chicksdaddy shares a report from The Security Ledger: Millions of Android smart television sets from the Chinese vendor TCL Technology Group Corporation contained gaping software security holes that researchers say could have allowed remote attackers to take control of the devices, steal data or even control cameras and microphones to surveil the set's owners. The security holes appear to have been patched by the manufacturer in early November. However the manner in which the holes were closed is raising further alarm among the researchers about whether the China-based firm is able to access and control deployed television sets without the owner's knowledge or permission, according to a report published on Monday by two security researchers. The report describes two serious software security holes affecting TCL brand television sets. First, a vulnerability in the software that runs TCL Android Smart TVs allowed an attacker on the adjacent network to browse and download sensitive files over an insecure web server running on port 7989. That flaw, CVE-2020-27403, would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set up to and including images, personal data and security tokens for connected applications. The flaw could lead to serious critical information disclosure, the researchers warned. Second, the researchers found a vulnerability in the TCL software that allowed a local unprivileged attacker to read from and write to critical vendor resource directories within the TV's Android file system, including the vendor upgrades folder. That flaw was assigned the identifier CVE-2020-28055. The researchers, John Jackson, an application security engineer for Shutter Stock, and the independent researcher known by the handle "Sick Codes," said the flaws amount to a "back door" on any TCL Android smart television. "Anybody on an adjacent network can browse the TV's file system and download any file they want," said Sick Codes in an interview via the Signal platform. That would include everything from image files to small databases associated with installed applications, location data or security tokens for smart TV apps like Gmail. If the TCL TV set was exposed to the public Internet, anyone on the Internet could connect to it remotely, he said, noting that he had located a handful of such TCL Android smart TVs using the Shodan search engine.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica : In 2008, researcher Dan Kaminsky revealed one of the more severe Internet security threats ever: a weakness in the domain name system that made it possible for attackers to send users en masse to imposter sites instead of the real ones belonging to Google, Bank of America, or anyone else. With industrywide coordination, thousands of DNS providers around the world installed a fix that averted this doomsday scenario. Now, Kaminsky's DNS cache poisoning attack is back. Researchers on Wednesday presented a new technique that can once again cause DNS resolvers to return maliciously spoofed IP addresses instead of the site that rightfully corresponds to a domain name. On Wednesday, researchers from Tsinghua University and the University of California, Riverside presented a technique that, once again, makes cache poisoning feasible. Their method exploits a side channel that identifies the port number used in a lookup request. Once the attackers know the number, they once again stand a high chance of successfully guessing the transaction ID. The side channel in this case is the rate limit for ICMP, the abbreviation for the Internet Control Message Protocol. To conserve bandwidth and computing resources, servers will respond to only a set number of requests from other servers. After that, servers will provide no response at all. Until recently, Linux always set this limit to 1,000 per second. To exploit this side channel, the new spoofing technique floods a DNS resolver with a high number of responses that are spoofed so they appear to come from the name server of the domain they want to impersonate. Each response is sent over a different port. When an attacker sends a response over the wrong port, the server will send a response that the port is unreachable, which drains the global rate limit by one. When the attacker sends a request over the right port, the server will give no response at all, which doesn't change the rate limit counter. If the attacker probes 1,000 different ports with spoofed responses in one second and all of them are closed, the entire rate limit will be drained completely. If, on the other hand, one out of the 1,000 ports is open, then the limit will be drained to 999. Subsequently, the attacker can use its own non-spoofed IP address to measure the remaining rate limit. And if the server responds with one ICMP message, the attacker knows one of the previously probed 1,000 ports must be open and can further narrow down to the exact port number. Linux kernel developers responded by introducing a change that causes the rate limit to randomly fluctuate between 500 and 2,000 per second, preventing the new technique from working. Cloudflare also introduced a fix where its DNS service will fall back to TCP, "which is much more difficult to spoof," reports Ars. The researchers' press release is available here.

Read more of this story at Slashdot.

The Swiss intelligence service has known since at least 1993 that Switzerland-based encryption device maker Crypto AG was actually a front for the CIA and its German counterpart, according to a new report released by the Swiss Parliament, but Swiss leaders were in the dark until last year. From a report: Switzerland's intra-governmental information gap is unlikely to be welcome news in Europe, which already looks warily upon the U.S.' expansive surveillance practices. Still, Crypto AG provided information of incalculable value to U.S. policymakers over many decades. Crypto AG was controlled from 1970 on by the CIA and the West German BND intelligence agency. It sold encryption devices -- often employed in diplomatic communications -- that were used by over 120 countries through the 2000s.

Read more of this story at Slashdot.