Over 500 Million Accounts affected in Yahoo Breach

Internet giant Yahoo last Thursday disclosed a major data breach affecting over 500 million user accounts. Yahoo announced that a state-sponsored actor was responsible for the breach which occurred in late 2014.

Information suspected to be leaked in the breach include names, email address, telephone numbers, birth dates, hashed passwords and, in some instances, encrypted or unencrypted security questions and answers. Yahoo has already invalidated those unencrypted security questions and answers.

Yahoo has said it is taking steps to notify affected users and has advised users who haven’t changed their passwords since 2014 to do so. The company statement also recommended that customers “avoid clicking on links or downloading attachments from suspicious emails and that they be cautious of unsolicited communications that ask for personal information.”

Further security concerns with the breach includes attackers using leaked information for phishing attacks, sending spam messages from compromised accounts as well as other identity theft incidences.

Remote Control Vulnerability in Tesla cars fixed

Researchers at Tencent’s Keen Security Lab had found a security flaw in Tesla cars that allowed control of car brakes and other less critical components from a remote location by attackers. They responsibly disclosed the flaw to Tesla’s security team which confirmed the flaw and has now issued fixes for it in it’s latest firmware version.

Tesla has urged car owners to update their car’s firmware to the latest version to stay immune from exploitation of the remote control flaw.

The researchers were able to open various Tesla cars’ sunroof, turn on the blinkers, move the car seat, and open doors, all while the cars were in parking mode. They also managed to control windshield wipers, fold the side rearview mirrors, open the trunk, and manipulate the brakes from a remote location 12 miles away.

Backdoors in Xiaomi Smartphones

indexA computer science student, Thijs Broenink has found that one of the pre-installed apps that come with Xiaomi smartphones ‘AnalyticsCore (AnalyticsCore.apk)‘ is an app that sends device information (IMEI, MAC address, Model, Nonce, Package name and signature) to Xiaomi as well as checks for updates daily from Xiaomi’s server and install them. He made the discovery when out of curiosity, he reverse-engineered the pre-installed apps to see what they actually do.

Broenink found that the download of update is done over HTTP which means it could be tampered with in transit and replaced with a malicious file. The access granted by the app also gives Xiaomi the power to silently replace signed apps within 24 hours on all devices sold by them.

In response, a Xiaomi spokesperson told The Hacker News that a successful attack on the “self-upgrade” feature by a random attacker is impossible, as the MIUI’s (Xiaomi’s Android firmware for mobile devices) checks the signature of the Analytics.apk app during installation, and will not install any app that has not be signed by Xiaomi. He also noted that “Starting from MIUI V7.3 released in April/May, HTTPS was enabled to further secure data transfer, to prevent any man-in-the-middle attacks,”

To completely block access for this app, users can use an ad-blocking app with root access to blacklist Xiaomi related webservers as uninstalling the app does not work because it reinstalls itself after a while.

Microsoft brings Tuesday Patches to an end

microsoft-patch-tuesday-header

Yesterday’s Patch Tuesday is meant to be the last traditional Windows Patch Tuesday. Microsoft is changing its patch release model. The new model will have all patches for a month bundled together and users will not be able to pick and choose which updates to install.

Microsoft has said this will start with Windows 10 but will be affect other operating systems as well in due course.

Security teams should be prepared to make changes to their patching methods as soon as Microsoft implements its new patch release model.

Critical Zero-day vulnerability in MySQL

mysql_hostingMultiple severe vulnerabilities affecting MySQL and it’s forks were discovered by researcher, Dawid Golunski according to Helpnetsecurity. One of the vulnerabilities – CVE-2016-6662 – can be used to make malicious settings in the MySQL configuration file or create a new configuration file, allowing execution of arbitrary code with root access when the service is restarted. The vulnerability.

Golunski explained in an advisory published on Monday, that “The vulnerability affects all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers,”

Oracle is yet to release a fix for these issues even though Golunski reported to the issues to them in late July. MySQL forks, Percona and MariaDB have pushed out new releases that addresses the CVE-2016-6662.

Golunski advised, “As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnfi3 files that are not in use,”

Teenagers arrested for offering Booter Services

rpxubn-a_400x400vDOS is a distributed denial-of-service (DDoS) kit that is allegedly responsible for most of the DDoS attacks in the past four years. Two teenagers have been arrested in Israel for their alleged link to the selling of the kit. The teenagers, Itay Huri and Yarden Bidani, both 18, were arrested on September 8 by Israeli authorities on the request of the FBI and are under house arrest and forbidden to use internet-connected devices for 30 days. The service has been running undercover for four years now until security researcher, Brian Krebs found a hole in another DDoS-for-hire service that enabled access to vDoS’s database leading to the arrest of the teenagers.

The vDoS service was offered for between $20 to $200 per month depending on how long the hackers wanted to operate and payment was preferred through Bitcoin digital currency. The database uncovered by Krebs had tens of thousands of paying customers and over $600,000 has been netted in the past two years by the operators.

Possible data breach of VoIPtalk

Voice over IP provider, VoIPtalk has warned its customers of a possible breach of their login credentials. The email notice stated that the company’s security systems discovered strange activity: “activity involving online attempts to exploit vulnerabilites in our infrastructure to obtain customer data” according to SC Magazine.

The company is threading the lane of caution to notify its customers even though there is no strong evidence of successful breach by attackers.