Forgot your password?
typodupeerror

+ - New Cridex Malware Copies Tactics From GameOver Zeus

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "The GameOver Zeus malware had a nice run for itself, making untold millions of dollars for its creators. But it was a run that ended with a multi-continent operation from law enforcement and security researchers to disassemble the infrastructure. Now researchers have identified a new variant of the Cridex malware that has adopted some of the techniques that made GOZ so successful in its day.

Researchers at IBM’s X-Force research team have seen a new version of Cridex, which is also known as Bugat and Feodo, using some of the same techniques that GOZ used to such good effect. Specifically, the new strain of malware has adopted GOZ’s penchant for using HTML injections, and the researchers say the technique is nearly identical to the way that GOZ handled it.

“There are two possible explanations for this. First, someone from the GOZ group could have moved to the Bugat team. This would not be the first time something like this has happened, which we’ve witnessed in other cases involving Zeus and Citadel; however, it is not very likely in this case since Bugat and GOZ are essentially competitors, while Zeus and Citadel are closely related. The second and more likely explanation is that the Bugat team could have analyzed and perhaps reversed the GOZ malware before copying the HTML injections that made GOZ so highly profitable for its operators,” Etay Maor, a senior fraud prevention strategist at IBM, wrote in an analysis of the new malware."

+ - NSA BIOS Backdoor a.k.a. God Mode Malware Part 1: DEITYBOUNCE->

Submitted by Advocatus Diaboli
Advocatus Diaboli (1627651) writes "This article is the first part of a series on NSA BIOS backdoor internals. Before we begin, I’d like to point out why these malwares are classified as “god mode.” First, most of the malware uses an internal (NSA) codename in the realms of “gods,” such as DEITYBOUNCE, GODSURGE, etc. Second, these malwares have capabilities similar to “god mode” cheats in video games, which make the player using it close to being invincible. This is the case with this type of malware because it is very hard to detect and remove, even with the most sophisticated anti-malware tools, during its possible deployment timeframe."
Link to Original Source

+ - Inside the CryptoLocker Takedown

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "The takedown of the GameOver Zeus malware operation in June got more than its share of attention, but it was the concurrent demolition of the CryptoLocker ransomware infrastructure that may prove to have been the most important part of the operation. That outcome was the culmination of months of behind the scenes work by dozens of security researchers who cooperated with law enforcement to trace, monitor and ultimately wreck the careful work and planning of the CryptoLocker crew.

“This was something new. This was ransomware done right,” said John Bambenek, president of Bambenek Consulting, who was involved in the working group that tracked CryptoLocker and talked about the operation at the Black Hat USA conference here Thursday. “It made for a good case study on how to do threat intelligence.”

The working group that came together to defeat CryptoLocker was global and had people with all kinds of different skill sets: malware reverse engineering, math, botnet tracking and intelligence. Some members worked on taking part the domain-generation algorithm while others looked at the command-and-control infrastructure and still others broke down the malware itself. What the researchers began to notice as they dug deeper into the CryptoLocker operation was that the crew behind the ransomware had done a lot of things right, but had also exhibited some oddly inconsistent behaviors."

+ - In the Wake of Snowden's Revelations, A Wave of Innovation

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "It was an absurd scene. Keith Alexander, the director of the NSA and a four-star general in the Army, stood alone on the stage, squinting through the floodlights as members of the standing-room-only crowd shouted insults and accusations. Armed men in dark suits roamed the area in front of the stage, eyeing the restless crowd. Nearby, a man sat with a carton of eggs at his feet, waiting for a chance to let fly.

There were loud calls for Alexander’s resignation throughout the summer, and previous whistleblowers, security experts and some lawmakers said that there was a clear need for reform at Fort Meade. Critics said the agency had taken the expanded powers granted it after 9/11 and run with them. Concurrent advancements in technology gave the NSA a deep bag of tricks for conducting offensive operations and as the details of the TAO toy catalog and other capabilities emerged, the anger and outrage in the security and privacy communities festered. Something had to be done. Things needed to change. And then, oddly enough, things began to change.

As the implications of the NSA’s deep penetration of the Internet began to sink in, small groups of smart technologists and engineers began looking for ways to help users secure their communications. Some of the folks from Silent Circle started a new venture, Blackphone, to produce secure, surveillance-resistant phones for consumer use. Another group of executives from Silent Circle, along with Ladar Levison, the founder of Lavabit, established the Dark Mail Alliance to create a new secure email service. And just last week, Moxie Marlinspike’s Open Whisper Systems released Signal, a new iPhone app that provides secure, encrypted phone calls for free.

There’s no way of knowing whether all of these technologies and changes would’ve come to pass without the Snowden leaks; some of them almost certainly would have. Google was on the path to encrypting its data center links, and Yahoo would likely have followed suit eventually. But there’s no question that the leaked documents, the avalanche of news stories and the massive backlash that followed contributed to the innovation that has followed."

+ - Critical Android FakeID Bug Allows Apps to Impersonate Trusted Apps

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "There is a critical vulnerability in millions of Android devices that allows a malicious app to impersonate a trusted application in a transparent way, enabling an attacker to take a number of actions, including inserting malicious code into a legitimate app or even take complete control of an affected device.

The vulnerability is a result of the way that Android handles certificate validation and it’s present in all versions of Android from 2.1 to 4.4, known as Kit Kat. Researchers at Bluebox Security, who identified the vulnerability, said that in some cases, attackers can exploit the vulnerability to gain full access to a target device. Specifically, devices that run the 3LM administration extension are at risk for a complete compromise. This includes devices from HTC, Pantech, Sharp, Sony Ericsson, and Motorola.

Android apps are signed using digital certificates that establish the identity of the developer and the vulnerability Bluebox discovered is that the Android app installer doesn’t try to authenticate the certificate chain of a given app. That means an attacker can create an app with a fake identity and impersonate an app with extensive privileges, such as an Adobe plug-in or Google Wallet. In the case of the Adobe impersonation, the malicious app would have the ability to escape the sandbox and run malicious code inside another app, the researchers said.

“You could use any app distribution mechanism, whether it’s a link in SMS or a legitimate app store. Look at other Android malware. You do it whatever it takes for the user to say, Yeah I want that app,” Bluebox CTO Jeff Forristal said. “It’s certainly severe. It’s completely stealth and transparent to the user and it’s absolutely the stuff that malware is made of. It operates extremely consistently, so in that regard it’s going to be extremely attractive to malware.”"

+ - Flaw in TAILS Privacy OS is in Its I2P Component

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "The critical vulnerability in the TAILS operating system discovered by researchers at Exodus Intelligence lies in the I2P software that’s bundled with the OS and the company has released some details and a video demonstrating an exploit against the bug. Exodus researchers said that the vulnerability can be used for remote code execution as well as de-anonymization of targeted users on TAILS.

I2P is an anonymity network, somewhat analogous to Tor, that encrypts all of its communications from end to end and enables private and anonymous use of the Internet and resources such as email, chat and Web browsing. Unlike Tor, however, I2P is a packet switched network, rather than a circuit switched one, and the communications its users send and receive are message-based. Each I2P node has an identical level of importance in the network and there are no central servers routing traffic.

Exodus researchers said that the flaw they discovered is present in TAILS for several versions, meaning its effect could be quite widespread.

“The vulnerability we will be disclosing is specific to I2P. I2P currently boasts about 30,000 active peers. Since I2P has been bundled with Tails since version 0.7, Tails is by far the most widely adopted I2P usage. The I2P vulnerability works on default, fully patched installation of Tails. No settings or configurations need to be changed for the exploit to work,” the Exodus team wrote in a post explaining a bit about the flaw."

+ - Researcher Finds Hidden Data-Dumping Services in iOS

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and remove large amounts of users’ personal data. Several of these features began as benign services but have evolved in recent years to become powerful tools for acquiring user data.

Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition and found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called mobile file_relay, can be accessed remotely or through a USB connection can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or law enforcement, Zdziarski said.

Zdziarski discussed his findings in a talk at the HOPE X conference recently and published the slides and paper, as well. The file_relay service has been in iOS for some time and originally was benign, but Zdziarski said that in recent versions it has turned into a tool that can dump loads of user data on command. The file_relay tool can dump a list of the email and social media accounts, the address book, the user cache folder, which contains screenshots, offline content, copy/paste data, keyboard typing cache and other personal data. The tool can also provide a log of periodic location snapshots from the device."

+ - New Critroni Crypto Ransomware is First to Use Tor for Command and Control

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "There’s a new kid on the crypto ransomware block, known as Critroni, that’s been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features and researchers say it’s the first crypto ransomware seen using the Tor network for command and control.

The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims’ machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim’s PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files.

“It uses C2 hidden in the Tor network. Previously we haven’t seen cryptomalware having C2 in Tor. Only banking trojans,” said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat. “Executable code for establishing Tor connection is embedded in the malware’s body. Previously the malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware’s body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general.”"

+ - LibreSSL PRNG Vulnerability Patched ->

Submitted by msm1267
msm1267 (2804139) writes "The OpenBSD project late last night rushed out a patch for a vulnerability in the LibreSSL pseudo random number generator (PRNG).

The flaw was disclosed two days ago by the founder of secure backup company Opsmate, Andrew Ayer, who said the vulnerability was a “catastrophic failure of the PRNG.”

OpenBSD founder Theo de Raadt and developer Bob Beck, however, countered saying that the issue is “overblown” because Ayer’s test program is unrealistic. Ayer’s test program, when linked to LibreSSL and made two different calls to the PRNG, returned the exact same data both times.

“It is actually only a problem with the author’s contrived test program,” Beck said. “While it’s a real issue, it’s actually a fairly minor one, because real applications don’t work the way the author describes, both because the PID (process identification number) issue would be very difficult to have become a real issue in real software, and nobody writes real software with OpenSSL the way the author has set this test up in the article.”"

Link to Original Source

+ - Manuel Noriega sues Activision over Call of Duty

Submitted by mrspoonsi
mrspoonsi (2955715) writes "Manuel Noriega, the former dictator of Panama, is suing Call of Duty's video games publisher.

The ex-military ruler is seeking lost profits and damages after a character based on him featured in Activision's 2012 title Black Ops II. The 80-year-old is currently serving a jail sentence in Panama for crimes committed during his time in power, including the murder of critics. One lawyer said this was the latest in a growing trend of such lawsuits. "In the US, individuals have what's called the right to publicity, which gives them control over how their person is depicted in commerce including video games," explained Jas Purewal, an interactive entertainment lawyer. "There's also been a very well-known action by a whole series of college athletes against Electronic Arts, and the American band No Doubt took action against Activision over this issue among other cases. "It all focuses upon the American legal ability for an individual to be only depicted with their permission, which in practice means payment of a fee. "But Noriega isn't a US citizen or even a resident. This means that his legal claim becomes questionable, because it's unclear on what legal basis he can actually bring a case against Activision.""

+ - A Hacker Artist Sent the NSA an 'Uncrackable' Encrypted Mixtape->

Submitted by Jason Koebler
Jason Koebler (3528235) writes "In late May, hacker artist David Huerta, co-organizer of Art Hack Day and Cryptoparty, sent the NSA one hell of a snail mail. Huerta built a DIY encrypted mixtape using an Arduino board and a transparent acrylic case, containing a "soundtrack for the modern surveillance state." It's a mixtape the NSA won't be able to listen to because of the power of private key-based cryptography."
Link to Original Source

+ - Panel Finds NIST Relied Too Much on NSA in Dual EC Debacle

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "A group of outside experts found that the process that led to the inclusion of the weakened Dual EC_DRBG random number generator in a NIST standard was flawed and there were several failures along the way that led to its approval. The committee also recommended that the National Institute of Standards and Technology increase the number of cryptographers it employs and also that it take steps to clarify and define its relationship with the NSA.

The report from the Visiting Committee on Advanced Technology’s Committee of Visitors, released Monday, found that NIST was overly reliant on the input and expertise of NSA cryptographers and that the organization should have paid more attention to outside criticisms of the algorithm.

“The reconstruction of events showed that the issues with the DRBG had been identified several times – formally and informally – during the standards development process, and that they had been discussed and addressed at the time. NIST now concludes, however, that the steps taken to address the issues were less effective than they should have been, and that the team failed to take actions that, in the light of hindsight, clearly should have been taken. The root causes of the failure were identified as trust in the technical expertise provided by NSA, excessive reliance on an insular community that was somewhat impervious to external feedback, group dynamics within the standards development team, and informal recordkeeping over the course of a multi- year development process,” Ellen Richey, one of the committee members and executive vice president and chief enterprise risk officer at Visa, wrote in her recommendations in the report."

+ - Microsoft Settles with No-IP After Malware Takedown

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "It’s been a weird couple of weeks for Microsoft. On June 30 the company announced its latest malware takedown operation, which included a civil law suit against Vitalwerks, a small Nevada hosting provider, and the seizure of nearly two dozen domains the company owned. Now, 10 days later, Microsoft has not only returned all of the seized domains but also has reached a settlement with Vitalwerks that resolves the legal action.

Some in the security research community criticized Microsoft harshly for what they saw as heavy handed tactics. Within a few days of the initial takedown and domain seizure Microsoft returned all of the domains to Vitalwerks, which does business as No-IP.com. On Wednesday, the software giant and the hosting provider released a joint statement saying that they had reached a settlement on the legal action.

“Microsoft has reviewed the evidence provided by Vitalwerks and enters into the settlement confident that Vitalwerks was not knowingly involved with the subdomains used to support malware. Those spreading the malware abused Vitalwerks’ services,” the companies said in a joint statement.

“Microsoft identified malware that had escaped Vitalwerks’ detection. Upon notification and review of the evidence, Vitalwerks took immediate corrective action allowing Microsoft to identify victims of this malware. The parties have agreed to permanently disable Vitalwerks subdomains used to control the malware.”"

+ - "Evolution = Satan" part of Atlanta Public Schools' Biology Curriculum->

Submitted by McGruber
McGruber (1417641) writes "The young journalists at The Southerner (http://thesoutherneronline.com), the student newspaper at Grady High School in Atlanta, Georgia, recently broke the news that creationism and other Christian religious views are incorporated into the Biology curriculum used by the City of Atlanta Public Schools. As the newspaper put it (http://thesoutherneronline.com/frontpage/?p=29658):

A PowerPoint shown to a freshman biology class featured a cartoon depicting dueling castles, one labeled “Creation (Christ)” and the other labeled “Evolution (Satan).” Balloons attached to the evolution castle were labeled euthanasia, homosexuality, pornography, divorce, racism and abortion...... The PowerPoint, which has more than 50 slides largely consisting of material about evolution, was downloaded from SharePoint, an APS file-sharing database for teachers. It was uploaded by Mary E. King, a project manager at APS who has also uploaded more than 2,000 other documents. Phone calls and emails to King have not been returned. Tommy Molden, science coordinator for APS, also did not respond to requests for comment.

Students were offended by the cartoon:

“[I] have gay parents, and [the cartoon] said that evolution caused homosexuality and it implied that to be negative, so I was pretty offended by it,” [freshman Seraphina Cooley] said.

Cooley said that another student emailed the administration complaining about the PowerPoint.

Freshman Griffin Ricker, who is also in Jones’ class, said [Biology class teacher Anquinette Jones] got angry with the class when she found out students had notified the administration.

“She had a 10-minute rant,” Ricker said. “She yelled and said, ‘This is on the APS website, and it was certified.’”

In case of slashdotting, the student reporting is also posted on a local newspaper's blog (http://www.ajc.com/weblogs/get-schooled/2014/jul/03/evolution-vs-creationism-why-still-issue-grady-or-/)."
Link to Original Source

+ - Microsoft Malware Takedown Causes Waves in Security Community

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "Microsoft’s latest takedown of a malware operation, announced Monday and involving the infrastructure of several malware families, has, like many of the company’s actions, elicited strong opinions on both sides of the issue from security researchers, activists and others with a stake in the game. This takedown didn’t involve simply hitting the C2 infrastructure of a botnet, but also includes legal action against a hosting company, No-IP.com, which has called out Microsoft for its tactics and raised a lot of questions in the security community, as well.

Microsoft officials said No-IP was a nest of malware activity, but officials at the hosting provider denied this and said Microsoft never even contacted them. Meanwhile, security researchers aren't too happy with Redmond's tactics either. Claudio Guarnieri, an independent botnet researcher, said Microsoft severely overstepped.

“Any other way would have been a better one. Microsoft is building legal precedents to be able to indiscriminately police the Internet at their own discretion. It is absolutely intolerable that Microsoft feels entitled to “take to task” another company and seize its assets, apparently without having explored all possible avenues as No-IP’s statement indicates. Microsoft’s DCU has been disrespectful and uncooperative in many of its recent operations and I’m sure the community will start protesting and refusing to work with them in the future,” he said.

“Whether No-IP was or was not cooperative is irrelevant (still consider that it’s a very small organization), the fact that Microsoft decided “school” them and severely damage their business because they didn’t live up to Microsoft’s own standards is ludicrous.”"

Some people have a great ambition: to build something that will last, at least until they've finished building it.

Working...