
Qualcomm's been bitten by the bounty bug, signing on with HackerOne to offer up to US$15,000 for vulnerabilities in modems and processors.

The bounty covers Snapdragon 400, 615, 801, 805, 808, 810, 820 and 821 processors, and its X5, X7, X12 and X16 LTE modems.

A vulnerability in any one of these would reach a long way into the wild. The Snapdragon X20, to pick one example, is in current-generation smartphones from Google, Samsung, Motorola, LG, ZTE, Sony, Asus, HTC, and HP.

Because the company has about 65 per cent of the LTE market, the Quadrooter bug that landed during Def Con in August was thought to affect up to 900 million devices.

Qualcomm's note at HackerOne gives white hats a pretty wide brief: Linux kernel code 3.14 or newer in the Android for MSM project, written by the Qualcomm Innovation Center and not in an end-of-life branch.

There are also rewards for bootloader bugs, anything that has root or system privileges, the modem, networking firmware (Wi-Fi and Bluetooth), or the Qualcomm Secure Execution on Trustzone.

Merely crashing a process isn't enough; the bug has to then let the attacker get to code execution. ®



The Register - Security

This Monday Microsoft debuted Project Springfield, a cloud-based fuzz testing (aka fuzzing) service that the company has been working on for quite a while.

Project Springfield: Cloud-based fuzz testing

David Molnar and Patrice Godefroid, two of the key researchers behind Project Springfield, have been claiming since 2010 that fuzzing in the cloud will revolutionize security testing, and now they have provided the means to prove that assertion.

What is fuzz testing?

Fuzz testing is a method for discovering bugs and security vulnerabilities in software by hitting it with random and unexpected inputs. Some of the inputs thrown at the software will cause crashes, thus revealing the existence of a bug and pointing programmers in the right direction to fix it.

Fuzz testing improves software security because it often finds bugs that human testers fail to find.

In fact, Microsoft has been using SAGE – a fuzzing technology they developed and employed internally, and a key component of Project Springfield – to test Windows 7 before it was released. Through it, they found one third of the “million dollar” security bugs affecting the OS.

About Project Springfield

“Project Springfield works on binaries, with no source code or private symbols needed,” Microsoft explains. “You need to be able to install software you deploy on a virtual machine that runs in Azure, provide a “test driver” that exercises your software, and a set of sample inputs. Project Springfield uses these to create many test cases for exercising your program.”

The service performs (among other things) white-box fuzz testing with the help of artificial intelligence. This way, the fuzzing is more focused and, they claim, definitely more effective.

Project Springfield incorporates SAGE, but also other fuzz testing tools. Users interact with the service through a web portal.

“Project Springfield reports security vulnerabilities in real time on the secure web portal. Customers can download actionable test cases to reproduce the issue,” they explain. “Customers can prioritize and fix bugs, then re-test to ensure the effectiveness of the fix.”

Project Springfield is currently being used by a number of enterprise customers, and others are welcome to sign up for a free evaluation.


Help Net Security

Threatpost | The first stop for security news


Analysis: A team of security researchers tipped off an investment firm about software vulnerabilities in life-preserving medical equipment in order to profit from the fallout.

Researchers at MedSec Holdings, a cybersecurity startup in Miami, Florida, found numerous holes in pacemakers and defibrillators manufactured by St Jude Medical. Instead of telling the maker straightaway, the crew first went to investment house Muddy Waters Capital to make money off the situation.

MedSec offered Muddy Waters the chance to short sell the stock of St Jude Medical so that when details of the flaws were made public, MedSec and Muddy Waters could both profit. The more the shares fell, the higher MedSec's profits would be.

Muddy duly published details of the flaws earlier today, on Thursday, and sent this doom-laden alert to investors:

Muddy Waters Capital is short St. Jude Medical, Inc. (STJ US). There is a strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years. STJ’s pacemakers, ICDs, and CRTs might – and in our view, should – be recalled and remediated. (These devices collectively were 46% of STJ’s 2015 revenue.) Based on conversations with industry experts, we estimate remediation would take at least two years. Even lacking a recall, the product safety issues we present in this report offer unnecessary health risks and should receive serious notice among hospitals, physicians and cardiac patients.

We have seen demonstrations of two types of cyber attacks against STJ implantable cardiac devices (“Cardiac Devices”): a “crash” attack that causes Cardiac Devices to malfunction – including by apparently pacing at a potentially dangerous rate; and, a battery drain attack that could be particularly harmful to device dependent users. Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house key exploits that help to enable these attacks.

St Jude's share price fell 4.4 per cent to $77.50.

MedSec claims it used Muddy Waters in order to draw attention to insecurities in St Jude's products and to fund its research efforts, admittedly in a rather unorthodox manner.

"We acknowledge that our departure from traditional cyber security practices will draw criticism, but we believe this is the only way to spur St Jude Medical into action," said MedSec's CEO Justine Bone on her company blog.

"Most importantly, we believe that both potential and existing patients have a right to know about their risks. Consumers need to start demanding transparency from these device manufacturers, especially as it applies to the quality and functionality of their products."

Alternatively they could have simply gone to the device maker, showed them the holes, and got them fixed. If they wanted to force the manufacturer into action, MedSec could have presented a paper at any one of the many security conferences – as car hackers Charlie Miller and Chris Valasek did in the Chrysler hacking case.

Instead MedSec decided to hook up with Muddy Waters and short the stock to earn a tidy profit. Carson Block, founder of Muddy Waters, took to Bloomberg TV to put the frighteners on folks about the severity of the flaws, which could help depress the share price further and thus boost his profits.

"The nightmare scenario is somebody is able to launch a mass attack and cause these devices that are implanted to malfunction," he gushed.

But based on his own company's report today into the St Jude devices, that seems unlikely. The two attack vectors mentioned include a battery draining attack and one that could crash a pacemaker, but both require the attacker to get access to the device's home control unit for about an hour.

The report blames St Jude Medical for using off-the-shelf parts in its devices that any hacker could buy and analyze, and for not making a custom operating system with extra security. It estimates the faults will take years to rectify.

Dr Hemal Nayak, a cardiac electrophysiologist at the University of Chicago, recommends in the Muddy report that users turn off their home controllers and says he will not implant any of St Jude Medical's devices. Nayak just happens to be a board member of MedSec.

The report claims that it would be theoretically possible to carry out a widespread attack using St Jude Medical's network, but says MedSec didn't try it because that would be morally wrong. So it seems they publicized that some flaws were merely present instead and cashed in on short selling.

Medical device hacking has been demonstrated for years now, so much so that it's almost considered old hat. Nevertheless, it seems a cunning firm has found a way to make big bucks out of the issue. ®



The Register - Security


Researchers at Rapid7 spotted bugs in Fisher-Price and hereO products that could expose data.

Researchers at Rapid7 discovered vulnerabilities in Fisher-Price's Smart Toy and hereO's GPS platforms that could allow an attacker to collect the personal information of a user.

The Smart Toy is a stuffed animal that connects to an online account via Wi-Fi to provide users with a customizable educational and entertainment experience.

The toy's platform contained an improper authentication handling vulnerability that could allow an unauthorized user to obtain a child's name, age, date of birth, gender, spoken language and more, according to a Feb. 2 security blog post.

Many of the platform's web service application program interface (API) calls didn't appropriately verify the “sender” of messages and could allow a would-be attacker to send requests that shouldn't be authorized under ideal operating conditions, according to the post.

In addition to compromising privacy, an attacker could use the bug to launch social engineering campaigns or to force the toy to perform actions that users didn't intend, the researchers wrote.

The platform in a GPS tracker that allows family members to share their location with each other was also vulnerable to outside manipulation.

The hereO GPS platform contained an authorization bypass vulnerability which could allow an attacker to access every family member's location, according to the post.

Once exploited, an attacker could discreetly add their account to any family's network and manipulate notifications through social engineering to avoid detection.

Researchers gave the example of an attacker adding themselves to a family's network under the “name” 'This is only a test, please ignore,' in an attempt to avoid raising suspicion.

Both vulnerabilities were reported to their respective vendors and have since been rectified. Rapid7's Security Research Manager Tod Beardsley told SCMagazine.com in an email correspondence that these issues didn't require patches or firmware upgrades.

Beardsley said that both vendors acted “reasonably and responsibly” during the disclosure process. It's nearly impossible to ship products without some bugs when dealing with the internet of things (IoT) or software in general, he said.

“The goals of companies dedicated to securing personal information should be twofold,” Beardsley said.

“One, make sure that bugs are found in the design and development phases, and two, once vulnerabilities are identified after launch, they are easily and quickly remediated without too much effort by the end users,” he said.

Other IoT toys have been found to pose risks to users as well.

Last year, researchers identified security concerns in Mattel's Hello Barbie that could allow an attacker to extract internal MAC addresses, Wi-Fi network names, account IDs, and MP3 files from the popular doll.

ToyTalk, the company that operates the doll's speech services, reportedly admitted the doll could be hacked but said the vulnerable information did not identify children, nor did it compromise any audio of a child speaking.


Latest articles from SC Magazine News

Google offers bounty on browser bugs
Published: 2010-02-02

Google announced last week that the company had joined the ranks of a small group of other organizations that pay researchers for finding bugs in its code.

The company will pay $500 per bug found in Chromium, the open-source code that powers the company's Chrome Internet browser, Google stated in a blog post published on Thursday. For extremely critical issues, as judged by the company's security team, Google will pay $1,337 -- a play on hackerspeak for "leet" or elite.

"We are hoping that the introduction of this program will encourage new individuals to participate in Chromium security," Chris Evans, a member of Google's Chrome security team, stated in the blog post. "The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be."

The search giant is far from the first company to agree to pay security researchers who find and privately disclose bugs. Google's program is based on browser maker Mozilla's bug bounty. In addition, security firms TippingPoint and iDefense both pay for critical bugs in other companies' software, using the information to protect their own customers.

In the blog post, Google's Evans appeared to indicate that only responsibly disclosed vulnerabilities would be considered for a reward, and that bugs publicly disclosed without giving Google's developers time to fix them would not be considered.

"We encourage responsible disclosure," Evans wrote. "Note that we believe responsible disclosure is a two-way street; it's our job to fix serious bugs within a reasonable time frame."

Bug bounties allow researchers to receive a small amount of cash for their research, but pale in comparison to the fees that critical issues can command from cybercriminals and government cyber programs. Exploits for a serious flaw in a popular program can sell for more than $100,000.


Posted by: Robert Lemos


SecurityFocus News