
Submission + - New SWEET32 Crypto Attacks Speed Up Deprecation of 3DES, Blowfish (threatpost.com)

msm1267 writes: New attacks revealed today against 64-bit block ciphers push cryptographic ciphers such as Triple-DES (3DES) and Blowfish closer to extinction.

The attacks, known as SWEET32, allow for the recovery of authentication cookies from HTTPS traffic protected by 3DES, and BasicAUTH credentials from OpenVPN traffic protected by default by Blowfish.

In response, OpenSSL is expected tomorrow to remove 3DES from its default build in 1.1.0, and lower its designation from High to Medium in 1.0.2 and 1.0.1. OpenVPN, meanwhile, is expected to release a new version this week as well with a warning about Blowfish and new configuration advice protecting against the SWEET32 attacks.

The researchers behind SWEET32 said this is a practical attack because collisions begin after a relatively short amount of data is introduced. By luring a victim to a malicious site, the attacker can inject JavaScript into the browser that forces the victim to connect over and over to a site they're authenticated to. The attacker can then collect enough of that traffic--from a connection that is kept alive for a long period of time--to recover the session cookie.

Submission + - Windows UAC Bypass Permits Code Execution (threatpost.com)

msm1267 writes: A Windows UAC bypass has been publicly disclosed that not only bypasses the security feature meant to prevent unauthorized installs, but can be used to run code on compromised machines without leaving a trace on the hard disk.

The bypass relies on Event Viewer (eventvwr.exe), a native Windows feature used to view event logs locally or remotely. Researcher Matt Nelson said he figured out a way to use eventvwr to hijack a registry process, start PowerShell and execute commands on Windows machines; he collaborated with fellow researcher Matt Graeber on a proof-of-concept exploit, which was tested against Windows 7 and 10. A report published today by Nelson said it would work against any version of the OS that implements UAC.

An attacker would already need to be on the machine to use this technique, Nelson said. The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action via the UAC pop-up.

Microsoft, the researcher said, does not consider UAC bypasses a security boundary worthy of a bulletin and patch. It's unclear how Microsoft will address this issue.

Submission + - Bluetooth Hack Leaves Many Smart Locks, IoT Devices Vulnerable (threatpost.com)

msm1267 writes: A growing number of Bluetooth devices used for keyless entry and mobile point-of-sale systems are vulnerable to man-in-the-middle attacks.

The problem is traced back to devices that use the Bluetooth Low Energy (BLE) feature for access control. Researchers last week at Black Hat said too often companies do not correctly implement the bonding and encryption protections offered in the standard.

This shortcoming could allow attackers to clone BLE devices and gain unauthorized access to a physical asset when a smartphone is used as a device controller.

Submission + - Misuse of Language: 'Cyber' (threatpost.com)

msm1267 writes: The terms “cyber war” and “cyber weapon” are thrown around casually, often with little thought to their non-“cyber” analogs. Many who use the terms “cyber war” and “cyber weapon” relate these terms to “attack,” framing the conversation in terms of acceptable responses to “attack” (namely, “strike-back,” “hack-back,” or an extreme interpretation of the vague term “active defense”).

In this op-ed, information security experts Dave Dittrich and Katherine Carpenter discuss two problematic issues: first, we illustrate the misuse of the terms “cyber war” and “cyber weapon,” to raise awareness of the potential dangers that aggressive language brings to the public and the security community; and second, we address the reality that could exist when private citizens (and/or corporations) want to act aggressively against sovereign nations and the undesirable results those actions could produce.

Dittrich and Carpenter discuss these topics through the lens of the recent furor around the cyber incident at the Democratic National Committee.

Submission + - Advanced Espionage Hacking Platform on Par with Flame, Duqu (threatpost.com)

msm1267 writes: A state-sponsored APT platform on par with Equation, Flame and Duqu has been used since 2011 to spy on government agencies and other critical industries.

Known as ProjectSauron, or Strider, the platform has all the earmarks of advanced attackers who covet stealth, and rely on a mix of zero-day exploits and refined coding to exfiltrate sensitive data, even from air-gapped machines.

Researchers at Kaspersky Lab and Symantec today published separate reports on ProjectSauron, and said large-scale attacks have targeted government agencies, telecommunications firms, financial organizations, military and research centers in Russia, Iran, Rwanda, China, Sweden, Belgium and Italy. Campaigns were still active this year, said researchers at Kaspersky Lab.

While researchers still do not know how the attackers are infiltrating these critical networks, much of their activity on compromised networks has been uncovered.

The attack platform, for example, is a modular framework called Remsec that once deployed allows for lateral movement, data theft and the injection of more attack code. To complicate detection and attribution, the attackers customize artifacts used in campaigns to each target, making them less useful as indicators of compromise, Kaspersky Lab said.

Submission + - Apple Announces Bug Bounty At Black Hat (threatpost.com)

msm1267 writes: Apple closed out Black Hat today with a long-awaited announcement that next month it will launch a bug bounty.

The Apple Security Bounty will be an invitation-only program, open to two dozen researchers at the outset, said Ivan Krstic, head of security engineering and architecture. The maximum payout is $200,000 and five classes of bugs in iOS and iCloud are in scope.

Apple said the maximum reward will be $200,000 for vulnerabilities and proof-of-concept code in secure boot firmware components. It will also pay $100,000 for the extraction of confidential material protected by its Secure Enclave Processor, $50,000 for code execution flaws with kernel privileges or unauthorized access to iCloud account data on Apple servers, and $25,000 for access from a sandboxed process to user data outside that sandbox.

Submission + - Vulnerability Allows Hackers to Snoop on Wireless Keyboards (threatpost.com)

msm1267 writes: Wireless keyboards made by eight different companies suffer from a vulnerability that can allow attackers to eavesdrop on keystrokes from up to 250 feet away, researchers warned Tuesday.

If exploited, the vulnerability, dubbed KeySniffer, could let an attacker glean passwords, credit card numbers, security questions and answers – essentially anything typed on a keyboard, in clear text.

Keyboards manufactured by Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec are affected, according to Marc Newlin, a researcher with Bastille Networks who discovered the vulnerability.

Bastille gave the manufacturers of the keyboards 90 days to address the vulnerability, but most vendors failed to respond to their findings. Newlin said only Jasco Products, a company that manufactures the affected keyboard (GE 98614) for General Electric, responded and claimed it no longer manufactures wireless devices, like keyboards. As there doesn’t appear to be a way to actually fix the vulnerability, it’s likely the companies will eventually consider the devices end of life.

Submission + - Generic Ransomware Detection System Built for Windows (threatpost.com)

msm1267 writes: A team of researchers from the University of Florida and Villanova University have built a generic ransomware detection utility for Windows machines, one that focuses on how ransomware transforms data rather than the execution of malicious code.

Their utility is called CryptoDrop, and in a test against nearly 500 real-world ransomware samples from 14 distinct families, it detected 100 percent of attacks with relatively little file loss (a median loss of 10 files).

The tool is described in a paper called “CryptoLock (and Drop it): Stopping Ransomware Attacks on User Data,” written by Nolen Scaife, Patrick Traynor, Kevin R. B. Butler of the University of Florida, and Henry Carter of Villanova University.

“Our system (built only for Windows) is the first ransomware detection system that monitors user data for changes that may indicate transformation rather than attempting to identify ransomware by inspecting its execution (e.g., API call monitoring) or contents,” the researchers wrote. “This allows CryptoDrop to detect suspicious activity regardless of the delivery mechanism or previous benign activity.”

Submission + - xDedic Resurfaces on Tor Domain (threatpost.com)

msm1267 writes: The defunct xDedic marketplace has resurfaced again, this time on a Tor network domain.

The marketplace provides a platform for the buying and selling of hacked servers. Its original open web domain, xdedic[,]biz, disappeared shortly after a June 16 Kaspersky Lab report on its activities, users and business.

The original market had upwards of 70,000 hacked servers for sale from more than 400 unique sellers. It's unknown how much inventory is being peddled on the new site, which was uncovered by researchers at Digital Shadows, who found a post on a Russian and French criminal forum pointing to a Tor domain as the new home of xDedic.

The new site has the same look and feel as the old one, but Digital Shadows said accounts had not transferred over, and that there is now a $50 USD enrollment fee to join the new market.

Submission + - Google Updates CA Trust Mechanisms in Android Nougat (threatpost.com)

msm1267 writes: Google last week announced changes in the way it will handle trusted Certificate Authorities in Nougat, the latest version of the Android operating system. The changes are expected to cut into the likelihood of a successful man-in-the-middle attack, or a device falling victim to an attacker-supplied custom certificate. This also takes a bit of pressure off mobile app developers who may inadvertently introduce trouble by turning off TLS certificate verification, for example.

Chad Brubaker of the Android Security Team said Google has always allowed developers to customize which CAs are trusted by apps, but mistakes happen and Google believes that complex Java TLS APIs are to blame, thus the update to simplify how developers can customize trust.

Google has also implemented another change in which apps at API Level 24 will no longer honor user- and admin-supplied CAs unless the developer opts-in. “This safe-by-default setting reduces application attack surface and encourages consistent handling of network- and file-based application data,” Brubaker wrote. The final noteworthy change allows developers to specify how apps trust CAs, for example, trusting only connections to certain domains as needed.

Submission + - Android KeyStore Encryption Scheme Broken (threatpost.com)

msm1267 writes: The default implementation for KeyStore, the system in Android designed to store user credentials and cryptographic keys, is broken, researchers say.

In an academic paper published this week, researchers argue that the particular encryption scheme that KeyStore uses fails to protect the integrity of keys and could be exploited to allow an attacker to modify stored keys through a forgery attack.

KeyStore, which performs key-specific actions through the OpenSSL library, allows Android apps to store and generate their own cryptographic keys. By storing keys in a container, KeyStore makes it more difficult to remove them from the device.

Mohamed Sabt and Jacques Traoré, two researchers with the French telecom Orange Labs, claim the scheme associated with the system is "non-provably secure," and could have "severe consequences."

The two point out in their paper "Breaking Into the KeyStore: A Practical Forgery Attack Against Android KeyStore" that it's the hash-then-encrypt (HtE) authenticated encryption (AE) scheme in cipher block chaining (CBC) mode in KeyStore that fails to guarantee the integrity of keys.

Submission + - Unpatched Swagger Vulnerabilities Lead to Arbitrary Code Injection (threatpost.com)

msm1267 writes: A serious parameter injection vulnerability exists in the Swagger Code Generator that could allow an attacker to embed executable code in a Swagger JSON file. The flaw affects NodeJS, Ruby, PHP, Java and likely other programming languages.

Researchers at Rapid7 who found the flaw disclosed details today, as well as a Metasploit module and a proposed patch for the specification. The matter was privately disclosed in April, but Rapid7 said it never heard a response from Swagger's maintainers.

Swagger produces and consumes RESTful web services APIs; Swagger docs can be consumed to automatically generate client-server code. As of Jan. 1, the Swagger specification was donated to the Open API Initiative and became the foundation for the OpenAPI Specification.

The vulnerability lies in the Swagger Code Generator, and specifically in that parsers for Swagger documents (written in JSON) don't properly sanitize input. Therefore, an attacker can abuse a developer's trust in Swagger to include executable code that will run once it's in the development environment.

Submission + - ScarCruft APT Putting Latest Flash 0Day to Use (threatpost.com)

msm1267 writes: An APT group known as ScarCruft has used a zero-day vulnerability patched this week by Adobe in targeted attacks against more than two dozen high-profile targets in Russia and Asia.

The attackers gained a foothold on a number of government and technology networks using spear-phishing emails that link to a site compromised by an exploit kit. Malicious code is loaded on the machine that exploits the Flash vulnerability and also includes a technique designed to bypass antivirus detection by abusing the Windows DDE feature.

ScarCruft is a relatively new APT group and has a number of ongoing campaigns, researchers at Kaspersky Lab said, adding they believe that ScarCruft was also in possession of a Windows zero-day that was patched by Microsoft in April.

Submission + - Autocorrect Passwords Without Compromising Security (threatpost.com)

msm1267 writes: Intuitively, auto-correcting passwords would seem to be a terrible idea, and the worst security-for-convenience tradeoff in technology history.

But a team of academics from Cornell University, MIT and a Dropbox security engineer say that the degradation of security from the introduction of such an authentication mechanism is negligible.

The team—Rahul Chatterjee, Ari Juels and Thomas Ristenpart of Cornell University, Anish Athalye of MIT, and Devdatta Akhawe of Dropbox—presented their findings in a paper called “pASSWORD tYPOS and How to Correct Them Securely” at the recent IEEE Symposium on Security and Privacy. The paper describes a framework for what the team calls typo-tolerant passwords that significantly enhances usability without compromising security.

The paper focuses on three common types of password errors that users make while typing: engaging caps lock; inadvertently capitalizing the first letter of a password; or adding or omitting characters to the beginning or end of a password.

By instituting an autocorrect scheme, the researchers said in their paper that they could reduce common mistakes and user frustrations with logins.
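The three error classes described above, implemented as a typo-tolerant check against a stored password hash. This is an added illustration, not code from the paper or from Dropbox; the corrector names, the PBKDF2 parameters and the sample password are my own choices, and the "omitted character" case (which would require enumerating the alphabet) is left out.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Correctors for the error classes the paper names. Each maps what the user
# typed to the password they probably meant. The set is fixed and small, which
# is what keeps the extra strings a login will accept (and the free guesses an
# online attacker gets per attempt) bounded. Names are mine, not the paper's.
CORRECTORS: list[tuple[str, Callable[[str], str]]] = [
    ("swc-all",   lambda p: p.swapcase()),               # caps lock was on
    ("swc-first", lambda p: p[:1].swapcase() + p[1:]),   # first letter auto-capitalized
    ("rm-last",   lambda p: p[:-1]),                     # stray character appended
    ("rm-first",  lambda p: p[1:]),                      # stray character prepended
]

# Low iteration count keeps the demo quick; production values are far higher.
ITERATIONS = 20_000


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password; only this value is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str) -> tuple[bytes, bytes]:
    """Create a fresh random salt and the verifier for a new password."""
    salt = os.urandom(16)
    return salt, derive(password, salt)


def check_typo_tolerant(typed: str, salt: bytes, stored: bytes) -> Optional[str]:
    """Return "exact", the name of the corrector that matched, or None.

    Every candidate is derived from what was typed and compared only through
    the stored hash, so the server never needs the plaintext password and a
    rejected login costs at most len(CORRECTORS) + 1 KDF evaluations.
    """
    if hmac.compare_digest(derive(typed, salt), stored):
        return "exact"
    tried = {typed}
    for name, fix in CORRECTORS:
        candidate = fix(typed)
        if candidate in tried:      # corrector was a no-op; skip the extra KDF call
            continue
        tried.add(candidate)
        if hmac.compare_digest(derive(candidate, salt), stored):
            return name
    return None


if __name__ == "__main__":
    salt, stored = enroll("Tr0ub4dor&3")   # constructed sample password
    for attempt in ["Tr0ub4dor&3", "tR0UB4DOR&3", "tr0ub4dor&3", "Tr0ub4dor&3x", "wrong"]:
        print(f"{attempt!r:16} -> {check_typo_tolerant(attempt, salt, stored)}")
```

The returned corrector name is what you would log to measure how often each class of typo actually occurs before deciding which correctors to keep enabled.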
