Computers

The Tech Corner is a technology news and advice column presented each week courtesy of Melvin McCrary at Georgia Computer Depot in Cedartown. 

Federal Trade Commission obtains record $100 million settlement with LifeLock

The FTC announced that the identity theft protection firm LifeLock will pay $100 million to resolve allegations that the company made false statements about its services and failed to safeguard consumer data. This settlement represents the largest of its kind in an FTC order enforcement action.

Researcher Discloses Flaws in D-Link 850L Wireless Routers

A security researcher has discovered a total of ten critical zero-day vulnerabilities in routers from Taiwan-based networking equipment manufacturer D-Link which leave users open to cyber-attacks.

Private keys hardcoded in the firmware: the private encryption keys are hardcoded in the firmware of both D-Link 850L Rev A and Rev B, so they can be extracted and used to perform attacks. Kim advised users to cut their connections to the affected D-Link router in order to be safe from such attacks.

Android malware infects over 4.2M Google Play users

Even after so many efforts by Google, malicious apps somehow managed to fool its Play Store’s anti-malware protections and infect people with malicious software.

The same happened once again when at least 50 apps managed to infect Google Play Store and were successfully downloaded as many as 4.2 million times — one of the biggest malware outbreaks.

How to protect your Android from such malware apps

Even after Google removed all the malware-tainted apps from its official Play Store marketplace, your smartphones will remain infected with the ExpensiveWall malware until you explicitly uninstall the malicious apps, if you have downloaded any.

Google has recently provided a security feature known as Play Protect that uses machine learning and app usage analysis to automatically remove malicious apps from the affected smartphones to prevent further harm.

Equifax suffered data breach after failing to patch old Apache Struts flaw

The massive Equifax data breach that exposed highly sensitive data of as many as 143 million people was caused by the exploitation of a flaw in the Apache Struts framework, which Apache had patched over two months before the security incident, Equifax has confirmed.

Credit rating agency Equifax is yet another example of a company that became the victim of a massive cyber-attack because it did not patch a critical vulnerability on time, even though patches had already been issued by the respective vendor.

Rated critical with a maximum 10.0 score, the Apache Struts2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6 with the release of Apache Struts version 2.3.32 or 2.5.10.1.

This flaw is separate from CVE-2017-9805, another Apache Struts2 vulnerability that was patched earlier this month. That one was a programming bug in the way the Struts REST plugin handles XML payloads while deserializing them, and it was fixed in Struts version 2.5.13.

Right after the disclosure of the vulnerability, hackers started actively exploiting the flaw in the wild to install rogue applications on affected web servers after its proof-of-concept exploit code was uploaded to a Chinese site.

Although patches had been made available and there was proof that the flaw was already under mass attack by hackers, Equifax failed to patch its Web applications against the flaw, which resulted in the breach of personal data of nearly half of the US population.

“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who has been impacted,” the company officials wrote in an update on the website with a new

For those unaware, Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language that run both front-end and back-end Web servers.

The framework is used by 65 per cent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS.

Since the hackers are actively exploiting the vulnerabilities in the Apache Struts web framework, Cisco has also initiated an investigation into its products against four newly discovered security vulnerabilities in Apache Struts2.

Zerodium Offers $1 Million for Tor browser 0-days that it will resell to governments

It seems like Tor Browser zero-day exploits are in high demand right now — so much so that someone is ready to pay ONE MILLION dollars.

Zerodium — a company that specializes in acquiring and reselling zero-day exploits — just announced that it will pay up to USD 1,000,000 for working zero-day exploits for the popular Tor Browser on Tails Linux and Windows operating systems. Tor Browser users should take this news as an early warning, especially those who use Tails OS to protect their privacy.

The company has also clearly stated that the exploit must leverage a remote code execution vulnerability, the initial attack vector should be a web page, and it should work against the latest version of Tor Browser. Moreover, the zero-day Tor exploit must work without requiring any user interaction, except for victims to visit a web page.

Other attack vectors such as delivery via malicious document are not eligible for this bounty, but ZERODIUM may, at its sole discretion, make a distinct offer to acquire such exploits.

Zerodium to sell Tor browser 0-days to law enforcement agencies

The nonprofit foundation also urges researchers and hackers to responsibly disclose vulnerabilities in Tor via its recently-launched bug bounty program.

“We think the amount of the bounty is a testament to the security we provide.

“We think it’s in the best interest of all Tor users, including government agencies, for any vulnerabilities to be disclosed to us through our own bug bounty,” a Tor Project spokesperson told The Hacker News.

“Over 1.5 million people rely on Tor every day to protect their privacy online, and for some it’s life or death.

“Participating in Zerodium’s program would put our most at-risk users’ lives at stake.”

Those interested can submit their exploit until Nov. 30, 2017, at 6 p.m. The company also notes that the bounty may be terminated before its expiration if the total payout to researchers reaches $1 million.