Security Roundup - 2018-05-10
RouterSploit 3.0 Released. A security tool for auditing routers has gotten a major upgrade. The biggest new feature tries to address the plague of default credentials, but providing a framework for anyone to add the appropriate authentication method for devices. This seems pretty important area of research, given stories like:
- This tweet suggesting that Zerodium has paid out bounties for exploits for every major router.
- Patches for critical vulnerabilities in Sierra Wireless devices.
- Router malware that survives reboots.
- Another set of exploits for GPON routers impacting millions of devices.
Other internet connected device flaws. Routers are not the only devices with reported flaws this week:
- This DVR exploit that is so simple the exploit fits into a tweet.
- More flaws discovered in SCADA devices.
- The Harmony Hub has several flaws discovered, including being able to turn on a dormant SSH server to gain remote control.
Office 365 Zero day discovered. Overlooked html functionality has resulted in an Office 365 zero day which bypasses security checks.
Fun with passwords. Who better to get password tips than from those that break them? Rapid7 has collected passwords from a number of security engagements and has some tips on how people can do better. Troy Hunt also reminds us all that password selection is horrible, with more than 86% of passwords in a recent breach already appearing in other breaches making brute force attempts that much easier.
Hijacked Accounts on Steam. Finally frustrated by scammers on the online gaming community Steam, one security researchers set out to discover how they worked, leading to him finding their admin console and alerting Steam of compromised user accounts.
OS Makers misread docs, build in vulnerabilities. The majority of OS providers are releasing patches this week to deal with a misunderstanding on how Intel deals with debug exceptions due to ambiguous documentation. This could allow an attacker with physical access to a machine to get elevated privileges.