
Submission + - Bug in iOS, OSX Allows AirDrop to Write Files Anywhere on File System

Trailrunner7 writes: There is a major vulnerability in a library in iOS that allows an attacker to overwrite arbitrary files on a target device and, when used in conjunction with other techniques, install a signed app that the device will trust without prompting the user with a warning dialog.

The vulnerability lies in a library in both iOS and OS X, and Mark Dowd, the security researcher who discovered it, said he’s been able to exploit the flaw over AirDrop, the feature in OS X and iOS that enables users to send files directly to other devices. If a user has AirDrop set to allow connections from anyone—not just her contacts—an attacker could exploit the vulnerability on a default locked iOS device.

In fact, an attacker can exploit the vulnerability even if the victim doesn’t agree to accept the file sent over AirDrop.

Submission + - Bugzilla Hacked to Steal Private Vulnerability Data

Trailrunner7 writes: Security experts constantly tell users not to reuse passwords on multiple accounts, but the message often falls on deaf ears. Now, officials at Mozilla are finding that advanced users don’t always follow that advice either after discovering that an attacker was able to compromise a Bugzilla user’s account by using a password taken from a data breach on a separate site.

The attacker may have known who he was hitting, because the target was a privileged user who had restricted access to sensitive information about security bugs in Mozilla products. Bugzilla is the bug-tracking system used by Mozilla for its various projects, and while much of the information is public, a subset of it is kept private. Specifically, information about security flaws that are in the process of being fixed or evaluated is kept private until a patch is available or the company decides not to fix it.

Mozilla officials say the attacker in this instance may have had access to the victim’s account since September 2013. The earliest confirmed access was in September 2014. Once in the victim’s account, the attacker apparently was able to steal information about a Firefox vulnerability that Mozilla fixed last month, but only after an exploit for it was seen in the wild.

Submission + - Pile of Bugs in Belkin Routers Allow DNS Spoofing, Credential Theft

Trailrunner7 writes: The CERT/CC is warning users that some Belkin home routers contain a number of vulnerabilities that could allow an attacker to spoof DNS responses, intercept credentials sent in cleartext, access the web management interface, and take other actions on vulnerable routers.

The vulnerabilities affect the Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2 with firmware version 2.10.17, and potentially earlier versions of the firmware as well. The vulnerabilities have not been patched by Belkin, and the advisory from the CERT/CC says there aren’t any practical workarounds for them.

“DNS queries originating from the Belkin N600, such as those to resolve the names of firmware update and NTP servers, use predictable TXIDs that start at 0x0002 and increase incrementally. An attacker with the ability to spoof DNS responses can cause the router to contact incorrect or malicious hosts under the attacker’s control,” the CERT/CC advisory says.
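The predictable transaction IDs the advisory describes are something a network defender can check for from the outside by capturing a router's outbound DNS queries and looking at the sequence of TXIDs. The following is an added example, not code from Belkin or the CERT/CC: it flags a TXID stream as predictable when it contains runs of incrementing IDs (the 0x0002, 0x0003, ... pattern in the advisory) or when the entropy of the differences between consecutive IDs is low. Both TXID sequences in the block are constructed for illustration.

```python
"""Defender-side check for predictable DNS transaction IDs (TXIDs).

A sound resolver draws each 16-bit TXID uniformly at random. A resolver
that hands out a counter (0x0002, 0x0003, ...) lets anyone who sees one
query guess the next one, which is what makes response spoofing practical.
"""
import math
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample: the incrementing pattern described in the advisory.
WEAK_TXIDS = [0x0002 + i for i in range(12)]

# Constructed sample: values that look like a random 16-bit source.
STRONG_TXIDS = [0x1F3A, 0x8C21, 0x03E7, 0xD4B9, 0x5A10, 0xE88F,
                0x2B6C, 0x9F05, 0x47D2, 0xB31E, 0x6E94, 0x0C5B]


def sequential_runs(txids: Iterable[int], min_run: int = 4) -> List[Tuple[int, int]]:
    """Return (start_index, length) for every run of at least ``min_run``
    TXIDs where each value is the previous one plus 1 (mod 2**16)."""
    ids = list(txids)
    runs: List[Tuple[int, int]] = []
    start = 0
    for i in range(1, len(ids) + 1):
        contiguous = i < len(ids) and ids[i] == (ids[i - 1] + 1) % 0x10000
        if not contiguous:
            length = i - start
            if length >= min_run:
                runs.append((start, length))
            start = i
    return runs


def delta_entropy_bits(txids: Iterable[int]) -> float:
    """Shannon entropy (bits) of the differences between consecutive TXIDs.

    Distinct random TXIDs and a plain counter both give distinct *values*, so
    entropy of the raw IDs cannot tell them apart; the deltas can. A counter
    has a single delta (1) and therefore 0 bits; a random source spreads its
    deltas widely.
    """
    ids = list(txids)
    deltas = [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]
    if not deltas:
        return 0.0
    n = len(deltas)
    counts = Counter(deltas)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in counts.values()))


def assess(txids: Iterable[int], min_run: int = 4, min_delta_bits: float = 2.0) -> Dict[str, object]:
    """Summarise a TXID stream; ``predictable`` is True when either test fires.

    ``min_delta_bits`` is a threshold chosen for this example; tune it to the
    sample size you actually capture (the maximum possible is log2(n - 1)).
    """
    ids = list(txids)
    runs = sequential_runs(ids, min_run)
    entropy = delta_entropy_bits(ids)
    return {
        "samples": len(ids),
        "runs": runs,
        "delta_entropy_bits": round(entropy, 2),
        "predictable": bool(runs) or entropy < min_delta_bits,
    }


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_TXIDS), ("strong", STRONG_TXIDS)):
        print(label, assess(sample))
```

In practice the TXIDs would come from a packet capture of the router's WAN-side port 53 traffic (for example the queries it makes for its firmware-update and NTP hosts); a dozen queries is enough to make an incrementing counter obvious, while a random source needs a larger sample before the entropy figure is meaningful.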

Submission + - Zero Day in Android Google Admin App Can Bypass Sandbox

Trailrunner7 writes: The Android security team at Google is having a busy month. First the Stagefright vulnerabilities surfaced last month just before Black Hat and now researchers at MWR Labs have released information on an unpatched vulnerability that allows an attacker to bypass the Android sandbox.

The vulnerability lies in the way that the Google Admin application on Android phones handles some URLs. If another application on the phone sends the Admin app a specific kind of URL an attacker can bypass the Same Origin Policy and get data from the Admin sandbox.

“An issue was found when the Google Admin application received a URL via an IPC call from any other application on the same device. The Admin application would load this URL in a webview within its own activity. If an attacker used a file:// URL to a file that they controlled, then it is possible to use symbolic links to bypass Same Origin Policy and retrieve data out of the Google Admin sandbox,” the advisory from MWR Labs says.

Google did not respond to a request for comment on this story. The vulnerability affects the current version of the app, and may affect earlier versions as well.

Submission + - Attackers Seen Installing Malicious Bootstrap Images on Cisco IOS Devices

Trailrunner7 writes: Cisco is warning enterprise customers about a spike in attacks in which hackers use valid credentials on IOS devices to log in as administrators and then upload malicious ROMMON images to take control of the devices.

The ROM Monitor is the program that initializes the hardware and software on IOS devices, and an attacker who is able to install a modified, malicious image would have persistent access to the compromised device. Cisco’s security team has been contacting customers to warn them about the attacks, which are ongoing.

“Cisco PSIRT has contacted customers to describe an evolution in attacks against Cisco IOS Classic platforms. Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image,” the advisory from Cisco says.

Submission + - OwnStar Device Can Remotely Find, Unlock and Start GM Cars

Trailrunner7 writes: Car hacking just jumped up a few levels. A security researcher has built a small device that can intercept the traffic from the OnStar RemoteLink mobile app and give him persistent access to a user’s vehicle to locate, unlock, and start it.

The device is called OwnStar and it’s the creation of Samy Kamkar, a security researcher and hardware hacker who makes a habit of finding clever ways around the security of various systems, including garage doors, wireless keyboards, and drones. His newest creation essentially allows him to take remote control of users’ vehicles simply by sending a few special packets to the OnStar service. The attack is a car thief’s dream.

Kamkar said that by standing near a user who has the RemoteLink mobile app open, he can use the OwnStar device to intercept requests from the app to the OnStar service. He can then take over control of the functions that RemoteLink handles, including unlocking and remotely starting the vehicle.

Submission + - Honeywell Home Controllers Open to Any Hacker Who Can Find Them Online

Trailrunner7 writes: The accumulation of automation and Internet-connected devices in many homes these days has led observers to coin the term smart homes. But as researchers take a closer look at the security of these devices, they’re finding that what these homes really are is naive.

The latest batch of vulnerabilities to hit home automation equipment are in the Tuxedo Touch controller made by Honeywell, a device that’s designed to allow users to control home systems such as security, climate control, lighting, and others. The controller, of course, is accessible from the Internet, and researcher Maxim Rupp discovered that there are two vulnerabilities in the Tuxedo Touch that could allow an attacker to take arbitrary actions, including unlocking doors or modifying the climate controls in the house.

Submission + - VUPEN Launches New Zero-Day and Exploit Buyer Called Zerodium

Trailrunner7 writes: In the weeks since the Hacking Team breach, the spotlight has shone squarely on the small and often shadowy companies that are in the business of buying and selling exploits and vulnerabilities. One such company, Netragard, this week decided to get out of that business after its dealings with Hacking Team were exposed. But now there’s a new entrant in the field, Zerodium, and there are some familiar names behind it.

The company is affiliated with VUPEN, a vulnerability and exploit broker that often is at the center of discussions about the legality and ethics of such businesses. VUPEN, run by researcher Chaouki Bekrar, is one of the rare companies in that field that does all of its own research and development; it does not buy vulnerabilities or exploits from outside sources. But now, at a time when there has never been more attention from lawmakers, media, and governments, Bekrar has created a new venture that will wade fully into the purchase of bugs and exploits.

Zerodium plans to focus exclusively on buying high-risk vulnerabilities, leaving aside the lower end of the spectrum. The company will use the vulnerabilities it acquires to make up a feed of vulnerabilities, exploits, and defensive measures, that it provides to customers.

Submission + - Four Remotely Exploitable Zero Days Disclosed in Internet Explorer

Trailrunner7 writes: As if all of the vulnerabilities in Flash and Windows discovered in the Hacking Team document cache and the 193 bugs Oracle fixed last week weren’t enough for organizations to deal with, HP’s Zero Day Initiative has released four new zero days in Internet Explorer that can lead to remote code execution.

Each of the four vulnerabilities is in a different component of the browser, but they all are remotely exploitable. The advisories from ZDI say that attackers could exploit these vulnerabilities through typical drive-by attacks.

The oldest vulnerability was discovered as part of the Mobile Pwn2Own contest in November and ZDI disclosed it to Microsoft at the time. ZDI has a policy of disclosing privately reported vulnerabilities after 120 days, even if the affected vendor has not released a patch. Microsoft has not issued patches for any of the four vulnerabilities disclosed by ZDI this week.

Submission + - Hacking Team Claims It Always Sold 'Strictly Within the Law'

Trailrunner7 writes: Hacking Team officials are disputing reports that the company sold its surveillance and intrusion software to oppressive regimes in countries that were under sanction. The company said it sold its products “strictly within the law and regulation as it applied at the time any sale was made.”

The new statement from Hacking Team comes after two weeks of stories resulting from the compromise of the company’s network earlier this month. The Hacking Team breach was devastating, involving the release of 400 GB of data stolen from the company’s system, including emails, customer invoices, and some of the source code for the Hacking Team Remote Control System platform. Some of the more damaging information to emerge from the cache includes documents showing the company sold its surveillance tools to government agencies in Ethiopia, Syria, Sudan, and other oppressive countries.

“The company has always sold strictly within the law and regulation as it applied at the time any sale was made. That is true of reported sales to Ethiopia, Sudan, Russia, South Korea and all other countries,” a statement from the company released Wednesday says.

Marietje Schaake, a Dutch member of the European Union Parliament who has been critical of Hacking Team and other companies that deal in exploits and intrusion software, said Wednesday on Twitter that perhaps laws need to be changed to deal with such sales.

“If #hackingteam acted legally, we must update laws but companies always have choice to act ethically and morally,” she wrote.

Submission + - Netragard Ends Exploit Acquisition Program After Hacking Team Breach

Trailrunner7 writes: Netragard, one of the small number of companies that buys and sells exploits, has shut down its exploit acquisition program in the wake of the HackingTeam breach.

Among the revelations in the cache of documents leaked after the attack on HackingTeam was information about Netragard selling an exploit to the Italian maker of intrusion and surveillance software. The HackingTeam documents also showed that the company sold its products to a variety of customers associated with oppressive regimes, including Egypt and Ethiopia. In the past, HackingTeam officials had denied that they dealt with such customers, but the leaked emails and other documents from the attack earlier this month showed otherwise.

Now, CEO Adriel Desautels said the company has decided to end its exploit acquisition program altogether due to the ethical and political issues it involves.

“We’ve decided to terminate our Exploit Acquisition Program (again). Our motivation for termination revolves around ethics, politics, and our primary business focus. The HackingTeam breach proved that we could not sufficiently vet the ethics and intentions of new buyers. HackingTeam, unbeknownst to us until after their breach, was clearly selling their technology to questionable parties, including but not limited to parties known for human rights violations. While it is not a vendor’s responsibility to control what a buyer does with the acquired product, HackingTeam’s exposed customer list is unacceptable to us. The ethics of that are appalling and we want nothing to do with it,” he said in a blog post over the weekend.

Submission + - OPM hack included fingerprints (nationaljournal.com)

schwit1 writes: The Office of Personnel Management announced last week that the personal data for 21.5 million people had been stolen. But for national security professionals and cybersecurity experts, the more troubling issue is the theft of 1.1 million fingerprints.

Much of their concern rests with the permanent nature of fingerprints and the uncertainty about just how the hackers intend to use them. Unlike a Social Security number, address, or password, fingerprints cannot be changed—once they are hacked, they're hacked for good. And government officials have less understanding about what adversaries could do or want to do with fingerprints, a knowledge gap that undergirds just how frightening many view the mass lifting of them from OPM.

"It's probably the biggest counterintelligence threat in my lifetime," said Jim Penrose, former chief of the Operational Discovery Center at the National Security Agency and now an executive vice president at the cybersecurity company Darktrace. "There's no situation we've had like this before, the compromise of our fingerprints. And it doesn't have any easy remedy or fix in the world of intelligence."

Submission + - Mozilla Disables Flash in Firefox by Default

Trailrunner7 writes: As the zero days in Adobe Flash continue to pile up, Mozilla has taken the unusual step of disabling by default all versions of Flash in Firefox.

The move is a temporary one as Adobe prepares to patch two vulnerabilities in Flash that were discovered as a result of the HackingTeam document dump last week. Both vulnerabilities are use-after-free bugs that can be used to gain remote code execution. One of the flaws is in ActionScript 3 while the other is in the BitmapData component of Flash.

Exploits for these vulnerabilities were found in the data taken from HackingTeam in the attack disclosed last week. An exploit for one of the Flash vulnerabilities, the one in ActionScript 3, has been integrated into the Angler exploit kit already and there’s a module for it in the Metasploit Framework, as well.

Submission + - OPM Director Resigns in Wake of Massive Data Breach

Trailrunner7 writes: The ever-expanding data breach at the Office of Personnel Management has now spread to include the Social Security numbers and other personal data of a total of 21.5 million people, and the toll also now includes the agency’s director, Katherine Archuleta, who resigned Friday morning.

Archuleta had been under an increasing amount of pressure ever since the hack came to light last month. Legislators last month took Archuleta and CIO Donna Seymour to task for not addressing security deficiencies and failing to implement controls such as database encryption and two-factor authentication agency-wide. Archuleta said during the hearing before the House Committee on Oversight and Government Reform that protecting users was her highest priority.

“You have completely and utterly failed, if that was your mission,” Rep. Jason Chaffetz (R-Utah) said during the hearing.

Archuleta informed President Barack Obama on Friday that she was resigning.

Submission + - OpenSSL Patches Critical Certificate-Validation Vulnerability

Trailrunner7 writes: Organizations that installed the June 11 OpenSSL update need to pull it back immediately after a serious certificate validation error was discovered and patched today in a new update.

The bug was reported two weeks ago to the OpenSSL project by Google researcher Adam Langley and BoringSSL’s David Benjamin, and affects only OpenSSL 1.0.1 and 1.0.2.

“It’s a bad bug, but only affects anyone who installed the release from June,” said Rich Salz, a member of the OpenSSL development team. The bug was introduced during that update and affected relatively few organizations. “It’s a bad bug, but the impact is low. We haven’t heard any reports of it being used in production.”

The vulnerability allows an attacker with an untrusted TLS certificate to be treated as a certificate authority and spoof another website. Attackers can use this scenario to redirect traffic, set up man-in-the-middle attacks, phishing schemes and anything else that compromises supposedly encrypted traffic.
