73908961
submission
msm1267 writes:
Adobe released an emergency patch for a Flash zero day used in targeted attacks by APT3, the same group behind 2014’s Clandestine Fox attacks.
Adobe said Flash Player 18.0.0.161 and earlier for Windows and Macintosh systems are affected, as is 11.2.202.466 for Linux 11.x versions.
The current iteration of Clandestine Fox attacks shares many traits with last year’s attacks, including generic, almost spam-like phishing emails intent on snaring as many victims as possible that can be analyzed for their value before additional attacks are carried out. The two campaigns also share the same custom backdoor called SHOTPUT, as well as an insistence on using a throwaway command and control infrastructure.
73673961
submission
msm1267 writes:
The US Navy posted a RFP, which has since removed from FedBizOpps.gov, soliciting contractors to share vulnerability intelligence and develop zero day exploits for most of the leading commercial IT software vendors.
The Navy said it was looking for vulnerabilities, exploit reports and operational exploit binaries for commercial software, including but not limited to Microsoft, Adobe, [Oracle] Java, EMC, Novell, IBM, Android, Apple, Cisco IOS, Linksys WRT and Linux, among others.
The RFP seemed to indicate that the Navy was not only looking for offensive capabilities, but also wanted use the exploits to test internal defenses.The request, however, does require the contractor to develop exploits for future released CVEs. “Binaries must support configurable, custom, and/or government owned/provided payloads and suppress known network signatures from proof of concept code that may be found in the wild,” the RFP said.
73545141
submission
Trailrunner7 writes:
The Duqu attackers, who are considered by researchers to be at the top of the food chain of APT groups and are responsible for attacking certificate authorities and perhaps spying on Iran’s nuclear program, have resurfaced with a new platform that was used to compromise high-profile victims, including some related to the Iran nuclear talks last fall.
The new spate of attacks was discovered by researchers at Kaspersky Lab after they uncovered evidence that some of the company’s own systems had been compromised by the platform, which is being called Duqu 2.0. Kaspersky’s investigation into the incident showed that the Duqu attackers had access to a small number of systems and were especially interested in the company’s research into APT groups, its anti-APT technology, and some Kaspersky products, including the Secure Operating System and Kaspersky Security Network. Kaspersky officials said that although the initial infection vector isn’t known, the attackers used as many as three Windows zero-day in the course of the operation.
The company said that is confident that its technologies and products have not been affected by the incident.
The key difference with the Duqu 2.0 attacks is that the malware platform that team uses has modules that reside almost entirely in memory.
“The Equation Group always used some form of ‘persistence, accepting a bigger risk of being discovered. The Duqu 2.0 malware platform was designed in a way that survives almost exclusively in the memory of infected systems, without need for persistence – it means the attackers are sure there is always a way for them to maintain an infection – even if the victim’s machine is rebooted and the malware disappears from the memory,” Kaspersky’s researchers said.
73517439
submission
msm1267 writes:
If the proposed US Wassenaar rules are enacted, researchers who make a living contributing to and participating in the numerous industry bug bounties may feel the pinch in their wallets. Worse may be the impact on the security of software worldwide since many independent researchers find a good number of the bugs that get patched.
Researchers are starting to speak out, not only about the rules' broad definition of intrusion software, but also about the potential need to share vulnerability details with a government if forced to apply for the required export license. Many may soon question whether it's worth the time and effort to go through the export process if governments are acting as a clearinghouse.
73498603
submission
Trailrunner7 writes:
Bug bounties have gone from novelty to necessity, not only for enterprises looking to take advantage of the skills of an organized pool of vulnerability hunters, but also for a slew of independent researchers who make a living contributing to various vendor and independent bounty and reward programs.
The proposed U.S. rules for the Wassenaar Arrangement pose a real challenge for all sides of that equation.
Under the rules, researchers who find a zero-day vulnerability and develop a PoC exploit triggering the issue, would have to apply for an export license in order to privately disclose their findings with the vendor in question. As a result, there will be occasions when a foreign researcher, for example, would have to share details on a zero-day with their government before the vendor in question.
“There are lots of concerns from researchers if this gets implemented,” said Kymberlee Price, senior director of operations at Bugcrowd, a private company that provides a platform for organizations wishing to start bug bounty programs. “Is it worth the effort to continue to report vulnerabilities if you have to go through a government and are likely to have to disclose details on that vulnerability? Do we want foreign governments knowing about it before it’s reported directly to the vendor so it can be patched?”
73210317
submission
msm1267 writes:
Influential security researchers, including Halvar Flake and Jonathan Zdziarski, have begun publishing their comments, objections and concerns regarding the proposed U.S. export control rules under the Wassenaar Arrangement. The bug-hunters are worried that the rules' definition of intrusion software is too broad and would curtail vulnerability research, proof-of-concept exploit development, the use of certain scanners, pen-testing software, and other potential dual-use tools.
73175703
submission
msm1267 writes:
For the first time, DNS redirection attacks against small office and home office routers are being delivered via exploit kits. French security researcher Kafeine said an offshoot of the Sweet Orange kit has been finding success in driving traffic from compromised routers to the attackers' infrastructure.The risk to users is substantial he said, ranging from financial loss, to click-fraud, man-in-the-middle attacks and phishing.
73034237
submission
msm1267 writes:
The Commerce Department’s Bureau of Industry and Security today made public its proposal to implement the controversial Wassenaar Arrangement, and computer security specialists are wary of its language and vagaries.
For starters, its definition of "intrusion software" that originally was meant to stem the effect of spying software such as FinFisher and Hacking Team, has also apparently snared many penetration testing tools. Also, despite the Commerce Department's insistence that vulnerability research does not fall under Wassenaar, researchers say that's up for interpretation.
72563087
submission
msm1267 writes:
Multitudes of software packages that make use of the ICU Project C/C++ and Java libraries may need to update after a pair of memory-based vulnerabilities were discovered and subsequently patched.
Version 55.1 of the ICU Project ICU4C library, released yesterday, addresses separate heap-based buffer overflow and integer overflow bugs in versions 52 through 54. Older versions of the library could also be affected, said researcher Pedro Ribeiro of Agile Information Security, who discovered the vulnerabilities while fuzzing LibreOffice, one of the numerous open source and enterprise software packages that are built using the library.
72452383
submission
msm1267 writes:
Heartbleed made the world notice what kind of shape OpenSSL development was in from a financial and human resources standpoint. In the year since, the project has been funded enough to hire full-time engineers and a crucial refactoring of the codebase has the project in the right direction.
72424579
submission
Trailrunner7 writes:
Crazy is never in short supply in Washington. Through lean times and boom times, regardless of who is in the White House or which party controls the Congress, the one resource that’s reliably renewable is nuttery.
This is never more true than when that venerable and voluble body takes up a topic with some technical nuance to it. The appearance of words such as “Internet”, “computers” or “technology” in the title of a committee hearing strike fear into the hearts of all who use such things. This is the legislative body, after all, that counted among its members the late Sen. Ted Stevens, who so eloquently described the Internet as a series of tubes.
And so when a panel with the wonderfully Orwellian name of the House Committee on Oversight and Government Reform announced a hearing titled “Encryption Technology and Potential U.S. Policy Responses”, the expectations in the security and crypto communities were for plenty of crazy. And it delivered in spades, but perhaps not in the way observers had expected.
The committee hearing was a response to the recent conversations in Washington circles about the need for backdoors in encryption technologies to enable lawful access by the FBI and other agencies. Cryptographers have said consistently that such systems simply don’t work, as they inevitably will allow access for attackers as well as law enforcement, never mind the huge technical challenges of implementing them.
That fact that the decisions by Apple and Google are a result of the NSA's actions did not get past Rep. Ted Lieu (D-Calif.), a man with computer science and law degrees and a clear grasp of the issue at hand.
“I take great offense to your testimony today,” Lieu said to Conley. “It’s a fundamental misunderstanding of the problem. Why do you think companies like Apple and Google are doing this? It’s not to make less money. It’s because the public is asking for it.
“This is a private sector response to government overreach. Let me make another statement, that somehow these technology companies aren’t credible because they collect private data. Here’s the difference: Apple and Google don’t have coercive powers. District attorneys do. The FBI does. The NSA does. And to me it’s very simple to draw the privacy balance when it comes to law enforcement privacy. Just follow the damn Constitution. And because the NSA and other law enforcement agencies didn’t do that, you’re seeing a vast public reaction to this."
71826499
submission
msm1267 writes:
The Simda botnet, known for spreading banking malware and dropping a backdoor on hundreds of thousands of machines worldwide, was taken down last Thursday in a collaborative effort between international law enforcement bodies and private security and technology companies.
Thirteen command and control servers in four countries were seized, putting an end to a malware family that has infected more than 90,000 computers since January of this year alone.
Simda distributed several types of malware including financial Trojans and illicit software, and has been active since the end of 2012. The keepers of Simda make frequent functionality updates and constantly enhance its capabilities to evade detection by researchers and security software, making it an attractive option for cybercriminals, who buy only access to Simda-infected machines and then install additional malicious code on the machines.
The takedown was coordinated by the INTERPOL Global Complex for Innovation in Singapore, the Cyber Defense Institute, the FBI, the Dutch National High Tech Crime Unit (NHTCU), Microsoft, Kaspersky Lab and Trend Micro. Not only were officials able to seize command and control servers and domains, but were also able to sinkhole Simda traffic. That traffic shows a diverse set of victims in more than 40 countries, officials said.
71647067
submission
msm1267 writes:
What's next for TrueCrypt now that a two-phase audit of the code and its cryptography uncovered a few critical vulnerabilities, but no backdoors? Two alternative open source encryption projects forked TrueCrypt once its developers decided to abandon the project in early 2014, giving rise to VeraCrypt and CipherShed--and both are ready to accelerate growth, compatibility and functionality now that the TrueCrypt code has been given a relative clean bill of health.
71506939
submission
msm1267 writes:
Students at St. Mary’s University in Nova Scotia, Canada, participating in Mozilla’s Winter of Security 2014 project, built a browser-based threat modeling tool that simplifies visualization of systems and data flows, and where soft spots might be introduced during design.
The tool, called Seasponge, has been made available on Github and its developers are hoping to not only get feedback and feature suggestions, but also hope to encourage developers to introduce threat modeling into SDLs in order to fix bugs while in design when it’s cheap to do so.
71414863
submission
msm1267 writes:
Dark corners of the Internet harbor trouble. They’re supposed to. But what about when Yahoo, CNN.com, TMZ and other busy destination sites heave disaster upon visitors?
That’s the challenge posed by malvertising, the latest hacker Golden Goose used in cybercrime operations and even in some targeted attacks. Hackers are thriving in this arena because they have found an unwittingly complicit partner in the sundry ad networks to move malicious ads through legitimate processes.
Adding gasoline to the raging fire is the abuse of real-time ad bidding, a revolution in the way online ads are sold. RTB enables better ad targeting for advertisers and less unsold inventory for publishers. Hackers can also hitch a ride with RTB and target malicious ads on any site they wish, much the way a legitimate advertiser would use the same system.
