Security News for the Week Ending September 6, 2019
Cisco: Critical Bug Allows Remote Takeover of Routers
Cisco rated this bug 10 out of 10. For users of Cisco 4000 series ISRs, ASR 1000 series aggregation routers, 1000v cloud routers and integrated services virtual routers, an unauthenticated user can gain full control just by sending a malicious HTTP request. So yet another reminder that patching your network gear is critical. For Cisco, that means having to purchase their maintenance agreement every year. Source: Threatpost.
USBAnywhere – Especially Places You Don’t Want
Eclypsium announced a vulnerability in the Baseboard Management Controller (BMC) in Supermicro motherboards that allows any attacker anywhere, without authorization, to access the BMC chipset and mount a virtual USB device, wreaking all kinds of havoc as you might imagine. Like stealing your data, installing malware or even disabling the server entirely. The researchers found 14,000 servers publicly exposed, which is a small number, but as soon as a hacker compromises a single user’s computer anywhere in the enterprise, public equals private – no difference. Part of the problem is that almost no one knows whose motherboard is inside their server. The only good news, if there is any, is that Supermicro has released patches, but you have to figure out if your boards are vulnerable and patch them manually. Isn’t that exciting? Source: The Hacker News.
Remember When We Thought iPhones Were Secure?
Apparently that myth is beginning to get a little tarnished. In fact, Android zero days are worth more than iPhone attacks. Why? Because, exploit broker Zerodium says, iPhone exploits, mostly based on Safari and iMessage, two core parts of the iPhone, are FLOODING the market.
I don’t think that users need to panic, but I think that they need to understand that iPhones are computers running software and software has bugs. All software has bugs. Practice safe computing, no matter what platform you are using. Source: Vice.
Unencrypted Passwords from Poshmark Breach For Sale on the Dark Web
When Poshmark put up an information-free notice last year saying that some user information had been hacked (turns out it was 36 million, even though they didn’t say so) but that no financial information was taken, so they didn’t feel too bad about it, most people said: another day, another breach.
The 36 million accounts were for sale for $750, which means that even the hacker didn’t think they were valuable. But now there are reports that one million of those accounts are available with the passwords decrypted, likely at a much higher price. Does this mean they are working on the other 35 million? Who knows, but if you have a Poshmark account, you should definitely change that password, and if the password was used elsewhere, change that too. Source: Bleeping Computer.
Researchers Claim to Have Hacked the Secure Enclave
CPU makers have created what they call a “secure enclave” as a way to protect very sensitive information in the computer. Intel calls their feature SGX. Researchers claim to have created an attack based on Intel’s and AMD’s assumption that only non-malicious code would run in a secure enclave. If this all proves out, it represents a real threat and reiterates the fact that you have to keep hackers out, because once they are in, nothing is safe. Source: Bruce Schneier.