41602661
submission
Gunkerty Jeb writes:
The Senate today rejected the inclusion of four privacy-friendly amendments before voting to reauthorize the controversial Foreign Intelligence Surveillance Act (FISA) that grants the federal government the authority to clandestinely monitor electronic communications involving foreign citizens coming into or out of the United States without the probable cause required for traditional warrants.
41050039
submission
Gunkerty Jeb writes:
In the process of analyzing a seemingly new and fairly small botnet called Skynet, Rapid7 security researchers determined that this was precisely the same network described by its creator in a particularly bold Ask Me Anything’ (AMA) on the social news site Reddit earlier this year.
40674491
submission
Gunkerty Jeb writes:
Defense Advanced Research Projects Agency (DARPA), the avant-garde research and development arm of the Department of Defense — perhaps best known for its central role in the development of the Internet — is soliciting research proposals that would help the military improve its cyber battlespace capabilities such that they match the DoD’s existing superiority in the other domains of war.
The 52-page announcement for the funding opportunity, enigmatically titled Plan X, is predictably vague. It is billed as a call for research proposal submissions designed to advance the nature of cyberwarfare by further measuring, quantifying, and understanding cyberspace as well as planning and managing large-scale, real-time operations on the dynamic network environments there.
40509993
submission
Gunkerty Jeb writes:
Researchers from two U.S. universities have created a way to anonymously use cloud-based Web browsers to perform large-scale computing tasks — a feat that also demonstrates how hackers might secretly harness massive computing power to launch attacks.
Using the MapReduce technique developed by Google to facilitate large-scale computations, researchers at North Carolina State University and the University of Oregon explored the computation and memory limits of four cloud browsers. They specifically focused on the viability of the MapReduce BMR architecture by implementing a client based on a reverse engineering of the Puffin cloud browser.
40475269
submission
Gunkerty Jeb writes:
Security researcher Bogdan Calin found that he could remotely compromise the internal networks of users with default or weak router passwords merely by compelling them to open a legitimate looking email on their iPhone, iPad, or Mac.
Writing for the Acunetix blog, Calin explains that he has found a way to specially craft emails in such a way that once opened he can compromise that user’s internal network and change the DNS servers generally used by the router to an IP address under his or an attacker’s control.
The attack leverages two unrelated instances of insecurity. The first is a functionality in Apple products that loads images from remote servers by default in emails. The other vulnerability is the reality that most Internet users are either completely unaware that they can change their default router password, know they can but choose not to change it anyway, or change it to a weak password. Of course, once you enter a router’s settings interface you can make all sorts of changes.
40468807
submission
Gunkerty Jeb writes:
The International Atomic Energy Agency has confirmed that one of its decommissioned servers had been accessed and had data stolen from it.
The admission from the United Nations’ nuclear regulatory arm came in response to the publication of some 170 email addresses, apparently belonging to the same number of scientists, showed up in identical entries on Cryptome and the text sharing site Pastebin.
The list of email addresses comes alongside a veiled threat to release more information from the compromised server if the IAEA doesn’t investigate nuclear weapons and other activities in Israel.
39758877
submission
Gunkerty Jeb writes:
Threatpost's Dennis Fisher talks with Chris Soghoian, a principal technologist at the ACLU, about the developing market for buying and selling exploits and vulnerabilities. Soghoian has been a vocal critic of exploit sales and in this podcast he discusses the reasons why and why he thinks the policymakers in Washington need to get involved.
39648383
submission
Gunkerty Jeb writes:
Side-channel attacks against cryptography keys have, until now, been limited to physical machines. Researchers have long made accurate determinations about crypto keys by studying anything from variations in power consumption to measuring how long it takes for a computation to complete.
A team of researchers from the University of North Carolina, University of Wisconsin, and RSA Security has ramped up the stakes, having proved in controlled conditions that it’s possible to steal a crypto key from a virtual machine.
The implications for sensitive transactions carried out on public cloud infrastructures could be severe should an attacker land his malicious virtual machine on the same physical host as the victim. Research has already been conducted on how to map a cloud infrastructure and identify where a target virtual machine is likely to be.
39232455
submission
Gunkerty Jeb writes:
The death knell for SSL is getting louder.
Researchers at the University of Texas at Austin and Stanford University have discovered that poorly designed APIs used in SSL implementations are to blame for vulnerabilities in many critical non-browser software packages.
Serious security vulnerabilities were found in programs such as Amazon’s EC2 Java library, Amazon’s and PayPal’s merchant SDKs, Trillian and AIM instant messaging software, popular integrated shopping cart software packages, Chase mobile banking software, and several Android applications and libraries. SSL connections from these programs and many others are vulnerable to a man in the middle attack.
38825445
submission
Gunkerty Jeb writes:
Initially thought to be merely a module of the now-infamous Flame malware, MiniFlame, or SPE is, in reality, a secondary surveillance tool deployed against specially identified targets following an initial Flame or Gauss compromise.
MiniFlame/SPE was one of three previously unseen pieces of malware discovered during a forensic analysis of Flame's command and control servers.'
Researchers at Kaspersky Lab and CERT-Bund/BSI determined that the program, which has compromised somewhere between 10 and 20 machines, can stand alone as an independent piece of malware or run as a plug-in for both Flame and Gauss.
38297071
submission
Gunkerty Jeb writes:
Researchers working on the "physically unclonable functions found in standard PC components (PUFFIN) project" announced last week that widely used graphics processors could be the next step in online authentication. The project seeks to find uniquely identifiable characteristics of hardware in common computers, mobile devices, laptops and consumer electronics.
The researchers realized that apparently identical graphics processors are actually different in subtle, unforgeable ways. A piece of software developed by the researchers is capable of discerning these fine differences. The order of magnitude of these differences is so minute, in fact, that manufacturing equipment is incapable of manipulating or replicating them. Thus, the fine-grained manufacturing differences can act as a sort of a key to reliably distinguish each of the processors from one another.
The implication of this discovery is that such differences can be used as physically unclonable features to securely link the graphics cards, and by extension, the computers in which they reside and the persons using them, to specific online accounts.
37478699
submission
Gunkerty Jeb writes:
The developer of the notorious black hole exploit kit recently released a new version, adding an extensive list features to the kit. Among the additions is the use of short-term random URLs for delivering exploits and other functionalities designed to perplex researchers and reverse engineers.
The URL randomizer alone could present a formidable problem for site owners and security companies who will have to keep up with malicious URLs changing up as often as every few seconds.
Luckily for the malicious hackers out there, the price of the kit, despite its new features, remains the same.
37197533
submission
Gunkerty Jeb writes:
There is a feature supported by the SSL/TLS encryption standard and used by most of the major browsers that leaks enough information about encrypted sessions to enable attackers decrypt users' supposedly protected cookies and hijack their sessions. The researchers who developed the attack that exploits this weakness say that all versions of TLS are affected, including TLS 1.2, and that the cipher suite used in the encrypted session makes no difference in the success of the attack.
The attack was developed by researchers Juliano Rizzo and Thai Duong, the same pair who last year released details of a similar attack on SSL/TLS and wrote a tool called BEAST, which also gave them the ability to decrypt users' cookies and hijack sessions with sensitive sites such as e-commerce or online banking sites. That attack targeted a specific problem with the AES (Advanced Encryption Standard) algorithm as it was implemented in TLS 1.0 and SSL 3.0 and were able to use the BEAST tool to grab encrypted cookies from active user sessions that were supposedly protected by SSL/TLS.
Once they had the cookie, Rizzo and Duong could return to whatever site the user was visiting and log in using her credentials. The attack caused quite a stir in the security and cryptography communities and browser vendors were forced to issue fixes. One of the workarounds that defeated BEAST (Browser Exploit Against SSL/TLS) was to switch from TLS 1.0 to TLS 1.2 or to switch from AES to the RC4 cipher suite. However, Rizzo said that defense won't work against their new attack, which they've dubbed CRIME.
36843225
submission
Gunkerty Jeb writes:
The Air Force Life Cycle Management Center (AFLCMC) posted a broad agency announcement recently, calling on contractors to submit concept papers detailing technological demonstrations of ‘cyberspace warfare operations’ (CWO) capabilities.
Among many other things, the Air Force is seeking to obtain the abilities to “destroy, deny, degrade, disrupt, deceive, corrupt, or usurp the adversaries' ability to use the cyberspace domain for his advantage” and capabilities that would allow them to intercept, identify, and locate sources of vulnerability for threat recognition, targeting, and planning, both immediately and for future operations.
36327349
submission
Gunkerty Jeb writes:
The findings from a recent study carried out by Microsoft Research and the University of South Carolina suggest that we should be asking ourselves when to require authentication rather than whether to require authentication.
The research puts forth the idea of tailoring authentication requirements on mobile devices, by application or otherwise, so that users are only prompted for a password or other authentication method when it's necessary. In this way, the study’s authors believe, users would be required to authenticate themselves less often, therefore, lowering the barrier of entry for those who currently use no authentication methods at all.
