Security Alerts & News
by Tymoteusz A. Góral

#1460 Hackers found 47 new vulnerabilities in 23 IoT devices at DEF CON
Smart door locks, padlocks, thermostats, refrigerators, wheelchairs and even solar panel arrays were among the internet-of-things devices that fell to hackers during the IoT Village held at the DEF CON security conference in August.

A month after the conference ended, the results are in: 47 new vulnerabilities affecting 23 devices from 21 manufacturers were disclosed during the IoT security talks, workshops and onsite hacking contests.

The types of vulnerabilities found ranged from poor design decisions like the use of plaintext and hard-coded passwords to coding flaws like buffer overflows and command injection.

Door locks and padlocks from vendors like Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Lagute, Okidokeys, Danalock were found to be vulnerable to password sniffing and replay attacks, where a captured command can be replayed later to open the locks.
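The replay weakness described above comes down to the unlock command carrying no freshness: the same bytes open the lock every time, so one sniffed message is a permanent key. The following is an added example, not code from the IoT Village talks or from any of the vendors named: a toy model of such a static-command lock next to a challenge-response design that binds each unlock to a lock-issued nonce. The wire format, the `PASSWORD`/`KEY` values and the `b"unlock"` label are assumptions made up for illustration.

```python
import hashlib
import hmac
import os

# Constructed values for the example; a real product would provision these at pairing time.
PASSWORD = b"1234"      # static credential of the weak lock (assumption)
KEY = os.urandom(32)    # shared secret of the challenge-response lock (assumption)


class StaticCommandLock:
    """Weak design: the phone sends the same 'UNLOCK:<password>' bytes every time.
    Anyone who sniffs the radio once has both the password and a replayable command."""

    def __init__(self, password: bytes):
        self.password = password
        self.is_open = False

    def handle(self, msg: bytes) -> bool:
        self.is_open = msg == b"UNLOCK:" + self.password
        return self.is_open


class ChallengeResponseLock:
    """Hardened design: the lock issues a fresh random nonce per unlock attempt and
    accepts only an HMAC over that nonce. A captured response is bound to a nonce
    the lock will never issue again, so replaying it fails."""

    NONCE_LEN = 16

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None     # nonce of the unlock attempt in progress, if any
        self.is_open = False

    def challenge(self) -> bytes:
        self.pending = os.urandom(self.NONCE_LEN)
        return self.pending

    def handle(self, msg: bytes) -> bool:
        if self.pending is None:    # no challenge outstanding: nothing to verify against
            self.is_open = False
            return False
        nonce, tag = msg[:self.NONCE_LEN], msg[self.NONCE_LEN:]
        expected = hmac.new(self.key, b"unlock" + self.pending, hashlib.sha256).digest()
        ok = nonce == self.pending and hmac.compare_digest(tag, expected)
        self.pending = None         # nonce is single-use whether or not the check passed
        self.is_open = ok
        return ok


def phone_response(key: bytes, nonce: bytes) -> bytes:
    """What the legitimate app sends back for a given challenge."""
    return nonce + hmac.new(key, b"unlock" + nonce, hashlib.sha256).digest()


def run_scenario():
    """Simulate a sniffer capturing one legitimate unlock and replaying it against each design.
    Returns (weak_first, weak_replay, strong_first, strong_replay, password_in_capture)."""
    weak = StaticCommandLock(PASSWORD)
    captured = b"UNLOCK:" + PASSWORD            # what a sniffer sees on the air
    weak_first = weak.handle(captured)          # owner's unlock works...
    weak_replay = weak.handle(captured)         # ...and so does the attacker's replay
    password_in_capture = PASSWORD in captured  # the credential itself is also exposed

    strong = ChallengeResponseLock(KEY)
    captured2 = phone_response(KEY, strong.challenge())
    strong_first = strong.handle(captured2)     # owner's unlock works
    strong.challenge()                          # next attempt gets a fresh nonce
    strong_replay = strong.handle(captured2)    # replay of the old response is rejected
    return weak_first, weak_replay, strong_first, strong_replay, password_in_capture


if __name__ == "__main__":
    print(run_scenario())  # (True, True, True, False, True)
```

The nonce is consumed whether or not the check passes, so an attacker cannot probe the lock with guessed tags against a single challenge; the HMAC is compared with `hmac.compare_digest` to avoid a timing side channel on the tag. Neither design alone addresses the other class the item mentions, hard-coded credentials shared across every unit of a product.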

A wheelchair from an unknown vendor had a vulnerability that could be exploited to disable a safety feature and take control of the device. A thermostat from Trane used a weak plaintext protocol that could let attackers cause excessive heating, furnace failures or frozen water pipes by manipulating the thermostat's functions.
#1459 iOS 10 security updates move to HTTPS
Apple has finally moved its iOS security update mechanism to HTTPS with today’s release of iOS 10.

Previously, updates were sent to devices over HTTP and attackers already present on a network could potentially intercept and manipulate updates.

“An issue existed in iOS updates, which did not properly secure user communications. This issue was addressed by using HTTPS for software updates,” Apple said in its advisory, adding that a man-in-the-middle attacker could block devices from receiving updates.
#1458 Microsoft patches 47 vulnerabilities with September Patch Tuesday
Microsoft patched 47 vulnerabilities as part of 14 security bulletins, seven critical, with its monthly Patch Tuesday updates today.

The company is warning users that, if left unpatched, 10 of the issues can lead to remote code execution.

The updates resolve issues in Microsoft Windows, Office, Office Services and Web Apps, Exchange, the Internet Explorer and Edge browsers and Adobe Flash Player.

Among the bugs fixed on Tuesday is a 10-year-old vulnerability, CVE-2016-0137, in Detours, the Microsoft hooking library used by Office. The bug, disclosed over the summer and discussed in depth at Black Hat, affected a handful of antivirus platforms that use code hooking. The vulnerability allowed attackers to bypass exploit mitigations present in Windows and in those third-party applications. Researchers at enSilo, who unearthed the bug, disclosed it to Microsoft nine months ago, prior to Black Hat. At the time the researchers warned that hundreds of thousands of users could be affected by the vulnerability.
#1457 UK: Government data security slammed in new report
The National Audit Office has issued a damning report on the UK government's approach to digital security.

The central teams and departments dedicated to protecting information were found to be operating without cohesion and governance.

There are 73 teams and 1,600 staff across government with data security responsibilities.

However there was a lack of awareness among staff about who to contact for guidance, the NAO said.

"None of the departments we interviewed understood the specific roles of the various bodies involved, making it difficult to identify any single arbiter of standards or guidance," the report stated.