cns-logo-hut3cns-logo-hut3

Information Assurance

Blog

CNS Security News

by CNS Team | Sep 21, 2012

How I CRASHED my bank, stole PINs with a touch-tone phone >Users told: Get rid of Internet Explorer (again)>Critical flaw exposes Oracle database passwords >Single NFC bonk subjugated Samsung Galaxy SIII and slurped it out

How I CRASHED my bank, stole PINs with a touch-tone phone

Miscreants can crash or infiltrate banks and help desks' touch-tone and voice-controlled phone systems with a single call, a security researcher warns.
Rahul Sasi, who works for iSight Partners, said audio processing algorithms in office telephone networks and speech-driven command software are liable to crash when bombarded with unusual data in so-called fuzzing attacks.

Certain DTMF (Dual-Tone Multi-Frequency) signals can cause these private branch exchanges (PBX) and interactive voice response (IVR) systems to raise exceptions and bail out, much in the same way that unexpected input data can knacker applications running on a desktop computer or server.

 

Users told: Get rid of Internet Explorer (again)

Internet Explorer users have been told to ditch the application and switch to another browser, pronto.
The warning comes from Rapid7, which describes a hole that’s exploitable by visiting a malicious Website (and, of course, in the world of Twitter and shortened URLs, it’s so much easier to get users to visit such sites).
Visiting a malicious site gives the attacker the same privileges as the current user, according to Rapid7’s post - the published exploit targets XP, but Rapid7 say the attack works on IE 7 through 9 running on XP, Vista and Windows 7.

Single NFC bonk subjugated Samsung Galaxy SIII and slurped it out

A Galaxy S III running Android 4.0.4 was infected with malware over an NFC connection at a hacking contest in Amsterdam using nothing more than a bump in the dark.
Full details of the vulnerabilities exploited haven't been revealed by the team, who came from MWR InfoSecurity and were showing off at Mobile Pwn2Own this week, as they are giving Samsung and Google time to issue a patch. An iPhone 4S was also compromised via a WebKit bug during the competition between security bods.
The Galaxy S III infection was accomplished using Android's Beam application to send a file, which is executed thanks to a buffer overflow attack, allowing the hackers to escalate privileges to superuser level and establish a network connection to a remote server. The assault hands over complete control of the device and allows the data within to be siphoned off.

Critical flaw exposes Oracle database passwords

A security researcher says some versions of the Oracle database contain a vulnerability so serious that anyone with access to the server over a network can crack database passwords using a basic brute-force attack, given nothing more than the name of the database and a valid username.
"This is a critical issue because it's very easy to exploit, and it doesn't require any privileges," AppSec's Esteban Martinez Fayó said in an interview with Dark Reading.