writes "The NSA has a new director, a slew of new challenges and any number of new capabilities at its disposal. But it seems that the agency is intent on fighting the same old battles.
Even as fresh revelations about the extent of the NSA’s efforts to get access to encryption keys for mobile communications continue to unspool, the agency’s director is advocating for some form of legal, direct access to encrypted communications. Mike Rogers, director of the NSA and head of the U.S. Cyber Command, said at an event yesterday that it’s important for a legal framework to be put in place to govern how intelligence agencies can access secure communications.
Bruce Schneier, cryptographer and CTO of Resilient Systems, asked Rogers directly about that problem during the event held by the New America Foundation and was unsatisfied by the answer. For Schneier, the rhetoric and the lack of technical understanding coming from the government are eerily reminiscent of the crypto wars of the 1990s.
“If someone sat Rogers down and described Clipper to him, I think he would say, ‘I want that,'” Schneier said. “He says we need a legal rule, but that can’t solve the technical problems. This is a place where policy and technology collide in a way that it limits the solution space. There’s a belief that this is just a technical problem and we can solve it.”"
writes "Researchers at Kaspersky Lab have uncovered a cyberespionage group that has been operating for at least 15 years and has worked with and supported the attackers behind Stuxnet, Flame and other highly sophisticated operations. The attackers, known as the Equation Group, used two of the zero days contained in Stuxnet before that worm employed them and have used a number of other infection methods, including interdicting physical media such as CDs and inserting their custom malware implants onto the discs.
Some of the techniques the group has used are closely associated with tactics employed by the NSA, specifically the interdiction operations and the use of the LNK vulnerability exploit by Stuxnet.
The Equation Group has a massive, flexible and intimidating arsenal at its disposal. Along with using several zero days in its operations, the attack crew also employs two discrete modules that enable them to reprogram the hard drive firmware on infected machines. This gives the attackers the ability to stay persistent on compromised computers indefinitely and create a hidden storage partition on the hard drive that is used to store stolen data. At the Security Analyst Summit here Monday, researchers at Kaspersky presented on the Equation Group’s operations while publishing a new report that lays out the inner workings of the crew’s tools, tactics and target list. The victims include government agencies, energy companies, research institutions, embassies, telecoms, universities, media organizations and others. Countries targeted by this group include Russia, Syria, Iran, Pakistan, China, Yemen, Afghanistan, India but also US and UK, between and several others."
writes "WordPress has become a huge target for attackers and vulnerability researchers, and with good reason. The software runs a large fraction of the sites on the Internet and serious vulnerabilities in the platform have not been hard to come by lately. But there’s now a bug that’s been disclosed in all versions of WordPress that may allow an attacker to take over vulnerable sites.
The issue lies in the fact that WordPress doesn’t contain a cryptographically secure pseudorandom number generator. A researcher named Scott Arciszewski made the WordPress maintainers aware of the problem nearly eight months ago and said that he has had very little response.
The consequences of an attack on the bug would be that the attacker might be able to predict the token used to generate a new password for a user’s account and thus take over the account. Arciszewski has developed a patch for the problem and published it, but it has not been integrated into WordPress. He said he has had almost no communication from the WordPress maintainers about the vulnerability, save for one tweet from a lead developer that was later deleted.
Arciszewski said he has not developed an exploit for the issue but said that an attacker would need to be able to predict the next RNG seed in order to exploit it.
“There is a rule in security: attacks only get better, never worse. If this is not attackable today, there is no guarantee this will hold true in 5 or 10 years. Using /dev/urandom (which is what my proposed patch tries to do, although Stefan Esser has highlighted some flaws that would require a 4th version before it’s acceptable for merging) is a serious gain over a userland RNG,” he said by email."
writes "The last year has seen a big swing in the support from the technology community for open-source security tools, many of which are maintained by tiny staffs or volunteers. OpenSSL last year received a large chunk of funding from the Core Infrastructure Initiative, and now it’s GnuPG’s turn.
After a story on ProPublica Thursday publicized the plight of Werner Koch, the creator and lone full-time developer of the encryption software, who was running low on money to fund the project, members of the security and technology communities began a word-of-mouth campaign to raise money to help. These kinds of campaigns can fizzle out quickly, but not this time. In less than a day, the GnuPG project received more than €120,000 in donations from individuals around the world.
In addition to the €120,000 in donations from individual supporters, the CII, which is supported by the Linux Foundation, has given GnuPG a $60,000 grant for this year. Also, both Facebook and Stripe, the payment processor GnuPG uses, have pledged $50,000 each to support the project."
writes "Attackers have compromised Anthem Inc., one of the larger health-care companies in the United States, gaining access to the Social Security numbers, birth dates, names, employment and income data and other personal information of an untold number of customers.
The company says it is not sure yet how many customers are affected, but Anthem claims to have 69 million customers across its product lines. In a statement, Anthem, which was previously known as WellPoint Health Networks, said that the company was the victim of a targeted, sophisticated attack.
Given the size of the Anthem customer base, this could turn out to be one of the larger data breaches in U.S. history. The scope of the information the attackers obtained could give them broad access to victims’ personal lives.
“If confirmed, we are dealing with one of the biggest data breaches in history and probably the biggest data breach in the healthcare industry. If you are wondering what it means for individuals, in a few words: it is a nightmare,” said Jamie Blasco, vice president and chief scientist at AlienVault."
writes "In the years since Edward Snowden began putting much of the NSA‘s business in the street, including its reliance on the secret FISA court and National security Letters, warrant canaries have emerged as a key method for ISPs, telecoms and other technology providers to let the public know whether they have received any secret orders. But keeping track of the various canaries scattered around the Web is difficult, so a group of legal and civil liberties organizations have come together to launch a new site to monitor the known warrant canaries.
The Canary Watch site is the work of the EFF, the Berkman Center for Internet and Society and NYU’s Technology Law and Policy Center and it works on a simple concept. The site maintains a list of all of the known warrant canaries and periodically checks each organization’s site to see whether the canary is still there and then lists any changes to the status.
Right now, Canary Watch lists 11 organizations, including Lookout, Pinterest, Reddit and Tumblr.
“Canarywatch lists the warrant canaries we know about, tracks changes or disappearances of those canaries, and allows users to submit canaries not listed on the site. For people with interest in a particular canary, the site will show any changes we know about,” Nadia Kayyali of the EFF said in a blog post."
An anonymous reader writes "Security researcher Simone Margaritelli has reverse engineered the Bluetooth low-energy communications protocol for his Nike+ FuelBand SE, a wrist-worn activity tracker. He learned some disturbing fact: "The authentication system is vulnerable, anyone could connect to your device. The protocol supports direct reading and writing of the device memory, up to 65K of contents. The protocol supports commands that are not supposed to be implemented in a production release (bootloader mode, device self test, etc)." His post explains in detail how he managed this, and how Nike put effort into creating an authentication system, but then completely undermined it by using a hard-coded token. Margaritelli even provides a command list for the device, which can do things like grab an event log, upload a bitmap for the screen, and even reset the device."Link to Original Source
writes "Less than 48 hours after the disclosure of the Ghost vulnerability in the GNU C library (glibc), researchers have uncovered that PHP applications, including the WordPress content management system, could be another weak spot and eventually in the crosshairs of attackers.
Ghost is a vulnerability in glibc that attackers can use against only a handful of applications right now to remotely run executable code and gain control of a Linux server. The vulnerability is a heap-based buffer overflow and affects all Linux systems, according to experts, and has been present in the glibc code since 2000.
“An example of where this could be a big issue is within WordPress itself: it uses a function named wp_http_validate_url() to validate every pingback’s post URL,” wrote Sucuri research Marc-Alexandre Montpas in an advisory published Wednesday. “And it does so by using gethostbyname(). So an attacker could leverage this vector to insert a malicious URL that would trigger a buffer overflow bug, server-side, potentially allowing him to gain privileges on the server.”"Link to Original Source
writes "In the wake of a recent enforcement action against Marriott for blocking guests’ WiFi hotspots in their hotels, the FCC is warning other hotel operators and business owners that such blocking is illegal and the commission’s Enforcement Bureau is taking note.
Marriott last year paid a fine of $600,000 to settle an FCC enforcement action that resulted from a customer complaint. A guest complained that while staying at the Gaylord Opryland hotel in Tennessee his personal WiFi hotspot was being blocked and he was being forced to pay to use the hotel’s network. The investigation by the FCC found that in some cases the hotel’s network would send de-authentication packets to the personal hotspots used by guests, forcing their devices to disconnect.
Now, the FCC is making it clear that the Enforcement Bureau is looking closely at this kind of behavior, not just by hotel operators, but by any commercial business.
“Willful or malicious interference with Wi-Fi hot spots is illegal. Wi-Fi blocking violates Section 333 of the Communications Act, as amended.1 The Enforcement Bureau has seen a disturbing trend in which hotels and other commercial establishments block wireless consumers from using their own personal Wi-Fi hot spots on the commercial establishment’s premises. As a result, the Bureau is protecting consumers by aggressively investigating and acting against such unlawful intentional interference,” the Federal Communications Commission said in a statement issued this week."
writes "Researchers at Kaspersky Lab have discovered shared code and functionality between the Regin malware platform and a similar platform described in a newly disclosed set of Edward Snowden documents 10 days ago by Germany’s Der Spiegel.
The link, found in a keylogger called QWERTY allegedly used by the so-called Five Eyes, leads them to conclude that the developers of each platform are either the same, or work closely together.
“Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source codes, we conclude the QWERTY malware developers and the Regin developers are the same or working together,” wrote Kaspersky Lab researchers Costin Raiu and Igor Soumenkov today in a published report."
writes "The gauges that detect and prevent fuel leaks at more than 5,000 gas stations in the United States are utterly vulnerable to remote attacks, according to new research conducted by HD Moore of Rapid7. The gauges are manufactured by Veeder-Root, who says it is working with its customers better enable available security features.
Automated tank gauges (ATGs), as they are called, monitor fuel levels in gas station storage tanks and trigger alarms in compliance with environmental regulations when fuel tanks are overfilled. The risk posed to these gas stations — roughly three percent of the 150,000 station in the U.S. — are serious and could enable hackers to completely shut down the stations containing the vulnerable ATGs.
“Many ATGs can be programmed and monitored through a built-in serial port, a plug-in serial port, a fax/modem, or a TCP/IP circuit board,” Moore explained on Rapid7’s Security Street blog. “In order to monitor these systems remotely, many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port. The most common configuration is to map these to TCP port 10001.”"
writes "Adobe has released an emergency update for Flash to address a zero-day vulnerability that is being actively exploited. The company also is looking into reports of exploits for a separate Flash bug not fixed in the new release, which is being used in attacks by the Angler exploit kit.
The vulnerability that Adobe patched Thursday is under active attack, but Adobe officials said that this flaw is not the one that security researcher Kafeine said Wednesday was being used in the Angler attacks.
The patch for Flash comes just a day after Kafeine disclosed that some instances of the Angler exploit kit contained an exploit for a previously unknown vulnerability in the software. Adobe officials said Wednesday that they were investigating the reports. Kafeine initially saw Angler attacking the latest version of Flash in IE on Windows XP, Vista, 7 and 8, but said the exploit wasn’t being used against Chrome or Firefox.
On Thursday he said on Twitter that the group behind Angler had changed the code to exploit Firefox as well as fully patched IE 11 on Windows 8.1."
writes "The dangerous Angler exploit kit has a new piece of ammunition to use in its attacks: a fresh Adobe Flash zero-day vulnerability. The kit is exploiting the previously unknown vulnerability in several versions of Internet explorer running on Windows 7 and Windows 8.
French security researcher Kafeine has spotted a version of the Angler kit that’s firing exploits for several vulnerabilities in Flash, including two known bugs. But the big problem is that the kit also has exploit code for what appears to be a zero-day in the latest version of Flash, version 184.108.40.2067. Kafeine said that he first spotted the exploit for the zero-day in Flash on Wednesday and that it is being used to install a piece of malware known as Bedep.
The researcher said that not all instances of Angler are using the new Flash zero-day exploit, nor is it being used against all of the popular browsers. In his tests, Kafeine found that IE 10 on Windows 8, IE 8 on Windows 7 and IE 6-9 on Windows XP all are being exploited. Chrome is not being targeted and fully patched Windows 8.1 is not exploitable, he said.
Adobe officials said they are looking into the report."
writes "Oracle on Tuesday will release a huge number of security fixes as part of its quarterly critical patch update, and one of them is a patch for a vulnerability that a well-known security researcher said looks a lot like a back door but was likely just a terrible mistake.
The flaw is found in Oracle’s eBusiness Suite, a set of apps that includes financial management, CRM and other functions. David Litchfield, an accomplished security researcher who has been poking holes in Oracle products for more than a decade, discovered the vulnerability and reported it to the vendor last year.
A remote attacker could have the ability gain control of an affected database, which is game over for the target system. Litchfield said that when he discovered the vulnerability on a client’s network, his first thought was that the client had been owned and the attacker had left the back door there for later use.
Despite how bad the vulnerability looks, Litchfield said he doesn’t think that it is actually an intentional back door inserted for law enforcement or an intelligence agency.
“I don’t think Oracle as a company would do that. Could it be a disgruntled employee? Maybe, though, giving them the benefit [of the] doubt, it could be that some dev was testing something and they forgot to turn it off. Who knows. What is concerning however is that Oracle seem not to know who and why this privilege was granted, either,” he said."
writes "Legitimate security researchers, from bug hunters to pen-testers, are buckled in for a bumpy ride as vague language in President Obama’s proposed amendments to the Computer Fraud and Abuse Act (CFAA) is expected to be debated and sorted out as it makes its way through the legislature.
The amendments come with stiffer penalties for those convicted of hacking, with some sentences doubled and some offenses elevated to felonies.
One amendment to the CFAA contains language that is a redefinition of what it means to exceed authorized access; it broadens the scope of the CFAA considerably.
From section six in the amendment: ” ‘exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer (a) that the accesser is not entitled to obtain or alter; or (b) for a purpose that the accesser knows is not authorized by the computer owner.”"Link to Original Source