NSA Planned to Hijack Google App Store to Hack Smartphones

Submitted by Advocatus Diaboli
Advocatus Diaboli writes: "The National Security Agency and its closest allies planned to hijack data links to Google and Samsung app stores to infect smartphones with spyware, a top-secret document reveals. The surveillance project was launched by a joint electronic eavesdropping unit called the Network Tradecraft Advancement Team, which includes spies from each of the countries in the “Five Eyes” alliance — the United States, Canada, the United Kingdom, New Zealand and Australia."

"The newly published document shows how the agencies wanted to “exploit” app store servers – using them to launch so-called “man-in-the-middle” attacks to infect phones with the implants. A man-in-the-middle attack is a technique in which hackers place themselves between computers as they are communicating with each other; it is a tactic sometimes used by criminal hackers to defraud people. In this instance, the method would have allowed the surveillance agencies to modify the content of data packets passing between targeted smartphones and the app servers while an app was being downloaded or updated, inserting spyware that would be covertly sent to the phones."


Stanford Research Outs Would-Be Hacker Marketplace

Submitted by Anonymous Coward
An anonymous reader writes: What if there were an Uber for hackers? Well, there is. It's called Hacker's List, and it made the front page of the New York Times this year. Anyone can post or bid on an 'ethical' hacking project.

According to new Stanford research, however, the site is a wreck. 'Most requests are unsophisticated and unlawful, very few deals are actually struck, and most completed projects appear to be criminal.'

And it gets worse. 'Many users on Hacker’s List are trivially identifiable,' with an email address or Facebook account. The research dataset includes thousands of individuals soliciting federal crimes.

Researchers Uncover TLS Bug Likely Used by NSA to Break VPNs

Submitted by Trailrunner7
Trailrunner7 writes: Researchers have uncovered a flaw in the way that some servers handle the Diffie-Hellman key exchange, a bug that’s somewhat similar to the FREAK attack and threatens the security of many Web and mail servers. The bug affects all of the major browsers and any server that supports export-grade 512-bit Diffie-Hellman cryptography.

The most serious threat from this issue likely is from advanced attackers with significant resources, i.e., intelligence agencies and other state-level attackers. The researchers behind the new attack technique say that information contained in the NSA documents stolen and leaked by Edward Snowden shows that the agency may have been able to break the prime numbers used in Diffie-Hellman key exchange. That would give the agency access to the traffic to and from the VPN, HTTPS and SSH servers whose security depends upon those primes.

The vulnerability can be exploited by a technique being called the Logjam attack, which allows an attacker to downgrade a vulnerable server to a weak, 512-bit connection. As in the FREAK attack, this requires the attacker to be in a man-in-the-middle position, but if the attack is successful, it would give the attacker the ability to read any of the supposedly secure traffic on that connection. The vulnerability derives from an issue in the TLS protocol itself.

But the newest discovery may be the most important, given the implications for the security of systems such as VPNs and SSH servers.

“Our calculations suggest that it is plausibly within NSA’s resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups. This would allow them to break any key exchanges made with those groups in close to real time. If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks: How is NSA defeating the encryption for widely used VPN protocols?” the researchers say in their paper.

The Wonderfully Terrible Finale of CSI: Cyber

Submitted by Trailrunner7
Trailrunner7 writes: It’s been a couple of months since we left our heroes on CSI: Cyber, and boy, have they been busy. They have apparently solved many crimes using cyber-sleuthing, acquired some decidedly non-cyber firearms skills, and, in the case of our man Krumitz, taken up running. We wanted to check in and see how our merry band of crime solvers is getting along, so the Threatpost staff, Mike Mimoso, Dennis Fisher, Chris Brook and Brian Donohue, decided to sit down for a running chat during the first part of the two-episode season finale. Because some of us are old and can’t stay up that late, and honestly, who can sit through two straight hours of this?

The cast of characters is still the same. Avery Ryan, the head of the FBI’s Cyber Crime Division, leads her crew of mismatched misfits into the deep web to tackle a cyber theft of some weird imaginary currency called “Bitcoins”. These coins, which apparently are made up of red electricity, were stolen from a laptop at a family owned jewelry store. The laptop was locked in a vault, because of course it was. Our heroes are called in to recover the valuable electrons and save the shop owners’ retirement plans. (This is a little-known service the FBI provides.)

The Mathematician Who Loves Hitting People

Submitted by HughPickens.com
HughPickens.com writes: Kate Murphy writes at NYT about mathematician John Urschel whose latest contribution to the mathematical realm was a paper for the Journal of Computational Mathematics with the impressively esoteric title, "A Cascadic Multigrid Algorithm for Computing the Fiedler Vector of Graph Laplacians." "Believe me, I am aware that terms such as multigrid, Fiedler, and vector are not words that people use in their daily lives," says Urschel.

But as an offensive guard for the Baltimore Ravens, John Urschel regularly goes head to head with the top defensive players in the NFL and does his best to keep quarterback Joe Flacco out of harm's way. "I play because I love the game. I love hitting people," Urschel writes. "There's a rush you get when you go out on the field, lay everything on the line and physically dominate the player across from you. This is a feeling I'm (for lack of a better word) addicted to, and I'm hard-pressed to find anywhere else."

Urschel acknowledges that he has faced questions from NFL officials, journalists, fans and fellow mathematicians about why he runs the risk of potential brain injury from playing football when he has "a bright career ahead of me in mathematics" but doesn't feel able to quit. "When I go too long without physical contact I'm not a pleasant person to be around. This is why, every offseason, I train in kickboxing and wrestling in addition to my lifting, running and position-specific drill work."

Smart Grid Meter Homegrown Security Protocol Crushed By Researchers

Submitted by plover
plover writes: According to this article in ThreatPost,

Two researchers, Phillip Jovanovic of the University of Passau in Germany and Samuel Neves of the University of Coimbra in Portugal, published a paper exposing encryption weaknesses in the protocol.

The paper, “Dumb Crypto in Smart Grids: Practical Cryptanalysis of the Open Smart Grid Protocol” explains how the authenticated encryption scheme used in the OSGP is open to numerous attacks—the paper posits a handful—that can be pulled off with minimal computational effort. Specifically under fire is a homegrown message authentication code called OMA Digest.

Windows 10 Edge Browser Seen as Major Security Upgrade

Submitted by Trailrunner7
Trailrunner7 writes: For many years now, the browser has been the most dangerous piece of software on most users’ machines. Attackers love to target browsers and a remote code execution bug in a major browser is gold for them. The browser vendors have been making gradual changes to better protect users in recent years, and now Microsoft is completely revamping the security of its main browser, adding a slew of new protections and exploit mitigations.

The browser included with the upcoming release of Windows 10 will be known as Edge, and it will have a number of security features designed to protect against the most common memory corruption and phishing attacks. And, significantly, Edge will not include support for many of the more dangerous and commonly abused extensions, such as ActiveX and VB Script.

Most of the changes that Microsoft is making with Edge are behind the scenes and won’t be visible to users. That includes the new exploit mitigations and some improvements to the sandbox, which was introduced in Internet Explorer 7 several years ago. Edge will include two features designed to protect against memory corruption attacks, MemGC and Control Flow Guard, that are on by default. The former is a mitigation that will help the browser defend against attacks on use-after-free vulnerabilities, which have become prevalent recently.

“When it comes to protecting the browser itself, Microsoft has been making some pretty big leaps forward in terms of security. We have to continue to applaud them for making the right decisions. For example, the choice to remove support for antiquated and insecure technology like ActiveX is a move long overdue. Better containerization of the application and better memory protections are also much needed and appreciated steps in the right direction,” Andrew Storms, VP of security services at New Context, said.

NFL Releases Deflategate Report

Submitted by _xeno_
_xeno_ writes: You may remember back in February that Slashdot covered the NFL asking Columbia University for help investigating Deflategate, a scandal where the New England Patriots were caught deflating their footballs in order to make them easier to catch. The Patriots claimed this was simply a result of the weather, while their opponents disagreed. Well, it's been months, but we finally have our answer: the balls were, in fact, knowingly deflated by the Patriots (to no one's surprise). And while science can explain a little deflation, it cannot explain the amount of deflation seen during the game. Which isn't stopping Boston fans from attacking the science.

Sorority Files Lawsuit After Sacred Secrets Posted on Penny Arcade Forums

Submitted by Limekiller42
Limekiller42 writes: Lawyers for the Phi Sigma Sigma sorority have filed suit in Seattle's King County Superior Court against an unidentified person for "publicizing the sorority’s secret handshake, robe colors and other practices." The well-written article is by Levi Pulkkinen of the Seattle Post-Intelligencer and states that the sorority is seeking a restraining order and financial compensation for damages.

ICU Project Patches Memory Vulnerabilities

Submitted by msm1267
msm1267 writes: Multitudes of software packages that make use of the ICU Project C/C++ and Java libraries may need to update after a pair of memory-based vulnerabilities were discovered and subsequently patched.

Version 55.1 of the ICU Project ICU4C library, released yesterday, addresses separate heap-based buffer overflow and integer overflow bugs in versions 52 through 54. Older versions of the library could also be affected, said researcher Pedro Ribeiro of Agile Information Security, who discovered the vulnerabilities while fuzzing LibreOffice, one of the numerous open source and enterprise software packages that are built using the library.


The Usbkill Anti-Forensics Script That Renders PCs Useless

Submitted by Trailrunner7
Trailrunner7 writes: The idea of needing to disable a computer quickly as the police–or another potential adversary–comes through the door typically has been the concern of criminals. But in today’s climate activists, journalists, and others may find themselves wanting to make their laptops unusable in short order, and that’s where usbkill comes in.

The new tool is a small Python script that users can download and run on any machine. The script then will monitor the machine for any changes in state on the USB ports, like when someone removes or plugs in a USB drive. If a state change is detected, the usbkill script then will disable the machine immediately.

“Usbkill keeps watch on the computer’s usb ports, and if any change is observed it will shut down (kill) the computer. This means that if you add or remove a usb drive, the computer (running usbkill) will immediately crash,” the script's developer, who uses the name Hephaest0s, said.

“For additional security one might attach a usb key to one’s wrist (using a lace) and plug it into the computer, to start the usbkill program after the usb is inserted. If your computer is forcefully removed from you, the usb attached to your wrist will likely be removed from your computer, killing it. This essentially means you have a usb-dead-switch for your computer.”

Researcher Bypasses Google Password Alert for Second Time

Submitted by Trailrunner7
Trailrunner7 writes: A security researcher has developed a method–actually two methods–for defeating the new Chrome Password Alert extension that Google released earlier this week.

The Password Alert extension is designed to warn users when they’re about to enter their Google passwords into a fraudulent site. The extension is meant as a defense against phishing attacks, which remain a serious threat to consumers despite more than a decade of research and warnings about the way the attacks work.

Just a day after Google released the extension, Paul Moore, a security consultant in the U.K., developed a method for bypassing the extension. The technique involved using Javascript to look on a given page for the warning screen that Password Alert shows users. The method Moore developed then simply blocks the screen, according to a report on Ars Technica. In an email, Moore said it took him about two minutes to develop that bypass, which Google fixed in short order.

However, Moore then began looking more closely at the code for the extension, and Chrome itself, and discovered another way to get around the extension. He said this one likely will be more difficult to repair.

“The second exploit will prove quite difficult (if not near impossible) to resolve, as it leverages a race condition in Chrome which I doubt any single extension can remedy. The extension works by detecting each key press and comparing it against a stored, hashed version. When you’ve entered the correct password, Password Alert throws a warning advising the user to change their password,” Moore said.

Once a Forgotten Child, OpenSSL's Future Now Looks Bright

Submitted by Trailrunner7
Trailrunner7 writes: Rarely does anything have a defined turning point in its history, a single day where people can point and say that was the day everything changed.

For OpenSSL, that day was April 7, 2014, the day that Heartbleed became part of the security lexicon. Heartbleed was a critical vulnerability in the venerable crypto library. OpenSSL is everywhere, in tens of thousands of commercial and homespun software projects. And so too, as of last April, was Heartbleed, an Internet-wide bug that leaked enough memory that a determined hacker could piece together anything from credentials to encryption keys.

“Two years ago, it was a night-and-day difference. Two years ago, aside from our loyal user community, we were invisible. No one knew we existed,” says Steve Marquess, cofounder, president and business manager of the OpenSSL Foundation, the corporate entity that handles commercial contracting for OpenSSL. “OpenSSL is used everywhere: hundreds, thousands of vendors use it; every smartphone uses it. Everyone took that for granted; most companies have no clue they even used it.”

To say OpenSSL has been flipped on its head—in a good way—is an understatement.

Heartbleed made the tech world realize that the status quo wasn’t healthy to the security and privacy of ecommerce transactions and communication worldwide. Shortly after Heartbleed, the Core Infrastructure Initiative was created, uniting The Linux Foundation, Microsoft, Facebook, Amazon, Dell, Google and other large technology companies in funding various open source projects. OpenSSL was the first beneficiary, getting enough money to hire Dr. Steve Henson and Andy Polyakov as its first full-timers. Henson, who did not return a request to be interviewed for this article, is universally known as the one steady hand that kept OpenSSL together, an unsung hero of the project who along with other volunteers handled bug reports, code reviews and changes.

Congress and Its Crypto Craziness

Submitted by Trailrunner7
Trailrunner7 writes: Crazy is never in short supply in Washington. Through lean times and boom times, regardless of who is in the White House or which party controls the Congress, the one resource that’s reliably renewable is nuttery.

This is never more true than when that venerable and voluble body takes up a topic with some technical nuance to it. The appearance of words such as “Internet”, “computers” or “technology” in the title of a committee hearing strikes fear into the hearts of all who use such things. This is the legislative body, after all, that counted among its members the late Sen. Ted Stevens, who so eloquently described the Internet as a series of tubes.

And so when a panel with the wonderfully Orwellian name of the House Committee on Oversight and Government Reform announced a hearing titled “Encryption Technology and Potential U.S. Policy Responses”, the expectations in the security and crypto communities were for plenty of crazy. And it delivered in spades, but perhaps not in the way observers had expected.

The committee hearing was a response to the recent conversations in Washington circles about the need for backdoors in encryption technologies to enable lawful access by the FBI and other agencies. Cryptographers have said consistently that such systems simply don’t work, as they inevitably will allow access for attackers as well as law enforcement, never mind the huge technical challenges of implementing them.

The fact that the decisions by Apple and Google are a result of the NSA's actions did not get past Rep. Ted Lieu (D-Calif.), a man with computer science and law degrees and a clear grasp of the issue at hand.

“I take great offense to your testimony today,” Lieu said to Conley. “It’s a fundamental misunderstanding of the problem. Why do you think companies like Apple and Google are doing this? It’s not to make less money. It’s because the public is asking for it.

“This is a private sector response to government overreach. Let me make another statement, that somehow these technology companies aren’t credible because they collect private data. Here’s the difference: Apple and Google don’t have coercive powers. District attorneys do. The FBI does. The NSA does. And to me it’s very simple to draw the privacy balance when it comes to law enforcement privacy. Just follow the damn Constitution. And because the NSA and other law enforcement agencies didn’t do that, you’re seeing a vast public reaction to this."

New Zero Day Disclosed in WordPress Core Engine

Submitted by Trailrunner7
Trailrunner7 writes: WordPress security issues have for the most part involved a vulnerable plug-in, but a Finnish researcher has disclosed some details on a zero-day vulnerability he discovered in the WordPress 4.2 and earlier core engine that could lead to remote code execution on the webserver.

Jouko Pynnonen of Klikki Oy reported a new and unpatched stored cross-site scripting vulnerability in the platform; a similar bug was patched this week by WordPress developers, but only 14 months after it was reported.

The vulnerability allows an attacker to inject JavaScript in the WordPress comment field; the comment has to be at least 66,000 characters long and it will be triggered when the comment is viewed, Pynnonen said.

“An unauthenticated attacker can store JavaScript on WordPress pages and blog posts. If triggered by an administrator, this leads to server-side code execution under default settings,” Pynnonen said. “A usable comment form is required. It looks like the script is not executed in the admin Dashboard, but only when viewing the post/page where the comment was entered. If comment moderation is enabled (the default setting) then the comment won’t appear on the page until it has been approved by an admin/moderator. Under default settings, after one ‘harmless’ comment is approved, the attacker is free from subsequent moderation and can inject the exploit to several pages and blog posts.”
