This Week In Security: Zero Days, Notarized Malware, Jedi Mind Tricks, And More

Honeypots are an entertaining way to learn about new attacks. A simulated vulnerable system is exposed to the internet, inviting anyone to try to break into it. Rather than actually compromising a deployed device, and attacker just gives away information about how they would attack the real thing. A honeypot run by 360Netlab found something interesting back in April: an RCE attack against QNAP NAS devices. The vulnerability is found in the logout endpoint, which takes external values without properly sanitizing them. These values are used as part of an snprintf statement, and then executed with a system() call. Because there isn’t any sanitization, special characters like semicolons can be injected into the final command to be run, resulting in a trivial RCE.

QNAP has released new firmware that fixes the issue by replacing the system() call with execv(). This change means that the shell isn’t part of the execution process, and the command injection loses its bite. Version 4.3.3 was the first firmware release to contain this fix, so if you run a QNAP device, be sure to go check the firmware version. While this vulnerability was being used in the wild, there doesn’t seem to have been a widespread campaign exploiting it.

Continue reading “This Week In Security: Zero Days, Notarized Malware, Jedi Mind Tricks, And More”

Criminals Steal Credit Card Data Just By Wardriving

Anime doll holding VISA card
A federal grand jury in Boston has charged eleven people with the theft of more than 41 million credit and debit card numbers from retail stores. What makes this case interesting is that, although the defendants stole the data from retail establishments, they did so without ever having to leave their cars; they stole the numbers while wardriving. While the report doesn’t make it clear whether the targeted networks used weak encryption or were simply unsecured, it’s obvious that the security of your data is still not a top priority for many companies.

[photo: Mujitra]