Trailrunner7 - Slashdot User

Submission + - NSA Official: Supporting Backdoored Random Number Generator was 'Regrettable"

Submitted by Trailrunner7 on Wednesday January 14, 2015 @02:13PM

Trailrunner7 writes: In a new article in an academic math journal, the NSA’s director of research says that the agency’s decision not to withdraw its support of the Dual EC_DRBG random number generator after security researchers found weaknesses in it and questioned its provenance was a “regrettable” choice.

Michael Wertheimer, the director of researcher at the National Security Agency, wrote in a short piece in Notices, a publication of the American Mathematical Society, that even during the standards development process for Dual EC many years ago, members of the working group focused on the algorithm raised concerns that it could have a backdoor in it. The algorithm was developed in part by the NSA and cryptographers were suspect of it from the beginning.

“With hindsight, NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable,” Wertheimer wrote in a piece in Notices’ February issue.

Submission + - Encryption is Not the Enemy

Submitted by Trailrunner7 on Tuesday January 13, 2015 @03:22PM

Trailrunner7 writes: There are few things scarier these days than a politician stepping in front of a microphone, taking a deep breath and opening his mouth to pontificate on security. A long list of American elected officials have reinforced this, and on Monday, UK Prime Minister David Cameron jumped to the head of this undistinguished line with his dangerous statement that encrypted communications shouldn’t be allowed.

Cameron, speaking in the wake of the terror attack in Paris last week, said at an event Monday that the UK government can’t allow any form of communication that can’t be read.

“Are we going to allow a means of communications which it simply isn’t possible to read?” Cameron said, according to the New York Times. “My answer to that question is: ‘No, we must not.’ “

Aside from the specter of attackers identifying and exploiting an intentional backdoor, there is the problem of trying to bend software makers to the will of the government. Even if by some miracle the backdoor proposal succeeds, the government still would face the hurdle of getting software makers such as Apple to prevent secure communications apps from showing up in their app store. Apple does what Apple wants and generally not much else. And, as Doctorow says, how would Cameron address the global open source community, which produces much of the secure communications software?

These kinds of systems just flat don’t work.

“It won’t work. The basic problem with these proposals is they work against regular people who don’t care. But to make it work, you have to close the loopholes,” cryptographer Bruce Schneier, CTO of Co3 Systems, said in an interview. “If you can’t do that, you don’t hurt the bad guys, you only hurt the good guys. It plays well on TV to someone who doesn’t understand the tech. Everything works against my grandmother, but nothing works against professionals.”

Submission + - First OSX Bootkit Revealed

Submitted by Trailrunner7 on Thursday January 08, 2015 @03:20PM

Trailrunner7 writes: A vulnerability at the heart of Apple’s Mac OS X systems—one thus far only partially addressed by Apple—opens the door to the installation of malicious firmware bootkits that resist cleanup and give hackers persistent, stealthy control over a compromised Mac.

The research is the work of a reverse engineering hobbyist and security researcher named Trammel Hudson, who gave a talk at the recent 31C3 event in Hamburg, Germany, during which he described an attack he called Thunderstrike. Thunderstrike is a Mac OS X bootkit delivered either through direct access to the Apple hardware (at the manufacturer or in transport), or via a Thunderbolt-connected peripheral device; the latter attack vector exposes vulnerable systems to Evil Maid attacks, or state-sponsored attacks where laptops are confiscated and examined in airports or border crossings, for example.

Hudson’s bootkit takes advantage of a vulnerability in how Apple computers deal with peripheral devices connected over Thunderbolt ports during a firmware update. In these cases, the flash is left unlocked, allowing an Option ROM, or peripheral firmware, to run during recovery mode boots. It then has to slip past Apple’s RSA signature check. Apple stores its public key in the boot ROM and signs firmware updates with its private key. The Option ROM over Thunderbolt circumvents this process and writes its own RSA key so that future updates can only be signed by the attacker’s key. The attack also disables the loading of further Option ROMs, closing that window of opportunity. A weaponized version of this attack would have free ring0 reign over the system.

Apple has only partially addressed the vulnerability behind this.

Submission + - USBdriveby: The $20 Device That Installs a Backdoor in a Second

Submitted by Trailrunner7 on Friday December 19, 2014 @10:36AM

Trailrunner7 writes: Samy Kamkar has a special talent for turning seemingly innocuous things into rather terrifying attack tools. First it was an inexpensive drone that Kamkar turned into a flying hacking platform with his Skyjack research, and now it’s a $20 USB microcontroller that Kamkar has loaded with code that can install a backdoor on a target machine in a few seconds and hand control of it to the attacker.

Kamkar has been working on the new project for some time, looking for a way to install the backdoor without needing to use the mouse and keyboard. The solution he came up with is elegant, fast and effective. By using code that can emulate the keyboard and the mouse and evade the security protections such as local firewalls, Kamkar found a method to install his backdoor in just a couple of seconds and keep it hidden on the machine. He loaded the code onto an inexpensive Teensy USB microcontroller.

Kamkar’s USBdriveby attack can be executed in a matter of seconds and would be quite difficult for a typical user to detect once it’s executed. In a demo video, Kamkar runs the attack on OS X, but he said the code, which he’s released on GitHub, can be modified easily to run on Windows or Linux machine. The attack inserts a backdoor on the target machine and also overwrites the DNS settings so that the attacker can then spoof various destinations, such as Facebook or an online banking site, and collect usernames and passwords. The backdoor also goes into the cron queue, so that it runs at specified intervals.

Submission + - Hackers Compromise ICANN, Access Zone File Data System 2

Submitted by Trailrunner7 on Thursday December 18, 2014 @10:49AM

Trailrunner7 writes: Unknown hackers were able to compromise vital systems belonging to ICANN, the organization that manages the global top-level domain system, and had access to the system that manages the files with data on resolving specific domain names.

The attack apparently took place in November and ICANN officials discovered it earlier this month. The intrusion started with a spear phishing campaign that targeted ICANN staffers and the email credentials of several staff members were compromised. The attackers then were able to gain access to the Centralized Zone Data System, the system that allows people to manage zone files. The zone files contain quite bit of valuable information, including domain names, the name server names associated with those domains and the IP addresses for the name servers.

ICANN officials said they are notifying any users whose zone data might have been compromised.

Submission + - Manufacturer's Backdoor Found on Popular Chinese Android Smartphone

Submitted by Trailrunner7 on Wednesday December 17, 2014 @01:07PM

Trailrunner7 writes: A popular Android smartphone sold primarily in China and Taiwan but also available worldwide, contains a backdoor from the manufacturer that is being used to push pop-up advertisements and install apps without users’ consent.

The Coolpad devices, however, are ripe for much more malicious abuse, researchers at Palo Alto Networks said today, especially after the discovery of a vulnerability in the backend management interface that exposed the backdoor’s control system.

Ryan Olson, intelligence director at Palo Alto, said the CoolReaper backdoor not only connects to a number of command and control servers, but is also capable of downloading, installing and activating any Android application without the user’s permission. It also sends phony over-the-air updates to devices that instead install applications without notifying the user. The backdoor can also be used to dial phone numbers, send SMS and MMS messages, and upload device and usage information to Coolpad.

Submission + - In Breakthrough, US and Cuba to Resume Diplomatic Relations

Submitted by HughPickens.com on Wednesday December 17, 2014 @01:00PM

HughPickens.com writes: Peter Baker reports at the NYT that in a deal negotiated during 18 months of secret talks hosted largely by Canada and encouraged by Pope Francis, the United States will restore full diplomatic relations with Cuba and open an embassy in Havana for the first time in more than a half-century. In addition, the United States will ease restrictions on remittances, travel and banking relations, and Cuba will release 53 Cuban prisoners identified as political prisoners by the United States government. Although the decades-old American embargo on Cuba will remain in place for now, the administration signaled that it would welcome a move by Congress to ease or lift it should lawmakers choose to. “We cannot keep doing the same thing and expect a different result. It does not serve America’s interests, or the Cuban people, to try to push Cuba toward collapse. We know from hard-learned experience that it is better to encourage and support reform than to impose policies that will render a country a failed state,” said the White House in a written statement. "The United States is taking historic steps to chart a new course in our relations with Cuba and to further engage and empower the Cuban people."

Submission + - Shellshock Worm Exploiting Unpatched QNAP NAS Devices (threatpost.com)

Submitted by msm1267 on Monday December 15, 2014 @12:47PM

msm1267 writes: A worm exploiting network attached storage devices vulnerable to the Bash flaw is scanning the Internet for more victims.

The worm opens a backdoor on QNAP devices, but to date it appears the attackers are using the exploit to run a click-fraud scam, in addition to maintaining persistence on owned boxes.

“The goal appears to be to backdoor the system, so an attacker could come back later to install additional malware,” said Johannes Ullrich, head of the Internet Storm Center at the SANS Institute.

QNAP of Taiwan released a patch in October for the Bash vulnerability in its Turbo NAS products. Like many other vulnerable products and devices, owners may not be aware that Bash is present and exposed. Bash was among a litany of Internet-wide vulnerabilities uncovered this year; the flaw in Bash, or Bourne Again Shell, affects Linux and UNIX distributions primarily, but also Windows in some cases. Bash is accessed, often quietly, by any number of functions which makes comprehensive patching difficult even though all major Linux distributions and most vendors have issued patches.

Submission + - Keurig 2.0 Genuine K-Cup Spoofing Vulnerability (blogspot.com)

Submitted by Anonymous Coward on Thursday December 11, 2014 @01:15PM

An anonymous reader writes: A security researcher has released a humorous vulnerability description for the Keurig 2.0 coffee maker, which includes DRM designed to only brew Keurig brand coffe pods (K-Cups)
Keurig 2.0 Coffee Maker contains a vulnerability in which the authenticity of coffee pods, known as K-Cups, uses weak verification methods, which are subject to a spoofing attack through re-use of a previously verified K-Cup.

The vulnerability description even includes mitigating controls, such as keeping the Keurig in a locked cabinet when not in use.

Submission + - New Destover Malware Signed by Stolen Sony Certificate

Submitted by Trailrunner7 on Tuesday December 09, 2014 @03:57PM

Trailrunner7 writes: Researchers have discovered a new version of the Destover malware that was used in the recent Sony Pictures Entertainment breaches, and in an ironic twist, the sample is signed by a legitimate certificate stolen from Sony.

The new sample is essentially identical to an earlier version of Destover that was not signed. Destover has been used in a variety of attacks in recent years and it’s representative of the genre of malware that doesn’t just compromise machines and steal data, but can destroy information as well. The attackers who have claimed credit for the attack on Sony have spent the last couple of weeks gradually releasing large amounts of information stolen in the breach, including unreleased movies, personal data of Sony employees and sensitive security information such as digital certificates and passwords.

The new, signed version of Destover appears to have been compiled in July and was signed on Dec. 5, the day after Kaspersky Lab published an analysis of the known samples of the malware.

Submission + - FISA Court Extends Section 215 Bulk Surveillance for 90 Days

Submitted by Trailrunner7 on Monday December 08, 2014 @03:56PM

Trailrunner7 writes: The secret Foreign Intelligence Surveillance Court has authorized a 90-day extension to the Section 215 bulk telephone collection program used by the National Security Agency, giving the agency through the end of February to run the program in the absence of legislation establishing a new authority.

On Monday, the Office of the Director of National Intelligence revealed that the administration had applied for a 90-day extension to the existing Section 215 authority, and that the FISC had approved the request, extending the authority through Feb. 27.

“The Administration welcomes the opportunity to work with the new Congress to implement the changes the President has called for. Given that legislation has not yet been enacted, and given the importance of maintaining the capabilities of the telephony metadata program, the government has sought a 90-day reauthorization of the existing program, as modified by the changes the President directed in January,” a statement from the Office of the DNI and the Office of the Attorney General said.

Submission + - Security Researcher Creates Database of 300k Known-Good SCADA Files

Submitted by Trailrunner7 on Monday December 01, 2014 @03:58PM

Trailrunner7 writes: A prominent security researcher has put together a new database of hundreds of thousands of known-good files from ICS and SCADA software vendors in an effort to help users and other researchers identify legitimate files and home in on potentially malicious ones.

The database, known as WhiteScope, comprises nearly 350,000 files, including executables and DLLs, from dozens of vendors. Among the vendors represented in the database are Advantech, GE, Rockwell, Schneider and Siemens. The project is the work of Billy Rios, a former Google security researcher who has worked extensively on ICS and SCADA security issues. WhiteScope is a kind of reverse VirusTotal for ICS and SCADA files, allowing people to determine which files are known to be good, rather than which are detected as malicious.

He said via email that the current iteration of the database is just the first version and that it represents about half of the software he has.

“I have 300,000 files in WhiteScope right now, and I plan to have half a million files in WhiteScope by the end of the year. I’ll have over a million the first quarter of 2015,” Rios said.

“Getting access to the software is the most difficult part, to get the artifacts that allowed WhiteScope to be created, it took over 5 years. If someone was more focused, they could probably do it in less time.”

Submission + - Researchers Uncover APT Threat That Infected Belgian GSM Network

Submitted by Trailrunner7 on Monday November 24, 2014 @03:23PM

Trailrunner7 writes: Researchers have uncovered a complex espionage platform reminiscent of Duqu that has been used since at least 2008 not only to spy on and extract email and documents from government agencies, research institutions and banks, but also one that targets GSM network operators in order to launch additional attacks.

Kaspersky Lab published a report this morning that explains this aspect of the Regin attack platform, which has been detected on the Windows computers of 27 victimized organizations in 14 countries, most of those in Asia and the Middle East. In addition to political targets, Kaspersky Lab researchers identified Belgian cryptographer Jean Jacques Quisquater as one of its specific victims, along with an unnamed research institution that was also infected with other dangerous espionage malware including Mask/Careto, Turla, Itaduke and Animal Farm.

The attackers were able to steal credentials from a internal GSM Base Station Controller belonging to a large telecom operator that gave them access to GSM cells in that particular network, Kaspersky Lab said. Base Station Controllers manage calls as they move along a mobile network, allocating resources and mobile data transfers.

“This means that they could have had access to information about which calls are processed by a particular cell, redirect these calls to other cells, activate neighbor cells and perform other offensive activities,” Kaspersky Lab researchers wrote. “At the present time, the attackers behind Regin are the only ones known to have been capable of doing such operations.”

The researchers are not speculating about the identities of the attackers, but signs point to a Western intelligence service or government.

Submission + - Thousands of Compromised Joomla, WordPress Plugins and Themes Used in Attack

Submitted by Trailrunner7 on Thursday November 20, 2014 @12:32PM

Trailrunner7 writes: Researchers have discovered a group of attackers who have published a variety of compromised WordPress themes and plug-ins on legitimate-looking sites, tricking developers into downloading and installing them on their own sites. The components then give the attackers remote control of the compromised sites and researchers say the attack may have been ongoing since September 2013.

CryptoPHP is the name the researchers have given to the malware that’s delivered with the compromised components, and the backdoor has a number of capabilities. It carries with it several hardcoded domains for command-and-control communications and uses RSA encryption to protect its communications with the C2 servers. Some versions also have a backup ability to communicate over email if the C2 domains are taken down. The PHPCrypto malware can update itself, inject content into the compromised sites it sits on and perform several other functions.

But the main purpose of the malware is to conduct blackhat SEO operations. The goal of these campaigns is to jack up the rank of sites controlled by the attackers, or their customers, which helps them look legitimate. This is done sometimes for gambling sites or similar sites and can also be tied to other scams.

The researchers have traced the attack to an IP address in Moldova, and the C2 servers are located in the Netherlands, Germany, Poland and the United States. Fox-IT said that they have identified thousands of plug-ins that have been backdoored, including both WordPress and Joomla plug-ins and themes and Drupal themes.

Submission + - Nasty Code Execution Bug Found in Android

Submitted by Trailrunner7 on Wednesday November 19, 2014 @02:47PM

Trailrunner7 writes: There is a vulnerability in Android versions below 5.0 that could allow an attacker to bypass ASLR and run arbitrary code on a target device under certain circumstances. The bug was fixed in Lollipop, the newest version of the mobile OS, released earlier this week.

The vulnerability lies in java.io.ObjectInputStream, which fails to check whether an object that is being deserialized is actually a serialized object. Security researcher Jann Horn discovered the vulnerability and reported it to Google earlier this year.

Horn said via email that the exploitability of the vulnerability is difficult to judge.

“An attacker would need to get a malicious app onto the device in order for this to work. The app would need no permissions,” he said. “However, I don’t have a full exploit for this issue, just the crash PoC, and I’m not entirely sure about how predictable the address layout of the system_server really is or how easy it is to write a large amount of data into system_server’s heap (in order to make less accurate guesses for the memory position work). It might be necessary to crash system_server once in order to make its memory layout more predictable for a short amount of time, in which case the user would be able to notice the attack, but I don’t think that’s likely.”

Slashdot Top Deals