March 19, 2019


Fortnite bugs put accounts at risk of takeover


With one click, any semi-skilled hacker could have silently taken over a Fortnite account, according to a cybersecurity firm that says the bug is now fixed.

Researchers at Check Point say the three vulnerabilities chained together could have affected any of the game’s 200 million players. The flaws, if exploited, would have let an attacker steal the account access token set on the gamer’s device once they’ve entered their password.

Once stolen, that token could be used to impersonate the gamer and log in as if they were the account holder, without needing their password.

The researchers say that the flaw lies in how Epic Games, the maker of Fortnite, handles login requests. Researchers said they could send any user a crafted link that appears to come from Epic Games’ own domain and steal an access token needed to break into an account.


“It’s important to remember that the URL is coming from an Epic Games domain, so it’s transparent to the user and any security filter will not suspect anything,” said Oded Vanunu, Check Point’s head of products vulnerability research, in an email to TechCrunch.

Here’s how it works: the user clicks on a link that points to an Epic Games subdomain, where the hacker has embedded a link to malicious code on their own server by exploiting a cross-site weakness in the subdomain. Once the malicious script loads, unbeknownst to the Fortnite player, it steals their account token and sends it back to the hacker.

“If the victim user is not logged into the game, he or she would have to login first,” said Vanunu. “Once that person is logged in, the account can be stolen.”

Epic Games has since fixed the vulnerability.

“We were made aware of the vulnerabilities and they were soon addressed,” said Nick Chester, a spokesperson for Epic Games. “We thank Check Point for bringing this to our attention.”

“As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others,” he said.

When asked, Epic Games would not say if user data or accounts were compromised as a result of this vulnerability.


Security flaw in DJI’s website and apps exposed accounts to hackers and drone live feeds


It took about six months for popular consumer drone maker DJI to fix a security vulnerability across its website and apps, which if exploited could have given an attacker unfettered access to a drone owner’s account.

The vulnerability, revealed Thursday by researchers at security firm Check Point, would have given an attacker complete access to a DJI user’s cloud-stored data, including drone logs, maps, any still or video footage — and live feed footage through FlightHub, the company’s fleet management system — without the user’s knowledge.

Taking advantage of the flaw was surprisingly simple — requiring a victim to click on a specially crafted link. But in practice, Check Point spent considerable time figuring out the precise way to launch a potential attack — and none of them were particularly easy.

For that reason, DJI called the vulnerability “high risk” but “low probability,” given the numerous hoops to jump through first to exploit the flaw.

“Given the popularity of DJI drones, it is important that potentially critical vulnerabilities like this are addressed quickly and effectively,” said Oded Vanunu, Check Point’s head of products vulnerability research.

A victim would have had to click on a malicious link from the DJI Forum, where customers and hobbyists talk about their drones and activities. By stealing the user’s account access token, an attacker could have pivoted to access the user’s main account. Clicking the malicious link would exploit a cross-site scripting (XSS) flaw on the forum, essentially taking the user’s account cookie and using it on DJI’s account login page.

The researchers also found flaws in DJI’s apps and its web-based FlightHub site.

By exploiting the vulnerability, the attacker could take over the victim’s account and gain access to all of their synced recorded flights, drone photos, and more. (Image: Check Point)

Check Point reached out in March, at which time DJI fixed the XSS flaw in its site.

“Since then, we’ve gone product-by-product through all the elements in our hardware and software where the login process could have been compromised, to ensure this is no longer an easily replicable hack,” said DJI spokesperson Adam Lisberg.

But it took the company until September to roll out fixes across its apps and FlightHub.

The good news is that it’s unlikely that anyone independently discovered and exploited any of the vulnerabilities, but both Check Point and DJI concede that it would be difficult to know for sure.

“While no one can ever prove a negative, we have seen no evidence that this vulnerability was ever exploited,” said Lisberg.

DJI heralded fixing the vulnerability as a victory for its bug bounty, which it set up a little over a year ago. Its bug bounty had a rocky start, after the company months later threatened a security researcher, who “walked away from $30,000” after revealing a string of emails in which the company purportedly threatened him after he found sensitive access keys for the company’s Amazon Web Services instances.

This time around, there was nothing but praise for the bug finders.

“We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” DJI’s North America chief Mario Rebello said.

Good to see things have changed.


A pair of new Bluetooth security flaws expose wireless access points to attack


Security researchers have found two severe vulnerabilities affecting several popular wireless access points, which — if exploited — could allow an attacker to compromise enterprise networks.

The two bugs are found in Bluetooth Low Energy chips built by Texas Instruments, which networking device makers — like Aruba, Cisco and Meraki — use in their line-up of enterprise wireless access points. Although the two bugs are distinctly different and target a range of models, the vulnerabilities can allow an attacker to take over an access point and break into an enterprise network or jump over the virtual walls that separate networks.

Security company Armis calls the vulnerabilities “Bleeding Bit,” because the first bug involves flipping the highest bit in a Bluetooth packet that will cause its memory to overflow — or bleed — which an attacker can then use to run malicious code on affected Cisco or Meraki hardware.

The second flaw allows an attacker to install a malicious firmware version on one of Aruba’s devices, because the software doesn’t properly check to see if it’s a trusted update or not.

Although the security researchers say the bugs allow remote code execution, the attacks are technically local — in that a would-be attacker can’t exploit the flaws over the internet and would have to be within Bluetooth range. In most cases, that’s about 100 meters or so — longer with a directional antenna — so anyone sitting outside an office building in their car could feasibly target an affected device.

“In the case of an access point, once the attacker gained control he can reach all networks served by it, regardless of any network segmentation,” Armis said in a technical write-up.

Ben Seri, vice president of research at Armis, said that the exploit process is “relatively straight forward.” Although the company isn’t releasing exploit code, Seri said that all an attacker needs is “any laptop or smartphone that has built-in Bluetooth in it.”

But he warned that the Bluetooth-based attack can be just one part of a wider exploit process.

“Once the attacker gains control over an access point through one of these vulnerabilities, he can establish an outbound connection over the internet to a command and control server he controls, and continue the attack from a more remote location,” he said. That would give an attacker persistence on the network, making it easier to conduct surveillance or steal data once the attackers drive away.

“Bleeding Bit” allows an unauthenticated attacker to break into enterprise networks undetected, take over access points, spread malware, and move laterally across network segments. (Image: Armis/supplied)

Armis doesn’t know how many devices are affected, but warned that the vulnerabilities are found in a range of other devices with Bluetooth Low Energy chips.

“This exposure goes beyond access points, as these chips are used in many other types of devices and equipment,” said Seri. “They are used in a variety of industries such as healthcare, industrial, automotive, retail, and more.”

Seri said that the vulnerabilities aren’t within the Bluetooth protocol, but with the manufacturer — in this case, the Bluetooth chip itself. As an open standard, device makers are largely left to decide for themselves how to implement the protocol. Critics have long argued that the Bluetooth specifications leave too much room for interpretation, and that can lead to security issues.

For its part, Texas Instruments confirmed the bugs and issued several patches, but attacked Armis’ findings, calling its report “factually unsubstantiated and potentially misleading,” said spokesperson Nicole Bernard.

After Armis privately disclosed the bugs in July, the three affected device makers have also released patches.

Aruba said it was “aware” of the vulnerability and warned customers in an advisory on October 18, but noted that its devices are only affected if a user enables Bluetooth — which Aruba says is disabled by default. Cisco, which also owns the Meraki brand, said some of its devices are vulnerable but they too have Bluetooth disabled by default. Fixes are already available and the company has a list of vulnerable devices noted in its support advisory. A Cisco spokesperson said that the company “isn’t aware” of anyone maliciously exploiting the vulnerability.

Carnegie Mellon University’s public vulnerability database, CERT, also has an advisory out for any other devices that might be affected.


The United States needs a Department of Cybersecurity


This week over 40,000 security professionals will attend RSA in San Francisco to see the latest cyber technologies on display and discuss key issues. No topic will be higher on the agenda than the Russian-sponsored hack of the American 2016 election, with debate about why the country has done so little to respond and what measures should be taken to deter future attempts at subverting our democracy.

For good reason. There is now clear evidence of Russian interference in the election with Special Counsel Mueller’s 37-page indictment of 13 Russians yet the attack on US sovereignty and stability has gone largely unanswered.  The $120 million set aside by Congress to address the Russian attacks remains unspent. We expelled Russian diplomats but only under international pressure after the poisoning of a former Russian spy and his daughter.

Recent sanctions are unlikely to change the behavior of the Putin administration. To put it bluntly, we have done nothing of substance to address our vulnerability to foreign cyberattacks. Meanwhile, our enemies gain in technological capability, sophistication and impact.

Along with the Russians, the Chinese, North Koreans, Iranians and newly derived nation states use cyber techniques on a daily basis to further their efforts to gain advantage on the geopolitical stage. It is a conscious decision by these governments that a proactive cyber program advances their goals while limiting the United States.


We were once dominant in this realm both technically and with our knowledge and skillsets. That playing field has been leveled and we sit idly by without the will or focus to try and regain the advantage. This is unacceptable, untenable and will ultimately lead to potentially dire consequences.

In March of this year, the US CyberCommand released  a vision paper called “Achieve and Maintain Cyberspace Superiority.” It is a call to action to unleash the country’s cyber warriors to fight  for our national security in concert with all other diplomatic and economic powers available to the United States.

It’s a start but a vision statement is not enough.  Without a proper organizational structure, the United States will never achieve operational excellence in its cyber endeavors.  Today we are organized to fail.  Our capabilities are distributed across so many different parts of the government that they are overwhelmed with bureaucracy, inefficiency and dilution of talent.

The Department of Homeland Security is responsible for national protection including prevention, mitigation and recovery from cyber attacks. The FBI, under the umbrella of the Department of Justice, has lead responsibility for investigation and enforcement. The Department of Defense, including US CyberCommand, is in charge of national defense. In addition, each of the various military branches has its own cyber units. No one who wanted to win would organize a critical capability in such a distributed and dispersed manner.

How could our lawmakers know what policy to pass? How do we recruit and train the best of the best in an organization, when it might just be a rotation through a military branch? How can we instantly share knowledge that benefits all when these groups don’t even talk to one another? Our current approach does not and cannot work.


What is needed is a sixteenth branch of the Executive — a Department of Cybersecurity — that  would assemble the country’s best talent and resources to operate under a single umbrella and a single coherent policy.  By uniting our cyber efforts we would make the best use of limited resources and ensure seamless communications across all elements dealing in cyberspace. The department would  act on behalf of the government and the private sector to protect against cyberthreats and, when needed, go on offense.

As with physical defense, sometimes that means diplomacy or sanctions, and sometimes it means executing missions to cripple an enemy’s cyber-operations. We  have the technological capabilities, we have the talent, we know what to do but unless all of this firepower is unified and aimed at the enemy we might as well have nothing.

When a Department of Cybersecurity is discussed in Washington, it is usually rejected because of the number of agencies and departments affected. This is code for loss of budget and personnel. We must rise above turf battles if we are to have a shot at waging an effective cyber war. There are some who have raised concerns about coordination on offensive actions but they can be addressed by a clear chain of command with the Defense Department to avoid the potential of a larger conflict.

We must also not be thrown by comparisons to the Department of Homeland Security and conclude a Cybersecurity department would face the same challenges. DHS was 22 different agencies thrust into one. A Department of Cybersecurity would be built around a common set of skills, people and know-how all working on a common issue and goal. Very different.

Strengthening our cyberdefense is as vital as having a powerful standing army to defend ourselves and our allies. Russia, China and others have invested in their cyberwar capabilities to exploit our systems almost at will.

Counterpunching those efforts requires our own national mandate executed with Cabinet level authority. If we don’t bestow this level of importance to the fight and set ourselves up to win, interference in US elections will not only be repeated …  such acts will seem trivial in comparison to what could and is likely to happen.


Averon closes $8.3M funding to make your smartphone the key to ID online


Because of the threat of cyber attacks, sign in and identity verification procedures are becoming utterly cumbersome. There’s no “identity” layer to the internet (until there is a mainstream Blockchain solution perhaps?). However, using signalling and data packets, and the SIM/eSIM chips already found in smartphones, you could make this much easier. It would also require no installation and much less effort for users, and could be rolled out in areas like IoT.

This is what SF-based startup Averon is working on. They call it Direct Autonomous Authentication (DAA), or a mobile identity verification standard that is both pretty frictionless and very secure.

Averon has now closed an $8.3 million Series A financing round led by Avalon Ventures. The idea is to make the hacks involving Equifax, Target, Home Depot, Anthem Medicare, a thing of the past.

Developed in stealth for nearly two years, Averon’s security solution takes the real-time mobile network signal from your phone and the SIM/eSIM chips to create authentication.

With existing solutions, users manually enter ID info on their device, use 2-factor authentications, and biometric info that is easily breached and prone to human error. Your mobile carrier actually knows who you are, but so far packet device origination tracking (SIM) has been limited to carrier use and carriers themselves have been viewed as siloed networks. This solution breaks down the barriers.

Wendell Brown, CEO and chairman of Averon says DAA “has the potential to substantially reduce the exposure each of us has to the growing wave of cybercriminals.” His co-founder is Lea Tarnowski, a former UK-based VC partner.

Tarnowski was formerly an investment manager at Northzone Ventures, one of Europe’s leading global venture capital funds.

Brown is an acclaimed computer scientist, entrepreneur, and inventor known for his innovations in telco and mobile security with 20 years of expertise in cryptosecurity and a U.S. Department of Defense security.

Averon is led by a cadre of business leaders, engineers and cybersecurity experts with backgrounds spanning MIT, Harvard Business School, Stanford, USC, Cornell, the NSA, the Israel Defense Force, PayPal, Microsoft, and other top universities and institutions. It’s also the creator and holder of IP protected by 15 U.S. and international patents.
