writes: For years, Apple has enjoyed a pretty good reputation among users for the security of its products. That halo has been enhanced by the addition of new security features such as Gatekeeper and XProtect to OS X recently, but one researcher said that all of those protections are simple to bypass and gaining persistence on a Mac as an attacker isn’t much of a challenge at all.
Gatekeeper is one of the key technologies that Apple uses to prevent malware from running on OS X machines. It gives users the ability to restrict which applications can run on their machines by choosiing to only allow apps from the Mac App Store. With that setting in play, only signed, legitimate apps should be able to run on the machine. But Patrick Wardle, director of research at Synack, said that getting around that restriction is trivial.
“Gatekeeper doesn’t verify an extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper,” Wardle said in a talk at the RSA Conference here Thursday. “It only verifies the app bundle.”
“If Macs were totally secure, I wouldn’t be here talking,” Wardle said. “It’s trivial for any attacker to bypass the security tools on Macs.”
writes: There is a serious vulnerability in all supported versions of Windows that can allow an attacker who has control of some portion of a victim’s network traffic to steal users’ credentials for valuable services. The bug is related to the way that Windows and other software handles some HTTP requests, and researchers say it affects a wide range of applications, including iTunes and Adobe Flash.
The vulnerability, disclosed Monday by researchers at Cylance, is an extension of research done by Aaron Spangler nearly 20 years ago, and it’s known as Redirect to SMB. This weakness can enable an attacker to force victims to try to authenticate to an attacker-controlled server.
“This is a novel attack that can be easily abused to significantly increase the exploitability of Windows client systems communicating on untrusted or compromised networks. While tools like KARMA, Metasploit, and Responder.py depend on the user to make a SMB connection back to the attacker, the Cylance research improves on the attack by abusing how HTTP redirects are handled by callers of the URLMon API,” said HD Moore, chief research officer at Rapid 7.
“The Cylance research shows that instead of waiting for the user to open their browser or manually connect to a network share, an attacker can look for automated HTTP requests sent by background applications and redirect these to file:// URLs, triggering a SMB connection and automatic authentication. Given how many applications a typical laptop or tablet has running in the background, this can drastically speed up SMB capture and relay attacks against Windows-based laptops and tablets connecting to insecure wireless networks."
writes: Chinese attackers used the Great Firewall’s offensive sister-system, named the Great Cannon, to launch a recent series of distributed denial of service attacks targeting the anti-censorship site, GreatFire.org, and the code repository, Github, which was hosting content from the former.Link to Original Source
writes: When it was revealed late last month that a Chinese certificate authority had allowed an intermediate CA to issue unauthorized certificates for some Google domains, both Google and Mozilla reacted quickly and dropped trust in CNNIC altogether, Apple has kept the root certificates in its trusted store for both iOS and OSX.
Apple on Wednesday released major security upgrades for both of its operating systems and the root certificate for CNNIC, the Chinese CA at the heart of the controversy, remain in the trusted stores for iOS and OSX. The company has not made any public statements on the incident or the continued inclusion of CNNIC’s certificates in the trusted stores.
writes: What's next for TrueCrypt now that a two-phase audit of the code and its cryptography uncovered a few critical vulnerabilities, but no backdoors? Two alternative open source encryption projects forked TrueCrypt once its developers decided to abandon the project in early 2014, giving rise to VeraCrypt and CipherShed--and both are ready to accelerate growth, compatibility and functionality now that the TrueCrypt code has been given a relative clean bill of health.Link to Original Source
writes: Telescopes have been picking up so-called fast radio bursts (FRBs) since 2001. They last just a few milliseconds and erupt with about as much energy as the sun releases in a month. Ten have been detected so far, most recently in 2014, when the Parkes Telescope in New South Wales, Australia, caught a burst in action for the first time. The others were found by sifting through data after the bursts had arrived at Earth. No one knows what causes them, but the brevity of the bursts means their source has to be small – hundreds of kilometres across at most – so they can't be from ordinary stars. And they seem to come from far outside the galaxy.
The weird part is that they all fit a pattern that doesn't match what we know about cosmic physics.Link to Original Source
writes: Students at St. Mary’s University in Nova Scotia, Canada, participating in Mozilla’s Winter of Security 2014 project, built a browser-based threat modeling tool that simplifies visualization of systems and data flows, and where soft spots might be introduced during design.
The tool, called Seasponge, has been made available on Github and its developers are hoping to not only get feedback and feature suggestions, but also hope to encourage developers to introduce threat modeling into SDLs in order to fix bugs while in design when it’s cheap to do so.Link to Original Source
writes: Google has taken the unusual step of completely removing trust from Chrome for the Chinese certificate authority CNNIC in the wake of an incident in which certificates issued by the CA were misused.
Google officials announced the severe decision on Wednesday, saying that it was made after an investigation by the company and CNNIC. The decision comes a couple of weeks after Google officials discovered that a certificate issued by CNNIC to MCS Holdings, an intermediate CA, was being used in a man-in-the-middle proxy to intercept traffic to some Google domains. Google and other browser vendors had removed trust from their browsers for the misused certificate, but Google has now taken the further step of dropping CNNIC from the Chrome trust store altogether.
The removal of CNNIC from Chrome’s trust store will have the effect of causing all of the certificates issued by the company to be marked as untrusted by the browser. This could leave users confused about the authenticity of the sites they’re visiting if they’re unaware of the decision by Google.
One historical analog for the CNNIC incident is a similar one in 2012 involving Trustwave, which issued a certificate to a customer that was intended to be used in a DLP system. Google did not completely remove Trustwave from Chrome’s trust store after that incident.
writes: Mozilla has released Firefox 37, and along with the promised addition of the OneCRL certificate revocation list, the company has included a feature that enables opportunistic encryption on connections for servers that don’t support HTTPS.
The new feature gives users a new defense against some forms of monitoring and doesn’t require any setup from users. When Web servers are configured correctly to provide a specific response header, Firefox will begin sending requests to the indicated encrypted port rather than in cleartext to port 80. Opportunistic encryption isn’t a replacement for SSL, as it’s not authenticated, but it can provide a alternative for organizations that can’t migrate fully to HTTPS for one reason or another.
“OE provides unauthenticated encryption over TLS for data that would otherwise be carried via clear text. This creates some confidentiality in the face of passive eavesdropping, and also provides you much better integrity protection for your data than raw TCP does when dealing with random network noise. The server setup for it is trivial,” Patrick McManus of Mozilla wrote in a post explaining the new feature.
writes: A security researcher says there is a bug in the Instagram API that could enable an attacker to post a message with a link to a page he controls that hosts a malicious file, but when the user downloads the file it will appear to come from a legitimate Instagram domain, leading the victim to trust the source.
The issue, a reflected filename download bug, lies in the public API for the Instagram service, which is owned by Facebook. Researcher David Sopas of WebSegura in Portugal found that by using the access token from any user’s account, pasting some code into the bio field in a user’s account and using some other little tricks, he could produce a file download link that seems to be hosted on a legitimate Instagram domain.
The attacker could host any malicious file he chooses at the target location, including malware. Sopas said he has been unable to convince Facebook security engineers that RFD issues are security vulnerabilities. He said they told him the issue was not a priority.
“Many companies still don’t understand that RFD is very dangerous and combined with other attacks like phishing or spam it could lead to massive damage,” Sopas said via email.
writes: Google security engineers, investigating fraudulent certificates issued for several of the company’s domains, discovered that a Chinese certificate authority was using an intermediate CA, MCS Holdings, that issued the unauthorized Google certificates, and could have issued certificates for virtually any domain.
Google’s engineers were able to block the fraudulent certificates in the company’s Chrome browser by pushing an update to the CRLset, which tracks revoked certificates. The company also alerted other browser vendors to the problem, which was discovered on March 20. Google contacted officials at CNNIC, the Chinese registrar who authorized the intermediate CA, and the officials said that they were working with MCS to issue certificates for domains that it registered.
But, instead of simply doing that, and storing the private key for the registrar in a hardware security module, MCS put the key in a proxy device designed to intercept secure traffic.
writes: The federal government is seeking more legal power to step in and shut down botnets through an amendment to the existing criminal law, which would allow the Department of Justice to obtain injunctions to disrupt these malicious networks.
The Obama administration has proposed an amendment to existing United Stated federal law that would give it a more powerful tool to go after botnets such as GameOver Zeus, Asprox and others. In recent years, Justice, along with private security firms and law enforcement agencies in Europe, have taken down various incarnations of a number of major botnets, including GameOver Zeus and Coreflood. These actions have had varying levels of success, with the GOZ takedown being perhaps the most effective, as it also had the effect of disrupting the infrastructure used by the CryptoLocker ransomware.
In order to obtain an injunction in these cases, the government would need to sue the defendants in civil court and show that its suit is likely to succeed on its merits.
“The Administration’s proposed amendment would add activities like the operation of a botnet to the list of offenses eligible for injunctive relief. Specifically, the amendment would permit the department to seek an injunction to prevent ongoing hacking violations in cases where 100 or more victim computers have been hacked. This numerical threshold focuses the injunctive authority on enjoining the creation, maintenance, operation, or use of a botnet, as well as other widespread attacks on computers using malicious software (such as “ransomware” ),” Caldwell wrote.
writes: Spies thrive only when they’re able to quietly infiltrate targets and slither away unnoticed; this principle is the same whether we’re talking about the physical world, or digital.
The recently uncovered Equation APT group is prime example of the investment nation-state sponsored attackers make in stealth. The group, which researchers at Kaspersky Lab speculate has been active since 2001—perhaps as far back as 1996—took great pains to avoid detection with this super valuable espionage platform. It was selective about against whom it was deployed, found unique ways to store stolen data, and developed more than 100 plug-ins, each with a specific function, that are deployed only to certain targets holding certain information.
Today, researchers at Kaspersky Lab released a deeper analysis of the older attack platform used by the Equation group. EquationDrug is a complete platform that is selectively installed on targets’ computers. It is used to deploy any of 116 modules (Kaspersky says it has found only 30 so far); the modules support a variety of cyberespionage functions ranging from data exfiltration to monitoring a target’s activities local activities and on the Web.
The 30 modules analyzed by Kaspersky represent a wide cut of capabilities present in the EquationDrug platform. Many of the modules perform system-level functions, gathering data specific to the target computer such as operating system versions, time zone details, Windows management instrumentation, and much more. There are also modules that allow the attackers to manage target computers, enabling them to manipulate processes, load drivers and libraries or manage files and directories. Network traffic can be stolen or re-routing; there are modules for tampering with DNS resolution, for example.
Yet other modules keep tabs on user activity, learning what network shares and resources the machine has access to, steal cached passwords, monitor live user activity in web browsers and browser history, monitor removable storage drive usage, log keystrokes and clipboard storage, and run a passive backdoor that runs Equation shellcode from raw traffic.
writes: A five-year-old Microsoft patch for the .LNK vulnerability exploited by Stuxnet failed to properly protect Windows machines, leaving them exposed to exploits since 2010.
Microsoft today is expected to release a security bulletin, MS15-020, patching the vulnerability (CVE-2015-0096). It is unknown whether there have been public exploits of patched machines. The original LNK patch was released Aug. 2, 2010.
“That patch didn’t completely address the .LNK issue in the Windows shell, and there were weaknesses left behind that have been resolved in this patch,” said Brian Gorenc, manager of vulnerability research with HP's Zero Day Initiative. Gorenc said the vulnerability works on Windows machines going back to Windows XP through Windows 8.1, and the proof of concept exploit developed by Heerklotz and tweaked by ZDI evades the validation checks put in place by the original Microsoft security bulletin, CVE-2010-2568.
The vulnerability was submitted to ZDI by German researcher Michael Heerklotz.Link to Original Source
writes: Software, from web apps, to operating systems to firmware, has been abused and exploited every which way from Sunday for decades by both researchers and attackers. Now, it is hardware’s turn in the spotlight, as researchers have published details of a new method for exploiting a problem with some DRAM memory devices that can allow attackers to get low-level access to target machines.
The problem is being called “rowhammer”, as it’s a method for repeatedly hammering on rows of cells of memory in DRAM devices to induce cells to flip from one state to another. Using a new technique to exploit the rowhammer issue, researchers at Google were able to produce these bit flips in cells and gain kernel-level privileges. Security researchers say the technique is some of the more important work done on exploitation in recent years and could affect a huge number of laptops and desktop machines.
Researcher Mark Seaborn on Monday published a detailed technical explanation of techniques to exploit the rowhammer issue, which was described earlier in an academic paper by researchers from Intel and Carnegie Mellon University. The basic concept behind rowhammer relies on the fact that the cells of memory on DRAM devices have become closer and closer together over time, meaning that it has become more difficult to prevent electrons from jumping from one cell to another. By accessing target cells in DRAM over and over again, an attacker can disturb a cell adjacent to the target cells, causing it to “bit flip” under some circumstances.
“‘Rowhammer’ is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process,” Seaborn wrote in his post.
“[It] is a brilliant attack and because it’s a hardware flaw, there are really no ways to patch it,” said Alfredo Ortega, a longtime security researcher and co-founder of Groundworks Technologies.