Security Weekly 21

Security Week 21 Main Logo

Security Weekly 21: Three Billion Yahoo Accounts Has Been Compromised, Netgear Covered 50 Vulnerabilities in Routers, Five Critical Holes Were Closed on Android

Three billion Yahoo accounts – everything that is acquired by excessive work, is lost.

Verizon the IT giant made an audit in its very neglected farm, reported (well, not verbatim, of course). However, the case of hacking Yahoo has been dragging on since last year and started with some 200 million user accounts that were put up for sale in a darkwave in August 2016.

Security Week 21 Photo 1

A month later, Bob Lord, CISO company, slightly adjusted this figure, notifying the public about the theft of 500 million accounts. And by December, as it should have gathered, resolutely stated that in fact, it was a billion. Finally, Verizon takes the audit and reports that “everything has already been stolen from us” – all 3 billion accounts, almost half of the world suffered, but what is being done, citizens!

  • As it now turns out, in the bins of Yahoo at least twice: the first time in August 2013, the second – a year later. However, only in 2016, Yahoo notified the very facts of hacking. Who is involved in this leak – one group or several – is also not yet reported, but, as usual, some “state hackers” have already been accused. According to the Yahoo report, the attackers were able to take control of the process that generates authentication cookies, and as a result used it to access the system without authentication.

Yahoo claims that there are no unencrypted passwords and billing information in the stolen data. Hackers got only names, email addresses, phone numbers, dates of birth, hashes of passwords and answers to secret questions. Only. Trivial matters.

Closed five critical vulnerabilities on Android

Security Week 21 Photo 2

A new patch to Android, as usual, neutralizes a bunch of different vulnerabilities. To do this, patches do, but in the case of a green robot, there is one nuance: the vast majority of mobile devices under this OS will never see this patch, although vulnerabilities will not disappear anywhere. In general, their owners would be nice to know what risk they are exposed to.

In total this time 14 vulnerabilities are closed:

  • CVE-2017-0806, which allows a malicious application to obtain additional permissions without prompting the user.
  • Seven vulnerabilities from CVE-2017-0809 to CVE-2017-0816 are contained in the media system. Three of them allow you to remotely run code in the context of a privileged process (RCE), one to increase privileges (EoP), two more help the attacker to learn what is not allowed (ID).
  • CVE-2017-14496-RCE in the system.
  • CVE-2017-7374 sits in the file system component, allows you to increase privileges.
  • CVE-2017-9075 is located in the network subsystem and also raises privileges.
  • CVE-2017-0827 in the MediaTek driver, like the previous one, abuse the “official position”.
  • CVE-2017-11053, CVE-2017-9714, and CVE-2017-9683 sit-in components for Qualcomm chips, one RCE, and two EoP.

In general, see the update date ro.build.version.security_patch. If it is made before October 1, 2017, then all of the listed bugs in your system are available.

Netgear covered 50 vulnerabilities in routers, switches, and network storage

Security Week 21 Photo 3

Known manufacturer of network equipment Netgear is not exchanged for such trifles as Google. Patch so patch – in early October Netgear posted updated firmware for its hardware, covering 50 vulnerabilities. 20 holes are particularly dangerous gaps, 30 – slightly inferior to them in coloring and the provided potential, but also good.

  • Through some of these vulnerabilities, an external hacker can run commands on devices, bypass the administrator’s password and completely take the device under control, which in the case of a home router allows you to crank very dashing phishing attacks on users, redirect them to pages with exploit whales, etc.

Such a number of findings is not accidental. The matter is that Netgear together with Bugcrowd has launched a reward program for the detected vulnerabilities. Rewards do not say that the royal: the highest amount of $ 15 thousand is paid for a fatal holes like remote unauthorized access to files of all users in the cloud storage, $ 10 thousand for the same vulnerability, but with access to files of one user, well, flaws in hardware take wholesale at a price of $ 150 to $ 1200.

It’s nice that the manufacturers of network and IoT-equipment finally took care of the safety of their products. As practice shows, neither in-house-testing nor periodic audits solve the problem. But the constantly working program for paying rewards for bugs finding gives a very good result.