HotSpot Shield’s parent company Pango has been acquired by the digital security company Aura for an undisclosed sum.
Posts tagged "Security"
An Evolution In Endpoint Security
In what must be a direct result of the workforce shift, endpoint security went from the fifth-highest to the second-highest spend in the past six months.
Top 5 Key Takeaways From Cyber Security Hub In June
The Cyber Security Hub community has safely made its way into July. As cyber security is a moving target, we take the opportunity to share perspective on where our collective sites were most recently…
Discovering A Brief History Of Cyber Security & Our Latest Inflection Point
How cyber security experts can remember the past, glean new key learnings, apply those insights to today’s plan and benefit the enterprise tomorrow.
Identity Access, Endpoint Security & User Productivity
No matter where you currently are on the "return" continuum, it seems some form of heightened remote work is here to stay. The days of 30%ish of your workforce remotely accessing your systems som…
Cyber Security Budget Shift Happens: What Action Can A CISO Take?
The dollar cost of a breach, plus the future IP cost of that breach, plus the cost to the perception of the brand when the breach hits the headlines: explain all of that. Then ask: is it worth saving…
Netgear router security flaws finally patched after six months
Netgear has issued patches to fix security vulnerabilities in two of its routers which can be exploited by an attacker to take full control of the devices remotely.
The two devices that have received patches are the R6400v2 and R6700v3. However, 77 other Netgear router models reportedly remain vulnerable to the same zero-day flaw, which was reported to the company back in January of this year.
The vulnerability, which lies in the HTTPD daemon used to manage the routers, was discovered independently by both Grimm's Adam Nichols and d4rkn3ss from Vietnam's VNPT ISC through the Zero Day Initiative (ZDI).
ZDI has released a report that includes some information about the vulnerability, while Nichols has written a lengthy blog post describing it in detail, along with a Proof of Concept (PoC) exploit and scripts to find vulnerable routers online.
Zero-day vulnerability
Based on the reports about the vulnerability, the HTTPD daemon on affected router models does not check the length of user-supplied data before copying it into a fixed-length buffer, so an oversized request overflows that buffer and overwrites whatever sits beyond it on the stack.
To exploit the flaw, an attacker sends a specially crafted request to the daemon; because the bug is reached before any login check, no authentication is required to get command execution on the device. In his blog post, Nichols explained that while stack cookies would normally mitigate this kind of bug, many of Netgear's routers are built without them, saying:
“In most modern software, this vulnerability would be unexploitable. Modern software typically contains stack cookies which would prevent exploitation. However, the R7000 does not use stack cookies. In fact, of all of the Netgear products which share a common codebase, only the D8500 firmware version 1.0.3.29 and the R6300v2 firmware versions 1.0.4.12-1.0.4.20 use stack cookies. However, later versions of the D8500 and R6300v2 stopped using stack cookies, making this vulnerability once again exploitable.”
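The copy-without-a-length-check that Nichols describes, and why the missing stack cookies matter for it, as an added example that is not code from the Netgear firmware or from his post: the handler's stack frame is modelled as one byte array (input buffer, then the cookie slot, then the saved return address) so the overflow can be observed without undefined behaviour. The buffer size, the cookie and return-address values, and the two request bodies are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Model of the request handler's stack frame: a 32-byte input buffer
 * followed by the stack cookie and the saved return address. Kept as one
 * byte array so the "overflow" stays inside a real object and the
 * demonstration is defined C, unlike the real bug.
 */
#define BUF_LEN    32
#define COOKIE_OFF (BUF_LEN)
#define RET_OFF    (BUF_LEN + 4)
#define FRAME_LEN  (BUF_LEN + 8)

typedef struct { unsigned char bytes[FRAME_LEN]; } frame_t;

/* Constructed values; a real cookie is a per-process random secret. */
static const unsigned char COOKIE[4] = {0xDE, 0xAD, 0xBE, 0xEF};
static const unsigned char RET_OK[4] = {0x00, 0x40, 0x10, 0x00};

enum outcome { HANDLED = 0, REJECTED = 1, COOKIE_ABORT = 2, HIJACKED = 3 };

static void frame_init(frame_t *f)
{
    memset(f->bytes, 0, FRAME_LEN);
    memcpy(f->bytes + COOKIE_OFF, COOKIE, sizeof COOKIE);
    memcpy(f->bytes + RET_OFF, RET_OK, sizeof RET_OK);
}

/* The bug: copy until NUL with no regard for the buffer size (strcpy).
 * The bound on FRAME_LEN only keeps the model inside the array; a real
 * strcpy keeps writing across whatever follows the frame. */
static void copy_unchecked(frame_t *f, const char *src)
{
    size_t i;
    for (i = 0; src[i] != '\0' && i < (size_t)FRAME_LEN; i++)
        f->bytes[i] = (unsigned char)src[i];
}

/* The fix: compare the length against the buffer before copying. */
static int copy_checked(frame_t *f, const char *src)
{
    size_t n = strlen(src);
    if (n >= BUF_LEN)            /* no room for the data plus its NUL */
        return -1;
    memcpy(f->bytes, src, n + 1);
    return 0;
}

/* What a compiler-inserted stack cookie check does at function return. */
static int cookie_intact(const frame_t *f)
{
    return memcmp(f->bytes + COOKIE_OFF, COOKIE, sizeof COOKIE) == 0;
}

/* Whether the saved return address still points where the caller expects. */
static int return_intact(const frame_t *f)
{
    return memcmp(f->bytes + RET_OFF, RET_OK, sizeof RET_OK) == 0;
}

/*
 * Run one request through the handler under three builds:
 *   checked=1             the patched code path
 *   checked=0, cookie=1   unpatched, but built with stack cookies
 *   checked=0, cookie=0   unpatched, no cookies (the situation Nichols describes)
 */
enum outcome handle_request(const char *body, int checked, int cookie)
{
    frame_t f;
    frame_init(&f);

    if (checked) {
        if (copy_checked(&f, body) != 0)
            return REJECTED;
    } else {
        copy_unchecked(&f, body);
    }

    if (cookie && !cookie_intact(&f))
        return COOKIE_ABORT;     /* __stack_chk_fail: a crash, not code execution */
    if (!return_intact(&f))
        return HIJACKED;         /* ret pops an attacker-controlled address */
    return HANDLED;
}

/* Constructed request bodies: one that fits, one that runs past the buffer
 * over the cookie slot and onto the saved return address. */
static const char BENIGN[] = "GET /index.htm";
static const char OVERFLOW_BODY[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"   /* 32 bytes fill the buffer   */
    "BBBB"                               /* lands on the cookie slot   */
    "CCCC";                              /* lands on the return address */

int main(void)
{
    printf("benign, no checks:        %d\n", handle_request(BENIGN, 0, 0));
    printf("overflow, no cookie:      %d\n", handle_request(OVERFLOW_BODY, 0, 0));
    printf("overflow, with cookie:    %d\n", handle_request(OVERFLOW_BODY, 0, 1));
    printf("overflow, length checked: %d\n", handle_request(OVERFLOW_BODY, 1, 0));
    return 0;
}
```

The three outcomes for the oversized body are the whole argument in the quote: with a cookie the overwrite is caught at return and the daemon merely crashes; without one the same input silently replaces the return address, which is the first step of a code-execution exploit; only the length check in the patched path refuses the input outright.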
By default, the HTTPD daemon on these routers is only reachable from the LAN, although admins can enable remote management so that it is reachable over the internet. Even when it is not exposed, an attacker can lure a user on the LAN to a malicious website whose JavaScript performs a DNS rebinding attack: the attacker's hostname is re-resolved to the router's LAN address, so the victim's browser ends up sending the exploit request to the router from inside the network, giving remote command execution on devices that are not reachable from the internet.
If you have Netgear's R6400v2 or R6700v3 router you can download hot-fixes for the vulnerability now, but if you have one of the 77 other affected models, you're out of luck until the company releases patches for them. In the meantime, keep remote management disabled; that closes the direct route from the internet, but, as above, it does not stop the DNS rebinding route.
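A check that breaks the DNS rebinding route described above, as an added example that is not Netgear's code: the device's HTTPD compares the Host header the browser sends against the names and addresses it legitimately answers to and refuses anything else. A rebound request carries the attacker's public hostname in Host, because the browser sends the name it resolved, not the address it ended up connecting to. The allowed names and the sample requests are constructed for the illustration; this is a mitigation for the delivery route, not a fix for the overflow itself.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Names the device legitimately answers to. Constructed for the example; a
 * real firmware would use its current LAN address and its own hostname. */
static const char *ALLOWED_HOSTS[] = { "192.168.1.1", "router.lan" };
#define N_ALLOWED (sizeof ALLOWED_HOSTS / sizeof ALLOWED_HOSTS[0])

/* Case-insensitive compare of the first n bytes (header names are case-insensitive). */
static int ieq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
        if (a[i] == '\0')
            return 1;
    }
    return 1;
}

/* Case-insensitive compare of two whole strings (hostnames are case-insensitive). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Copy the Host header value, minus any :port suffix, into out.
 * Returns 0 on success, -1 if the header is missing, empty or does not fit. */
int extract_host(const char *request, char *out, size_t outlen)
{
    const char *p = request;

    while ((p = strchr(p, '\n')) != NULL) {
        p++;                                   /* first byte of the next header line */
        if (*p == '\0' || *p == '\r' || *p == '\n')
            break;                             /* blank line: end of headers */
        if (!ieq_n(p, "Host:", 5))
            continue;

        const char *v = p + 5;
        size_t n = 0;
        while (*v == ' ' || *v == '\t')
            v++;
        if (*v == '[') {                       /* bracketed IPv6 literal: keep it whole */
            while (v[n] && v[n] != ']' && v[n] != '\r' && v[n] != '\n')
                n++;
            if (v[n] == ']')
                n++;
        } else {                               /* hostname or IPv4: stop at :port */
            while (v[n] && v[n] != ':' && v[n] != '\r' && v[n] != '\n')
                n++;
        }
        while (n > 0 && (v[n - 1] == ' ' || v[n - 1] == '\t'))
            n--;
        if (n == 0 || n >= outlen)
            return -1;
        memcpy(out, v, n);
        out[n] = '\0';
        return 0;
    }
    return -1;
}

/* Serve only requests addressed to one of our own names; refuse the rest,
 * including requests with no usable Host header at all. */
int request_allowed(const char *request)
{
    char host[256];
    if (extract_host(request, host, sizeof host) != 0)
        return 0;
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (ieq(host, ALLOWED_HOSTS[i]))
            return 1;
    return 0;
}

/* Does the request carry exactly this Host name (after port stripping)? */
int host_equals(const char *request, const char *expected)
{
    char host[256];
    return extract_host(request, host, sizeof host) == 0 && strcmp(host, expected) == 0;
}

/* Constructed requests: from a LAN browser, via a rebound attacker name,
 * with a port suffix and odd header casing, and with no Host header. */
static const char REQ_LAN[] =
    "GET /index.htm HTTP/1.1\r\nHost: 192.168.1.1\r\nConnection: close\r\n\r\n";
static const char REQ_REBOUND[] =
    "GET /index.htm HTTP/1.1\r\nHost: attacker.example\r\nConnection: close\r\n\r\n";
static const char REQ_PORT[] =
    "GET /index.htm HTTP/1.1\r\nhost: Router.LAN:8080\r\n\r\n";
static const char REQ_NOHOST[] =
    "GET /index.htm HTTP/1.0\r\n\r\n";

int main(void)
{
    printf("lan:     %d\n", request_allowed(REQ_LAN));
    printf("rebound: %d\n", request_allowed(REQ_REBOUND));
    printf("port:    %d\n", request_allowed(REQ_PORT));
    printf("no host: %d\n", request_allowed(REQ_NOHOST));
    return 0;
}
```

The check has to be done in the daemon rather than at the firewall, because a rebound request arrives over an ordinary LAN connection from the victim's own browser; nothing about the TCP connection distinguishes it from a legitimate one, only the Host name does.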
Via BleepingComputer
IoT Security
Digital identities for IoT devices identify them within their ecosystem. From there, authorization is granted only to the IDs of the devices we want active on our home or enterprise network. This syst…
Cisco fixes major security flaws in Webex on Windows and Mac
Cisco has addressed two high severity vulnerabilities in its Webex video conferencing software that could have allowed unprivileged attackers to run programs and code on vulnerable systems.
The two vulnerabilities, tracked as CVE-2020-3263 and CVE-2020-3342, affect Cisco Webex Meetings Desktop App releases earlier than version 39.5.12, and all Webex users should update their software to the latest version to avoid falling victim to any potential exploits.
In an advisory concerning the arbitrary program execution flaw affecting Webex's Windows client, Cisco provided more details on the vulnerability and explained what an attacker could do to a user's system following a successful exploit, saying:
“The vulnerability is due to improper validation of input that is supplied to application URLs. The attacker could exploit this vulnerability by persuading a user to follow a malicious URL. A successful exploit could allow the attacker to cause the application to execute other programs that are already present on the end-user system. If malicious files are planted on the system or on an accessible network file path, the attacker could execute arbitrary code on the affected system.”
Webex vulnerabilities
Cisco also patched a remote code execution vulnerability in Webex's Mac client, caused by improper certificate validation of the software update files the client downloads.
The vulnerability could allow an unauthenticated remote attacker to execute arbitrary code with the privileges of the logged-in macOS user. In a separate advisory, Cisco explained how an attacker could exploit the vulnerability, saying:
“An attacker could exploit this vulnerability by persuading a user to go to a website that returns files to the client that are similar to files that are returned from a valid Webex website. The client may fail to properly validate the cryptographic protections of the provided files before executing them as part of an update.”
Cisco has since fixed both of these vulnerabilities with the release of version 40.1.0 of Webex for Windows and version 39.5.11 of Webex for Mac. Windows and Mac users can update their Cisco Webex clients by following Cisco's update instructions, while admins can update both versions of the client by following its deployment guide.
Via BleepingComputer
Tactic & Strategy In Cyber Security
This new threat landscape, while more immediately dynamic, was noticeable. 100% remote couldn't have been predicted, but the tools that have opened up new threat vectors were already being used in lim…