Vulnerabilities in industrial gas detectors require little skill to exploit

Industry advisory urges organizations to patch Honeywell Midas immediately.

Gas detectors used in factories and other industrial settings to identify toxic conditions contain several vulnerabilities that can allow hackers to remotely sabotage the devices, according to an industry advisory published late last week.

The vulnerabilities in the Midas and Midas Black gas detectors manufactured by Honeywell can be exploited by hackers with a low skill level, according to the advisory, which was published Thursday by the Industrial Control System Cyber Emergency Response Team. The first weakness is a "path traversal" weakness, which allows remote attackers to bypass the normal authentication system. A second one results in the failure to encrypt user passwords when they're being transmitted.

"Successful exploitation of these vulnerabilities could allow a remote attacker to gain unauthenticated access to the device, potentially allowing configuration changes, as well as the initiation of calibration or test processes," the advisory warned. The notice went on to advise organizations that rely on the detectors to install versions 1.13b3 or 2.13b3, which patch against the vulnerabilities. The advisory pointed to this link from Honeywell.


“Nemesis” malware hijacks PC’s boot process to gain stealth, persistence

Bootkit targeting banks and payment card processors hard to detect and remove.

Malware targeting banks, payment card processors, and other financial services has found an effective way to remain largely undetected as it plucks sensitive card data out of computer memory. It hijacks the computer's boot-up routine in a way that allows highly intrusive code to run even before the Windows operating system loads.

The so-called bootkit has been in operation since early this year and is part of "Nemesis," a suite of malware that includes programs for transferring files, capturing screens, logging keystrokes, injecting processes, and carrying out other malicious actions on an infected computer. Its ability to modify the legitimate volume boot record makes it possible for the Nemesis components to load before Windows starts. That makes the malware hard to detect and remove using traditional security approaches. Because the infection lives in such a low-level portion of a hard drive, it can also survive when the operating system is completely reinstalled.

"The use of malware that persists outside of the operating system requires a different approach to detection and eradication," researchers from security firm FireEye's Mandiant Consulting wrote in a blog post published Monday. "Malware with bootkit functionality can be installed and executed almost completely independent of the Windows operating system. As a result, incident responders will need tools that can access and search raw disks at scale for evidence of bootkits."


Internet-connected Hello Barbie doll gets bitten by nasty POODLE crypto bug

Internet-of-Things security comes to children’s toys. What could possibly go wrong?

The dreaded Hello Barbie. (credit: Mattel)

A recent review of the Internet-connected Hello Barbie doll from toymaker Mattel uncovered several red flags. Not only did the toy use a weak authentication mechanism that made it possible for attackers to monitor communications the doll sent to servers, but those servers were also vulnerable to POODLE, an attack disclosed 14 months ago that breaks HTTPS encryption.

The vulnerabilities, laid out in a report published Friday by security firm Bluebox Labs, are the latest black eye for so-called "Internet of Things" devices. The term is applied to appliances and other everyday devices that are connected to the Internet, supposedly to give them a wider range of capabilities. The Hello Barbie doll is able to hold real-time conversations by uploading the words a child says to a server. Instant processing on the server then allows the doll to provide an appropriate response.

Bluebox researchers uncovered a variety of weaknesses in the iOS and Android apps developed by Mattel partner ToyTalk. The apps are used to connect the doll to nearby Wi-Fi networks. The researchers also reported vulnerabilities in the remote server used to communicate with the doll.


Suspected San Bernardino killers took pains to erase digital footprints

Cell phones smashed with a hammer, hard drive and motherboard removed from computer.

The married couple police say carried out Wednesday's shooting rampage that left 14 people dead in San Bernardino, California, took pains to erase their digital footprints in the hours leading up to the deadly attack, according to a published report.

The husband-and-wife team, identified as Syed Rizwan Farook and Tashfeen Malik, stormed a conference room inside the Inland Regional Center as a holiday party took place Wednesday and sprayed the area with bullets, authorities said. The couple, who wore military-style gear and were armed with high-powered rifles, pipe bombs, and 1,500 rounds of ammunition, were killed by police after a high-speed chase that ended a multi-hour manhunt. According to a report published Thursday by The Washington Times, they took actions to hide their electronic trail. The report stated:

Officials involved in the investigation say the couple appeared to have gone to great lengths to conceal their plans—a cell phone recovered from Ms. Malik’s body was newly purchased and had been used only recently. Two other cell phones that were recovered had been smashed with a hammer and were expected to be sent to the FBI’s forensic lab in Washington for examination.

Authorities also noted that a hard drive and motherboard are missing from a computer found at the Redlands, California home the couple rented.

Not all of their digital footprints were wiped clean, according to other reports. This Daily Caller post said Farook's online dating profile claimed he enjoyed reading religious books and engaging in shooting practice. The New York Times, meanwhile, said that an online baby registry in Malik's name showed the couple was expecting a daughter to be born in May and listed diapers, baby wash, a car seat, and safety swabs.


Newest ransomware pilfers passwords before encrypting gigabytes of data

Surreptitious attacks often prey on people visiting legitimate sites.

A new wave of crypto ransomware is hitting Windows users courtesy of poorly secured websites. Those sites are infected with Angler, the off-the-shelf, hack-by-numbers exploit kit that saves professional criminals the hassle of developing their own attack.

The latest round is especially nasty because before encryption, the drive-by attacks first use malware known as Pony to harvest any login credentials stored on the infected computer, according to a blog post published by a firm called Heimdal Security. The post explains:

The campaign is carried out by installing a cocktail of malware on the compromised PC. The first payload consists of the notorious data thief Pony, which systematically harvests all usable usernames and passwords from the infected system and sends them to a series of Control & Command servers controlled by the attackers.

The purpose of this action is to abuse legitimate access credentials to web servers and CMS systems used by websites and to inject the malicious script in these websites so that the campaign achieves the largest possible distribution.

In the second phase, the drive-by campaign unfolds via the victim being moved from the legitimate website, which has been compromised, to a heap of dedicated domains which drop the infamous Angler exploit kit.

The Angler exploit kit will then scan for vulnerabilities in popular third-party software and in insecure Microsoft Windows processes, if the system hasn’t been updated. Once the security holes are identified, Angler will exploit them and force-feed CryptoWall 4.0 into the victim’s system.

To appreciate just how insidious attacks like these are, consider this: earlier this week, Ars reported that the Reader's Digest website was actively infected by Angler. A reader promptly replied that someone in his organization had visited the site in early November—four weeks before the article was published—and was infected by CryptoWall after reading an article. The target's only mistake, it seems, was failing to update one of several apps.


Hacked toymaker leaked gigabytes’ worth of kids’ headshots and chat logs

Company encouraged parents to use the pictures and chats with the apps it sold.


VTech, the hacked maker of electronic toys and apps that leaked the data of 4.8 million customers, including hundreds of thousands of children, exposed gigabytes' worth of pictures and chat histories on the same compromised servers, according to an article published on Motherboard, the website that first broke news of the breach.

The news website said a hacker who asked to remain anonymous was able to download almost 200 gigabytes' worth of photos of both parents and children who had registered with the site. The hacker also obtained logs of chats conducted between parents and their kids and in some cases recordings of conversations. VTech encouraged parents to take the headshots and use them with apps that allow them to interact with children. The hacker, who said he didn't intend to publish or sell the data, provided Motherboard with 3,832 image files and at least one audio recording for verification purposes.

It's not clear why VTech stored the data on its servers in the first place. The article reported:


Hey Reader’s Digest: Your site has been attacking visitors for days

Researchers estimate the same campaign has infected thousands of other sites.


An active hacking campaign is forcing Reader's Digest and many other websites to host malicious code that can surreptitiously infect visitors with malware and linger for days or weeks before being cleaned up.

Reader's Digest has been infected since last week with code originating with Angler, an off-the-shelf hack-by-numbers exploit kit that saves professional criminals the hassle of developing their own attack scripts, researchers from antivirus provider Malwarebytes told Ars. People who visit the site with outdated versions of Adobe Flash, Internet Explorer, and other browsing software are silently infected with malware that gains control over their computers. Malwarebytes researchers said they sent Reader's Digest operators e-mails and social media alerts last week warning the site was infected but never got a response. The researchers estimate that thousands of other sites have been similarly attacked in recent weeks and that the number continues to grow.

"This campaign is still ongoing and we see dozens of new websites every day being leveraged to distribute malware via the Angler exploit kit," Malwarebytes Senior Security Researcher Jérôme Segura wrote in an e-mail. "This attack may have been going on for some time but we noticed a dramatic increase in infections via WordPress sites in the past couple of weeks."
