Submission + - Browser Makers to Sever RC4 Support in Early 2016

msm1267 writes: Google, Microsoft and Mozilla today announced they’ve settled on an early 2016 timeframe to permanently deprecate the shaky RC4 encryption algorithm in their respective browsers.

Mozilla said Firefox's shut-off date will coincide with the release of Firefox 44 on Jan. 26. Google and Microsoft said that Chrome, and Internet Explorer 11 and Microsoft Edge respectively, will also do so in the January-February timeframe.

Practical attacks against RC4 are growing increasingly practical, rendering the algorithm more untrustworthy by the day.


Submission + - WordPress Hacks Behind Surging Neutrino EK Traffic

msm1267 writes: More than 2,000 websites running WordPress have been compromised and are responsible for a surge this week in traffic from the Neutrino Exploit Kit.

Attacks against sites running older versions of the content management system, 4.2 and earlier, were spotted by Zscaler. Those sites are backdoored and redirect a victim’s browser through iframes to a landing page hosting the exploit kit where a Flash exploit awaits. The exploits generally target Internet Explorer, Zscaler said, and victims’ computers are eventually infected with CryptoWall 3.0 ransomware.

This analysis is in line with a similar report from the SANS Institute, which pointed the finger at a particular cybercrime group that had steered away from using the prolific Angler Exploit Kit and moved operations to Neutrino.


Submission + - Reflection DDoS Attacks Abusing RPC Portmapper

msm1267 writes: Attackers have figured out how to use Portmapper, or RPC Portmapper, in reflection attacks where victims are sent copious amounts of responses from Portmapper servers, saturating bandwidth and keeping websites and web-based services unreachable.

Telecommunications and Internet service provider Level 3 Communications of Colorado spotted anomalous traffic on its backbone starting in mid-June almost as beta runs of attacks that were carried out Aug. 10-12 against a handful of targets in the gaming and web hosting industries.

There are 1.1 million Portmapper servers accessible online, and those open servers can be abused to similar effect as NTP servers were two years ago in amplification attacks.


Submission + - Stagefright Patch Incomplete, Android Devices Still Vulnerable

msm1267 writes: A patch distributed by Google for the infamous Stagefright vulnerability found in 950 million Android devices is incomplete and users remain exposed to simple attacks targeting the flaw.

Researchers at Exodus Intelligence discovered the issue in one of the patches submitted by Zimperium zLabs researcher Joshua Drake. Google responded today by releasing a new patch to open source and promising to distribute it next month in a scheduled OTA update for Nexus devices and to its partners.

Drake's original patch failed to account for an integer discrepancy between 32- and 64-bit, Exodus Intelligence said. By inputting a specific 64-bit value, researchers were able to bypass the patch.

Exodus, which submitted a bug fix of its own to Google, said it decided to go public with its findings for several reasons, including the fact that the vulnerability was widely publicized by Zimperium before and during Black Hat, not to mention that Google has had the original bug report since April, yet neither party noticed the discrepancy in the patch.


Submission + - Zero Day in Android Google Admin App Can Bypass Sandbox

Trailrunner7 writes: The Android security team at Google is having a busy month. First the Stagefright vulnerabilities surfaced last month just before Black Hat and now researchers at MWR Labs have released information on an unpatched vulnerability that allows an attacker to bypass the Android sandbox.

The vulnerability lies in the way that the Google Admin application on Android phones handles some URLs. If another application on the phone sends the Admin app a specific kind of URL an attacker can bypass the Same Origin Policy and get data from the Admin sandbox.

“An issue was found when the Google Admin application received a URL via an IPC call from any other application on the same device. The Admin application would load this URL in a webview within its own activity. If an attacker used a file:// URL to a file that they controlled, then it is possible to use symbolic links to bypass Same Origin Policy and retrieve data out of the Google Admin sandbox,” the advisory from MWR Labs says.

Google did not respond to a request for comment on this story. The vulnerability affects the current version of the app, and may affect earlier versions as well.

Submission + - Manipulating Microsoft WSUS to Own Enterprises

msm1267 writes: Microsoft's enterprise-grade Windows Server Update Services (WSUS), used to download and distribute security and driver updates, poses a significant weak spot if not configured properly.

Researchers Paul Stone and Alex Chapman during last week's Black Hat conference presented research on the WSUS attack surface and discovered that when a WSUS server contacts Microsoft for driver updates, it does so using XML SOAP web services, and those checks are not made over SSL.

While updates are signed by Microsoft and updates must be verified by Microsoft, Stone and Chapman discovered that an attacker already in a man-in-the-middle position on a corporate network, for example, could, with some work, tamper with the unencrypted communication and inject a malicious homegrown update.

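The configuration weakness the submission describes is plain-HTTP update transport that a man-in-the-middle can tamper with. The following PowerShell check is an added example, not code from the submission or from Stone and Chapman's research; it reads the Windows Update client policy (the standard WUServer and WUStatusServer values under the WindowsUpdate policy key) and flags any WSUS endpoint that is not reached over https://.

```powershell
# Added example: audit the WSUS client transport on a domain-joined Windows host.
# The policy values are the ones set by the "Specify intranet Microsoft update
# service location" Group Policy; a plain http:// value here is the exposure the
# submission describes (update traffic readable and modifiable in transit).
$WsusPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-WsusTransport {
    param([string]$Path = $WsusPolicyPath)

    if (-not (Test-Path $Path)) {
        # No WSUS policy: the client talks to Microsoft Update directly.
        return [pscustomobject]@{ Setting = 'none'; Url = $null; UsesTls = $null;
                                  Finding = 'No WSUS policy configured' }
    }

    $props = Get-ItemProperty -Path $Path
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $props.$name
        if ([string]::IsNullOrWhiteSpace($url)) { continue }

        # Only an https:// scheme gives the client transport integrity; the
        # Microsoft signature on update packages does not cover the SOAP metadata.
        $usesTls = $url -match '^https://'
        [pscustomobject]@{
            Setting = $name
            Url     = $url
            UsesTls = $usesTls
            Finding = if ($usesTls) { 'OK: TLS in use' }
                      else { 'WEAK: plain HTTP; update traffic can be altered by a MITM' }
        }
    }
}

Test-WsusTransport | Format-Table -AutoSize
```

Switching the client side to https:// only helps once the WSUS server itself has been configured for SSL (for example with `wsusutil.exe configuressl <server FQDN>` and a certificate the clients trust); run the check across the estate rather than on one host.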

Submission + - Latest Samy Kamkar Hack Unlocks Most Cars

msm1267 writes: Samy Kamkar has built a new device called Rolljam that is about the size of a wallet and can intercept the codes used to unlock most cars and many garage doors. The device can be hidden underneath a vehicle and when the owner approaches and hits the unlock button on her key or remote, the device grabs the unique code sent by the remote and stores it for later use.

The device takes advantage of an issue with the way that vehicles that use rolling codes for unlocking produce and receive those codes. Kamkar said that the device works on most vehicles and garage doors that use rolling, rather than fixed codes.


Submission + - OwnStar Device Can Remotely Find, Unlock and Start GM Cars

Trailrunner7 writes: Car hacking just jumped up a few levels. A security researcher has built a small device that can intercept the traffic from the OnStar RemoteLink mobile app and give him persistent access to a user’s vehicle to locate, unlock, and start it.

The device is called OwnStar and it’s the creation of Samy Kamkar, a security researcher and hardware hacker who makes a habit of finding clever ways around the security of various systems, including garage doors, wireless keyboards, and drones. His newest creation essentially allows him to take remote control of users’ vehicles simply by sending a few special packets to the OnStar service. The attack is a car thief’s dream.

Kamkar said that by standing near a user who has the RemoteLink mobile app open, he can use the OwnStar device to intercept requests from the app to the OnStar service. He can then take over control of the functions that RemoteLink handles, including unlocking and remotely starting the vehicle.

Submission + - Samy Kamkar's ProxyGambit Picks Up for Defunct ProxyHam

msm1267 writes: Hardware hacker Samy Kamkar has picked up where anonymity device ProxyHam left off. After a DEF CON talk on ProxyHam was mysteriously called off, Kamkar went to work on developing ProxyGambit, a similar device that allows a user to access the Internet from anywhere without revealing their physical location.

A description on Kamkar’s site says ProxyGambit fractures traffic from the Internet through long distance radio links or reverse-tunneled GSM bridges that connect and exit the Internet through wireless networks far from the user’s physical location.

ProxyHam did not put as much distance between the user and device as ProxyGambit, and routed its signal over Wi-Fi and radio connections. Kamkar said his approach makes it several times more difficult to determine where the original traffic is coming from.


Submission + - New RC4 Encryption Attacks Reduce Plaintext Recovery Time

msm1267 writes: Two Belgian security researchers from the University of Leuven have driven new nails into the coffin of the RC4 encryption algorithm. A published paper, expected to be delivered at the upcoming USENIX Security Symposium next month in Washington, D.C., describes new attacks against RC4 that allow an attacker to capture a victim’s cookie and decrypt it in a much shorter amount of time than was previously possible.

The paper “All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS,” written by Mathy Vanhoef and Frank Piessens, explains the discovery of new biases in the algorithm that led to attacks breaking encryption on websites running TLS with RC4, as well as the WPA-TKIP, the Wi-Fi Protected Access Temporal Key Integrity Protocol.


Submission + - OpenSSL Patches Critical Certificate Forgery Bug

msm1267 writes: The mystery OpenSSL patch released today addresses a critical certificate validation issue where anyone with an untrusted TLS certificate can become a Certificate Authority. While serious, the good news according to the OpenSSL Project is that few downstream organizations have deployed the June update where the bug was introduced.

Submission + - Angler Exploit Kit Evasion Techniques Keep Cryptowall Thriving

msm1267 writes: Since the Angler Exploit Kit began pushing the latest version of Cryptowall ransomware, the kit has gone to great lengths to evade detection from IDS and other security technologies. The latest tactic is an almost-daily change to URL patterns used by the kit in HTTP GET requests for the Angler landing page, requests for a Flash exploit, and requests for the Cryptowall 3.0 payload. Traffic patterns as of yesterday are almost unrecognizable compared to those of as recent as three weeks ago.

Submission + - Emergency Adobe Flash Patch Fixes Zero Day Under Attack

msm1267 writes: Adobe released an emergency patch for a Flash zero day used in targeted attacks by APT3, the same group behind 2014’s Clandestine Fox attacks.

Adobe said Flash Player 18.0.0.161 and earlier for Windows and Macintosh systems are affected, as is 11.2.202.466 for Linux 11.x versions.

The current iteration of Clandestine Fox attacks shares many traits with last year’s attacks, including generic, almost spam-like phishing emails intent on snaring as many victims as possible that can be analyzed for their value before additional attacks are carried out. The two campaigns also share the same custom backdoor called SHOTPUT, as well as an insistence on using a throwaway command and control infrastructure.


Submission + - US Navy Solicits Zero Days

msm1267 writes: The US Navy posted an RFP, which has since been removed from FedBizOpps.gov, soliciting contractors to share vulnerability intelligence and develop zero day exploits for most of the leading commercial IT software vendors.

The Navy said it was looking for vulnerabilities, exploit reports and operational exploit binaries for commercial software, including but not limited to Microsoft, Adobe, [Oracle] Java, EMC, Novell, IBM, Android, Apple, Cisco IOS, Linksys WRT and Linux, among others.

The RFP seemed to indicate that the Navy was not only looking for offensive capabilities, but also wanted to use the exploits to test internal defenses. The request, however, does require the contractor to develop exploits for future released CVEs. “Binaries must support configurable, custom, and/or government owned/provided payloads and suppress known network signatures from proof of concept code that may be found in the wild,” the RFP said.


Submission + - New Duqu 2.0 APT Hits High-Value Victims, Including Kaspersky

Trailrunner7 writes: The Duqu attackers, who are considered by researchers to be at the top of the food chain of APT groups and are responsible for attacking certificate authorities and perhaps spying on Iran’s nuclear program, have resurfaced with a new platform that was used to compromise high-profile victims, including some related to the Iran nuclear talks last fall.

The new spate of attacks was discovered by researchers at Kaspersky Lab after they uncovered evidence that some of the company’s own systems had been compromised by the platform, which is being called Duqu 2.0. Kaspersky’s investigation into the incident showed that the Duqu attackers had access to a small number of systems and were especially interested in the company’s research into APT groups, its anti-APT technology, and some Kaspersky products, including the Secure Operating System and Kaspersky Security Network. Kaspersky officials said that although the initial infection vector isn’t known, the attackers used as many as three Windows zero-days in the course of the operation.

The company said that it is confident that its technologies and products have not been affected by the incident.

The key difference with the Duqu 2.0 attacks is that the malware platform that team uses has modules that reside almost entirely in memory.

“The Equation Group always used some form of ‘persistence,’ accepting a bigger risk of being discovered. The Duqu 2.0 malware platform was designed in a way that survives almost exclusively in the memory of infected systems, without need for persistence – it means the attackers are sure there is always a way for them to maintain an infection – even if the victim’s machine is rebooted and the malware disappears from the memory,” Kaspersky’s researchers said.
