
Submission Summary: 0 pending, 1004 declined, 417 accepted (1421 total, 29.35% accepted)


Submission + - New OpenSSL Man-in-the-Middle Flaw Affects All Clients

Trailrunner7 writes: There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software.

The new vulnerability could only be exploited to decrypt traffic between a vulnerable client and a vulnerable server, and the attacker would need to have a man-in-the-middle position on a network in order to do so. That’s not an insignificant set of conditions that must be present for a successful attack, but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought, gaining a MITM position is not an insurmountable hurdle.

Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998.

Submission + - OpenSSL to Undergo Security Audit, Gets Cash for 2 Developers

Trailrunner7 writes: Scarcely a month after announcing the formation of a group designed to help fund open source projects, the Core Infrastructure Initiative has decided to provide the OpenSSL Project with enough money to hire two full-time developers and also will fund an audit of OpenSSL by the Open Crypto Audit Project.

The CII is backed by a who’s who of tech companies, including Google, Microsoft, IBM, the Linux Foundation, Facebook and Amazon, and the group added a number of new members this week, as well. Adobe, Bloomberg, HP, Huawei and Salesforce.com have joined the CII and will provide financial backing.

Now, the OCAP team, which includes Johns Hopkins professor and cryptographer Matthew Green, will have the money to fund an audit of OpenSSL, as well. OpenSSL took a major hit earlier this year with the revelation of the Heartbleed vulnerability, which sent the Internet into a panic, as the software runs on more than 60 percent of SSL-protected sites.

Submission + - New IE 8 Zero Day Discovered

Trailrunner7 writes: Researchers have disclosed a new zero day vulnerability in Internet Explorer 8 that could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages.

The vulnerability was discovered and disclosed to Microsoft in October, but the company has yet to produce a patch, so HP’s Zero Day Initiative, which is handling the bug, published its advisory Wednesday. The ZDI has a policy of disclosing vulnerability details after 180 days if the vendor hasn’t produced a patch.

The use-after-free flaw lies in the way that IE handles CMarkup objects, and ZDI’s advisory says that an attacker can take advantage of it to run arbitrary code.

Submission + - The Folly of the Chinese Hacking Indictments

Trailrunner7 writes: It was high drama. Indicting five Chinese military officers for allegedly hacking into the networks of several old-line American companies and stealing financial data, technical specifications, internal communications and other sensitive information was an unprecedented step in what has been a long-running war of words between American and Chinese politicians and diplomats. The Obama administration has accused the Chinese military of running regular operations to compromise the networks of American businesses and steal as much intellectual property as they can. The Chinese, of course, deny this, and counter that the U.S. is in fact the one targeting Chinese businesses and government agencies. The rhetoric has reached the highest levels in recent months, with President Obama talking about the problem of cyberespionage with Chinese President Xi Jinping in September.

Let’s be honest; the chances of any of these men ever setting foot in the U.S. to face these charges are roughly zero point zero. The Chinese government has virtually no incentive whatsoever to cooperate with the U.S. on this issue. Relations between the two governments are not, shall we say, ideal, and putting five PLA officers on FBI most wanted posters is not likely to help in that regard.

Nor does the U.S. hold the moral high ground here. As the Snowden revelations of the last year have shown, the NSA and the U.S. government have turned the Internet into a turnkey surveillance platform, bending the global network to its will and its purpose. The latest evidence of this also surfaced Monday, with The Intercept revealing that the NSA was recording all of the cell phone traffic in the Bahamas and another, unnamed country. The U.S. also has long accused the Chinese IT company Huawei of being a pawn of the government, and has warned American companies about buying gear from the company, for fear it may be compromised during manufacture. As it turns out, the NSA allegedly has been conducting just such operations on IT gear manufactured by U.S. companies, intercepting shipments and implanting “beacons” that give the agency access to the boxes after installation.

It’s difficult to take a tough stance on things like this, when there’s an army of skeletons banging on the door of your own closet.

Submission + - Apple Can Extract Texts, Photos, Contacts from Locked iPhones

Trailrunner7 writes: If law enforcement gets hold of your locked iPhone and has some interest in its contents, Apple can pull all kinds of content from the device, including texts, contacts, photos and videos, call history and audio recordings.

The company said in a new document that provides guidance for law enforcement agencies on the kinds of information Apple can provide and what methods can be used to obtain it that if served with a search warrant, officials will help law enforcement agents extract specific application-specific data from a locked iOS device. However, that data appears to be limited to information related to Apple apps, such as iMessage, the contacts and the camera.

Email contents and calendar data can’t be extracted, the company said in the guidelines.

Submission + - Researchers Find Easy to Exploit Bugs in Traffic Control Systems

Trailrunner7 writes: It has been a running joke in the tech industry for years that the hacking scenes in movies are, well, a joke. Hackers in hoodies pushing a few keys and taking down the power grid or causing massive traffic pileups by turning all the stoplights green at once. While those scenes provide endless entertainment for security folks, it turns out some of those attacks aren’t so far-fetched.

Cesar Cerrudo, a researcher and CTO at IOActive, decided to take a look at the security of some of the devices that control traffic lights and electronic signs in many cities around the world, and found that not only were the devices vulnerable to a number of attacks, but they could be exploited quite easily and perhaps could be used to spread malware from device to device. Cerrudo said that the vulnerabilities he identified can be exploited from up to a mile or two away with the right equipment.

Submission + - The White House's Zero Day Sleight of Hand

Trailrunner7 writes: The White House wants you to know that it did not know about the OpenSSL Heartbleed vulnerability before you did. The White House also wants you to know that administration officials don’t think stockpiling zero days isn’t necessarily good for national security. That’s all well and good, except that it mostly doesn’t matter.

“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run.”

Here’s the problem, though: The government doesn’t necessarily need to stockpile zero days, because it has a cadre of contractors doing that job in its stead. One of the conundrums of vulnerability research is that there’s no way to know whether the bug you just discovered is in fact new. The population of skilled researchers around the world is sufficiently large that it’s possible, if not probable, that someone else has found the same bug and is already using it. It’s tempting to think that you’ve discovered a special snowflake, but there’s a good chance someone on the other side of the Web has found the same snowflake. So the fact that the White House has a “disciplined, rigorous and high-level decision-making process for vulnerability disclosure” sounds nice, but it’s not enough.

Submission + - Flash Zero Day Found, Exploits Targeting Users in Syria

Trailrunner7 writes: A couple days after Microsoft warned users about a new vulnerability in Internet Explorer that’s being used in targeted attacks, Adobe on Monday said that researchers have discovered a zero day in Flash, as well, which attackers are using to target victims in Syria through a watering hole attack on a compromised Syrian government site.

The Adobe Flash zero day was first identified in early April by researchers at Kaspersky Lab, who say that there are at least two separate exploits in use right now.

Researchers believe that the operation and the exploits are likely the work of high-level attackers. At this point, Kaspersky Lab has only seen about 30 infection attempts using these exploits.

“It’s likely that the attack was carefully planned and that professionals of a pretty high caliber were behind it. The use of professionally written 0-day exploits that were used to infect a single resource testifies to this,” Kaspersky Lab researcher Vyacheslav Zakorzhevsky said.

Submission + - Apache Struts Zero Day Not Fixed by Patch

Trailrunner7 writes: The Apache Software Foundation today released an advisory warning that a patch issued in March for a zero-day vulnerability in Apache Struts did not fully patch the bug in question.

Officials said a new patch is in development and will be released likely within the next 72 hours, said Rene Gielen of the Apache Struts team.

On March 2, a patch was made available for a ClassLoader vulnerability in Struts up to version 2.3.16.1. An attacker would be able to manipulate the ClassLoader via request parameters. Apache said the fix was insufficient to repair the vulnerability.

Submission + - Apple Fixes Major SSL Bug in OSX, iOS

Trailrunner7 writes: Apple has fixed a serious security flaw that’s present in many versions of both iOS and OSX and could allow an attacker to intercept data on SSL connections. The bug is one of many that the company fixed Tuesday in its two main operating systems, and several of the other vulnerabilities have serious consequences as well, including the ability to bypass memory protections and run arbitrary code.

The most severe of the vulnerabilities patched in iOS 7.1.1 and OSX Mountain Lion and Mavericks is an issue with the secure transport component of the operating systems. If an attacker was in a man-in-the-middle position on a user’s network, he might be able to intercept supposedly secure traffic or change the connection’s properties.

Submission + - Windows XP End of Life Not Breeding Zombie Malware Apocalypse

Trailrunner7 writes: For those of you anticipating the start of a Walking Dead-style malware apocalypse next Tuesday, calm yourselves. The official end of security support for Windows XP is upon us, but it’s important to check some anxiety at the door and keep some perspective.

“All the administration stuff in place around these systems falls down. Attackers leverage that because they want the path of least resistance,” said Christopher Pogue, director at Trustwave. “You have to presume that before they get their exploit on an unpatched XP machine, they have to breach the environment, bypass firewalls, get to the system, pivot to the unpatched system and hope it has critical data on it so they can run exploit code. There are a whole lot of items that have to line up for that to happen.”

The hype and hyperbole around April 8, the latest in a long line of security Doomsdays, is rooted in theories that because a good number of XP systems remain in use storing data and processing transactions, that any previously unreported XP vulnerabilities will be perpetual zero-days. The theory continues that attackers have been building and hoarding XP exploits, anxiously wringing their hands waiting for April 8, 2014 to come and go.

Now to dismiss all of that as FUD is foolhardy; some attackers who do have XP exploits that will be zero days in a matter of five days are going to wait. Others are less patient (see the recent XP Rich Text Format zero day that will be patched on Tuesday). And for those smaller organizations with fewer IT resources that may still be running XP machines that still hum along carrying out their mission day after day, their risk posture will be slouching a little more come Tuesday.

Submission + - Former NSA Director: Not a Single Incident of Cyberterror

Trailrunner7 writes: The list of threats on the Internet is long and getting longer each day. Cybercrime, nation-state attackers, cyber espionage and hacktivists all threaten the security and stability of the network and its users in one way or another. But the one threat that some experts have warned about for years and has never emerged is cyber terrorism, a former top U.S. intelligence official said.

In the years after 9/11, as the Internet became an integral part of daily life in much of the world, some in the national security community warned that the network also would become a key conduit for terrorist attacks against a variety of targets. Utilities, critical infrastructure, banks and other vital pieces of the global economy would be choice targets for groups seeking to wreak havoc via electronic attacks. However, those attacks have not materialized.

“I don’t have a single example of cyber terrorism. Not one incident,” Michael Hayden, the former director of the CIA and NSA, said during a keynote speech at the Systems Engineering DC conference here Thursday.

Submission + - Researcher Identifies Security Issues With Tesla S

Trailrunner7 writes: The current move by auto makers to stuff their vehicles full of networked devices, Bluetooth radios and WiFi connectivity has not gone unnoticed by security researchers. Charlie Miller and Chris Valasek spent months taking apart–literally and figuratively–a Toyota Prius to see what vulnerabilities might lie inside; and they found plenty. Now, another researcher has identified a number of issues with the security of the Tesla S, including its dependence upon a weak one-factor authentication system linked to a mobile app that can unlock the car remotely.

The Tesla S is a high-end, all-electric vehicle that includes a number of interesting features, including a center console touchscreen that controls much of the car’s systems. There also is an iPhone app that allows users to control a number of the car’s functions, including the door locks, the suspension and braking system and sunroof. Nitesh Dhanjani found that when new owners sign up for an account on the Tesla site, they must create a six-character password. That password is then used to log in to the iPhone app.

Dhanjani discovered that the Tesla site doesn’t seem to have a function to limit the number of login attempts on a user account, so an attacker potentially could try to brute force a user’s password. An attacker also could phish a user to get her password and then, if he had access to the user’s iPhone, log in to the Tesla app and control the vehicle’s systems. The attacker also could use the Tesla API to check the location of the user’s vehicle, even without the iPhone app.

Submission + - Regulation of Surveillance Tech Exports On the Table

Trailrunner7 writes: The long shadow cast by the use of surveillance technology and so-called lawful intercept tools has spread across much of the globe and has sparked a renewed push in some quarters for restrictions on the export of these systems. Politicians and policy analysts, discussing the issue in a panel Monday, said that there is room for sensible regulation without repeating the mistakes of the Crypto Wars of the 1990s.

“There’s virtually no accountability or transparency, while the technologies are getting faster, smaller and cheaper,” Marietje Schaake, a Dutch member of the European Parliament, said during a panel discussion put on by the New America Foundation. “We’re often accused of over-regulating everything, so it’s ironic that there’s no regulation here. And the reason is that the member states [of the EU] are major players in this. The incentives to regulate are hampered by the incentives to purchase.

“There has been a lot of skepticism about how to regulate and it’s very difficult to get it right. There are traumas from the Crypto Wars. Many of these companies are modern-day arms dealers. The status quo is unacceptable and criticizing every proposed regulation isn’t moving us forward.”

Submission + - Gmail Goes HTTPS Only For All Connections

Trailrunner7 writes: Perhaps no company has been as vocal with its feelings about the revelations about the NSA’s collection methods as Google has, and the company has been making a series of changes to its infrastructure in recent months to make it more difficult for adversaries to snoop on users’ sessions. The biggest of those changes landed Thursday when the company switched its Gmail service to HTTPS only, enforcing SSL encryption on all Gmail connections.

The change is a significant one, especially given the fact that Google also has encrypted all of the links between its data centers. Those two modifications mean that Gmail messages are encrypted from the time they leave a user’s machine to the time they leave Google’s infrastructure. This makes life much more difficult for anyone–including the NSA–who is trying to snoop on those Gmail sessions.
