Submission + - Regin Attack Platform Targets GSM Networks Too (threatpost.com)

msm1267 writes: Researchers have uncovered a complex espionage platform reminiscent of Duqu that has been used since at least 2008 not only to spy on and extract email and documents from government agencies, research institutions and banks, but also to target GSM network operators in order to launch additional attacks.

Kaspersky Lab published a report this morning that explains this aspect of the Regin attack platform, which has been detected on the Windows computers of 27 victimized organizations in 14 countries, most of those in Asia and the Middle East. In addition to political targets, Kaspersky Lab researchers identified Belgian cryptographer Jean Jacques Quisquater as one of its specific victims, along with an unnamed research institution that was also infected with other dangerous espionage malware including Mask/Careto, Turla, Itaduke and Animal Farm.

Submission + - Open Source Detekt Antispyware Tool Exposes Surveillance (threatpost.com)

msm1267 writes: Human rights workers, political activists and journalists working in oppressed parts of the world now have an open source detection tool that helps them triage their computers and scan for the worst of the worst state-sponsored spyware.

Detekt, built by independent white hat Claudio Rainieri in partnership with the EFF, Amnesty International and others, scans for FinFisher and HackingTeam spyware, as well as the most prevalent remote access Trojans, such as BlackComet and Extreme.

It's not meant as a substitute for antivirus, but more about giving someone under state surveillance--a desperate, emergency situation--a free utility to figure out what's happening on their machine and how to proceed next.

Submission + - Nasty Code Execution Bug Found in Android

Trailrunner7 writes: There is a vulnerability in Android versions below 5.0 that could allow an attacker to bypass ASLR and run arbitrary code on a target device under certain circumstances. The bug was fixed in Lollipop, the newest version of the mobile OS, released earlier this week.

The vulnerability lies in java.io.ObjectInputStream, which fails to check whether an object that is being deserialized is actually a serialized object. Security researcher Jann Horn discovered the vulnerability and reported it to Google earlier this year.

Horn said via email that the exploitability of the vulnerability is difficult to judge.

“An attacker would need to get a malicious app onto the device in order for this to work. The app would need no permissions,” he said. “However, I don’t have a full exploit for this issue, just the crash PoC, and I’m not entirely sure about how predictable the address layout of the system_server really is or how easy it is to write a large amount of data into system_server’s heap (in order to make less accurate guesses for the memory position work). It might be necessary to crash system_server once in order to make its memory layout more predictable for a short amount of time, in which case the user would be able to notice the attack, but I don’t think that’s likely.”

Submission + - If You Want Better Cybersecurity, Break Up The NSA (readwrite.com)

electronic convict writes: People often forget that the NSA has a second mission beyond surveillance (or surveillance-plus): It's also supposed to take the lead in protecting federal information systems and critical national infrastructure from criminals and foreign attackers.

If the recent spate of cyberattacks is any indication, though, the NSA has bungled that job pretty badly. And small wonder: As we've known for a year, the agency actively works to introduce vulnerabilities into encryption systems, to discourage the use of strong security and to use its industry-outreach program to further both aims. So why should anyone trust it to help actually guard against hackers?

There's a simple, if currently impractical solution: Break up the NSA.

This isn't an entirely new idea; Bruce Schneier, for instance, has been pushing for an NSA breakup since February, primarily on the grounds that the agency is simply too large and out of control. His proposed division, however, would still task the NSA with both security and surveillance, keeping its inherent conflict of interest intact. A better solution would be to move the security function out of the NSA entirely, allowing its staff to plug holes as fast as their offense-minded NSA peers can create them.

Yes, the USA Freedom Act just went down in flames, and the odds of serious NSA reform look about as dim as ever. But wouldn't everyone be better off if some of the best cryptographers and security experts in the U.S. weren't working side-by-side with the spies bent on undermining their work?

Submission + - Viruses help keep the gut healthy (sciencemag.org)

sciencehabit writes: Ebola, flu, and colds have given viruses a bad rap. But there may be a good side to these tiny packages of genetic material. Researchers studying mice have shown that a virus can help maintain and restore a healthy gut in much the same way that friendly bacteria do. The work "shows for the first time that a virus can functionally substitute for a bacterium and provide beneficial effects," says Julie Pfeiffer, a virologist at the University of Texas Southwestern Medical Center in Dallas who was not involved with the study. "It's shocking."

Submission + - Microsoft Releases Emergency Patch for Kerberos Bug Under Attack (threatpost.com)

msm1267 writes: Microsoft today released an out-of-band security bulletin patching a critical vulnerability in Kerberos implementations that is being exploited in targeted attacks. The vulnerability enables a hacker to escalate privileges on a compromised computer to domain administrator.

Originally, Microsoft planned to release the patch for this vulnerability, MS14-068, on Nov. 11, with the rest of the month’s Patch Tuesday fixes. However, the patch was not included in that release. No reason was given for the omission, but in the past Microsoft has delayed patches that weren’t ready yet or caused problems in testing. The MS14-068 vulnerability is rated critical and the company is urging users to install the patch right away.

Submission + - Internet Voting Hack Alters PDF Ballots in Transmission (threatpost.com)

msm1267 writes: Threats to the integrity of Internet voting have been a major factor in keeping the practice to a bare minimum in the United States. On the heels of the recent midterm elections, researchers at Galois, a computer science research and development firm in Portland, Ore., sent another reminder to decision makers and voters that things still aren’t where they should be.

Researchers Daniel M. Zimmerman and Joseph R. Kiniry published a paper called “Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering” that explains an attack against common home routers that would allow a hacker to intercept a PDF ballot and use another technique to modify a ballot before sending it along to an election authority.

The attack relies on a hacker first replacing the embedded Linux firmware running on a home router. Once a hacker is able to sit in the traffic stream, they will be able to intercept a ballot in traffic and modify code strings representing votes and candidates within the PDF to change the submitted votes.

Submission + - Microsoft Patches OLE Zero-Day Vulnerability (threatpost.com)

msm1267 writes: Microsoft today released a patch for a zero-day vulnerability under active exploit in the wild. The vulnerability in OLE, or Microsoft Windows Object Linking and Embedding, enables a hacker to remotely execute code on an infected machine, and has been linked to attacks by the Sandworm APT group against government agencies and energy utilities.

Microsoft also issued a massive Internet Explorer patch, but warned organizations that have deployed version 5.0 of its Enhanced Mitigation Experience Toolkit (EMET) to upgrade to version 5.1 before applying the IE patches. Version 5.1 resolves some compatibility issues, in addition to several mitigation enhancements.

Submission + - WireLurker Mac OS X Malware Shut Down (threatpost.com)

msm1267 writes: WireLurker is no more. After causing an overnight sensation, the newly disclosed family of Apple Mac OS X malware capable of also infecting iOS devices has been put to rest. Researchers at Palo Alto Networks confirmed this morning that the command and control infrastructure supporting WireLurker has been shut down and Apple has revoked a legitimate digital certificate used to sign WireLurker code and allow it to infect non-jailbroken iOS devices.

Researchers at Palo Alto Networks discovered and dubbed the threat WireLurker because it spreads from infected OS X computers to iOS once the mobile device is connected to a Mac via USB. The malware analyzes the connected iOS device looking for a number of popular applications in China, namely the Meitu photo app, the Taobao online auction app, or the AliPay payment application. If any of those are found on the iOS device, WireLurker extracts it and replaces it with a Trojanized version of the same app repackaged with malware.

Patient zero is a Chinese third-party app store called Maiyadi known for hosting pirated apps for both platforms. To date, Palo Alto researchers said, 467 infected OS X apps have been found on Maiyadi and those apps have been downloaded more than 350,000 times as of Oct. 16 by more than 100,000 users.

Submission + - Researcher Takes Wraps Off Undisclosed Bash Vulnerabilities (threatpost.com)

msm1267 writes: The Bash bug has kept Linux and UNIX administrators busy deploying a half-dozen patches, worrying about numerous Shellshock exploits in the wild, and laboring over a general uncertainty that the next supposed fix will break even more stuff.

Researcher Michal Zalewski, a longtime bug-hunter, has been front and center on some of the Bash research and last week said he had found two additional bugs in the Bourne Again Shell, details of which he’d kept to himself until yesterday.

Zalewski took the wraps off the vulnerabilities, one of which, CVE-2014-6278, mimics the original vulnerability reported Sept. 24 but affects only systems patched against the original Bash vulnerability, CVE-2014-6271.

Like the original vulnerability, CVE-2014-6278 allows an attacker to remotely drop executable code by exploiting a weakness in environment variables in Bash, which is the most common command line shell used by Linux, UNIX and Mac OS X servers.

Submission + - SNMP DDoS Scans Spoof Google DNS Server (threatpost.com)

msm1267 writes: The SANS Internet Storm Center is seeing SNMP scans spoofed from Google’s public recursive DNS server seeking to overwhelm vulnerable routers and other devices that support the protocol with DDoS traffic.

“The traffic is spoofed, and claims to come from Google’s DNS server. The attack is however not an attack against Google. It is likely an attack against misconfigured gateways,” said Johannes Ullrich, dean of research of the SANS Technology Institute and head of the Internet Storm Center.

Ullrich said the ISC is still investigating the scale of the possible attacks, but said the few packets that have been submitted target default passwords used by SNMP. In an update posted last night, Ullrich said the scans are sequential, indicating someone is conducting an Internet-wide scan looking for vulnerable routers and devices that accept certain SNMP commands.

Submission + - Inside a Critical Webmin Vulnerability (threatpost.com)

msm1267 writes: The University of Texas information security office yesterday disclosed the details on a critical vulnerability in Webmin that was patched in May, days after it was reported.

The bug in the UNIX remote management tool provided remote root access to a host server. Authenticated users would then be able to delete files stored on the server. Researcher John Gordon published a report yesterday on the UT ISO website explaining that the problem was discovered in the cron module’s new environment variable. Gordon wrote that an attacker would have been able to use directory traversal and null byte injection techniques to force Webmin to delete any file stored on the system.

The vulnerability, Gordon said, likely cannot be flipped into an attack granting someone remote shell access or code execution on a standard Linux server, for example.

Submission + - Research Finds No Large Scale Heartbleed Exploit Attempts Before Disclosure (threatpost.com)

msm1267 writes: In the days and weeks following the public disclosure of the OpenSSL Heartbleed vulnerability in April, security researchers and others wondered aloud whether there were some organizations–perhaps the NSA–that had known about the bug for some time and had been using it for targeted attacks. A definitive answer to that question may never come, but traffic data collected by researchers on several large networks shows no exploit attempts in the months leading up to the public disclosure.

Researchers from the University of Michigan, the University of Illinois, the University of California at Berkeley, Purdue University and the International Computer Science Institute took a comprehensive look at the way that the Heartbleed vulnerability affected the Internet as a whole in the months since it was disclosed in April, focusing mainly on the response by organizations to patch vulnerable servers and revoke certificates. As the scope and effect of the Heartbleed vulnerability set in, security teams scrambled to determine which of their servers were vulnerable to the issue and whether they needed to begin revoking a bunch of SSL certificates, as well. Many of the top sites on the Internet were patched almost immediately after the disclosure, but that didn't extend to the rest of the vulnerable server population.

Submission + - Mozilla 1024-Bit Cert Deprecation Leaves 107,000 Sites Untrusted (threatpost.com)

msm1267 writes: Mozilla has deprecated 1024-bit RSA certificate authority certificates in Firefox 32 and Thunderbird. While there are pluses to the move such as a requirement for longer, stronger keys, at least 107,000 websites will no longer be trusted by Mozilla.

Data from HD Moore's Project Sonar, which indexes more than 20 million websites, found 107,535 sites using a cert signed by what will soon be an untrusted CA certificate. Grouping those 107,000-plus sites by certificate expiration date, the results show that 76,185 certificates had expired as of Aug. 25; of the 65 million certificates in the total scan, 845,599 had expired but were still in use as of Aug. 25, Moore said.
