NewEgg hit by card-stealing code injected into shopping code

The popular computer and electronics Web retailer NewEgg has apparently been hit by the same payment-data-stealing attackers who targeted TicketMaster UK and British Airways. The attackers, referred to by researchers as Magecart, managed to inject 15 lines of JavaScript into NewEgg’s webstore checkout that forwarded credit card and other data to a server with a domain name that made it look like part of NewEgg’s Web infrastructure. It appears that all Web transactions over the past month were affected by the breach.

Details of the breach were reported by the security research firms RiskIQ (which exposed the code behind the British Airways attack) and Volexity Threat Research today. The attack was shut down by NewEgg on September 18, but it appears to have been actively siphoning off payment data since August 16, according to reports from the security researchers. Yonathan Klijnsma, head researcher at RiskIQ, said that the methods and code used are virtually identical to the attack on British Airways—while the Ticketmaster breach was caused by code injected from a third-party service provider, both the BA breach and the NewEgg attack were the result of a compromise of JavaScript libraries hosted by the companies themselves.

The domain used by the attack, neweggstats.com, was hosted on a server at the Dutch hosting provider WorldStream and had a certificate. The domain was registered through Namecheap on August 13, using a registration privacy protection company in Panama. The domain’s TLS certificate was purchased through Comodo on the same day. The Comodo certificate was likely the most expensive part of the attackers’ infrastructure.

Read 4 remaining paragraphs | Comments

Password bypass flaw in Western Digital My Cloud drives puts data at risk

A security researcher has published details of a vulnerability in a popular cloud storage drive after the company failed to issue security patches for over a year.

Remco Vermeulen found a privilege escalation bug in Western Digital’s My Cloud devices, which he said allows an attacker to bypass the admin password on the drive, gaining “complete control” over the user’s data.

The exploit works because drive’s web-based dashboard doesn’t properly check a user’s credentials before giving a possible attacker access to tools that should require higher levels of access.

The bug was “easy” to exploit, Vermeulen told TechCrunch in an email, and that it was remotely exploitable if a My Cloud device allows remote access over the internet — which thousands of devices are. He posted a proof-of-concept video on Twitter.

Details of the bug were also independently found by another security team, which released its own exploit code.

Vermeulen reported the bug over a year ago in April 2017, but said the company stopped responding. Normally, security researchers give 90 days for a company to respond, in line with industry-accepted responsible disclosure guidelines.

After he found that WD updated the My Cloud firmware in the meanwhile without fixing the vulnerability he found, he decided to post his findings.

A year later, WD still hasn’t release a patch.

The company confirmed that it knows of the vulnerability but did not say why it took more than a year to issue a fix. “We are in the process of finalizing a scheduled firmware update that will resolve the reported issue,” a spokesperson said, which will arrive “within a few weeks.”

WD said that several of its My Cloud products are vulnerable — including the EX2, EX4, and Mirror, but not My Cloud Home.

In the meantime, Vermeulen said that there’s no fix and that users have to “just disconnect” the drive altogether if they want to keep their data safe.

The adventures of lab ED011—“Nobody would be able to duplicate what happened there”

BUCHAREST, Romania—At the edge of Europe, Romania’s University Politehnica of Bucharest has long been the most prestigious engineering school in the region. Here, a terracotta-tiled building looms large over the campus, hosting the faculty of the Automatic Control and Computer Science (ACCS) program. On the ground floor, close to the entrance, is a humble computer lab. The label reads ED011.

Back in the early 1990s, after Romania escaped the grip of communism, this room was one of the few places offering an Internet connection free of charge. So every night, when no one was watching, students descended upon the lab to connect to the rest of the world. Eager to learn about life in Western Europe and the US, these students already had the look of their counterparts there—long hair, blue jeans, and Metallica shirts.

“Computers gave us the possibility to communicate with people around the world, which was extraordinary,” a former student named Lari tells me today. The ED011 computer lab did more than that, of course. It gave these students total freedom—to not only chat on the early Web but to explore all the odd nooks and crannies of computer science.

Read 61 remaining paragraphs | Comments

Nintendo’s Switch has been hiding a buried “VrMode” for over a year

Hackers have uncovered and tested a screen-splitting “VR Mode” that has been buried in the Switch’s system-level firmware for over a year. The discovery suggests that Nintendo at least toyed with the idea that the tablet system could serve as a stereoscopic display for a virtual reality headset.

Switch hackers first discovered and documented references to a “VrMode” in the Switch OS’ Applet Manager services back in December when analyzing the June 2017 release of version 3.0.0 of the system’s firmware. But the community doesn’t seem to have done much testing of the internal functions “IsVrModeEnabled” and “SetVrModeEnabled” at the time.

That changed shortly after Switch modder OatmealDome publicly noted one of the VR functions earlier this month, rhetorically asking, “has anyone actually tried calling it?” Fellow hacker random0666 responded with a short Twitter video (and an even shorter followup) showing the results of an extremely simple homebrew testing app that activates the system’s VrMode functions.

Read 6 remaining paragraphs | Comments

Hacking the websites responsible for election information is so easy an 11 year-old did it

It’s time to talk about election security.

Over the weekend at Def Con, the annual hacker convention in Las Vegas to discuss some of the latest and greatest (or scariest) trends in the wild world of hacking, a pair of election security hacking demonstrations set up for adults and kids alike offered up some frightening revelations about America’s voting infrastructure. (I’m not even going to begin to touch Voatz.)

For 11 year-old Emmett from Austin, hacking the website for the Florida Secretary of State was as easy as a simple SQL injection.

While it took Emmett only 10 minutes to break into the election reporting section of the Florida Secretary of State web page, it’s important to note that these pages were set up as replicas.

The idea, according to event organizers from Wickr (a secure communications platform), “was mainly focused on breaking into the portions of the websites that are critical to the election process, [so] the kids worked against the replicas of the webpages where election results are reported by secretaries of state.”

The replicas were built by the team at Wall of Sheep Village and they issued the following statement: “The main issues with the live sites we are creating the replicas of are related to poor coding practices. They have popped up across the industry and are not vendor specific.”

And while the National Association for the Secretaries of State had some choice words for the Voting Machine Hacking Village, they didn’t address the hacks the kids made on their actual web sites.

In all, some 47 kids participated in the election hacking contest and 89% of them managed to get in to the virtual web sites set up by Wickr and Wall of Sheep Village.

Emmett, whose dad works in cybersecurity and who has been attending Def Con now for four years, has some thoughts on how easy it was for him to get into the system and change the vote tallies for election results.

“It’s actually kind of scary,” the 11 year-old said. “People can easily hack in to websites like these and they can probably do way more harmful things to these types of websites.”

The point, according to Wickr’s (badass) founder Nico Sell, is to bring attention to just how flawed security operations remain at the state level in areas that are vital to the nation’s democracy.

“The really important reason why we’re doing this is because we’re not taking the problem serious enough how significantly someone can mess with our elections,” said Sell. “And by showing this with eight year old kids we can call attention to the problem in such a way that we can fix the system so our democracy isn’t ruined.”

Some executives at big corporations share the same concerns. For Hugh Thompson, the chief technology officer at Symantec, the risks are real — even if the problems won’t manifest in the most important elections.

As Thompson (who worked on election security in the early 2000s) told The Financial Times, “The risk that I think most of us worried about at that time is still the biggest one: someone goes into a state or a county that doesn’t really matter in the grand scheme of the election, is not going to change the balance on x, y or z, but then publishes details of the attack,” he said. “Undermining confidence in the vote is scary.”

Stakes are incredibly high, according to experts familiar with election security. Despite the indictments that Robert Mueller, the special counsel investigating Russian interference, issued against 12 Russian nationals for targeting the 2016 US election, Russian hacking remains a threat in the current election cycle.

Microsoft has already said that it has detected evidence of attempted Russian interference into three campaigns already in the 2018 election cycle.

As Fortune reported in July, Microsoft’s vice president for customer security, said that researchers at the company had discovered phishing campaigns that were linked to the GRU, the Russian military intelligence unit tied to the DNC election hacks from 2016.

For security officers working on the websites for the secretaries of state in the battleground states that the tween and teen hackers targeted during Def Con, young Emmett has some advice.

“Use more protection. Upgrade your security and obviously test your own websites against some of the common vulnerabilities,” the 11 year-old advised. 

Hack causes pacemakers to deliver life-threatening shocks

Life-saving pacemakers manufactured by Medtronic don’t rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients’ lives, security researchers said Thursday.

At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they’re implanted in patients.

Because updates for the programmer aren’t delivered over an encrypted HTTPS connection and firmware isn’t digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients.

Read 8 remaining paragraphs | Comments

Daily Beast: Russian hackers targeted Democrat facing tough 2018 election

The digital ink was barely dry on Ars IT and National Security Editor Sean Gallagher’s feature, “How they did it (and will likely try again): GRU hackers vs. US elections,” when the Daily Beast reported yesterday’s bombshell: Claire McCaskill, among the most vulnerable Senate Democrats facing re-election this year, was one of three candidates in the 2018 midterm election targeted by the highly determined Russian intelligence agency.

According to the post, McCaskill’s office received one or more fake notifications claiming the target’s Microsoft Exchange password had expired and advising it be changed. Targets who clicked on a link were directed to a counterfeit version of the US Senate’s Active Directory Federation Services login page, which would send any passwords the targets entered to the people behind the fake page. McCaskill has been highly critical of Russia and is considered one of the most vulnerable Senate Democrats facing reelection this year. She represents Missouri, a state where Donald Trump defeated Hillary Clinton by almost 20 points in the 2016 election.

McCaskill’s office was one of three candidates that was targeted. The Daily Beast went on to report that the Senate phishing campaign sent each target a different link that caused the fake password-change webpage to display users’ individual email address when they arrived. The customization made the site more convincing.

Read 3 remaining paragraphs | Comments

$1 million heist on Russian bank started with hack of branch router

A prolific hacking group has struck again, this time stealing close to $1 million from Russia’s PIR Bank. The July 3 heist came about five weeks after the sophisticated hackers first gained access to the bank’s network by compromising a router used by a regional branch.

The theft—which according to kommersant.ru is conservatively estimated at about $910,000—is the latest achievement of a group researchers at security firm Group-IB call the MoneyTaker group. In a report published last November that first detailed the group, researchers said its members had conducted 20 successful attacks on financial institutions and legal firms in the US, UK, and Russia. In a follow-up report, Group-IB said MoneyTaker netted about $14 million in the hacks, 16 of which were carried out on US targets, five on Russian banks, and one on a banking-software company in the UK.

While MoneyTaker is skilled at concealing its activities, Group-IB was able to connect the heists by tracing a common set of tactics, techniques, and procedures. After initially gaining access to a target’s network, members often spend months doing reconnaissance in an effort to elevate system privileges to those of a domain administrator. Members also try to remain active inside hacked networks long after the heists are carried out. The attackers also use a variety of freely available tools popular among hackers and security professionals alike, including the Metasploit exploit framework, Microsoft’s PowerShell management framework, and various Visual Basic scripts.

Read 3 remaining paragraphs | Comments