
Submission + - Microsoft Malware Takedown Causes Waves in Security Community

Trailrunner7 writes: Microsoft’s latest takedown of a malware operation, announced Monday and involving the infrastructure of several malware families, has, like many of the company’s actions, elicited strong opinions on both sides of the issue from security researchers, activists and others with a stake in the game. This takedown didn’t involve simply hitting the C2 infrastructure of a botnet, but also includes legal action against a hosting company, No-IP.com, which has called out Microsoft for its tactics and raised a lot of questions in the security community, as well.

Microsoft officials said No-IP was a nest of malware activity, but officials at the hosting provider denied this and said Microsoft never even contacted them. Meanwhile, security researchers aren't too happy with Redmond's tactics either. Claudio Guarnieri, an independent botnet researcher, said Microsoft severely overstepped.

“Any other way would have been a better one. Microsoft is building legal precedents to be able to indiscriminately police the Internet at their own discretion. It is absolutely intolerable that Microsoft feels entitled to “take to task” another company and seize its assets, apparently without having explored all possible avenues as No-IP’s statement indicates. Microsoft’s DCU has been disrespectful and uncooperative in many of its recent operations and I’m sure the community will start protesting and refusing to work with them in the future,” he said.

“Whether No-IP was or was not cooperative is irrelevant (still consider that it’s a very small organization), the fact that Microsoft decided to “school” them and severely damage their business because they didn’t live up to Microsoft’s own standards is ludicrous.”

Submission + - FBI Issued 19,000 National Security Letters in 2013

Trailrunner7 writes: The United States federal government issued more than 19,000 National Security Letters–perhaps its most powerful tool for domestic intelligence collection–in 2013, and those NSLs contained more than 38,000 individual requests for information.

The new data was released by the Office of the Director of National Intelligence on Friday as part of its effort to comply with a directive from President Obama to declassify and release as much information as possible about a variety of tools that the government uses to collect intelligence. The directive came in the immediate aftermath of the first revelations by former NSA contractor Edward Snowden about the agency’s capabilities, methods and use of legal authorities.

The use of NSLs is far from new, dating back several decades. But their use was expanded greatly after 9/11 and NSLs are different from other tools in a number of ways, perhaps most importantly in the fact that recipients typically are prohibited from even disclosing the fact that they received an NSL. Successfully fighting an NSL is a rare thing, and privacy advocates have been after the government for years to release data on their use of the letters and the number of NSLs issued. Now, the ODNI is putting some of that information into the public record.

Submission + - Mass. Supreme Court Says Defendant Can be Compelled to Decrypt Data

Trailrunner7 writes: Encryption software has been enjoying a prolonged day in the sun for about the last year. Thanks to the revelations of Edward Snowden about the NSA’s seemingly limitless capabilities, security experts have been pounding the drum about the importance of encrypting not just data in transit, but information stored on laptops, phones and portable drives. But the Massachusetts Supreme Judicial Court put a dent in that armor on Wednesday, ruling that a criminal defendant could be compelled to decrypt the contents of his laptops.

The case centers on a lawyer who was arrested in 2009 for allegedly participating in a mortgage fraud scheme. The defendant, Leon I. Gelfgatt, admitted to Massachusetts state police that he had done work with a company called Baylor Holdings and that he encrypted his communications and the hard drives of all of his computers. He said that he could decrypt the computers seized from his home, but refused to do so.

The SJC, the highest court in Massachusetts, was considering the question of whether the act of entering the password to decrypt the contents of a computer was an act of self-incrimination, thereby violating Gelfgatt’s Fifth Amendment rights.

Submission + - Bug Lets Attackers Bypass PayPal Two Factor Authentication

Trailrunner7 writes: There’s a vulnerability in the way that PayPal handles certain requests from mobile clients that can allow an attacker to bypass the two-factor authentication mechanism for the service and transfer money from a victim’s account to any recipient he chooses.

The flaw lies in the way that the PayPal authentication flow works with the service’s mobile apps for iOS and Android. It’s on the server side, and researchers at Duo Security developed a proof-of-concept app that can exploit the vulnerability. PayPal has been aware of the issue since March and has implemented a workaround, but isn’t planning a full patch until the end of July.

Using the app they built to exploit the vulnerability, the researchers were able to transfer money from a 2FA-protected account with just the username and password. In an interview, Lanier said there were any number of ways to accomplish that task, none of which is very complicated.

“There are plenty of cases of PayPal passwords being compromised in giant database dumps, and there’s also been a giant rise in PayPal related phishing,” he said. “That approach is already being used. People have long been and are continuing to do so. The whole two factor thing was supposed to make you feel all warm and fuzzy if your password is compromised. I’d probably use one of these techniques that are pretty darn efficient or maybe iterate through the public dumps of passwords.”

Submission + - Researchers Map HackingTeam Malware Servers, Reveal iOS, Android Modules

Trailrunner7 writes: Controversial spyware commercially developed by Italy’s HackingTeam and sold to governments and law enforcement for the purpose of surveillance, has a global command and control infrastructure and for the first time, security experts have insight into how its mobile malware components work.

Collaborating teams of researchers from Kaspersky Lab and Citizen Lab at the Munk School of Global Affairs at the University of Toronto today reported on their findings during an event in London. The breadth of the command infrastructure supporting HackingTeam’s Remote Control System (RCS) is extensive, with 326 servers outed in more than 40 countries; the report also provides the first details on the inner workings of the RCS mobile components for Apple iOS and Android devices.

The new modules provide governments and law enforcement officers with extensive monitoring capabilities over victims, including the ability to report on their location, steal data from their device, use the device’s microphone in real time, intercept voice and SMS messages sent via applications such as Skype, WhatsApp, Viber, and much more.

Submission + - US Marshals Accidentally Reveal Potential Bidders For Gov't-Seized Bitcoin (itworld.com)

jfruh writes: When the U.S. government shut down the Silk Road marketplace, they seized its assets, including roughly $18 million in bitcoin, and despite the government's ambivalence about the cryptocurrency, they plan to auction the bitcoin off to the highest bidder, as they do with most criminal assets. Ironically, considering many bitcoin users' intense desire for privacy, the U.S. Marshals Service accidentally revealed the complete list of potential bidders by sending a message to everyone on the list and putting their addresses in the CC field instead of the BCC field.

Submission + - Hacker Puts Hosting Provider Code Spaces Out of Business

Trailrunner7 writes: Code Spaces, a code-hosting and software collaboration platform, has been put out of business by an attacker who deleted the company’s data and backups.

Officials wrote a lengthy explanation and apology on the company’s website, promising to spend its current resources helping customers recover whatever data may be left.

“Code Spaces will not be able to operate beyond this point, the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility,” read the note. “As such at this point in time we have no alternative but to cease trading and concentrate on supporting our affected customers in exporting any remaining data they have left with us.”

The beginning of the end was a DDoS attack initiated yesterday that was accompanied by an intrusion into Code Spaces’ Amazon EC2 control panel. Extortion demands were left for Code Spaces officials, along with a Hotmail address they were supposed to use to contact the attackers.

Submission + - Dyreza Banker Trojan Can Bypass SSL, Two-Factor Authentication

Trailrunner7 writes: Banker Trojans have proven to be reliable and effective tools for attackers interested in quietly stealing large amounts of money from unwitting victims. Zeus, Carberp and many others have made piles of money for their creators and the attackers who use them, and researchers have been looking at a newer banker Trojan that has the ability to bypass SSL protection for banking sessions by redirecting traffic through the attackers’ own domains.

The Trojan, which is being called either Dyre or Dyreza by researchers, uses a technique known as browser hooking to intercept traffic flowing between the victim’s machine and the target Web site. The malware arrives in users’ inboxes through spam messages, many of which will look like messages from a financial institution. The list of targeted banks includes Bank of America, Natwest, Citibank, RBS and Ulsterbank. Researchers say that much of the activity from the Trojan so far is in the U.K.

“The traffic, when you browse the Internet, is being controlled by the attackers. They use a MiTM (Man in The Middle) approach and thus are able to read anything, even SSL traffic in clear text. This way they will also try to circumvent 2FA,” an analysis by Peter Kruse at CSIS says.

Submission + - Guarding against 'Carmageddon' cyberattacks (vanderbilt.edu)

Science_afficionado writes: One of the research projects featured at the SmartAmerica Challenge EXPO in DC was a collaboration between engineers at Vanderbilt University and UC Berkeley to develop methods for detecting cyberattacks on smart road systems that use computers, a network of sensors and computer-controlled traffic signals to reduce traffic congestion on heavily traveled stretches of freeway. The goal is to give operators the tools they need to identify such attacks when they occur and, ultimately, create software tools that can automatically detect and take measures to block such attacks.

Submission + - Austrian Teen at Heart of TweetDeck Mess Says it Was All a Mistake

Trailrunner7 writes: The last 24 hours have been a sad, scary and frustrating time for a 19-year-old aspiring programmer in Austria who found himself smack in the middle of Wednesday’s TweetDeck mess—all because of a Unicode heart.

Twitter’s real-time account dashboard was taken down for a brief time yesterday before a cross-site scripting vulnerability in the TweetDeck Chrome plug-in was properly addressed. But not before code exploiting the bug in a benign manner spread to Twitter users worldwide.

Ground zero for the incident was the Austrian teen who identified himself only as Florian to Threatpost. The youngster said things began yesterday when he tweeted out an HTML hearts symbol (&hearts) that was graphically displayed in the message.

“TweetDeck is not supposed to display this as an image, because it’s simple text, which should be escaped to ‘♥’,” he said.

“I didn’t know that there is such a big problem. So I experimented with this in a public environment, there was no reason not to do so,” Florian said. “And that was the point where I reported this to TweetDeck.

“TweetDeck actually did not react in any way,” Florian said. “Their next Tweet was saying that there is a security-issue and the users should log in again.”
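The bug class Florian describes is output encoding: tweet text that reaches the page as markup instead of as text, so that an entity like &hearts; is drawn as a heart and, by the same mechanism, a tag is executed. The following is an added example written for this page; it is not TweetDeck's or Twitter's code, and renderTweetUnsafe, renderTweetSafe and containsInjectedMarkup are hypothetical names for two render pipelines and a check on their output.

```javascript
// Added example, not TweetDeck's or Twitter's code. It contrasts a render path that
// concatenates tweet text straight into HTML with one that escapes at output time.
// Function names and the wrapping <p class="tweet"> element are assumptions for the demo.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output-encode so the browser displays these characters instead of parsing them.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// BUGGY: tweet text becomes markup. "&hearts;" is parsed as an entity and drawn as a
// heart, which is exactly why "<script ...>" in a tweet would be parsed as a tag.
function renderTweetUnsafe(tweetText) {
  return `<p class="tweet">${tweetText}</p>`;
}

// FIXED: escape once, at output time. "&hearts;" is shown as the literal seven
// characters, and a real heart (U+2665) still displays because it is plain text.
function renderTweetSafe(tweetText) {
  return `<p class="tweet">${escapeHtml(tweetText)}</p>`;
}

// Check on rendered output: apart from the wrapper element and the entities the
// renderer itself emits, does the HTML contain any tag or entity? If so, something
// from the tweet reached the page as markup.
function containsInjectedMarkup(html) {
  const body = html.replace(/^<p class="tweet">/, '').replace(/<\/p>$/, '');
  const withoutOwnEntities = body.replace(/&(amp|lt|gt|quot|#39);/g, '');
  return /<|&[a-zA-Z#][a-zA-Z0-9]*;/.test(withoutOwnEntities);
}

// Constructed sample tweets: the heart entity and an XSS-style tag.
const SAMPLE_TWEETS = ['I &hearts; TweetDeck', '<script class="xss">alert(1)</script>', 'I \u2665 TweetDeck'];
for (const tweet of SAMPLE_TWEETS) {
  console.log(`unsafe: ${renderTweetUnsafe(tweet)}  injected=${containsInjectedMarkup(renderTweetUnsafe(tweet))}`);
  console.log(`safe:   ${renderTweetSafe(tweet)}  injected=${containsInjectedMarkup(renderTweetSafe(tweet))}`);
}
```

The point of the third sample is that the correct fix does not lose the heart: a tweet containing the actual U+2665 character renders fine after escaping, because only the five HTML-significant characters change.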

Submission + - Auditors Release Verified Repositories of TrueCrypt

Trailrunner7 writes: As the uncertainty surrounding the end of TrueCrypt continues, members of the security community are working to preserve a known-good archive of the last version of the open source encryption software released before the developers inserted a warning about potential unfixed bugs in the software and ended development.

The message that the TrueCrypt developers posted about the security of the software also was included in the release of version 7.2a. The OCAP team decided to focus on version 7.1a and created the verified repository by comparing the SHA2 hashes with files found in other TrueCrypt repositories. So the files are the same as the ones that were distributed as 7.1a.

“These files were obtained last November in preparation for our audit, and match the hash reported by iSec in their official report from phase I of the audit,” said Kenn White, part of the team involved in the TrueCrypt audit.

Submission + - Google EasterEgg pokes fun at the NSA (twitter.com)

Charliemopps writes: A few months ago it was revealed that the NSA had been spying on Google's customers according to documents released by Edward Snowden.

In one image NSA staff joked "SSL added and removed here! :-)"

Recently Google released a Chrome extension designed to combat this. People who have reviewed the code found an Easter Egg left for the NSA by Google. Interesting times indeed.

Submission + - New OpenSSL Man-in-the-Middle Flaw Affects All Clients

Trailrunner7 writes: There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software.

The new vulnerability could only be exploited to decrypt traffic between a vulnerable client and a vulnerable server, and the attacker would need to have a man-in-the-middle position on a network in order to do so. That’s not an insignificant set of conditions that must be present for a successful attack, but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought, gaining a MITM position is not an insurmountable hurdle.

Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998.

Submission + - TrueCrypt Cryptanalysis to Include Crowdsourcing (threatpost.com)

msm1267 writes: A cryptanalysis of TrueCrypt will proceed as planned, said organizers of the Open Crypto Audit Project who announced the technical leads of the second phase of the audit and that there will be a crowdsourcing aspect to phase two.
The next phase of the audit, which will include an examination of everything including the random number generators, cipher suites, crypto protocols and more, could be wrapped up by the end of the summer.

Submission + - OpenSSL to Undergo Security Audit, Gets Cash for 2 Developers

Trailrunner7 writes: Scarcely a month after announcing the formation of a group designed to help fund open source projects, the Core Infrastructure Initiative has decided to provide the OpenSSL Project with enough money to hire two full-time developers and also will fund an audit of OpenSSL by the Open Crypto Audit Project.

The CII is backed by a who’s who of tech companies, including Google, Microsoft, IBM, the Linux Foundation, Facebook and Amazon, and the group added a number of new members this week, as well. Adobe, Bloomberg, HP, Huawei and Salesforce.com have joined the CII and will provide financial backing.

Now, the OCAP team, which includes Johns Hopkins professor and cryptographer Matthew Green, will have the money to fund an audit of OpenSSL, as well. OpenSSL took a major hit earlier this year with the revelation of the Heartbleed vulnerability, which sent the Internet into a panic, as the software runs on more than 60 percent of SSL-protected sites.
