Submission + - OwnStar Device Can Remotely Find, Unlock and Start GM Cars

Trailrunner7 writes: Car hacking just jumped up a few levels. A security researcher has built a small device that can intercept the traffic from the OnStar RemoteLink mobile app and give him persistent access to a user’s vehicle to locate, unlock, and start it.

The device is called OwnStar and it’s the creation of Samy Kamkar, a security researcher and hardware hacker who makes a habit of finding clever ways around the security of various systems, including garage doors, wireless keyboards, and drones. His newest creation essentially allows him to take remote control of users’ vehicles simply by sending a few special packets to the OnStar service. The attack is a car thief’s dream.

Kamkar said that by standing near a user who has the RemoteLink mobile app open, he can use the OwnStar device to intercept requests from the app to the OnStar service. He can then take over control of the functions that RemoteLink handles, including unlocking and remotely starting the vehicle.

Submission + - Samy Kamkar's ProxyGambit Picks Up for Defunct ProxyHam->

msm1267 writes: Hardware hacker Samy Kamkar has picked up where anonymity device ProxyHam left off. After a DEF CON talk on ProxyHam was mysteriously called off, Kamkar went to work on developing ProxyGambit, a similar device that allows a user to access the Internet from anywhere without revealing their physical location.

A description on Kamkar’s site says ProxyGambit fractures traffic from the Internet through long-distance radio links or reverse-tunneled GSM bridges that connect to and exit the Internet through wireless networks far from the user’s physical location.

ProxyHam did not put as much distance between the user and device as ProxyGambit, and routed its signal over Wi-Fi and radio connections. Kamkar said his approach makes it several times more difficult to determine where the original traffic is coming from.


Submission + - New RC4 Encryption Attacks Reduce Plaintext Recovery Time->

msm1267 writes: Two Belgian security researchers from the University of Leuven have driven new nails into the coffin of the RC4 encryption algorithm. A published paper, expected to be delivered at the upcoming USENIX Security Symposium next month in Washington, D.C., describes new attacks against RC4 that allow an attacker to capture a victim’s cookie and decrypt it in a much shorter amount of time than was previously possible.

The paper “All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS,” written by Mathy Vanhoef and Frank Piessens, explains the discovery of new biases in the algorithm that led to attacks breaking encryption on websites running TLS with RC4, as well as WPA-TKIP, the Wi-Fi Protected Access Temporal Key Integrity Protocol.


Submission + - OpenSSL Patches Critical Certificate Forgery Bug->

msm1267 writes: The mystery OpenSSL patch released today addresses a critical certificate validation issue where anyone with an untrusted TLS certificate can become a Certificate Authority. While serious, the good news according to the OpenSSL Project is that few downstream organizations have deployed the June update where the bug was introduced.

Submission + - Angler Exploit Kit Evasion Techniques Keep Cryptowall Thriving->

msm1267 writes: Since the Angler Exploit Kit began pushing the latest version of Cryptowall ransomware, the kit has gone to great lengths to evade detection from IDS and other security technologies. The latest tactic is an almost-daily change to URL patterns used by the kit in HTTP GET requests for the Angler landing page, requests for a Flash exploit, and requests for the Cryptowall 3.0 payload. Traffic patterns as of yesterday are almost unrecognizable compared to those from as recently as three weeks ago.

Submission + - Emergency Adobe Flash Patch Fixes Zero Day Under Attack->

msm1267 writes: Adobe released an emergency patch for a Flash zero day used in targeted attacks by APT3, the same group behind 2014’s Clandestine Fox attacks.

Adobe said Flash Player 18.0.0.161 and earlier for Windows and Macintosh systems are affected, as is 11.2.202.466 for Linux 11.x versions.

The current iteration of Clandestine Fox attacks shares many traits with last year’s attacks, including generic, almost spam-like phishing emails intent on snaring as many victims as possible that can be analyzed for their value before additional attacks are carried out. The two campaigns also share the same custom backdoor called SHOTPUT, as well as an insistence on using a throwaway command and control infrastructure.


Submission + - US Navy Solicits Zero Days->

msm1267 writes: The US Navy posted an RFP, which has since been removed from FedBizOpps.gov, soliciting contractors to share vulnerability intelligence and develop zero day exploits for most of the leading commercial IT software vendors.

The Navy said it was looking for vulnerabilities, exploit reports and operational exploit binaries for commercial software, including but not limited to Microsoft, Adobe, [Oracle] Java, EMC, Novell, IBM, Android, Apple, Cisco IOS, Linksys WRT and Linux, among others.

The RFP seemed to indicate that the Navy was not only looking for offensive capabilities, but also wanted to use the exploits to test internal defenses. The request, however, does require the contractor to develop exploits for future released CVEs. “Binaries must support configurable, custom, and/or government owned/provided payloads and suppress known network signatures from proof of concept code that may be found in the wild,” the RFP said.


Submission + - New Duqu 2.0 APT Hits High-Value Victims, Including Kaspersky

Trailrunner7 writes: The Duqu attackers, who are considered by researchers to be at the top of the food chain of APT groups and are responsible for attacking certificate authorities and perhaps spying on Iran’s nuclear program, have resurfaced with a new platform that was used to compromise high-profile victims, including some related to the Iran nuclear talks last fall.

The new spate of attacks was discovered by researchers at Kaspersky Lab after they uncovered evidence that some of the company’s own systems had been compromised by the platform, which is being called Duqu 2.0. Kaspersky’s investigation into the incident showed that the Duqu attackers had access to a small number of systems and were especially interested in the company’s research into APT groups, its anti-APT technology, and some Kaspersky products, including the Secure Operating System and Kaspersky Security Network. Kaspersky officials said that although the initial infection vector isn’t known, the attackers used as many as three Windows zero-days in the course of the operation.

The company said that it is confident that its technologies and products have not been affected by the incident.

The key difference with the Duqu 2.0 attacks is that the malware platform that the team uses has modules that reside almost entirely in memory.

“The Equation Group always used some form of ‘persistence,’ accepting a bigger risk of being discovered. The Duqu 2.0 malware platform was designed in a way that survives almost exclusively in the memory of infected systems, without need for persistence – it means the attackers are sure there is always a way for them to maintain an infection – even if the victim’s machine is rebooted and the malware disappears from the memory,” Kaspersky’s researchers said.

Submission + - Of Bug Bounties and Wassenaar in the US->

msm1267 writes: If the proposed US Wassenaar rules are enacted, researchers who make a living contributing to and participating in the numerous industry bug bounties may feel the pinch in their wallets. Worse may be the impact on the security of software worldwide since many independent researchers find a good number of the bugs that get patched.

Researchers are starting to speak out, not only about the rules' broad definition of intrusion software, but also about the potential need to share vulnerability details with a government if forced to apply for the required export license. Many may soon question whether it's worth the time and effort to go through the export process if governments are acting as a clearinghouse.


Submission + - Bug Bounties in the Crosshairs of Wassenaar Rules

Trailrunner7 writes: Bug bounties have gone from novelty to necessity, not only for enterprises looking to take advantage of the skills of an organized pool of vulnerability hunters, but also for a slew of independent researchers who make a living contributing to various vendor and independent bounty and reward programs.

The proposed U.S. rules for the Wassenaar Arrangement pose a real challenge for all sides of that equation.

Under the rules, researchers who find a zero-day vulnerability and develop a PoC exploit triggering the issue would have to apply for an export license in order to privately disclose their findings to the vendor in question. As a result, there will be occasions when a foreign researcher, for example, would have to share details on a zero-day with their government before the vendor in question.

“There are lots of concerns from researchers if this gets implemented,” said Kymberlee Price, senior director of operations at Bugcrowd, a private company that provides a platform for organizations wishing to start bug bounty programs. “Is it worth the effort to continue to report vulnerabilities if you have to go through a government and are likely to have to disclose details on that vulnerability? Do we want foreign governments knowing about it before it’s reported directly to the vendor so it can be patched?”

Submission + - Researchers Comment on Proposed Wassenaar Rules->

msm1267 writes: Influential security researchers, including Halvar Flake and Jonathan Zdziarski, have begun publishing their comments, objections and concerns regarding the proposed U.S. export control rules under the Wassenaar Arrangement. The bug-hunters are worried that the rules' definition of intrusion software is too broad and would curtail vulnerability research, proof-of-concept exploit development, the use of certain scanners, pen-testing software, and other potential dual-use tools.

Submission + - Exploit Kit Delivers Pharming Attacks Against SOHO Routers->

msm1267 writes: For the first time, DNS redirection attacks against small office and home office routers are being delivered via exploit kits. French security researcher Kafeine said an offshoot of the Sweet Orange kit has been finding success in driving traffic from compromised routers to the attackers' infrastructure. The risk to users is substantial, he said, ranging from financial loss to click-fraud, man-in-the-middle attacks and phishing.

Submission + - Security Researchers Wary of Wassenaar Rules->

msm1267 writes: The Commerce Department’s Bureau of Industry and Security today made public its proposal to implement the controversial Wassenaar Arrangement, and computer security specialists are wary of its language and vagaries.

For starters, its definition of "intrusion software", which originally was meant to stem the effect of spying software such as FinFisher and Hacking Team, has also apparently snared many penetration testing tools. Also, despite the Commerce Department's insistence that vulnerability research does not fall under Wassenaar, researchers say that's up for interpretation.


Submission + - ICU Project Patches Memory Vulnerabilities->

msm1267 writes: Multitudes of software packages that make use of the ICU Project C/C++ and Java libraries may need to update after a pair of memory-based vulnerabilities were discovered and subsequently patched.

Version 55.1 of the ICU Project ICU4C library, released yesterday, addresses separate heap-based buffer overflow and integer overflow bugs in versions 52 through 54. Older versions of the library could also be affected, said researcher Pedro Ribeiro of Agile Information Security, who discovered the vulnerabilities while fuzzing LibreOffice, one of the numerous open source and enterprise software packages that are built using the library.


Submission + - OpenSSL Past, Present and Future->

msm1267 writes: Heartbleed made the world notice what kind of shape OpenSSL development was in from a financial and human resources standpoint. In the year since, the project has been funded enough to hire full-time engineers, and a crucial refactoring of the codebase has the project heading in the right direction.
