msm1267 writes: A vulnerability in cryptsetup, a utility used to set up encrypted filesystems on Linux distributions, could allow an attacker to retrieve a root rescue shell on some systems. From there, an attacker could have the ability to copy, modify, or destroy a hard disk, or use the network to exfiltrate data.
Cryptsetup, a utility used to set up disk encryption based on the dm-crypt kernel module, is usually deployed in Debian and Ubuntu. Researchers warned late last week that if anyone uses the tool to encrypt system partitions for the operating systems, they’re likely vulnerable.
Two researchers, Hector Marco of the University of the West of Scotland and Ismael Ripoll, of the Polytechnic University of Valencia, in Spain, disclosed the vulnerability on Friday at DeepSec, a security conference held at the Imperial Riding School Renaissance Vienna Hotel in Austria.
According to a post published to the Full Disclosure mailing list, the vulnerability (CVE-2016-4484) affects packages 2.1 and earlier. Systems that use Dracut, an infrastructure commonly deployed on Fedora in lieu of initramfs (a simple RAM file system directory), are also vulnerable, according to the researchers. The pair say additional Linux distributions outside of Debian and Ubuntu may be vulnerable; they just haven’t tested them yet.
The researchers examined 600 top U.S. and Chinese mobile apps that use OAuth 2.0 APIs from Facebook, Google and Sina—which operates Weibo in China—and support SSO for third-party apps. The researchers found that 41.2 percent of the apps they tested were vulnerable to their attack, including popular dating, travel, shopping, hotel booking, finance, chat, music and news apps. None of the apps were named in the paper, but some have been downloaded hundreds of millions of times and can be exploited for anything from free phone calls to fraudulent purchases.
msm1267 writes: Microsoft has extended the end of life deadline for its Enhanced Mitigation Experience Toolkit to July 2018. EMET includes more than a dozen mitigations for memory-based attacks that acted as a stopgap against active attacks until Microsoft could either develop a patch or update Windows.
Microsoft, however, has long slowed down EMET's update cycle and has packed new mitigations into Windows 10 that are meant to counter modern attacks. Experts believe EMET's usefulness has slipped away as many of today's exploits can bypass its mitigations.
Windows 10, meanwhile, offers Control Flow Guard and other protections native to the operating system that can respond to advanced attacks in a way that the EMET add-on could not.
msm1267 writes: A researcher has disclosed an Exchange Server weakness, in which Outlook Web Access and Exchange Web Services are exposed on the same webserver and port, a configuration that allows an attacker to bypass two-factor authentication on OWA.
Beau Bullock of Black Hills Information Security said that Exchange Web Services isn't covered by two-factor authentication, and an attacker can take advantage of this situation to access an organization's email services, contacts, calendar information and more.
Microsoft, Bullock believes, may not be able to fix this without re-architecting the service. Any mitigations may also break thick clients such as Outlook for Mac that require Exchange Web Services to access Exchange Servers.
Researchers at Flashpoint dismissed numerous claims of responsibility that separately linked the attack to the Russian government, WikiLeaks or the New World Hackers group. Instead, the threat intelligence company said with “moderate confidence” that the attacks are linked to the Hackforums community. Hackforums is an English-speaking hacking forum and the place where the source code for the Mirai malware was publicly released by a hacker known as Anna-Senpai.
Director of National Intelligence James Clapper said today, during testimony at the Council on Foreign Relations, that it’s likely the attack was not carried out by nation-state actors.
“That appears to be preliminarily the case,” Clapper was quoted in The Hill. “But I wouldn’t want to be conclusively definitive about that, specifically whether a nation state may have been behind that or not.”
Flashpoint hinges its conclusion on a number of factors, starting with public release of the Mirai source code. Mirai scans the Internet for IoT devices such as those used in the attack on Dyn, Krebs on Security and French webhost OVH. The malware uses 60 known weak and default credentials on the IP-enabled cameras, DVRs and home networking gear to access the devices before corralling them into giant botnets used to DDoS targets. Since the source code was made public, the number of bots compromised by the malware has more than doubled, Level 3 Communications, a Colorado telco and ISP, said.
msm1267 writes: A nine-year-old Linux vulnerability that affects most of the major distributions has been recently used in public attacks. The flaw, nicknamed Dirty Cow because it lives in the copy-on-write (COW) feature in Linux, is worrisome because it can give a local attacker root privileges.
While the Linux kernel was patched on Wednesday, the major distributions are preparing patches. Red Hat, for example, told Threatpost that it has a temporary mitigation available through the kpatch dynamic kernel patching service that customers can receive through their support contact.
Dirty Cow is a privilege escalation vulnerability in copy-on-write, CVE-2016-5195. A race condition exists that allows local users to gain write access to read-only memory and elevate their privileges to root.
Exploits were discovered recently by researcher Phil Oester, who published an informational website on the bug that includes links to details on the flaw and a proof-of-concept exploit.
Oester said the bug has been in the kernel since version 2.6.22, released in 2007. “This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set,” Oester said on his website.
msm1267 writes: A leftover factory debugger in Android firmware made by Taiwanese electronics manufacturer Foxconn can be flipped into a backdoor by an attacker with physical access to a device.
The situation is a dream for law enforcement or a forensics outfit wishing to gain root access to a targeted device. Android researcher Jon Sawyer on Wednesday publicly disclosed the situation, which he’s called Pork Explosion as a swipe at what he calls overhyped and branded vulnerabilities.
“As a physical threat, it’s bad; game over,” Sawyer said. “It’s easy to do and you get complete code execution on the device, even if it’s encrypted or locked down. It’s exactly what a forensics company or law enforcement officials would love to have.”
The backdoor was found in a bootloader built by Foxconn, Sawyer said. Foxconn builds phones and some low level software for firmware. Two vendors’ devices have been impacted so far—InFocus’ M810 and Nextbit’s Robin phones—but Sawyer cautioned that there are likely more.
msm1267 writes: An attack group known as StrongPity has used watering hole attacks to redirect users to Trojanized versions of popular encryption software TrueCrypt and WinRAR.
Victims were located primarily in Belgium and Italy, as well as North Africa and the Middle East. The attackers posted redirects on legitimate download sites redirecting users to sites hosting malicious versions of the encryption tools.
The goal of the attackers was to compromise systems and drop additional malware that intercepts communication bound for FileZilla, PuTTY, WinSCP and Windows RDP tools before the data is encrypted. Researchers at Kaspersky Lab published a report on the group's activities, which peaked during the summer.
Sometime in the early part of 2015, the Justice Department reportedly went to Yahoo officials with an order to search its users’ incoming email messages for certain words. Yahoo complied by building a custom piece of software that sat in the mail system and looked for the terms, which haven’t been made public. The revelations about the mail scanning program last week caused an uproar among security experts and civil liberties groups.
Now, experts at the EFF and Sen. Ron Wyden say that the order served on Yahoo should be made public according to the text of a law passed last year. The USA Freedom Act is meant to declassify certain kinds of government orders, and the EFF says the Yahoo order fits neatly into the terms of the law.
“If the reports about the Yahoo order are accurate – including requiring the company to custom build new software to accomplish the scanning – it’s hard to imagine a better candidate for declassification and disclosure under Section 402," Aaron Mackey of the EFF said.
msm1267 writes: A new macro-based malware has been spotted that goes to novel lengths to avoid detection. Once a computer is compromised, the malware will count the number of Word documents stored on the local drive; if it's more than two, the malware executes. Otherwise, it figures it's landed in a virtual environment or is executing in a sandbox and stays dormant.
A typical test environment consists of a fresh Windows computer image loaded into a VM. The OS image usually lacks documents and other telltale signs of real world use.
If no Microsoft Word documents are found, the VBA macro's code execution terminates, shielding the malware from automated analysis and detection. Alternately, if more than two Word documents are found on the targeted system, the macro will download and install the malware payload.
msm1267 writes: A researcher has published details and a limited proof-of-concept exploit for a critical vulnerability in MySQL that has been patched by some vendors, but not yet by Oracle. The vulnerability allows an attacker to remotely or locally exploit a vulnerable MySQL database and execute arbitrary code, researcher Dawid Golunski of Legal Hackers said.
The flaw affects MySQL 5.7.15, 5.6.33 and 5.5.52. It has been patched in vendor deployments of MySQL in MariaDB and PerconaDB. Golunski said he reported the vulnerability to Oracle and other affected vendors on July 29. MariaDB and PerconaDB patched their versions of the database software before the end of August. Golunski said that since more than 40 days have passed and the two vendor fixes are public, he decided to disclose.
msm1267 writes: Chrome users who navigate to some HTTP sites will be notified, starting in January, they’re on a site that isn’t secure.
Google said today the browser will begin explicitly labeling HTTP connections that feature either a password or credit card form as insecure. The company said the plan is its first step toward marking all HTTP sites as such, though it didn’t provide a timetable for the undertaking.
Google said the move will improve on the browser’s current iteration of a warning, which indicates HTTP connections with a neutral indicator. Eventually, Google plans to mark all HTTP pages as non-secure and use the same red triangle it currently uses for broken HTTPS sites.
msm1267 writes: The Android ecosystem may have dodged another Stagefright-type of vulnerability.
Google’s monthly Android Security Bulletin released on Tuesday not only patched the remaining Quadrooter vulnerabilities, but also fixed another wide-ranging flaw that could allow an attacker to easily compromise—or at least brick—any Android device dating back to version 4.2.
The key to staving off another Stagefright is that yesterday’s patch features a complete overhaul of the offending jhead library, mitigating the possibility of recurring critical bugs, which, for example, continue to plague Mediaserver on an almost-monthly basis.
Tim Strazzere, director of mobile research at SentinelOne, found the vulnerability (CVE-2016-3862) and said that it would require just a specially crafted jpeg file in order to exploit the issue.
Strazzere, admittedly not a proficient exploit writer, said he was able to cause his brand new Nexus 6P device to crash and reboot, and added that the bug could also likely be used by an advanced attacker to gain remote code execution on an Android device. This is especially true on older versions of Android where there are fewer exploit mitigations built into the operating system.
“This bug I found specifically is in a library that tries to read Exif data out of jpegs,” Strazzere said. “Any app using that library is affected by this.”
Redis is an open source tool used by web application developers for the purpose of quickly caching data. The tool’s developers configure Redis to be accessed only by trusted clients inside trusted environments, and are adamant that Redis instances are not meant to be exposed to the Internet.
Researchers at Duo Labs, however, found 18,000 insecure Redis implementations online, and discovered evidence of attacks against 13,000.
The Fairware attacks, meanwhile, were reported in posts to the forums at BleepingComputer independently of Duo Labs’ research. In both cases, attackers were deleting web folders on the servers and leaving behind a link to a Pastebin site hosting a ransom note.
Comparisons between a number of the notes and other artifacts, such as IP addresses and SSH keys used by the attackers, are enough evidence to connect the attacks, researchers at Duo Labs and BleepingComputer said.
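The Redis story above turns on instances that were left reachable from the Internet without authentication, against the developers' stated intent that Redis only be accessed by trusted clients. As an added illustration (not code from the original post, from Duo Labs, or from the Redis project), the following script audits a `redis.conf` text for the three settings that decide that exposure. The directive names `bind`, `protected-mode`, `requirepass` and `rename-command` are real Redis configuration keys; the two sample configurations, the audit function and the placeholder password are constructed for this example.

```python
"""Added example: audit a redis.conf for settings that leave an instance
reachable from the Internet without authentication.

Not code from the original post or from the Redis project. The directive
names are real Redis keys; the sample configs below are constructed."""


# Constructed sample: an instance with the settings that make it reachable
# by any client on the network.
EXPOSED_CONF = """
# redis.conf (constructed sample, insecure)
port 6379
protected-mode no
bind 0.0.0.0
"""

# Constructed sample: the same instance restricted to trusted local clients.
# The requirepass value is a placeholder, not a real credential.
HARDENED_CONF = """
# redis.conf (constructed sample, hardened)
port 6379
bind 127.0.0.1
protected-mode yes
requirepass CHANGE-ME-placeholder-password
rename-command FLUSHALL ""
"""


def parse_conf(text):
    """Return {directive: [args...]} keeping the last occurrence of each
    directive. Blank lines and '#' comments are skipped; directive names
    are treated case-insensitively, as Redis does."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf[parts[0].lower()] = parts[1:]
    return conf


def audit_redis_conf(text):
    """Return a list of findings, each describing one setting that exposes
    the instance. An empty list means none of the checked settings is weak."""
    conf = parse_conf(text)
    findings = []

    # 1. Listening address: no bind, or a wildcard, means the socket accepts
    #    connections from every interface, not just trusted local clients.
    bind = conf.get("bind")
    if bind is None:
        findings.append("no 'bind' directive: socket listens on all interfaces")
    elif any(addr in ("0.0.0.0", "*", "::") for addr in bind):
        findings.append(f"bind includes a wildcard address: {' '.join(bind)}")

    # 2. Protected mode (Redis 3.2+) refuses non-loopback clients when no
    #    bind and no password are set; turning it off removes that safety net.
    pm = conf.get("protected-mode", ["yes"])
    if not pm or pm[0].lower() != "yes":
        findings.append("protected-mode is disabled")

    # 3. Without requirepass every client that can reach the port can run
    #    any command, including the ones that delete or overwrite data.
    if not conf.get("requirepass"):
        findings.append("no requirepass: clients connect unauthenticated")

    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_redis_conf(text) or ['no findings']}")
```

The audit reads the file rather than connecting to a server, so it can run offline against a configuration pulled from a host or a container image. `rename-command` in the hardened sample is there only to show one further hardening the page's story motivates (the attackers were deleting data); the audit does not score it.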
The world has seen the most unsettling attack yet resulting from the so-called Rowhammer exploit, which flips individual bits in computer memory. It's a technique that's so surgical and controlled that it allows one machine to effectively steal the cryptographic keys of another machine hosted in the same cloud environment.
Until now, Rowhammer has been a somewhat clumsy and unpredictable attack tool because it was hard to control exactly where data-corrupting bit flips happened. While previous research demonstrated that it could be used to elevate user privileges and break security sandboxes, most people studying Rowhammer said there was little immediate danger of it being exploited maliciously to hijack the security of computers that use vulnerable chips. The odds of crucial data being stored in a susceptible memory location made such hacks largely a matter of chance that was stacked against the attacker. In effect, Rowhammer was more a glitch than an exploit.
Now, computer scientists have developed a significantly more refined Rowhammer technique they call Flip Feng Shui. It manipulates deduplication operations that many cloud hosts use to save memory resources by sharing identical chunks of data used by two or more virtual machines. Just as traditional Feng Shui aims to create alignment or harmony in a home or office, Flip Feng Shui can massage physical memory in a way that causes crypto keys and other sensitive data to be stored in locations known to be susceptible to Rowhammer.