Submission + - EBay Vulnerable to Account Hijacking via XSRF (threatpost.com)

msm1267 writes: eBay users remain vulnerable to account hijacking nearly five months after it was initially informed of a cross-site request forgery flaw by a U.K. security researcher. eBay has three times communicated to the researcher that the code causing the XSRF situation has been fixed, but it still remains vulnerable to his exploit.

The attack allows a hacker who lures a victim to a website hosting the exploit to change the user's contact information necessary to perform a password reset. The hacker eventually is able to log in as the victim and make purchases on their behalf.

Submission + - NSA Says Snowden Used Legit Access to Steal Data (threatpost.com)

Gunkerty Jeb writes: It’s taken more than six months, but top officials at the National Security Agency are finally discussing some of the details of how former agency contractor Edward Snowden got access to all of the documents he stole and what kind of damage they believe the publication of the information they contain could do. A senior NSA employee tasked with investigating what Snowden did and how he did it said that Snowden simply used the legitimate access he had as a systems administrator to steal and store the millions of documents he’s been slowly leaking to the media, and that the information in those documents could give U.S. enemies a “road map” of the country’s intelligence capabilities and blind spots.

Submission + - The Infamous Zeus Banking Trojan has Gone 64-Bit (threatpost.com)

Gunkerty Jeb writes: Researchers at Kaspersky Lab’s Global Research and Analysis Team spotted a new, 64-bit version of the Zeus trojan that behaves much like its 32-bit contemporaries: it too uses Web injects to steal banking credentials to drain online accounts, steal digital certificates and even log keystrokes. Unlike its contemporaries, this new variety of Zeus is — of course — 64-bit compatible, but also communicates with its command and control server over the Tor anonymity network.

Submission + - Ruby on Rails CookieStore Bug Plagues Prominent Sites (threatpost.com)

Gunkerty Jeb writes: A lingering security issue in Ruby on Rails that stems from a setting in the framework’s cookie-based storage mechanism is still present in almost 2,000 websites.

Sites using an old version of Ruby on Rails that relies on CookieStore, the framework’s default cookie storage mechanism, are at risk. CookieStore saves each user’s session hash in the cookie on the client side, something that keeps each cookie valid for life. This makes it possible for an attacker to glean a user’s log-in information – either via cross-site scripting or session sidejacking – and log in as them at a later date.

Submission + - Senate Debates Surveillance Transparency Act, NSA Spying (threatpost.com)

Gunkerty Jeb writes: In a Senate hearing debating the NSA's contentious surveillance programs and a proposed bill that would impose more transparency onto those practices, Sen. Patrick Leahy (D-Vt.) asked Google's director for law enforcement and information security matters, Richard Salgado, if government-imposed gag orders on requests for user data were making the country safer. Salgado answered that he did not believe that his inability to answer questions about data requests had any impact on national security.

In addition, the general counsel for the Director of National Intelligence claimed enumerating the exact number of U.S. citizens monitored under NSA surveillance programs would be too difficult and resource-intensive.

The general consensus of those not advocating for the NSA was that the bill introduced by Sen. Al Franken (D-Mich.) would be a great step forward, but that transparency alone would not undo the damages done to U.S. companies and its government by PRISM and other similar surveillance programs. Nor, they seemed to agree, would the addition of transparency make the NSA’s programs lawful or constitutional.

Submission + - Microsoft to Broaden its Base of Bug Bounty Submitters (threatpost.com)

Gunkerty Jeb writes: Having found some initial success with its first foray into the bug bounty world, Microsoft is expanding the program to open up payments of up to $100,000 to incident response teams and forensics experts who come across active attacks in the wild that include new techniques that bypass exploit mitigations in place on the newest version of Windows.

Submission + - Lavabit Temporarily Re-Opening

Trailrunner7 writes: Lavabit, the now-shuttered secure email provider that has become something of a rallying point for privacy advocates and security experts in the ongoing NSA surveillance saga, is giving its former users until Thursday night to change their passwords on the service. They will then have a short window to download their email archives and get to their account data.

Ladar Levison, the founder of Lavabit, in August decided to make the dramatic move of shutting down the service rather than giving the government broad access to his users’ data. The FBI, in the wake of the Edward Snowden leaks of NSA surveillance methods, went to Levison with a court order demanding the SSL keys for the company’s service. Rather than comply, which Levison said would have spelled death for the Lavabit service anyway, he decided to shut down the secure email system. The Department of Justice was not pleased, to say the least, but Levison has held out and recently filed an appeal of the court order.

Submission + - Google Malaysia Site Hijacked (threatpost.com)

Gunkerty Jeb writes: The Google domain for Malaysia was hijacked on Thursday night, redirecting visitors to a page that said a group called Madleets from Pakistan had performed the attack. The domain has been restored now, but the name servers for the domain had been changed to a pair controlled by the attackers.

Submission + - Bitcoins Make Following Money Near Impossible (threatpost.com)

Gunkerty Jeb writes: The good news is that cooperation between the various law enforcement agencies in different countries all over the world is at an all-time high; the bad news is that cybercriminals have embraced a potent combination of the anonymous online currency Bitcoin and equally anonymous, Web-based currency exchanges located outside U.S. jurisdiction that allow them to turn those Bitcoins into real money, making it more difficult than ever to track the bad actors down.

Such are the realities of the world we live in. The once-tried-and-true law enforcement method of following the money in order to get to the bottom of organized criminal operations is made more difficult by the emergence of digital currency, international wire transfers, and Web-based currency exchange services, shielded from U.S. law by their locations and hidden from sight with layers upon layers of obfuscation, Kaspersky Lab principal security researcher Kurt Baumgartner explained in an interview with Threatpost Wednesday.

Submission + - Behind the South Korean Government DDoS Attacks (threatpost.com)

Gunkerty Jeb writes: In the last few years, there have been a series of DDoS attacks and intrusions on government networks in South Korea that have resulted in the loss of untold amounts of data. The four attacks haven’t been linked together or attributed to the same attackers, but there are some similarities in the methods and results. In a presentation at Virus Bulletin in Berlin yesterday, Fortinet's Christy Chung explained that attack similarities included the use of malware overwriting the master boot record and massive DDoS attacks targeting DNS providers and individual sites.

Submission + - Given Recent Crypto Revelations, 'Everything is Suspect' (threatpost.com)

Gunkerty Jeb writes: So now that RSA Security has urged developers to back away from the table and stop using the maligned Dual Elliptic Curve Deterministic Random Bit Generation (Dual EC DRBG) algorithm, the question begging to be asked is why did RSA use it in the first place?

Going back to 2007 and a seminal presentation at the CRYPTO conference by Dan Shumow and Niels Ferguson, there have been suspicions about Dual EC DRBG primarily because it was backed by the National Security Agency, which initially proposed the algorithm as a standard. Cryptographer Bruce Schneier wrote in a 2007 essay that the algorithm contains a weakness that “can only be described as a backdoor.”

“I wrote about it in 2007 and said it was suspect. I didn’t like it back then because it was from the government,” Schneier told Threatpost today. “It was designed so that it could contain a backdoor. Back then I was suspicious, now I’m terrified.”

Submission + - $14k and Counting for iPhone 5S Touch ID Hack (threatpost.com)

Gunkerty Jeb writes: A group of researchers, hackers, and other security enthusiasts are pooling their money and offering it as a bounty to the first person that can successfully crack the Touch ID fingerprint authentication mechanism on Apple’s recently released iPhone 5S.

Submission + - No Telecom Ever Challenged Metadata Collection Orders (threatpost.com)

Gunkerty Jeb writes: A newly declassified opinion from the Foreign Intelligence Surveillance Court from this summer shows the court’s interpretation of the controversial Section 215 of the USA PATRIOT Act that’s used to justify the National Security Agency’s bulk telephone metadata collections, and reveals that none of the companies that have been served with such orders has ever challenged one.

Submission + - IETF: Protecting Internet From Pervasive Surveillance (threatpost.com)

Gunkerty Jeb writes: The IETF is considering a range of options to help reengineer some of the fundamental protocols that underpin the Internet in response to revelations that the NSA and other intelligence agencies are conducting widespread, dragnet-style surveillance online.

The group, which is responsible for developing the standards that govern much of the technical workings of the Internet, has been looking at all of the information revealed by the documents leaked by former NSA contractor Edward Snowden with dismay and officials said that they’re already at work on some changes that could help make the Internet more resistant to pervasive surveillance. The IETF is not putting out a huge amount of detail on the changes, but said that regardless of the modifications, they won’t matter if the devices people use or the people they communicate with aren’t trustworthy.

Submission + - Kelihos Relying on CBL Blacklists to Evaluate New Bots (threatpost.com)

Gunkerty Jeb writes: Kelihos, the peer-to-peer botnet with nine lives, keeps popping up with new capabilities that enable it to sustain itself and make money for its keepers by pushing spam, harvesting credentials and even stealing Bitcoins.

According to a number of sources, Kelihos is now leveraging legitimate and freely available security services that manage composite blocking lists (CBLs) to determine if a potential victim’s IP address has previously been flagged as a spam source or as a proxy. A CBL is a blacklist of IP addresses known to be participating in spreading spam or malware.
