Varanoid.com Blog

VU#923388: Swann SRNVW-470 allows unauthorized access to video stream and contains a hard-coded password 0

VU#923388: Swann SRNVW-470 allows unauthorized access to video stream and contains a hard-coded password

Vulnerability Note VU#923388 Swann SRNVW-470 allows unauthorized access to video stream and contains a hard-coded password Original Release date: 17 Feb 2016 | Last revised: 17 Feb 2016 Overview Swann network video recorder (NVR) devices contain a hard-coded password and do not require authentication to view the video feed when accessing from specific URLs. Description CWE-259 : Use of Hard-coded Password – CVE-2015-8286 According to the researcher, the Swann SRNVW-470LCD and Swann SWNVW-470CAM contain a hard-coded passwords allowing administrative or root access.

VU#899080: Zhuhai Raysharp firmware for DVRs from multiple vendors contains hard-coded credentials 0

VU#899080: Zhuhai Raysharp firmware for DVRs from multiple vendors contains hard-coded credentials

Vulnerability Note VU#899080 Zhuhai Raysharp firmware for DVRs from multiple vendors contains hard-coded credentials Original Release date: 17 Feb 2016 | Last revised: 18 Feb 2016 Overview Digital Video Recorders (DVRs), security cameras, and possibly other devices from multiple vendors use a firmware derived from Zhuhai RaySharp that contains a hard-coded root password. Description CWE-259 : Use of Hard-coded Password – CVE-2015-8286 According to the reporter, DVR devices based on the Zhuhai RaySharp firmware contain a hard-coded root password

VU#457759: glibc vulnerable to stack buffer overflow in DNS resolver 0

VU#457759: glibc vulnerable to stack buffer overflow in DNS resolver

Vulnerability Note VU#457759 glibc vulnerable to stack buffer overflow in DNS resolver Original Release date: 17 Feb 2016 | Last revised: 18 Feb 2016 Overview GNU glibc contains a buffer overflow vulnerability in the DNS resolver, which may allow a remote attacker to execute arbitrary code. Description CWE-121 : Stack-based Buffer Overflow – CVE-2015-7547 According to a Google security blog post : “The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.” According to glibc developers, the vulnerable code was initially added in May 2008 as part of the development for glibc 2.9.

VU#507216: Hirschmann "Classic Platform" switches reveal administrator password in SNMP community string by default 0

VU#507216: Hirschmann "Classic Platform" switches reveal administrator password in SNMP community string by default

Vulnerability Note VU#507216 Hirschmann “Classic Platform” switches reveal administrator password in SNMP community string by default Original Release date: 16 Feb 2016 | Last revised: 16 Feb 2016 Overview Hirschmann “Classic Platform” switches contain a password sync feature that syncs the switch administrator password with the SNMP community password, exposing the administrator password to attackers on the local network. Description CWE-257 : Storing Passwords in a Recoverable Format For all Hirschmann (part of Belden) “Classic Platform” switches (which includes the MACH series workgroup switches, among others), by default, the switch administrator password is used to construct an SNMP community string that allows remote management of some switch configuration

Image chiptrans.png 0

The Great EMV Fake-Out: No Chip For You!

Many banks are now issuing customers more secure chip-based credit cards, and most retailers now have card terminals in their checkout lanes that can handle the “dip” of chip-card transactions (as opposed to the usual swipe of the card’s magnetic stripe).

Fear and Anxiety 0

Fear and Anxiety

More psychological research on our reaction to terrorism and mass violence: The researchers collected posts on Twitter made in response to the 2012 shooting attack at Sandy Hook Elementary School in Newtown, Connecticut. They looked at tweets about the school shooting over a five-and-a-half-month period to see whether people used different language in connection with the event depending on how geographically close they were to Newtown, or how much time had elapsed since the tragedy. The analysis showed that the further away people were from the tragedy in either space or time, the less they used words related to sadness ( loss, grieve, mourn ), suggesting that feelings of sorrow waned with growing psychological distance.