Intel chip vulnerability lets hackers easily hijack fleets of PCs

Security researchers say exploiting the vulnerability requires little technical expertise, and can result in a hacker taking full control of an affected PC.

A vulnerability in Intel chips that went undiscovered for almost a decade allows hackers to remotely gain full control over affected Windows PCs without needing a password.

The “critical”-rated bug, disclosed by Intel last week, lies in a feature of Intel’s Active Management Technology (more commonly known as just AMT), which allows IT administrators to remotely carry out maintenance and other tasks on entire fleets of computers as if they were there in person, like software updates and wiping hard drives. AMT also allows the administrator to remotely control the computer’s keyboard and mouse, even if the PC is powered off. …

Source: Intel chip vulnerability lets hackers easily hijack fleets of PCs


Enterprise Chat Client HipChat Hacked

HipChat is a team chat app. Claiming to be “built for business” it promises some very nice features, including group chat, video chat, and screen sharing. Earlier today, all HipChat users were forced to reset their password because the HipChat servers had been broken into.

The hack was due to a vulnerability in a third-party library. The attackers may have gained access to user’s name, email, and hashed passwords, although at this time, there is no indication that user’s messages or content were compromised, although .05 percent of this information was fully available to the attackers. …

Source: Enterprise Chat Client HipChat Hacked – UTB Blogs


Jobseekers Information Hacked in 10 States

If you live in Arizona or other 9 states and you are looking for job, your personal information might be stolen after the state’s website was hacked.

The state of Arizona announced the hack that happened on Friday, 3 days ago. The website is used by Job Seekers in Arizona and was powered by third party company, America’s Joblink.  The information that was stolen can be, name, social security number, ID, and birth date.

There are 7.6 million citizens in Arizona so it could be that more then 1 million information details were stolen. In Delaware, that have less then one million citizens, more then 200K of personal details were stolen 2 days ago. …

Source: Jobseekers Information Hacked in 10 States – UTB Blogs


Hackers: We Will Remotely Wipe iPhones Unless Apple Pays Ransom

A hacker or group of hackers is apparently trying to extort Apple over alleged access to a large cache of iCloud and other Apple email accounts.

The hackers, who identified themselves as ‘Turkish Crime Family’, demanded $75,000 in Bitcoin or Ethereum, another increasingly popular crypto-currency, or $100,000 worth of iTunes gift cards in exchange for deleting the alleged cache of data.

“I just want my money and thought this would be an interesting report that a lot of Apple customers would be interested in reading and hearing,” one of the hackers told Motherboard.

The hackers provided screenshots of alleged emails between the group and members of Apple’s security team. One also gave Motherboard access to an email account allegedly used to communicate with Apple. …

Source: Hackers: We Will Remotely Wipe iPhones Unless Apple Pays Ransom – Motherboard


Testing finds ‘100 percent’ of mobile banking apps hackable

“Even as security specialists, we were quite surprised” by the 100 percent failure rate, said an executive from Pradeo, the company that did the testing.

Mobile banking applications produced by 50 of the world’s largest 100 banks were all vulnerable to hacking attacks which could allow password capture or surveillance of users, according to new research from a European mobile security outfit.

“We didn’t initially plan to publish the results of our tests,” Caroline Borriello, chief operating officer of Paris-based Pradeo Security Systems told CyberScoop in an interview. “We chose to make this disclosure because we believe it’s important for people to know” how insecure mobile banking apps actually are. …

Source: Testing finds ‘100 percent’ of mobile banking apps hackable – Cyberscoop


Edge, VMWare, Safari And Ubuntu Linux Hacked at Pwn2Own 2017

The 10th annual Pwn2Own hacking competition ended Friday in Vancouver. Some of the highlights:

  • Ars Technica reports one team “compromised Microsoft’s heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in… by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel and an uninitialized buffer vulnerability in VMware.”
  • Digital Trends reports “Samuel Grob and Niklas Baumstark used a number of logic bugs to exploit the Safari browser and eventually take root control of the MacOS on a MacBook Pro, [and] impressed onlookers even more by adding a custom message to the Touch Bar which read: “pwned by niklasb and saelo.”
  • Ubuntu 16.10 Linux was also successfully attacked by exploiting a flaw in the Linux 4.8 kernel, “triggered by a researcher who only had basic user access but was able to elevate privileges with the vulnerability to become the root administrative account user…” reports eWeek. “Chaitin Security Research Lab didn’t stop after successfully exploiting Ubuntu. It was also able to successfully demonstrate a chain of six bugs in Apple Safari, gaining root access on macOS.”
  • Another attacker “leveraged two separate use-after-free bugs in Microsoft Edge and then escalated to SYSTEM using a buffer overflow in the Windows kernel.” …

Source: Edge, VMWare, Safari, And Ubuntu Linux Hacked at Pwn2Own 2017 – Slashdot


Association of British Travel Agents Hacked

The UK’s Association of British Travel Agents (ABTA) found their website hacked into. The attackers gained access to around 1000 files, which included identity information on around 43,000 users.

“It is extremely disappointing that our web server, managed for Abta through a third party web developer and hosting company, was compromised and we are taking every step we can to help those affected.” stated ABTA Chief Executive Mark Tanzer. …

Source: Association of British Travel Agents Hacked – UTB Blogs


Researchers Uncover macOS and Safari Exploits at Pwn2Own 2017

… Day one results have already been published over at the Zero Day Initiative website, with a couple of successful Mac-related exploits already appearing in the list of achievements. Independent hackers Samuel Groß and Niklas Baumstark landed a partial success and earned $28,000 after targeting Safari with an escalation to root on macOS, which allowed them to scroll a message on a MacBook Pro Touch Bar. …

Later in the day, Chaitin Security Research Lab also targeted Safari with an escalation to root on macOS, finding success using a total of six bugs in their exploit chain, including “an info disclosure in Safari, four type confusion bugs in the browser, and a UAF in WindowServer”. The combined efforts earned the team $35,000. …

The participating teams earned a total of $233,000 in prizes on day one, including a leading $105,000 earned by Tencent Security, according to published details. Other software successfully targeted by contestants include Adobe Reader, Ubuntu Desktop, and Microsoft Edge on Windows. …

Source: Researchers Uncover macOS and Safari Exploits at Pwn2Own 2017


Teen quiz app Wishbone hacked, users’ emails and phone numbers exposed

Check your kid’s phone for this app, ASAP: Wishbone. This popular quiz app for kids, tweens and teens has been hacked, according to a report from Motherboard out this morning. The hack involved 2.2 million email addresses, as well as 287,000 phone numbers, many of which are from kids under the age of 18.

The app is operated by the incubator Science, and is one of the more popular social networking applications in the U.S., currently ranking No. 14 in that category on iTunes.

Users have been alerted to the hack by way of an email from the company, which explains that it became aware of the breach on March 14, 2017. …

Source: Teen quiz app Wishbone hacked, users’ emails and phone numbers exposed


4 ways cyber attackers may be hacking your IoT devices

Many (too many) of the connected devices that make up the Internet of Things (IoT) are extremely easy to hack. New IoT devices are being designed and released every day — from consumer items, like light bulbs and automobiles to industrial equipment, like drones and entire power plants. But many of these devices are built little-to-no security in place.

“IoT devices are simply computers and can be hacked in any ways that a traditional computer could be hacked,” says Patrick Wardle, director of research for Synack, a cybersecurity company. Even more alarming, because IoT devices are often connected directly to the internet, they can be accessed by attackers all over the world, explained Wardle. …

To know more about what the worst-case IoT security scenarios are, here are a few common ways that attackers are hijacking IoT devices:

  1. Mass vulnerability probing …
  2. Exploiting universal Plug-and-Play (uPNP) …
  3. Intercepting the cellular network …
  4. Reverse-engineering firmware …

Source: 4 ways cyber attackers may be hacking your IoT devices