63995391
submission
Trailrunner7 writes:
Mozilla is planning to add support for public-key pinning in its Firefox browser in an upcoming version. In version 32, which would be the next stable version of the browser, Firefox will have key pins for a long list of sites, including many of Mozilla’s own sites, all of the sites pinned in Google Chrome and several Twitter sites.
Public-key pinning has emerged as an important defense against a variety of attacks, especially man-in-the-middle attacks and the issuance of fraudulent certificates. In the last few years Google, Mozilla and other organizations have discovered several cases of attackers using fraudulent certificates for high-value sites, including Gmail. The function essentially ties a public key, or set of keys, issued by known-good certificate authorities to a given domain. So if a user’s browser encounters a site that’s presenting a certificate that isn’t included in the set of pinned public keys for that domain, it will then reject the connection. The idea is to prevent attackers from using fake certificates in order to intercept secure traffic between a user and the target site.
The first pinset will include all of the sites in the Chromium pinset used by Chrome, along with Mozilla sites and high-value sites such as Facebook. Later versions will add pins for Twitter, a long list of Google domains, Tor, Dropbox and other major sites.
63995025
submission
The Bad Astronomer writes:
Astronomers have found a 5.4 Earth-mass planet orbiting the star Gliese 15A, a red dwarf in a binary system just 11.7 light years away. Other exoplanets candidates have been found that are closer, but they are as yet unconfirmed. This is more evidence that alien planets are common in the galaxy.
63989861
submission
msm1267 writes:
The IEEE's Center for Secure Design debuted its first report this week, a guidance for software architects called "Avoiding the Top 10 Software Security Design Flaws." Developing guidance for architects rather than developers was a conscious effort the group made in order to steer the conversation around software security away from exclusively talking about finding bugs toward design-level failures that lead to exploitable security vulnerabilities.
The document spells out the 10 common design flaws in a straightforward manner, each with a lengthy explainer of inherent weaknesses in each area and how software designers and architects should take these potential pitfalls into consideration.
63752229
submission
msm1267 writes:
The keepers of Tor commissioned a study testing the defenses and viability of their Firefox-based browser as a privacy tool. The results were a bit eye-opening since the report’s recommendations don’t favor Firefox as a baseline for Tor, rather Google Chrome. But Tor’s handlers concede that budget constraints and Chrome’s limitations on proxy support make a switch or a fork impossible.
63704171
submission
msm1267 writes:
Researchers from Ruhr University in Bochum, Germany, have developed a proof-of-concept attack in which they are able to inject malicious code into a download that runs in parallel to the original application, without modifying the code.
The attack targets free and open source software, in particular those where code signing verification and other integrity checks are lacking in the download process.
Rather than spike the original application with malware, the researchers use a binder that links the binder application, malware and original download.
63550405
submission
msm1267 writes:
Secure mobile phone Blackphone makers SGP Technologies and researcher Justin Case clear the air on how Blackphone was rooted, what circumstances have to be in place to successfully exploit the trio of vulnerabilities in the chain, and what this means for Blackphone going forward.
63413563
submission
msm1267 writes:
The Turla APT campaign has baffled researchers for months as to how its victims are compromised. Peaking during the first two months of the year, Turla has targeted municipal governments, embassies, militaries and other high-value targets worldwide, with particular concentrations in the Middle East and Europe.
Researchers at Kaspersky Lab, however, today announced they have discovered a precursor to Turla called Epic that uses a cocktail of zero-days and off-the-shelf exploits against previously unknown and patched vulnerabilities to compromise victims. Epic is the first of a multistage attack that hits victims via spear-phishing campaigns, social engineering scams, or watering hole attacks against websites of interest to the victims.
Epic shares code snippets with Turla and similar encryption used to confound researchers, suggesting a link between the two campaigns; either the attackers are cooperating or are the same group, Kaspersky researchers said.
63396941
submission
msm1267 writes:
Researcher David Litchfield is back at it again, dissecting Oracle software looking for critical bugs. At the Black Hat 2014 conference, Litchfield delivered research on a new data redaction service the company added in Oracle 12c. The service is designed to allow administrators to mask sensitive data, such as credit card numbers or health information, during certain operations. But when Litchfield took a close look he found a slew of trivially exploitable vulnerabilities that bypass the data redaction service and trick the system into returning data that should be masked.
63234913
submission
msm1267 writes:
If multipath TCP is the next big thing to bring resilience and efficiency to networking, then there are some serious security issues to address before it goes mainstream. An expert at next week's Black Hat conference is expected to explain how the TCP extension exposes leaves network security gear blind to traffic moving over multiple network streams. Today's IDS and IPS, for example, cannot correlate and re-assemble traffic as it's split over multiple paths. While such attacks are not entirely practical today, as multipath TCP becomes a fixture on popular networking gear and mobile devices, the risks will escalate.
“[Multipath TCP] solves big problems we have today in an elegant fashion,” said Catherine Pearce, security consultant and one of the presenters, along with Patrick Thomas. “You don’t have to replace hardware or software; it handles all that stuff behind the scenes. But security tools are naïve [to MPTCP], and make assumptions that are no longer valid that were valid in the past.”
63182263
submission
msm1267 writes:
For a little more than six months, attackers were on the Tor network trying to deanonymize users who operate or use Tor hidden services.
Tor issued a security advisory this morning warning users who operated or accessed hidden services between Jan. 30 and July 4 that they were likely affected. Tor officials are also recommending users to upgrade relays to the most recent Tor release, which closes off the vulnerability exploited by the attackers. Hidden service operators are also advised to change the location of their services.
63118731
submission
Trailrunner7 writes:
There is a critical vulnerability in millions of Android devices that allows a malicious app to impersonate a trusted application in a transparent way, enabling an attacker to take a number of actions, including inserting malicious code into a legitimate app or even take complete control of an affected device.
The vulnerability is a result of the way that Android handles certificate validation and it’s present in all versions of Android from 2.1 to 4.4, known as Kit Kat. Researchers at Bluebox Security, who identified the vulnerability, said that in some cases, attackers can exploit the vulnerability to gain full access to a target device. Specifically, devices that run the 3LM administration extension are at risk for a complete compromise. This includes devices from HTC, Pantech, Sharp, Sony Ericsson, and Motorola.
Android apps are signed using digital certificates that establish the identity of the developer and the vulnerability Bluebox discovered is that the Android app installer doesn’t try to authenticate the certificate chain of a given app. That means an attacker can create an app with a fake identity and impersonate an app with extensive privileges, such as an Adobe plug-in or Google Wallet. In the case of the Adobe impersonation, the malicious app would have the ability to escape the sandbox and run malicious code inside another app, the researchers said.
“You could use any app distribution mechanism, whether it’s a link in SMS or a legitimate app store. Look at other Android malware. You do it whatever it takes for the user to say, Yeah I want that app,” Bluebox CTO Jeff Forristal said. “It’s certainly severe. It’s completely stealth and transparent to the user and it’s absolutely the stuff that malware is made of. It operates extremely consistently, so in that regard it’s going to be extremely attractive to malware.”
62427263
submission
msm1267 writes:
The OpenBSD project late last night rushed out a patch for a vulnerability in the LibreSSL pseudo random number generator (PRNG).
The flaw was disclosed two days ago by the founder of secure backup company Opsmate, Andrew Ayer, who said the vulnerability was a “catastrophic failure of the PRNG.”
OpenBSD founder Theo de Raadt and developer Bob Beck, however, countered saying that the issue is “overblown” because Ayer’s test program is unrealistic. Ayer’s test program, when linked to LibreSSL and made two different calls to the PRNG, returned the exact same data both times.
“It is actually only a problem with the author’s contrived test program,” Beck said. “While it’s a real issue, it’s actually a fairly minor one, because real applications don’t work the way the author describes, both because the PID (process identification number) issue would be very difficult to have become a real issue in real software, and nobody writes real software with OpenSSL the way the author has set this test up in the article.”
62320815
submission
Trailrunner7 writes:
A group of outside experts found that the process that led to the inclusion of the weakened Dual EC_DRBG random number generator in a NIST standard was flawed and there were several failures along the way that led to its approval. The committee also recommended that the National Institute of Standards and Technology increase the number of cryptographers it employs and also that it take steps to clarify and define its relationship with the NSA.
The report from the Visiting Committee on Advanced Technology’s Committee of Visitors, released Monday, found that NIST was overly reliant on the input and expertise of NSA cryptographers and that the organization should have paid more attention to outside criticisms of the algorithm.
“The reconstruction of events showed that the issues with the DRBG had been identified several times – formally and informally – during the standards development process, and that they had been discussed and addressed at the time. NIST now concludes, however, that the steps taken to address the issues were less effective than they should have been, and that the team failed to take actions that, in the light of hindsight, clearly should have been taken. The root causes of the failure were identified as trust in the technical expertise provided by NSA, excessive reliance on an insular community that was somewhat impervious to external feedback, group dynamics within the standards development team, and informal recordkeeping over the course of a multi- year development process,” Ellen Richey, one of the committee members and executive vice president and chief enterprise risk officer at Visa, wrote in her recommendations in the report.
62190337
submission
msm1267 writes:
The source code for Tinba, known as the smallest banker Trojan in circulation, has been posted on an underground forum. Researchers say that the files turned out to be the source code for version one of Tinba, which was identified in 2012, and is the original, privately sold version of the crimeware kit.
Tinba performs many of the same malicious functions as other banker Trojans, injecting itself into running processes on an infected machine, including the browser and explorer.exe. The malware is designed to steal financial information, including banking credentials and credit-card data and also makes each infected computer part of a botnet. Compromised machines communicate with command-and-control servers over encrypted channels. Tinba got its name from an abbreviation of “tiny banker”, and researchers say that it’s only about 20 KB in size.
