Miscreants are attracted to law-skirting schemes that generate strong revenues without significant ongoing investments. You can observe these characteristics in the trademark registration campaign described below. It seems to have been active for at least a decade and spans Texas, Delaware, Washington and the Principality of Liechtenstein. It is one manifestation of the broader family of fake invoice scams, such as the website backup “invoices” that I outlined in an earlier article.

Protected Trademarks on the Internet

After I registered the name of the malware analysis toolkit that I maintain, REMnux, as a trademark with the US Patent and Trademark Office, I began receiving postal solicitations requesting that I include this trademark in various private registries. You can see one of these letters below. (Click the image to see the PDF of the full page.)

The letter looks like an official invoice for trademark registration. In reality, the solicited $992 fee is for the proposed “service” that the notice describes in all capital letters as follows:

“THE TRADEMARK PUBLICATION PROVIDES THE NAME OF TRADEMARK OWNERS AND PRODUCT NAMES ON THE INTERNET.”

The letter states that “YOUR DATA WILL BE PUBLISHED FOR A TERM OF TWO YEARS UPON RECEIPT OF PAYMENT.” It describes the benefits of the service by claiming that “PUBLICATION ON THE TRADEMARK DATABASE REGISTER ENSURES THE REGISTERED PARTY A WORLDWIDE PUBLICATION ON THE INTERNET.”

Buried in the paragraph that describes the offer is the phrase “THIS PUBLICATION IS AN ELECTIVE SERVICE WHICH NEITHER SUBSTITUTES THE REGISTRATION… WITH U.S.P.T.O.” So, the letter does indicate that it’s not associated with the US Patent and Trademark Office. Unfortunately, plenty of its recipients don’t look closely at what they assume are bills, and probably pay what they believe is an official trademark registration invoice.

Send This Stub With Check in the Remittance Envelope

Recipients of the letter are asked to make checks payable to Trademark-DB Corp and mail them to 10223 W Broadway St Ste P, PMB # 336, Pearland, TX 77584. This is the location of a UPS Store, pictured by Google’s Street View on the photo below. The term “PMB” means it’s a private mailbox, which is a private company’s version of a PO Box.

After some research, I came across another trademark registration company that was associated with the same fax number as Trademark-DB, 011-423-3841889. That company was called Trademark Info Corp. Its mailing address was the same UPS Store location, but it was using private mailbox number 330 instead of 336.

The “invoices” sent by Trademark Info looked very much like the letters from Trademark-DB, as you can see in the excerpt below. This solicitation appears to have been sent in 2006. I found it in the collection of trademark scam examples published by the firm Hodgson Legal, where you can see the full letter on page 4.

[Image: excerpt of a Trademark Info “invoice”]

Based on the “invoices” I located for Trademark-DB, it was using the Texas location in 2015-2016. I came across additional invoices (1, 2) sent by this firm in 2013 and 2014 that specified a different address: 2207 Concord Pike, PMB # 582, Wilmington, DE 19803. This is a shop called My Mailbox Store, which, among other services, rents mailboxes.

Interestingly, this private mailbox number at this location was used in 2006 by a company called Americash Hotline, LLC d/b/a Direct Cash Express, LLC, which the Attorney General of the State of West Virginia accused of being “engaged in the business of making usurious payday loans to consumers” according to the Petition to Enforce Investigative Subpoenas filed that year. However, the use of the same mailbox by Trademark-DB ten years later might be a coincidence.

Another letter sent by Trademark-DB, probably dated 2015, uses the drop address of 2100 M St. NW, Ste 170, # 330, Washington, DC 20037. This is a UPS Store location. Note the use of the same mailbox number (330) as in the Texas location. Perhaps coincidentally, another mailbox (170) in the Washington store was reported to be associated with an unrelated award-acceptance scam in 2012.

Though the addresses where trademark letter recipients were urged to send payments were in the United States, both Trademark-DB and Trademark Info are located elsewhere.

Court of Vaduz, Principality of Liechtenstein

Trademark Info and Trademark-DB maintain separate websites, www.trademark-info.net and www.trademark-db.info respectively. Each site includes a Terms of Business section stating that the company is registered in the Principality of Liechtenstein, though at different addresses.

Liechtenstein is a small sovereign country nestled between Switzerland and Austria, according to Wikipedia. Its capital is Vaduz. Trademark-DB’s site states that:

“The Court of Vaduz, Principality of Liechtenstein, shall have exclusive jurisdiction over all claims or disputes arising in relation to, out of or in connection with Trademark-DB AG…”

I was able to locate Trademark-DB’s record in the Liechtenstein business registry. The mailing address of the company in Liechtenstein matches the one on Trademark-DB’s website, though the record also indicates that the correspondence should be sent care of Treufid Trust. This company’s website, www.treufid.li, markets the firm as “your contact for start-ups and their management, accounting, tax and business consulting, auditing and secretarial services.” (I translated it from German via Google.)

[Image: Trademark-DB’s record in the Liechtenstein business registry]

I found Trademark Info’s record, too. It indicates that the company is “in liquidation,” if I’m interpreting it correctly. This firm’s latest address is different from Trademark-DB’s address, and its point of contact is Kimar Anstalt. According to the Panama Offshore Leaks Database, it’s a subsidiary of Majoria Investments Limited, which the same database lists as being “defaulted.”

The two firms are clearly connected:

  • Both listed the same fax number on their letters, which included very similar content.
  • Both were using the same location in the US as the drop point for checks. Both were registered in Liechtenstein, albeit at different addresses.
  • In addition, both specified the same phone number, 4233841077, in their domain registration records.
  • Moreover, a search of PassiveTotal records showed that the firms’ web servers used the same DNS and registrar servers and at some point were assigned IP addresses in the same /24 (Class C) subnet, 195.225.200.0.

I suspect Trademark Info was the first incarnation of the scheme and has now been dissolved. Trademark-DB seems like a reincarnation of the service, or perhaps it is a copycat effort. It is active as of this writing.

Unsecured Nonpriority Claims

Though Trademark Info as a company appears to have been liquidated, the database hosted on its site is still available. I found no way to browse its full contents, but one can perform searches to query the records. For instance, when I search for records where the owner of the trademark contained an “a”, the site showed me 20 records of companies with addresses in the US and Canada.

Presumably, each of these companies paid around $600 to be included in this listing, possibly because they misinterpreted the letter sent by Trademark Info as an invoice. The service for which they paid was of dubious value. As far as I can tell, search engines don’t include the site’s contents in their indexes, so people are unlikely to come across a trademark’s entry in this database unless they specifically search the database for it.

Another indication that companies issued payments to Trademark Info comes in the form of unclaimed funds that the Texas Comptroller of Public Accounts is holding for the now-defunct company. I came across these records on the Texas government’s website that lets you search for such funds. It listed two unclaimed payments for $587 and two for $1,174, dating from 2005 to 2010.

Another example of the recipients treating Trademark Info’s letters as invoices can be seen in the petition that Mineola Water Corporation filed with the US Bankruptcy Court in Alabama. The company listed Trademark Info as a creditor “holding unsecured nonpriority claims” for its Sip of the South trademark in the amount of $596. The claim seems to be dated to 2008.

The database maintained by Trademark-DB is online as well. Like the Trademark Info catalog, the contents of this database do not seem to be available in search engines’ indexes. A few queries that I ran showed me various records registered between 2005 and 2012. It’s strange that I didn’t come across the more recent entries, given that I came across “invoices” that Trademark-DB sent between 2013 and 2015. I doubt people stopped responding, so perhaps the company stopped bothering to add new entries to its database? Or maybe the dates in its database are wrong?


Non-USPTO Solicitations

The US Patent and Trademark Office maintains a page that warns about “non-USPTO solicitations that may resemble official USPTO communications.” It includes several examples of what the page calls “non-USPTO solicitations about which we have received complaints within the past several months.” It carefully avoids using the term “scam,” except when referring to the criminal indictment issued against one of the listed entities.

Though the list of non-USPTO examples includes three letters sent by Trademark-DB (1, 2, 3) for its Texas, Washington and Delaware locations, the scheme involving Trademark-DB is still active. If it is, indeed, associated with the actions of Trademark Info, these machinations have been going on for at least a decade. The longevity of the campaign isn’t surprising, given the difficulty of tracking down the companies and individuals behind it, especially when the controlling organizations are in the Principality of Liechtenstein.

Yet, the checks are being collected from US-based locations, which can be used as a starting point for further investigating the schemes that, at best, push the boundaries of US laws. For example, Title 39, United States Code, Section 3001, reportedly “makes it illegal to mail a solicitation in the form of an invoice, bill, or statement of account due unless it conspicuously bears a notice” stating that it’s not a bill. Furthermore, I wonder whether the lack of value in being listed in a private trademark registry might violate US federal and state laws that prohibit deceptive and unfair trade practices.

If you receive misleading communications from private trademark registration entities, the USPTO encourages you to file a complaint with the Federal Trade Commission (FTC). It also says that if you receive solicitations that are not already listed on the USPTO page mentioned above, you should email [email protected]. Lastly, the USPTO recommends that you report the incident to your state’s “consumer protection authorities,” which you can locate via this link.


Lenny Zeltser

Juniper Networks has become the latest company to acknowledge that one of the implants leaked by the Shadow Brokers targets some of their products.

Cisco and Fortinet did the same a few days earlier.

NetScreen firewalls

“Juniper Networks is investigating the recent release of files reported to have been taken from the so-called Equation Group,” Juniper employee Derrick Scholl explained in a post.

“As part of our analysis of these files, we identified an attack against NetScreen devices running ScreenOS. We are examining the extent of the attack, but initial analysis indicates it targets the boot loader and does not exploit a vulnerability on ScreenOS devices. We will continue to evaluate exactly what level of access is necessary in order to execute the attack, whether it is possible to detect the attack, and if other devices are susceptible.”

As a reminder: last December Juniper found and patched a critical vulnerability affecting ScreenOS on its NetScreen devices, which allowed unauthorized remote administrative access to the device over SSH or telnet and could have allowed a knowledgeable attacker to decrypt encrypted VPN traffic.

At the time, speculation was that the vulnerability arising from unauthorized code in ScreenOS created two backdoors, deliberately inserted by a state-sponsored intruder (or more of them). It was thought that at least one was the work of the NSA, as the NSA documents leaked by Edward Snowden showed that the NSA had the ability to backdoor Juniper’s network equipment.

The exploits and implants leaked by the Shadow Brokers are almost certainly the work of the NSA, i.e. their (formal or informal) hacking “arm” the Equation Group.

It is still unknown who the Shadow Brokers are. Snowden believes they might be state-sponsored Russian hackers, and the leak a way to urge the US government not to be hasty in denouncing Russia as the source of the DNC hack.

According to Shlomo Argamon, professor and director of the Master of Data Science Program at the Illinois Institute of Technology, the text that accompanied the leaked data points to the “Shadow Broker” most likely being a native English speaker trying to appear non-native.

“In the (quite unlikely) event that the writer is, in fact, not a native English speaker, their native tongue is much more likely to be a Slavic language (e.g., Russian or Polish) than either a Germanic or Romance language,” he added.

This opinion seems to prop up a theory by former NSA staffers, who said that the “naming convention of the file directories, as well as some of the scripts in the dump” point to the attacker being an insider.


Help Net Security

Banking customers are hesitant to use mobile features due to fraud and security concerns, according to Kaspersky Lab and IDC Financial Insights. Their findings show that of those not using mobile banking at all today (36 percent), 74 percent cited security as the major reason, which could slow the overall adoption of mobile banking services during a time where mobile device usage is exploding.


While security concerns are holding back non-mobile banking users from embracing the convenient, digital self-service solutions on the market, those who are active users of mobile banking today share the same concerns. Among both users and non-users of mobile banking, 85 percent said that they would increase their usage to “some extent” if there was more security, and nearly half (44 percent) of those surveyed said that they would “significantly” increase their mobile banking usage with more security.

For financial organizations, an increase in self-service banking usage can drive revenue and reduce transactional costs, but currently customers don’t see a promising future for mobile banking in their lives – with 32 percent of respondents claiming that they do not ever foresee using mobile as the primary channel that they will engage with their bank or credit union. Banks that do not properly strengthen mobile financial security measures could miss out on a significant business opportunity and risk losing valuable customers in the process.

As financial institutions look for new ways to streamline adoption of self-service banking solutions, it is important that they proactively deploy and implement rigorous security solutions. In addition, banks should also reconsider their education strategies to ensure that customers understand the level of security in their mobile offerings. Survey respondents want to see a proactive and informative approach to security from their banks, with 80 percent indicating that they would like to see evidence of security measures being activated when they launch a mobile banking application.

“Consumers are concerned about security on their mobile devices, which has limited adoption of high margin mobile banking and payment activities including account opening, payments and transfers using a mobile phone,” says Marc DeCastro, research director at IDC Financial Insights. “As the next generation of online, mobile first and mobile only customers begin to explore digital banking choices, financial institutions that have and promote stronger security will attract and retain these customers more easily than those who do not.”

“As financial organizations continue to expand their self-service offerings to drive revenue and increase customer convenience, it’s important to proactively approach security technology for consumers’ mobile devices in the same way banks approach security for their own PC-based solutions, web offerings, and technology networks,” said Ross Hogan, Kaspersky Lab Global Head of Fraud Prevention.


Help Net Security

Previously unpublished documents released by former National Security Agency contractor Edward Snowden confirm that some of the spy agency's top-secret code has been leaked or hacked, The Intercept reported Friday.

The online news site's editors include journalists that worked with Snowden to publicize his notorious 2013 NSA leak revealing the extent of government snooping on private data.

The Intercept said Snowden had given the site a classified draft NSA manual on how to implant malware -- malicious code that is used to monitor or control someone else's computer.

Whether code published online by a mysterious group called "Shadow Brokers" is genuine has been the source of much debate in recent days.

The NSA has steadfastly declined to comment on whether it has been the victim of a security breach.

Over the weekend, the Shadow Brokers posted two sets of files, one that is freely accessible and another that remains encrypted.

They said they would release this additional information subject to raising one million Bitcoins -- digital currency, in this case worth about $575 million -- through an online auction.

According to the Intercept, the draft NSA manual contains instructions to NSA operators telling them to use a specific string of characters associated with the SECONDDATE malware program.

The exact same characters appear throughout parts of the Shadow Brokers leak, the Intercept said.

According to The New York Times, much of the code was created to peer through the computer firewalls of foreign powers like China, Iran and Russia.

Such access would enable the NSA to plant malware in rivals' systems and monitor -- or even attack -- their networks.

Whoever obtained the code would have had to break into NSA servers that store the files, the Times said.


© AFP 2016



SecurityWeek RSS Feed

When is the best time to deliver a security message?

A group of researchers from Brigham Young University has been tracking users’ neural activity while they use a computer, and has discovered that security warnings are heeded more if they don’t pop up right in the middle of a task or action that requires the users’ attention.


Humans are generally bad at multitasking, and they will ignore such messages in most cases when they are watching a video, typing, or inputting a confirmation code, i.e. when they can’t attend to the message without it affecting the quality of their first task, or can’t give the message enough attention.

The best moments to spring a security warning are when the user waits for a web page to load or a file to be downloaded/processed, switches to another site, or has just finished watching a video.

Anybody who has ever used a computer and ignored their fair share of security messages will not be surprised by the results of this study.

But it is surprising that the software industry hasn’t already made it so that all security messages that don’t require immediate attention are shown when a task is started, finished, or the user is waiting for a task to complete.

While it might seem that this study was a waste of time that proves something we all know, it will have an impact on our daily lives – or, more specifically, on the lives of Google Chrome users.

The research was performed in collaboration with Google Chrome security engineers, and its results convinced them to tweak the timing of the security messages in future versions of the Chrome Cleanup Tool.

Hopefully, other software makers will follow. With the human element consistently being the weakest point of the security chain, we need all the help we can get to make the right choices.


Help Net Security

While most organizations fundamentally believe connecting people to the best technology is vital to business productivity, many struggle to achieve agility due to traditional on-premise security mindsets, according to an Okta survey of 300 IT and security professionals.


Failing to adapt and upgrade security tools is putting organizations at risk. 65% of respondents think that a data breach will happen within the next 12 months if they do not upgrade legacy security solutions in time.

“In order to be more productive, organizations worldwide are investing in cloud and mobile technologies, enabling their staff to work from virtually anywhere. But this isn’t enough to ensure true agility. As organizations become increasingly connected, the traditional idea of the enterprise network boundary is vanishing and businesses need to prioritise strong security,” said David Baker, CSO at Okta. “To successfully navigate the new perimeter and avoid compromising on security and productivity, IT leaders need to adopt tools that span traditional company and network boundaries and enable agility across the organization.”

Organizations are unsure if security is enabling or compromising productivity and agility

When asked if security measures compromised or enabled productivity in their organization, respondents’ opinions were mixed. Just over half (52%) said that their current security solutions compromise productivity, while 48% believe their security measures enable the organization to adopt best of breed solutions that enable productivity and agility.

Visibility into application usage is limited

Okta’s research shows that 85% of IT leaders suffer from a lack of insight over who has access to applications within their organization. Even more worrying, 80% of respondents pointed to weak passwords or weak access controls as a security issue.

Investing in new mobile, automation, and cloud technologies is paying dividends for organizations

92% of respondents believe their organization could do more to integrate and support cloud applications into their infrastructure and systems. This reveals a massive opportunity for IT teams to further drive agility and productivity, and the chance to drive this percentage down.


Help Net Security

USN-3065-1: Libgcrypt vulnerability | Ubuntu


Ubuntu Security Notices


Threatpost | The first stop for security news


Twitter suspends 360,000 accounts for terrorist ties

Twitter continues to fight to keep terrorist groups and sympathizers from using its service.

The social network announced today that in the last six months it has suspended 235,000 accounts for violating its policies related to the promotion of terrorism. In February, Twitter reported that it had suspended 125,000 accounts since mid-2015 for terrorist-related reasons.


That means Twitter has suspended 360,000 accounts since the middle of last year.

"Since that [February] announcement, the world has witnessed a further wave of deadly, abhorrent terror attacks across the globe," the company wrote in a blog post. "We strongly condemn these acts and remain committed to eliminating the promotion of violence or terrorism on our platform."

Twitter also reported that daily suspensions are up more than 80% since last year, with spikes in suspensions immediately following terrorist attacks.

"Our response time for suspending reported accounts, the amount of time these accounts are on Twitter, and the number of followers they accumulate have all decreased dramatically," the company said. "As noted by numerous third parties, our efforts continue to drive meaningful results, including a significant shift in this type of activity off of Twitter."

There has been increasing focus on trying to keep terrorist groups, whether it's ISIS or homegrown white supremacists, from using social networks like Twitter and Facebook to communicate, call for attacks and to recruit new members.

Democratic presidential nominee Hillary Clinton even raised the issue during her acceptance speech at the Democratic National Convention last month. "We will disrupt their efforts online to reach and radicalize young people in our country. It won't be easy or quick, but make no mistake - we will prevail," Clinton said.

Social media, including sites like YouTube and instant messaging service Telegram, have been used for years. Those sites are fighting back, too.

Facebook previously reported that it has suspended accounts it found were associated with radicalized groups.

Today, Twitter noted that it not only is suspending accounts, but is making it harder for those suspended to return to the platform.

"We have expanded the teams that review reports around the clock, along with their tools and language capabilities," Twitter said. "We also collaborate with other social platforms, sharing information and best practices for identifying terrorist content... Finally, we continue to work with law enforcement entities seeking assistance with investigations to prevent or prosecute terror attacks."

This story, "Twitter suspends 360,000 accounts for terrorist ties" was originally published by Computerworld.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-050
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812
Vulnerability Type: Persistent Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: unfixed
Manufacturer Notification: 2016-06-03
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

QTS is the operating system used by manufacturer QNAP on its series of
NAS devices (see [1]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found a persistent/stored cross-site scripting
vulnerability in the file viewer component of the QTS administrative
interface.

This type of vulnerability allows an attacker to store active content
like JavaScript on the system, executing the code in the browser of
visitors viewing the affected page. The code can then be used to e.g.
execute commands in the scope of the user, infect the user's browser and
so on.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Log in to the QNAP. The user needs sufficient permissions to create
ZIP files.
2. Right-click on a file or directory and select "compress(ZIP)"
3. In the newly opened window, enter a name containing HTML codes like
blabla<img src=foo onError=alert(1)>
and press OK
4. The code is being executed directly after creating the ZIP.
5. Right-click on the ZIP-file and hover over "Extract".
Again, the code is being executed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer has not released any security update or patch so far.
Administrators of QNAP QTS 4.2 installations should ensure that only
trusted users/administrators have the necessary permissions to create
or rename directories.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-06-03: Vulnerability discovered and reported to manufacturer
2016-06-20: Vulnerability report confirmed by manufacturer
2016-06-22: Vulnerability report updated to fix error in "hover over"
description.
2016-07-06: Manufacturer asked for timeline regarding a fix
2016-07-18: Manufacturer reminded about upcoming public disclosure
2016-08-18: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for QNAP QTS
http://www.qnap.com/qts/4.2/en/
[2] SySS Security Advisory SYSS-2016-050
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-050.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Sebastian Nerz of the SySS GmbH.

E-Mail: [email protected]
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sebastian_Nerz.asc
Key ID: 0x9180FDB2
Key Fingerprint: 79DC 2CEC D18D F92F CBB4 AF09 D12D 26A4 9180 FDB2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJXtWVlAAoJENEtJqSRgP2yicQH/RVeQNcb3qhDUiLlfRMKmV//
Fxt52iVXKai0QiWN6GqBOIU0qon4xXvWyiwJckox5QMXJWELi4PPNoyPxfipCp0M
Q8jIbm1KbxMt2SAwUUG1fFY1Dvj8/dWt81S/HLWj131M7QParwFhLjiBoFNnerLM
49QSWe4jYonIUbqINqIIEJ1lp3hbHDTBOOlXHQahpxsUvphBsJBKfEJImERJ9vGT
VhJam8WJwwKjxsLRDxUiUiL2waLAhdbi2HeJiZy1CplwRvDst2yA5zdDG5iz5O3G
zcByMMyk5ZfRATGPYTH6tuEx2SWtFVFIIXPL8FtWi/7vKn2pITcj9vADFvANxSM=
=xxMF
-----END PGP SIGNATURE-----


Exploit Files ≈ Packet Storm