Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×

Submission + - Down The Rabbit Hole with a BLU Phone Infection (threatpost.com)

msm1267 writes: BLU phones, marketed as affordable Android devices, have recently been pulled from Amazon and other retailers after allegations the devices were infected with spyware and posed a privacy threat to users. This is the tale of one such victim who purchased 11 devices that instantaneously began serving pop-up ads and downloading unwanted applications. The phones were analyzed and the root of the issue in this case was uncovered.

Submission + - Free Digital Certificates Come with a Cost (threatpost.com)

msm1267 writes: Let’s Encrypt is the largest certificate authority by volume doling out more than 100,000 free domain certificates a day. The non-profit fulfills a noble mission of securing website communications that is applauded across the internet; it has raised the bar on SSL and TLS security, issuing 100 million HTTPS certificates as of June 2017.

However, despite industry accolades by privacy activists and praise from those in the security community for its mission, some critics are sounding alarm bells and warning that Let’s Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place.

Submission + - Stack Clash Linux Flaw Enables Root Access; Patch Now (threatpost.com)

msm1267 writes: Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code at root.

Major Linux and open source distributors have made patches available today, and systems running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated soon.

The risk presented by this flaw, CVE-2017-1000364, becomes elevated especially if attackers are already present on a vulnerable system. They would now be able to chain this vulnerability with other critical issues, including the recently addressed Sudo vulnerability, and then run arbitrary code with the highest privileges, said researchers at Qualys who discovered the vulnerability.

The vulnerability was found in the stack, a memory management region on these systems. The attack bypasses the Stack guard-page mitigation introduced in Linux in 2010 after attacks in 2005 and 2010 targeted the stack.

Submission + - NSA's EternalBlue Exploit Ported to Windows 10 (threatpost.com)

msm1267 writes: EternalBlue, the NSA-developed attack used criminals to spread WannaCry ransomware last month, has been ported to Windows 10 by security researchers.

The publicly available version of EternalBlue leaked by the ShadowBrokers targets only Windows XP and Windows 7 machines. Researchers at RiskSense who created the Windows 10 version of the attack were able to bypass mitigations introduced by Microsoft that thwart memory-based code-execution attacks.

These mitigations were introduced prior to a March security update from Microsoft, MS17-010, and any computer running Windows that has yet to install the patch is vulnerable.

Submission + - Leaked NSA Exploit Spreading Ransomware Worldwide (threatpost.com)

msm1267 writes: A ransomware attack running rampant through Europe today is spreading via an exploit leaked in the most recent ShadowBrokers dump.

Researchers said the attackers behind today’s outbreak of WannaCry ransomware are using EternalBlue, an exploit made public by the mysterious group in possession of offensive hacking tools allegedly developed by the NSA.

Most of the attacks are concentrated in Russia, but machines in 74 countries have been infected; researchers at Kaspersky Lab said they’ve recorded more than 45,000 infections so far on their sensors, and expect that number to climb.

Sixteen National Health Service (NHS) organizations in the U.K., several large telecommunications companies and utilities in Spain, and other business throughout Europe have been infected. Critical services are being interrupted at hospitals across England, and in other locations, businesses are shutting down IT systems.

Submission + - Many Commercial Drones Insecure by Design (threatpost.com)

msm1267 writes: Drones, many readily available on ecommerce shops such as Amazon, are plagued by vulnerabilities that could give attackers full root access, read or delete files, or crash the device.

The United States Computer Emergency Readiness Team (US-CERT) published a warning about one model, the DBPOWER U818A WiFi quadcopter, last month, but according to the researcher who reported the vulnerabilities, multiple drone models– manufactured by the same company but sold under different names – are also vulnerable.

The drones contain two appealing attack vectors: an open access point and a misconfigured FTP server. If an attacker was within WiFi range of the drone they could easily obtain read and write permissions to the drone’s filesystem and modify its root password.

Like any attack dependent on Wi-Fi, an attacker would need to be in close proximity to the drone to carry out an attack, but reasons that an attacker could connect their computer to the drone access point, essentially treating it as a proxy to spy on the device’s live feed or the drone’s open ports.

Submission + - NSA's DoublePulsar Kernel Exploit A 'Bloodbath' (threatpost.com)

msm1267 writes: A little more than two weeks after the latest ShadowBrokers leak of NSA hacking tools, experts are certain that the DoublePulsar post-exploitation Windows kernel attack will have similar staying power to the Conficker bug, and that pen-testers will be finding servers exposed to the flaws patched in MS17-010 for years to come.

MS17-010 was released in March and it closes a number of holes in Windows SMB Server exploited by the NSA. Exploits such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance that are part of the Fuzzbunch exploit platform all drop DoublePulsar onto compromised hosts. DoublePulsar is a sophisticated memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish.

“This is a full ring0 payload that gives you full control over the system and you can do what you want to it,” said Sean Dillon, senior security analyst at RiskSense. Dillon was the first to reverse-engineer a DoublePulsar payload, and published his analysis last Friday.

“This is going to be on networks for years to come. The last major vulnerability of this class was MS08-067, and it’s still found in a lot of places,” Dillon said. “I find it everywhere. This is the most critical Windows patch since that vulnerability.”

Dan Tentler, founder and CEO of Phobos Group, said internet-net wide scans he’s running have found about 3.1 percent of vulnerable machines are already infected (between 62,000 and 65,000 so far), and that percentage is likely to go up as scans continue.

“This is easily describable as a bloodbath,” Tentler said.

Submission + - US-CERT: HTTPS Interception Weakens TLS (threatpost.com)

msm1267 writes: Recent academic work looking at the degradation of security occurring when HTTPS inspection tools are sitting in TLS traffic streams has been escalated by an alert published Thursday by the Department of Homeland Security.

DHS’ US-CERT warned enterprises that running standalone inspection appliances or other security products with this capability often has a negative effect on secure communication between clients and servers.

“All systems behind a hypertext transfer protocol secure (HTTPS) interception product are potentially affected,” US-CERT said in its alert.

HTTPS inspection boxes sit between clients and servers, decrypting and inspecting encrypted traffic before re-encrypting it and forwarding it to the destination server. A network administrator can only verify the security between the client and the HTTP inspection tool, which essentially acts as a man-in-the-middle proxy. The client cannot verify how the inspection tool is validating certificates, or whether there is an attacker positioned between the proxy and the target server.

Submission + - Buggy Domain Validation Forces GoDaddy to Revoke Certs (threatpost.com)

msm1267 writes: GoDaddy has revoked, and begun the process of re-issuing, new SSL certificates for more than 6,000 customers after a bug was discovered in the registrar’s domain validation process.

The bug was introduced July 29 and impacted fewer than two percent of the certificates GoDaddy issued from that date through yesterday, said vice president and general manager of security products Wayne Thayer.

“GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process,” Thayer said in a statement. “The bug caused the domain validation process to fail in certain circumstances.”

GoDaddy said it was not aware of any compromises related to the bug.

Submission + - Sensitive Data Stored on Box.com Accounts Accessible Via Search Queries (threatpost.com)

msm1267 writes: Last week Box.com moved quickly and quietly to block search engines from indexing links to confidential data owned by its users. That is after security researcher Markus Neis surfaced private data belonging to a number of Fortune 500 companies via Google, Bing and other search engines. Box.com said it’s a classic case of users accidentally oversharing. Neis isn’t convinced and says Box.com’s so-called Collaboration links shouldn’t have been indexed in the first place. Box.com has since blocked access to what security researchers say was a treasure trove confidential data and fodder for phishing scams.

Submission + - Aircraft Entertainment Systems Hacks are Back (threatpost.com)

msm1267 writes: Researchers at IOActive today disclosed vulnerabilities in Panasonic Avionics In-Flight Entertainment Systems that were reported to the manufacturer close to two years ago. The flaws could be abused to manipulate in-flight data shown to passengers, or access personal information and credit card data swiped at the seat for premium entertainment or Internet access.

Given that the firmware is customizable and used by dozens airlines in hundreds of aircraft models, the researchers said it’s almost impossible to determine whether the vulnerabilities no longer exist across the board.

IOActive said that segmentation between aircraft control and information services that oversee avionics and operational control of a plane should isolate these vulnerabilities to passenger entertainment domains. Whether an attacker could cross those domains and affect critical avionics systems would depend on specific devices and configurations, IOActive said, given that a physical path could exist that connects those systems through satellite communications terminals that provide in-flight updates to critical systems. The concern is that whether in some configurations, IFEs would share access to these devices and provide the physical path an attacker would need to reach critical systems.

As for the vulnerabilities in passenger systems, IOActive said there is a lack of authentication and encryption between an on-board server and clients at passenger seats. This could allow an attacker on board to send commands to the IFE system to manipulate what's displayed to passengers, or read payment card data swiped at seats.

Submission + - Code Reuse a Peril for Secure Software Development (threatpost.com)

msm1267 writes: The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It’s a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and some repositories taking a hands-off approach with the code they host.

This scenario allows attackers to target one overlooked component flaw used in millions of applications instead of focusing on a single application security vulnerability. The real-world consequences have been demonstrated in the past few years with the Heartbleed vulnerability in OpenSSL, Shellshock in GNU Bash, and a deserialization vulnerability exploited in a recent high-profile attack against the San Francisco Municipal Transportation Agency. These are three instances where developers reuse libraries and frameworks that contain unpatched flaws in production applications.

According to security experts, the problem is two-fold. On one hand, developers use reliable code that at a later date is found to have a vulnerability. Second, insecure code is used by a developer who doesn’t exercise due diligence on the software libraries used in their project.

Submission + - 5-Year-Old Critical Linux Vulnerability Patched (threatpost.com)

msm1267 writes: A critical, local code-execution vulnerability in the Linux kernel was patched more than a week ago, continuing a run a serious security issues in the operating system, most of which have been hiding in the code for years.

Details on the vulnerability were published Tuesday by researcher Philip Pettersson, who said the vulnerable code was introduced in August 2011. A patch was pushed to the mainline Linux kernel Dec. 2, four days after it was privately disclosed. Pettersson has developed a proof-of-concept exploit specifically for Ubuntu distributions, but told Threatpost his attack could be ported to other distros with some changes.

The vulnerability is a race condition that was discovered in the af_packet implementation in the Linux kernel, and Pettersson said that a local attacker could exploit the bug to gain kernel code execution from unprivileged processes. He said the bug cannot be exploited remotely.

Submission + - Linux Crypto Utility Vulnerability Puts Systems at Risk (threatpost.com)

msm1267 writes: A vulnerability in cryptsetup, a utility used to set up encrypted filesystems on Linux distributions, could allow an attacker to retrieve a root rescue shell on some systems. From there, an attacker could have the ability to copy, modify, or destroy a hard disk, or use the network to exfiltrate data.

Cryptsetup, a utility used to setup disk encryption based on the dm-crypt kernel module, is usually deployed in Debian and Ubuntu. Researchers warned late last week that if anyone uses the tool to encrypt system partitions for the operating systems, they’re likely vulnerable.

Two researchers, Hector Marco of the University of the West of Scotland and Ismael Ripoll, of the Polytechnic University of Valencia, in Spain, disclosed the vulnerability on Friday at DeepSec, a security conference held at the Imperial Riding School Renaissance Vienna Hotel in Austria.

According to a post published to the Full Disclosure mailing list, the vulnerability (CVE-2016-4484) affects packages 2.1 and earlier. Systems that use Dracut, an infrastructure commonly deployed on Fedora in lieu of initramfs – a simple RAM file system directory, are also vulnerable, according to the researchers. The pair say additional Linux distributions outside of Debian and Ubuntu may be vulnerable, they just haven’t tested them yet.

Slashdot Top Deals

Hackers are just a migratory lifeform with a tropism for computers.

Working...