Submission + - The White House's Zero Day Sleight of Hand

Trailrunner7 writes: The White House wants you to know that it did not know about the OpenSSL Heartbleed vulnerability before you did. The White House also wants you to know that administration officials don’t think stockpiling zero days is necessarily good for national security. That’s all well and good, except that it mostly doesn’t matter.

“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run.”

Here’s the problem, though: The government doesn’t necessarily need to stockpile zero days, because it has a cadre of contractors doing that job in its stead. One of the conundrums of vulnerability research is that there’s no way to know whether the bug you just discovered is in fact new. The population of skilled researchers around the world is sufficiently large that it’s possible, if not probable, that someone else has found the same bug and is already using it. It’s tempting to think that you’ve discovered a special snowflake, but there’s a good chance someone on the other side of the Web has found the same snowflake. So the fact that the White House has a “disciplined, rigorous and high-level decision-making process for vulnerability disclosure” sounds nice, but it’s not enough.

Submission + - Apple Fixes Serious SSL Issue in OS X, iOS (threatpost.com)

msm1267 writes: Apple has fixed a serious security flaw that’s present in many versions of both iOS and OS X and could allow an attacker to intercept data on SSL connections. The bug is one of many that the company fixed Tuesday in its two main operating systems, and several of the other vulnerabilities have serious consequences as well, including the ability to bypass memory protections and run arbitrary code.

The most severe of the vulnerabilities patched in iOS 7.1.1 and OS X Mountain Lion and Mavericks is an issue with the Secure Transport component of the operating systems. If an attacker was in a man-in-the-middle position on a user’s network, he might be able to intercept supposedly secure traffic or change the connection’s properties.

Submission + - Tor Blacklisting Exit Nodes Vulnerable to Heartbleed (threatpost.com)

msm1267 writes: The Tor Project has published a list of 380 exit relays vulnerable to the Heartbleed OpenSSL vulnerability that it will reject. This comes on the heels of news that researcher Collin Mulliner of Northeastern University in Boston found more than 1,000 nodes vulnerable to Heartbleed from which he was able to retrieve plaintext user traffic.

Mulliner said he used a random list of 5,000 Tor nodes from the Dan.me.uk website for his research; of the 1,045 vulnerable nodes he discovered, he recovered plaintext traffic that included Tor plaintext announcements, but a significant number of nodes leaked user traffic in the clear.

Submission + - Phase 1 of TrueCrypt Audit Turns up No Backdoors (threatpost.com)

msm1267 writes: An initial audit of the popular open source encryption software TrueCrypt turned up fewer than a dozen vulnerabilities, none of which so far point toward a backdoor surreptitiously inserted into the codebase.

A report on the first phase of the audit was released today by iSEC Partners, which was contracted by the Open Crypto Audit Project (OCAP), a grassroots effort that not only conducted a successful fundraising effort to initiate the audit, but raised important questions about the integrity of the software.

The first phase of the audit focused on the TrueCrypt bootloader and Windows kernel driver; architecture and code reviews were performed, as well as penetration tests including fuzzing interfaces, said Kenneth White, senior security engineer at Social & Scientific Systems. The second phase of the audit will look at whether the various encryption cipher suites, random number generators and critical key algorithms have been implemented correctly.

Submission + - Facebook Bug Bounty Submissions Way Up (threatpost.com)

An anonymous reader writes: Facebook today reported a dramatic increase in 2013 submissions to its bug bounty program, and said that despite reports from researchers that it’s becoming difficult to find severe bugs on its various properties, the social network plans to increase rewards for critical bugs.

“The volume of high-severity issues is down, and we’re hearing from researchers that it’s tougher to find good bugs,” Facebook security engineer Collin Greene said. “To encourage the best research in the most valuable areas, we’re going to continue increasing our reward amounts for high priority issues.”

Greene said Facebook paid out $1.5 million in bounties last year, rewarding more than 330 researchers at an average payout of $2,204. Submissions, however, skyrocketed 246 percent over 2012 to 14,763, he said. Most of those, however, were not eligible for a bounty; only six percent were rated high severity.

Submission + - Why bloggers should pitch their stories to themselves (blogswithoutblah.com)

An anonymous reader writes: Professional journalists spend many years practising how to 'pitch' articles to editors. In this blog, pro journalist Mike Peake, founder of BlogsWithoutBlah.com, suggests that bloggers pitch to themselves before posting in order to see how a story stacks up.

Submission + - Brendan Eich Steps Down as Mozilla CEO (mozilla.org)

matafagafo writes: The Mozilla Blog says:

“Brendan Eich has chosen to step down from his role as CEO. He’s made this decision for Mozilla and our community.

Mozilla believes both in equality and freedom of speech. Equality is necessary for meaningful speech. And you need free speech to fight for equality. Figuring out how to stand for both at the same time can be hard...”

Submission + - One Billion Android Devices Open to Privilege Escalation (threatpost.com)

msm1267 writes: The first deep look into the security of the Android patch installation process, specifically its Package Management Service (PMS), has revealed a weakness that puts potentially every Android device at risk for privilege escalation attacks.

Researchers from Indiana University and Microsoft published a paper that describes a new set of Android vulnerabilities they call Pileup flaws, and also introduces a new scanner called SecUP that detects malicious apps already on a device lying in wait for elevated privileges.
The vulnerability occurs in the way PMS handles updates to the myriad flavors of Android in circulation today. The researchers say PMS improperly vets apps on lower versions of Android that request OS or app privileges that may not exist on the older Android version, but are granted automatically once the system is updated.

The researchers said they found a half-dozen different Pileup flaws within Android’s Package Management Service, and confirmed those vulnerabilities are present in all Android Open Source Project versions and more than 3,500 customized versions of Android developed by handset makers and carriers; more than one billion Android devices are likely impacted, they said.

Submission + - Wide Gap Between Attackers, BIOS Forensics Research (threatpost.com)

msm1267 writes: Advanced attackers who target BIOS and firmware with bootkits and other malware have a decided edge on security research and defense in this discipline. These attacks are dangerous because they enable persistence on a PC or server that is difficult to repair without bricking a machine. Researchers at MITRE and chip companies, however, are trying to reverse that trend with research into vulnerabilities in hardware and firmware as well as developing tools that help analyze problems present in BIOS.

Submission + - CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk (threatpost.com)

msm1267 writes: A presenter at this week’s CanSecWest security conference has withdrawn his scheduled talk for fear the information could be used to attack critical infrastructure worldwide.

Eric Filiol, scientific director of the Operational Cryptology and Virology lab and CTO/CSO of ESIEA in France, pulled his talk on Sunday, informing organizer Dragos Ruiu via email. Filiol, a 22-year military veteran with a background in intelligence and computer security, said he has been studying the reality of cyberwar for four months and came to the decision after discussions with his superiors in the French government.

Filiol said he submitted the presentation, entitled “Hacking 9/11: The next is likely to be even bigger with an ounce of cyber,” to CanSecWest three months ago, before his research was complete. Since his lab is under supervision of the French government, he was required to review his findings with authorities.

“They told me that this presentation was unsuitable for being public,” Filiol said in an email. “It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries).”

Submission + - HTTPS Traffic Attacks Leak Sensitive Surfing Details (threatpost.com)

msm1267 writes: Researchers have built new attack techniques against HTTPS traffic that have been effective in learning details on users' surfing habits, leaking sensitive data that could impact privacy.

They tested against 600 leading healthcare, finance, legal services and streaming video sites, including Netflix. Their attack, they said in a research paper, reduced errors from previous methodologies more than 3 ½ times. They also demonstrate a defense against this attack that reduces the accuracy of attacks by 27 percent by increasing the effectiveness of packet level defenses in HTTPS, the paper said.

“We design our attack to distinguish minor variations in HTTPS traffic from significant variations which indicate distinct traffic contents,” the paper said. “Minor traffic variations may be caused by caching, dynamically generated content, or user-specific content including cookies. Our attack applies clustering techniques to identify patterns in traffic.”

Submission + - GnuTLS Goto Bug is Not Same as Apple Goto Fail (threatpost.com)

msm1267 writes: The similarities between the GnuTLS bug and Apple’s goto fail bug begin and end at their respective failure to verify TLS and SSL certificates. Otherwise, they’re neither siblings nor distant cousins.

The GnuTLS bug is very different, though like Apple’s infamous goto fail error, it will also treat bogus digital certificates as valid.

“This one was more of a dumb coding mistake, whereas Apple could have been a cut-and-paste error. It looks like [GnuTLS] failed to cast a return variable correctly. C is hard,” said cryptographer Matthew Green of Johns Hopkins University.

While the goto command appears in the buggy code in both vulnerabilities, the GnuTLS bug veers off in a different direction. Goto fail, for example, is a standard C paradigm for error handling. Goto, in this case, is being used correctly, said Melissa Elliott, a security researcher with Veracode. The problem, she said, is related to variable typing and an improper mixing of error codes that led to this mess.

Submission + - Hackers Paying Attention to Microsoft EMET Bypasses (threatpost.com)

msm1267 writes: Exploits bypassing Microsoft’s Enhanced Mitigation Experience Toolkit, or EMET, are quickly becoming a parlor game for security researchers. With increasing frequency, white hats are poking holes in EMET, and to its credit, Microsoft has been quick to not only address those issues but challenge and reward researchers who successfully submit bypasses to its bounty program.

The tide may be turning, however, if the latest Internet Explorer zero day is any indication. An exploit used as part of the Operation SnowMan espionage campaign against U.S. military targets contained a feature that checked whether an EMET library was running on the compromised host, and if so, the attack would not execute.

That’s not the same as an in-the-wild exploit for EMET, but that may not be too far down the road, especially when you take into consideration two important factors: Microsoft continues to market EMET as an effective and temporary zero-day mitigation until a patch is released; and the impending end-of-life of Windows XP in three days could spark a surge in EMET installations as a stopgap.

Submission + - Complete Microsoft EMET Bypass Developed (threatpost.com)

msm1267 writes: Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott is scheduled to deliver a presentation this morning at the Security BSides conference explaining how the company’s researchers were able to bypass all of the memory protections offered within the free Windows toolkit.

The work is significant given that Microsoft has been quick to urge customers to install and run EMET as a temporary mitigation against zero-day exploits targeting memory vulnerabilities in Windows or Internet Explorer.

The exploit bypasses all of EMET’s mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool. Researchers took a real-world IE exploit and tweaked it until they had a complete bypass of EMET's ROP, heap spray, SEHOP, ASLR and DEP mitigations.

Submission + - Bitcoin Trojan Found on Popular Download Sites (threatpost.com)

msm1267 writes: Phony Bitcoin ticker apps hosted on popular sites Download.com and MacUpdate.com are fronts for the OSX/CoinThief Trojan, which was built to steal Bitcoin wallet credentials and keys, and to date has drained a small number of accounts. New variants of the Trojan targeting Mac OS X users were found on the sites and also include a browser extension for Firefox. Previous versions of CoinThief spread through a GitHub page that has since been taken down and included extensions for Safari and Google Chrome only.
