msm1267 writes: A unique scareware campaign targeting Mac OS X machines has been discovered, and it’s likely the developer behind the malware has been at it a while since the installer that drops the scareware is signed with a legitimate Apple developer certificate.
“Sadly, this particular developer certificate (assigned to a Maksim Noskov) has been used for probably two years in similar attacks,” said Johannes Ullrich, dean of research of the SANS Institute’s Internet Storm Center, which on Thursday publicly disclosed the campaign. “So far, it apparently hasn’t been revoked by Apple.”
msm1267 writes: Socat is the latest open source tool to come under suspicion that it is backdoored. A security advisory published Monday warned that the OpenSSL address implementation in Socat contains a hard-coded Diffie-Hellman 1024-bit prime number that was not prime.
“The effective cryptographic strength of a key exchange using these parameters was weaker than the one one could get by using a prime p,” the advisory said. “Moreover, since there is no indication of how these parameters were chosen, the existence of a trapdoor that makes possible for an eavesdropper to recover the shared secret from a key exchange that uses them cannot be ruled out.”
Socat said it has generated a new prime that is 2048 bits long; versions 220.127.116.11 and 2.0.0-b8 are affected. The advisory adds that a temporary workaround would be to disable the Diffie-Hellman ciphers.
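The advisory's point is that a hard-coded Diffie-Hellman modulus should never be taken on trust. The following Python is an added example, not code from Socat or from the advisory, showing the check a practitioner can run on any DH modulus before deploying it: Miller-Rabin primality, a safe-prime test on (p-1)/2, and a bit-length floor. The sample moduli are constructed for the example (the Mersenne primes 2^521-1 and 2^607-1, their composite product, and the small safe prime 23); none of them is the Socat parameter.

```python
"""Sanity-check a Diffie-Hellman modulus before trusting it.

Added example with constructed inputs; the sample values are Mersenne
primes and their product, not the parameter shipped in Socat.
"""
import secrets

# Small primes for cheap trial division before Miller-Rabin.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases.

    False means n is definitely composite; True means n is prime with
    error probability at most 4**-rounds.
    """
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    # Write n - 1 = 2**s * d with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            # a is a witness: n fails the strong-pseudoprime test.
            return False
    return True


def check_dh_modulus(p, min_bits: int = 2048) -> dict:
    """Report whether p is usable as a DH modulus.

    p may be an int or a hex string (colon/space separated digits, as
    printed by `openssl dhparam -text`). A usable modulus is prime,
    is a safe prime (p = 2q + 1 with q prime) so that small subgroups
    are limited to {1, p-1}, and meets the bit-length floor.
    """
    if isinstance(p, str):
        p = int(p.replace(":", "").replace(" ", ""), 16)
    bits = p.bit_length()
    prime = is_probable_prime(p)
    safe = prime and is_probable_prime((p - 1) // 2)
    return {
        "bits": bits,
        "is_prime": prime,
        "is_safe_prime": safe,
        "acceptable": prime and safe and bits >= min_bits,
    }


if __name__ == "__main__":
    # Constructed samples (not Socat's value).
    m521 = 2**521 - 1                 # prime, but (p-1)/2 is not
    composite = m521 * (2**607 - 1)   # passes trial division, fails Miller-Rabin
    for label, value in (("M521", m521), ("M521*M607", composite), ("23", 23)):
        print(label, check_dh_modulus(value, min_bits=2048))
```

The composite sample has no small factors, so only the Miller-Rabin stage rejects it; that is exactly the kind of defect a hard-coded parameter can hide from casual inspection. A modulus that is prime but not a safe prime is reported separately, since many deployments require the safe-prime property as well.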
msm1267 writes: Vulnerabilities in the Web APIs for both Fisher-Price’s Smart Toy Bear and hereO’s GPS platform could be abused to put children’s personal data, and possibly safety, at risk. Since the flaws were found in the respective toys’ Web APIs, the fix was applied on the vendor’s end and required no patches on the toys. Researchers at Rapid7 found and disclosed the flaws to the toymakers. The vulnerabilities in the Fisher-Price toy could allow an attacker to learn personal details about the children using the toys, opening the door to future social engineering and phishing scams.
The hereO flaw is a bit more concerning since the toy watch acts as a GPS locator for parents, who can use these features to track a child’s whereabouts. Rapid7 found an authorization bypass flaw in the Web API of the device that allows an attacker to invite and accept themselves into a family group; the platform supports messaging, location features and panic alerts for members of each respective group. An attacker could learn the location of anyone in the group and more.
msm1267 writes: Cisco’s Talos security intelligence and research group found and privately disclosed a serious and trivially exploitable client-side bug in Mini UPnP that was patched in September of last year.
Now four months later, it’s unclear how many vendor products that make use of the library were patched, nor is it known how many devices on private networks—things such as Xboxes, home and business routers and peer-to-peer applications such as the Bitcoin-qt wallet—have been patched.
Cisco today published technical details of the vulnerability and to demonstrate the widespread nature of the bug and its potential impact, released a proof-of-concept attack against the default Bitcoin wallet which opens the door to remote code execution. Cisco’s exploit bypasses the Stack Smashing Protection (SSP) mitigation, which protects vulnerable buffers in a stack with a stack cookie, or canary. The Cisco attack bypasses the stack cookie on Linux systems.
msm1267 writes: A group of privacy advocates whose Twitter accounts were targeted by state-sponsored hackers want answers from the social media platform. A handful of the estimated 50 people who received notifications in December from Twitter are still in the dark as to why they were targeted, what information the attackers were after, and who exactly was after them.
The group made a public plea this week to Twitter, putting up a website with more than a dozen pointed questions it hopes Twitter will answer. The plea was signed by 30 people who were notified, most of whom have ties to Internet freedom and advocacy, including the Tor project and digital rights initiatives in Europe.
Twitter is not alone in beginning such a notification service; it follows on the heels of similar efforts by Google, Facebook and Yahoo.
msm1267 writes: A patch for a critical Linux kernel flaw, present in the code since 2012, is expected to be pushed out today.
The vulnerability affects versions 3.8 and higher, said researchers at startup Perception Point who discovered the vulnerability. The flaw also extends to two-thirds of Android devices, the company added.
An attacker would require local access to exploit the vulnerability on a Linux server. A malicious mobile app would get the job done on an Android device. The vulnerability is a reference leak that lives in the keyring facility built into the various flavors of Linux. The keyring encrypts and stores login information, encryption keys and certificates, and makes them available to applications.
msm1267 writes: Researcher Patrick Wardle has found a number of issues in Apple's Mac OS X Gatekeeper that would allow an attacker to bypass the security feature and compromise Apple computers. Apple has twice attempted to fix the flaws, but Wardle says the manner in which Apple addressed the vulnerabilities is incomplete and his attacks still enable Gatekeeper bypasses.
msm1267 writes: OpenSSH today released a patch for a critical vulnerability that could be exploited by an attacker to force a client to leak private cryptographic keys.
The attacker would have to control a malicious server in order to force the client to give up the key, OpenSSH and researchers at Qualys said in separate advisories. Qualys’ security team privately disclosed the vulnerability Jan. 11 and the OpenSSH team had it patched within three days.
The vulnerability was found in a non-documented feature called roaming that supports the resumption of interrupted SSH connections. OpenSSH said client code between versions 5.4 and 7.1 is vulnerable as it contains the roaming support. OpenSSH said that organizations may disable the vulnerable code by adding “UseRoaming no” to the global ssh_config(5) file.
Researchers at Qualys said organizations should patch immediately and regenerate private keys.
msm1267 writes: A Silverlight zero day vulnerability patched yesterday by Microsoft has already been used in limited targeted attacks, and could be linked to an exploit developer who sold a previous zero day in the platform to the infamous Hacking Team.
Researchers at Kaspersky Lab found and reported the Silverlight flaw to Microsoft, and today disclosed a technical analysis of the vulnerability and links to exploit writer Vitaliy Toropov. Emails from Toropov to Hacking Team were found this summer in data stolen from the company. Kaspersky researchers pieced together clues from older Silverlight exploits written by Toropov and linked the latest flaw to him.
The vulnerability allows for remote code execution and is a cross-platform bug that, for now, has been used only in attacks against Windows machines.
msm1267 writes: Juniper Networks has removed the backdoored Dual_EC DRBG algorithm from its ScreenOS operating system, but new developments show Juniper deployed Dual_EC long after it was known to be backdoored.
Stephen Checkoway, assistant professor of computer science at the University of Illinois at Chicago, said that he and a number of crypto experts looked at dozens of versions of Juniper's NetScreen firewalls and learned that ANSI X9.31 was used exclusively until ScreenOS 6.2 when Juniper added Dual_EC. It also changed the size of the nonce used with ANSI X9.31 from 20 bytes to 32 bytes for Dual_EC, giving an attacker the necessary output to predict the PRNG output.
“And at the same time, Juniper introduced what was just a bizarre bug that caused the ANSI generator to never be used and instead just use the output of Dual_EC. They made all of these changes in the same version update.”
msm1267 writes: Silent Circle, makers of the security- and privacy-focused Blackphone, have patched a vulnerability that could allow a malicious mobile application or remote attacker to access the device’s modem and perform any number of actions.
Researchers at SentinelOne discovered an open socket on the Blackphone that an attacker could abuse to intercept calls, set call forwarding, read SMS messages, mute the phone and more.
Blackphone is marketed toward privacy-conscious users; it includes encrypted messaging apps such as SilentText and Silent Phone, and it runs on a customized, secure version of Android, called PrivatOS.
msm1267 writes: A security researcher is in a bit of a scrum with Facebook over vulnerability disclosures that not only tested the boundaries of the social network’s bug bounty program but, he said, also prompted hints of legal and criminal action, which Facebook has since denied.
Wesley Wineberg, a contract employee of security company Synack, said today that he had found some weaknesses in the Instagram infrastructure that allowed him to access source code for recent versions of Instagram, SSL certificates and private keys for Instagram.com, keys used to sign authentication cookies, email server credentials, and keys for more than a half-dozen other critical functions, including iOS and Android app signing keys and iOS push notification keys.
Wineberg also accessed employee accounts and passwords, some of which he cracked, and had access to Amazon buckets storing user images and other data, prompting claims of user privacy violations from Facebook.
msm1267 writes: Experts say the success tied to a recent spate of DDoS-for-hire groups may be because many are copycat collectives operating with a shorter lifespan.
Researchers with Recorded Future, a Massachusetts-based firm that tracks real-time threat intelligence, said Monday that they’ve noticed an increase in would-be hackers asking for guidance on forums when it comes to carrying out such attacks.
In particular, it has observed several requests on the dark web for instructions on how to perform DDoS attacks, set up Bitcoin wallets, and so forth. The frequency of the posts really picked up steam after publicity around the group DDoS 4 Bitcoin, it said.
msm1267 writes: Adobe seems to have taken its first steps to move developers away from the notoriously insecure Flash and onto HTML5. But none of it will be quick enough for security experts who loathe Flash's expansive attack surface, which has made it the preferred attack vector for criminal and state-sponsored hackers.
msm1267 writes: A second root certificate and private key, similar to eDellRoot, along with an expired Atheros Authenticode cert and private key used to sign Bluetooth drivers, have been found on a Dell Inspiron laptop. The impact of these two certs is limited compared to the original eDellRoot cert. The related eDellRoot cert is also self-signed but has a different fingerprint than the first one. It has been found only on two dozen machines according to the results of a scan conducted by researchers at Duo Security. Dell, meanwhile, late on Monday said that it was going to remove the eDellRoot certificate from all Dell systems moving forward, and for existing affected customers, it has provided permanent removal instructions, and starting today will push a software update that checks for the eDellRoot cert and removes it.