulnerabilities in its products.

This month’s security updates address security vulnerabilities in Microsoft Windows, Edge Browser, Internet Explorer, MS Office, MS Office Services and Web Apps, ChakraCore, SQL Server Management Studio, and Exchange Server.

Out of 49 flaws patched this month, 12 are rated as critical, 35 are rated as important, one moderate, and one is low in severity.

Three of these vulnerabilities patched by the tech giant are listed as “publicly known” at the time of release, and one flaw is reported as being actively exploited in the wild.

Windows Update Patches An Important Flaw Under Active Attack

According to the Microsoft advisory, an undisclosed group of attackers is actively exploiting an important elevation of privilege vulnerability (CVE-2018-8453) in the Microsoft Windows operating system to take full control over targeted systems.

This flaw exists when the Win32K (kernel-mode drivers) component fails to properly handle objects in memory, allowing an attacker to execute arbitrary code in the kernel mode using a specially crafted application.

This month’s updates also patch a critical remote code execution vulnerability in Microsoft Windows that affects all supported versions of Windows, including Windows 10, 8.1, 7, and Server 2019, 2016, 2012, and 2008.

The vulnerability (CVE-2018-8494) resides in the parser component of the Microsoft XML Core Services (MSXML), which can be exploited by passing malicious XML content via user input.

An attacker can remotely execute malicious code on a targeted computer and take full control of the system just by convincing users to view a specially crafted website designed to invoke MSXML through a web browser.

Microsoft Patches Three Publicly Disclosed Flaws

The details of one of the three publicly disclosed vulnerabilities were revealed late last month by a security researcher after the company failed to patch the bug within the 120-day deadline.

The vulnerability, marked as important and assigned CVE-2018-8423, resides in Microsoft Jet Database Engine that could allow an attacker to remotely execute malicious code on any vulnerable Windows computer.

For proof-of-concept exploit code and more details about this vulnerability you can read our article.

The other two publicly disclosed vulnerabilities are also rated important and reside in the Windows Kernel (CVE-2018-8497) and the Azure IoT Hub Device Client SDK (CVE-2018-8531); they lead to privilege escalation and remote code execution, respectively.

The security updates also include patches for 9 critical memory corruption vulnerabilities—2 in Internet Explorer, 2 in Microsoft Edge, 4 in the Chakra Scripting Engine, and 1 in the Scripting Engine—all of which lead to remote code execution on the targeted system.

Besides this, Microsoft has also released an update for Microsoft Office that provides enhanced security as a defense in depth measure.

Users and system administrators are strongly advised to apply these security patches as soon as possible to keep hackers and cybercriminals away from taking control of their systems.

To install the security updates, head to Settings → Update & security → Windows Update → Check for updates, or install the updates manually.