msm1267 writes: Linux providers are busy developing and pushing out patches for a vulnerability in an obscure networking protocol that could allow a local attacker to crash the kernel and elevate privileges.
Google software engineer Andrey Konovalov privately disclosed the vulnerability on Monday. The use-after-free bug could expose Linux servers to memory-based attacks that would allow an attacker to gain root-level privileges and execute code. Konovalov said he will give admins a few days to patch before publishing his proof-of-concept exploit.
The vulnerability, CVE-2017-6074, affects only the IPv6 implementation of the Linux kernel’s Datagram Congestion Control Protocol (DCCP). DCCP is used to manage network traffic congestion on the application layer; it works on both IPv4 and IPv6. No known exploits are in the wild for this bug. In fact, DCCP is largely turned off in most Linux implementations; Red Hat said it combed years’ worth of customer support cases and was unable to find any reports of customers having turned it on.
The Linux kernel has been patched, while Linux providers are rolling out patches for their various implementations.
ad454 writes: Today, 10 years after SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. This represents the culmination of two years of research that sprung from a collaboration between the CWI Institute in Amsterdam and Google. We've summarized how we went about generating a collision below. As a proof of the attack, we are releasing two PDFs that have identical SHA-1 hashes but different content.
msm1267 writes: Recent attacks against insecure MongoDB, Hadoop and CouchDB installations represent a new phase in online extortion, born from ransomware’s roots with the promise of becoming a nemesis for years to come.
“These types of attacks have grown from ones of opportunity to full-scale automated and systematic assaults targeting misconfigured servers containing sensitive data that can be easily hijacked,” said Zohar Alon, co-founder and CEO, security firm Dome9.
Security researchers at Rapid7 estimate that 50 percent of the 56,000 vulnerable MongoDB servers have been ransomed. When it comes to similar misconfigured databases, 58 percent of the 18,000 vulnerable Elasticsearch servers have been ransomed, and of the 4,500 vulnerable CouchDB servers, 10 percent have been ransomed.
“It’s about the path of least resistance for hackers interested in the biggest potential reward,” said Bob Rudis, chief data security officer at Rapid7. “Hackers have decided it’s easier to end-run an enterprise’s multi-million dollar security system and instead simply target an open server.”
msm1267 writes: Macro-based malware has crossed the divide between the Windows and Mac platforms.
A cybercrime group whose command and control infrastructure resolves to an IP address geo-located in Russia is using a Word document laced with a malicious macro that executes solely on macOS.
Following the same script as similar Windows-based attacks, the attached documents have a luring subject line, in this case: “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm.” Once a user tries to open the attachment, they’re presented with a familiar dialogue box instructing them that macros must be enabled to view the document. If the macro is enabled, it executes its payload which then tries to download the open source EmPyre post-exploitation agent.
msm1267 writes: Microsoft will not rush out an emergency patch for a zero-day vulnerability disclosed on Wednesday in the Windows implementation of the Server Message Block protocol.
Researcher Laurent Gaffie found a zero-day vulnerability in SMBv3 and released a proof-of-concept exploit. He privately disclosed the issue to Microsoft on Sept. 25 and said that Microsoft told him it had a patch ready for its December patch release, but decided to wait until its scheduled February update to release several SMB patches rather than a single fix in December. Microsoft considers the vulnerability, a remotely triggered denial-of-service bug, low risk.
"Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is that on issues of low risk, we remediate that risk via our current Update Tuesday schedule," a Microsoft spokesperson said in an email statement. The next scheduled Microsoft update is Feb. 14.
Gaffie said the vulnerability is specifically a null pointer dereference in SMB and it affects Windows Server 2012 and 2016. He added that a joint analysis between himself and Microsoft concluded that code execution doesn’t seem possible through an exploit of this vulnerability.
Google responded on Wednesday with news that it would begin blocking .js files in Gmail attachments, starting Feb. 13, because of such security concerns.
“Similar to other restricted file attachments, you will not be able to attach a .js file and an in-product warning will appear, explaining the reason why,” Google said.
Google already blocks more than 30 file types as attachments in Gmail, including .cmd, .exe, .jar, .lib, .scr, .vbs and many others.
Google acknowledges that there may be business cases necessitating the sharing of .js files, but will not allow it in email and instead suggests sharing via Google Drive or other cloud-based storage options.
The Feb. 13 start date will be rapid release only, Google said, with a scheduled release set for two weeks later.
msm1267 writes: A sizable and dormant Twitter botnet has been uncovered by two researchers from University College London, who expressed concern about the possible risks should the botmaster decide to awaken the accounts under his control.
Research student Juan Echeverria Guzman and his supervisor and senior lecturer at the college Shi Zhou said the 350,000 bots in the Star Wars botnet could be used to spread spam or malicious links, and also, more in line with today’s social media climate, it could start phony trending topics, attempt to influence public opinion, or start campaigns that purport a false sense of agreement among Twitter users.
Compounding the issue is a larger botnet of more than a half-million bots that the researchers have uncovered since their initial research. That research, the two academics said, will be shared in a future paper. In the meantime, the Star Wars botnet dataset is available for study; the researchers said the data is tens of times larger than any public collection on Twitter bots.
The researchers also said they have not shared their data with Twitter yet because they are waiting for their current research to be approved in a scientific journal.
“We would also like to give researchers a chance to get the dataset by themselves before they are gone, this is why we have not reported to Twitter directly, but we will as soon as the paper gets accepted,” Echeverria Guzman said.
msm1267 writes: GoDaddy has revoked, and begun the process of re-issuing, new SSL certificates for more than 6,000 customers after a bug was discovered in the registrar’s domain validation process.
The bug was introduced July 29 and impacted fewer than two percent of the certificates GoDaddy issued from that date through yesterday, said vice president and general manager of security products Wayne Thayer.
“GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process,” Thayer said in a statement. “The bug caused the domain validation process to fail in certain circumstances.”
GoDaddy said it was not aware of any compromises related to the bug.
msm1267 writes: Burlington Electric Department general manager Neale Lunderville explains how his Vermont electric distribution utility was dragged into the center of a potential geopolitical nightmare shortly before the start of the New Year weekend.
Lunderville recaps the three days that thrust Burlington Electric into the national spotlight after the Washington Post wrongly reported that the utility was penetrated by Russian hackers.
Those reports came on the heels of a DHS alert on Grizzly Steppe, activities by two Russian APT groups alleged to have hacked the DNC. Lunderville also covers how benign indicators of compromise shared by DHS played a role in a long, disruptive weekend for his organization.
msm1267 writes: Last week Box.com moved quickly and quietly to block search engines from indexing links to confidential data owned by its users. That was after security researcher Markus Neis surfaced private data belonging to a number of Fortune 500 companies via Google, Bing and other search engines. Box.com said it’s a classic case of users accidentally oversharing. Neis isn’t convinced and says Box.com’s so-called Collaboration links shouldn’t have been indexed in the first place. Box.com has since blocked access to what security researchers say was a treasure trove of confidential data and fodder for phishing scams.
Given that the firmware is customizable and used by dozens of airlines in hundreds of aircraft models, the researchers said it’s almost impossible to determine whether the vulnerabilities no longer exist across the board.
IOActive said that segmentation between aircraft control and information services that oversee avionics and operational control of a plane should isolate these vulnerabilities to passenger entertainment domains. Whether an attacker could cross those domains and affect critical avionics systems would depend on specific devices and configurations, IOActive said, given that a physical path could exist that connects those systems through satellite communications terminals that provide in-flight updates to critical systems. The concern is whether, in some configurations, IFEs would share access to these devices and provide the physical path an attacker would need to reach critical systems.
As for the vulnerabilities in passenger systems, IOActive said there is a lack of authentication and encryption between an on-board server and clients at passenger seats. This could allow an attacker on board to send commands to the IFE system to manipulate what's displayed to passengers, or read payment card data swiped at seats.
msm1267 writes: The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It’s a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and some repositories taking a hands-off approach with the code they host.
This scenario allows attackers to target one overlooked component flaw used in millions of applications instead of focusing on a single application security vulnerability. The real-world consequences have been demonstrated in the past few years with the Heartbleed vulnerability in OpenSSL, Shellshock in GNU Bash, and a deserialization vulnerability exploited in a recent high-profile attack against the San Francisco Municipal Transportation Agency. These are three instances where developers reuse libraries and frameworks that contain unpatched flaws in production applications.
According to security experts, the problem is two-fold. On one hand, developers use reliable code that at a later date is found to have a vulnerability. On the other, insecure code is used by a developer who doesn’t exercise due diligence on the software libraries used in their project.
msm1267 writes: A team of New York University students architected a permissioned blockchain system called Votebook that could be applied to secure electronic voting. Their solution was the winning entry of the Cybersecurity Case Study Competition sponsored by Kaspersky Lab and The Economist.
Their system avoids the burden of wholesale changes to the voting process; votes would still be cast on touchscreens and the process of securing it happens seamlessly in the background. Unlike the Bitcoin implementation of blockchain which is trustless and open to anyone, using blockchain to secure an election requires trust and parameters limiting voting to local or national jurisdictions. To insert that trust into their system, the NYU team places that responsibility with a central authority and allows it to administer the blockchain.
The NYU team describes how with Votebook, the nodes must have prior permission from the central authority to make changes to the blockchain ledger. Each voting machine will generate a private and public key pair and send its public key to an election commission, which will compile the public keys into a table and redistribute that table to all voting machines. Once votes are collected, they are organized into a block and proposed to the network.
Details on the vulnerability were published Tuesday by researcher Philip Pettersson, who said the vulnerable code was introduced in August 2011. A patch was pushed to the mainline Linux kernel Dec. 2, four days after it was privately disclosed. Pettersson has developed a proof-of-concept exploit specifically for Ubuntu distributions, but told Threatpost his attack could be ported to other distros with some changes.
The vulnerability is a race condition that was discovered in the af_packet implementation in the Linux kernel, and Pettersson said that a local attacker could exploit the bug to gain kernel code execution from unprivileged processes. He said the bug cannot be exploited remotely.