Category Archives: News

Node.js HTTP/2 Server Denial of Service Vulnerability

CVE Number – CVE-2018-7161

A vulnerability in the HTTP/2 implementation feature of Node.js could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.

The vulnerability exists when the affected software interacts with an HTTP/2 server in such a way that triggers a cleanup bug where objects are used in native code after they are no longer available. An attacker could exploit this vulnerability by sending a request that submits malicious input to the targeted node server that provides an HTTP/2 server. An exploit could cause the node server to crash, resulting in a DoS condition. The Node.js Foundation has confirmed the vulnerability and released software updates.

To exploit this vulnerability, an attacker must send a request that submits malicious input to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.

Safeguards
  • Administrators are advised to apply the appropriate updates.
  • Administrators are advised to allow only trusted users to have network access.
  • Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.
  • Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
  • Administrators can help protect affected systems from external attacks by using a solid firewall strategy.
  • Administrators are advised to monitor affected systems.

Vendor Announcements
Fixed Software
  • The Node.js Foundation has released software updates at the following link: Node.js 10.4.1





Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.

EE To Trial 5G In East London

EE, the UK’s largest mobile operator, will switch on the UK’s first live 5G trial network in East London in October, connecting real EE customers and businesses to 5G for the first time.

The trial will see 5G switched on at 10 sites around East London in areas including City Road, Old Street, Hoxton Square, St Paul’s and Chiswell Street. Five small businesses and five homes will have the chance to get connected to the unique 5G launch to trial the new technology, using prototype 5G broadband devices. In the coming weeks, EE will be using social media channels to find the UK’s first ever 5G trialists.

The live trial will demonstrate the ability of 5G to provide the highest speed mobile data connections, even in the most densely populated urban environments. 5G will create more reliable and responsive mobile internet connections, enabling widespread adoption of technologies like virtual reality and augmented reality in apps and services. EE aims to deliver live speeds in excess of one gigabit per second with this first trial.

EE aims to be the first UK operator to launch 5G, and will build the new mobile technology on top of its award winning 4G network, boasting the fastest speeds and the widest coverage.

Minister for Digital, Margot James, said: “We want the UK to be a global leader in 5G as part of our ambition to create a world-leading digital economy that works for everyone. Together with the Government’s own test beds and trials programme, industry initiatives like this will help deliver the benefits of this new revolutionary technology to businesses and consumers across the UK.”

Marc Allera, CEO of BT’s Consumer business, said: “This live trial is a big step forward in making the benefits of 5G a reality for our customers, and in making sure that the UK is at the front of the pack for 5G technology. We’re focusing our resource and experience across EE and BT to ensure that we continue to lead the UK market with a mobile network that keeps giving our customers the best speeds and the best coverage. 5G is a fundamental part of our work to build a converged, smart network that keeps our customers connected to the things that matter most.”





Netgear Security Advisory for Pre-Authentication Command Injection [CVE-2018-11106]

CVE Number = CVE-2018-11106 (PSV-2018-0051)

NETGEAR has released fixes for a pre-authentication command injection security vulnerability in request_handler.php on the following product models:

  • WC7500, running firmware versions prior to 6.5.3.5
  • WC7520, running firmware versions prior to 2.5.0.46
  • WC7600v1, running firmware versions prior to 6.5.3.5
  • WC7600v2, running firmware versions prior to 6.5.3.5
  • WC9500, running firmware versions prior to 6.5.3.5

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

To download the latest firmware for your NETGEAR product:

  1. Visit NETGEAR Support.
  2. Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.
    If you do not see a drop-down menu, make sure that you entered your model number correctly, or select a product category to browse for your product model.
  3. Click Downloads.
  4. Under Current Versions, select the download whose title begins with Firmware Version.
  5. Click Download.
  6. Follow the instructions in your product’s user manual, firmware release notes, or product support page to install the new firmware.

The pre-authentication command injection vulnerability in request_handler.php remains if you do not complete all recommended steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification.





Schneider Electric – Multiple Vulnerabilities In U.motion Builder

Schneider Electric has become aware of multiple vulnerabilities in the U.motion Builder product.

U.motion is a building automation solution used by commercial facilities, key manufacturing, and energy sectors around the world. U.motion Builder is a tool that allows users to create projects for their U.motion devices.

Researchers discovered that the Builder software is affected by 16 vulnerabilities, including path traversals and other bugs that can lead to information disclosure, and remote code execution flaws via SQL injection.

A majority of the security holes have been classified as medium severity, but some of them are more serious based on their CVSS score.

The most severe, with a CVSS score of 10, actually impacts the Samba software suite. The flaw allows remote code execution and it has been dubbed “SambaCry” by some members of the industry due to similarities to the WannaCry attack. The vulnerability, tracked as CVE-2017-7494, has been found to impact devices from several major vendors, including Cisco, Netgear, QNAP, Synology, Veritas, Sophos and F5 Networks.

Another serious vulnerability in U.motion Builder, identified as CVE-2018-7777, allows an authenticated attacker to remotely execute arbitrary code by sending specially crafted requests to the targeted server. One of the SQL injection flaws, CVE-2018-7765, has also been classified as high severity.

Most of these weaknesses were reported to Schneider by researcher Andrea Micalizzi, also known as “rgod,” and one was disclosed to the company by Constantin-Cosmin Craciun.

The issues affect U.motion Builder versions prior to 1.3.4, which Schneider released in early February. In addition to providing patches, the company has shared some recommendations for mitigating potential attacks.

This is not the first time Micalizzi has been credited for finding vulnerabilities in U.motion Builder. Last year, ICS-CERT reported that the researcher had found half a dozen types of flaws in this software. Those issues were disclosed in late June 2017 before patches were made available by Schneider as they were reported to the vendor via Trend Micro’s Zero Day Initiative (ZDI) more than one year earlier.





Typeframe Malware Via North Korea Hacking Group Known As Hidden Cobra

The US Department of Homeland Security said that it has identified malicious cyber activity by the North Korean government, according to a new report released on Thursday, just days after the historic summit between President Donald Trump and North Korean dictator Kim Jong Un.

This malware variant is known as TYPEFRAME, according to the report by the DHS Computer Emergency Readiness Team, noting that “the US Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA”.

The malware samples that have been checked so far consist of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications (VBA) macros. These files have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim’s firewall to allow incoming connections.

More info: https://www.us-cert.gov/ncas/analysis-reports/AR18-165A

C&C IPs and Hosts to Block






EE BECOMES THE FIRST UK NETWORK TO LAUNCH SMART NUMBER TECHNOLOGY

EE announced it is the first UK operator to launch smart number technology that enables customers to make and receive calls across their tablets, watches and laptops using one phone number, even when they don’t have their smartphone with them. Available at no extra cost to new and existing customers, this service is part of EE’s strategy to keep customers connected by bringing together the best of mobile and broadband through first-of-their-kind converged services across the UK.

If a customer leaves their smartphone at home, their phone battery goes dead, or even if they want to go away for the weekend with fewer devices – they’ll still be able to use other connected devices to make and receive calls and messages. The number will be the same, so friends and family will be able to call them just like they can on their smartphone, and they’ll know exactly who is trying to get hold of them.

Max Taylor, Managing Director of Marketing, EE, said: “We’ve made it our mission to give our customers amazing new technologies that make the most of our award-winning network to help keep them connected, wherever they go and whatever they want to do. Our new smart number technology is a great example of how we’re helping customers to seamlessly connect their favourite devices – whether on laptops, tablets or smartwatches, even if they’re away from their smartphone.”

With smart number technology, multiple calls can be made at the same time, so customers can ring friends and family on a tablet while on-hold on their smartphone. Calls can also be handed off from one device to another with the simple press of a button, so a customer can make a call on their connected laptop or tablet and then quickly switch to their smartphone if they need to leave the house.

The service works using Wi-Fi Calling and EE is the first network in the UK to offer this feature. A customer can extend their phone number to five other connected devices which are internet connected with either Wi-Fi or mobile connectivity. While the primary device needs to be on EE, the other devices do not need to be. If calls are made or received on a device with access to EE’s network, they will be taken out of the customer’s voice allowance.

The service will give existing and new EE pay monthly mobile customers new levels of freedom and convenience, without any requirement to upgrade, across a wide selection of compatible devices including smart watches, tablets and laptops. Initially available for Apple devices including iPhones, iPads, MacBooks and the Apple Watch, EE is also developing the functionality for Android devices with more details to be announced in due course. Customers will need to be on an EE pay monthly plan on their smartphone and have iOS 11.3 on an iPhone 6 or later. Paired iPads will need to be on iOS 10 (or later) and OS X El Capitan or later is required for Macs.

EE is also the only UK network to support the full connected capability of the Apple Watch Series 3.

For more information on EE’s unique new service, please visit https://ee.co.uk/help/help-new/offers-and-services/ee-smart-number/one-number





Adobe Acrobat XML Formal Architecture Object Mismatch Use-After-Free Arbitrary Code Execution Vulnerability [CVE-2018-4977]

CVE Number = CVE-2018-4977

A vulnerability in the XML Formal Architecture engine of Adobe Acrobat DC and Adobe Acrobat Reader DC could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is due to a mismatch between old and new event objects, resulting in a use-after-free memory error that could allow improper memory access. An attacker could exploit the vulnerability by persuading a user to access a link or file that submits malicious input to the affected software. A successful exploit could allow the attacker to execute arbitrary code and compromise the system completely.

Adobe has confirmed the vulnerability and released software updates.

Analysis
  • To exploit this vulnerability, the attacker may use misleading language or instructions to persuade a user to access a link or file that submits malicious input to the affected software.
Safeguards
  • Administrators are advised to apply the appropriate updates.
  • Administrators are advised to allow only trusted users to have network access.
  • Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.
  • Users are advised not to visit websites or follow links that have suspicious characteristics or cannot be verified as safe.
  • Administrators are advised to use an unprivileged account when browsing the Internet.
  • Administrators are advised to monitor critical systems.

Vendor Announcements
  • Adobe has confirmed the vulnerability and released a security bulletin at the following link: APSB18-02
Fixed Software






Adobe Acrobat Enhanced Metafile Format Heap Overflow Vulnerability [CVE-2018-4968]

A vulnerability in the image conversion engine component of Adobe Acrobat DC and Adobe Acrobat Reader DC could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is due to a heap overflow memory corruption error that could occur when the affected software is handling Enhanced Metafile Format (EMF) data. An attacker could exploit the vulnerability by persuading a user to access a link or file that submits malicious input to the affected software. A successful exploit could allow the attacker to execute arbitrary code and compromise the system completely.

CVE Number = CVE-2018-4968

Adobe has confirmed the vulnerability and released software updates.

Analysis
  • To exploit this vulnerability, the attacker may use misleading language or instructions to persuade a user to access a link or file that submits malicious input to the affected software.
Safeguards
  • Administrators are advised to apply the appropriate updates.
  • Administrators are advised to allow only trusted users to have network access.
  • Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.
  • Users are advised not to visit websites or follow links that have suspicious characteristics or cannot be verified as safe.
  • Administrators are advised to use an unprivileged account when browsing the Internet.
  • Administrators are advised to monitor critical systems.

Vendor Announcements
  • Adobe has confirmed the vulnerability and released a security bulletin at the following link: APSB18-02
Fixed Software






2018 CogX UK Rising Star Awards Presented by Prime Minister Theresa May

Following the 2018 CogX Awards earlier this week, Prime Minister Theresa May announced the final two UK Rising Star winners at an exclusive reception held at Number 10 Downing Street to showcase Britain as the best place in the world to run a tech company.

The CogX UK Rising Star Awards shine a light on individuals who are building companies that are set to shape society through AI, with the two accolades going to:

  • Noor Shaker, CEO and co-founder of GTN, for her work using deep learning and quantum physics to transform drug discovery and support the treatment of chronic diseases, with a focus on oncology. Noor recently closed a seed funding round of approximately $3 million, and has well-established partnerships with The Francis Crick Institute and the UK government’s Medicines Discovery Catapult.
  • Dhruv Ghulati, CEO and co-founder of Factmata, for his work using human-assisted AI to tackle fake news, abusive content, hate speech and propaganda on the internet; and score the credibility and quality of media information in almost real-time. Founded in January 2017, Dhruv has already raised $1 million in seed funding from billionaire Mark Cuban, Twitter founder Biz Stone and Zynga founder Mark Pincus, among others.

Matt Hancock, Secretary of State for Culture, Media and Sport, with CognitionX co-founders Tabitha Goldstaub and Charlie Muirhead, and CogX Award winners Noor Shaker and Dhruv Ghulati at Number 10 Downing Street (PRNewsfoto/CognitionX)

Prime Minister Theresa May said: “It’s a great time to be in tech in the UK, and our modern Industrial Strategy will drive continued investment, ensuring the nation flourishes in the industries of the future and creating more high-paying jobs.”

Following the presentation by Prime Minister Theresa May, Dhruv Ghulati said: “Despite being only 10 months into our journey, this award is recognition that the UK tech sector wants us to succeed. I am hugely proud of my team for the strides they have made in launching our first AI products, and excited about continuing to tackle one of the major challenges of our time – online misinformation.”

2018 CogX Rising Star Award winner Noor Shaker said: “AI has the potential to disrupt drug discovery through access to better medicines, addressing neglected areas such as orphan diseases and reducing the cost of developing medicines. We very much appreciate the recognition of GTN’s efforts in that direction and we are very excited about the PM’s agenda that recognises the challenges and rewards innovations in this field. We are also very happy to have a base in U.K. and in being part of a strong ecosystem that facilitates access to high quality talent, expertise and capital.”

The CogX Awards, held on Monday 11th June and hosted by CognitionX, celebrated the best in AI from around the world, and saw the winners joined by more than 300 guests at a gala dinner to raise awareness of the incredible work that is being done in the industry. CogX presented over 50 awards this year, including industry achievements across 18 different sectors and technical achievements across 16 different domains, as well as for contributions to research and academia, and outstanding leadership in ethics.

The 2018 awards were held as part of the CogX AI Festival during London Tech Week. A festival of all things AI, CogX brought together 6,000+ people from technology, business, academia and the media across a packed two-day schedule including keynotes from Baroness Joanna Shields, Group CEO of BenevolentAI, and Jurgen Schmidhuber, the “father of AI”.

Following the hugely successful event, CognitionX co-founder and CEO Charlie Muirhead said: “Having so many AI and industry experts in one place really reinforced the challenges and opportunities that we’re facing; AI is at a tipping point. Organisations need to define their strategy and start deployment, not in 10 years, but right now. This is why we’ve launched our AI advice platform to transform the way in which knowledge and expert advice is accessed. Web search has many merits, but organisations need advice specific to their needs across departments. Sometimes they may even have the expertise internally, but often end up turning to consultancies for this.”

“We have a unique opportunity to catalyse adoption of artificial intelligence in the UK,” added Tabitha Goldstaub, co-founder of CognitionX. “Our platform helps to remove the barriers to deployment, by reducing the time it takes to make decisions and find the right AI services to use. As industry and government gain more confidence in implementing AI, we will see the technology adopted more often and more successfully. As long as the challenging ethical considerations are understood, AI is designed responsibly, and the benefits fairly distributed, this will lead to a brighter future for the country.”

About CognitionX: CognitionX is the AI Advice Platform that connects organisations with a global on-demand network of AI experts. The platform allows experts in AI from around the world to share invaluable expertise with organisations of any size and sector who want to tap into that knowledge. Founded in 2015 by Charlie Muirhead and Tabitha Goldstaub, CognitionX’s mission is to bring clarity to, and accelerate adoption of, AI across all organisations from global enterprises to startups, and help ensure a safe and responsible transition to an AI-driven society. Through its freemium model, CognitionX’s expert network helps level the playing field, by making scarce AI expertise accessible to all, and provides a new way for experts to monetise their knowledge.




Green Light For Ultra-fast Electric Car Charging Innovation

A new pioneering technology to ensure a next generation of safer, high-powered electric car batteries can be charged by drivers in ultra-fast time is just one of 12 innovation projects to receive the green light from the government’s Faraday Battery Challenge.

The PowerDrive Line project being led by Southampton-based company Ilika is focusing on solid state battery cell development, in particular how to manufacture at scale in the UK and how to build in ultra-fast charging technology of less than 25 minutes for a vehicle as is seen in some current battery systems.

In total, £22 million in grants is being awarded to consortia across the UK as part of the latest round of funding through the Faraday Battery Challenge, part of the government’s Industrial Strategy Challenge Fund.

The funding is key to realising the government’s ambitions for innovative energy solutions as set out in our modern Industrial Strategy. The Faraday Battery Challenge brings together world-leading research and business to accelerate the research needed to develop battery technologies.

Other major R&D projects funded include:

  • a revolutionary approach to battery management led by Williams Advanced Engineering
  • a McLaren Automotive led consortium project that aims to accelerate the development of electrified powertrains
  • a revolutionary battery recycling project that will develop the first UK industrial scale capability to reclaim and reuse battery essential metals. This project is being led by Cheshire-based ICoNiChem and involves Jaguar Land Rover
  • an Aston Martin Lagonda project into the development of better performance battery packs.

Business and Energy Secretary Greg Clark said:

Innovative battery technology is changing the way we live, travel and work and the Government is committed to putting Britain at the heart of this energy revolution.

Today’s £22 million investment in world-leading R&D projects is an example of our modern Industrial Strategy in action and will help pioneering companies realise the economic benefits the global transition to a low carbon economy offers.

UK Research and Innovation chief executive Professor Sir Mark Walport said:

Effective, efficient and sustainable transport is key to addressing so many of today’s challenges from industrial growth to social inclusion. Through advanced battery technology, we will unlock a new generation of electric vehicles, further improving vehicle performance and uptake, opening doors to innovative new transport ideas and significantly reducing environmental impacts. Today’s investment shows we are catalysing collaboration between research teams and commercial partners across the UK to make this a reality.

Battery Challenge Director Tony Harper said:

This latest round of cutting-edge research and development projects illustrate the quality of innovations coming from our research and industrial base, and reinforce why the UK is a world-leader in battery technology development.




