64519685
submission
msm1267 writes:
The SANS Internet Storm Center is seeing SNMP scans spoofed from Google’s public recursive DNS server seeking to overwhelm vulnerable routers and other devices that support the protocol with DDoS traffic.
“The traffic is spoofed, and claims to come from Google’s DNS server. The attack is however not an attack against Google. It is likely an attack against misconfigured gateways,” said Johannes Ullrich, dean of research of the SANS Technology Institute and head of the Internet Storm Center.
Ullrich said the ISC is still investigating the scale of the possible attacks, but said the few packets that have been submitted target default passwords used by SNMP. In an update posted last night, Ullrich said the scans are sequential, indicating someone is conducting an Internet-wide scan looking for vulnerable routers and devices that accept certain SNMP commands.
64352023
submission
msm1267 writes:
The University of Texas information security office yesterday disclosed the details on a critical vulnerability in Webmin that was patched in May, days after it was reported.
The bug in the UNIX remote management tool provided remote root access to a host server. Authenticated users would then be able to delete files stored on the server. Researcher John Gordon published a report yesterday on the UT ISO website explaining that the problem was discovered in the cron module’s new environment variable. Gordon wrote that an attacker would have been able to use directory traversal and null byte injection techniques to force Webmin to delete any file stored on the system.
The vulnerability, Gordon said, likely cannot be flipped into an attack granting someone remote shell access or code execution on a standard Linux server, for example.
64319493
submission
msm1267 writes:
In the days and weeks following the public disclosure of the OpenSSL Heartbleed vulnerability in April, security researchers and others wondered aloud whether there were some organizations–perhaps the NSA–that had known about the bug for some time and had been using it for targeted attacks. A definitive answer to that question may never come, but traffic data collected by researchers on several large networks shows no exploit attempts in the months leading up to the public disclosure.
Researchers from the University of Michigan, the University of Illinois, the University of California at Berkeley , Purdue University and the International Computer Science Institute took a comprehensive look at the way that the Heartbleed vulnerability affected the Internet as a whole in the months since it was disclosed in April, focusing mainly on the response by organizations to patch vulnerable servers and revoke certificates. As the scope and effect of the Heartbleed vulnerability set in, security teams scrambled to determine which of their servers were vulnerable to the issue and whether they needed to begin revoking a bunch of SSL certificates, as well. Many of the top sites on the Internet were patched almost immediately after the disclosure, but that didn’t extend to the rest of the vulnerable server population.
64180759
submission
msm1267 writes:
Mozilla has deprecated 1024-bit RSA certificate authority certificates in Firefox 32 and Thunderbird. While there are pluses to the move such as a requirement for longer, stronger keys, at least 107,000 websites will no longer be trusted by Mozilla.
Data from HD Moore's Project Sonar, which indexes more than 20 million websites, found 107,535 sites using a cert signed by what will soon be an untrusted CA certificate. Grouping those 107,000-plus sites by certificate expiration date, the results show that 76,185 certificates had expired as of Aug. 25; of the 65 million certificates in the total scan, 845,599 had expired but were still in use as of Aug. 25, Moore said.
64147581
submission
msm1267 writes:
A growing compilation of close to 350 Android applications that fail to perform SSL certificate validation over HTTPS has been put together by the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University.
Researcher Will Dormann created a large spreadsheet hosted on the CERT/CC site listing Android applications found on both the Google play and Amazon stores that fail to validate digital certificates, leaving them exposed to man-in-the-middle attacks.
Dormann said the spreadsheet is a living document and more applications are currently being tested and will be added to the list. Most of the apps on the list are currently available in the respective app stores. The apps ran the gamut from games, to music, productivity and everything in between. If available, a CVE number is provided for each app, as well as a notation of whether credentials are weak or are otherwise at risk.
63995391
submission
Trailrunner7 writes:
Mozilla is planning to add support for public-key pinning in its Firefox browser in an upcoming version. In version 32, which would be the next stable version of the browser, Firefox will have key pins for a long list of sites, including many of Mozilla’s own sites, all of the sites pinned in Google Chrome and several Twitter sites.
Public-key pinning has emerged as an important defense against a variety of attacks, especially man-in-the-middle attacks and the issuance of fraudulent certificates. In the last few years Google, Mozilla and other organizations have discovered several cases of attackers using fraudulent certificates for high-value sites, including Gmail. The function essentially ties a public key, or set of keys, issued by known-good certificate authorities to a given domain. So if a user’s browser encounters a site that’s presenting a certificate that isn’t included in the set of pinned public keys for that domain, it will then reject the connection. The idea is to prevent attackers from using fake certificates in order to intercept secure traffic between a user and the target site.
The first pinset will include all of the sites in the Chromium pinset used by Chrome, along with Mozilla sites and high-value sites such as Facebook. Later versions will add pins for Twitter, a long list of Google domains, Tor, Dropbox and other major sites.
63995025
submission
The Bad Astronomer writes:
Astronomers have found a 5.4 Earth-mass planet orbiting the star Gliese 15A, a red dwarf in a binary system just 11.7 light years away. Other exoplanets candidates have been found that are closer, but they are as yet unconfirmed. This is more evidence that alien planets are common in the galaxy.
63989861
submission
msm1267 writes:
The IEEE's Center for Secure Design debuted its first report this week, a guidance for software architects called "Avoiding the Top 10 Software Security Design Flaws." Developing guidance for architects rather than developers was a conscious effort the group made in order to steer the conversation around software security away from exclusively talking about finding bugs toward design-level failures that lead to exploitable security vulnerabilities.
The document spells out the 10 common design flaws in a straightforward manner, each with a lengthy explainer of inherent weaknesses in each area and how software designers and architects should take these potential pitfalls into consideration.
63752229
submission
msm1267 writes:
The keepers of Tor commissioned a study testing the defenses and viability of their Firefox-based browser as a privacy tool. The results were a bit eye-opening since the report’s recommendations don’t favor Firefox as a baseline for Tor, rather Google Chrome. But Tor’s handlers concede that budget constraints and Chrome’s limitations on proxy support make a switch or a fork impossible.
63704171
submission
msm1267 writes:
Researchers from Ruhr University in Bochum, Germany, have developed a proof-of-concept attack in which they are able to inject malicious code into a download that runs in parallel to the original application, without modifying the code.
The attack targets free and open source software, in particular those where code signing verification and other integrity checks are lacking in the download process.
Rather than spike the original application with malware, the researchers use a binder that links the binder application, malware and original download.
63550405
submission
msm1267 writes:
Secure mobile phone Blackphone makers SGP Technologies and researcher Justin Case clear the air on how Blackphone was rooted, what circumstances have to be in place to successfully exploit the trio of vulnerabilities in the chain, and what this means for Blackphone going forward.
63413563
submission
msm1267 writes:
The Turla APT campaign has baffled researchers for months as to how its victims are compromised. Peaking during the first two months of the year, Turla has targeted municipal governments, embassies, militaries and other high-value targets worldwide, with particular concentrations in the Middle East and Europe.
Researchers at Kaspersky Lab, however, today announced they have discovered a precursor to Turla called Epic that uses a cocktail of zero-days and off-the-shelf exploits against previously unknown and patched vulnerabilities to compromise victims. Epic is the first of a multistage attack that hits victims via spear-phishing campaigns, social engineering scams, or watering hole attacks against websites of interest to the victims.
Epic shares code snippets with Turla and similar encryption used to confound researchers, suggesting a link between the two campaigns; either the attackers are cooperating or are the same group, Kaspersky researchers said.
63396941
submission
msm1267 writes:
Researcher David Litchfield is back at it again, dissecting Oracle software looking for critical bugs. At the Black Hat 2014 conference, Litchfield delivered research on a new data redaction service the company added in Oracle 12c. The service is designed to allow administrators to mask sensitive data, such as credit card numbers or health information, during certain operations. But when Litchfield took a close look he found a slew of trivially exploitable vulnerabilities that bypass the data redaction service and trick the system into returning data that should be masked.
63234913
submission
msm1267 writes:
If multipath TCP is the next big thing to bring resilience and efficiency to networking, then there are some serious security issues to address before it goes mainstream. An expert at next week's Black Hat conference is expected to explain how the TCP extension exposes leaves network security gear blind to traffic moving over multiple network streams. Today's IDS and IPS, for example, cannot correlate and re-assemble traffic as it's split over multiple paths. While such attacks are not entirely practical today, as multipath TCP becomes a fixture on popular networking gear and mobile devices, the risks will escalate.
“[Multipath TCP] solves big problems we have today in an elegant fashion,” said Catherine Pearce, security consultant and one of the presenters, along with Patrick Thomas. “You don’t have to replace hardware or software; it handles all that stuff behind the scenes. But security tools are naïve [to MPTCP], and make assumptions that are no longer valid that were valid in the past.”
63182263
submission
msm1267 writes:
For a little more than six months, attackers were on the Tor network trying to deanonymize users who operate or use Tor hidden services.
Tor issued a security advisory this morning warning users who operated or accessed hidden services between Jan. 30 and July 4 that they were likely affected. Tor officials are also recommending users to upgrade relays to the most recent Tor release, which closes off the vulnerability exploited by the attackers. Hidden service operators are also advised to change the location of their services.
