msm1267 writes: GoDaddy has revoked, and begun the process of re-issuing, new SSL certificates for more than 6,000 customers after a bug was discovered in the registrar’s domain validation process.
The bug was introduced July 29 and impacted fewer than two percent of the certificates GoDaddy issued from that date through yesterday, said vice president and general manager of security products Wayne Thayer.
“GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process,” Thayer said in a statement. “The bug caused the domain validation process to fail in certain circumstances.”
GoDaddy said it was not aware of any compromises related to the bug.
msm1267 writes: Burlington Electric Department general manager Neale Lunderville explains how his Vermont electric distribution utility was dragged into the center of a potential geopolitical nightmare shortly before the start of the New Year weekend.
Lunderville recaps the three days that thrust Burlington Electric into the national spotlight after the Washington Post wrongly reported that the utility was penetrated by Russian hackers.
Those reports came on the heels of a DHS alert on Grizzly Steppe, activities by two Russian APT groups alleged to have hacked the DNC. Lunderville also covers how benign indicators of compromise shared by DHS played a role in a long, disruptive weekend for his organization.
msm1267 writes: Last week Box.com moved quickly and quietly to block search engines from indexing links to confidential data owned by its users. That is after security researcher Markus Neis surfaced private data belonging to a number of Fortune 500 companies via Google, Bing and other search engines. Box.com said it’s a classic case of users accidentally oversharing. Neis isn’t convinced and says Box.com’s so-called Collaboration links shouldn’t have been indexed in the first place. Box.com has since blocked access to what security researchers say was a treasure trove of confidential data and fodder for phishing scams.
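The defensive fix Neis is arguing for is that share-link routes should never be served without a crawler directive. The following Go program is an added example, not Box.com's code: it wraps a hypothetical share-link route (`/s/<id>`, an assumed path) in a middleware that sets `X-Robots-Tag: noindex, nofollow, noarchive`, and includes an `isIndexable` check that a release test or a crawler-style probe can use to confirm that no share route is still indexable.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// noIndexDirective is attached to every response from a share-link route
// so crawlers neither index the page nor follow its links. The route
// names in this file are assumptions for the example, not Box.com's.
const noIndexDirective = "noindex, nofollow, noarchive"

// withNoIndex wraps a handler and stamps X-Robots-Tag on its responses.
// The header is set before the inner handler runs, so it is present even
// when the handler writes the body immediately.
func withNoIndex(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Robots-Tag", noIndexDirective)
		next.ServeHTTP(w, r)
	})
}

// isIndexable reports whether response headers permit search-engine
// indexing: true unless some X-Robots-Tag token is "noindex" or "none".
// Matching is case-insensitive because crawlers treat it that way.
func isIndexable(h http.Header) bool {
	for _, v := range h.Values("X-Robots-Tag") {
		for _, tok := range strings.Split(v, ",") {
			switch strings.ToLower(strings.TrimSpace(tok)) {
			case "noindex", "none":
				return false
			}
		}
	}
	return true
}

// shareLinkHandler stands in for the page behind a collaboration link
// (assumed name); it only echoes the link id.
func shareLinkHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "shared file %s\n", strings.TrimPrefix(r.URL.Path, "/s/"))
}

// newMux builds the routing table: share links get the noindex wrapper,
// the public landing page deliberately does not.
func newMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/s/", withNoIndex(http.HandlerFunc(shareLinkHandler)))
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "public landing page")
	})
	return mux
}

// probe issues an in-process request against the mux and returns the
// response headers, so a route's indexability can be checked offline.
func probe(path string) http.Header {
	rec := httptest.NewRecorder()
	newMux().ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Result().Header
}

func main() {
	for _, p := range []string{"/s/abc123", "/"} {
		fmt.Printf("%-12s indexable=%v\n", p, isIndexable(probe(p)))
	}
}
```

The check belongs in CI: enumerate every route that can reveal user content and fail the build if `isIndexable` returns true for any of them. A `robots.txt` entry is a weaker control, since it only asks well-behaved crawlers not to fetch, and a link that has already been fetched can still be indexed; the response header removes the page from the index regardless of how the crawler found it.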
Given that the firmware is customizable and used by dozens of airlines in hundreds of aircraft models, the researchers said it’s almost impossible to determine whether the vulnerabilities no longer exist across the board.
IOActive said that segmentation between aircraft control and information services that oversee avionics and operational control of a plane should isolate these vulnerabilities to passenger entertainment domains. Whether an attacker could cross those domains and affect critical avionics systems would depend on specific devices and configurations, IOActive said, given that a physical path could exist that connects those systems through satellite communications terminals that provide in-flight updates to critical systems. The concern is whether, in some configurations, IFEs would share access to these devices and provide the physical path an attacker would need to reach critical systems.
As for the vulnerabilities in passenger systems, IOActive said there is a lack of authentication and encryption between an on-board server and clients at passenger seats. This could allow an attacker on board to send commands to the IFE system to manipulate what's displayed to passengers, or read payment card data swiped at seats.
msm1267 writes: The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It’s a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and some repositories taking a hands-off approach with the code they host.
This scenario allows attackers to target one overlooked component flaw used in millions of applications instead of focusing on a single application security vulnerability. The real-world consequences have been demonstrated in the past few years with the Heartbleed vulnerability in OpenSSL, Shellshock in GNU Bash, and a deserialization vulnerability exploited in a recent high-profile attack against the San Francisco Municipal Transportation Agency. These are three instances where developers reuse libraries and frameworks that contain unpatched flaws in production applications.
According to security experts, the problem is two-fold. On the one hand, developers use reliable code that at a later date is found to have a vulnerability. On the other, insecure code is used by a developer who doesn’t exercise due diligence on the software libraries used in their project.
msm1267 writes: A team of New York University students architected a permissioned blockchain system called Votebook that could be applied to secure electronic voting. Their solution was the winning entry of the Cybersecurity Case Study Competition sponsored by Kaspersky Lab and The Economist.
Their system avoids the burden of wholesale changes to the voting process; votes would still be cast on touchscreens and the process of securing it happens seamlessly in the background. Unlike the Bitcoin implementation of blockchain which is trustless and open to anyone, using blockchain to secure an election requires trust and parameters limiting voting to local or national jurisdictions. To insert that trust into their system, the NYU team places that responsibility with a central authority and allows it to administer the blockchain.
The NYU team describes how with Votebook, the nodes must have prior permission from the central authority to make changes to the blockchain ledger. Each voting machine will generate a private and public key pair and send its public key to an election commission, which will compile the public keys into a table and redistribute that table to all voting machines. Once votes are collected, they are organized into a block and proposed to the network.
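The key-table step is what makes the chain permissioned: a node only accepts a block if the proposer's public key is in the commission's table and the block's signature verifies under it. The Go program below is an added illustration of that flow and is not the NYU team's Votebook code; it uses Ed25519 from the standard library, a SHA-256 hash chain, and an `Accept` check that rejects blocks from unregistered machines, blocks whose votes were altered after signing, and blocks that do not extend the current tip. The block layout and the `Machine`/`Ledger` names are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Machine is one voting machine. It keeps its private key and only ever
// hands the public half to the election commission.
type Machine struct {
	ID   string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewMachine(id string) (*Machine, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Machine{ID: id, priv: priv, Pub: pub}, nil
}

// KeyTable is what the commission compiles from the machines' public keys
// and redistributes to every node: machine id -> public key.
type KeyTable map[string]ed25519.PublicKey

// Block is one batch of collected votes proposed by a machine.
type Block struct {
	Index    int
	PrevHash []byte
	Machine  string
	Votes    []string
	Sig      []byte
}

// payload is the byte string that gets signed: every field except Sig,
// so any later change to the votes or the chain position breaks the signature.
func (b *Block) payload() []byte {
	var buf bytes.Buffer
	fmt.Fprintf(&buf, "%d|%s|%s|", b.Index, hex.EncodeToString(b.PrevHash), b.Machine)
	for _, v := range b.Votes {
		fmt.Fprintf(&buf, "%s;", v)
	}
	return buf.Bytes()
}

// Hash covers payload and signature, and is what the next block commits to.
func (b *Block) Hash() []byte {
	h := sha256.Sum256(append(b.payload(), b.Sig...))
	return h[:]
}

// Ledger is the permissioned chain held by every node.
type Ledger struct {
	Table  KeyTable
	Blocks []Block
}

func NewLedger(t KeyTable) *Ledger {
	return &Ledger{Table: t, Blocks: []Block{{Index: 0, Machine: "genesis"}}}
}

// Propose has a machine assemble and sign the next block on top of the tip.
func (m *Machine) Propose(l *Ledger, votes []string) Block {
	tip := l.Blocks[len(l.Blocks)-1]
	b := Block{Index: tip.Index + 1, PrevHash: tip.Hash(), Machine: m.ID, Votes: votes}
	b.Sig = ed25519.Sign(m.priv, b.payload())
	return b
}

// Accept is the node-side rule: proposer must be in the commission's table,
// the signature must verify under that key, and the block must extend the tip.
func (l *Ledger) Accept(b Block) error {
	pub, ok := l.Table[b.Machine]
	if !ok {
		return errors.New("proposer not in commission key table")
	}
	if !ed25519.Verify(pub, b.payload(), b.Sig) {
		return errors.New("signature does not verify")
	}
	tip := l.Blocks[len(l.Blocks)-1]
	if b.Index != tip.Index+1 || !bytes.Equal(b.PrevHash, tip.Hash()) {
		return errors.New("block does not extend current tip")
	}
	l.Blocks = append(l.Blocks, b)
	return nil
}

func main() {
	m, _ := NewMachine("precinct-1")
	rogue, _ := NewMachine("unregistered")
	l := NewLedger(KeyTable{m.ID: m.Pub}) // commission registers only precinct-1
	fmt.Println("registered machine:", l.Accept(m.Propose(l, []string{"ballot-1:A"})))
	fmt.Println("unregistered machine:", l.Accept(rogue.Propose(l, []string{"ballot-2:B"})))
}
```

The central authority's trust is concentrated in one artifact, the key table, so distributing it is the step to protect: a node that accepts a tampered table will accept blocks from whoever holds the corresponding private key.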
Details on the vulnerability were published Tuesday by researcher Philip Pettersson, who said the vulnerable code was introduced in August 2011. A patch was pushed to the mainline Linux kernel Dec. 2, four days after it was privately disclosed. Pettersson has developed a proof-of-concept exploit specifically for Ubuntu distributions, but told Threatpost his attack could be ported to other distros with some changes.
The vulnerability is a race condition that was discovered in the af_packet implementation in the Linux kernel, and Pettersson said that a local attacker could exploit the bug to gain kernel code execution from unprivileged processes. He said the bug cannot be exploited remotely.
msm1267 writes: A vulnerability in cryptsetup, a utility used to set up encrypted filesystems on Linux distributions, could allow an attacker to retrieve a root rescue shell on some systems. From there, an attacker could have the ability to copy, modify, or destroy a hard disk, or use the network to exfiltrate data.
Cryptsetup, a utility used to set up disk encryption based on the dm-crypt kernel module, is usually deployed in Debian and Ubuntu. Researchers warned late last week that if anyone uses the tool to encrypt system partitions for the operating systems, they’re likely vulnerable.
Two researchers, Hector Marco of the University of the West of Scotland and Ismael Ripoll, of the Polytechnic University of Valencia, in Spain, disclosed the vulnerability on Friday at DeepSec, a security conference held at the Imperial Riding School Renaissance Vienna Hotel in Austria.
According to a post published to the Full Disclosure mailing list, the vulnerability (CVE-2016-4484) affects packages 2.1 and earlier. Systems that use Dracut, an infrastructure commonly deployed on Fedora in lieu of initramfs (a simple RAM file system directory), are also vulnerable, according to the researchers. The pair say additional Linux distributions outside of Debian and Ubuntu may be vulnerable; they just haven’t tested them yet.
The researchers examined 600 top U.S. and Chinese mobile apps that use OAuth 2.0 APIs from Facebook, Google and Sina—which operates Weibo in China—and support SSO for third-party apps. The researchers found that 41.2 percent of the apps they tested were vulnerable to their attack, including popular dating, travel, shopping, hotel booking, finance, chat, music and news apps. None of the apps were named in the paper, but some have been downloaded hundreds of millions of times and can be exploited for anything from free phone calls to fraudulent purchases.
msm1267 writes: Microsoft has extended the end of life deadline for its Enhanced Mitigation Experience Toolkit to July 2018. EMET includes more than a dozen mitigations for memory-based attacks that acted as a stopgap against active attacks until Microsoft could either develop a patch or update Windows.
Microsoft, however, has long slowed down EMET's update cycle and has packed new mitigations into Windows 10 that are meant to counter modern attacks. Experts believe EMET's usefulness has slipped away as many of today's exploits can bypass its mitigations.
Windows 10, meanwhile, offers Control Flow Guard and other protections native to the operating system that can respond to advanced attacks in a way that the EMET add-on could not.
msm1267 writes: A researcher has disclosed an Exchange Server weakness, in which Outlook Web Access and Exchange Web Services are exposed on the same webserver and port, a configuration that allows an attacker to bypass two-factor authentication on OWA.
Beau Bullock of Black Hills Information Security said that Exchange Web Services isn't covered by two-factor authentication, and an attacker can take advantage of this situation to access an organization's email services, contacts, calendar information and more.
Microsoft, Bullock believes, may not be able to fix this without re-architecting the service. Any mitigations may also break thick clients such as Outlook for Mac that require Exchange Web Services to access Exchange Servers.
Researchers at Flashpoint dismissed numerous claims of responsibility that separately linked the attack to the Russian government, WikiLeaks or the New World Hackers group. Instead, the threat intelligence company said with “moderate confidence” that the attacks are linked to the Hackforums community. Hackforums is an English-speaking hacking forum and the place where the source code for the Mirai malware was publicly released by a hacker known as Anna-Senpai.
Director of National Intelligence James Clapper said today as well that it’s likely the attack was not carried out by nation-state actors during testimony at the Council on Foreign Relations.
“That appears to be preliminarily the case,” Clapper was quoted in The Hill. “But I wouldn’t want to be conclusively definitive about that, specifically whether a nation state may have been behind that or not.”
Flashpoint hinges its conclusion on a number of factors, starting with public release of the Mirai source code. Mirai scans the Internet for IoT devices such as those used in the attack on Dyn, Krebs on Security and French webhost OVH. The malware uses 60 known weak and default credentials on the IP-enabled cameras, DVRs and home networking gear to access the devices before corralling them into giant botnets used to DDoS targets. Since the source code was made public, the number of bots compromised by the malware has more than doubled, Level 3 Communications, a Colorado telco and ISP, said.
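Because Mirai's only way in is a dictionary of factory credentials, a device owner or ISP can spot both the sweep and a successful takeover from ordinary login logs. The Go program below is an added example, not code from Flashpoint, Level 3 or the Mirai source: it parses a constructed log format (`src=`, `user=`, `pass=`, `result=`), tracks per-source attempts that use a small constructed set of weak defaults, and reports a source when it either cycles through several distinct defaults (a scanner) or logs in with one (a device that is now at risk). The log lines, addresses and credential set are invented for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// weakDefaults is a small constructed set of factory credentials of the kind
// IoT scanners try. A real deployment would load the vendor list it cares about.
var weakDefaults = map[string]bool{
	"admin:admin": true, "admin:password": true, "root:root": true,
	"root:12345": true, "support:support": true, "user:user": true,
}

// sampleLog is a constructed excerpt in a made-up gateway log format.
const sampleLog = `2016-10-22T03:14:07Z src=198.51.100.7 user=root pass=root result=fail
2016-10-22T03:14:08Z src=198.51.100.7 user=admin pass=admin result=fail
2016-10-22T03:14:09Z src=198.51.100.7 user=admin pass=password result=fail
2016-10-22T03:14:10Z src=198.51.100.7 user=support pass=support result=fail
2016-10-22T03:15:02Z src=192.0.2.5 user=alice pass=correct-horse result=fail
2016-10-22T03:15:03Z src=192.0.2.5 user=alice pass=battery-staple result=ok
2016-10-22T03:16:44Z src=203.0.113.9 user=root pass=12345 result=ok`

type Event struct{ Time, Src, User, Pass, Result string }

var lineRe = regexp.MustCompile(`^(\S+) src=(\S+) user=(\S*) pass=(\S*) result=(ok|fail)$`)

// parseLine returns false for lines that do not match the expected format,
// so malformed or unrelated lines are skipped rather than miscounted.
func parseLine(s string) (Event, bool) {
	m := lineRe.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return Event{}, false
	}
	return Event{m[1], m[2], m[3], m[4], m[5]}, true
}

// Finding summarises one suspicious source address.
type Finding struct {
	Src          string
	DefaultTries int      // distinct weak-default pairs attempted
	Succeeded    []string // weak-default pairs that actually logged in
}

// Analyze flags a source when it tried at least `threshold` distinct default
// pairs, or when any default pair succeeded. Only default pairs are counted,
// so a legitimate user mistyping a real password is not reported.
func Analyze(logText string, threshold int) []Finding {
	tried := map[string]map[string]bool{}
	succeeded := map[string][]string{}
	for _, line := range strings.Split(logText, "\n") {
		ev, ok := parseLine(line)
		if !ok {
			continue
		}
		pair := ev.User + ":" + ev.Pass
		if !weakDefaults[pair] {
			continue
		}
		if tried[ev.Src] == nil {
			tried[ev.Src] = map[string]bool{}
		}
		tried[ev.Src][pair] = true
		if ev.Result == "ok" {
			succeeded[ev.Src] = append(succeeded[ev.Src], pair)
		}
	}
	var out []Finding
	for src, pairs := range tried {
		if len(pairs) >= threshold || len(succeeded[src]) > 0 {
			out = append(out, Finding{src, len(pairs), succeeded[src]})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src < out[j].Src })
	return out
}

func main() {
	for _, f := range Analyze(sampleLog, 3) {
		fmt.Printf("%-14s default attempts=%d succeeded=%v\n", f.Src, f.DefaultTries, f.Succeeded)
	}
}
```

The "succeeded" case is the one worth paging on: it means a device on the network still has a factory password and has most likely just been enrolled in a botnet, so the remediation is to change the credential and check the device for persistence before it is used in the next flood.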
msm1267 writes: A nine-year-old Linux vulnerability that affects most of the major distributions has been recently used in public attacks. The flaw, nicknamed Dirty Cow because it lives in the copy-on-write (COW) feature in Linux, is worrisome because it can give a local attacker root privileges.
While the Linux kernel was patched on Wednesday, the major distributions are preparing patches. Red Hat, for example, told Threatpost that it has a temporary mitigation available through the kpatch dynamic kernel patching service that customers can receive through their support contact.
Dirty Cow is a privilege escalation vulnerability in copy-on-write, CVE-2016-5195. A race condition exists that allows local users to gain write-access to read-only memory and elevate their privileges to root.
Exploits were discovered recently by researcher Phil Oester, who published an informational website on the bug that includes links to details on the flaw and a proof-of-concept exploit.
Oester said the bug has been in the kernel since version 2.6.22, released in 2007. “This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set,” Oester said on his website.
msm1267 writes: A leftover factory debugger in Android firmware made by Taiwanese electronics manufacturer Foxconn can be flipped into a backdoor by an attacker with physical access to a device.
The situation is a dream for law enforcement or a forensics outfit wishing to gain root access to a targeted device. Android researcher Jon Sawyer on Wednesday publicly disclosed the situation, which he’s called Pork Explosion as a swipe at what he calls overhyped and branded vulnerabilities.
“As a physical threat, it’s bad; game over,” Sawyer said. “It’s easy to do and you get complete code execution on the device, even if it’s encrypted or locked down. It’s exactly what a forensics company or law enforcement officials would love to have.”
The backdoor was found in a bootloader built by Foxconn, Sawyer said. Foxconn builds phones and some low level software for firmware. Two vendors’ devices have been impacted so far—InFocus’ M810 and Nextbit’s Robin phones—but Sawyer cautioned that there are likely more.