Submission + - Nasty IE Zero-Day Used in Attacks Against US Firms (securityweek.com) 1

wiredmikey writes: Researchers from FireEye have discovered a nasty zero-day exploit that bypasses the ASLR and DEP protections in Microsoft Windows and is being used in targeted attacks.

The campaign is currently targeting US-based firms tied to the defense and financial sectors, a FireEye spokesperson told SecurityWeek, and is specifically targeting IE9 through IE11. FireEye warned that the attackers are “extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”

“The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections,” FireEye wrote in a blog post Saturday. Microsoft also issued a security advisory on Saturday.

Submission + - Tech Giants Launch 'Core Infrastructure Initiative' to Fund Open Source Projects (securityweek.com)

wiredmikey writes: Technology giants including Microsoft, Google, Intel, and Cisco are banding together to support and fund open source projects that make up critical elements of global information infrastructure. The new Core Infrastructure Initiative brings technology companies together to identify and fund open source projects that are widely used in core computing and Internet functions, The Linux Foundation announced today. Formed primarily as the industry's response to the Heartbleed crisis, the OpenSSL library will be the initiative's first project. Other open source projects will follow.

The funds will be administered by the Linux Foundation and a steering group comprised of the founding members, key open source developers, and other industry stakeholders. Anyone interested in joining the initiative, or donating to the fund can visit the Core Infrastructure Initiative site.

Submission + - Verizon Publishes Vastly Expanded Data Breach Investigations Report (securityweek.com)

wiredmikey writes: Verizon has published the latest version of its highly respected and always anticipated Verizon Data Breach Investigations Report. Point-of-sale (PoS) attacks are declining, while Web application attacks and cyber-espionage are increasing, according to the 2014 Verizon Data Breach Investigations Report (DBIR).

The highlight of this year's report, however, is not the data breach numbers, but the industry-by-industry analysis of various threat types. In previous years, the highly regarded report from Verizon focused on actual data breaches investigated by either Verizon's security team or by one of its global partners. This year, the team decided to expand the report definition to include security incidents that didn't result in breaches in order to "gain a better understanding of the cybersecurity landscape," Marc Spitler, a senior risk analyst with Verizon's RISK team, told SecurityWeek.

"This evolution of the DBIR reflects the experience of many security practitioners and executives who know that an incident needn’t result in data exfiltration for it to have a significant impact on the targeted business," the report said.

Verizon RISK team researchers found that 92 percent of security incidents from the past 10 years could be categorized in one of nine "threat patterns," or attack types. The full report is available online in PDF format.

Submission + - Heartbleed Exploited to Bypass Two-factor Authentication, Hijack User Sessions (securityweek.com)

wiredmikey writes: Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye, an attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions. The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.

“Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” Mandiant’s Christopher Glyer explained. “With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated.”

After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said.

Submission + - Russian Officials Dump iPads for Samsung Tablets Over Spy Fears (securityweek.com)

wiredmikey writes: Russian government officials have swapped their iPads for Samsung tablets to ensure tighter security, the telecoms minister told news agencies on Wednesday. Journalists spotted that ministers at a cabinet meeting were no longer using Apple tablets, and minister Nikolai Nikiforov confirmed the changeover "took place not so long ago." He said the ministers' new Samsungs were "specially protected devices that can be used to work with confidential information." This isn't the first time Russian powers have had concerns over mobile. In August 2012, Russia unveiled a prototype tablet with its own "almost Android" mobile OS that has the remarkably familiar feel of an Android but with bolstered encryption. In an even more paranoid move, this past July a Russian state service in charge of safeguarding Kremlin communications was looking to purchase an array of old-fashioned typewriters to prevent leaks from computer hardware.

Submission + - Full Disclosure List Reborn Under New Operator (securityweek.com)

wiredmikey writes: Less than a week after announcing that it would suspend service indefinitely due to a conflict with an unnamed security researcher and ongoing legal threats, the Full Disclosure mailing list is coming back.

Gordon Lyon (aka Fyodor), who operates several Internet security resources and other mailing lists, has created a replacement list with the blessing of John Cartwright, one of the creators of Full Disclosure, which served as a forum for the discussion of vulnerabilities, exploitation techniques and other security topics.

Because the list is getting a fresh start and no previous subscriber information appears to be headed to Lyon, interested users will have to subscribe manually, which can be done here.

"Some have argued that we no longer need a Full Disclosure list, or even that mailing lists as a concept are obsolete," Lyon said. "I disagree. Mailing lists create a much more permanent record and their decentralized nature makes them harder to censor or quietly alter in the future."

Submission + - Verizon Knows your Wi-Fi SSID and Key (wlanbook.com) 4

FuzzyFox writes: While browsing my Verizon FIOS account settings on their web site, I happened to notice my Wi-Fi SSID was prominently displayed. Below that, I noticed a link that would also display the WPA2 password for my private network.

I was really surprised by this, because I did not tell Verizon this information, or ask them to store it on my behalf. It appears they have lifted the information remotely from the ActionTec router that they supplied me with.

It bothers me that they are storing this information about me, because it could conceivably be (1) stolen by hackers, (2) subpoenaed by the government, (3) silently borrowed by the NSA, or put to other uses that haven't yet come to mind.

Do other ISPs also silently store their customers' password information without the knowledge of the customer? Should we be outraged about this? I would rather that my private information not be stored without my consent, at the very least.

Comment Affects more than Word 2010, Including Mac OS (Score 1) 1

One important piece not included in my original post is that while the reported attacks are targeting Microsoft Word 2010, other software products affected by the vulnerability include Microsoft Word 2003, Microsoft Word 2007, Microsoft Word 2013, Microsoft Word Viewer, and Microsoft Office for Mac 2011. Fortunately for Windows systems, according to the Microsoft engineers, tests showed that the EMET default configuration can block the exploits seen in the wild.

Submission + - Microsoft Word Zero-Day Used in Targeted Attacks (securityweek.com) 1

wiredmikey writes: Microsoft warned on Monday of a remote code execution vulnerability (CVE-2014-1761) in Microsoft Word that is being actively exploited in targeted attacks directed at Microsoft Word 2010.

If successfully exploited, an attacker could gain the same user rights as the current user, Microsoft said, noting that users whose accounts are configured to have fewer user rights on the system could be less impacted than accounts with administrative privileges.

“The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer,” Microsoft explained in the advisory.

Microsoft did not share any details on the attacks that leveraged the vulnerability, but did credit Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team for reporting it to Microsoft.

Submission + - Google Boosts Security of Gmail Infrastructure (securityweek.com)

wiredmikey writes: Google announced on Thursday that its Gmail service would use added encryption to protect against eavesdropping and keep messages secure. "Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email,” Gmail security engineering lead, Nicolas Lidzborski, wrote in a blog post.

Lidzborski said that 100 percent of email messages that Gmail users send or receive are encrypted while moving internally. “This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centers—something we made a top priority after last summer’s revelations,” he said.

Joseph Hall, chief technologist at the Center for Democracy and Technology, told AFP that Google's encryption "would make it very difficult" for the NSA or others to tap into email traffic directly. "I'm reluctant to say anything is NSA-proof," Hall said. "But I think what Google is trying to do is make sure they come through the front door and not the back door."

In December, Microsoft said it would “pursue a comprehensive engineering effort to strengthen the encryption of customer data” in order to protect its customers from prying eyes and increase transparency.

Submission + - Symantec Fires CEO Steve Bennett (securityweek.com)

wiredmikey writes: Symantec on Thursday announced that CEO Steve Bennett was terminated by the security company and has been replaced by Michael Brown as interim president and CEO. Bennett, who also resigned from Symantec's board of directors, took the top position at Symantec in July 2012, after former president and CEO Enrique Salem was pushed out by the Board of Directors.

In April 2013, Bennett told attendees at Symantec's own Vision Conference that the company was changing, and acknowledged that Symantec “lacked strategy” when it came to dealing with acquisitions. His plan was to move the company forward slowly but consistently and make Symantec easier to do business with. That strategy, or at least the execution of it, hasn't impressed the board of directors, it seems.

Submission + - NSA's PRISM Targets Email Addresses, Not Keywords: Officials (securityweek.com)

wiredmikey writes: The US government's PRISM Internet spying program exposed by Edward Snowden targets suspect email addresses and phone numbers but does not search for keywords like terrorism, officials said Wednesday. Top lawyers of the country's intelligence apparatus including the NSA and FBI participated Wednesday in a public hearing on the controversial US data-mining operations that intercept emails and other Internet communications including on social media networks like Facebook, Google or Skype.

"We figure out what we want and we get that specifically, that's why it's targeted collection rather than bulk collection," Robert Litt, general counsel at the Office of the Director of National Intelligence, told the hearing.

Under authority of the Foreign Intelligence Surveillance Act, the NSA asks Internet service providers to hand over messages sent from or received by certain accounts such as "terrorist@google.com," the Justice Department's Brad Wiegmann said, using a hypothetical example.

Submission + - "Robot" Snowden Takes Stage at TED Promising More Spying Revelations (securityweek.com)

wiredmikey writes: Edward Snowden's face appeared on a screen as he maneuvered the wheeled android around a stage at the TED gathering, addressing an audience in Vancouver without ever leaving his secret hideaway. He promised more sensational revelations about US spying programs, saying "some of the most important reporting to be done is yet to come."

Internet creator Tim Berners-Lee briefly joined Snowden's interview with TED curator Chris Anderson, and came down in the hero camp. When Anderson posed the question to the TED audience — known for famous, innovative, and influential attendees — the idea that Snowden was a force for good met with applause. "Hero patriot or traitor; I would say I am an American citizen just like anyone else," Snowden said. "What really matters here is the kind of government we want; the kind of Internet we want."

Submission + - Malware Attack Infected 25,000 Linux/UNIX Servers (securityweek.com)

wiredmikey writes: Security researchers from ESET have uncovered a widespread attack campaign that has infected more than 25,000 Linux and UNIX servers around the world.

The servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling 'Operation Windigo.' Once infected, victimized systems are leveraged to steal credentials, redirect web traffic to malicious sites and send as many as 35 million spam messages a day. "Windigo has been gathering strength, largely unnoticed by the security community, for more than two and a half years and currently has 10,000 servers under its control," said Pierre-Marc Bureau, security intelligence program manager at ESET, in a statement.

There are many misconceptions around Linux security, and attacks are not something only Windows users need to worry about. The main threats facing Linux systems aren't zero-day vulnerabilities or malware, but things such as Trojanized applications, PHP backdoors, and malicious login attempts over SSH.

ESET recommends webmasters and system administrators check their systems to see if they are compromised, and has published a detailed report presenting the findings and instructions on how to remove the malicious code if it is present.