
+ - UK Student's Dissertation Redacted Thanks to Wassenaar Rules

Trailrunner7 writes: U.S.-based security researchers may soon be championing the case of Grant Wilcox, a young U.K. university student whose work is one of the few publicly reported casualties of the Wassenaar Arrangement.

Wilcox last week published his university dissertation, presented earlier this spring for an ethical hacking degree at the University of Northumbria in Newcastle, England. The work expands on existing bypasses for Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), free software that includes a dozen mitigations against memory-based exploits. Microsoft has on more than one occasion recommended use of EMET as a temporary stopgap against publicly available zero-day exploits.

Wilcox’s published dissertation, however, is missing several pages that describe proof-of-concept exploits, including one that completely bypasses a current EMET 5.1 installation running on a fully patched Windows computer. He said last Wednesday in a blogpost that the missing pages and redactions within the text happened partly because of the Wassenaar Arrangement.

“Whilst it has impacted the release of my research it has not impacted my passion and I plan to continue researching such material as and when I feel like, though in an ideal world I would like clearer instructions so I can figure out how to do this appropriately (of which there seems to be some confusion),” Wilcox said in an email to Threatpost.

+ - Former L0pht Hacker Mudge Leaves Google to Start Cyber UL

Trailrunner7 writes: One of the longstanding problems in security–and the software industry in general–is the lack of any universally acknowledged authority on quality and reliability. But the industry moved one step closer to making such a clearinghouse a reality this week when Peiter Zatko, a longtime researcher and hacker better known as Mudge in security circles, announced he’s leaving Google to start an initiative designed to be a cyber version of Underwriters’ Laboratory.

Zatko said on Monday that he had decided to leave Google’s Advanced Technology and Projects team and start a cyber UL, at the behest of the White House.

The new project will not be run out of the White House, Zatko said, and the specifics of the plan are not clear right now. But the fact that someone with Zatko’s experience, history, and respect in the security community is involved in the project lends immediate weight and potential to it.

+ - LG Android Phones App Updater Doesn't Validate SSL Certs

Trailrunner7 writes: Many smartphones manufactured by LG contain a vulnerability that can allow an attacker to replace an APK file with a malicious file of his choice.

The problem is the result of several conditions on LG phones. Like other manufacturers, LG includes custom apps on its handsets, which are not available through the normal Google Play store. The apps are pre-loaded and have a separate update mechanism that relies on contacting an LG server to download new code. Researchers at Search-Lab in Hungary found that the update process for these apps does not validate the security certificate presented by the server on the other end, opening users up to man-in-the-middle attacks.

+ - Cisco Security Appliances Found to Have Default SSH Keys

Trailrunner7 writes: Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses. The company said that all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability.

This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free rein on vulnerable boxes, which, given Cisco’s market share and presence in the enterprise worldwide, is likely a high number. The default key apparently was inserted into the software for support reasons.

“The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user,” Cisco said.

+ - Facebook Hires Ex-Yahoo CISO Alex Stamos

Trailrunner7 writes: Facebook has hired away the top security executive at Yahoo, Alex Stamos, to become the company’s new CSO.

Stamos said Wednesday that he is joining Facebook because he believes the company is in the best position to address some of the large security challenges facing users and companies right now.

A longtime industry executive, Stamos joined Yahoo as CISO in March 2014 and quickly set about working on upgrading the security of that company’s many services. One of the first moves he made was to address Yahoo’s lack of encryption on its platforms. One of the more damaging bits of information contained in the Snowden documents was the revelation that the NSA and British GCHQ had been tapping fiber optic cables used by major Internet companies, including Google and Yahoo. The news infuriated engineers at the companies, and Google quickly responded by accelerating its project to encrypt the links among its data centers.

A month after arriving at Yahoo, Stamos announced that the company was making the same move. Yahoo also enabled encryption between its mail servers and other email providers, and earlier this year the company released an extension that enabled end-to-end encryption for all Yahoo email users. All search queries and traffic to the Yahoo home page also run over HTTPS by default now.

+ - HP Researchers Disclose Details of Internet Explorer Zero Day

Trailrunner7 writes: Researchers at HP’s Zero Day Initiative have disclosed full details and proof-of-concept exploit code for a series of bugs they discovered that allow attackers to bypass a key exploit mitigation in Internet Explorer. The disclosure is a rarity for ZDI. The company typically does not publish complete details and exploit code for the bugs it reports to vendors until after the vulnerabilities are fixed. But in this case, Microsoft has told the researchers that the company doesn’t plan to fix the vulnerabilities, even though the bugs were serious enough to win ZDI’s team a $125,000 Blue Hat Bonus from Microsoft. The reason: Microsoft doesn’t think the vulnerabilities affect enough users.

The vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization), one of the many mitigations in IE that help prevent successful exploitation of certain classes of bugs. ZDI reported the bugs to Microsoft last year and disclosed some limited details of them in February. The researchers waited to release the full details until Microsoft fixed all of the flaws, but Microsoft later informed them that they didn’t plan to patch the remaining bugs because they didn’t affect 64-bit systems.

+ - OPM Hack Started in December

Trailrunner7 writes: The attack on the Office of Personnel Management that was disclosed earlier this month began as early as December 2014 and likely was the end result of a social engineering attack that enabled the hackers to gain valid user credentials and move around OPM’s network.

During a hearing on Capitol Hill Tuesday to address the hack and its fall-out, members of the House Committee on Oversight and Government Reform grilled OPM officials and IT executives about the breach and why the department had failed to implement many security defenses. Much of the hearing focused on the question of what information was stolen, why the data wasn’t encrypted, and why the OPM hadn’t been able to shore up its defenses, as recommended in a report from the Office of the Inspector General last year.

Katherine Archuleta, director of the OPM, said that protecting user data was her highest priority, and that the IT staff had been working on implementing the changes recommended in the OIG report. Rep. Jason Chaffetz (R-Utah), chairman of the committee, said the changes weren’t nearly enough.

“You have completely and utterly failed, if that was your mission,” Chaffetz said.

The OPM breach came to light in early June, but department officials said in the hearing that the attack apparently began in December 2014. The attackers had access to personal information contained in security clearance background checks for millions of federal employees, and OPM officials said they believe the data was, in fact, removed from the network by the attackers.

“We concluded with a high probability that the data was exfiltrated by the adversary,” said Andy Ozment, assistant secretary, Office of Cybersecurity and Communications, National Program Preparedness Directorate, at the Department of Homeland Security, which helped investigate the breach.

+ - Malware Found Hiding in PNG Images on Legitimate Hosting Sites

Trailrunner7 writes: Malware writers aren’t hesitant to do what it takes to protect a campaign and keep it hidden from detection technologies and security researchers.

The group behind the Stegoloader malware, disclosed Monday by researchers at Dell SecureWorks, has taken to digital steganography to keep its information-stealing code from being seen. Once having compromised a user’s machine, the deployment module grabs a PNG file that contains the malware from a legitimate hosting site.

Despite its information-stealing capability, Dell researchers said they have not seen the malware used in targeted attacks, but they don’t dismiss the possibility outright. So far, Dell said it has seen victims in the health care, education, and manufacturing industries, yet it has not been spread via exploits or spearphishing emails. Instead, Dell researchers believe victims are being compromised by downloading pirated software from third-party sites, the same propagation strategy used with older versions of the malware.

“The only infection vector I can confirm is through software piracy tools. I suspect once the attacker gains a foothold on an interesting network, they can deploy additional modules to spread further but I have not been able to find such module,” said senior security researcher Pierre-Marc Bureau.

+ - The St. Louis Cardinals Hacked the Houston Astros and Didn't Do a Good Job

mwn3d writes: The St. Louis Cardinals are under investigation for hacking into a database storing Houston Astros operational data. "Hacking" is used loosely here as almost everyone involved seems to have made many not-so-smart choices. An initial mistake is that "Astros general manager Jeff Luhnow...used to work with the Cardinals and ran a similar database in St. Louis. It appears that Luhnow used the same passwords in both places, leaving the database open to mischief". Later mistakes include perpetrating this "hack" from their home computers and posting stolen documents on a public pastebin site.

+ - New Duqu 2.0 APT Hits High-Value Victims, Including Kaspersky

Trailrunner7 writes: The Duqu attackers, who are considered by researchers to be at the top of the food chain of APT groups and are responsible for attacking certificate authorities and perhaps spying on Iran’s nuclear program, have resurfaced with a new platform that was used to compromise high-profile victims, including some related to the Iran nuclear talks last fall.

The new spate of attacks was discovered by researchers at Kaspersky Lab after they uncovered evidence that some of the company’s own systems had been compromised by the platform, which is being called Duqu 2.0. Kaspersky’s investigation into the incident showed that the Duqu attackers had access to a small number of systems and were especially interested in the company’s research into APT groups, its anti-APT technology, and some Kaspersky products, including the Secure Operating System and Kaspersky Security Network. Kaspersky officials said that although the initial infection vector isn’t known, the attackers used as many as three Windows zero-days in the course of the operation.

The company said that it is confident that its technologies and products have not been affected by the incident.

The key difference with the Duqu 2.0 attacks is that the malware platform that team uses has modules that reside almost entirely in memory.

“The Equation Group always used some form of ‘persistence’, accepting a bigger risk of being discovered. The Duqu 2.0 malware platform was designed in a way that survives almost exclusively in the memory of infected systems, without need for persistence – it means the attackers are sure there is always a way for them to maintain an infection – even if the victim’s machine is rebooted and the malware disappears from the memory,” Kaspersky’s researchers said.

+ - Bug Bounties in the Crosshairs of Wassenaar Rules

Trailrunner7 writes: Bug bounties have gone from novelty to necessity, not only for enterprises looking to take advantage of the skills of an organized pool of vulnerability hunters, but also for a slew of independent researchers who make a living contributing to various vendor and independent bounty and reward programs.

The proposed U.S. rules for the Wassenaar Arrangement pose a real challenge for all sides of that equation.

Under the rules, researchers who find a zero-day vulnerability and develop a PoC exploit triggering the issue, would have to apply for an export license in order to privately disclose their findings with the vendor in question. As a result, there will be occasions when a foreign researcher, for example, would have to share details on a zero-day with their government before the vendor in question.

“There are lots of concerns from researchers if this gets implemented,” said Kymberlee Price, senior director of operations at Bugcrowd, a private company that provides a platform for organizations wishing to start bug bounty programs. “Is it worth the effort to continue to report vulnerabilities if you have to go through a government and are likely to have to disclose details on that vulnerability? Do we want foreign governments knowing about it before it’s reported directly to the vendor so it can be patched?”

+ - Opening Fixed-Code Garage Doors With a Toy in 10 Seconds

Trailrunner7 writes: It may be time to upgrade your garage door opener. Security researcher Samy Kamkar has developed a new technique that enables him to open almost any garage door that uses a fixed code–and he implemented it on a $12 child’s toy.

The attack Kamkar devised, known as OpenSesame, reduces the amount of time it takes to guess the fixed code for a garage door from several minutes down to less than 10 seconds. Most openers in commercially available garage door openers have a set of 12 dip switches, which are binary, and provide a total of 4,096 possible code combinations. This is a highly limited keyspace and is open to brute-force attacks. But even on such a small keyspace, those attacks take some time.

With a simple brute-force attack, that would take 29 minutes, Kamkar said. To begin reducing that time, he eliminated the retransmission of each code, bringing the time down to about six minutes. He then removed the wait period after each code is sent, which reduced the time even further, to about three minutes. Looking to further reduce the time, Kamkar discovered that many garage door openers use a technique known as a bit shift register. This means that when the opener receives a 12-bit code, it will test that code, and if it’s incorrect, the opener will then shift out one bit and pull in one bit of the next code transmitted.

Kamkar implemented an algorithm known as the De Bruijn sequence to automate this process and then loaded his code onto a now-discontinued toy called the Mattel IM-ME. The toy was designed as a short-range texting device for kids, but Kamkar reprogrammed it using the GoodFET adapter built by Travis Goodspeed. Once that was done, Kamkar tested the device against a variety of garage door openers and discovered that the technique worked on systems manufactured by several companies, including Nortek and NSCD. It also works on older systems made by Chamberlain, Liftmaster, Stanley, Delta-3, and Moore-O-Matic.

+ - NSA Planned to Hijack Google App Store to Hack Smartphones

Advocatus Diaboli writes: "The National Security Agency and its closest allies planned to hijack data links to Google and Samsung app stores to infect smartphones with spyware, a top-secret document reveals. The surveillance project was launched by a joint electronic eavesdropping unit called the Network Tradecraft Advancement Team, which includes spies from each of the countries in the “Five Eyes” alliance — the United States, Canada, the United Kingdom, New Zealand and Australia."

"The newly published document shows how the agencies wanted to “exploit” app store servers – using them to launch so-called “man-in-the-middle” attacks to infect phones with the implants. A man-in-the-middle attack is a technique in which hackers place themselves between computers as they are communicating with each other; it is a tactic sometimes used by criminal hackers to defraud people. In this instance, the method would have allowed the surveillance agencies to modify the content of data packets passing between targeted smartphones and the app servers while an app was being downloaded or updated, inserting spyware that would be covertly sent to the phones."


+ - Stanford Research Outs Would-Be Hacker Marketplace

An anonymous reader writes: What if there were an Uber for hackers? Well, there is. It's called Hacker's List, and it made the front page of the New York Times this year. Anyone can post or bid on an 'ethical' hacking project.

According to new Stanford research, however, the site is a wreck. 'Most requests are unsophisticated and unlawful, very few deals are actually struck, and most completed projects appear to be criminal.'

And it gets worse. 'Many users on Hacker’s List are trivially identifiable,' with an email address or Facebook account. The research dataset includes thousands of individuals soliciting federal crimes.
