Forgot your password?
typodupeerror

+ - Researcher Takes Wraps Off Undisclosed Bash Vulnerabilities->

Submitted by msm1267
msm1267 (2804139) writes "The Bash bug has kept Linux and UNIX administrators busy deploying a half-dozen patches, worrying about numerous Shellshock exploits in the wild, and a laboring over a general uncertainty that the next supposed fix will break even more stuff.

Researcher Michal Zalewski, a longtime bug-hunter, has been front and center on some of the Bash research and last week said he had found two additional bugs in the Bourne Again Shell, details of which he’d kept to himself until yesterday.

Zalewski took the wraps off the vulnerabilities, one of which, CVE-2014-6278, mimics the original vulnerability reported Sept. 24 but affects only systems patched against the original Bash vulnerability, CVE-2014-6271.

Like the original vulnerability, CVE-2014-6278 allows an attacker to remotely drop executable code by exploiting a weaknesses in environment variables in Bash, which is the most common command line shell used by Linux, UNIX and Mac OS X servers."

Link to Original Source

+ - SNMP DDoS Scans Spoof Google DNS Server->

Submitted by msm1267
msm1267 (2804139) writes "The SANS Internet Storm Center is seeing SNMP scans spoofed from Google’s public recursive DNS server seeking to overwhelm vulnerable routers and other devices that support the protocol with DDoS traffic.

“The traffic is spoofed, and claims to come from Google’s DNS server. The attack is however not an attack against Google. It is likely an attack against misconfigured gateways,” said Johannes Ullrich, dean of research of the SANS Technology Institute and head of the Internet Storm Center.

Ullrich said the ISC is still investigating the scale of the possible attacks, but said the few packets that have been submitted target default passwords used by SNMP. In an update posted last night, Ullrich said the scans are sequential, indicating someone is conducting an Internet-wide scan looking for vulnerable routers and devices that accept certain SNMP commands."

Link to Original Source

+ - Inside a Critical Webmin Vulnerability->

Submitted by msm1267
msm1267 (2804139) writes "The University of Texas information security office yesterday disclosed the details on a critical vulnerability in Webmin that was patched in May, days after it was reported.

The bug in the UNIX remote management tool provided remote root access to a host server. Authenticated users would then be able to delete files stored on the server. Researcher John Gordon published a report yesterday on the UT ISO website explaining that the problem was discovered in the cron module’s new environment variable. Gordon wrote that an attacker would have been able to use directory traversal and null byte injection techniques to force Webmin to delete any file stored on the system.

The vulnerability, Gordon said, likely cannot be flipped into an attack granting someone remote shell access or code execution on a standard Linux server, for example."

Link to Original Source

+ - Research Finds No Large Scale Heartbleed Exploit Attempts Before Disclosure->

Submitted by msm1267
msm1267 (2804139) writes "In the days and weeks following the public disclosure of the OpenSSL Heartbleed vulnerability in April, security researchers and others wondered aloud whether there were some organizations–perhaps the NSA–that had known about the bug for some time and had been using it for targeted attacks. A definitive answer to that question may never come, but traffic data collected by researchers on several large networks shows no exploit attempts in the months leading up to the public disclosure.

Researchers from the University of Michigan, the University of Illinois, the University of California at Berkeley , Purdue University and the International Computer Science Institute took a comprehensive look at the way that the Heartbleed vulnerability affected the Internet as a whole in the months since it was disclosed in April, focusing mainly on the response by organizations to patch vulnerable servers and revoke certificates. As the scope and effect of the Heartbleed vulnerability set in, security teams scrambled to determine which of their servers were vulnerable to the issue and whether they needed to begin revoking a bunch of SSL certificates, as well. Many of the top sites on the Internet were patched almost immediately after the disclosure, but that didn’t extend to the rest of the vulnerable server population."

Link to Original Source

+ - Mozilla 1024-Bit Cert Deprecation Leaves 107,000 Sites Untrusted->

Submitted by msm1267
msm1267 (2804139) writes "Mozilla has deprecated 1024-bit RSA certificate authority certificates in Firefox 32 and Thunderbird. While there are pluses to the move such as a requirement for longer, stronger keys, at least 107,000 websites will no longer be trusted by Mozilla.

Data from HD Moore's Project Sonar, which indexes more than 20 million websites, found 107,535 sites using a cert signed by what will soon be an untrusted CA certificate. Grouping those 107,000-plus sites by certificate expiration date, the results show that 76,185 certificates had expired as of Aug. 25; of the 65 million certificates in the total scan, 845,599 had expired but were still in use as of Aug. 25, Moore said."

Link to Original Source

+ - Enumerating Android Apps Failing to Validate SSL ->

Submitted by msm1267
msm1267 (2804139) writes "A growing compilation of close to 350 Android applications that fail to perform SSL certificate validation over HTTPS has been put together by the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University.

Researcher Will Dormann created a large spreadsheet hosted on the CERT/CC site listing Android applications found on both the Google play and Amazon stores that fail to validate digital certificates, leaving them exposed to man-in-the-middle attacks.

Dormann said the spreadsheet is a living document and more applications are currently being tested and will be added to the list. Most of the apps on the list are currently available in the respective app stores. The apps ran the gamut from games, to music, productivity and everything in between. If available, a CVE number is provided for each app, as well as a notation of whether credentials are weak or are otherwise at risk."

Link to Original Source

+ - Mozilla to Support Key Pinning in Firefox 32

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "Mozilla is planning to add support for public-key pinning in its Firefox browser in an upcoming version. In version 32, which would be the next stable version of the browser, Firefox will have key pins for a long list of sites, including many of Mozilla’s own sites, all of the sites pinned in Google Chrome and several Twitter sites.

Public-key pinning has emerged as an important defense against a variety of attacks, especially man-in-the-middle attacks and the issuance of fraudulent certificates. In the last few years Google, Mozilla and other organizations have discovered several cases of attackers using fraudulent certificates for high-value sites, including Gmail. The function essentially ties a public key, or set of keys, issued by known-good certificate authorities to a given domain. So if a user’s browser encounters a site that’s presenting a certificate that isn’t included in the set of pinned public keys for that domain, it will then reject the connection. The idea is to prevent attackers from using fake certificates in order to intercept secure traffic between a user and the target site.

The first pinset will include all of the sites in the Chromium pinset used by Chrome, along with Mozilla sites and high-value sites such as Facebook. Later versions will add pins for Twitter, a long list of Google domains, Tor, Dropbox and other major sites."

+ - IEEE Guides Software Architects Toward Secure Design->

Submitted by msm1267
msm1267 (2804139) writes "The IEEE's Center for Secure Design debuted its first report this week, a guidance for software architects called "Avoiding the Top 10 Software Security Design Flaws." Developing guidance for architects rather than developers was a conscious effort the group made in order to steer the conversation around software security away from exclusively talking about finding bugs toward design-level failures that lead to exploitable security vulnerabilities.
The document spells out the 10 common design flaws in a straightforward manner, each with a lengthy explainer of inherent weaknesses in each area and how software designers and architects should take these potential pitfalls into consideration."

Link to Original Source

+ - Tor Browser Security Under Scrutiny->

Submitted by msm1267
msm1267 (2804139) writes "The keepers of Tor commissioned a study testing the defenses and viability of their Firefox-based browser as a privacy tool. The results were a bit eye-opening since the report’s recommendations don’t favor Firefox as a baseline for Tor, rather Google Chrome. But Tor’s handlers concede that budget constraints and Chrome’s limitations on proxy support make a switch or a fork impossible."
Link to Original Source

+ - New Attack Binds Malware in Parallel to Software Downloads->

Submitted by msm1267
msm1267 (2804139) writes "Researchers from Ruhr University in Bochum, Germany, have developed a proof-of-concept attack in which they are able to inject malicious code into a download that runs in parallel to the original application, without modifying the code.

The attack targets free and open source software, in particular those where code signing verification and other integrity checks are lacking in the download process.

Rather than spike the original application with malware, the researchers use a binder that links the binder application, malware and original download."

Link to Original Source

+ - Epic Precursor to Turla APT Campaign Uncovered->

Submitted by msm1267
msm1267 (2804139) writes "The Turla APT campaign has baffled researchers for months as to how its victims are compromised. Peaking during the first two months of the year, Turla has targeted municipal governments, embassies, militaries and other high-value targets worldwide, with particular concentrations in the Middle East and Europe.

Researchers at Kaspersky Lab, however, today announced they have discovered a precursor to Turla called Epic that uses a cocktail of zero-days and off-the-shelf exploits against previously unknown and patched vulnerabilities to compromise victims. Epic is the first of a multistage attack that hits victims via spear-phishing campaigns, social engineering scams, or watering hole attacks against websites of interest to the victims.

Epic shares code snippets with Turla and similar encryption used to confound researchers, suggesting a link between the two campaigns; either the attackers are cooperating or are the same group, Kaspersky researchers said."

Link to Original Source

+ - Oracle Database Redaction Trivial to Bypass->

Submitted by msm1267
msm1267 (2804139) writes "Researcher David Litchfield is back at it again, dissecting Oracle software looking for critical bugs. At the Black Hat 2014 conference, Litchfield delivered research on a new data redaction service the company added in Oracle 12c. The service is designed to allow administrators to mask sensitive data, such as credit card numbers or health information, during certain operations. But when Litchfield took a close look he found a slew of trivially exploitable vulnerabilities that bypass the data redaction service and trick the system into returning data that should be masked."
Link to Original Source

+ - Multipath TCP Introduces Security Blind Spot->

Submitted by msm1267
msm1267 (2804139) writes "If multipath TCP is the next big thing to bring resilience and efficiency to networking, then there are some serious security issues to address before it goes mainstream. An expert at next week's Black Hat conference is expected to explain how the TCP extension exposes leaves network security gear blind to traffic moving over multiple network streams. Today's IDS and IPS, for example, cannot correlate and re-assemble traffic as it's split over multiple paths. While such attacks are not entirely practical today, as multipath TCP becomes a fixture on popular networking gear and mobile devices, the risks will escalate.

“[Multipath TCP] solves big problems we have today in an elegant fashion,” said Catherine Pearce, security consultant and one of the presenters, along with Patrick Thomas. “You don’t have to replace hardware or software; it handles all that stuff behind the scenes. But security tools are naïve [to MPTCP], and make assumptions that are no longer valid that were valid in the past.”"

Link to Original Source

Our business in life is not to succeed but to continue to fail in high spirits. -- Robert Louis Stevenson

Working...