writes "In a keynote speech at a security conference in Washington Tuesday, new NSA Director Mike Rogers emphasized a need to establish behavioral norms for cyber war.
“We’re still trying to work our way through distinguishing the difference between criminal hacking and an act of war,” said Rogers. “If this was easy, we would have figured it out years ago. We have a broad consensus about what constitutes an act of war, what’s an act of defense.”
Rogers went on to explain that we need to better establish standardized terminology and standardized norms like those that exist in the realm of nuclear deterrence. Unfortunately, unlike in traditional national defense, we can not assume that the government will be able to completely protect us against cyber-threats because the threat ecosystem is just too broad."
writes "The SANS Internet Storm Center is seeing SNMP scans spoofed from Google’s public recursive DNS server seeking to overwhelm vulnerable routers and other devices that support the protocol with DDoS traffic.
“The traffic is spoofed, and claims to come from Google’s DNS server. The attack is however not an attack against Google. It is likely an attack against misconfigured gateways,” said Johannes Ullrich, dean of research of the SANS Technology Institute and head of the Internet Storm Center.
Ullrich said the ISC is still investigating the scale of the possible attacks, but said the few packets that have been submitted target default passwords used by SNMP. In an update posted last night, Ullrich said the scans are sequential, indicating someone is conducting an Internet-wide scan looking for vulnerable routers and devices that accept certain SNMP commands."Link to Original Source
writes "There’s a serious vulnerability in pre-4.4 versions of Android that allows an attacker to read the contents of other tabs in a browser when a user visits a page the attacker controls. The flaw is present in a huge percentage of the Android devices in use right now, and there’s now a Metasploit module available to exploit the vulnerability.
The vulnerability was first disclosed in late August, but there has not been much in the way of public discussion of it. Exploiting the flaw is a straightforward matter and allows the attacker to bypass the same-origin policy in the Android browser.
“What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attackers site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.”"
writes "In the days and weeks following the public disclosure of the OpenSSL Heartbleed vulnerability in April, security researchers and others wondered aloud whether there were some organizations–perhaps the NSA–that had known about the bug for some time and had been using it for targeted attacks. A definitive answer to that question may never come, but traffic data collected by researchers on several large networks shows no large-scale exploit attempts in the months leading up to the public disclosure.
“For all four networks, over these time periods our detector found no evidence of any exploit attempt up through April 7, 2014. This provides strong evidence that at least for those time periods, no attacker with prior knowledge of Heartbleed conducted widespread scanning looking for vulnerable servers. Such scanning however could have occurred during other time periods.”
That result also doesn’t rule out the possibility that an attacker or attackers may have been doing targeted reconnaissance on specific servers or networks. The researchers also conducted similar monitoring of the four networks, and noticed that the first attempted exploits occurred within 24 hours of the OpenSSL disclosure."
writes "The team assigned to pump potentially sensitive information out of Home Depot employees during live cold calls during this year's Social Engineering Capture the Flag competition at the DEF CON 22 hacker conference won the overall contest, which targeted major US retailers. While the contest was obviously unrelated to this week's revelation of a possible breach at the home improvement chain, it's an interesting look at the retail industry's wave of security woes."Link to Original Source
writes "Twitter is the latest major Internet company to establish a bug bounty program, and has put no upper limit on the bounty that a researcher can earn for reporting a vulnerability.
The company announced on Wednesday that it will operate its bounty program through the HackerOne platform, a bug bounty system that enables vendors to access a pool of hundreds of researchers who perform authorized research against a company’s products. HackerOne is used by a number of prominent companies, including Square, Yahoo and CloudFlare and also is the platform that supports the Internet Bug Bounty.
Twitter’s bug bounty program will pay researchers for finding vulnerabilities in its main Web site and the Twitter apps for iOS and Android. The types of vulnerabilities that are in scope for the program include XSS, CSRF, remote code execution, unauthorized access to private tweets or direct messages.
- See more at: http://threatpost.com/twitter-..."
writes "Mozilla is planning to add support for public-key pinning in its Firefox browser in an upcoming version. In version 32, which would be the next stable version of the browser, Firefox will have key pins for a long list of sites, including many of Mozilla’s own sites, all of the sites pinned in Google Chrome and several Twitter sites.
Public-key pinning has emerged as an important defense against a variety of attacks, especially man-in-the-middle attacks and the issuance of fraudulent certificates. In the last few years Google, Mozilla and other organizations have discovered several cases of attackers using fraudulent certificates for high-value sites, including Gmail. The function essentially ties a public key, or set of keys, issued by known-good certificate authorities to a given domain. So if a user’s browser encounters a site that’s presenting a certificate that isn’t included in the set of pinned public keys for that domain, it will then reject the connection. The idea is to prevent attackers from using fake certificates in order to intercept secure traffic between a user and the target site.
The first pinset will include all of the sites in the Chromium pinset used by Chrome, along with Mozilla sites and high-value sites such as Facebook. Later versions will add pins for Twitter, a long list of Google domains, Tor, Dropbox and other major sites."
writes "The flat surface of the Racetrack Playa in Death Valley is littered with rocks, some weighing hundreds of kilograms, each at the end of a track indicating that it has somehow slid across the surface. The mechanism behind this has been the subject of much speculation but little evidence, until a trio of scientists caught them in action with cameras and GPS."Link to Original Source
writes "Google has fixed 50 security vulnerabilities in its Chrome browser, including a critical string of bugs that can allow an attacker to execute arbitrary code outside of the browser’s sandbox.
This is one of the larger batches of fixes that Google has produced for Chrome recently. The company releases frequent updates for the browser and often will push out a new version with only a handful of security patches. But Chrome 37 includes 50 patches, a huge number by any measure. The most notable vulnerability patched in this version is actually a combo platter of several flaws that can be used to escape the Chrome sandbox and gain remote code execution.
The group of vulnerabilities earned the security researcher who reported them a $30,000 bug bounty from Google, one of the higher rewards that the company has given to a researcher outside of its Pwnium competitions. Google’s bug bounties typically fall into the $1,000-$5,000 range, but the company’ security team sometimes will award significantly higher rewards to researchers who report especially critical or creative bugs."
writes "The GameOver Zeus malware had a nice run for itself, making untold millions of dollars for its creators. But it was a run that ended with a multi-continent operation from law enforcement and security researchers to disassemble the infrastructure. Now researchers have identified a new variant of the Cridex malware that has adopted some of the techniques that made GOZ so successful in its day.
Researchers at IBM’s X-Force research team have seen a new version of Cridex, which is also known as Bugat and Feodo, using some of the same techniques that GOZ used to such good effect. Specifically, the new strain of malware has adopted GOZ’s penchant for using HTML injections, and the researchers say the technique is nearly identical to the way that GOZ handled it.
“There are two possible explanations for this. First, someone from the GOZ group could have moved to the Bugat team. This would not be the first time something like this has happened, which we’ve witnessed in other cases involving Zeus and Citadel; however, it is not very likely in this case since Bugat and GOZ are essentially competitors, while Zeus and Citadel are closely related. The second and more likely explanation is that the Bugat team could have analyzed and perhaps reversed the GOZ malware before copying the HTML injections that made GOZ so highly profitable for its operators,” Etay Maor, a senior fraud prevention strategist at IBM, wrote in an analysis of the new malware."
Advocatus Diaboli (1627651)
writes "This article is the first part of a series on NSA BIOS backdoor internals. Before we begin, I’d like to point out why these malwares are classified as “god mode.” First, most of the malware uses an internal (NSA) codename in the realms of “gods,” such as DEITYBOUNCE, GODSURGE, etc. Second, these malwares have capabilities similar to “god mode” cheats in video games, which make the player using it close to being invincible. This is the case with this type of malware because it is very hard to detect and remove, even with the most sophisticated anti-malware tools, during its possible deployment timeframe."Link to Original Source
writes "The takedown of the GameOver Zeus malware operation in June got more than its share of attention, but it was the concurrent demolition of the CryptoLocker ransomware infrastructure that may prove to have been the most important part of the operation. That outcome was the culmination of months of behind the scenes work by dozens of security researchers who cooperated with law enforcement to trace, monitor and ultimately wreck the careful work and planning of the CryptoLocker crew.
“This was something new. This was ransomware done right,” said John Bambenek, president of Bambenek Consulting, who was involved in the working group that tracked CryptoLocker and talked about the operation at the Black Hat USA conference here Thursday. “It made for a good case study on how to do threat intelligence.”
The working group that came together to defeat CryptoLocker was global and had people with all kinds of different skill sets: malware reverse engineering, math, botnet tracking and intelligence. Some members worked on taking part the domain-generation algorithm while others looked at the command-and-control infrastructure and still others broke down the malware itself. What the researchers began to notice as they dug deeper into the CryptoLocker operation was that the crew behind the ransomware had done a lot of things right, but had also exhibited some oddly inconsistent behaviors."
writes "It was an absurd scene. Keith Alexander, the director of the NSA and a four-star general in the Army, stood alone on the stage, squinting through the floodlights as members of the standing-room-only crowd shouted insults and accusations. Armed men in dark suits roamed the area in front of the stage, eyeing the restless crowd. Nearby, a man sat with a carton of eggs at his feet, waiting for a chance to let fly.
There were loud calls for Alexander’s resignation throughout the summer, and previous whistleblowers, security experts and some lawmakers said that there was a clear need for reform at Fort Meade. Critics said the agency had taken the expanded powers granted it after 9/11 and run with them. Concurrent advancements in technology gave the NSA a deep bag of tricks for conducting offensive operations and as the details of the TAO toy catalog and other capabilities emerged, the anger and outrage in the security and privacy communities festered. Something had to be done. Things needed to change. And then, oddly enough, things began to change.
As the implications of the NSA’s deep penetration of the Internet began to sink in, small groups of smart technologists and engineers began looking for ways to help users secure their communications. Some of the folks from Silent Circle started a new venture, Blackphone, to produce secure, surveillance-resistant phones for consumer use. Another group of executives from Silent Circle, along with Ladar Levison, the founder of Lavabit, established the Dark Mail Alliance to create a new secure email service. And just last week, Moxie Marlinspike’s Open Whisper Systems released Signal, a new iPhone app that provides secure, encrypted phone calls for free.
There’s no way of knowing whether all of these technologies and changes would’ve come to pass without the Snowden leaks; some of them almost certainly would have. Google was on the path to encrypting its data center links, and Yahoo would likely have followed suit eventually. But there’s no question that the leaked documents, the avalanche of news stories and the massive backlash that followed contributed to the innovation that has followed."
writes "There is a critical vulnerability in millions of Android devices that allows a malicious app to impersonate a trusted application in a transparent way, enabling an attacker to take a number of actions, including inserting malicious code into a legitimate app or even take complete control of an affected device.
The vulnerability is a result of the way that Android handles certificate validation and it’s present in all versions of Android from 2.1 to 4.4, known as Kit Kat. Researchers at Bluebox Security, who identified the vulnerability, said that in some cases, attackers can exploit the vulnerability to gain full access to a target device. Specifically, devices that run the 3LM administration extension are at risk for a complete compromise. This includes devices from HTC, Pantech, Sharp, Sony Ericsson, and Motorola.
Android apps are signed using digital certificates that establish the identity of the developer and the vulnerability Bluebox discovered is that the Android app installer doesn’t try to authenticate the certificate chain of a given app. That means an attacker can create an app with a fake identity and impersonate an app with extensive privileges, such as an Adobe plug-in or Google Wallet. In the case of the Adobe impersonation, the malicious app would have the ability to escape the sandbox and run malicious code inside another app, the researchers said.
“You could use any app distribution mechanism, whether it’s a link in SMS or a legitimate app store. Look at other Android malware. You do it whatever it takes for the user to say, Yeah I want that app,” Bluebox CTO Jeff Forristal said. “It’s certainly severe. It’s completely stealth and transparent to the user and it’s absolutely the stuff that malware is made of. It operates extremely consistently, so in that regard it’s going to be extremely attractive to malware.”"
writes "The critical vulnerability in the TAILS operating system discovered by researchers at Exodus Intelligence lies in the I2P software that’s bundled with the OS and the company has released some details and a video demonstrating an exploit against the bug. Exodus researchers said that the vulnerability can be used for remote code execution as well as de-anonymization of targeted users on TAILS.
I2P is an anonymity network, somewhat analogous to Tor, that encrypts all of its communications from end to end and enables private and anonymous use of the Internet and resources such as email, chat and Web browsing. Unlike Tor, however, I2P is a packet switched network, rather than a circuit switched one, and the communications its users send and receive are message-based. Each I2P node has an identical level of importance in the network and there are no central servers routing traffic.
Exodus researchers said that the flaw they discovered is present in TAILS for several versions, meaning its effect could be quite widespread.
“The vulnerability we will be disclosing is specific to I2P. I2P currently boasts about 30,000 active peers. Since I2P has been bundled with Tails since version 0.7, Tails is by far the most widely adopted I2P usage. The I2P vulnerability works on default, fully patched installation of Tails. No settings or configurations need to be changed for the exploit to work,” the Exodus team wrote in a post explaining a bit about the flaw."