TeamViewer denies hack after PCs hijacked, PayPal accounts drained

June 2, 2016 – 7:33 PM

Updated: TeamViewer users say their computers were hijacked and bank accounts emptied all while the software company’s systems mysteriously fell offline. TeamViewer denies it has been hacked.

In the past 24 hours, we’ve seen a spike in complaints from people who say their PCs, Macs and servers were taken over via the widely used remote-control tool on their machines. Even users with strong passwords and two-factor authentication enabled on their TeamViewer accounts say they were hit.

It appears miscreants gained control of victims’ TeamViewer web accounts, and used those to connect into computers, where they seized web browsers to empty PayPal accounts, access webmail, and order stuff from Amazon and eBay.

“Hackers got everything from me,” Doug, an Idaho-based Twitch streamer who was looking forward to celebrating his birthday today with his wife and two kids, told The Register.

“They remote connected in at 5AM MT, went into my Chrome and used my PayPal to buy about $3k worth of gift cards. And yes, I had two-factor authentication.”

Over on Reddit, people were lining up with tales of their systems being compromised via TeamViewer, sparking fears the platform had been hacked. TeamViewer makes remote-control clients for Windows, OS X, Linux, Chrome OS, iOS and Android.

“I never expected this to happen, but it did,” wrote Redditor Eric1084.

“When I sat down on my chair, I saw my mouse is moving across the screen. Of course, I immediately revoked remote control, and asked who [the hacker] is. At that point, he disconnected, and attempted to connect to my Ubuntu server, which has all my backups. Good thing I connected to [the server] right after he remote’d into my workstation. I revoked his permission before he tried to open Firefox. Immediately after, I started panicking, and thought he just stole all my passwords.”

Source:
http://www.theregister.co.uk/2016/06/01/teamviewer_mass_breach_report/

MitM Attack against KeePass 2’s Update Check

June 1, 2016 – 5:21 PM

This post is about a Man in the Middle (MitM) vulnerability in KeePass 2’s automatic update check. KeePass – the free and open source password manager – uses, in all versions up to the current 2.33, unencrypted HTTP requests to check for new software versions. An attacker who can tamper with that traffic can abuse the automatic update check – if enabled – to “release” a new version and redirect the user to a malicious download page. Update: on first start, the user is asked whether to enable the recommended update check.

During a recent traffic analysis I stumbled upon an interesting request to http://keepass.info/update/version2x.txt.gz. As I had a few hours spare over the last weekend I took a closer look.

It turned out that KeePass 2’s automatic update check uses HTTP to request the current version information. For that purpose it downloads the following text file from http://keepass.info/update/version2x.txt.gz

Source:
https://bogner.sh/2016/03/mitm-attack-against-keepass-2s-update-check/

How the Top 5 PC Makers Open Your Laptop to Hackers

May 31, 2016 – 6:39 PM

Software makers like Microsoft put a lot of effort into ensuring that the operating system and application updates they deliver to your system are secure, so that hackers can’t hijack updates to get into your computer.

But it turns out that PC hardware makers are not so careful. An investigation conducted by Duo Security into the software updaters of five of the most popular PC manufacturers—HP, Dell, Acer, Lenovo, and Asus—found that all had serious security problems that would allow attackers to hijack the update process and install malicious code on victim machines.

Researchers at Duo Security’s Duo Labs found that all five vendors, known as OEMs or Original Equipment Manufacturers, shipped computers with pre-installed updaters that had at least one high-risk vulnerability that would give an attacker remote-code execution abilities—the ability to remotely run whatever malicious code they want on a system—and gain complete control of the system. The skill required to exploit the vulnerabilities was minimal, the researchers said in a report (PDF) they’re releasing about their findings.

The OEM vendors all shared similar security flaws in varying degrees, such as failure to deliver updates over a secured HTTPS channel or failure to sign update files or validate them. These problems make it possible for attackers to conduct a man-in-the-middle attack to intercept update files as they’re transmitted to computers and replace them with malicious ones. The malicious files can get installed regardless of other protections a machine might have because updaters operate with the highest level of trust and privilege on machines.
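The two update-channel problems on this page, the unauthenticated HTTP version check in KeePass 2 and the OEM updaters that fetch and run update files without HTTPS, signatures or validation, fail in the same way, so one added example covers both. This is illustration code written for this page, not KeePass’s, Duo’s or any OEM’s code: the manifest layout is a simplified “Name:Value” list (not the real version2x.txt format), the installer bytes are constructed, and an HMAC under a hypothetical vendor key stands in for the asymmetric signature a shipping client would verify with an embedded public key.

```python
import gzip
import hashlib
import hmac

INSTALLED = "2.33"

# Constructed payloads standing in for the real installer and for what an
# on-path attacker would substitute for it.
GENUINE_INSTALLER = b"constructed: genuine installer bytes"
MALICIOUS_INSTALLER = b"constructed: attacker-supplied installer bytes"

# Hypothetical vendor key. HMAC is used only so the example runs on the
# standard library; a real client embeds the vendor's public key and checks
# an asymmetric signature, so no secret has to live on the endpoint.
VENDOR_KEY = b"hypothetical-vendor-signing-key"


def build_manifest(version, installer):
    """Gzipped version list in an assumed 'Name:Value' layout (not the real
    version2x.txt format), extended with a digest of the installer it names."""
    text = (":\n"
            f"KeePass:{version}\n"
            f"KeePass-sha256:{hashlib.sha256(installer).hexdigest()}\n")
    return gzip.compress(text.encode(), mtime=0)  # mtime=0 keeps bytes stable


def sign_manifest(gz_manifest):
    """Detached tag the vendor would publish beside the manifest."""
    return hmac.new(VENDOR_KEY, gz_manifest, hashlib.sha256).hexdigest()


def parse_version(s):
    return tuple(int(part) for part in s.strip().split("."))


def parse_manifest(gz_manifest):
    fields = {}
    text = gzip.decompress(gz_manifest).decode("utf-8", "replace")
    for line in text.splitlines():
        if line.startswith(":") or ":" not in line:
            continue  # header, blank or malformed line
        name, value = line.split(":", 1)
        fields[name.strip()] = value.strip()
    return fields


def naive_update(gz_manifest, installer, installed=INSTALLED):
    """The plain-HTTP flow both stories describe: whatever bytes arrived decide
    whether to install, and the installer is never checked at all."""
    fields = parse_manifest(gz_manifest)
    if parse_version(fields["KeePass"]) <= parse_version(installed):
        return "up-to-date"
    return "install"


def hardened_update(gz_manifest, tag, installer, installed=INSTALLED):
    """Authenticate the manifest before parsing it, then bind the installer to
    the digest the authenticated manifest names. Fails closed on either check."""
    if not hmac.compare_digest(sign_manifest(gz_manifest), tag):
        return "rejected-manifest"
    fields = parse_manifest(gz_manifest)
    if parse_version(fields["KeePass"]) <= parse_version(installed):
        return "up-to-date"
    digest = hashlib.sha256(installer).hexdigest()
    if not hmac.compare_digest(digest, fields.get("KeePass-sha256", "")):
        return "rejected-installer"
    return "install"


def mitm_manifest(version="2.99", installer=MALICIOUS_INSTALLER):
    """What an on-path attacker does to an unencrypted response: advertise a
    higher version and a digest matching its own installer. Without the vendor
    key it cannot produce a tag that verifies."""
    return build_manifest(version, installer)


if __name__ == "__main__":
    genuine = build_manifest("2.34", GENUINE_INSTALLER)
    tag = sign_manifest(genuine)
    forged = mitm_manifest()
    print("naive, forged manifest:      ", naive_update(forged, MALICIOUS_INSTALLER))
    print("hardened, forged manifest:   ", hardened_update(forged, tag, MALICIOUS_INSTALLER))
    print("hardened, swapped installer: ", hardened_update(genuine, tag, MALICIOUS_INSTALLER))
    print("hardened, genuine update:    ", hardened_update(genuine, tag, GENUINE_INSTALLER))
```

The order of checks is the point: the manifest is authenticated before a single line of it is parsed (the KeePass version bump is rejected there), and the downloaded file is only run if its digest matches the one the authenticated manifest carries (the OEM payload swap is rejected there). Fetching both over HTTPS closes the on-path case described in these two stories; the signature and digest additionally survive a compromised mirror or CDN, which TLS alone does not.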

Source:
https://www.wired.com/2016/05/2036876/

Google to block Flash on Chrome, only 10 websites exempt

May 16, 2016 – 7:55 AM

The slow and inexorable slide to a world without Flash continues, with Google revealing plans to phase out support for Adobe’s Flash Player in its Chrome browser for all but a handful of websites. And the company expects the changes to roll out by the fourth quarter of 2016.

While it says Flash might have “historically” been a good way to present rich media online, Google is now much more partial to HTML5, thanks to faster load times and lower power use.

As a result, Flash will still come bundled with Chrome, but “its presence will not be advertised by default.” Where the Flash Player is the only option for viewing content on a site, users will need to actively switch it on for individual sites. Enterprise Chrome users will also have the option of switching Flash off altogether.

Source:
http://www.cnet.com/news/google-to-block-flash-on-chrome-only-10-websites-exempt/

New Windows 10 build kills controversial password-sharing Wi-Fi Sense

May 14, 2016 – 7:27 AM

When Microsoft announced Windows 10, it added a feature called Wi-Fi Sense that had previously debuted on the Windows Phone operating system. Wi-Fi Sense was a password-sharing option that allowed you to share Wi-Fi passwords with your friends and contacts in Skype, Outlook, and Facebook. Here’s how Microsoft described the feature last year:

“When you share Wi-Fi network access with Facebook friends, Outlook.com contacts, or Skype contacts, they’ll be connected to the password-protected Wi-Fi networks that you choose to share and get Internet access when they’re in range of the networks (if they use Wi-Fi Sense). Likewise, you’ll be connected to Wi-Fi networks that they share for Internet access too. Remember, you don’t get to see Wi-Fi network passwords, and you both get Internet access only. They won’t have access to other computers, devices, or files stored on your home network, and you won’t have access to these things on their network.”

There were security concerns related to Windows 10’s management of passwords and whether or not said passwords could be intercepted on the fly. To our knowledge, no security breaches or problems were associated with Wi-Fi Sense. According to Microsoft, few people actually used the feature and some were actively turning it off. “The cost of updating the code to keep this feature working combined with low usage and low demand made this not worth further investment,” said Gabe Aul, Microsoft’s Windows Insider czar.

Source:
http://www.extremetech.com/computing/228259-new-windows-10-build-kills-controversial-password-sharing-wi-fi-sense