Submission Summary: 0 pending, 1004 declined, 417 accepted (1421 total, 29.35% accepted)
Submission: Researcher Finds Tor Exit Node Adding Malware to Downloads

Trailrunner7 writes: A security researcher has identified a Tor exit node that was actively patching binaries users download, adding malware to the files dynamically. The discovery, experts say, highlights the danger of trusting files downloaded from unknown sources and the potential for attackers to abuse the trust users have in Tor and similar services.

Josh Pitts of Leviathan Security Group ran across the misbehaving Tor exit node while performing some research on download servers that might be patching binaries during download through a man-in-the-middle attack. Downloading any kind of file from the Internet is a dodgy proposition these days, and many users know that if they’re downloading files from some random torrent site in Syria or The Marshall Islands, they are rolling the dice. Malware runs rampant on these kinds of sites.

But the scenario that worries security experts much more involves an attacker being able to control the download mechanism for security updates, say for Windows or OS X. If an attacker can insert malware into this channel, he could cause serious damage to a broad population of users, as those update channels are trusted implicitly by the users and their machines. Legitimate software vendors typically will sign their binaries and modified ones will cause verification errors. What Pitts found during his research is that an attacker with a MITM position can actively patch binaries, if not security updates, with his own code.

In terms of defending against the sort of attack, Pitts suggested that encrypted download channels are the best option, both for users and site operators.

“SSL/TLS is the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted,” he said via email.

Submission: Cisco Fixes Three-Year-Old Telnet Flaw in Security Appliances

Trailrunner7 writes: There is a severe remote code execution vulnerability in a number of Cisco’s security appliances, a bug that was first disclosed nearly three years ago. The vulnerability is in Telnet and there has been a Metasploit module available to exploit it for years.

The FreeBSD Project first disclosed the vulnerability in telnet in December 2011 and it was widely publicized at the time. Recently, Glafkos Charalambous, a security researcher, discovered that the bug was still present in several of Cisco’s security boxes, including the Web Security Appliance, Email Security Appliance and Content Security Management Appliance. The vulnerability is in the AsyncOS software in those appliances and affects all versions of the products.

Submission: Schmidt Says Attack on Google Prompted Encryption Changes

Trailrunner7 writes: Eric Schmidt, executive chairman of Google, said that the changes to Android's encryption model, which have angered law enforcement officials, should have come as no surprise to law enforcement and government agencies, given the events of the last couple of years.

“The people who are criticizing this should’ve expected this. After Google was attacked by the British version of the NSA we were annoyed to no end,” Schmidt said. “We put in encryption end to end, at rest and in transit. Law enforcement has many many ways to get this information without doing this.”

After the details of Apple’s and Google’s encryption changes became public, some in the law enforcement community have suggested that the companies should include a backdoor in their devices. Both Sen. Ron Wyden and Schmidt dismissed this suggestion out of hand.

“U.S. companies shouldn’t be forced to build backdoors into their products,” Wyden said.

Submission: Twitter Sues DoJ Over Restrictions on National Security Letter Data

Trailrunner7 writes: Twitter has filed a lawsuit in federal court asking that the United States Department of Justice’s prohibitions on publishing the number and kind of government requests for data the company receives be declared unconstitutional. The suit claims that the rules infringe on Twitter’s right to free speech by requiring that the company “engage in speech that has been preapproved by government officials or else to refrain from speaking altogether.”

The move by Twitter is the first public shot across the bow of the FBI and Justice Department on this issue. Many companies, including Google, Microsoft, Apple and others, have been pressing the government for the ability to publish detailed information about the scope of the requests they receive for user data. The government so far has said that companies can publish only broad ranges of numbers about the volume of National Security Letters they receive, which only gives a vague picture of the situation.

"Twitter’s ability to respond to government statements about national security surveillance activities and to discuss the actual surveillance of Twitter users is being unconstitutionally restricted by statutes that prohibit and even criminalize a service provider’s disclosure of the number of national security letters (“NSLs”) and court orders issued pursuant to FISA that it has received, if any," the suit says.

Submission: DARPA Working on 'Unhackable' Embedded Software

Trailrunner7 writes: DARPA is the birthplace of the network that eventually became today’s Internet, and the agency has spent the decades since it released that baby out into the world trying to find new ways to defend it. That task has grown ever more complex and difficult, and now DARPA is working on a new kind of software that is provably secure for specific properties.

Arati Prabhakar, the director of DARPA, said that the agency, which performs advanced research and development for the United States military and government, has been working on the software in the hopes that it can run on some embedded systems. The software isn’t meant as a general purpose operating system for servers or desktops, but Prabhakar said that the agency believes it has plenty of applications.

“Unfortunately there’s not going to be a silver bullet. There are pieces of this we think can become tractable. One of our programs is working on software that’s unhackable for specific security properties,” said Prabhakar, who was speaking at the Washington Post Cybersecurity Summit on Wednesday. “We’re working on a mathematical proof that the software can’t be hacked from the outside. It’s for embedded systems with a modest number of lines of code.”

Submission: Google to Pay Researchers Extra Cash for Exploits

Trailrunner7 writes: Google is again increasing the amount of money it offers to researchers who report vulnerabilities in Chrome as part of the company’s bug bounty program. Now, researchers will be able to earn $15,000 at the high end of the scale, and Google also is offering more cash for researchers who can submit a working exploit for their vulnerability submission.

The range for Google’s vulnerability reward program is now $500-$15,000, and there are a number of factors that go into the company’s decision on what to pay a researcher for a submission. Much of it has to do with the severity of the vulnerability and the likelihood that it will affect a large number of users.

“We’ll pay at the higher end of the range when researchers can provide an exploit to demonstrate a specific attack path against our users. Researchers now have an option to submit the vulnerability first and follow up with an exploit later," Google's Tim Willis said.

Submission: FBI Plans to Open Up Malware Analysis Tool to Outside Researchers

Trailrunner7 writes: The FBI has developed an internal malware-analysis tool, somewhat akin to the systems used by antimalware companies, and plans to open the system up to external security researchers, academics and others.

The system is known as Malware Investigator and is designed to allow FBI agents and other authorized law enforcement users to upload suspicious files. Once a file is uploaded, the system runs it through a cluster of antimalware engines, somewhat akin to the way that Virus Total handles submissions, and returns a wide variety of information about the file. Users can see what the detection rate is among AV engines, network connection attempts, whether the file has been seen by the system before, destination and source IP addresses and what protocols it uses.

Right now, Malware Investigator is able to analyze Windows executables, PDFs and other common file types. But Burns said that the bureau is hoping to expand the portal’s reach in the near future.

“We are going to be doing dynamic analysis of Android files, with an eye toward other operating systems and executables soon,” he said.

Submission: Google Funds New Group to Improve Usability of Open Source Security Tools

Trailrunner7 writes: The dramatic revelations of large-scale government surveillance and deep penetration of the Internet by intelligence services and other adversaries have increased the interest of the general public in tools such as encryption software, anonymity services and others that previously were mainly of interest to technophiles and activists. But many of those tools are difficult to use and present major challenges for users, so to help improve the usability of these applications, Google, Dropbox and others are supporting a new project called Simply Secure.

The project is focused on making open-source security and privacy tools easier to use and to remove some of the pain of using crypto packages, off-the-record messaging and other tools that protect users online. The organization’s activities will center on bringing developers of open source security tools together with usability researchers and experts to help solve the difficult problems the developers face. Many open source projects are run by volunteers who don’t have the time or resources to tackle these issues on their own.

Submission: NSA Director Says Agency is Still Trying to Figure Out Cyber Operations

Trailrunner7 writes: In a keynote speech at a security conference in Washington Tuesday, new NSA Director Mike Rogers emphasized a need to establish behavioral norms for cyber war.

“We’re still trying to work our way through distinguishing the difference between criminal hacking and an act of war,” said Rogers. “If this was easy, we would have figured it out years ago. We have a broad consensus about what constitutes an act of war, what’s an act of defense.”

Rogers went on to explain that we need to better establish standardized terminology and standardized norms like those that exist in the realm of nuclear deterrence. Unfortunately, unlike in traditional national defense, we cannot assume that the government will be able to completely protect us against cyber-threats because the threat ecosystem is just too broad.

Submission: Major Android Flaw Lets Attackers Bypass Same Origin Policy

Trailrunner7 writes: There’s a serious vulnerability in pre-4.4 versions of Android that allows an attacker to read the contents of other tabs in a browser when a user visits a page the attacker controls. The flaw is present in a huge percentage of the Android devices in use right now, and there’s now a Metasploit module available to exploit the vulnerability.

The vulnerability was first disclosed in late August, but there has not been much in the way of public discussion of it. Exploiting the flaw is a straightforward matter and allows the attacker to bypass the same-origin policy in the Android browser.

“What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attacker’s site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.”

Submission: Research Finds No Large-Scale Exploits of Heartbleed Before Disclosure

Trailrunner7 writes: In the days and weeks following the public disclosure of the OpenSSL Heartbleed vulnerability in April, security researchers and others wondered aloud whether there were some organizations–perhaps the NSA–that had known about the bug for some time and had been using it for targeted attacks. A definitive answer to that question may never come, but traffic data collected by researchers on several large networks shows no large-scale exploit attempts in the months leading up to the public disclosure.

“For all four networks, over these time periods our detector found no evidence of any exploit attempt up through April 7, 2014. This provides strong evidence that at least for those time periods, no attacker with prior knowledge of Heartbleed conducted widespread scanning looking for vulnerable servers. Such scanning however could have occurred during other time periods.”

That result also doesn’t rule out the possibility that an attacker or attackers may have been doing targeted reconnaissance on specific servers or networks. The researchers also conducted similar monitoring of the four networks, and noticed that the first attempted exploits occurred within 24 hours of the OpenSSL disclosure.

Submission: Twitter Launches Bug Bounty Program

Trailrunner7 writes: Twitter is the latest major Internet company to establish a bug bounty program, and has put no upper limit on the bounty that a researcher can earn for reporting a vulnerability.

The company announced on Wednesday that it will operate its bounty program through the HackerOne platform, a bug bounty system that enables vendors to access a pool of hundreds of researchers who perform authorized research against a company’s products. HackerOne is used by a number of prominent companies, including Square, Yahoo and CloudFlare and also is the platform that supports the Internet Bug Bounty.

Twitter’s bug bounty program will pay researchers for finding vulnerabilities in its main Web site and the Twitter apps for iOS and Android. The types of vulnerabilities that are in scope for the program include XSS, CSRF, remote code execution, and unauthorized access to private tweets or direct messages.


Submission: Mozilla to Support Key Pinning in Firefox 32

Trailrunner7 writes: Mozilla is planning to add support for public-key pinning in its Firefox browser in an upcoming version. In version 32, which would be the next stable version of the browser, Firefox will have key pins for a long list of sites, including many of Mozilla’s own sites, all of the sites pinned in Google Chrome and several Twitter sites.

Public-key pinning has emerged as an important defense against a variety of attacks, especially man-in-the-middle attacks and the issuance of fraudulent certificates. In the last few years Google, Mozilla and other organizations have discovered several cases of attackers using fraudulent certificates for high-value sites, including Gmail. The function essentially ties a public key, or set of keys, issued by known-good certificate authorities to a given domain. So if a user’s browser encounters a site that’s presenting a certificate that isn’t included in the set of pinned public keys for that domain, it will then reject the connection. The idea is to prevent attackers from using fake certificates in order to intercept secure traffic between a user and the target site.

The first pinset will include all of the sites in the Chromium pinset used by Chrome, along with Mozilla sites and high-value sites such as Facebook. Later versions will add pins for Twitter, a long list of Google domains, Tor, Dropbox and other major sites.
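The mechanism described above, with a preloaded pinset per domain and a served chain that is accepted only if one of its keys is pinned, can be shown as a small check. This is an added example, not Mozilla's or Chromium's code: the SubjectPublicKeyInfo byte strings, the pinset and the `include_subdomains` flag are all constructed stand-ins, and the pin format (base64 of the SHA-256 over the SPKI DER) is the one Chromium's pinset and HPKP use.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo structures.
# In practice each would be the SPKI extracted from an X.509 certificate.
LEAF_SPKI = b"constructed-spki:leaf-key"
INTERMEDIATE_SPKI = b"constructed-spki:intermediate-ca"
ROOT_SPKI = b"constructed-spki:root-ca"
BACKUP_SPKI = b"constructed-spki:offline-backup-key"
ROGUE_CA_SPKI = b"constructed-spki:mis-issued-by-rogue-ca"


def spki_pin(spki_der: bytes) -> str:
    """Pin as Chromium's pinset and HPKP define it: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed preloaded pinset: the intermediate, the root and an offline
# backup key are pinned, so the leaf key can rotate freely beneath them.
PINSETS = {
    "example.com": {
        "pins": {spki_pin(INTERMEDIATE_SPKI), spki_pin(ROOT_SPKI), spki_pin(BACKUP_SPKI)},
        "include_subdomains": True,
    },
}


def pinset_for(host: str):
    """Find the most specific pinset entry for host, honouring include_subdomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = PINSETS.get(".".join(labels[i:]))
        if entry is None:
            continue
        # An exact match always applies; a parent entry only if it covers subdomains.
        if i == 0 or entry["include_subdomains"]:
            return entry
        return None
    return None


def check_chain(host: str, chain_spkis) -> str:
    """Return 'not-pinned', 'accepted' or 'rejected' for the chain served by host.

    The chain passes if any key in it (leaf, intermediate or root) is pinned;
    a chain issued by a CA outside the pinset is rejected even if it is
    otherwise valid under normal certificate validation.
    """
    entry = pinset_for(host)
    if entry is None:
        return "not-pinned"
    served = {spki_pin(k) for k in chain_spkis}
    return "accepted" if served & entry["pins"] else "rejected"


def pinset_has_backup(entry, chain_spkis) -> bool:
    """A sound pinset keeps at least one pin that is not in the served chain,
    so the site can recover if every served key has to be replaced."""
    served = {spki_pin(k) for k in chain_spkis}
    return bool(entry["pins"] - served)


if __name__ == "__main__":
    legit = [LEAF_SPKI, INTERMEDIATE_SPKI, ROOT_SPKI]
    rogue = [b"constructed-spki:rogue-leaf", ROGUE_CA_SPKI]
    print(check_chain("www.example.com", legit))  # accepted
    print(check_chain("www.example.com", rogue))  # rejected
    print(check_chain("example.net", rogue))      # not-pinned
    print(pinset_has_backup(PINSETS["example.com"], legit))  # True
```

The chain-level "any key matches" rule is what lets a site pin its CA rather than its rotating leaf key; the backup-pin check matters because a pinset without a spare key turns a key compromise or loss into a self-inflicted outage for every pinning client.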

Submission: Google Fixes Critical Sandbox Escape Flaw in Chrome

Trailrunner7 writes: Google has fixed 50 security vulnerabilities in its Chrome browser, including a critical string of bugs that can allow an attacker to execute arbitrary code outside of the browser’s sandbox.

This is one of the larger batches of fixes that Google has produced for Chrome recently. The company releases frequent updates for the browser and often will push out a new version with only a handful of security patches. But Chrome 37 includes 50 patches, a huge number by any measure. The most notable vulnerability patched in this version is actually a combo platter of several flaws that can be used to escape the Chrome sandbox and gain remote code execution.

The group of vulnerabilities earned the security researcher who reported them a $30,000 bug bounty from Google, one of the higher rewards that the company has given to a researcher outside of its Pwnium competitions. Google’s bug bounties typically fall into the $1,000-$5,000 range, but the company’s security team sometimes will award significantly higher rewards to researchers who report especially critical or creative bugs.

Submission: New Cridex Malware Copies Tactics From GameOver Zeus

Trailrunner7 writes: The GameOver Zeus malware had a nice run for itself, making untold millions of dollars for its creators. But it was a run that ended with a multi-continent operation from law enforcement and security researchers to disassemble the infrastructure. Now researchers have identified a new variant of the Cridex malware that has adopted some of the techniques that made GOZ so successful in its day.

Researchers at IBM’s X-Force research team have seen a new version of Cridex, which is also known as Bugat and Feodo, using some of the same techniques that GOZ used to such good effect. Specifically, the new strain of malware has adopted GOZ’s penchant for using HTML injections, and the researchers say the technique is nearly identical to the way that GOZ handled it.

“There are two possible explanations for this. First, someone from the GOZ group could have moved to the Bugat team. This would not be the first time something like this has happened, which we’ve witnessed in other cases involving Zeus and Citadel; however, it is not very likely in this case since Bugat and GOZ are essentially competitors, while Zeus and Citadel are closely related. The second and more likely explanation is that the Bugat team could have analyzed and perhaps reversed the GOZ malware before copying the HTML injections that made GOZ so highly profitable for its operators,” Etay Maor, a senior fraud prevention strategist at IBM, wrote in an analysis of the new malware.
