CVE-2017-1363

http://ift.tt/2zD1qGW

Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 25, 2017 at 10:27AM

Hackers steal compromising photos from plastic surgery clinic

http://ift.tt/2yQTWCY

Nudity will always get people’s attention.

Which is probably a large part of the motive behind the latest attack by The Dark Overlord, the hacker group that gained an international profile in the past year-plus by advertising millions of medical records on the dark web, threatening schools and businesses and leaking Netflix shows.

Now it is apparently looking to raise its profile further, diversifying into lurid sensationalism with threats to leak graphic photos from a hack of a high-profile London-based plastic surgery clinic that caters to celebrities including, according to the group, some royals.

The Daily Beast reported on Monday that a member of the group contacted it using an email account from the victim – the London Bridge Plastic Surgery & Aesthetic Clinic (LBPS) – and included a cache of photos they said were from LBPS surgeries:

Many are highly graphic and close-up, showing surgery on male and female genitalia. Others show apparent patients’ bodies post-operation, and some include faces. None of a selection of tested photos returned any matches from Google reverse image searches, implying that they were indeed obtained from a private source.

The clinic acknowledged in a statement on its website that it had been breached.

We can confirm that the Clinic has been the victim of a cyber attack. We took measures to block the attack immediately in order to protect patient information and we informed the Metropolitan Police who launched an investigation.

Regrettably, following investigations by our IT experts and the police, we believe that our security was breached and that data has been stolen. We are still working to establish exactly what data has been compromised.

The clinic’s public relations firm, Marco Richards, did not respond to a request for comment on whether the hackers had been in touch with the clinic and if there are any extortion demands. But according to the hackers, the stolen data includes a lot more than graphic photos of famous people.

“We have TBs [terabytes] of this shit. Databases, names, everything,” a member of the hacker group told The Daily Beast, adding that they intended to make it all public:

We’re going to pitch it all up for everyone to nab. The entire patient list with corresponding photos. The world has never seen a medical dump of a plastic surgeon to such degree.

And if they do have what they claim, once the sensational element of the photos fades, the other stolen data could mean more long-term risk to the clinic’s customer base. As is the case with other high-profile hacks, medical records and personally identifiable information (PII) can lead to continuing nightmares ranging from blackmail to identity theft – criminals using the PII of victims to obtain medical services, tax refunds, lines of credit and more.

This latest hack follows what seems to be the standard Dark Overlord MO: Break into an organization, steal data and then seek a level of publicity that will pressure the victim into complying with any ransom demand.

Motherboard reported in June 2016 that after the group stole hundreds of thousands of health care records, rather than immediately posting them, it advertised them on the dark web. It followed that with a claim that it had possession of 9 million health insurance records.

An encrypted chat with one of the hackers led to a loose description of the method:

First, he posts a database; then, he gives samples of the data to reporters, who go out and verify them. These articles, and the subsequent reblogging of them by other outlets, convinces companies that the hacker is a legitimate threat. These steps repeat over and over, building up the hacker’s reputation as someone to be taken seriously.

“I have a reputation with this handle now,” the hacker added. “Every time I put a new listing up it gets reported without hesitation now.”

Indeed, the group’s exploits have drawn plenty of press. It is also reportedly responsible for the hack late last year of Larson Studios, a Hollywood audio post-production firm, which paid the group $50,000 in Bitcoin; the group nonetheless leaked nine unreleased episodes of the Netflix hit “Orange is the New Black” this past spring after the network refused to pay an extortion demand.

Then just weeks ago in mid-September, the entire Flathead Valley, Montana school district shut down for three days after the group targeted several schools with death threats to parents and promises to release the PII of students, teachers and administrators unless a ransom was paid.

The Flathead County sheriff said the physical threats were more hot air than serious, in part because the group is believed to be overseas, not in the US. Still, out of caution, the district shut down for three days.

That may be in part because, as Motherboard noted, “depending on who they are communicating with, The Dark Overlord pushes itself as playful jester, ruthless criminal, or calculated professional.”

The variety of targets the group has attacked – which also include Gorilla Glue and a US defense contractor – is also a reminder that mega-corporations like Netflix or credit bureau Equifax are not the only targets of interest to hackers. Given that data is today’s real currency, just about every organization has something of value, which means that no matter what an organization does, or how large it is, security matters.

LBPS is obviously now more aware of that. In their statement, they said they were “horrified” at the hack, adding:

Security and patient confidentiality has always been of the utmost importance to us. We invest in market-leading technology to keep our data secure and our systems are updated daily. We are deeply saddened that our security has been breached.

Chances are that horror and deep sadness aren’t going to mollify their clients.

Security News

via Naked Security http://ift.tt/1pHdTOi

October 25, 2017 at 10:24AM

Kaspersky did upload NSA hacking code from PC that was backdoored via pirated software

http://ift.tt/2yMhgj8

While revealing the results of an internal investigation, Kaspersky Lab admitted that it had uploaded classified NSA malware from a user’s computer in 2014, but that same user had been backdoored after installing a pirated version of Microsoft Office.

The NSA worker, who had stored classified NSA materials on his home computer, ran a home version of Kaspersky Antivirus and had chosen to enable Kaspersky Security Network (KSN) which automatically uploads new and previously unknown malware. That is how Kaspersky ended up with the new sample of malware. When an analyst alerted Eugene Kaspersky that the file contained classified source code for a new hacking tool, the CEO said to immediately delete it.

Kaspersky does not identify the user as an NSA worker, but numerous reports have described him as a member of the NSA’s hacking unit who kept classified material on his home computer.

According to the preliminary results of Kaspersky Lab’s internal investigation, the Equation malware was first detected on September 11, 2014, after it was automatically submitted due to KSN being enabled on the NSA worker’s computer.

After the detection, the NSA worker turned off Kaspersky Lab’s antivirus in order to install pirated software: logs indicated that the activation key generator (keygen) for the 2013 version of Microsoft Office was infected with malware, and the antivirus had to be disabled for him to run it.

Kaspersky Lab explained:

The user was infected with this malware for an unspecified period, while the product was inactive. The malware dropped from the trojanized keygen was a full blown backdoor which may have allowed third parties access to the user’s machine.

The NSA worker re-enabled Kaspersky AV at some point, which resulted in the malicious keygen being detected and blocked. He then scanned his computer multiple times, “which resulted in detections of new and unknown variants of Equation APT malware.” The last detection from his machine was on November 17, 2014.

One file which was detected and automatically uploaded due to KSN being enabled was a 7zip archive; the archive reportedly contained “multiple malware samples and source code for what appeared to be Equation malware.”

When an analyst reported the find to Eugene Kaspersky, he reportedly ordered the archive deleted from the company’s systems. “The archive was not shared with any third parties.”

The internal investigation found no third-party intrusion into Kaspersky Lab’s networks other than Duqu 2.0, which fits with reports that Israeli intelligence had burrowed deeply into Kaspersky’s networks. The company disclosed Duqu 2.0 publicly in 2015.

Kaspersky goes on to report that it found no evidence of being hacked by Russian spies; its “investigation confirmed that Kaspersky Lab has never created any detection of non-weaponized (non-malicious) documents in its products based on keywords like ‘top secret’ and ‘classified’.”

Kaspersky published its report on the Equation Group in February 2015. Afterwards, “several other users with KSN enabled have appeared in the same IP range as the original detection. These seem to have been configured as ‘honeypots’, each computer being loaded with various Equation-related samples. No unusual (non-executable) samples have been detected and submitted from these ‘honeypots’ and detections have not been processed in any special way.”

To hear Kaspersky tell it, it does sound plausible that Russian hackers may have obtained the NSA malware from the pirated software’s backdoor.

Kaspersky has vehemently denied any inappropriate links to the Russian government. On Monday, the company launched a transparency initiative to win back trust after the U.S. government’s spying claims.

Security News

via CSO Online http://ift.tt/2gDzvif

October 25, 2017 at 10:19AM

Fortinet Expands Security Fabric Visibility and Protection into the Industrial Internet of Things – Nasdaq

http://ift.tt/2zOAPYx

Fortinet Demonstrates IoT Security Momentum and Industry-Leading Patent Innovation


SUNNYVALE, Calif., Oct. 25, 2017 (GLOBE NEWSWIRE) —

John Maddison, senior vice president of products & solutions at Fortinet
“IoT-based attacks have revealed the sheer volume and ease by which billions of devices can be weaponized and used to disrupt global digital economies, critical infrastructure and the data of millions of users. To successfully defend the massive scope of IoT, organizations need an architecture that scales the entire infrastructure for complete visibility, segmentation and end-to-end protection. The Fortinet Security Fabric arms enterprises with a comprehensive solution that spans the entire IoT attack surface, delivering the performance and threat intelligence required to learn, segment, and ultimately protect the varied attack surfaces created by IoT.”

News Summary
Fortinet® (NASDAQ:FTNT), the global leader in high-performance cybersecurity solutions, today announced its new FortiGuard Industrial Security Service, extending the Fortinet Security Fabric visibility, control and protection into the Industrial Internet of Things (IIoT).


  • FortiGuard Industrial Security Service (ISS) builds on the award-winning threat intelligence services of FortiGuard Labs by providing application control and defensive signatures specific to critical infrastructure and industrial sector organizations, including utility, oil and gas, transportation, and manufacturing.
  • Customers around the globe are selecting the breadth of IoT solutions in Fortinet’s Security Fabric to secure their complex networks and endpoint devices, from manufacturing, natural resources, and aviation to government organizations.
  • Fortinet demonstrates its continued commitment to innovation in IoT with its expanded portfolio of patents on IoT security.

Securing the Industrial Internet of Things with FortiGuard Threat Intelligence
Enterprise and consumer demand has created an explosion in the number of IoT devices connecting to global networks. McKinsey estimates that 20 to 30 billion IoT devices could be connected globally by 2020, up from 10 billion to 15 billion devices in 2015. However, as devices proliferate, the security risks also increase.

Traditionally, commercial and industrial networks and their IoT devices have operated in isolation, but the mainstreaming of things like smart cities and connected homes have begun to merge these devices within local, national and global infrastructures. This is requiring organizations to rethink how they secure increasingly converged IT, OT and IoT networks and devices. Integrating distinct security tools into a unified Security Fabric enables organizations to collect and correlate threat intelligence in real time, identify abnormal behavior and automatically orchestrate a response anywhere across this complex IoT attack surface.
FortiGuard ISS protects the most widely-used Industrial Control System (ICS) and Supervisory Control And Data Acquisition (SCADA) devices and applications. The new service provides vulnerability protection, deep visibility and granular control over ICS and SCADA systems and is backed by real-time threat intelligence updates – enabling organizations to restrict access and minimize the attack surface of their critical IIoT infrastructures. FortiGuard ISS complements Fortinet’s industrial-strength security appliances, which are designed to run in harsh environments.

Global Enterprises Securely Leveraging the Benefits of IoT with Fortinet
Organizations of all sizes and across industries are adopting the Fortinet Security Fabric to solve their IoT security challenges:

  • Gibson Energy – An oil and gas company involved in midstream operations between extraction and retail, Gibson has a highly distributed IT infrastructure and needed a better way to secure its move to the cloud and manage the IoT devices deployed in the field. “We have several thousand devices in the field and previously we had to manually monitor these devices. Now we have a plan to connect them to the cloud and provide important operation analytics,” said Richard Hannah, VP of information services at Gibson Energy. “Working with Fortinet, our operations teams can now monitor these devices in real-time, saving thousands of hours of maintenance and man time while ensuring the security of our infrastructure.”
     
  • City of Mumbai – The Government of Maharashtra selected Fortinet to provide wireless internet access for the Mumbai WiFi project to cover all major areas in the city with public WiFi hotspots for its citizens and also to be used for smart parking and smart transportation. “The Mumbai WiFi project plays a crucial role in empowering our citizens digitally. Our goal was to cover all major areas in the city with public WiFi in order to make important government services available online,” said Vijay Kumar Gautam, Principal Secretary Information Technology, Government of Maharashtra. “Because of the hyper-connected nature of our public infrastructure today, an ambitious project like this requires technology that can scale and be flexible to enable more users, devices, and applications over time.”

An Integrated Solution for IoT Security
Fortinet is uniquely positioned to address the IoT security challenge with its broad and integrated solutions that secure IoT at all points across the attack surface. Enterprises need three strategic network security capabilities to harden their infrastructure against IoT threats: learn, segment and protect. Fortinet’s breadth of IoT security solutions includes FortiOS, FortiGate, FortiSIEM, Secure Access, FortiGuard Threat Intelligence, and Advanced Threat Protection. Additionally, Fortinet’s robust Fabric Ready Partner ecosystem enables advanced integration and complete protection through technical partnerships with additional IoT and endpoint security vendors like ForeScout, Nozomi Networks and SentinelOne.

Industry-Leading IoT Security Innovation
Fortinet has a long history of delivering security innovation and holds the most robust portfolio of IoT security patents in the industry, outpacing the nearest security vendor portfolios by several times. Patents like these are foundational to Fortinet’s continued leadership and ability to deliver cutting-edge IoT security solutions to its customers.

  • System for Managing and/or Securing the Internet of Things
  • IoT Intrusion Detection at the Physical Level
  • Fingerprinting IPv6 Clients in Stateless Auto-Configuration of IoT
  • Heuristics-based Techniques to Identify IoT Attacks in WiFi

Fortinet’s continued momentum and innovation has earned it recent accolades such as being named in Fortune’s inaugural Future 50 list of companies best positioned for breakout growth.

About Fortinet
Fortinet (NASDAQ:FTNT) secures the largest enterprise, service provider, and government organizations around the world. Fortinet empowers its customers with intelligent, seamless protection across the expanding attack surface and the power to take on the ever-increasing performance requirements of the borderless network – today and into the future. Only the Fortinet Security Fabric architecture can deliver security without compromise to address the most critical security challenges, whether in networked, application, cloud or mobile environments. Fortinet ranks #1 in security appliances shipped worldwide and more than 320,000 customers trust Fortinet to protect their businesses. Learn more at http://www.fortinet.com, the Fortinet Blog, or FortiGuard Labs.


Copyright © 2017 Fortinet, Inc. All rights reserved. The symbols ® and ™ denote respectively federally registered trademarks and unregistered trademarks of Fortinet, Inc., its subsidiaries and affiliates. Fortinet’s trademarks include, but are not limited to, the following: Fortinet, FortiGate, FortiGuard, FortiManager, FortiMail, FortiClient, FortiCloud, FortiCare, FortiAnalyzer, FortiReporter, FortiOS, FortiASIC, FortiWiFi, FortiSwitch, FortiVoIP, FortiBIOS, FortiLog, FortiResponse, FortiCarrier, FortiSIEM, FortiAP, FortiDB, FortiVoice, FortiWeb and FortiCASB.

Fortinet does not independently endorse such statements. Notwithstanding anything to the contrary herein, nothing herein constitutes a warranty, guarantee, binding specification or other binding commitment by Fortinet, and performance and other specification information herein may be unique to certain environments. This news release contains forward-looking statements that involve uncertainties and assumptions, such as statements regarding program, technology and functionality releases and release times. Changes of circumstances, product release delays or product priority or roadmap changes, or other risks as stated in our filings with the Securities and Exchange Commission, located at www.sec.gov, may cause results to differ materially from those expressed or implied in this press release. If the uncertainties materialize or the assumptions prove incorrect, results may differ materially from those expressed or implied by such forward-looking statements and assumptions. All statements other than statements of historical fact are statements that could be deemed forward-looking statements. Fortinet assumes no obligation to update any forward-looking statements, and expressly disclaims any obligation to update these forward-looking statements.

Source: Fortinet, Inc.

Security News,IoT News

via IoT – Google News http://ift.tt/2pYPKZV

October 25, 2017 at 10:12AM

A Passive Mixer’s Adventure Through Product Development

http://ift.tt/2z6JxnI

The year was 2014, and KORG’s volca line of pint-sized synthesizers were the latest craze in the music world. Cheap synths and drum machines were suddenly a reality, all in a backpack-friendly form factor. Now practically anyone could become an electronic music sensation!

I attended a jam with friends from my record label, and as was the style at the time, we all showed up with our latest and greatest gear. There was the microKORG, a MiniNova, and a couple of guitars, but all attention was on the volcas, which were just so much fun to pick up and play with.

There was just one problem. Like any game-changing low-cost hardware, sacrifices had been made. The volcas used 3.5mm jacks for audio and sync pulses, and the initial lineup came with a bassline, lead, and drum synth. Syncing was easy, by daisy chaining cables between the boxes, but if you wanted to record or mix, you’d generally need to stack adapters to get your signals in a more typical 6.5mm TS format used by other music hardware.

After mucking around, I did some research on what other people were doing. Most were suffering just like we were, trying to patch these little machines into full-sized mixing desks. It seemed like overkill — when you just want to muck around, it’s a bit much to drag out a 24 channel powered mixer. I wanted a way to hook up 3 of these machines to a single set of headphones and just groove out.

To solve this problem, we needed a mixer to match the philosophy of the volcas; simple, accessible, and compact. It didn’t need to be gold-plated or capable of amazing sonic feats, it just had to take a few 3.5mm audio sources, and mix them down for a pair of headphones.

I’d heard of people using headphone splitters with mixed results, and it got me thinking about passive mixing. Suddenly it all seemed so clear — I could probably get away with a bunch of potentiometers and some passives and call it a day! With a friend desperate to get their hands on a solution, I decided to mock up a prototype and took it round to the studio to try out.

The First gMIX

The prototype gMIX, in a Hammond 1590BB case.

Right away, it was a success. I wired up four inputs through four pots to a single output for headphones. Hook up anything from a micro-synth to an iPod and you could mix away and jam to your heart’s content. I was running an electronics company called Grav Corp at the time, so I dubbed the device “gMIX”. Creative, I know.

At this point I realised that with the success of the volca line, it was likely that more than just my friends could benefit from this device. With the hardware being little more than pots and connectors, I figured I could probably make these fairly cheaply and have a great market to tap into.

The next step was research, which I consider to be a major cornerstone of the design process. The prototype was hand wired, and in a huge case. This was overkill for the intended use and took a long time to make. I needed to optimise the device for size and cost of manufacture. I spent many hours behind the computer screen considering each and every kind of stereo potentiometer and stereo connector I could lay my hands on for a reasonable price.  I also knew I didn’t want to sit around soldering these up myself, so I investigated ways of getting them manufactured, too.

Recognizing Good Ideas from Other Products

Teenage Engineering’s Pocket Operators influenced the gMIX design, through their use of a bare PCB in the absence of any enclosure.

By this point, it was January 2015, and Teenage Engineering launched the Pocket Operator series of compact synthesizers. This was perfect timing — micro-synths were taking off, and all their users were potential customers for the gMIX. What’s more, I found inspiration.


The Pocket Operator line of synths are constructed without an enclosure. Components are soldered straight to the PCB, which even includes a hook to hang the synth on a sales rack. It was a stroke of genius that gave Teenage Engineering a unique aesthetic and a way to bring a synth to market at a frankly ridiculous US $59 price point. It also showed me the way forward.

Looking at their success I realised I could build the gMIX as a bare PCB, saving the cost of an expensive enclosure. With this in mind, I began to hunt for a company that could manufacture small-run products at an affordable cost. Once I found one, I started to use their list of preferred suppliers to guide my hunt for components.

I chose surface mount resistors and audio jacks as it’s much cheaper than paying for the labor of through hole assembly. I then settled on Phillips potentiometers, for their perceived quality and the fact that they could be pressed into the board and then soldered. This would mean the potentiometers would self-align to holes cut in the PCB, which avoided having to rely on the assembly technicians to position the pots perfectly straight.

Getting Their Attention

I was ready to go ahead with production. Because it was in vogue, and because it reduced the need for a major capital investment, I decided to take a crowdfunding approach, starting a Kickstarter campaign. After promoting it online through my friends and business associates, a thought then clicked in my mind. This product wasn’t just useful to volca users. I had recently begun to mix in the Australian chiptune scene, and they were heavy users of the Nintendo Game Boy in their composition and live performances. Like the volca, this relied on a 3.5mm stereo output jack, which can be quite a headache to use in a stage environment.


Once launched, the gMIX also came in a cased version. It’s just the bare PCB version, pushed into a Hammond box. It’s held in place by a combination of the threaded potentiometers and the 3.5mm jacks snap fitting into their respective holes.

A product only succeeds if you can get it into the hands of people who want to use it. Perhaps the greatest master stroke that got the gMIX into production was that I shared my Kickstarter with an international chiptunes group, where it gained a huge amount of attention overnight. Following this, I then sent off a press release to every music hardware blog I could possibly find. This is where I saw a contrast; chiptune users saw a cool product that solved a problem they’d been having for ages. Volca users were typically new to electronic music and seemed to feel quite the same way. Conversely, the rusted-on gearheads at the music blogs were deeply offended at the idea of paying $35 AUD and up for “just a passive mixer”.


The age old cry went out – “I can build that at home for $5!”

This was something I fully expected. The curmudgeonly are right — it is possible to build a passive mixer very cheaply, particularly if one has plenty of old audio hardware lying around as scrap. However, it isn’t really possible to sell a nicely designed and integrated mixer, made with high-quality pots & connectors, and ship it all over the world, for $5. Well, at least not when your initial production run is less than 200 units and you’re based out of Australia.

In the end, however, the fans won the day. The simple fact was that while $35 might feel a little spendy for what is a very simple product, there wasn’t a better way to do it cheaper at the time. I shifted many more units than I expected, and learned a lot in the process, like how to work with an overseas production house, and how to promote a product to the media.

Logistics are Tricky


A US-based gMIX customer sent this photo plugged into a Volca Keys, a Pocket Operator, and a Kaoss Pad.

The best part was seeing the gMIX out in the wild, and shipping hardware all over the world. The worst part was trying to understand Swiss and Turkish addresses well enough to get the products to their far-flung destinations. It was a successful product that filled a market niche, and while it was only on sale for a short period, it brought in a healthy profit, too. While Grav Corp is no longer trading, the gMIX did its job, and has since been followed by a cavalcade of products by other companies, all competing to be the groovebox mixing champion. Overall, it was a fantastic learning experience and one that made me a tidy profit, to boot. Plus, I’ve always got a pocket mixer handy for those surprise jam sessions.


I highly recommend that anyone kicking around for a project in their spare time consider designing a commercial product. It’s a lot of work, but the skills can serve you well for years to come. You need to make yourself an expert in the field your product will fill. What people want, what they actually need, and what is already out there — these are questions you have to answer when getting ready to pull the trigger. Successfully connecting with users, funding the production run, and actually seeing the process through to fill all of your orders is a roller coaster in itself. My one warning: be prepared to spend a lot of time at the post office.

Filed under: Business, Hackaday Columns, musical hacks

Security News

via Hackaday https://hackaday.com

October 25, 2017 at 10:03AM

2017 Linux Kernel Report Highlights Developers’ Roles and Accelerating Pace of Change

http://ift.tt/2y6CypI

Roughly 15,600 developers from more than 1,400 companies have contributed to the Linux kernel since 2005, when the adoption of Git made detailed tracking possible, according to the 2017 Linux Kernel Development Report released at the Linux Kernel Summit in Prague.

Security News

via Linux.com | The source for Linux information http://ift.tt/1Wf4iBh

October 25, 2017 at 10:02AM

KeystoneJS 4.0.0-beta.5 Unauthenticated CSV Injection

http://ift.tt/2zNEZQa

KeystoneJS version 4.0.0-beta.5 suffers from an unauthenticated CSV injection vulnerability in admin/server/api/download.js and lib/list/getCSVData.js.

Security News

via Files ≈ Packet Storm http://ift.tt/1Fpvz7L

October 25, 2017 at 09:51AM