msm1267 writes "A presenter at this week’s CanSecWest security conference has withdrawn his scheduled talk for fear the information could be used to attack critical infrastructure worldwide.
Eric Filiol, scientific director of the Operational Cryptology and Virology lab and CTO/CSO of ESIEA in France, pulled his talk on Sunday, informing organizer Dragos Ruiu via email. Filiol, a 22-year military veteran with a background in intelligence and computer security, said he has been studying the reality of cyberwar for four months and came to the decision after discussions with his superiors in the French government.
Filiol said he submitted the presentation, entitled “Hacking 9/11: The next is likely to be even bigger with an ounce of cyber,” to CanSecWest three months ago before his research was complete. Since his lab is under supervision of the French government, he was required to review his findings with authorities.
“They told me that this presentation was unsuitable for being public,” Filiol said in an email. “It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries).”"
msm1267 writes "Researchers have built new attack techniques against HTTPS traffic that have been effective in learning details on users' surfing habits, leaking sensitive data that could impact privacy.
They tested against 600 leading healthcare, finance, legal services and streaming video sites, including Netflix. Their attack, they said in a research paper, reduced errors from previous methodologies more than 3 ½ times. They also demonstrate a defense against this attack that reduces the accuracy of attacks by 27 percent by increasing the effectiveness of packet level defenses in HTTPS, the paper said.
“We design our attack to distinguish minor variations in HTTPS traffic from significant variations which indicate distinct traffic contents,” the paper said. “Minor traffic variations may be caused by caching, dynamically generated content, or user-specific content including cookies. Our attack applies clustering techniques to identify patterns in traffic.”"
msm1267 writes "The similarities between the GnuTLS bug and Apple’s goto fail bug begin and end at their respective failure to verify TLS and SSL certificates. Otherwise, they’re neither siblings, nor distant cousins.
The GnuTLS bug is very different, though like Apple’s infamous goto fail error, it will also treat bogus digital certificates as valid.
“This one was more of a dumb coding mistake, whereas Apple could have been a cut-and-paste error. It looks like [GnuTLS] failed to cast a return variable correctly. C is hard," said cryptographer Matthew Green of Johns Hopkins University.
While the goto command appears in the buggy code in both vulnerabilities, the GnuTLS bug veers off in a different direction. Goto fail, for example, is a standard C paradigm for error handling. Goto, in this case, is being used correctly, said Melissa Elliott, a security researcher with Veracode. The problem, she said, is related to variable typing and an improper mixing of error codes that led to this mess."
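As an added illustration (not code from the original post, and not the Apple or GnuTLS sources), the two error-handling shapes discussed above side by side in C: a duplicated `goto fail` that turns the remaining checks into dead code while `err` still holds the last successful step's 0, and a yes/no predicate whose cleanup path returns a negative error code that a caller testing `!= 0` reads as "yes". The function names, the stub helpers (`hash_update`, `check_signature`, `get_signed_data`) and the error codes (-9999, -22) are assumptions made for the demonstration only.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of two error-handling shapes; not the Apple or
 * GnuTLS source. Helper names and error codes are assumptions. */

typedef int OSStatus;            /* Apple convention: 0 = noErr, anything else = failure */

/* Stand-ins for two verification steps: the hash update always succeeds, the
 * signature check succeeds only when the signature matches the expected value. */
static OSStatus hash_update(void) { return 0; }
static OSStatus check_signature(const char *sig, const char *expected) {
    return strcmp(sig, expected) == 0 ? 0 : -9999;   /* -9999: arbitrary error code (assumption) */
}

/* Shape 1: "goto fail" is correct C error handling, but a duplicated line makes the
 * second goto unconditional. Everything after it is dead code, and err still holds
 * the 0 from the last step that actually ran, so a bad signature is accepted. */
OSStatus verify_goto_fail_buggy(const char *sig, const char *expected) {
    OSStatus err;
    if ((err = hash_update()) != 0)
        goto fail;
        goto fail;                                   /* the duplicated line: always taken */
    if ((err = check_signature(sig, expected)) != 0) /* never reached */
        goto fail;
fail:
    return err;
}

/* Fixed: braces make the control flow explicit, and success is only returned
 * after every check has actually run. */
OSStatus verify_goto_fail_fixed(const char *sig, const char *expected) {
    OSStatus err;
    if ((err = hash_update()) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig, expected)) != 0) {
        goto fail;
    }
    return 0;
fail:
    return err;
}

/* Shape 2: a predicate meant to answer "is this certificate a CA?" with 1 or 0
 * shares its 'result' variable with a helper that reports errors as negative
 * integers (the GnuTLS convention). On the error path the negative code escapes
 * through the cleanup label as the predicate's answer. */
static int get_signed_data(int parse_fails) {
    return parse_fails ? -22 : 0;                    /* -22: arbitrary negative error code (assumption) */
}

int check_if_ca_buggy(int parse_fails, int basic_constraints_ca) {
    int result;
    result = get_signed_data(parse_fails);
    if (result < 0)
        goto cleanup;                                /* leaks -22 as the "boolean" answer */
    result = basic_constraints_ca ? 1 : 0;
cleanup:
    return result;
}

/* Fixed: an error is a separate outcome that is mapped to "not a CA" (0) before
 * the function returns, so no negative code can reach the caller. */
int check_if_ca_fixed(int parse_fails, int basic_constraints_ca) {
    int result;
    if (get_signed_data(parse_fails) < 0)
        goto fail;
    result = basic_constraints_ca ? 1 : 0;
    goto cleanup;
fail:
    result = 0;
cleanup:
    return result;
}

/* A caller written the way chain-verification code usually is: "nonzero means yes".
 * With the buggy predicate, a certificate whose signed data cannot even be parsed
 * is accepted as a CA issuer. */
int issuer_accepted(int (*is_ca)(int, int), int parse_fails, int basic_constraints_ca) {
    return is_ca(parse_fails, basic_constraints_ca) != 0;
}

int main(void) {
    printf("bad signature accepted? buggy=%d fixed=%d\n",
           verify_goto_fail_buggy("bad", "good") == 0,
           verify_goto_fail_fixed("bad", "good") == 0);
    printf("unparseable non-CA cert accepted as issuer? buggy=%d fixed=%d\n",
           issuer_accepted(check_if_ca_buggy, 1, 0),
           issuer_accepted(check_if_ca_fixed, 1, 0));
    return 0;
}
```

Compiled and run, the buggy signature check returns 0 (success) for a mismatched signature, and the buggy CA predicate returns -22 for an unparseable certificate, which the `!= 0` caller accepts. gcc's `-Wmisleading-indentation` (part of `-Wall` since gcc 6) flags the duplicated goto; the second shape produces no warning at all, which is the practical reason to keep boolean results and negative error codes in separate variables or separate return types.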
msm1267 writes "Exploits bypassing Microsoft’s Enhanced Mitigation Experience Toolkit, or EMET, are quickly becoming a parlor game for security researchers. With increasing frequency, white hats are poking holes in EMET, and to its credit, Microsoft has been quick to not only address those issues but challenge and reward researchers who successfully submit bypasses to its bounty program.
The tide may be turning, however, if the latest Internet Explorer zero day is any indication. An exploit used as part of the Operation SnowMan espionage campaign against U.S. military targets contained a feature that checked whether an EMET library was running on the compromised host, and if so, the attack would not execute.
That’s not the same as an in-the-wild exploit for EMET, but that may not be too far down the road, especially when you take into consideration two important factors: Microsoft continues to market EMET as an effective and temporary zero-day mitigation until a patch is released; and the impending end-of-life of Windows XP in three days could spark a surge in EMET installations as a stopgap."
msm1267 writes "Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott is scheduled to deliver a presentation this morning at the Security BSides conference explaining how the company’s researchers were able to bypass all of the memory protections offered within the free Windows toolkit.
The work is significant given that Microsoft has been quick to urge customers to install and run EMET as a temporary mitigation against zero-day exploits targeting memory vulnerabilities in Windows or Internet Explorer.
The exploit bypasses all of EMET’s mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool. Researchers took a real-world IE exploit and tweaked it until they had a complete bypass of EMET's ROP, heap spray, SEHOP, ASLR and DEP mitigations."
msm1267 writes "Phony Bitcoin ticker apps hosted on popular sites Download.com and MacUpdate.com are fronts for the OSX/CoinThief Trojan, which was built to steal Bitcoin wallet credentials and keys, and to date has drained a small number of accounts.New variants of the Trojan targeting Mac OS X users were found on the sites and also include a browser extension for Firefox. Previous versions of CoinThief spread through a GitHub page that has since been taken down and included extensions for Safari and Google Chrome only."Link to Original Source
Gunkerty Jeb writes "A group of high-level, nation-state attackers has been targeting government agencies, embassies, diplomatic offices and energy companies with a cyber-espionage campaign for more than five years that researchers say is the most sophisticated APT operation they’ve seen to date. The attack, dubbed the Mask, includes a number of unique components and functionality and the group behind it has been stealing sensitive data such as encryption and SSH keys and wiping and deleting other data on targeted machines."
msm1267 writes "Exploits for a newly reported zero-day vulnerability in Adobe’s Flash Player drop a password-grabbing Trojan that targets the email and social media accounts of users and organizations in China, researchers at Kaspersky Lab said today.
The attacks appear to be an isolated campaign and there is no connection between these exploits and a new advanced espionage campaign called The Mask that Kaspersky researchers are expected to unveil next week at the company’s Security Analyst Summit."
The technique makes it highly unlikely a virus scanner would catch it because the injection method is so deeply engrained in the image’s metadata."
msm1267 writes "Researchers are ready to unveil Honey Encryption, an encryption system that pulls a bit of deception against hackers who have stolen encrypted data. The tool produces a ciphertext, which, for every wrong guess a hacker tries presents a plausible-looking yet incorrect plaintext password or encryption key. With traditional encryption, an attacker making an incorrect guess gets gibberish in return to their request. With Honey Encryption, the hacker gets something that looks like real context. An attacker would have no way of knowing which plausible-looking value is the correct one."Link to Original Source
msm1267 writes "A malicious Java application that infects Windows, Mac and Linux machines for the purpose of building a DDoS botnet has been discovered. The botnet communicates over IRC and can carry out distributed denial of service attacks using either HTTP or UDP flood attacks. Researchers said today that the malicious Java application exploits a patched Java vulnerability,"Link to Original Source
msm1267 writes "Hasbro[.]com, a leading toy and game distributor in the United States, is infected and serving malware to visitors of the site. Researchers at Barracuda Networks said the site remained infected and Hasbro has not responded to an email from the security firm disclosing the issue.
The Java-based attack is similar to one conducted against popular humor website cracked[.]com, which was found in November to also be hosting a drive-by download attack, and as of two weeks ago, was again serving up malware in drive-by attacks.
Like Cracked, Hasbro is a popular website that, based on traffic analysis from Alexa.com from 2013, gets upwards of 215,000 daily visitors. Barracuda estimates that given current Java installations and patching levels, the site could potentially be infecting up to 20,000 visitors a day. While the Cracked and Hasbro attacks don’t seem to be related, Barracuda research scientist Daniel Peck said, the possibility exists that these compromises are recruiting zombie endpoints for a botnet."
msm1267 writes "A class of SCADA vulnerabilities discussed at a recent conference is getting attention not only for the risks they pose to master control systems at electric utilities, but also for illuminating a dangerous gap in important critical infrastructure regulations."Link to Original Source
msm1267 writes "A new spambot has been discovered that generates copious amounts of network traffic in an attempt to disguise what it’s really up to and throw off the scent of detection capabilities. The spambot, identified as Wigon.PH_44, is being served on compromised websites hosted on the WordPress platform. To date, there are up to 200 sites serving the malicious executable and there have been 15,000 hits in the wild on the malware signature, most of those in the United States."Link to Original Source
msm1267 writes "The Icefog cyberespionage malware campaign uncovered last September was originally thought to be limited to the military supply chain, primarily in Japan and South Korea. But new details emerged today that a Java-based version of the malware exists and infected three US-based oil and gas companies. All three have been notified; two have removed the infections so far."Link to Original Source