msm1267 writes: Wireless keyboards made by eight different companies suffer from a vulnerability that can allow attackers to eavesdrop on keystrokes from up to 250 feet away, researchers warned Tuesday.
If exploited, the vulnerability, dubbed KeySniffer, could let an attacker glean passwords, credit card numbers, security questions and answers – essentially anything typed on a keyboard, in clear text.
Keyboards manufactured by Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec are affected, according to Marc Newlin, a researcher with Bastille Networks who discovered the vulnerability.
Bastille gave the manufacturers of the keyboards 90 days to address the vulnerability, but most vendors failed to respond to its findings. Newlin said only Jasco Products, a company that manufactures the affected keyboard (GE 98614) for General Electric, responded and claimed it no longer manufactures wireless devices, like keyboards. As there doesn’t appear to be a way to actually fix the vulnerability, it’s likely the companies will eventually consider the devices end-of-life.
msm1267 writes: A team of researchers from the University of Florida and Villanova University have built a generic ransomware detection utility for Windows machines, one that focuses on how ransomware transforms data rather than on the execution of malicious code.
Their utility is called CryptoDrop, and in a test against nearly 500 real-world ransomware samples from 14 distinct families, it detected 100 percent of attacks with relatively little file loss (a median loss of 10 files).
“Our system (built only for Windows) is the first ransomware detection system that monitors user data for changes that may indicate transformation rather than attempting to identify ransomware by inspecting its execution (e.g., API call monitoring) or contents,” the researchers wrote. “This allows CryptoDrop to detect suspicious activity regardless of the delivery mechanism or previous benign activity.”
The marketplace provides a platform for the buying and selling of hacked servers. Its original open web domain, xdedic[.]biz, disappeared shortly after a June 16 Kaspersky Lab report on its activities, users and business.
The original market had upwards of 70,000 hacked servers for sale from more than 400 unique sellers. It's unknown how much inventory is being peddled on the new site, which was uncovered by researchers at Digital Shadows, who found a post on a Russian and French criminal forum pointing to a Tor domain as the new home of xDedic.
The new site has the same look and feel as the old one, but Digital Shadows said accounts had not transferred over, and that there is now a $50 USD enrollment fee to join the new market.
msm1267 writes: Google last week announced changes in the way it will handle trusted Certificate Authorities in Nougat, the latest version of the Android operating system. The changes are expected to cut into the likelihood of a successful man-in-the-middle attack, or a device falling victim to an attacker-supplied custom certificate. This also takes a bit of pressure off mobile app developers who may inadvertently introduce trouble by turning off TLS certificate verification, for example.
Chad Brubaker of the Android Security Team said Google has always allowed developers to customize which CAs are trusted by apps, but mistakes happen, and Google believes that complex Java TLS APIs are to blame; hence the update to simplify how developers can customize trust.
Google has also implemented another change in which apps at API Level 24 will no longer honor user- and admin-supplied CAs unless the developer opts-in. “This safe-by-default setting reduces application attack surface and encourages consistent handling of network- and file-based application data,” Brubaker wrote. The final noteworthy change allows developers to specify how apps trust CAs, for example, trusting only connections to certain domains as needed.
msm1267 writes: The default implementation for KeyStore, the system in Android designed to store user credentials and cryptographic keys, is broken, researchers say.
In an academic paper published this week, researchers argue that the particular encryption scheme that KeyStore uses fails to protect the integrity of keys and could be exploited to allow an attacker to modify stored keys through a forgery attack.
KeyStore, which performs key-specific actions through the OpenSSL library, allows Android apps to store and generate their own cryptographic keys. By storing keys in a container, KeyStore makes it more difficult to remove them from the device.
Mohamed Sabt and Jacques Traoré, two researchers with the French telecom Orange Labs, claim the scheme associated with the system is "non-provably secure," and could have "severe consequences."
The two point out in their paper "Breaking Into the KeyStore: A Practical Forgery Attack Against Android KeyStore," that it's the hash-then-encrypt (HtE) authenticated encryption (AE) scheme in cipher block chaining mode (CBC) in KeyStore that fails to guarantee the integrity of keys.
Researchers at Rapid7 who found the flaw disclosed details today, as well as a Metasploit module and a proposed patch for the specification. The matter was privately disclosed in April, but Rapid7 said it never heard a response from Swagger's maintainers.
Swagger produces and consumes RESTful web services APIs; Swagger docs can be consumed to automatically generate client-server code. As of Jan. 1, the Swagger specification was donated to the Open API Initiative and became the foundation for the OpenAPI Specification.
The vulnerability lies in the Swagger Code Generator, and specifically in that parsers for Swagger documents (written in JSON) don't properly sanitize input. Therefore, an attacker can abuse a developer's trust in Swagger to include executable code that will run once it's in the development environment.
msm1267 writes: An APT group known as ScarCruft has used a zero-day vulnerability patched this week by Adobe in targeted attacks against more than two dozen high-profile targets in Russia and Asia.
The attackers gained a foothold on a number of government and technology networks using spear-phishing emails that link to a site compromised by an exploit kit. Malicious code is loaded on the machine that exploits the Flash vulnerability and also includes a technique designed to bypass antivirus detection by abusing the Windows DDE feature.
ScarCruft is a relatively new APT group and has a number of ongoing campaigns, researchers at Kaspersky Lab said, adding they believe that ScarCruft was also in possession of a Windows zero day that was patched by Microsoft in April.
But a team of academics from Cornell University, MIT and a Dropbox security engineer say that the degradation of security from the introduction of such an authentication mechanism is negligible.
The team—Rahul Chatterjee, Ari Juels and Thomas Ristenpart of Cornell University, Anish Athalye of MIT, and Devdatta Akhawe of Dropbox—presented their findings in a paper called “pASSWORD tYPOS and How to Correct Them Securely” at the recent IEEE Symposium on Security and Privacy. The paper describes a framework for what the team calls typo-tolerant passwords that significantly enhances usability without compromising security.
The paper focuses on three common types of password errors that users make while typing: engaging caps lock; inadvertently capitalizing the first letter of a password; or adding or omitting characters to the beginning or end of a password.
By instituting an autocorrect scheme, the researchers said in their paper that they could reduce common mistakes and user frustrations with logins.
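An added example, not code from the paper, of the corrector idea behind typo-tolerant checking: the server keeps a normal salted, slow hash and, when the typed password fails, re-checks a small fixed set of corrected variants (caps lock toggled, first letter case-swapped, a stray leading or trailing character dropped). Function names and the PBKDF2 parameters are assumptions for this illustration; an omitted character cannot be corrected without guessing, so only added characters are handled.

```python
import hashlib
import hmac
import os

# Correctors for the three typo classes above; each maps what the user typed
# to the password they probably meant. Order matters: cheapest/most common first.
def swc_all(pw):       # caps lock was on: swap the case of every letter
    return pw.swapcase()

def swc_first(pw):     # first character capitalised (or not) by accident
    return pw[0].swapcase() + pw[1:] if pw else pw

def rm_last(pw):       # a stray character was appended at the end
    return pw[:-1]

def rm_first(pw):      # a stray character was typed at the start
    return pw[1:]

CORRECTORS = (swc_all, swc_first, rm_last, rm_first)
ITERATIONS = 100_000   # assumed PBKDF2 work factor for this illustration

def hash_password(password, salt=None):
    """Store a random salt plus a slow salted hash; never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_exact(candidate, salt, digest):
    got = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(got, digest)   # constant-time comparison

def verify_typo_tolerant(typed, salt, digest):
    """Return 'exact', the name of the corrector that matched, or None.

    Security cost: one login attempt now covers at most len(CORRECTORS)+1
    candidate passwords, so online guessing limits should be set with that
    multiplier in mind; the stored hash and salt are unchanged.
    """
    if verify_exact(typed, salt, digest):
        return "exact"
    seen = {typed}
    for fix in CORRECTORS:
        cand = fix(typed)
        if cand in seen:          # skip variants identical to ones already tried
            continue
        seen.add(cand)
        if verify_exact(cand, salt, digest):
            return fix.__name__
    return None
```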
Under the law, the FBI is now required to periodically review whether non-disclosure around National Security Letters remains appropriate.
“We believe this is an important step toward enriching a more open and transparent discussion about the legal authorities law enforcement can leverage to access user data,” said Chris Madsen, Yahoo’s head of global law enforcement, security and safety.
Two of the letters, one from the FBI’s Dallas office on Aug. 1, 2013 and the other from its Charlotte office May 29, 2015, demand the target of the investigation’s name, address and length of service with Yahoo for all services and accounts.
The remaining letter from the FBI’s Dallas office dated March 29, 2013 also requires Yahoo turn over electronic communications transactional records, which include “existing transaction/activity logs and all electronic (email) header information.”
msm1267 writes: Crooks breaking into enterprise networks are holding data they steal for ransom under the guise they are doing the company a favor by exposing a flaw. The criminal act is described as bug poaching and is becoming a growing new threat to businesses vulnerable to attacks.
Hackers are extorting companies for as much as $30,000 in exchange for details on how the hackers broke into their network and stole data. Researchers say once the intruders steal the data, there’s no explicit threat that they will break in again or release the data if companies don’t pay. Instead, attackers release a simple statement demanding payment in exchange for details on how to fix the vulnerability.
Typical bug poaching incidents start with criminals breaking into a network and stealing as much sensitive data as they can. Next, they post the data to a third-party cloud storage service. Lastly, the attackers email the company links to the data as proof the information was stolen and ask for a wire transfer of money in exchange for how the data was stolen.
During the attack, victims are not threatened with the public release of their data, instead attackers simply send a message that reads: “Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for a living, not for fun.”
msm1267 writes: A Microsoft Office vulnerability patched six months ago continues to be a valuable tool for APT gangs operating primarily in Southeast Asia and the Far East. Researchers at Kaspersky Lab today published a report describing how attackers continue to flourish exploiting CVE-2015-2545, a remote code execution vulnerability where an attacker crafts an EPS image file embedded in an Office document designed to bypass memory protections on Windows systems.
Exploits have been used primarily to gain an initial foothold on targeted systems. Those targets are largely government and diplomatic agencies and individuals in India and Asia, as well as satellite offices of those agencies in Europe and elsewhere. The Office flaw was patched in September in MS15-099 and updated again in November. Yet APT groups seem to be capitalizing on lax patching inside these high-profile organizations to carry out espionage. Some criminal organizations have also made use of exploits against this particular flaw, in particular against financial organizations in Asia, Kaspersky researchers said in their report.
The APT groups, however, seem to be having the most ongoing success with CVE-2015-2545. Kaspersky Lab identified a half-dozen groups, including two new outfits, that have been using modified exploits for the flaw.
msm1267 writes: LinkedIn is striking back against a website attempting to monetize the 117 million usernames and passwords stolen from the company as part of a 2012 data breach.
Website LeakedSource is reporting lawyers representing LinkedIn served the company a cease and desist order on Wednesday alleging the company is in violation of California’s Computer Fraud and Abuse Act because it is “illegally copying and displaying LinkedIn members’ information” without their consent.
Earlier this week, more than 117 million LinkedIn user logins went up for sale on the black market site “The Real Deal” by a hacker known as “Peace” for five Bitcoins ($2,280). LeakedSource, which is selling access to the data via a subscription model, claimed it is in possession of 117 million of the LinkedIn account records, which include email addresses and unsalted SHA-1 hashed passwords.
David Zuckerman, a computer science professor, and Eshan Chattopadhyay, a graduate student, published a paper in March that will be presented in June at the Symposium on Theory of Computing. The paper describes how the academics devised a method for the generation of high quality random numbers. The work is theoretical, but Zuckerman said down the road it could lead to a number of practical advances in cryptography, scientific polling, and the study of other complex environments such as the climate.
“We show that if you have two low-quality random sources—lower quality sources are much easier to come by—two sources that are independent and have no correlations between them, you can combine them in a way to produce a high-quality random number,” Zuckerman said. “People have been trying to do this for quite some time. Previous methods required the low-quality sources to be not that low, but more moderately high quality. We improved it dramatically."
The attacks have been carried out since 2013 and are ongoing against large organizations owned by corporations in the United States, United Kingdom, Germany, China, India, Japan, and South Korea, spanning 15 critical industries, researchers at Onapsis said today.
The severity of these attacks is high and should put other organizations on notice that are running critical business processes and data through SAP Java apps.
The issue lies in the Invoker Servlet, which is part of the standard J2EE specification and enables developers to test custom Java applications. When it is enabled, developers and users can call these servlets over the Internet directly without authentication or authorization controls. Attackers, however, can take advantage of this same functionality to exploit these business-critical systems.