writes "Mozilla has released Firefox 37, and along with the promised addition of the OneCRL certificate revocation list, the company has included a feature that enables opportunistic encryption on connections for servers that don’t support HTTPS.
The new feature gives users a new defense against some forms of monitoring and doesn’t require any setup from users. When Web servers are configured correctly to provide a specific response header, Firefox will begin sending requests to the indicated encrypted port rather than in cleartext to port 80. Opportunistic encryption isn’t a replacement for SSL, as it’s not authenticated, but it can provide a alternative for organizations that can’t migrate fully to HTTPS for one reason or another.
“OE provides unauthenticated encryption over TLS for data that would otherwise be carried via clear text. This creates some confidentiality in the face of passive eavesdropping, and also provides you much better integrity protection for your data than raw TCP does when dealing with random network noise. The server setup for it is trivial,” Patrick McManus of Mozilla wrote in a post explaining the new feature."
writes "A security researcher says there is a bug in the Instagram API that could enable an attacker to post a message with a link to a page he controls that hosts a malicious file, but when the user downloads the file it will appear to come from a legitimate Instagram domain, leading the victim to trust the source.
The issue, a reflected filename download bug, lies in the public API for the Instagram service, which is owned by Facebook. Researcher David Sopas of WebSegura in Portugal found that by using the access token from any user’s account, pasting some code into the bio field in a user’s account and using some other little tricks, he could produce a file download link that seems to be hosted on a legitimate Instagram domain.
The attacker could host any malicious file he chooses at the target location, including malware. Sopas said he has been unable to convince Facebook security engineers that RFD issues are security vulnerabilities. He said they told him the issue was not a priority.
“Many companies still don’t understand that RFD is very dangerous and combined with other attacks like phishing or spam it could lead to massive damage,” Sopas said via email."
writes "Google security engineers, investigating fraudulent certificates issued for several of the company’s domains, discovered that a Chinese certificate authority was using an intermediate CA, MCS Holdings, that issued the unauthorized Google certificates, and could have issued certificates for virtually any domain.
Google’s engineers were able to block the fraudulent certificates in the company’s Chrome browser by pushing an update to the CRLset, which tracks revoked certificates. The company also alerted other browser vendors to the problem, which was discovered on March 20. Google contacted officials at CNNIC, the Chinese registrar who authorized the intermediate CA, and the officials said that they were working with MCS to issue certificates for domains that it registered.
But, instead of simply doing that, and storing the private key for the registrar in a hardware security module, MCS put the key in a proxy device designed to intercept secure traffic."
writes "The federal government is seeking more legal power to step in and shut down botnets through an amendment to the existing criminal law, which would allow the Department of Justice to obtain injunctions to disrupt these malicious networks.
The Obama administration has proposed an amendment to existing United Stated federal law that would give it a more powerful tool to go after botnets such as GameOver Zeus, Asprox and others. In recent years, Justice, along with private security firms and law enforcement agencies in Europe, have taken down various incarnations of a number of major botnets, including GameOver Zeus and Coreflood. These actions have had varying levels of success, with the GOZ takedown being perhaps the most effective, as it also had the effect of disrupting the infrastructure used by the CryptoLocker ransomware.
In order to obtain an injunction in these cases, the government would need to sue the defendants in civil court and show that its suit is likely to succeed on its merits.
“The Administration’s proposed amendment would add activities like the operation of a botnet to the list of offenses eligible for injunctive relief. Specifically, the amendment would permit the department to seek an injunction to prevent ongoing hacking violations in cases where 100 or more victim computers have been hacked. This numerical threshold focuses the injunctive authority on enjoining the creation, maintenance, operation, or use of a botnet, as well as other widespread attacks on computers using malicious software (such as “ransomware” ),” Caldwell wrote."
writes "Spies thrive only when they’re able to quietly infiltrate targets and slither away unnoticed; this principle is the same whether we’re talking about the physical world, or digital.
The recently uncovered Equation APT group is prime example of the investment nation-state sponsored attackers make in stealth. The group, which researchers at Kaspersky Lab speculate has been active since 2001—perhaps as far back as 1996—took great pains to avoid detection with this super valuable espionage platform. It was selective about against whom it was deployed, found unique ways to store stolen data, and developed more than 100 plug-ins, each with a specific function, that are deployed only to certain targets holding certain information.
Today, researchers at Kaspersky Lab released a deeper analysis of the older attack platform used by the Equation group. EquationDrug is a complete platform that is selectively installed on targets’ computers. It is used to deploy any of 116 modules (Kaspersky says it has found only 30 so far); the modules support a variety of cyberespionage functions ranging from data exfiltration to monitoring a target’s activities local activities and on the Web.
The 30 modules analyzed by Kaspersky represent a wide cut of capabilities present in the EquationDrug platform. Many of the modules perform system-level functions, gathering data specific to the target computer such as operating system versions, time zone details, Windows management instrumentation, and much more. There are also modules that allow the attackers to manage target computers, enabling them to manipulate processes, load drivers and libraries or manage files and directories. Network traffic can be stolen or re-routing; there are modules for tampering with DNS resolution, for example.
Yet other modules keep tabs on user activity, learning what network shares and resources the machine has access to, steal cached passwords, monitor live user activity in web browsers and browser history, monitor removable storage drive usage, log keystrokes and clipboard storage, and run a passive backdoor that runs Equation shellcode from raw traffic."
writes "A five-year-old Microsoft patch for the .LNK vulnerability exploited by Stuxnet failed to properly protect Windows machines, leaving them exposed to exploits since 2010.
Microsoft today is expected to release a security bulletin, MS15-020, patching the vulnerability (CVE-2015-0096). It is unknown whether there have been public exploits of patched machines. The original LNK patch was released Aug. 2, 2010.
“That patch didn’t completely address the .LNK issue in the Windows shell, and there were weaknesses left behind that have been resolved in this patch,” said Brian Gorenc, manager of vulnerability research with HP's Zero Day Initiative. Gorenc said the vulnerability works on Windows machines going back to Windows XP through Windows 8.1, and the proof of concept exploit developed by Heerklotz and tweaked by ZDI evades the validation checks put in place by the original Microsoft security bulletin, CVE-2010-2568.
The vulnerability was submitted to ZDI by German researcher Michael Heerklotz."Link to Original Source
writes "Software, from web apps, to operating systems to firmware, has been abused and exploited every which way from Sunday for decades by both researchers and attackers. Now, it is hardware’s turn in the spotlight, as researchers have published details of a new method for exploiting a problem with some DRAM memory devices that can allow attackers to get low-level access to target machines.
The problem is being called “rowhammer”, as it’s a method for repeatedly hammering on rows of cells of memory in DRAM devices to induce cells to flip from one state to another. Using a new technique to exploit the rowhammer issue, researchers at Google were able to produce these bit flips in cells and gain kernel-level privileges. Security researchers say the technique is some of the more important work done on exploitation in recent years and could affect a huge number of laptops and desktop machines.
Researcher Mark Seaborn on Monday published a detailed technical explanation of techniques to exploit the rowhammer issue, which was described earlier in an academic paper by researchers from Intel and Carnegie Mellon University. The basic concept behind rowhammer relies on the fact that the cells of memory on DRAM devices have become closer and closer together over time, meaning that it has become more difficult to prevent electrons from jumping from one cell to another. By accessing target cells in DRAM over and over again, an attacker can disturb a cell adjacent to the target cells, causing it to “bit flip” under some circumstances.
“‘Rowhammer’ is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process,” Seaborn wrote in his post.
“[It] is a brilliant attack and because it’s a hardware flaw, there are really no ways to patch it,” said Alfredo Ortega, a longtime security researcher and co-founder of Groundworks Technologies."
writes "From the time the first commercials aired during the American pro football championship game last month, CSI: Cyber has been one of the more talked-about and least-anticipated shows in recent memory. At least in tech circles. For normal viewers, it’s one of those shows that you wake up in the middle of at 10:27 after nodding off during Criminal Minds or CSI: Pet Detectives.
The show centers on the Cyber Crime Division at the FBI, a perfectly focus-grouped cast headed by Special Agent Avery Ryan. She is a former behavioral psychiatrist whose practice fell apart when–spoiler alert!–all of her case files were stolen by a hacker who then murdered one of her patients. Now she is on a mission to “turn” hackers one at a time to the path of righteousness. She is aided in this noble quest by the guy who played Dawson, former child rapper Lil Bow Wow, and the two h4x0r caricatures: a bearded, wisecracking guy named Daniel Krumitz who is the “greatest white hat hacker in the world”, and Raven Ramirez, whom we know is a hacker because she has dyed hair. Also, because her name is Raven.
As a public service, the Threatpost team, Mike Mimoso, Dennis Fisher, Brian Donohue and Chris Brook, watched the first episode of CSI: Cyber and kept a running chat log of the “action”."
writes "For the nth time in the last couple of years, security experts are warning about a new Internet-scale vulnerability, this time in some popular SSL clients. The flaw allows an attacker to force clients to downgrade to weakened ciphers and break their supposedly encrypted communications through a man-in-the-middle attack.
Researchers recently discovered that some SSL clients, including OpenSSL, will accept weak RSA keys–known as export-grade keys–without asking for those keys. Export-grade refers to 512-bit RSA keys, the key strength that was approved by the United States government for export overseas. This was an artifact from decades ago and it was thought that most servers and clients had long ago abandoned such weak ciphers.
“The 512-bit export grade encryption was a compromise between dumb and dumber. In theory it was designed to ensure that the NSA would have the ability to ‘access’ communications, while allegedly providing crypto that was still ‘good enough’ for commercial use. Or if you prefer modern terms, think of it as the original ‘golden master key‘," said cryptographer Matt Green of Johns Hopkins University.
The vulnerability affects a variety of clients, most notably Apple’s Safari browser. The bug was discovered by a large group of researchers from Microsoft Research and the French National Institute for Research in Computer Science and Control, and they found that given a server that supports export-grade ciphers and a client that accepts those weak keys, an attacker with a man-in-the-middle position could force a client to downgrade to the weak keys. He could then take the key and factor it, which researchers were able to do in about seven and a half hours, using Amazon EC2. And because it’s resource-intensive to generate RSA keys, servers will generate one and re-use it indefinitely."
writes "The NSA has a new director, a slew of new challenges and any number of new capabilities at its disposal. But it seems that the agency is intent on fighting the same old battles.
Even as fresh revelations about the extent of the NSA’s efforts to get access to encryption keys for mobile communications continue to unspool, the agency’s director is advocating for some form of legal, direct access to encrypted communications. Mike Rogers, director of the NSA and head of the U.S. Cyber Command, said at an event yesterday that it’s important for a legal framework to be put in place to govern how intelligence agencies can access secure communications.
Bruce Schneier, cryptographer and CTO of Resilient Systems, asked Rogers directly about that problem during the event held by the New America Foundation and was unsatisfied by the answer. For Schneier, the rhetoric and the lack of technical understanding coming from the government are eerily reminiscent of the crypto wars of the 1990s.
“If someone sat Rogers down and described Clipper to him, I think he would say, ‘I want that,'” Schneier said. “He says we need a legal rule, but that can’t solve the technical problems. This is a place where policy and technology collide in a way that it limits the solution space. There’s a belief that this is just a technical problem and we can solve it.”"
writes "Researchers at Kaspersky Lab have uncovered a cyberespionage group that has been operating for at least 15 years and has worked with and supported the attackers behind Stuxnet, Flame and other highly sophisticated operations. The attackers, known as the Equation Group, used two of the zero days contained in Stuxnet before that worm employed them and have used a number of other infection methods, including interdicting physical media such as CDs and inserting their custom malware implants onto the discs.
Some of the techniques the group has used are closely associated with tactics employed by the NSA, specifically the interdiction operations and the use of the LNK vulnerability exploit by Stuxnet.
The Equation Group has a massive, flexible and intimidating arsenal at its disposal. Along with using several zero days in its operations, the attack crew also employs two discrete modules that enable them to reprogram the hard drive firmware on infected machines. This gives the attackers the ability to stay persistent on compromised computers indefinitely and create a hidden storage partition on the hard drive that is used to store stolen data. At the Security Analyst Summit here Monday, researchers at Kaspersky presented on the Equation Group’s operations while publishing a new report that lays out the inner workings of the crew’s tools, tactics and target list. The victims include government agencies, energy companies, research institutions, embassies, telecoms, universities, media organizations and others. Countries targeted by this group include Russia, Syria, Iran, Pakistan, China, Yemen, Afghanistan, India but also US and UK, between and several others."
writes "WordPress has become a huge target for attackers and vulnerability researchers, and with good reason. The software runs a large fraction of the sites on the Internet and serious vulnerabilities in the platform have not been hard to come by lately. But there’s now a bug that’s been disclosed in all versions of WordPress that may allow an attacker to take over vulnerable sites.
The issue lies in the fact that WordPress doesn’t contain a cryptographically secure pseudorandom number generator. A researcher named Scott Arciszewski made the WordPress maintainers aware of the problem nearly eight months ago and said that he has had very little response.
The consequences of an attack on the bug would be that the attacker might be able to predict the token used to generate a new password for a user’s account and thus take over the account. Arciszewski has developed a patch for the problem and published it, but it has not been integrated into WordPress. He said he has had almost no communication from the WordPress maintainers about the vulnerability, save for one tweet from a lead developer that was later deleted.
Arciszewski said he has not developed an exploit for the issue but said that an attacker would need to be able to predict the next RNG seed in order to exploit it.
“There is a rule in security: attacks only get better, never worse. If this is not attackable today, there is no guarantee this will hold true in 5 or 10 years. Using /dev/urandom (which is what my proposed patch tries to do, although Stefan Esser has highlighted some flaws that would require a 4th version before it’s acceptable for merging) is a serious gain over a userland RNG,” he said by email."
writes "The last year has seen a big swing in the support from the technology community for open-source security tools, many of which are maintained by tiny staffs or volunteers. OpenSSL last year received a large chunk of funding from the Core Infrastructure Initiative, and now it’s GnuPG’s turn.
After a story on ProPublica Thursday publicized the plight of Werner Koch, the creator and lone full-time developer of the encryption software, who was running low on money to fund the project, members of the security and technology communities began a word-of-mouth campaign to raise money to help. These kinds of campaigns can fizzle out quickly, but not this time. In less than a day, the GnuPG project received more than €120,000 in donations from individuals around the world.
In addition to the €120,000 in donations from individual supporters, the CII, which is supported by the Linux Foundation, has given GnuPG a $60,000 grant for this year. Also, both Facebook and Stripe, the payment processor GnuPG uses, have pledged $50,000 each to support the project."
writes "Attackers have compromised Anthem Inc., one of the larger health-care companies in the United States, gaining access to the Social Security numbers, birth dates, names, employment and income data and other personal information of an untold number of customers.
The company says it is not sure yet how many customers are affected, but Anthem claims to have 69 million customers across its product lines. In a statement, Anthem, which was previously known as WellPoint Health Networks, said that the company was the victim of a targeted, sophisticated attack.
Given the size of the Anthem customer base, this could turn out to be one of the larger data breaches in U.S. history. The scope of the information the attackers obtained could give them broad access to victims’ personal lives.
“If confirmed, we are dealing with one of the biggest data breaches in history and probably the biggest data breach in the healthcare industry. If you are wondering what it means for individuals, in a few words: it is a nightmare,” said Jamie Blasco, vice president and chief scientist at AlienVault."
writes "In the years since Edward Snowden began putting much of the NSA‘s business in the street, including its reliance on the secret FISA court and National security Letters, warrant canaries have emerged as a key method for ISPs, telecoms and other technology providers to let the public know whether they have received any secret orders. But keeping track of the various canaries scattered around the Web is difficult, so a group of legal and civil liberties organizations have come together to launch a new site to monitor the known warrant canaries.
The Canary Watch site is the work of the EFF, the Berkman Center for Internet and Society and NYU’s Technology Law and Policy Center and it works on a simple concept. The site maintains a list of all of the known warrant canaries and periodically checks each organization’s site to see whether the canary is still there and then lists any changes to the status.
Right now, Canary Watch lists 11 organizations, including Lookout, Pinterest, Reddit and Tumblr.
“Canarywatch lists the warrant canaries we know about, tracks changes or disappearances of those canaries, and allows users to submit canaries not listed on the site. For people with interest in a particular canary, the site will show any changes we know about,” Nadia Kayyali of the EFF said in a blog post."