
Submission + - Malware Counts Word Docs to Evade Detection (threatpost.com) 2

msm1267 writes: A new macro-based malware has been spotted that goes to novel lengths to avoid detection. Once a computer is compromised, the malware will count the number of Word documents stored on the local drive; if it's more than two, the malware executes. Otherwise, it figures it's landed in a virtual environment or is executing in a sandbox and stays dormant.

A typical test environment consists of a fresh Windows computer image loaded into a VM. The OS image usually lacks documents and other telltale signs of real world use.

If no Microsoft Word documents are found, the VBA macro's code execution terminates, shielding the malware from automated analysis and detection. Alternately, if more than two Word documents are found on the targeted system, the macro will download and install the malware payload.

Submission + - MySQL Zero Day Awaits Oracle Patch (threatpost.com)

msm1267 writes: A researcher has published details and a limited proof-of-concept exploit for a critical vulnerability in MySQL that has been patched by some vendors, but not yet by Oracle. The vulnerability allows an attacker to remotely or locally exploit a vulnerable MySQL database and execute arbitrary code, researcher Dawid Golunski of Legal Hackers said.

The flaw affects MySQL 5.7.15, 5.6.33 and 5.5.52. It has been patched in vendor deployments of MySQL in MariaDB and PerconaDB. Golunski said he reported the vulnerability to Oracle and other affected vendors on July 29. MariaDB and PerconaDB patched their versions of the database software before the end of August. Golunski said that since more than 40 days have passed and the two vendor fixes are public, he decided to disclose.

Submission + - Chrome to Begin Labeling HTTP Sites Insecure (threatpost.com)

msm1267 writes: Chrome users who navigate to some HTTP sites will be notified, starting in January, they’re on a site that isn’t secure.

Google said today the browser will begin explicitly labeling HTTP connections that feature either a password or credit card form as insecure. The company said the plan is its first step toward marking all HTTP sites as such, though it didn’t provide a timetable for the undertaking.

Google said the move will improve on the browser’s current iteration of a warning, which indicates HTTP connections with a neutral indicator. Eventually, Google plans to mark all HTTP pages as non-secure and use the same red triangle it currently uses for broken HTTPS sites.

Submission + - Android Patch Shuts Down Massive Bug (threatpost.com)

msm1267 writes: The Android ecosystem may have dodged another Stagefright-type of vulnerability.

Google’s monthly Android Security Bulletin released on Tuesday not only patched the remaining Quadrooter vulnerabilities, but also fixed another wide-ranging flaw that could allow an attacker to easily compromise—or at least brick—any Android device dating back to version 4.2.

The key to staving off another Stagefright is that yesterday’s patch features a complete overhaul of the offending jhead library, mitigating the possibility of recurring critical bugs, which, for example, continue to plague Mediaserver on an almost-monthly basis.

Tim Strazzere, director of mobile research at SentinelOne, found the vulnerability (CVE-2016-3862) and said it would require just a specially crafted jpeg file in order to exploit the issue.

Strazzere, admittedly not a proficient exploit writer, said he was able to cause his brand new Nexus 6P device to crash and reboot, and added that the bug could also likely be used by an advanced attacker to gain remote code execution on an Android device. This is especially true on older versions of Android where there are fewer exploit mitigations built into the operating system.

“This bug I found specifically is in a library that tries to read Exif data out of jpegs,” Strazzere said. “Any app using that library is affected by this.”

Submission + - Redis Hacks at Core of Attacks on Linux Servers (threatpost.com)

msm1267 writes: A recent run of attacks against Linux servers called Fairware has been traced to insecure Internet-facing Redis installations that hackers have abused to delete web folders and, in some cases, install malicious code.

Redis is an open source tool used by web application developers for the purpose of quickly caching data. The tool’s developers configure Redis to be accessed only by trusted clients inside trusted environments, and are adamant that Redis instances are not meant to be exposed to the Internet.

Researchers at Duo Labs, however, found 18,000 insecure Redis implementations online, and discovered evidence of attacks against 13,000.

The Fairware attacks, meanwhile, were reported in posts to the forums at BleepingComputer independently of Duo Labs’ research. In both cases, attackers were deleting web folders on the servers and leaving behind a link to a Pastebin site hosting a ransom note.

Comparisons between a number of the notes and other artifacts, such as IP addresses and SSH keys used by the attackers, are enough evidence to connect the attacks, researchers at Duo Labs and BleepingComputer said.

Submission + - New SWEET32 Crypto Attacks Speed Up Deprecation of 3DES, Blowfish (threatpost.com)

msm1267 writes: New attacks revealed today against 64-bit block ciphers push cryptographic ciphers such as Triple-DES (3DES) and Blowfish closer to extinction.

The attacks, known as SWEET32, allow for the recovery of authentication cookies from HTTPS traffic protected by 3DES, and BasicAUTH credentials from OpenVPN traffic protected by default by Blowfish.

In response, OpenSSL is expected tomorrow to remove 3DES from its default build in 1.1.0, and lower its designation from High to Medium in 1.0.2 and 1.0.1. OpenVPN, meanwhile, is expected to release a new version this week as well with a warning about Blowfish and new configuration advice protecting against the SWEET32 attacks.

The researchers behind SWEET32 said this is a practical attack because collisions begin after a relatively short amount of data is introduced. By luring a victim to a malicious site, the attacker can inject JavaScript into the browser that forces the victim to connect over and over to a site they're authenticated to. The attacker can then collect enough of that traffic--from a connection that is kept alive for a long period of time--to recover the session cookie.

Submission + - Windows UAC Bypass Permits Code Execution (threatpost.com)

msm1267 writes: A Windows UAC bypass has been publicly disclosed that not only bypasses the security feature meant to prevent unauthorized installs, but can be used to run code on compromised machines without leaving a trace on the hard disk.

The bypass relies on Event Viewer (eventvwr.exe), a native Windows feature used to view event logs locally or remotely. Researcher Matt Nelson said he figured out a way to use eventvwr to hijack a registry process, start PowerShell and execute commands on Windows machines; he collaborated with fellow researcher Matt Graeber on a proof-of-concept exploit, which was tested against Windows 7 and 10. A report published today by Nelson said it would work against any version of the OS that implements UAC.

An attacker would already need to be on the machine to use this technique, Nelson said. The attack allows an admin user to execute code in a high-integrity context without requiring the user to approve the administrative action via the UAC pop-up.

Microsoft, the researcher said, does not consider UAC bypasses a security boundary worthy of a bulletin and patch. It's unclear how Microsoft will address this issue.


Submission + - Bluetooth Hack Leaves Many Smart Locks, IoT Devices Vulnerable (threatpost.com)

msm1267 writes: A growing number of Bluetooth devices used for keyless entry and mobile point-of-sale systems are vulnerable to man-in-the-middle attacks.

The problem is traced back to devices that use the Bluetooth Low Energy (BLE) feature for access control. Researchers last week at Black Hat said too often companies do not correctly implement the bonding and encryption protections offered in the standard.

This shortcoming could allow attackers to clone BLE devices and gain unauthorized access to a physical asset when a smartphone is used as a device controller.

Submission + - Misuse of Language: 'Cyber' (threatpost.com)

msm1267 writes: The terms “cyber war” and “cyber weapon” are thrown around casually, often with little thought to their non-“cyber” analogs. Many who use the terms “cyber war” and “cyber weapon” relate these terms to “attack,” framing the conversation in terms of acceptable responses to “attack” (namely, “strike-back,” “hack-back,” or an extreme interpretation of the vague term “active defense”).

In this op-ed, information security experts Dave Dittrich and Katherine Carpenter discuss two problematic issues: first, we illustrate the misuse of the terms “cyber war” and “cyber weapon,” to raise awareness of the potential dangers that aggressive language brings to the public and the security community; and second, we address the reality that could exist when private citizens (and/or corporations) want to act aggressively against sovereign nations and the undesirable results those actions could produce.

Dittrich and Carpenter discuss these topics through the lens of the recent furor around the cyber incident at the Democratic National Committee.

Submission + - Advanced Espionage Hacking Platform on Par with Flame, Duqu (threatpost.com)

msm1267 writes: A state-sponsored APT platform on par with Equation, Flame and Duqu has been used since 2011 to spy on government agencies and other critical industries.

Known as ProjectSauron, or Strider, the platform has all the earmarks of advanced attackers who covet stealth, and rely on a mix of zero-day exploits and refined coding to exfiltrate sensitive data, even from air-gapped machines.

Researchers at Kaspersky Lab and Symantec today published separate reports on ProjectSauron, and said large-scale attacks have targeted government agencies, telecommunications firms, financial organizations, military and research centers in Russia, Iran, Rwanda, China, Sweden, Belgium and Italy. Campaigns were still active this year, said researchers at Kaspersky Lab.

While researchers still do not know how the attackers are infiltrating these critical networks, much of their activity on compromised networks has been uncovered.

The attack platform, for example, is a modular framework called Remsec that once deployed allows for lateral movement, data theft and the injection of more attack code. To complicate detection and attribution, the attackers customize artifacts used in campaigns to each target, making them less useful as indicators of compromise, Kaspersky Lab said.

Submission + - Apple Announces Bug Bounty At Black Hat (threatpost.com)

msm1267 writes: Apple closed out Black Hat today with a long-awaited announcement that next month it will launch a bug bounty.

The Apple Security Bounty will be an invitation-only program, open to two dozen researchers at the outset, said Ivan Krstic, head of security engineering and architecture. The maximum payout is $200,000 and five classes of bugs in iOS and iCloud are in scope.

Apple said the maximum reward will be $200,000 for vulnerabilities and proof-of-concept code in secure boot firmware components. It will also pay $100,000 for the extraction of confidential material protected by its Secure Enclave Processor, $50,000 for code execution flaws with kernel privileges or unauthorized access to iCloud account data on Apple servers, and $25,000 for access from a sandboxed process to user data outside that sandbox.

Submission + - Vulnerability Allows Hackers to Snoop on Wireless Keyboards (threatpost.com)

msm1267 writes: Wireless keyboards made by eight different companies suffer from a vulnerability that can allow attackers to eavesdrop on keystrokes from up to 250 feet away, researchers warned Tuesday.

If exploited, the vulnerability, dubbed KeySniffer, could let an attacker glean passwords, credit card numbers, security questions and answers – essentially anything typed on a keyboard, in clear text.

Keyboards manufactured by Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec are affected, according to Marc Newlin, a researcher with Bastille Networks who discovered the vulnerability.

Bastille gave the manufacturers of the keyboards 90 days to address the vulnerability, but most vendors failed to respond to their findings. Newlin said only Jasco Products, a company that manufactures the affected keyboard (GE 98614) for General Electric, responded and claimed it no longer manufactures wireless devices, like keyboards. As there doesn’t appear to be a way to actually fix the vulnerability, it’s likely the companies will eventually consider the devices end of life.

Submission + - Generic Ransomware Detection System Built for Windows (threatpost.com)

msm1267 writes: A team of researchers from the University of Florida and Villanova University have built a generic ransomware detection utility for Windows machines, one that focuses on how ransomware transforms data rather than the execution of malicious code.

Their utility is called CryptoDrop, and in a test against nearly 500 real-world ransomware samples from 14 distinct families, it detected 100 percent of attacks with relatively little file loss (a median loss of 10 files).

The tool is described in a paper called “CryptoLock (and Drop it): Stopping Ransomware Attacks on User Data,” written by Nolen Scaife, Patrick Traynor, Kevin R. B. Butler of the University of Florida, and Henry Carter of Villanova University.

“Our system (built only for Windows) is the first ransomware detection system that monitors user data for changes that may indicate transformation rather than attempting to identify ransomware by inspecting its execution (e.g., API call monitoring) or contents,” the researchers wrote. “This allows CryptoDrop to detect suspicious activity regardless of the delivery mechanism or previous benign activity."

Submission + - xDedic Resurfaces on Tor Domain (threatpost.com)

msm1267 writes: The defunct xDedic marketplace has resurfaced again, this time on a Tor network domain.

The marketplace provides a platform for the buying and selling of hacked servers. Its original open web domain, xdedic[.]biz, disappeared shortly after a June 16 Kaspersky Lab report on its activities, users and business.

The original market had upwards of 70,000 hacked servers for sale from more than 400 unique sellers. It's unknown how much inventory is being peddled on the new site, which was uncovered by researchers at Digital Shadows, who found a post on a Russian and French criminal forum pointing to a Tor domain as the new home of xDedic.

The new site has the same look and feel as the old one, but Digital Shadows said accounts had not transferred over, and that there is now a $50 USD enrollment fee to join the new market.
