Thursday, 15 May 2014

SanDisk ships its first self-encrypting SSDs

SanDisk's new X300s SSD uses both the Trusted Computing Group's Opal 2.0 specification and Microsoft Encrypted Hard Drive hardware-based encryption to protect data on the drive.
SanDisk's new X300s SSD. (Image: SanDisk)
The encryption algorithms are also coupled with a management dashboard for IT admins to use for audit and compliance purposes.
The SanDisk X300s SSD will be available in June through the SanDisk Commercial Business Channel in two form factors - 2.5-in x 7mm thick and an M.2 single-sided expansion board, with capacities of 64GB, 128GB, 256GB, 512GB and 1TB.
SanDisk's X300s SSD and accompanying software being installed on a laptop. (Image: SanDisk)
Capacities up to 512GB will be supported on the M.2 expansion board; the 2.5-in SSD, which fits in a standard laptop's hard drive bay, is available in 64GB, 128GB, 256GB, 512GB, and 1TB capacities.
The X300s SSD comes equipped with Wave System's Embassy Security Center (ESC) as part of the upcoming SanDisk SSD Dashboard software suite. Wave's ESC is a local client application that manages the X300s by determining who can access the encrypted data via user and password set-up. The inclusion of Wave's ESC on each X300s SSD includes local management of each drive.
The Wave software is provided at no additional cost, SanDisk said.
The company did not release pricing for the drives.
SanDisk demonstrates how to upgrade a laptop from a hard disk drive to one of its SSDs

Stop using Microsoft's IE browser until bug is fixed, US and UK warn

It's not often that the US or UK governments weigh in on the browser wars, but a new Internet Explorer vulnerability -- one that affects all major versions of the browser from the past decade -- has forced them to raise an alarm: Stop using IE.
The zero-day exploit -- the term given to a previously unknown, unpatched flaw -- allows attackers to install malware on your computer without your permission. That malware could be used to steal personal data, track online behavior, or gain control of the computer. Security firm FireEye, which discovered the bug, said that the flaw is being used with a known Flash-based exploit technique to attack financial and defense organizations in the US via Internet Explorer 9, 10, and 11. Those versions of the browser run on Microsoft's Windows Vista, Windows 7, and Windows 8, although the exploit is present in Internet Explorer 6 and above.
While the Computer Emergency Readiness Team in England and the US regularly issue browser advisories, this is one of the few times that the CERT team has recommended that people avoid using a particular browser. Specifically, the advisory says administrators and users should "review Microsoft Security Advisory 2963983 for mitigation actions and workarounds" and that people who can't implement those stopgap measures, Windows XP users among them, "may consider employing an alternate browser."
FireEye recommends that if you can't switch browsers, then disable Internet Explorer's Flash plug-in. You also can use IE with Microsoft's Enhanced Mitigation Experience Toolkit (EMET) security app, but that will not be as secure as simply switching browsers.
In a statement, Microsoft told CNET, "On April 26, 2014, Microsoft released Security Advisory 2963983 to notify customers of a vulnerability in Internet Explorer. At this time we are aware of limited, targeted attacks. We encourage customers to follow the suggested mitigations outlined in the security advisory while an update is finalized."
The company advises Internet Explorer users that the Enhanced Protected Mode, on by default in IE 10 and IE 11, used with EMET, "will help protect against this potential risk."
The company did not address what people who use IE 9 or older should do. It's not expected that IE 6 will ever see an update, as Microsoft has stopped issuing security updates for the 12-year-old browser that still makes up 4.65 percent of the browser market.
The US Department of Homeland Security did not immediately respond to requests for comment.
Statistics vary as to how many people actually use Internet Explorer. NetMarketShare puts the total around 55 percent of the desktop browser market, while competitor StatCounter says that 22.58 percent of people use IE. While the disparity is large, in either case the flaw affects a huge number of browsers being actively used.

Upper Allen Twp. payroll company defends its handling of computer hacking incident

Nearly 1,000 Central Penn College employees are among the thousands of people who are learning their personal information has recently fallen into the hands of hackers.
Paytime Inc., an Upper Allen Twp.-based payroll company, said it acted quickly to get the word out about a computer hacking incident that puts thousands of people's personal information at risk.  
The hackers accessed such information as Social Security numbers, birth dates, hiring dates, phone numbers and other payroll-related data stored in the computer system at Paytime Inc., an Upper Allen Twp.-based company that handles payroll services for an undisclosed number of employers in and outside of Pennsylvania.
Since learning of the security breach that Paytime discovered on April 30, the college in East Pennsboro Twp. has sent out several informal notices over the past week to employees advising them of steps to take to protect their identities, said college spokeswoman Sarah Blumenschein.
It plans to send out letters on Thursday sharing similar information with former employees who worked there over the past eight years since they too have may have personal data at risk, she said.
"Over the years, Paytime has been a great business partner with superior customer service, and we will assist them in any way possible to spread this message to our employees," Blumenschein said.
Other individuals who work at companies that are Paytime customers are not as understanding. Several contacted PennLive expressing outrage that Paytime plans to hold off until May 21 to send out notices that tell them what they should do. They accused the payroll service company of dragging its feet.
Chris Haverstick, Paytime's vice president of sales and marketing, said his company has been doing anything but that.
He said as soon as its information technology forensics experts detected a file in the computer system that shouldn't have been there, federal law enforcement authorities were notified and alerts were sent to the employers it works with about its security being compromised.
But it wasn't until Monday that the company felt the investigation had progressed far enough to determine that customers' employees indeed needed to be notified, he said.
The investigation found that skilled hackers with foreign IP addresses exploited a vulnerability in Paytime's computer system starting on April 7, according to a company-issued statement released today.
Paytime immediately sent its customers notices asking for permission to contact their current and former employees to advise them of the breach and the free year of credit monitoring and identity restoration services that Paytime will provide.
Once customers' permission is granted, Haverstick said the official notifications will be sent out, starting next week. In the meantime, Paytime is establishing a call center to field the anticipated calls from affected individuals who may want further guidance.
Haverstick was adamant that Paytime has kept its customers in the loop along the way unlike other companies that he said waited a month or more before dropping the news of a breach.
"We didn't drag our feet on this. We acted quickly as possible." Paytime vice president Chris Haverstick
"We have very loyal clients and our clients have been great. We were telling them what we knew when we knew it. I think that's very important," he said. "We didn't drag our feet on this. We acted quickly as possible."
He said he thinks the employers that Paytime serves understand the situation, but "I don't think the employees get it."
Because federal authorities were on the case, Haverstick said Paytime never alerted the Upper Allen Twp. police, the Cumberland County District Attorney's office or the state Attorney General's office.
Upper Allen Twp. police Detective Ryan Parthemore said he called the company on Wednesday after learning of the hacking incident through media reports and was told to call the company's attorney. Parthemore said the law firm never returned the call.
The attorney general's office offers the following tips to individuals who find themselves as victims of a personal information security breach:
  • Check your credit report with the three nationwide consumer reporting companies: Equifax, Experian and TransUnion. If consumers find errors on their report, contact the reporting company in writing.  Under the Fair Credit Reporting Act, consumers are entitled to a free copy of their credit report from each company every 12 months. Visit or call 1-877-322-8228.
  • Check for unauthorized activity on your bank account and immediately report them to the bank's fraud department. 
  • Consumers can place a fraud alert on their credit reports to help mitigate potential issues by contacting the three credit reporting agencies: Equifax:  1-800-525-6285; Experian:  1-888-397-3742; and TransUnion:  1-800-680-7289.
  • Concerned consumers can also contact the Attorney General's Bureau of Consumer Protections helpline at 1-800-441-2555.

DNS Flood of 1.5 Billion Requests a Minute, Fueled by anti-DDoS

According to the new report released by a US based security solutions provider Incapsula, another interesting DDoS attack activities have been noticed by the researchers in which an attacker abused two major anti-DDoS Service providers to perform massive DDoS attack on other websites.
Its really EPIC that the services who should protect websites from DDoS attack, itself compromised to perform DDoS on other web services.
The researchers at the security firm noticed a surge of massive DNS DDoS attack on one of its client, peaking at approximately 25Mpps (Million packets per second).
With multiple reports coming from different directions, and with several large scale attacks on our own infrastructure, we are now convinced that what we are seeing here is an evolving new trend – one that can endanger even the most hardened network infrastructures,” reads the report.
This time, hacker used the DNS DDoS attack, which is totally different and more responsive from the previously most commonly used DNS amplification attack by the hackers, both in their methods of execution and in the type of trouble they aim to deliver.
DNS amplification attack is an asymmetrical DDoS attack in which the attacker set the source address to that of the targeted victim by using spoofed Internet Protocol (IP) of the target, which means the target receives the replies from all the DNS servers that are used, making it the recipient of much larger DNS responses. “With these attacks the offender’s goal is to achieve network saturation by continuously exhausting the target’s bandwidth capacity,” Incapsula wrote.
But its totally different in the case of DNS DDoS attack as DNS floods are symmetrical DDoS attacks in which the attacker tries to exhaust the server-side assets (for e.g., memory or CPU) with the large number of UDP requests generated by the malicious scripts running on several compromised botnet machines. The packets sends per seconds are even larger in this case compare to DNS amplification attack.
With DNS amplification, the effectiveness of an attacker’s own resources is increased by anywhere from 300% to 1000%, which means that large attacks could be initiated by relatively small botnets”, says the report. “On the other hand, with DNS floods there is no multiplier to speak of at all. This means that, in order to generate a DNS flood at the rate of 25Mpps, the offender needs access to an equally powerful botnet infrastructure.”
Anti-DDoS Services abuse to DDoS at 1.5 Billion Requests per Minute with DNS Flood Attack
By using the same DNS DDoS attack, the hacker succeeded in sending the malicious requests through two different servers at a rate of 1.5 Billion DNS queries per minute, amounting to over 630 Billion requests during the course of the 7 hour-long DDoS attack.
Both the servers used by the attacker belongs to anti-DDoS service providers, one of which is based in Canada and the other in China. After acknowledging the attack, Incapsula informed both the anti-DDoS vendors, which then dropped the responsible clients from using their services.
Malicious misuse of security solutions is anything but new. However, this is the first time we encountered “rogue” scrubbing servers used to carry out large-scale DDoS attacks. This fact, combined with the inherit danger of non-amplified DNS floods, is what makes these attacks so devastatingly dangerous,” the researchers said.
DNS Amplification DDoS attack could be defended by dropping all unexpected DNS responses to port 53, whereas DNS Flood queries are difficult to differentiate from the legitimate DNS queries, and it is not possible to drop all DNS queries in order to migrate the attack. However this could be filtered when individually processed at the server level, but such process is practically very difficult to execute. Thankfully, the Impact of DNS Flood attack depends upon the capacity of the attacker’s own resources.

Gaming friendship leads to hacking nightmare

STOCKTON - Stockton Record columnist Michael Fitzgerald figured things were just fine when his 14-year-old son played the online game Minecraft. Fizgerald didn't realize his son was friendly with another gamer, who the teen allowed remote access into the family computer.
"Life is a mine field and sometimes you find the land mines by stepping on them and I did in this case," Fitzgerald said. "If others can benefit from my mistake, by all means take those strong measures."
Law enforcement in Canada have arrested a 16-year-old boy for gaining similar access to computers in five states and multiple cities. Fitzgerald said the first indication something was wrong came about six weeks ago, when the family was a victim of "swatting."
"Swatting is a fake call to police to bring out the SWAT team, one of the most serious police responses," Fitzgerald said. "The call was my son murdered his mother. They rolled out with numerous patrol cars at four in the morning."
It was a bogus call and so too were bomb threats phoned in at Stockton schools. It was because the hacker appeared to be making those calls from a Stockton address, police responded.
"He got remote access to the computer, got addresses, names and other information," Fitzgerald explained. "You get control of the WiFi, then you get control of every computer in the house and the phones."
Other calls brought pizza delivery workers to the house and an escort as well. Fitzgerald said some of the pranks would be considered funny if there wasn't so much damage being done.
'He (was) posting social security numbers and bank pin numbers to a hacker website," Fitzgerald said. "The numbers are still out there, with 50 attempts by identity thieves to get a credit card."
Fitzgerald blames not his son for the computer invasion, but himself.
"I needed to be a stronger parent. You're tempted to say 'let him have space', but don't do that," Fitzgerald said. "Be the parent. Demand their passwords and if they don't give them, take the computer away."
A friendship made over the online game "Minecraft" led to the hack of a Stockton family. (Wednesday, May 14, 2014) News10

NSA reportedly installs backdoors in U.S.-made Internet routers

Yesterday in a published excerpt of his forthcoming book, “No Place to Hide”, Journalist Glenn Greenwald underlines the interest of National Security Agency in planting backdoors in U.S. suppliers’ routers and other networking devices in order to carry out its massive surveillance program.
A June 2010 report from the head of the NSA’s Access and Target Development department is shockingly explicit,” Greenwald said. “The NSA routinely receives — or intercepts — routers, servers and other computer network devices being exported from the US before they are delivered.
While US government is always prohibiting the purchase of Huawei products due to suspected backdoors from the Chinese government, however the book written by Glenn Greenwald reads that the US government does the same thing with US suppliers’ hardware and repackages them with a factory seal before supplying them to overseas nations.
As Greenwald notes in the excerpt, “It is quite possible that Chinese firms are implanting surveillance mechanisms in their network devices. But the US is certainly doing the same.
The agency then implants backdoor surveillance tools, repackages the devices with a factory seal, and sends them on. The NSA thus gains access to entire networks and all their users. The document gleefully observes that some ‘SIGINT tradecraft…is very hands-on (literally!)’,” Greenwald writes.
According to Greenwald, the document of this new revelation is going to release today. His new book is based upon the leaked documents from 2010 provided by the former NSA contractor Edward Snowden that detailed the NSA receiving or intercepting various devices in the US before exporting them to foreign countries, which he apparently obtained from Snowden.
So far, The US National Security Agency (NSA) has been working with the security firm RSA on planting backdoors to spy on people, but if these allegations by Greenwald are correct, it’s all clear that all manner of US companies must be complicity involved with the agency.
By planting backdoors surveillance systems in the equipments, the NSA could feasibly gain access to the vast networks and users.
In one recent case, after several months a beacon implanted through supply-chain interdiction called back to the NSA covert infrastructure,” the NSA report says, according to the Guardian. “This callback provided us access to further exploit the device and survey the network.”
It’s not first time the NSA has been accused of this type of allegation. Also a report from German newspaper Der Spiegel alleged that the US intelligence agency intercepts the shipping deliveries to plant back doors in electronic equipments in order to gain remote access of the systems, including computers’ hard drives, routers, and other devices from companies such as Cisco, Dell, Western Digital, Seagate, Maxtor, Samsung, and Huawei.

Cybersecurity Drawing Political Focus

The Daily Roundup

Most Notable Info

Cybersecurity is definitely becoming a bigger priority for politicians. With the past (and probably future) Snowden revelations, and never-ending breaking news of new cyber-attacks, there is good reason for this shift in political focus.
There is word out that a bill is currently being drafted; the goal of which is allowance for “companies to monitor their computer networks for cyber-attacks, promotes sharing of cyber threat information and provides liability protection for companies who share that information.” The motivation behind this bipartisan bill is to “protect our corporate, governmental and personal digital assets from all cyber threats, foreign and domestic.”
Reuters reports that U.S. Homeland Security Secretary Jeh Johnson is observing an attitude shift in both political parties towards a more open dialogue between companies and the government when it comes to discussing cyber threats that could compromise multiple industries. Johnson believes cybersecurity to be an extremely important element for both the government and private businesses.
There is speculation about whether Congress will be able to agree on any sort of legislation that would mandate information sharing. One example of this disbelief comes from Peter Swire, Georgia Tech Professor and member of President Obama's spying practices panel, “I don't believe Congress is going to vote on a massive increase of information sharing at the same time as it is voting to end (NSA's) bulk collection.”
While the hesitation is valid, it is clear that these two actions are very different. The need for cybersecurity defenses is vitally important, especially when there are new and growing threats popping up everywhere.

On to the daily roundup...

IT Gravity 45, Risk 46
Beginning in July, Microsoft's Office 365 business customers will see a move from per-disk encryption to a model where every file stored in SharePoint Online and OneDrive for Business has its own encryption key. This change may be encouraging to businesses seeking a secure collaboration environment for company files.
Top Targets: Infrastructure and Utilities- Kuwait IT infrastructure

GOVERNMENT Gravity 26, Risk 29
A new report examines an Iranian sponsored hacking group that evolved from website defacements to targeted espionage campaigns aimed at defense organizations and Iranian dissidents. Dubbed “Operation Saffron Rose” the report analyzes the group’s methods and targets The report can be found
Top Targets: Infrastructure and Utilities- Kuwait IT infrastructure

A 17 year old student at a South Dakota high school cost his school $1,000 in damage after he hacked the schools network and shut down the phone, internet, and email systems.
Top Targets: Customers/Clients- British Pregnancy Advisory Service (BPAS) clients

CONSUMER GOODS Gravity 8, Risk 10
Point-of-sale attacks have evolved over the past few years from opportunistic to sophisticated attacks. Ambitious threat actors are moving towards "highly targeted attacks that require a substantial amount of lateral movement and custom malware created to blend in with the target organization." Read the Arbor report:
Top Targets: Group Members- Taiwanese mailing service agency

ENERGY Gravity 1, Risk 11
An advanced actor used the IE vulnerability to target defense and energy companies, claims FireEye. The advanced actor then shared the vulnerability with another threat actor. The actors utilized watering hole attacks to try to compromise targeted organizations. The two attack groups are state sponsored, claim
Top Targets: Infrastructure and Utilities- Tehran's nuclear company network

FINANCIALSGravity 5, Risk 9
A scam that targets social media uses directs the user to a fake facebook login page and steals the user's credentials. This same format is also being employed on a Chase Bank fake page from gifting sites.
Top Targets: Websites- Corporate websites

ENTERTAINMENT Gravity 1, Risk 5
An AnonGhost member created a Facebook page for a campaign dubbed OpFifa. The hacktivists targets Fifa over its “attitude towards Muslim teams.” This years World Cup is a cause célèbre among hacktivists. Brazilian hacktivists have said they will attack FIFA and Brazilian government websites to protest the
Top Targets: Social Media Accounts- Gary Barlow Twitter account

HEALTHCARE Gravity 2, Risk 4
Joel Scott and James Giscombe Jr., who work with patients treated at the NYU College of Dentistry, were busted for allegedly stealing credit card information from more than 350 victims using a mini card skimmer attached to the reader. Claims have circulated that the school covered up the crime by not reporting it.
Top Targets: Medical Equipment- Medical device

Telecom Gravity 2, Risk 3
The French Telecom company, Orange, released a statement this week stating they were hit by a massive data theft. The theft could affect over 1.3 million subscribers and this comes only a few months after the company had over 800,000 customer records stolen in another data
Top Targets: Data- Orange S.A. database

UTILITIES Gravity 0, Risk 0
Ronald Ross from NIST said at Utilities Telecom Council convention that security shortfalls are in communication, not tools. "We're drowning in risk management frameworks. We're drowning in controls." The key is determining who is responsible for protecting software, equipment, and systems and for responding when attacks

INDUSTRIALS Gravity 0, Risk 0
The Pakistan Haxors Crew breached and defaced a sub domain of Indian carmaker Tata. The hacker’s defacement calls out Tata’s lack of security on their website. The group target several numerous Indian websites, including several government websites and the country’s railway system.

MATERIALS Gravity 0, Risk 0
On Sunday Anonymous attacked the Monsato Brazil website via a DDoS and took it offline. This is not the first attack Anonymous has conducted against Monsato. The hacktivist organization is protesting the use of GE Trees that they claim poisons land and displaces communities in Latin America.

In other news...

A 17-year-old South Dakota student has been arrested for hacking the computer system of Sioux Falls Catholic schools, and has been charged with “felony intentional damage to property.” The police are saying that phone, email, and internet services were shut down last week to at least eight different schools in the district, costing about $1,000 to get restored.
I mean, why? Why?

How to Leverage Brand Intelligence for Fraud Management

One of the hardest responsibilities to tackle when it comes to fraud management is identifying and anticipating emergent attacks that seek to exploit your security controls. When I was in charge of rooting out fraud at a well-known financial services company, I spent a lot of time and money designing and deploying fraud solutions, as well as establishing proactive mitigation efforts to help identify threats in their planning stages. I know what it’s like to be on the client side of the fraud protection fence, regularly evaluating tools to see which ones are effective and which are a waste of time and money.
Gathering online brand intelligence is not a new concept, but it is something that many fraud organizations are just starting to look at due to the requirements set forth by the recent FFIEC guidance. There are a number of companies focused on helping others with patch management and checking for software exploitations, but few monitor for fraud threats related to bypassing controls, policies, or review processes. Cybercriminals know this, and are often able to take advantage of vulnerabilities in these areas with comparatively few obstacles thrown in their way.
At the time, my organization initially established a security intelligence department to identify and remove exploitations of a new account opening process, which permitted account applications to be queued even if they had no chance of being opened. This wasn’t necessarily a fraud concern, since the threat detection process was working smoothly on the back end. But it did artificially inflate my operations team’s workload, costing my organization time and money to remove these bad applications.
Once we started scouring the Internet to search for and remove these exploits, we serendipitously found a large number of social media discussions related to stolen debit cards, credentials for sale, targeted DDoS attacks in their planning stages and brand abuse cases on Twitter and other platforms. Many of our legitimate customers were also followers of fake accounts impersonating our brand, and could have easily been tricked into clicking the shortened URL links they contained to unknowingly access malware drop sites or phishing pages.
Proactively identifying these fake accounts, getting them removed from the Internet, and protecting my customers from falling for these scams had a positive affect on my account takeover numbers and helped resolve many customer complaints about fake e-mail and media campaigns. And to think, the social media intelligence was lying in plain sight, just waiting for the right tools to decipher it.
If you were not performing thorough Internet searches for evidence of malicious intentions against your brand before, the new FFIEC guidelines mandate that your organization do so now. While it can be tempting to simply check off all the regulatory boxes just to maintain compliance, organizations should see this new guidance as an opportunity to further safeguard their reputation and bottom line. Once a program for collecting brand intelligence is in place, it becomes very effective at taking down previously undetected threats, helping your fraud teams to proactively stop attacks and reduce customer-related compromises and losses.

Buffer Overflows Patched in Yokogawa Control System Products

Patches for critical vulnerabilities in production control system software built by Yokogawa Electric Corp. of Japan are available, according to an advisory issued Tuesday by the Industrial Control System Cyber Emergency Response Team (ICS-CERT).
The advisory warns that there are publicly available exploits targeting these vulnerabilities, and a Metasploit module for the bugs was recently released.
Yesterday’s alert is an update to a previous advisory issued in March warning of buffer overflow vulnerabilities in the software. Yokogawa said this prompted a deeper examination of its products and additional security issues were discovered, the company said.
In March, Rapid7 engineers Juan Vazquez and Julian Vilas Diaz disclosed three vulnerabilities in the Yokogawa Centum CS3000 Windows-based production control system. The Centum CS line is deployed in numerous critical industries such as oil refinery, iron and steel manufacturing, as well as public utilities and other manufacturing uses.
Vazquez and Diaz said that a working exploit was developed for version R3.09.50 running on Windows XP SP3 and Windows Server 2003, a data execution prevention (DEP) bypass that would allow an attacker to remotely execute code. The issue, they said, is in the BKESimmgr.exe service, which listens on TCP port 34205.
“By sending a specially crafted packet to the port TCP/34205, it’s possible to trigger a stack-based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user,” Vazquez and Diaz wrote on the Rapid7/Metasploit website.
In all, there are four vulnerabilities affecting a slew of Yokogawa products:
  • CENTUM CS 1000 all revisions,
  • CENTUM CS 3000 Entry Class R3.09.50 and earlier,
  • CENTUM VP R5.03.00 and earlier,
  • CENTUM VP Entry Class R5.03.00 and earlier,
  • Exaopc R3.71.02 and earlier,
  • B/M9000CS R5.05.01 and earlier, and
  • B/M9000 VP R7.03.01 and earlier
“Successful exploitation of these vulnerabilities could allow an attacker to perform a denial of service (DoS) or potentially acquire system privileges to execute arbitrary code,” ICS-CERT said in its alert. “Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.”
All of the bugs are buffer overflows, Yokogawa said.
The first is a heap-based buffer overflow in the BKCLogSvr.exe service. An attacker can send malicious packets to the service on UDP Port 52302, triggering the heap-based overflow that would allow an attacker to crash the system and also execute code remotely.
The remaining bugs are stack-based buffer overflows, all of which allow an attacker to run code on the production control system.
The first affects the BKHOdeq.exe service which starts when the system’s FCS/Test Function runs; malicious packets sent to TCP Port 20171 would trigger the vulnerability.
Similarly, the BKBCopyD.exe service, which also starts on the same function, but listens on TCP Port 20111, is also vulnerable to attack.