
ICU Project Patches Memory Vulnerabilities

Submitted by msm1267
msm1267 writes: Multitudes of software packages that make use of the ICU Project C/C++ and Java libraries may need to update after a pair of memory-based vulnerabilities were discovered and subsequently patched.

Version 55.1 of the ICU Project ICU4C library, released yesterday, addresses separate heap-based buffer overflow and integer overflow bugs in versions 52 through 54. Older versions of the library could also be affected, said researcher Pedro Ribeiro of Agile Information Security, who discovered the vulnerabilities while fuzzing LibreOffice, one of the numerous open source and enterprise software packages that are built using the library.


The Usbkill Anti-Forensics Script That Renders PCs Useless

Submitted by Trailrunner7
Trailrunner7 writes: The idea of needing to disable a computer quickly as the police–or another potential adversary–comes through the door typically has been the concern of criminals. But in today’s climate activists, journalists, and others may find themselves wanting to make their laptops unusable in short order, and that’s where usbkill comes in.

The new tool is a small Python script that users can download and run on any machine. The script then will monitor the machine for any changes in state on the USB ports, like when someone removes or plugs in a USB drive. If a state change is detected, the usbkill script then will disable the machine immediately.

“Usbkill keeps watch on the computer’s usb ports, and if any change is observed it will shut down (kill) the computer. This means that if you add or remove a usb drive, the computer (running usbkill) will immediately crash,” the script's developer, who uses the name Hephaest0s, said.

“For additional security one might attach a usb key to one’s wrist (using a lace) and plug it into the computer, to start the usbkill program after the usb is inserted. If your computer is forcefully removed from you, the usb attached to your wrist will likely be removed from your computer, killing it. This essentially means you have a usb-dead-switch for your computer.”

Researcher Bypasses Google Password Alert for Second Time

Submitted by Trailrunner7
Trailrunner7 writes: A security researcher has developed a method–actually two methods–for defeating the new Chrome Password Alert extension that Google released earlier this week.

The Password Alert extension is designed to warn users when they’re about to enter their Google passwords into a fraudulent site. The extension is meant as a defense against phishing attacks, which remain a serious threat to consumers despite more than a decade of research and warnings about the way the attacks work.

Just a day after Google released the extension, Paul Moore, a security consultant in the U.K., developed a method for bypassing the extension. The technique involved using JavaScript to look on a given page for the warning screen that Password Alert shows users. The method Moore developed then simply blocks the screen, according to a report on Ars Technica. In an email, Moore said it took him about two minutes to develop that bypass, which Google fixed in short order.

However, Moore then began looking more closely at the code for the extension, and Chrome itself, and discovered another way to get around the extension. He said this one likely will be more difficult to repair.

“The second exploit will prove quite difficult (if not near impossible) to resolve, as it leverages a race condition in Chrome which I doubt any single extension can remedy. The extension works by detecting each key press and comparing it against a stored, hashed version. When you’ve entered the correct password, Password Alert throws a warning advising the user to change their password,” Moore said.

Once a Forgotten Child, OpenSSL's Future Now Looks Bright

Submitted by Trailrunner7
Trailrunner7 writes: Rarely does anything have a defined turning point in its history, a single day where people can point and say that was the day everything changed.

For OpenSSL, that day was April 7, 2014, the day that Heartbleed became part of the security lexicon. Heartbleed was a critical vulnerability in the venerable crypto library. OpenSSL is everywhere, in tens of thousands of commercial and homespun software projects. And so too, as of last April, was Heartbleed, an Internet-wide bug that leaked enough memory that a determined hacker could piece together anything from credentials to encryption keys.

“Two years ago, it was a night-and-day difference. Two years ago, aside from our loyal user community, we were invisible. No one knew we existed,” says Steve Marquess, cofounder, president and business manager of the OpenSSL Foundation, the corporate entity that handles commercial contracting for OpenSSL. “OpenSSL is used everywhere: hundreds, thousands of vendors use it; every smartphone uses it. Everyone took that for granted; most companies have no clue they even used it.”

To say OpenSSL has been flipped on its head—in a good way—is an understatement.

Heartbleed made the tech world realize that the status quo wasn’t healthy to the security and privacy of ecommerce transactions and communication worldwide. Shortly after Heartbleed, the Core Infrastructure Initiative was created, uniting The Linux Foundation, Microsoft, Facebook, Amazon, Dell, Google and other large technology companies in funding various open source projects. OpenSSL was the first beneficiary, getting enough money to hire Dr. Steve Henson and Andy Polyakov as its first full-timers. Henson, who did not return a request to be interviewed for this article, is universally known as the one steady hand that kept OpenSSL together, an unsung hero of the project who along with other volunteers handled bug reports, code reviews and changes.

Congress and Its Crypto Craziness

Submitted by Trailrunner7
Trailrunner7 writes: Crazy is never in short supply in Washington. Through lean times and boom times, regardless of who is in the White House or which party controls the Congress, the one resource that’s reliably renewable is nuttery.

This is never more true than when that venerable and voluble body takes up a topic with some technical nuance to it. The appearance of words such as “Internet”, “computers” or “technology” in the title of a committee hearing strike fear into the hearts of all who use such things. This is the legislative body, after all, that counted among its members the late Sen. Ted Stevens, who so eloquently described the Internet as a series of tubes.

And so when a panel with the wonderfully Orwellian name of the House Committee on Oversight and Government Reform announced a hearing titled “Encryption Technology and Potential U.S. Policy Responses”, the expectations in the security and crypto communities were for plenty of crazy. And it delivered in spades, but perhaps not in the way observers had expected.

The committee hearing was a response to the recent conversations in Washington circles about the need for backdoors in encryption technologies to enable lawful access by the FBI and other agencies. Cryptographers have said consistently that such systems simply don’t work, as they inevitably will allow access for attackers as well as law enforcement, never mind the huge technical challenges of implementing them.

The fact that the decisions by Apple and Google are a result of the NSA's actions did not get past Rep. Ted Lieu (D-Calif.), a man with computer science and law degrees and a clear grasp of the issue at hand.

“I take great offense to your testimony today,” Lieu said to Conley. “It’s a fundamental misunderstanding of the problem. Why do you think companies like Apple and Google are doing this? It’s not to make less money. It’s because the public is asking for it.

“This is a private sector response to government overreach. Let me make another statement, that somehow these technology companies aren’t credible because they collect private data. Here’s the difference: Apple and Google don’t have coercive powers. District attorneys do. The FBI does. The NSA does. And to me it’s very simple to draw the privacy balance when it comes to law enforcement privacy. Just follow the damn Constitution. And because the NSA and other law enforcement agencies didn’t do that, you’re seeing a vast public reaction to this."

New Zero Day Disclosed in WordPress Core Engine

Submitted by Trailrunner7
Trailrunner7 writes: WordPress security issues have for the most part involved a vulnerable plug-in, but a Finnish researcher has disclosed some details on a zero-day vulnerability he discovered in the WordPress 4.2 and earlier core engine that could lead to remote code execution on the webserver.

Jouko Pynnonen of Klikki Oy reported a new and unpatched stored cross-site scripting vulnerability in the platform; a similar bug was patched this week by WordPress developers, but only 14 months after it was reported.

The vulnerability allows an attacker to inject JavaScript in the WordPress comment field; the comment has to be at least 66,000 characters long and it will be triggered when the comment is viewed, Pynnonen said.

“An unauthenticated attacker can store JavaScript on WordPress pages and blog posts. If triggered by an administrator, this leads to server-side code execution under default settings,” Pynnonen said. “A usable comment form is required. It looks like the script is not executed in the admin Dashboard, but only when viewing the post/page where the comment was entered. If comment moderation is enabled (the default setting) then the comment won’t appear on the page until it has been approved by an admin/moderator. Under default settings, after one ‘harmless’ comment is approved, the attacker is free from subsequent moderation and can inject the exploit to several pages and blog posts.”

Researcher Discloses Methods For Bypassing All OS X Security Protections

Submitted by Trailrunner7
Trailrunner7 writes: For years, Apple has enjoyed a pretty good reputation among users for the security of its products. That halo has been enhanced by the addition of new security features such as Gatekeeper and XProtect to OS X recently, but one researcher said that all of those protections are simple to bypass and gaining persistence on a Mac as an attacker isn’t much of a challenge at all.

Gatekeeper is one of the key technologies that Apple uses to prevent malware from running on OS X machines. It gives users the ability to restrict which applications can run on their machines by choosing to only allow apps from the Mac App Store. With that setting in play, only signed, legitimate apps should be able to run on the machine. But Patrick Wardle, director of research at Synack, said that getting around that restriction is trivial.

“Gatekeeper doesn’t verify any extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper,” Wardle said in a talk at the RSA Conference here Thursday. “It only verifies the app bundle.”

“If Macs were totally secure, I wouldn’t be here talking,” Wardle said. “It’s trivial for any attacker to bypass the security tools on Macs.”

New SMB Flaw Affects iTunes, All Versions of Windows

Submitted by Trailrunner7
Trailrunner7 writes: There is a serious vulnerability in all supported versions of Windows that can allow an attacker who has control of some portion of a victim’s network traffic to steal users’ credentials for valuable services. The bug is related to the way that Windows and other software handles some HTTP requests, and researchers say it affects a wide range of applications, including iTunes and Adobe Flash.

The vulnerability, disclosed Monday by researchers at Cylance, is an extension of research done by Aaron Spangler nearly 20 years ago, and it’s known as Redirect to SMB. This weakness can enable an attacker to force victims to try to authenticate to an attacker-controlled server.

“This is a novel attack that can be easily abused to significantly increase the exploitability of Windows client systems communicating on untrusted or compromised networks. While tools like KARMA, Metasploit, and Responder.py depend on the user to make an SMB connection back to the attacker, the Cylance research improves on the attack by abusing how HTTP redirects are handled by callers of the URLMon API,” said HD Moore, chief research officer at Rapid 7.

“The Cylance research shows that instead of waiting for the user to open their browser or manually connect to a network share, an attacker can look for automated HTTP requests sent by background applications and redirect these to file:// URLs, triggering an SMB connection and automatic authentication. Given how many applications a typical laptop or tablet has running in the background, this can drastically speed up SMB capture and relay attacks against Windows-based laptops and tablets connecting to insecure wireless networks."

Github Attack Perpetrated by China's Great Cannon Traffic Injection Tool

Submitted by Gunkerty Jeb
Gunkerty Jeb writes: Chinese attackers used the Great Firewall’s offensive sister-system, named the Great Cannon, to launch a recent series of distributed denial of service attacks targeting the anti-censorship site, GreatFire.org, and the code repository, Github, which was hosting content from the former.

Apple Leaves Chinese CNNIC Root in OSX and iOS Trust Stores

Submitted by Trailrunner7
Trailrunner7 writes: When it was revealed late last month that a Chinese certificate authority had allowed an intermediate CA to issue unauthorized certificates for some Google domains, both Google and Mozilla reacted quickly and dropped trust in CNNIC altogether. Apple, however, has kept the root certificates in its trusted store for both iOS and OSX.

Apple on Wednesday released major security upgrades for both of its operating systems, but the root certificate for CNNIC, the Chinese CA at the heart of the controversy, remains in the trusted stores for iOS and OSX. The company has not made any public statements on the incident or the continued inclusion of CNNIC’s certificates in the trusted stores.

TrueCrypt Alternatives Step Up Post-Cryptanalysis

Submitted by msm1267
msm1267 writes: What's next for TrueCrypt now that a two-phase audit of the code and its cryptography uncovered a few critical vulnerabilities, but no backdoors? Two alternative open source encryption projects forked TrueCrypt once its developers decided to abandon the project in early 2014, giving rise to VeraCrypt and CipherShed--and both are ready to accelerate growth, compatibility and functionality now that the TrueCrypt code has been given a relative clean bill of health.

Is this ET? Mystery of strange radio bursts from space

Submitted by schwit1
schwit1 writes: Telescopes have been picking up so-called fast radio bursts (FRBs) since 2001. They last just a few milliseconds and erupt with about as much energy as the sun releases in a month. Ten have been detected so far, most recently in 2014, when the Parkes Telescope in New South Wales, Australia, caught a burst in action for the first time. The others were found by sifting through data after the bursts had arrived at Earth. No one knows what causes them, but the brevity of the bursts means their source has to be small – hundreds of kilometres across at most – so they can't be from ordinary stars. And they seem to come from far outside the galaxy.

The weird part is that they all fit a pattern that doesn't match what we know about cosmic physics.


Students Build Open Source Web-Based Threat Modeling Tool

Submitted by msm1267
msm1267 writes: Students at St. Mary’s University in Nova Scotia, Canada, participating in Mozilla’s Winter of Security 2014 project, built a browser-based threat modeling tool that simplifies visualization of systems and data flows, and where soft spots might be introduced during design.

The tool, called Seasponge, has been made available on Github and its developers are hoping to not only get feedback and feature suggestions, but also hope to encourage developers to introduce threat modeling into SDLs in order to fix bugs while in design when it’s cheap to do so.


Google Drops Chinese CA From Chrome After Incident

Submitted by Trailrunner7
Trailrunner7 writes: Google has taken the unusual step of completely removing trust from Chrome for the Chinese certificate authority CNNIC in the wake of an incident in which certificates issued by the CA were misused.

Google officials announced the severe decision on Wednesday, saying that it was made after an investigation by the company and CNNIC. The decision comes a couple of weeks after Google officials discovered that a certificate issued by CNNIC to MCS Holdings, an intermediate CA, was being used in a man-in-the-middle proxy to intercept traffic to some Google domains. Google and other browser vendors had removed trust from their browsers for the misused certificate, but Google has now taken the further step of dropping CNNIC from the Chrome trust store altogether.

The removal of CNNIC from Chrome’s trust store will have the effect of causing all of the certificates issued by the company to be marked as untrusted by the browser. This could leave users confused about the authenticity of the sites they’re visiting if they’re unaware of the decision by Google.

One historical analog for the CNNIC incident is a similar one in 2012 involving Trustwave, which issued a certificate to a customer that was intended to be used in a DLP system. Google did not completely remove Trustwave from Chrome’s trust store after that incident.

Firefox 37 Adds Opportunistic Encryption for HTTP

Submitted by Trailrunner7
Trailrunner7 writes: Mozilla has released Firefox 37, and along with the promised addition of the OneCRL certificate revocation list, the company has included a feature that enables opportunistic encryption on connections for servers that don’t support HTTPS.

The new feature gives users a new defense against some forms of monitoring and doesn’t require any setup from users. When Web servers are configured correctly to provide a specific response header, Firefox will begin sending requests to the indicated encrypted port rather than in cleartext to port 80. Opportunistic encryption isn’t a replacement for SSL, as it’s not authenticated, but it can provide an alternative for organizations that can’t migrate fully to HTTPS for one reason or another.

“OE provides unauthenticated encryption over TLS for data that would otherwise be carried via clear text. This creates some confidentiality in the face of passive eavesdropping, and also provides you much better integrity protection for your data than raw TCP does when dealing with random network noise. The server setup for it is trivial,” Patrick McManus of Mozilla wrote in a post explaining the new feature.
