A Second, Zero-Day Bug Allowed Hackers to Wipe Out Western Digital My Books
Colombian officials bust Romanian hacker for spreading Gozi virus, CISA issues short list of bad practices, SolarWinds hackers penetrated Denmark's central bank, Cops seize DoubleVPN servers, more
Check out my latest column in CSO that walks through NIST’s definitions of what constitutes critical software, a key component in implementing President Biden’s cybersecurity executive order.
Last week’s mass-wiping of Western Digital My Book Live storage devices involved exploiting one vulnerability and a second, previously unknown critical security bug that allowed hackers to remotely perform a factory reset without a password. Moreover, a Western Digital developer actively removed code that required a valid user password before allowing factory resets to proceed.
The zero-day flaw resides in a file named system_factory_restore, which contains a PHP script that performs resets, allowing users to restore all default configurations and wipe all data stored on the devices. Western Digital said this reset vulnerability was introduced to the My Book Live in April of 2011 as part of a refactor of authentication logic in the device firmware. The company also said that somebody exploited the…