msm1267 - Slashdot User

Submission + - Tracing Cloud-Based Data Leaks to the Source (threatpost.com)

Submitted by msm1267 on Monday November 06, 2017 @08:57PM

msm1267 writes: Companies rushing workloads to the cloud are leaving behind a trail of 1.3 billion leaked files from a mere two-dozen incidents.

In the past few months, we've seen devastating exposures of sensitive data, ranging from the entire Chicago voter roll to NFL player and agent data to Verizon business data. The cause of these leaks are a generally traced to misconfigurations by data owners or third parties managing a subset of data for specific projects. Organizations are changing default settings on Amazon S3 buckets from private to public, or poorly managing access controls, data security and vulnerability management in data and apps hosted outside their environments.

One expert said: “I’m seeing organizations moving to the cloud that just aren’t ready Far too often in the rush to migrate, IT organizations turn into the Wild West, where no one really has control or visibility into the infrastructure."

Submission + - Down The Rabbit Hole with a BLU Phone Infection (threatpost.com)

Submitted by msm1267 on Thursday October 12, 2017 @12:29PM

msm1267 writes: BLU phones, marketed as affordable Android devices, have recently been pulled from Amazon and other retailers after allegations the devices were infected with spyware and posed a privacy threat to users. This is the tale of one such victim who purchased 11 devices that instantaneously began serving pop-up ads and downloading unwanted applications. The phones were analyzed and the root of the issue in this case was uncovered.

Submission + - Macs Missing Critical Firmware Updates (threatpost.com)

Submitted by msm1267 on Friday September 29, 2017 @10:31AM

msm1267 writes: Apple now bundles EFI firmware updates with its regular OS and security updates, but researchers at Duo Security have discovered that many Mac models are missing those critical hardware updates.

This is bad news for businesses and should perk up the ears of advanced attackers who have increasingly gone after hardware level access and persistence on targeted machines.

Duo Security said it analyzed data such as the build version and hardware model of more than 73,000 Macs, and compared that information to the respective EFI versions that should be running. On average, Duo said, 4.2 percent of machines in production environments did not match their expected EFI versions. The numbers were much worse for particular Mac models.

Submission + - Tasty Android Oreo Security Enhancements to Consider (threatpost.com)

Submitted by msm1267 on Friday September 22, 2017 @02:07PM

msm1267 writes: With Android Oreo, Google has elevated security, introducing improvements to important device hardening features such as Project Treble, System Alerts, device permissions and Verified Boot.

The introduction of Project Treble in O is a major security milestone for Google. Project Treble is Google’s revamp of the Android OS framework—separating the vendor implementation (device-specific, lower-level software written by third-party manufacturers) from the Android OS framework.

One of the goals of Project Treble is to streamline the often maligned Android patching process that security experts say is one of the weakest links in Android security defenses.

Submission + - 20-Year-Old SMB Vulnerability to be Disclosed at DEF CON (threatpost.com)

Submitted by msm1267 on Wednesday July 26, 2017 @07:16PM

msm1267 writes: A 20-year-old Windows SMB vulnerability is expected to be disclosed Saturday during a talk at DEF CON. Microsoft has said it will not patch the vulnerability, which allows an attacker to remotely crash a Windows server with relative ease using only 20 lines of Python code and a Raspberry Pi.

The vulnerability affects every version of the SMB protocol and every Windows version dating back to Windows 2000. The attack is called SMBloris because it is comparable to Slowloris, a 2009 attack developed by Robert Hansen. Both attacks can use a single machine to crash or freeze a much more powerful server, but Slowloris, unlike SMBloris, targets webservers.

Submission + - Victims of FruitFly BackDoor For Macs are 'Everyday Users' (threatpost.com) 1

Submitted by msm1267 on Monday July 24, 2017 @11:38AM

msm1267 writes: Spyware built for Macs called Fruitfly has snared at least 400 victims, most of which are located in the U.S. and appear to be everyday users, according to the researcher who found a variant and analyzed it.

Fruitfly is capable of executing shell commands, retrieving screen captures, manipulating mouse movements, killing processes and even triggering an alert to the attacker when the user is active again on their Mac. The original version has been in the wild for years and had largely gone undetected until earlier this year.

The victims, meanwhile, are anomaly in that they’re “normal, everyday users,” as characterized by researcher Patrick Wardle, who during his analysis was able to register a number of backup command servers included in the code and learn valuable victim information that he shared with law enforcement, along with the C&C servers he registered.

Unlike other spyware samples—including the FruitFly sample disclosed earlier this year by Malwarebytes—this variant did not appear to target researchers, high-profile organizations or defense contractors. In fact, most of the victims are in the United States, including a noteworthy concentration of them in Ohio.

Submission + - Free Digital Certificates Come with a Cost (threatpost.com)

Submitted by msm1267 on Monday July 17, 2017 @11:53AM

msm1267 writes: Let’s Encrypt is the largest certificate authority by volume doling out more than 100,000 free domain certificates a day. The non-profit fulfills a noble mission of securing website communications that is applauded across the internet; it has raised the bar on SSL and TLS security, issuing 100 million HTTPS certificates as of June 2017.

However, despite industry accolades by privacy activists and praise from those in the security community for its mission, some critics are sounding alarm bells and warning that Let’s Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place.

Submission + - Oracle Won't Fix Two OAM Remote Session Hijacking Bugs (threatpost.com)

Submitted by msm1267 on Wednesday July 12, 2017 @08:42AM

msm1267 writes: Oracle’s next quarterly Critical Patch Update is slated for July 18, but two vulnerabilities in an older version of the company’s Oracle Access Manager (OAM) solution won’t be among the bugs patched.

Version 10g of the software, Oracle’s solution for web access management and user administration, suffers from two issues: an open redirect vulnerability, and the fact that it sends cookie values in GET requests.

The software features a proprietary multiple network domain SSO capability. Critical to that is ObSSOCookie, a super cookie of sorts. If a user was tricked into clicking through a link via phishing email, for example, and logging into the OAM portal, a remote attacker could read that cookie value and hijack that session, researchers said.

Submission + - Telegram-Controlled Hacking Tool Attacks SQLi Bugs at Scale (threatpost.com)

Submitted by msm1267 on Tuesday July 11, 2017 @05:01PM

msm1267 writes: A black market hacking tool has the potential to rapidly conduct website scans for SQL injection vulnerabilities at a large scale, all managed from a smartphone through the Telegram messenger.

The Katyusha Scanner is a relative newcomer available to black hats that surfaced in early April. It’s a blend of the Anarchi Scanner open source penetration testing tool and Telegram; it has already been updated seven times since its introduction, and now Pro and Lite versions are available for between $250 and $500.

Researchers at Recorded Future who found the tool for sale declined to name the site where it’s being offered, and said they have informed law enforcement. They said the seller is Russian speaking, and that top-tier Russian hackers frequent the forum. The seller is known for selling data stolen from ecommerce websites.

Submission + - This Retail Website Considers Password Security Optional (threatpost.com)

Submitted by msm1267 on Monday July 03, 2017 @10:46AM

msm1267 writes: Most gaping security holes are terrible mistakes. But for one major Hong Kong-based online retailer called Strawberrynet, its security shortcomings are a feature.

Like many ecommerce sites, registered users have an option for express checkout. What makes beauty-products website Strawberrynet unique is when it comes to security, the site allows you to sign-in to your private account using only your email address. That’s right, no password required.

That sparked the attention of Troy Hunt, who runs the data breach repository HaveIBeenPwned.com. He calls Strawberrynet’s privacy policy “insanity.”

“I’ve never seen another site that’s consciously built a feature like this and assumed it must have been an accident when I first saw it,” Hunt told Threatpost. “It’s hard to justify or rationalize this in any way; there’s no technical justification for exposing personal data like this publicly.”

The glaring privacy issues tied to Strawberrynet’s site have been chronicled by Hunt for almost a year. Last August, Hunt got wind of the security snafu. He visited the site and tried to guess email addresses for users. Without much effort, an email address pulled up the billing and delivery address for Strawberrynet users. Data beyond the address included home and mobile phone numbers. Hunt was also allowed to make account changes. No credit card information was exposed.

“Now all I did here was enter a very common female name to @gmail.com and wammo! There’s all her data,” Hunt wrote in his latest blog post on the Strawberrynet saga.

Submission + - Stack Clash Linux Flaw Enables Root Access; Patch Now (threatpost.com)

Submitted by msm1267 on Monday June 19, 2017 @01:07PM

msm1267 writes: Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code at root.

Major Linux and open source distributors have made patches available today, and systems running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated soon.

The risk presented by this flaw, CVE-2017-1000364, becomes elevated especially if attackers are already present on a vulnerable system. They would now be able to chain this vulnerability with other critical issues, including the recently addressed Sudo vulnerability, and then run arbitrary code with the highest privileges, said researchers at Qualys who discovered the vulnerability.

The vulnerability was found in the stack, a memory management region on these systems. The attack bypasses the Stack guard-page mitigation introduced in Linux in 2010 after attacks in 2005 and 2010 targeted the stack.

Submission + - Rare XP Patches Fix 3 Remaining Leaked NSA Exploits (threatpost.com)

Submitted by msm1267 on Wednesday June 14, 2017 @08:55AM

msm1267 writes: The unusual decision Microsoft made to release patches on Tuesday for unsupported versions of Windows was prompted by three NSA exploits that remained unaddressed from April’s ShadowBrokers leak.

The worst of the bunch, an attack called ExplodingCan (CVE-2017-7269), targets older versions of Microsoft’s Internet Information Services (IIS) webserver, version 6.0 in particular, and enables an attacker to gain remote code execution on a Windows 2003 server.

All three attacks allow an adversary to gain remote code execution; one is EsteemAudit, a vulnerability in the Windows Remote Desktop Protocol (RDP) (CVE-2017-0176), while the other is EnglishmanDentist (CVE-2017-8487), a bug in OLE (Object Linking and Embedding). Microsoft said the patches are available for manual download.

ExplodingCan merits a closer look because of the wide deployment of IIS 6.0.

“Generally, when you put a Windows machine on the internet, it’s going to be a server and it’s going to run a webserver, so there are production machines on the internet running IIS 6.0 right now,” said Sean Dillon, senior analyst at RiskSense and one of the first to analyze the NSA’s EternalBlue exploit that spread WannaCry ransomware on May 12.

“It’s probably already been exploited for months now,” Dillon said. “At least now there’s a fix that’s publicly available.”

Submission + - Attackers Mining Cryptocurrency by Exploiting Samba Vulnerability (threatpost.com)

Submitted by msm1267 on Monday June 12, 2017 @10:08AM

msm1267 writes: Unknown attackers are using a recently patched vulnerability in Samba to spread a resource-intensive cryptocurrency mining utility. To date, the operation has netted the attackers just under $6,000 USD, but the number of compromised computers is growing, meaning that a significant number of Samba deployments on *NIX servers remain unpatched.

The attack also demonstrates that the vulnerability in Samba, CVE-2017-7494, can extend EternalBlue-like attacks into Linux and UNIX environments.

The Samba vulnerability is similar to the SMB bug exploited on May 12 by attackers using the NSA’s EternalBlue exploit to spread WannaCry ransomware. Experts warned that EternalBlue can be fitted with any measure of attack, and they have a similar message about this flaw, which has been nicknamed SambaCry.

Submission + - NSA's EternalBlue Exploit Ported to Windows 10 (threatpost.com)

Submitted by msm1267 on Tuesday June 06, 2017 @11:29AM

msm1267 writes: EternalBlue, the NSA-developed attack used criminals to spread WannaCry ransomware last month, has been ported to Windows 10 by security researchers.

The publicly available version of EternalBlue leaked by the ShadowBrokers targets only Windows XP and Windows 7 machines. Researchers at RiskSense who created the Windows 10 version of the attack were able to bypass mitigations introduced by Microsoft that thwart memory-based code-execution attacks.

These mitigations were introduced prior to a March security update from Microsoft, MS17-010, and any computer running Windows that has yet to install the patch is vulnerable.

Submission + - WannaCry Author Speaks Chinese and English (threatpost.com)

Submitted by msm1267 on Thursday May 25, 2017 @02:13PM

msm1267 writes: The WannaCry ransom note was likely written by Chinese- and English-speaking authors, adding more intrigue to the investigation into whether it was indeed a North Korean APT using stolen NSA exploits to spread ransomware worldwide.

Analysts at Flashpoint, including some fluent in Chinese, said the Simplified and Traditional Chinese notes differ significantly from the others and that they were likely the original notes. The English note was then the source note for the remaining translations and was flushed through Google Translate to create them.

Many of the notes, Flashpoint director of Asia-Pacific research Jon Condra said, contained glaring grammatical errors that a native would not make. Ironically, the version of the note written in Korean was among the most poorly translated.

“It was interesting to us and we were kind of shocked after hearing the links to the Lazarus group that the Korean note was so badly translated,” Condra said. “That could be intentional, or maybe the person who wrote it didn’t speak Korean.”

Condra said the analyst who looked at it said it was about 65 percent correct and there were some basic mistakes made in the translation.

Slashdot Top Deals