
Tag: Hypertext Markup Language (HTML)

Spring Dragon – Updated Activity

In the beginning of 2017, Kaspersky Lab became aware of new activities by an APT actor we have been tracking for several years called Spring Dragon (also known as LotusBlossom).
Information about the new attacks arrived from a research partner in Taiwan and we decided to review the actor's tools, techniques and activities.

VU#586501: Inmarsat AmosConnect8 Mail Client Vulnerable to SQL Injection and Backdoor...

Inmarsat Solutions offers a shipboard email client service, AmosConnect 8 (AC8), which was designed to be utilized over satellite networks in a highly optimized manner.

A third-party security research firm has identified two security vulnerabilities in the client software:

On-board ship network access could provide visibility of user names and passwords configured on the client device.

A backdoor account has been identified in the client that provides full system privileges.

This vulnerability could be exploited remotely.

An attacker with high skill would be able to exploit this vulnerability.

AmosConnect 8 has been deemed end of life, and no longer supported.
Inmarsat customers must contact Inmarsat Customer Service to obtain the replacement mail client software.

VU#547255: Dahua IP cameras Sonia web interface is vulnerable to stack...

Dahua IP camera products using firmware versions prior to V2.400.0000.14.R.20170713 include a version of the Sonia web interface that may be vulnerable to a stack buffer overflow.

Over many objections, W3C approves DRM for HTML5

Contentious feature is added, without mandate to protect security researchers.

Ohio Gov. Kasich’s website, dozens of others defaced using year-old exploit

"High risk" exploit patch was issued in May of 2016.

VU#846320: Samsung Magician fails to update itself securely

Samsung Magician fails to securely check for and retrieve updates, which can allow an authenticated attacker to execute arbitrary code with administrator privileges.

VU#768399: HPE SiteScope contains multiple vulnerabilities

HPE's SiteScope is vulnerable to several cryptographic issues, insufficiently protected credentials, and missing authentication.

VU#251927: CalAmp LMU-3030 devices may not authenticate SMS interface

OBD-II devices are used to provide telematics information for managers of fleets of vehicles. One type of device, manufactured by CalAmp, has an SMS (text message) interface. We have found multiple deployments where no password was configured for this interface by the integrator/reseller.

Companies using the CalAmp hardware should be aware that they need to set a password or disable SMS.
Vendors were notified and the SMS interface was disabled or password-protected by all vendors known to be affected.

The 10 tools every modern developer should use

Years ago, all you needed to be a developer was an editor, a compiler, and hopefully some kind of revision control system. (Sadly, many developers still don't use revision control systems properly.) These days, you need to know more even for basic software development. Here's the top 10 list of tools every modern developer should know and use:

1. Git and GitHub: Although there are companies that still use Subversion or even CVS, let alone the awful Clearcase, you probably shouldn't work at one of them. Git is now a basic skill like tying your shoes or spell checking.

2. SSH: Yeah, I know: You're a Windows developer and you don't know no stinking shell. But you're going to run into having to create an SSH key or do other SSH stuff. So you may as well learn now.

3. Terminal Services or remote login: Even if you're a Linux or Mac person, sooner or later you'll have to deal with Windows. These tools are how you will connect in.

4. Amazon Web Services: AWS isn't just cloud, it is the reason you don't have to wait on IT. There are other cloud providers, but you'll have to deal with AWS sooner or later. AWS has gotten so big that you can't know all of AWS any more, but you do need to know at least the EC2 stuff.

5. JavaScript: You don't need to know it cold, but this is the scripting language of the now. If a product or tool is going to add a scripting API, it will probably be for JavaScript.

6. Bash and PowerShell: Sure, more modern devops tools are handy, but sooner or later something isn't going to work and it won't have quite what you need. So, expect to need to know how to write a basic restart script, grab an error code from an exiting command, or do a few things in a loop. That's what Bash (in Linux, many Unixes, MacOS, and Windows 10) and Microsoft's PowerShell let you do. Bonus: Add a tool like Grep (PowerShell's equivalent Select-String is more wordy) and you'll be an even more powerful deity.

7. MongoDB: You need to know how to work with at least one document database. MongoDB is the easiest to learn. Whether you're ultimately going to use MongoDB isn't relevant; what matters is learning how to deal with a new-generation database. If you're going to use an index like Apache Solr, which is document-shaped, or you're going to work with a more columnar structured database, the MongoDB skills will transfer.

8. Curl and Invoke-RestMethod: Most software now has a REST API. On Mac and Linux, Curl is the command-line tool that lets you test and tweak and even script against a REST API. In PowerShell, it is Invoke-RestMethod (although like everything on PowerShell, it requires more typing). There are GUI tools like Postman that accomplish the same work, but a serious developer needs to be able to move past a point-and-click interface for efficiency's sake.

9. Markdown: This is the format of the README.md file in GitHub. You should be able to read and write a simple Markdown document. And that's easy because it has just seven symbols: (# is a header, ## is a subheader, * is a bullet, __ and ** are bold, _ and * are italics, ` is monospace, and --- is a break or rule). Markdown editors often have extensions but those are the basics. From that basic markup language, you can get slides, PDFs, and HTML. Often these output formats can be consistently formatted with CSS or some other way. Best of all, you don't end up with smart quotes in your code samples.

10. Basic HTML: I can't make a decent-looking web page to save my life; I'm a back-end developer. But whether you're going to stub something out or have to parse HTML, you will need to know the basics of the web markup language.

VU#350135: Various WiMAX routers contain an authentication bypass vulnerability in custom...

WiMAX routers from several vendors making use of a custom httpd plugin for libmtk are vulnerable to an authentication bypass allowing a remote, unauthenticated attacker to change the administrator password on the device.

Dridex: A History of Evolution

In the several years that the Dridex family has existed, there have been numerous unsuccessful attempts to block the botnet's activity.

The ongoing evolution of the malware demonstrates that the cybercriminals are not about to bid farewell to their brainchild, which is providing them with a steady revenue stream.

Google’s Polymer zeroes in on ES6 compatibility, interoperability

Polymer, Google's open source JavaScript library for building reusable HTML elements, has graduated to version 2.0, a major revision that improves the data system, interoperability with other web libraries and frameworks, and support for ECMAScript 6 standards. ECMAScript is the official specification underlying JavaScript and implemented in web browsers. Arriving nearly two years after Polymer 1.0, the 2.0 release complies with HTML custom elements v1, for creating new HTML tags, and shadow DOM v1, for self-contained web components.

Developers can now draw on Polymer APIs associated with both specifications. Polymer 2.0 uses standard ECMAScript 6 classes and custom elements v1 methods rather than a Polymer factory method, according to release notes.

Developers can mix Polymer features with standard JavaScript, although the factory method is still supported via a compatibility layer.