
Submission + - Drupal Warns Users of Mass, Automated Attacks on Critical Flaw

Trailrunner7 writes: The maintainers of the Drupal content management system are warning users that any site owners who haven’t patched a critical vulnerability in Drupal Core disclosed earlier this month should consider their sites to be compromised.

The vulnerability, which became public on Oct. 15, is a SQL injection flaw in a Drupal module that’s designed specifically to help prevent SQL injection attacks. Shortly after the disclosure of the vulnerability, attackers began exploiting it using automated attacks. One of the factors that makes this vulnerability so problematic is that it allows an attacker to compromise a target site without needing an account and there may be no trace of the attack afterward.

Submission + - Former NSA Lawyer: Cyberespionage Is a Problem That Doesn't Have a Solution

Trailrunner7 writes: Gentlemen may not read each other’s mail, as Henry Stimson famously said so long ago, but in today’s world they certainly steal it and there’s precious little in the way of gentlemanly conduct happening in the realm of cyberespionage. It’s every man—or country—for himself in this environment, and that free-for-all is creating unforeseen consequences for governments and their citizens around the world.

“This isn’t a problem that can be solved. Don’t think it has a solution,” Joel Brenner, former head of national counterintelligence at the Office of the Director of National Intelligence and former senior counsel at the NSA, said in a keynote speech at the Kaspersky Government Cybersecurity Forum here Tuesday. “We are economically interdependent with the Chinese in an extraordinary way.”

The animosity between the U.S. and China and other countries over cyberespionage and the theft of intellectual property has been simmering for several years now, and it has resulted in plenty of vague assertions and accusations from both sides, and some not-so-vague ones as well. U.S. officials maintain that American intelligence agencies don’t use their attacks on foreign adversaries in order to gain economic advantages for American companies, something that they say China and other governments do on a regular basis.

Still, experts say it’s difficult to know exactly who’s doing what to whom.

“I don’t think anyone’s hands are clean,” said Howard Schmidt, former White House cybersecurity adviser under President Barack Obama and a former security adviser to President George W. Bush.

Submission + - Researcher Finds Tor Exit Node Adding Malware to Downloads

Trailrunner7 writes: A security researcher has identified a Tor exit node that was actively patching binaries users download, adding malware to the files dynamically. The discovery, experts say, highlights the danger of trusting files downloaded from unknown sources and the potential for attackers to abuse the trust users have in Tor and similar services.

Josh Pitts of Leviathan Security Group ran across the misbehaving Tor exit node while performing some research on download servers that might be patching binaries during download through a man-in-the-middle attack. Downloading any kind of file from the Internet is a dodgy proposition these days, and many users know that if they’re downloading files from some random torrent site in Syria or The Marshall Islands, they are rolling the dice. Malware runs rampant on these kinds of sites.

But the scenario that worries security experts much more involves an attacker being able to control the download mechanism for security updates, say for Windows or OS X. If an attacker can insert malware into this channel, he could cause serious damage to a broad population of users, as those update channels are trusted implicitly by the users and their machines. Legitimate software vendors typically will sign their binaries and modified ones will cause verification errors. What Pitts found during his research is that an attacker with a MITM position can actively patch binaries–if not security updates–with his own code.

In terms of defending against this sort of attack, Pitts suggested that encrypted download channels are the best option, both for users and site operators.

“SSL/TLS is the only way to prevent this from happening. End-users may want to consider installing HTTPS Everywhere or similar plugins for their browser to help ensure their traffic is always encrypted,” he said via email.

Submission + - Cisco Fixes Three-Year-Old Telnet Flaw in Security Appliances

Trailrunner7 writes: There is a severe remote code execution vulnerability in a number of Cisco’s security appliances, a bug that was first disclosed nearly three years ago. The vulnerability is in Telnet and there has been a Metasploit module available to exploit it for years.

The FreeBSD Project first disclosed the vulnerability in telnet in December 2011 and it was widely publicized at the time. Recently, Glafkos Charalambous, a security researcher, discovered that the bug was still present in several of Cisco’s security boxes, including the Web Security Appliance, Email Security Appliance and Content Security Management Appliance. The vulnerability is in the AsyncOS software in those appliances and affects all versions of the products.

Submission + - Mobile Device Crypto Could Lead to a 'Very, Very Dark Place', FBI Dir. Says (threatpost.com)

Gunkerty Jeb writes: FBI Director James Comey said Thursday that the recent movement toward default encryption of smartphones and other devices could “lead us to a very, very dark place.” Echoing comments made by law enforcement officials for the last several decades, Comey said that the advanced cryptosystems available today threaten to cripple the ability of intelligence and law enforcement agencies to gather vital information on criminals.

Submission + - Schmidt Says Attack on Google Prompted Encryption Changes

Trailrunner7 writes: Eric Schmidt, executive chairman of Google, said that the changes to Android's encryption model, which have angered law enforcement officials, should have come as no surprise to law enforcement and government agencies, given the events of the last couple of years.

“The people who are criticizing this should’ve expected this. After Google was attacked by the British version of the NSA we were annoyed to no end,” Schmidt said. “We put in encryption end to end, at rest and in transit. Law enforcement has many many ways to get this information without doing this.”

After the details of Apple’s and Google’s encryption changes became public, some in the law enforcement community have suggested that the companies should include a backdoor in their devices. Both Sen. Ron Wyden and Schmidt dismissed this suggestion out of hand.

“U.S. companies shouldn’t be forced to build backdoors into their products,” Wyden said.

Submission + - Twitter Sues DoJ Over Restrictions on National Security Letter Data

Trailrunner7 writes: Twitter has filed a lawsuit in federal court asking that the United States Department of Justice’s prohibitions on publishing the number and kind of government requests for data the company receives be declared unconstitutional. The suit claims that the rules infringe on Twitter’s right to free speech by requiring that the company “engage in speech that has been preapproved by government officials or else to refrain from speaking altogether.”

The move by Twitter is the first public shot across the bow of the FBI and Justice Department on this issue. Many companies, including Google, Microsoft, Apple and others, have been pressing the government for the ability to publish detailed information about the scope of the requests they receive for user data. The government so far has said that companies can publish only broad ranges of numbers about the volume of National Security Letters they receive, which only gives a vague picture of the situation.

"Twitter’s ability to respond to government statements about national security surveillance activities and to discuss the actual surveillance of Twitter users is being unconstitutionally restricted by statutes that prohibit and even criminalize a service provider’s disclosure of the number of national security letters (“NSLs”) and court orders issued pursuant to FISA that it has received, if any," the suit says.

Submission + - Obama Administration argues for backdoors in personal electronics (washingtonpost.com)

mi writes:

Attorney General Eric H. Holder Jr. said on Tuesday that new forms of encryption capable of locking law enforcement officials out of popular electronic devices imperil investigations of kidnappers and sexual predators, putting children at increased risk.

Seriously. Would somebody, please, think of the children?!

Submission + - DARPA Working on 'Unhackable' Embedded Software

Trailrunner7 writes: DARPA is the birthplace of the network that eventually became today’s Internet, and the agency has spent the decades since it released that baby out into the world trying to find new ways to defend it. That task has grown ever more complex and difficult, and now DARPA is working on a new kind of software that is provably secure for specific properties.

Arati Prabhakar, the director of DARPA, said that the agency, which performs advanced research and development for the United States military and government, has been working on the software in the hopes that it can run on some embedded systems. The software isn’t meant as a general purpose operating system for servers or desktops, but Prabhakar said that the agency believes it has plenty of applications.

“Unfortunately there’s not going to be a silver bullet. There are pieces of this we think can become tractable. One of our programs is working on software that’s unhackable for specific security properties,” said Prabhakar, who was speaking at the Washington Post Cybersecurity Summit on Wednesday. “We’re working on a mathematical proof that the software can’t be hacked from the outside. It’s for embedded systems with a modest number of lines of code.”

Submission + - Google to Pay Researchers Extra Cash for Exploits

Trailrunner7 writes: Google is again increasing the amount of money it offers to researchers who report vulnerabilities in Chrome as part of the company’s bug bounty program. Now, researchers will be able to earn $15,000 at the high end of the scale, and Google also is offering more cash for researchers who can submit a working exploit for their vulnerability submission.

The range for Google’s vulnerability reward program is now $500-$15,000, and there are a number of factors that go into the company’s decision on what to pay a researcher for a submission. Much of it has to do with the severity of the vulnerability and the likelihood that it will affect a large number of users.

“We’ll pay at the higher end of the range when researchers can provide an exploit to demonstrate a specific attack path against our users. Researchers now have an option to submit the vulnerability first and follow up with an exploit later," Google's Tim Willis said.

Submission + - FBI Plans to Open Up Malware Analysis Tool to Outside Researchers

Trailrunner7 writes: The FBI has developed an internal malware-analysis tool, somewhat akin to the systems used by antimalware companies, and plans to open the system up to external security researchers, academics and others.

The system is known as Malware Investigator and is designed to allow FBI agents and other authorized law enforcement users to upload suspicious files. Once a file is uploaded, the system runs it through a cluster of antimalware engines, somewhat akin to the way that Virus Total handles submissions, and returns a wide variety of information about the file. Users can see what the detection rate is among AV engines, network connection attempts, whether the file has been seen by the system before, destination and source IP addresses and what protocols it uses.

Right now, Malware Investigator is able to analyze Windows executables, PDFs and other common file types. But Burns said that the bureau is hoping to expand the portal’s reach in the near future.

“We are going to be doing dynamic analysis of Android files, with an eye toward other operating systems and executables soon,” he said.

Submission + - Google Funds New Group to Improve Usability of Open Source Security Tools

Trailrunner7 writes: The dramatic revelations of large-scale government surveillance and deep penetration of the Internet by intelligence services and other adversaries have increased the interest of the general public in tools such as encryption software, anonymity services and others that previously were mainly of interest to technophiles and activists. But many of those tools are difficult to use and present major challenges for users, so to help improve the usability of these applications, Google, Dropbox and others are supporting a new project called Simply Secure.

The project is focused on making open-source security and privacy tools easier to use and to remove some of the pain of using crypto packages, off-the-record messaging and other tools that protect users online. The organization’s activities will center on bringing developers of open source security tools together with usability researchers and experts to help solve the difficult problems the developers face. Many open source projects are run by volunteers who don’t have the time or resources to tackle these issues on their own.

Submission + - NSA Director Says Agency is Still Trying to Figure Out Cyber Operations

Trailrunner7 writes: In a keynote speech at a security conference in Washington Tuesday, new NSA Director Mike Rogers emphasized a need to establish behavioral norms for cyber war.

“We’re still trying to work our way through distinguishing the difference between criminal hacking and an act of war,” said Rogers. “If this was easy, we would have figured it out years ago. We have a broad consensus about what constitutes an act of war, what’s an act of defense.”

Rogers went on to explain that we need to better establish standardized terminology and standardized norms like those that exist in the realm of nuclear deterrence. Unfortunately, unlike in traditional national defense, we cannot assume that the government will be able to completely protect us against cyber-threats because the threat ecosystem is just too broad.

Submission + - SNMP DDoS Scans Spoof Google DNS Server (threatpost.com)

msm1267 writes: The SANS Internet Storm Center is seeing SNMP scans spoofed from Google’s public recursive DNS server seeking to overwhelm vulnerable routers and other devices that support the protocol with DDoS traffic.

“The traffic is spoofed, and claims to come from Google’s DNS server. The attack is however not an attack against Google. It is likely an attack against misconfigured gateways,” said Johannes Ullrich, dean of research of the SANS Technology Institute and head of the Internet Storm Center.

Ullrich said the ISC is still investigating the scale of the possible attacks, but said the few packets that have been submitted target default passwords used by SNMP. In an update posted last night, Ullrich said the scans are sequential, indicating someone is conducting an Internet-wide scan looking for vulnerable routers and devices that accept certain SNMP commands.
