Trailrunner7 - Slashdot User

Submission + - In Breakthrough, US and Cuba to Resume Diplomatic Relations

Submitted by HughPickens.com on Wednesday December 17, 2014 @01:00PM

HughPickens.com writes: Peter Baker reports at the NYT that in a deal negotiated during 18 months of secret talks hosted largely by Canada and encouraged by Pope Francis, the United States will restore full diplomatic relations with Cuba and open an embassy in Havana for the first time in more than a half-century. In addition, the United States will ease restrictions on remittances, travel and banking relations, and Cuba will release 53 Cuban prisoners identified as political prisoners by the United States government. Although the decades-old American embargo on Cuba will remain in place for now, the administration signaled that it would welcome a move by Congress to ease or lift it should lawmakers choose to. “We cannot keep doing the same thing and expect a different result. It does not serve America’s interests, or the Cuban people, to try to push Cuba toward collapse. We know from hard-learned experience that it is better to encourage and support reform than to impose policies that will render a country a failed state,” said the White House in a written statement. "The United States is taking historic steps to chart a new course in our relations with Cuba and to further engage and empower the Cuban people."

Submission + - Shellshock Worm Exploiting Unpatched QNAP NAS Devices (threatpost.com)

Submitted by msm1267 on Monday December 15, 2014 @12:47PM

msm1267 writes: A worm exploiting network attached storage devices vulnerable to the Bash flaw is scanning the Internet for more victims.

The worm opens a backdoor on QNAP devices, but to date it appears the attackers are using the exploit to run a click-fraud scam, in addition to maintaining persistence on owned boxes.

“The goal appears to be to backdoor the system, so an attacker could come back later to install additional malware,” said Johannes Ullrich, head of the Internet Storm Center at the SANS Institute.

QNAP of Taiwan released a patch in October for the Bash vulnerability in its Turbo NAS products. Like many other vulnerable products and devices, owners may not be aware that Bash is present and exposed. Bash was among a litany of Internet-wide vulnerabilities uncovered this year; the flaw in Bash, or Bourne Again Shell, affects Linux and UNIX distributions primarily, but also Windows in some cases. Bash is accessed, often quietly, by any number of functions which makes comprehensive patching difficult even though all major Linux distributions and most vendors have issued patches.

Submission + - Keurig 2.0 Genuine K-Cup Spoofing Vulnerability (blogspot.com)

Submitted by Anonymous Coward on Thursday December 11, 2014 @01:15PM

An anonymous reader writes: A security researcher has released a humorous vulnerability description for the Keurig 2.0 coffee maker, which includes DRM designed to only brew Keurig brand coffe pods (K-Cups)
Keurig 2.0 Coffee Maker contains a vulnerability in which the authenticity of coffee pods, known as K-Cups, uses weak verification methods, which are subject to a spoofing attack through re-use of a previously verified K-Cup.

The vulnerability description even includes mitigating controls, such as keeping the Keurig in a locked cabinet when not in use.

Submission + - New Destover Malware Signed by Stolen Sony Certificate

Submitted by Trailrunner7 on Tuesday December 09, 2014 @03:57PM

Trailrunner7 writes: Researchers have discovered a new version of the Destover malware that was used in the recent Sony Pictures Entertainment breaches, and in an ironic twist, the sample is signed by a legitimate certificate stolen from Sony.

The new sample is essentially identical to an earlier version of Destover that was not signed. Destover has been used in a variety of attacks in recent years and it’s representative of the genre of malware that doesn’t just compromise machines and steal data, but can destroy information as well. The attackers who have claimed credit for the attack on Sony have spent the last couple of weeks gradually releasing large amounts of information stolen in the breach, including unreleased movies, personal data of Sony employees and sensitive security information such as digital certificates and passwords.

The new, signed version of Destover appears to have been compiled in July and was signed on Dec. 5, the day after Kaspersky Lab published an analysis of the known samples of the malware.

Submission + - FISA Court Extends Section 215 Bulk Surveillance for 90 Days

Submitted by Trailrunner7 on Monday December 08, 2014 @03:56PM

Trailrunner7 writes: The secret Foreign Intelligence Surveillance Court has authorized a 90-day extension to the Section 215 bulk telephone collection program used by the National Security Agency, giving the agency through the end of February to run the program in the absence of legislation establishing a new authority.

On Monday, the Office of the Director of National Intelligence revealed that the administration had applied for a 90-day extension to the existing Section 215 authority, and that the FISC had approved the request, extending the authority through Feb. 27.

“The Administration welcomes the opportunity to work with the new Congress to implement the changes the President has called for. Given that legislation has not yet been enacted, and given the importance of maintaining the capabilities of the telephony metadata program, the government has sought a 90-day reauthorization of the existing program, as modified by the changes the President directed in January,” a statement from the Office of the DNI and the Office of the Attorney General said.

Submission + - Security Researcher Creates Database of 300k Known-Good SCADA Files

Submitted by Trailrunner7 on Monday December 01, 2014 @03:58PM

Trailrunner7 writes: A prominent security researcher has put together a new database of hundreds of thousands of known-good files from ICS and SCADA software vendors in an effort to help users and other researchers identify legitimate files and home in on potentially malicious ones.

The database, known as WhiteScope, comprises nearly 350,000 files, including executables and DLLs, from dozens of vendors. Among the vendors represented in the database are Advantech, GE, Rockwell, Schneider and Siemens. The project is the work of Billy Rios, a former Google security researcher who has worked extensively on ICS and SCADA security issues. WhiteScope is a kind of reverse VirusTotal for ICS and SCADA files, allowing people to determine which files are known to be good, rather than which are detected as malicious.

He said via email that the current iteration of the database is just the first version and that it represents about half of the software he has.

“I have 300,000 files in WhiteScope right now, and I plan to have half a million files in WhiteScope by the end of the year. I’ll have over a million the first quarter of 2015,” Rios said.

“Getting access to the software is the most difficult part, to get the artifacts that allowed WhiteScope to be created, it took over 5 years. If someone was more focused, they could probably do it in less time.”

Submission + - Researchers Uncover APT Threat That Infected Belgian GSM Network

Submitted by Trailrunner7 on Monday November 24, 2014 @03:23PM

Trailrunner7 writes: Researchers have uncovered a complex espionage platform reminiscent of Duqu that has been used since at least 2008 not only to spy on and extract email and documents from government agencies, research institutions and banks, but also one that targets GSM network operators in order to launch additional attacks.

Kaspersky Lab published a report this morning that explains this aspect of the Regin attack platform, which has been detected on the Windows computers of 27 victimized organizations in 14 countries, most of those in Asia and the Middle East. In addition to political targets, Kaspersky Lab researchers identified Belgian cryptographer Jean Jacques Quisquater as one of its specific victims, along with an unnamed research institution that was also infected with other dangerous espionage malware including Mask/Careto, Turla, Itaduke and Animal Farm.

The attackers were able to steal credentials from a internal GSM Base Station Controller belonging to a large telecom operator that gave them access to GSM cells in that particular network, Kaspersky Lab said. Base Station Controllers manage calls as they move along a mobile network, allocating resources and mobile data transfers.

“This means that they could have had access to information about which calls are processed by a particular cell, redirect these calls to other cells, activate neighbor cells and perform other offensive activities,” Kaspersky Lab researchers wrote. “At the present time, the attackers behind Regin are the only ones known to have been capable of doing such operations.”

The researchers are not speculating about the identities of the attackers, but signs point to a Western intelligence service or government.

Submission + - Thousands of Compromised Joomla, WordPress Plugins and Themes Used in Attack

Submitted by Trailrunner7 on Thursday November 20, 2014 @12:32PM

Trailrunner7 writes: Researchers have discovered a group of attackers who have published a variety of compromised WordPress themes and plug-ins on legitimate-looking sites, tricking developers into downloading and installing them on their own sites. The components then give the attackers remote control of the compromised sites and researchers say the attack may have been ongoing since September 2013.

CryptoPHP is the name the researchers have given to the malware that’s delivered with the compromised components, and the backdoor has a number of capabilities. It carries with it several hardcoded domains for command-and-control communications and uses RSA encryption to protect its communications with the C2 servers. Some versions also have a backup ability to communicate over email if the C2 domains are taken down. The PHPCrypto malware can update itself, inject content into the compromised sites it sits on and perform several other functions.

But the main purpose of the malware is to conduct blackhat SEO operations. The goal of these campaigns is to jack up the rank of sites controlled by the attackers, or their customers, which helps them look legitimate. This is done sometimes for gambling sites or similar sites and can also be tied to other scams.

The researchers have traced the attack to an IP address in Moldova, and the C2 servers are located in the Netherlands, Germany, Poland and the United States. Fox-IT said that they have identified thousands of plug-ins that have been backdoored, including both WordPress and Joomla plug-ins and themes and Drupal themes.

Submission + - Nasty Code Execution Bug Found in Android

Submitted by Trailrunner7 on Wednesday November 19, 2014 @02:47PM

Trailrunner7 writes: There is a vulnerability in Android versions below 5.0 that could allow an attacker to bypass ASLR and run arbitrary code on a target device under certain circumstances. The bug was fixed in Lollipop, the newest version of the mobile OS, released earlier this week.

The vulnerability lies in java.io.ObjectInputStream, which fails to check whether an object that is being deserialized is actually a serialized object. Security researcher Jann Horn discovered the vulnerability and reported it to Google earlier this year.

Horn said via email that the exploitability of the vulnerability is difficult to judge.

“An attacker would need to get a malicious app onto the device in order for this to work. The app would need no permissions,” he said. “However, I don’t have a full exploit for this issue, just the crash PoC, and I’m not entirely sure about how predictable the address layout of the system_server really is or how easy it is to write a large amount of data into system_server’s heap (in order to make less accurate guesses for the memory position work). It might be necessary to crash system_server once in order to make its memory layout more predictable for a short amount of time, in which case the user would be able to notice the attack, but I don’t think that’s likely.”

Submission + - Internet Voting Hack Alters PDF Ballots in Transmission (threatpost.com)

Submitted by msm1267 on Thursday November 13, 2014 @02:21PM

msm1267 writes: Threats to the integrity of Internet voting have been a major factor in keeping the practice to a bare minimum in the United States. On the heels of the recent midterm elections, researchers at Galois, a computer science research and development firm in Portland, Ore., sent another reminder to decision makers and voters that things still aren’t where they should be.

Researchers Daniel M. Zimmerman and Joseph R. Kiniry published a paper called “Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering” that explains an attack against common home routers that would allow a hacker to intercept a PDF ballot and use another technique to modify a ballot before sending it along to an election authority.

The attack relies on a hacker first replacing the embedded Linux firmware running on a home router. Once a hacker is able to sit in the traffic stream, they will be able to intercept a ballot in traffic and modify code strings representing votes and candidates within the PDF to change the submitted votes.

Submission + - Zero Day in iOS Used in WireLurker Attacks Disclosed

Submitted by Trailrunner7 on Monday November 10, 2014 @04:04PM

Trailrunner7 writes: The vulnerability used in the WireLurker attacks has been uncovered and was reported to Apple in July but has yet to be patched, a researcher at FireEye said.

Today’s disclosure of the Masque attack, which affects iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta, revealed that Apple mobile devices are not only exposed over USB as with WireLurker, but can also be taken over remotely via a SMS or email message pointing a victim toward a malicious app.

The vulnerability allows an attacker to swap out a legitimate iOS app with a malicious one without the user’s knowledge. Researcher Tao Wei, a senior staff research scientist at FireEye, said Apple’s enterprise provisioning feature does not enforce matching certificates for apps given identical bundle identifiers. Enterprise provisioning is an Apple developer service that allows enterprise iOS developers to build and distribute iOS apps without having to upload the app to Apple. Attacks can be successful against jailbroken and non-jailbroken devices.

“We have seen clues this vulnerability has been circulated, so we had to disclose it,” Wei told Threatpost this morning.

Submission + - Darkhotel APT Crew Targets Top Executives in Long-Term Campaign

Submitted by Trailrunner7 on Monday November 10, 2014 @12:35PM

Trailrunner7 writes: APT groups tend to be grouped together in a large amorphous blob of sinister intentions and similar targets, but not all APT crews are created equal. Researchers have identified a group that’s been operating in Asia for at least seven years and has been using hotel networks as key infection points to target top executives at companies in manufacturing, defense, investment capital, private equity, automotive and other industries.

The group, which researchers at Kaspersky Lab are calling Darkhotel, has access to zero day vulnerabilities and exploits and has shown a willingness to use them in situations where the zero days might be discovered. One of the zero days the group has used is a Flash vulnerability that was disclosed in February.

“This crew occasionally deploys 0-day exploits, but burns them when required. in the past few years, they deployed 0-day spear-phishing attacks targeting Adobe products and Microsoft internet Explorer, including cve-2010-0188. in early 2014, our researchers exposed their use of cve-2014-0497, a Flash 0-day described on Securelist in early February,” the Darkhotel report says.

The Darkhotel group has been operating mainly in Asian countries, but there have been infections recorded in the United States, South Korea, Singapore, Germany, Ireland and many others, as well. The key infection method for this group is the compromise of WiFi networks in business hotels. When users connect to the network, they are presented with a dialog box prompting them to install a fake update, typically something that looks legitimate, such as Adobe Flash. If a victim agrees to install the fake update, he instead receives a digitally signed piece of malware, courtesy of the attackers. The malware has keylogging and other capabilities and steals information, which is then sent back to the attackers.

Submission + - More Tor .Onion Sites May Get Digital Certificates Soon

Submitted by Trailrunner7 on Friday November 07, 2014 @12:58PM

Trailrunner7 writes: News broke last week that Facebook had built a hidden services version of its social network available to users browsing anonymously via the Tor Project’s proxy service. Unlike any .onion domain before it, Facebook’s would be verified by a legitimate digital signature, signed and issued by DigiCert.

Late yesterday, Jeremy Rowley, DigiCert’s vice president of business development and legal, explained his company’s decision to support this endeavor in a blog entry. He also noted that DigiCert is considering opening up its certification business to other .Onion domains in the future.

“Using a digital certificate from DigiCert, Tor users are able to identify the exact .onion address operated by Facebook,” Rowley explained. “Tor users can evaluate the digital certificate contents to discover that the entity operating the onion address is the same entity as the one operating facebook.com.”

Submission + - NSA Director Says Agency Shares Most, But Not All, Bugs it Finds

Submitted by Trailrunner7 on Wednesday November 05, 2014 @12:11PM

Trailrunner7 writes: When the National Security Agency discovers a new vulnerability that looks like it might be of use in penetrating target networks, the agency considers a number of factors, including how popular the affected software is and where it’s typically deployed, before deciding whether to share the new bug. The agency shares most of the bugs it finds, NSA Director Mike Rogers said, but not all of them.

Speaking at an event at Stanford University, Rogers said that the NSA has been told by President Barack Obama that the default decision should be to share information on new vulnerabilities.

“The president has been very specific to us in saying, look, the balance I want you to strike will be largely focused on when you find vulnerabilities, we’re going to share them. By orders of magnitude, when we find new vulnerabilities, we share them,” Rogers said.

“He also said, look, there are some instances when we’re not going to [share vulnerability information]. The thought process as we go through this policy decision, the things we tend to look at are, how foundational and widespread is this potential vulnerability? Who tends to use it? Is it something you tend to find in one nation state? How likely are others to find it? Is this the only way for us to generate those insights we need or is there another alternative we could use?” Rogers said. “Those answers shape the decision.”

Submission + - Drupal Warns Users of Mass, Automated Attacks on Critical Flaw

Submitted by Trailrunner7 on Thursday October 30, 2014 @09:15AM

Trailrunner7 writes: The maintainers of the Drupal content management system are warning users that any site owners who haven’t patched a critical vulnerability in Drupal Core disclosed earlier this month should consider their sites to be compromised.

The vulnerability, which became public on Oct. 15, is a SQL injection flaw in a Drupal module that’s designed specifically to help prevent SQL injection attacks. Shortly after the disclosure of the vulnerability, attackers began exploiting it using automated attacks. One of the factors that makes this vulnerability so problematic is that it allows an attacker to compromise a target site without needing an account and there may be no trace of the attack afterward.

Slashdot Top Deals