Submission: How Malvertising Abuses Real-Time Bidding on Ad Networks (threatpost.com)

msm1267 writes: Dark corners of the Internet harbor trouble. They’re supposed to. But what about when Yahoo, CNN.com, TMZ and other busy destination sites heave disaster upon visitors?

That’s the challenge posed by malvertising, the latest hacker Golden Goose used in cybercrime operations and even in some targeted attacks. Hackers are thriving in this arena because they have found an unwittingly complicit partner in the sundry ad networks to move malicious ads through legitimate processes.

Adding gasoline to the raging fire is the abuse of real-time ad bidding, a revolution in the way online ads are sold. RTB enables better ad targeting for advertisers and less unsold inventory for publishers. Hackers can also hitch a ride with RTB and target malicious ads on any site they wish, much the way a legitimate advertiser would use the same system.

Submission: MIT Debuts Integer Overflow Debugger (threatpost.com)

msm1267 writes: Students from M.I.T. have devised a new and more efficient way to scour raw code for integer overflows, the troublesome programming bugs that serve as a popular exploit vector for attackers and often lead to the crashing of systems.

Researchers from the school’s Computer Science and Artificial Intelligence Laboratory (CSAIL) last week debuted the platform dubbed DIODE, short for Directed Integer Overflow Detection.

As part of an experiment, the researchers tested DIODE on code from five different open source applications. While the system was able to generate inputs that triggered three integer overflows that were previously known, the system also found 11 new errors. Four of the 11 overflows the team found are apparently still lingering in the wild, but the developers of those apps have been informed and CSAIL is awaiting confirmation of fixes.

Submission: BIOS Rootkit Implant To Debut at CanSecWest (threatpost.com)

msm1267 writes: Research on new BIOS vulnerabilities and a working rootkit implant will be presented on Friday at the annual CanSecWest security conference. An attacker with existing remote access on a compromised computer can use the implant to turn down existing protections in place to prevent re-flashing of the firmware, enabling the implant to be inserted and executed.

The devious part of the exploit is that the researchers have found a way to insert their agent into System Management Mode, which is used by firmware and runs separately from the operating system, managing various hardware controls. System Management Mode also has access to memory, which puts supposedly secure and privacy focused operating systems such as Tails in the line of fire of the implant.

Their implant, the researchers said, is able to scrape the secret PGP key Tails uses for encrypted communication, for example. It can also steal passwords and encrypted communication. The implant survives OS re-installation and even Tails’ built-in protections, including its capability of wiping RAM.

Submission: Persistent DLL Hijacking Works Against OS X (threatpost.com)

msm1267 writes: DLL hijacking has plagued Windows machines back as far as 2000 and provides hackers with a quiet way to gain persistence on a vulnerable machine, or remotely exploit a vulnerable application. And now it’s come to Apple’s Mac OS X.

This week at the CanSecWest conference in Vancouver, a researcher will explain different attacks that abuse dylibs in OS X for many of the same outcomes as with Windows: persistence; process injection; security feature bypass (in this case, Apple Gatekeeper); and remote exploitation.

Source code for a scanner that discovers apps that are vulnerable to the attack is also expected to be released. Using the script, the researcher was able to find 144 binaries vulnerable to different flavors of the dylib hijacking attacks, including Apple’s Xcode, iMovie and Quicktime plugins, Microsoft Word, Excel, and PowerPoint, and third-party apps such as Java, Dropbox, GPG Tools and Adobe plugins.

Submission: Incomplete Microsoft Patch Left Machines Exposed to Stuxnet LNK Vulnerability (threatpost.com)

msm1267 writes: A five-year-old Microsoft patch for the .LNK vulnerability exploited by Stuxnet failed to properly protect Windows machines, leaving them exposed to exploits since 2010.

Microsoft today is expected to release a security bulletin, MS15-020, patching the vulnerability (CVE-2015-0096). It is unknown whether there have been public exploits of patched machines. The original LNK patch was released Aug. 2, 2010.

“That patch didn’t completely address the .LNK issue in the Windows shell, and there were weaknesses left behind that have been resolved in this patch,” said Brian Gorenc, manager of vulnerability research with HP's Zero Day Initiative. Gorenc said the vulnerability works on Windows machines going back to Windows XP through Windows 8.1, and the proof of concept exploit developed by Heerklotz and tweaked by ZDI evades the validation checks put in place by the original Microsoft security bulletin, CVE-2010-2568.

The vulnerability was submitted to ZDI by German researcher Michael Heerklotz.

Submission: New Technique Complicates Mutex Malware Analysis (threatpost.com)

msm1267 writes: Malware analysts have had a measure of success using static mutex values as a fingerprint for detecting and blocking malicious code. Malware writers, however, may have caught on to this fingerprinting technique.

A SANS Institute instructor said a malware sample he was examining dynamically generates the name of a mutex object by using the product ID associated with the software, lessening its predictability and complicating detection.

“Given that malware analysts know to look for mutex names for ‘fingerprinting’ malicious software, it’s natural that authors of such programs will start shifting their techniques,” Lenny Zeltser said. “The technique that this malware used to generate the mutex name wasn’t especially elaborate, but it made it harder for the defenders to use this attribute for defending or investigating the system.”

Submission: Firefox 37 to check security certificates via blocklist (thestack.com)

An anonymous reader writes: The next version of Firefox will roll out [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/] a ‘pushed’ blocklist of revoked intermediate security certificates, in an effort to avoid using 'live' Online Certificate Status Protocol (OCSP) checks. The 'OneCRL' feature is similar to Google Chrome's CRLSet [https://dev.chromium.org/Home/chromium-security/crlsets], but like that older offering, is limited to intermediate certificates, due to size restrictions in the browser. OneCRL will permit non-live verification on EV certificates, trading off currency for speed. Chrome pushes its trawled list of CA revocations every few hours, and Firefox seems set to follow that method and frequency. Both Firefox and Chrome developers admit that OCSP stapling would be the better solution, but it is currently only supported in 9% of TLS certificates.
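How a pushed, CRL-shaped blocklist of the OneCRL/CRLSet kind is consulted, and where it falls short. This is an added example, not Mozilla's or Google's code: the certificates, the blocklist entries, the push timestamp and the live-revocation set are all constructed here to illustrate the mechanism described above.

```python
"""OneCRL-style pushed revocation check.

Added example, not Mozilla's or Google's code. A pushed blocklist is keyed the
way a CRL entry is, by issuer name and serial number, and is consulted offline,
so no OCSP round trip happens. Its weakness follows from the size limit the
article mentions: it lists intermediates only, so a revoked leaf is invisible
to it. The certificates and blocklist below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


# Constructed: a root, two intermediates it issued, and two leaves.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", 0x01)
BAD_INT = Cert("CN=Example Issuing CA 1", "CN=Example Root CA", 0x1001)
GOOD_INT = Cert("CN=Example Issuing CA 2", "CN=Example Root CA", 0x1002)
LEAF_A = Cert("CN=www.example.com", "CN=Example Issuing CA 1", 0x5001)
LEAF_B = Cert("CN=shop.example.com", "CN=Example Issuing CA 2", 0x5002)

# Pushed blocklist: (issuer, serial) of revoked intermediates only.
PUSHED_BLOCKLIST = frozenset({(BAD_INT.issuer, BAD_INT.serial)})
PUSHED_AT = 1425340800  # assumed epoch time of the last push

# What Issuing CA 2's own CRL / OCSP responder says (constructed): LEAF_B revoked.
LIVE_REVOCATIONS = frozenset({(LEAF_B.issuer, LEAF_B.serial)})


def entry(cert):
    """CRL-style identity of a certificate: who issued it and under which serial."""
    return (cert.issuer, cert.serial)


def pushed_check(chain, blocklist=PUSHED_BLOCKLIST):
    """Offline check. chain is ordered leaf first; returns the first blocked subject."""
    for cert in chain:
        if entry(cert) in blocklist:
            return ("blocked", cert.subject)
    return ("ok", None)


def live_check(chain, revocations=LIVE_REVOCATIONS):
    """Stand-in for a per-certificate OCSP/CRL lookup that covers leaves too."""
    for cert in chain:
        if entry(cert) in revocations:
            return ("revoked", cert.subject)
    return ("ok", None)


def blocklist_is_stale(now, pushed_at=PUSHED_AT, max_age_seconds=6 * 3600):
    """A pushed list is only as current as its last push; flag one older than
    the expected push cadence (a few hours, per the article)."""
    return now - pushed_at > max_age_seconds


if __name__ == "__main__":
    print(pushed_check([LEAF_A, BAD_INT, ROOT]))   # caught: revoked intermediate
    print(pushed_check([LEAF_B, GOOD_INT, ROOT]))  # missed: revoked leaf not on the list
    print(live_check([LEAF_B, GOOD_INT, ROOT]))    # what OCSP/stapling would have said
```

The second chain is the trade-off in the submission made concrete: the pushed list answers instantly and without a network round trip, but a leaf revoked by its issuing CA passes it, so a stapled OCSP response is still the only thing that covers end-entity certificates.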

Submission: Domain Shadowing Latest Angler Exploit Kit Evasion Technique (threatpost.com)

msm1267 writes: The Angler Exploit Kit continues to evolve at an alarming rate, seamlessly adding not only zero-day exploits as they become available, but also a host of evasion techniques that have elevated it to the ranks of the more formidable hacker toolkits available.

New research has been released on a technique used in a recent Angler campaign in which attackers are using stolen domain registrant credentials to create massive lists of subdomains that are used in rapid-fire fashion to either redirect victims to attack sites, or serve as hosts for malicious payloads.

The technique has been called domain shadowing, and it is considered the next evolution of fast flux; so far it has enabled attackers to have thousands of subdomains at their disposal. In this case, the attackers are taking advantage of the fact that domain owners rarely monitor their domain registration credentials, which are being stolen in phishing attacks. They’re then able to create a seemingly endless supply of subdomains to be used in additional compromises.
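A detection that keys on the pattern described above rather than on domain reputation: a legitimate registrant's domain suddenly sprouting many subdomains that each resolve once or twice and are never seen again. This is an added example, not the published research or the Angler authors' code; the log format, the thresholds and the log lines themselves are constructed assumptions.

```python
"""Domain-shadowing detection over DNS query logs.

Added example, not the published research or the Angler authors' code. The log
format ("<epoch> <client> <qname>", one query per line) and the thresholds are
assumptions, and the log itself is constructed. The signal is structural: a
registrant's domain suddenly carries many never-seen subdomains, each resolved
once or twice and then abandoned, while its real hosts keep recurring.
"""
from collections import Counter, defaultdict

# Constructed query log: example.com and bigcorp.com behave normally,
# victimowner.net shows a burst of single-use, random-looking subdomains.
SAMPLE_LOG = """\
1425000001 10.0.0.5 www.example.com
1425000002 10.0.0.6 mail.example.com
1425000003 10.0.0.5 www.example.com
1425000004 10.0.0.7 vpn.example.com
1425000005 10.0.0.5 cdn.bigcorp.com
1425000006 10.0.0.8 www.example.com
1425000007 10.0.0.9 mail.example.com
1425000008 10.0.0.5 j2k9q.victimowner.net
1425000009 10.0.0.6 x7a1m.victimowner.net
1425000010 10.0.0.7 q0ple.victimowner.net
1425000011 10.0.0.8 b8vn3.victimowner.net
1425000012 10.0.0.9 t4e7w.victimowner.net
1425000013 10.0.0.5 cdn.bigcorp.com
1425000014 10.0.0.10 n5hz2.victimowner.net
1425000015 10.0.0.11 www.victimowner.net
1425000016 10.0.0.5 cdn.bigcorp.com
"""


def registered_domain(qname):
    """Assumed: the registrable domain is the last two labels. Production code
    needs the Public Suffix List so that a.co.uk is not treated as co.uk."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def parse_log(text):
    """Yield (epoch, client, qname) per well-formed line; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        yield int(ts), client, qname.lower().rstrip(".")


def find_shadowed_domains(text, min_subdomains=5, max_hits=2, min_transient_ratio=0.8):
    """Return {registered_domain: sorted transient hostnames} for domains whose
    subdomain population is large and almost entirely short-lived."""
    hits = Counter(qname for _, _, qname in parse_log(text))
    by_base = defaultdict(list)
    for qname, n in hits.items():
        by_base[registered_domain(qname)].append((qname, n))

    flagged = {}
    for base, hosts in by_base.items():
        if len(hosts) < min_subdomains:
            continue  # a handful of hosts is normal for any domain
        transient = sorted(q for q, n in hosts if n <= max_hits)
        if len(transient) / len(hosts) >= min_transient_ratio:
            flagged[base] = transient
    return flagged


if __name__ == "__main__":
    for base, hosts in find_shadowed_domains(SAMPLE_LOG).items():
        print(f"{base}: {len(hosts)} short-lived subdomains, e.g. {hosts[:3]}")
```

On the constructed log only victimowner.net is flagged; example.com has too few hosts and they recur, which is what a real web presence looks like. Because the subdomains are created with the legitimate registrant's own credentials, a hit here is also a prompt to check that registrar account for records the owner never added.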

Submission: Effects of stress on health (twitter.com)

Lesliewrightn writes: Higher levels of stress were reported in the young adult (18-35) group than for the older groups. The three highest sources of stress cited were finances, family pressures, and maintaining a healthy lifestyle. For young adults aged 18-25, listening to music was cited as the most common coping method.

Submission: FREAK Attack Threatens SSL Clients (threatpost.com)

msm1267 writes: For the nth time in the last couple of years, security experts are warning about a new Internet-scale vulnerability, this time in some popular SSL clients. The flaw allows an attacker to force clients to downgrade to weakened ciphers and break their supposedly encrypted communications through a man-in-the-middle attack.

Researchers recently discovered that some SSL clients, including OpenSSL, will accept weak RSA keys–known as export-grade keys–without asking for those keys. Export-grade refers to 512-bit RSA keys, the key strength that was approved by the United States government for export overseas. This was an artifact from decades ago and it was thought that most servers and clients had long ago abandoned such weak ciphers.

The vulnerability affects a variety of clients, most notably Apple’s Safari browser. The bug was discovered by a large group of researchers from Microsoft Research and the French National Institute for Research in Computer Science and Control, and they found that given a server that supports export-grade ciphers and a client that accepts those weak keys, an attacker with a man-in-the-middle position could force a client to downgrade to the weak keys. He could then take the key and factor it, which researchers were able to do in about seven and a half hours, using Amazon EC2. And because it’s resource-intensive to generate RSA keys, servers will generate one and re-use it indefinitely.
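A scaled-down model of the two halves of the attack described above: the client-side check that a vulnerable client skips (accepting an RSA export key it never asked for), and the factoring of a reused export key so that captured premaster secrets can be decrypted. This is an added example, not the researchers' code and not a real TLS stack; the key is a constructed 60-bit modulus so that Pollard's rho finishes instantly, where the real attack factors a 512-bit key on EC2 in hours.

```python
"""Toy FREAK-style RSA_EXPORT key recovery.

Added example, not the researchers' code and not a real TLS stack. The
constructed "export key" is a 60-bit modulus so that Pollard's rho factors it
in well under a second; the real attack factors a 512-bit key on EC2 in hours.
The shape is the same: the server reuses one export key, the client encrypts
the premaster secret to it, and whoever has factored the key decrypts every
session that used it.
"""
import math

# Constructed export-grade key: two ~30-bit primes (a real export key is 512-bit).
P, Q = 1000000007, 998244353
N = P * Q
E = 65537

EXPORT_SUITES = {"TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"}


def client_accepts_server_key_exchange(negotiated_suite, skx_present, fixed):
    """Model of the client-side check.

    With plain RSA key exchange the premaster secret is encrypted to the key in
    the server's certificate, so a ServerKeyExchange carrying a separate RSA key
    is only legitimate for export suites. The vulnerable behaviour (fixed=False)
    consumes it regardless of what was negotiated; the fixed behaviour rejects
    it unless an export suite was actually agreed.
    """
    if not skx_present:
        return True
    if fixed:
        return negotiated_suite in EXPORT_SUITES
    return True


def rsa_encrypt(m, n=N, e=E):
    """Client side: premaster secret encrypted to the (export) public key."""
    return pow(m, e, n)


def pollard_rho(n):
    """Return a nontrivial factor of composite n (Floyd cycle finding)."""
    if n % 2 == 0:
        return 2
    for c in range(1, 100):  # retry with a new polynomial if a cycle yields n
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")


def private_exponent(n, e=E):
    """Attacker side: factor once, derive d. Paid once per reused export key."""
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def mitm_recover_premaster(ciphertext, n=N, e=E):
    """Decrypt a captured ClientKeyExchange with the recovered private key."""
    return pow(ciphertext, private_exponent(n, e), n)


if __name__ == "__main__":
    premaster = 0x0303DEADBEEF  # constructed; a real premaster is 48 random bytes
    captured = rsa_encrypt(premaster)
    print(hex(mitm_recover_premaster(captured)))
```

The last paragraph of the submission is why the factoring step pays off: the server generates the export key once and reuses it, so a single factoring job unlocks every session that used that key, and the man-in-the-middle only has to steer the handshake toward it and record the ClientKeyExchange.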

Submission: Pharming Attack Targets Home Router DNS Settings (threatpost.com)

msm1267 writes: Pharming attacks are generally network-based intrusions where the ultimate goal is to redirect a victim’s web traffic to a hacker-controlled webserver, generally through a malicious modification of DNS settings. Some of these attacks, however, are starting to move to the web and have their beginnings with a spam or phishing email.

Proofpoint yesterday reported on the latest iteration of this attack, also based in Brazil. The campaign was carried out during a five-week period starting in December when Proofpoint spotted phishing messages, fewer than 100, sent to customers of one of the country’s largest telecommunications companies.

Submission: ICS-SCADA Hackers Want Operational Intelligence (threatpost.com)

msm1267 writes: Advanced attackers targeting critical infrastructure aren't seeking intellectual property the way some APT gangs are. Instead, they want operational intelligence, stealing documents and files that give them an understanding of the inner workings of ICS infrastructure. The end game is sabotage, the weaponization of malware and other attacks that will ultimately lead to some kind of disruption of manufacturing, oil production or power distribution.

Submission: Inside the Equation APT Persistence Module (threatpost.com)

msm1267 writes: Module nls_933w.dll is the ultimate cyberweapon, the best indicator of the capabilities of the group behind the Equation cyberespionage platform, according to researchers at Kaspersky Lab. The module is the most advanced persistence module ever uncovered, and it's used rarely and only against very high-value targets.

Submission: Massive, Decades-Long Cyberespionage Framework Exposed

Trailrunner7 writes: Researchers at Kaspersky Lab have uncovered a cyberespionage group that has been operating for at least 15 years and has worked with and supported the attackers behind Stuxnet, Flame and other highly sophisticated operations. The attackers, known as the Equation Group, used two of the zero days contained in Stuxnet before that worm employed them and have used a number of other infection methods, including interdicting physical media such as CDs and inserting their custom malware implants onto the discs.

Some of the techniques the group has used are closely associated with tactics employed by the NSA, specifically the interdiction operations and the use of the LNK vulnerability exploit by Stuxnet.

The Equation Group has a massive, flexible and intimidating arsenal at its disposal. Along with using several zero days in its operations, the attack crew also employs two discrete modules that enable them to reprogram the hard drive firmware on infected machines. This gives the attackers the ability to stay persistent on compromised computers indefinitely and create a hidden storage partition on the hard drive that is used to store stolen data. At the Security Analyst Summit here Monday, researchers at Kaspersky presented on the Equation Group’s operations while publishing a new report that lays out the inner workings of the crew’s tools, tactics and target list. The victims include government agencies, energy companies, research institutions, embassies, telecoms, universities, media organizations and others. Countries targeted by this group include Russia, Syria, Iran, Pakistan, China, Yemen, Afghanistan and India, but also the US and UK, among several others.

Submission: Female Skype Avatar Sinks Syria Opposition Fighters (threatpost.com)

msm1267 writes: It’s a tried-and-true plotline for many a corny movie: the lonely soldier on the front lines falling for a girl who turns out to be the enemy. If you apply a 2015 reality to that scenario, you have the lonely soldier Skyping with an alluring woman who turns out to be an enemy hacker dropping custom malware on your Android device or PC.

In the latter case, this is an all-too-real script for opposition fighters taking on the forces of Syrian leader Bashar al-Assad.

Researchers found a cache of stolen strategic and tactical documents, plans, maps and personal information belonging to opposition fighters stolen by an unknown group using social engineering and a custom version of the DarkComet remote access Trojan to learn the secrets of opposition forces.

Victims in Syria, Turkey, Lebanon, Jordan, Egypt and elsewhere in the Middle East, and even Europe, fell for the same scam. In most cases, contact information from stolen Skype account databases was used to reach out to other opposition fighters over Skype. The hackers, using a female avatar who went by the name of Iman, would engage with the fighters over time, building a rapport, before enticing them with a malware-laden photograph of the supposed female. There were also corresponding Facebook and other social media accounts belonging to the same female avatar with links to malware-laden websites.
