70512145
submission
Trailrunner7 writes:
The NSA has a new director, a slew of new challenges and any number of new capabilities at its disposal. But it seems that the agency is intent on fighting the same old battles.
Even as fresh revelations about the extent of the NSA’s efforts to get access to encryption keys for mobile communications continue to unspool, the agency’s director is advocating for some form of legal, direct access to encrypted communications. Mike Rogers, director of the NSA and head of the U.S. Cyber Command, said at an event yesterday that it’s important for a legal framework to be put in place to govern how intelligence agencies can access secure communications.
Bruce Schneier, cryptographer and CTO of Resilient Systems, asked Rogers directly about that problem during the event held by the New America Foundation and was unsatisfied by the answer. For Schneier, the rhetoric and the lack of technical understanding coming from the government are eerily reminiscent of the crypto wars of the 1990s.
“If someone sat Rogers down and described Clipper to him, I think he would say, ‘I want that,'” Schneier said. “He says we need a legal rule, but that can’t solve the technical problems. This is a place where policy and technology collide in a way that it limits the solution space. There’s a belief that this is just a technical problem and we can solve it.”
70340973
submission
Trailrunner7 writes:
Researchers at Kaspersky Lab have uncovered a cyberespionage group that has been operating for at least 15 years and has worked with and supported the attackers behind Stuxnet, Flame and other highly sophisticated operations. The attackers, known as the Equation Group, used two of the zero days contained in Stuxnet before that worm employed them and have used a number of other infection methods, including interdicting physical media such as CDs and inserting their custom malware implants onto the discs.
Some of the techniques the group has used are closely associated with tactics employed by the NSA, specifically the interdiction operations and the use of the LNK vulnerability exploit by Stuxnet.
The Equation Group has a massive, flexible and intimidating arsenal at its disposal. Along with using several zero days in its operations, the attack crew also employs two discrete modules that enable them to reprogram the hard drive firmware on infected machines. This gives the attackers the ability to stay persistent on compromised computers indefinitely and create a hidden storage partition on the hard drive that is used to store stolen data. At the Security Analyst Summit here Monday, researchers at Kaspersky presented on the Equation Group’s operations while publishing a new report that lays out the inner workings of the crew’s tools, tactics and target list. The victims include government agencies, energy companies, research institutions, embassies, telecoms, universities, media organizations and others. Countries targeted by this group include Russia, Syria, Iran, Pakistan, China, Yemen, Afghanistan, India but also US and UK, between and several others.
70246025
submission
Trailrunner7 writes:
WordPress has become a huge target for attackers and vulnerability researchers, and with good reason. The software runs a large fraction of the sites on the Internet and serious vulnerabilities in the platform have not been hard to come by lately. But there’s now a bug that’s been disclosed in all versions of WordPress that may allow an attacker to take over vulnerable sites.
The issue lies in the fact that WordPress doesn’t contain a cryptographically secure pseudorandom number generator. A researcher named Scott Arciszewski made the WordPress maintainers aware of the problem nearly eight months ago and said that he has had very little response.
The consequences of an attack on the bug would be that the attacker might be able to predict the token used to generate a new password for a user’s account and thus take over the account. Arciszewski has developed a patch for the problem and published it, but it has not been integrated into WordPress. He said he has had almost no communication from the WordPress maintainers about the vulnerability, save for one tweet from a lead developer that was later deleted.
Arciszewski said he has not developed an exploit for the issue but said that an attacker would need to be able to predict the next RNG seed in order to exploit it.
“There is a rule in security: attacks only get better, never worse. If this is not attackable today, there is no guarantee this will hold true in 5 or 10 years. Using /dev/urandom (which is what my proposed patch tries to do, although Stefan Esser has highlighted some flaws that would require a 4th version before it’s acceptable for merging) is a serious gain over a userland RNG,” he said by email.
70048393
submission
Trailrunner7 writes:
The last year has seen a big swing in the support from the technology community for open-source security tools, many of which are maintained by tiny staffs or volunteers. OpenSSL last year received a large chunk of funding from the Core Infrastructure Initiative, and now it’s GnuPG’s turn.
After a story on ProPublica Thursday publicized the plight of Werner Koch, the creator and lone full-time developer of the encryption software, who was running low on money to fund the project, members of the security and technology communities began a word-of-mouth campaign to raise money to help. These kinds of campaigns can fizzle out quickly, but not this time. In less than a day, the GnuPG project received more than €120,000 in donations from individuals around the world.
In addition to the €120,000 in donations from individual supporters, the CII, which is supported by the Linux Foundation, has given GnuPG a $60,000 grant for this year. Also, both Facebook and Stripe, the payment processor GnuPG uses, have pledged $50,000 each to support the project.
70013789
submission
Trailrunner7 writes:
Attackers have compromised Anthem Inc., one of the larger health-care companies in the United States, gaining access to the Social Security numbers, birth dates, names, employment and income data and other personal information of an untold number of customers.
The company says it is not sure yet how many customers are affected, but Anthem claims to have 69 million customers across its product lines. In a statement, Anthem, which was previously known as WellPoint Health Networks, said that the company was the victim of a targeted, sophisticated attack.
Given the size of the Anthem customer base, this could turn out to be one of the larger data breaches in U.S. history. The scope of the information the attackers obtained could give them broad access to victims’ personal lives.
“If confirmed, we are dealing with one of the biggest data breaches in history and probably the biggest data breach in the healthcare industry. If you are wondering what it means for individuals, in a few words: it is a nightmare,” said Jamie Blasco, vice president and chief scientist at AlienVault.
69957799
submission
Trailrunner7 writes:
In the years since Edward Snowden began putting much of the NSA‘s business in the street, including its reliance on the secret FISA court and National security Letters, warrant canaries have emerged as a key method for ISPs, telecoms and other technology providers to let the public know whether they have received any secret orders. But keeping track of the various canaries scattered around the Web is difficult, so a group of legal and civil liberties organizations have come together to launch a new site to monitor the known warrant canaries.
The Canary Watch site is the work of the EFF, the Berkman Center for Internet and Society and NYU’s Technology Law and Policy Center and it works on a simple concept. The site maintains a list of all of the known warrant canaries and periodically checks each organization’s site to see whether the canary is still there and then lists any changes to the status.
Right now, Canary Watch lists 11 organizations, including Lookout, Pinterest, Reddit and Tumblr.
“Canarywatch lists the warrant canaries we know about, tracks changes or disappearances of those canaries, and allows users to submit canaries not listed on the site. For people with interest in a particular canary, the site will show any changes we know about,” Nadia Kayyali of the EFF said in a blog post.
69789157
submission
Trailrunner7 writes:
In the wake of a recent enforcement action against Marriott for blocking guests’ WiFi hotspots in their hotels, the FCC is warning other hotel operators and business owners that such blocking is illegal and the commission’s Enforcement Bureau is taking note.
Marriott last year paid a fine of $600,000 to settle an FCC enforcement action that resulted from a customer complaint. A guest complained that while staying at the Gaylord Opryland hotel in Tennessee his personal WiFi hotspot was being blocked and he was being forced to pay to use the hotel’s network. The investigation by the FCC found that in some cases the hotel’s network would send de-authentication packets to the personal hotspots used by guests, forcing their devices to disconnect.
Now, the FCC is making it clear that the Enforcement Bureau is looking closely at this kind of behavior, not just by hotel operators, but by any commercial business.
“Willful or malicious interference with Wi-Fi hot spots is illegal. Wi-Fi blocking violates Section 333 of the Communications Act, as amended.1 The Enforcement Bureau has seen a disturbing trend in which hotels and other commercial establishments block wireless consumers from using their own personal Wi-Fi hot spots on the commercial establishment’s premises. As a result, the Bureau is protecting consumers by aggressively investigating and acting against such unlawful intentional interference,” the Federal Communications Commission said in a statement issued this week.
69696923
submission
Trailrunner7 writes:
Researchers at Kaspersky Lab have discovered shared code and functionality between the Regin malware platform and a similar platform described in a newly disclosed set of Edward Snowden documents 10 days ago by Germany’s Der Spiegel.
The link, found in a keylogger called QWERTY allegedly used by the so-called Five Eyes, leads them to conclude that the developers of each platform are either the same, or work closely together.
“Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source codes, we conclude the QWERTY malware developers and the Regin developers are the same or working together,” wrote Kaspersky Lab researchers Costin Raiu and Igor Soumenkov today in a published report.
69575935
submission
Trailrunner7 writes:
The gauges that detect and prevent fuel leaks at more than 5,000 gas stations in the United States are utterly vulnerable to remote attacks, according to new research conducted by HD Moore of Rapid7. The gauges are manufactured by Veeder-Root, who says it is working with its customers better enable available security features.
Automated tank gauges (ATGs), as they are called, monitor fuel levels in gas station storage tanks and trigger alarms in compliance with environmental regulations when fuel tanks are overfilled. The risk posed to these gas stations — roughly three percent of the 150,000 station in the U.S. — are serious and could enable hackers to completely shut down the stations containing the vulnerable ATGs.
“Many ATGs can be programmed and monitored through a built-in serial port, a plug-in serial port, a fax/modem, or a TCP/IP circuit board,” Moore explained on Rapid7’s Security Street blog. “In order to monitor these systems remotely, many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port. The most common configuration is to map these to TCP port 10001.”
69526877
submission
Trailrunner7 writes:
Adobe has released an emergency update for Flash to address a zero-day vulnerability that is being actively exploited. The company also is looking into reports of exploits for a separate Flash bug not fixed in the new release, which is being used in attacks by the Angler exploit kit.
The vulnerability that Adobe patched Thursday is under active attack, but Adobe officials said that this flaw is not the one that security researcher Kafeine said Wednesday was being used in the Angler attacks.
The patch for Flash comes just a day after Kafeine disclosed that some instances of the Angler exploit kit contained an exploit for a previously unknown vulnerability in the software. Adobe officials said Wednesday that they were investigating the reports. Kafeine initially saw Angler attacking the latest version of Flash in IE on Windows XP, Vista, 7 and 8, but said the exploit wasn’t being used against Chrome or Firefox.
On Thursday he said on Twitter that the group behind Angler had changed the code to exploit Firefox as well as fully patched IE 11 on Windows 8.1.
69481133
submission
Trailrunner7 writes:
The dangerous Angler exploit kit has a new piece of ammunition to use in its attacks: a fresh Adobe Flash zero-day vulnerability. The kit is exploiting the previously unknown vulnerability in several versions of Internet explorer running on Windows 7 and Windows 8.
French security researcher Kafeine has spotted a version of the Angler kit that’s firing exploits for several vulnerabilities in Flash, including two known bugs. But the big problem is that the kit also has exploit code for what appears to be a zero-day in the latest version of Flash, version 16.0.0.257. Kafeine said that he first spotted the exploit for the zero-day in Flash on Wednesday and that it is being used to install a piece of malware known as Bedep.
The researcher said that not all instances of Angler are using the new Flash zero-day exploit, nor is it being used against all of the popular browsers. In his tests, Kafeine found that IE 10 on Windows 8, IE 8 on Windows 7 and IE 6-9 on Windows XP all are being exploited. Chrome is not being targeted and fully patched Windows 8.1 is not exploitable, he said.
Adobe officials said they are looking into the report.
69437915
submission
Trailrunner7 writes:
Oracle on Tuesday will release a huge number of security fixes as part of its quarterly critical patch update, and one of them is a patch for a vulnerability that a well-known security researcher said looks a lot like a back door but was likely just a terrible mistake.
The flaw is found in Oracle’s eBusiness Suite, a set of apps that includes financial management, CRM and other functions. David Litchfield, an accomplished security researcher who has been poking holes in Oracle products for more than a decade, discovered the vulnerability and reported it to the vendor last year.
A remote attacker could have the ability gain control of an affected database, which is game over for the target system. Litchfield said that when he discovered the vulnerability on a client’s network, his first thought was that the client had been owned and the attacker had left the back door there for later use.
Despite how bad the vulnerability looks, Litchfield said he doesn’t think that it is actually an intentional back door inserted for law enforcement or an intelligence agency.
“I don’t think Oracle as a company would do that. Could it be a disgruntled employee? Maybe, though, giving them the benefit [of the] doubt, it could be that some dev was testing something and they forgot to turn it off. Who knows. What is concerning however is that Oracle seem not to know who and why this privilege was granted, either,” he said.
69242521
submission
Trailrunner7 writes:
In a new article in an academic math journal, the NSA’s director of research says that the agency’s decision not to withdraw its support of the Dual EC_DRBG random number generator after security researchers found weaknesses in it and questioned its provenance was a “regrettable” choice.
Michael Wertheimer, the director of researcher at the National Security Agency, wrote in a short piece in Notices, a publication of the American Mathematical Society, that even during the standards development process for Dual EC many years ago, members of the working group focused on the algorithm raised concerns that it could have a backdoor in it. The algorithm was developed in part by the NSA and cryptographers were suspect of it from the beginning.
“With hindsight, NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable,” Wertheimer wrote in a piece in Notices’ February issue.
69206851
submission
Trailrunner7 writes:
There are few things scarier these days than a politician stepping in front of a microphone, taking a deep breath and opening his mouth to pontificate on security. A long list of American elected officials have reinforced this, and on Monday, UK Prime Minister David Cameron jumped to the head of this undistinguished line with his dangerous statement that encrypted communications shouldn’t be allowed.
Cameron, speaking in the wake of the terror attack in Paris last week, said at an event Monday that the UK government can’t allow any form of communication that can’t be read.
“Are we going to allow a means of communications which it simply isn’t possible to read?” Cameron said, according to the New York Times. “My answer to that question is: ‘No, we must not.’ “
Aside from the specter of attackers identifying and exploiting an intentional backdoor, there is the problem of trying to bend software makers to the will of the government. Even if by some miracle the backdoor proposal succeeds, the government still would face the hurdle of getting software makers such as Apple to prevent secure communications apps from showing up in their app store. Apple does what Apple wants and generally not much else. And, as Doctorow says, how would Cameron address the global open source community, which produces much of the secure communications software?
These kinds of systems just flat don’t work.
“It won’t work. The basic problem with these proposals is they work against regular people who don’t care. But to make it work, you have to close the loopholes,” cryptographer Bruce Schneier, CTO of Co3 Systems, said in an interview. “If you can’t do that, you don’t hurt the bad guys, you only hurt the good guys. It plays well on TV to someone who doesn’t understand the tech. Everything works against my grandmother, but nothing works against professionals.”
69038795
submission
Trailrunner7 writes:
A vulnerability at the heart of Apple’s Mac OS X systems—one thus far only partially addressed by Apple—opens the door to the installation of malicious firmware bootkits that resist cleanup and give hackers persistent, stealthy control over a compromised Mac.
The research is the work of a reverse engineering hobbyist and security researcher named Trammel Hudson, who gave a talk at the recent 31C3 event in Hamburg, Germany, during which he described an attack he called Thunderstrike. Thunderstrike is a Mac OS X bootkit delivered either through direct access to the Apple hardware (at the manufacturer or in transport), or via a Thunderbolt-connected peripheral device; the latter attack vector exposes vulnerable systems to Evil Maid attacks, or state-sponsored attacks where laptops are confiscated and examined in airports or border crossings, for example.
Hudson’s bootkit takes advantage of a vulnerability in how Apple computers deal with peripheral devices connected over Thunderbolt ports during a firmware update. In these cases, the flash is left unlocked, allowing an Option ROM, or peripheral firmware, to run during recovery mode boots. It then has to slip past Apple’s RSA signature check. Apple stores its public key in the boot ROM and signs firmware updates with its private key. The Option ROM over Thunderbolt circumvents this process and writes its own RSA key so that future updates can only be signed by the attacker’s key. The attack also disables the loading of further Option ROMs, closing that window of opportunity. A weaponized version of this attack would have free ring0 reign over the system.
Apple has only partially addressed the vulnerability behind this.
