writes "The keepers of Tor commissioned a study testing the defenses and viability of their Firefox-based browser as a privacy tool. The results were a bit eye-opening since the report’s recommendations don’t favor Firefox as a baseline for Tor, rather Google Chrome. But Tor’s handlers concede that budget constraints and Chrome’s limitations on proxy support make a switch or a fork impossible."Link to Original Source
writes "Researchers from Ruhr University in Bochum, Germany, have developed a proof-of-concept attack in which they are able to inject malicious code into a download that runs in parallel to the original application, without modifying the code.
The attack targets free and open source software, in particular those where code signing verification and other integrity checks are lacking in the download process.
Rather than spike the original application with malware, the researchers use a binder that links the binder application, malware and original download."Link to Original Source
writes "Secure mobile phone Blackphone makers SGP Technologies and researcher Justin Case clear the air on how Blackphone was rooted, what circumstances have to be in place to successfully exploit the trio of vulnerabilities in the chain, and what this means for Blackphone going forward."Link to Original Source
writes "The Turla APT campaign has baffled researchers for months as to how its victims are compromised. Peaking during the first two months of the year, Turla has targeted municipal governments, embassies, militaries and other high-value targets worldwide, with particular concentrations in the Middle East and Europe.
Researchers at Kaspersky Lab, however, today announced they have discovered a precursor to Turla called Epic that uses a cocktail of zero-days and off-the-shelf exploits against previously unknown and patched vulnerabilities to compromise victims. Epic is the first of a multistage attack that hits victims via spear-phishing campaigns, social engineering scams, or watering hole attacks against websites of interest to the victims.
Epic shares code snippets with Turla and similar encryption used to confound researchers, suggesting a link between the two campaigns; either the attackers are cooperating or are the same group, Kaspersky researchers said."Link to Original Source
writes "Researcher David Litchfield is back at it again, dissecting Oracle software looking for critical bugs. At the Black Hat 2014 conference, Litchfield delivered research on a new data redaction service the company added in Oracle 12c. The service is designed to allow administrators to mask sensitive data, such as credit card numbers or health information, during certain operations. But when Litchfield took a close look he found a slew of trivially exploitable vulnerabilities that bypass the data redaction service and trick the system into returning data that should be masked."Link to Original Source
writes "If multipath TCP is the next big thing to bring resilience and efficiency to networking, then there are some serious security issues to address before it goes mainstream. An expert at next week's Black Hat conference is expected to explain how the TCP extension exposes leaves network security gear blind to traffic moving over multiple network streams. Today's IDS and IPS, for example, cannot correlate and re-assemble traffic as it's split over multiple paths. While such attacks are not entirely practical today, as multipath TCP becomes a fixture on popular networking gear and mobile devices, the risks will escalate.
“[Multipath TCP] solves big problems we have today in an elegant fashion,” said Catherine Pearce, security consultant and one of the presenters, along with Patrick Thomas. “You don’t have to replace hardware or software; it handles all that stuff behind the scenes. But security tools are naïve [to MPTCP], and make assumptions that are no longer valid that were valid in the past.”"Link to Original Source
writes "For a little more than six months, attackers were on the Tor network trying to deanonymize users who operate or use Tor hidden services.
Tor issued a security advisory this morning warning users who operated or accessed hidden services between Jan. 30 and July 4 that they were likely affected. Tor officials are also recommending users to upgrade relays to the most recent Tor release, which closes off the vulnerability exploited by the attackers. Hidden service operators are also advised to change the location of their services."Link to Original Source
writes "There is a critical vulnerability in millions of Android devices that allows a malicious app to impersonate a trusted application in a transparent way, enabling an attacker to take a number of actions, including inserting malicious code into a legitimate app or even take complete control of an affected device.
The vulnerability is a result of the way that Android handles certificate validation and it’s present in all versions of Android from 2.1 to 4.4, known as Kit Kat. Researchers at Bluebox Security, who identified the vulnerability, said that in some cases, attackers can exploit the vulnerability to gain full access to a target device. Specifically, devices that run the 3LM administration extension are at risk for a complete compromise. This includes devices from HTC, Pantech, Sharp, Sony Ericsson, and Motorola.
Android apps are signed using digital certificates that establish the identity of the developer and the vulnerability Bluebox discovered is that the Android app installer doesn’t try to authenticate the certificate chain of a given app. That means an attacker can create an app with a fake identity and impersonate an app with extensive privileges, such as an Adobe plug-in or Google Wallet. In the case of the Adobe impersonation, the malicious app would have the ability to escape the sandbox and run malicious code inside another app, the researchers said.
“You could use any app distribution mechanism, whether it’s a link in SMS or a legitimate app store. Look at other Android malware. You do it whatever it takes for the user to say, Yeah I want that app,” Bluebox CTO Jeff Forristal said. “It’s certainly severe. It’s completely stealth and transparent to the user and it’s absolutely the stuff that malware is made of. It operates extremely consistently, so in that regard it’s going to be extremely attractive to malware.”"
writes "The OpenBSD project late last night rushed out a patch for a vulnerability in the LibreSSL pseudo random number generator (PRNG).
The flaw was disclosed two days ago by the founder of secure backup company Opsmate, Andrew Ayer, who said the vulnerability was a “catastrophic failure of the PRNG.”
OpenBSD founder Theo de Raadt and developer Bob Beck, however, countered saying that the issue is “overblown” because Ayer’s test program is unrealistic. Ayer’s test program, when linked to LibreSSL and made two different calls to the PRNG, returned the exact same data both times.
“It is actually only a problem with the author’s contrived test program,” Beck said. “While it’s a real issue, it’s actually a fairly minor one, because real applications don’t work the way the author describes, both because the PID (process identification number) issue would be very difficult to have become a real issue in real software, and nobody writes real software with OpenSSL the way the author has set this test up in the article.”"Link to Original Source
Jason Z (3746821)
writes "Interview with Sarah Koo, data scientist at BitTorrent. We discuss the technology itself, security potential, and the future of file storage"Link to Original Source
writes "A group of outside experts found that the process that led to the inclusion of the weakened Dual EC_DRBG random number generator in a NIST standard was flawed and there were several failures along the way that led to its approval. The committee also recommended that the National Institute of Standards and Technology increase the number of cryptographers it employs and also that it take steps to clarify and define its relationship with the NSA.
The report from the Visiting Committee on Advanced Technology’s Committee of Visitors, released Monday, found that NIST was overly reliant on the input and expertise of NSA cryptographers and that the organization should have paid more attention to outside criticisms of the algorithm.
“The reconstruction of events showed that the issues with the DRBG had been identified several times – formally and informally – during the standards development process, and that they had been discussed and addressed at the time. NIST now concludes, however, that the steps taken to address the issues were less effective than they should have been, and that the team failed to take actions that, in the light of hindsight, clearly should have been taken. The root causes of the failure were identified as trust in the technical expertise provided by NSA, excessive reliance on an insular community that was somewhat impervious to external feedback, group dynamics within the standards development team, and informal recordkeeping over the course of a multi- year development process,” Ellen Richey, one of the committee members and executive vice president and chief enterprise risk officer at Visa, wrote in her recommendations in the report."
writes "The source code for Tinba, known as the smallest banker Trojan in circulation, has been posted on an underground forum. Researchers say that the files turned out to be the source code for version one of Tinba, which was identified in 2012, and is the original, privately sold version of the crimeware kit.
Tinba performs many of the same malicious functions as other banker Trojans, injecting itself into running processes on an infected machine, including the browser and explorer.exe. The malware is designed to steal financial information, including banking credentials and credit-card data and also makes each infected computer part of a botnet. Compromised machines communicate with command-and-control servers over encrypted channels. Tinba got its name from an abbreviation of “tiny banker”, and researchers say that it’s only about 20 KB in size."Link to Original Source
writes "Got an email today from Microsoft, text is below. They are no longer going to send out emails regarding patches, you have to use RSS or keep visiting their security sites. They blame "governmental policies" as the reason. What could the real reason be? Anybody in the know?
From the email:
Title: Microsoft Security Notifications
Issued: June 27, 2014
Notice to IT professionals:
As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the
* Security bulletin advance notifications
* Security bulletin summaries
* New security advisories and bulletins
* Major and minor revisions to security advisories and bulletins
In lieu of email notifications, you can subscribe to one or more of the RSS feeds described on the Security TechCenter website.
For more information, or to sign up for an RSS feed, visit the Microsoft Technical Security Notifications webpage at http://technet.microsoft.com/s...."Link to Original Source
writes "The United States federal government issued more than 19,000 National Security Letters–perhaps its most powerful tool for domestic intelligence collection–in 2013, and those NSLs contained more than 38,000 individual requests for information.
The new data was released by the Office of the Director of National Intelligence on Friday as part of its effort to comply with a directive from President Obama to declassify and release as much information as possible about a variety of tools that the government uses to collect intelligence. The directive came in the immediate aftermath of the first revelations by former NSA contractor Edward Snowden about the agency’s capabilities, methods and use of legal authorities.
The use of NSLs is far from new, dating back several decades. But their use was expanded greatly after 9/11 and NSLs are different from other tools in a number of ways, perhaps most importantly in the fact that recipients typically are prohibited from even disclosing the fact that they received an NSL. Successfully fighting an NSL is a rare thing, and privacy advocates have been after the government for years to release data on their use of the letters and the number of NSLs issued. Now, the ODNI is putting some of that information into the public record."
writes "Controversial spyware commercially developed by Italy’s HackingTeam and sold to governments and law enforcement for the purpose of surveillance, has a global command and control infrastructure and for the first time, security experts have insight into how its mobile malware components work.
Collaborating teams of researchers from Kaspersky Lab and Citizen Lab at the Monk School of Global Affairs at the University of Toronto today reported on their findings during an event in London. The breadth of the command infrastructure supporting HackingTeam’s Remote Control System (RCS) is extensive, with 326 servers outed in more than 40 countries; the report also provides the first details on the inner workings of the RCS mobile components for Apple iOS and Android devices."Link to Original Source