Android

Submission + - T-Mobile Security Flaw Allowed Eavesdropping of Wi-Fi Calls, Texts (securityweek.com)

wiredmikey writes: A vulnerability discovered by researchers at UC Berkeley enabled attackers to eavesdrop on and modify calls and text messages sent using T-Mobile's "Wi-Fi Calling" feature.

According to Jethro Beekman and Christopher Thompson, both UC Berkeley graduate students, when an affected Android device connected to a server via T-Mobile's Wi-Fi Calling feature, it did not correctly validate the server's security certificate, exposing calls and text messages to a "man-in-the-middle" (MiTM) attack.

In short, by executing a MiTM attack, and using decrypted SIP (Session Initiation Protocol) dialog, an attacker could record all incoming and outgoing calls and text messages. “[An attacker] could record, block and reroute SIP traffic. The attacker could change it by faking a sender or changing the real-time voice data or message content. He could fake incoming traffic and he can impersonate the client with forged outgoing traffic,” the report, released Tuesday, said.

Beekman and Thompson said they notified T-Mobile of their discoveries in December 2012, and worked with the mobile operator to confirm and fix the problem. As of March 18, all affected T-Mobile customers have received the security update fixing the vulnerability, the researchers said.

This is not the first time TLS/SSL issues have come to the forefront of the mobile world. Last October, researchers from two universities in Germany published a paper (PDF) that exposed the state of SSL within Android applications, which revealed that many applications failed to properly implement SSL, leaving millions of users exposed to basic Man-In-The-Middle attacks.

Security

Submission + - Apple Hit In Malware Attack, Releasing Updated Malware Removal Tool (securityweek.com)

wiredmikey writes: Apple on Tuesday acknowledged that Mac OS X computers at the Cupertino, California-based company were attacked and infected with malware. The attack is assumed to be the same one Facebook acknowledged on Friday that it fell victim to, which used a zero-day exploit taking advantage of a flaw in Java.

Last week, Facebook said that hackers appeared to be targeting developers and technology firms based on a website that was "booby-trapped" with malicious code. As it turns out, Apple was included in the victim list, and in a rare occurrence, acknowledged that hackers had hit its systems with some level of success.

"Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers,” an Apple spokesperson told SecurityWeek.

While attackers managed to penetrate Apple’s systems and infect a limited number with malware, the tech giant said there is no evidence that data was taken. Apple also said that it would release a software utility later today to protect users from malware used in the attacks. “To protect Mac users that have installed Java, today we are releasing an updated Java malware removal tool that will check Mac systems and remove this malware if found."

Networking

Submission + - UPnP Security Flaws Put Millions of Devices at Risk (securityweek.com)

wiredmikey writes: Security researchers from Rapid7 have uncovered that roughly 40-50 million network-enabled devices are at risk due to vulnerabilities in the Universal Plug and Play (UPnP) protocol.

Universal Plug and Play (UPnP) is a set of networking protocols that allows communication between computers and network-enabled devices. It is enabled by default on millions of devices, from routers to printers to IP cameras and network storage servers. UPnP support is also enabled by default on Microsoft Windows, Mac OS X and many distributions of Linux.

In its research, Rapid7 declares (PDF) that the UPnP protocol "suffers from a number of basic security problems" ranging from a lack of authentication implemented by device manufacturers to privileged common programming flaws that plague common UPnP software implementations. These issues, the report notes, are endemic across UPnP-enabled applications and network devices.

According to Rapid7's HD Moore, the two most commonly used UPnP software libraries both contained remotely exploitable vulnerabilities. "In the case of the Portable UPnP SDK, over 23 million IPs are vulnerable to remote code execution through a single UDP packet," Moore noted. "All told, we were able to identify over 6,900 product versions that were vulnerable through UPnP. This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the internet, a serious vulnerability in and of itself."

Moore suggested organizations take immediate action to identify and disable any Internet-exposed UPnP endpoints in their environments.

Java

Submission + - Oracle to Java Community: "We Have to Fix Java" (securityweek.com)

wiredmikey writes: Oracle's approach to Java security has been under heavy scrutiny of late, with some in the security community renewing calls for enterprises to disable Java due to the number of vulnerabilities and its popularity with exploit writers.

In a public acknowledgement of these concerns, Oracle's Milton Smith, head of Java security, held a conference call with members of the Java user community.

"The plan for Java security is really simple," he said. "It's to get Java fixed up number one, and then number two, to communicate our efforts widely. We really can't have one without the other."

Earlier this month, Oracle shipped a Java update to address reports of a zero-day bug being targeted by attackers. However, the situation took a turn for the worse when it was discovered by security researchers that the update contained additional vulnerabilities and failed to address the underlying issue being exploited by attackers.

According to Smith, Oracle also plans to improve efforts to communicate with the Java community about security. "No amount of talking or smoothing over is going to make anybody happy or do anything for us," he said. "We have to fix Java."

Encryption

Submission + - GitHub Search Exposes Encryption Keys, Passwords In Code (securityweek.com)

wiredmikey writes: GitHub's new internal search has made it easy to uncover passwords, encryption keys, and other security missteps in software development projects that are hosted on the site. GitHub announced its internal search on Jan. 23, which lets users search for any string through public and private repositories they have access to.

Some users discovered yet another way to use the search tool: finding files containing private encryption keys and source code with login credentials. Scarily enough, there were thousands of them.

Searching on id_rsa, a file which contains the private key for SSH logins, returned over 600 results. Other developers had hardcoded passwords for privileged user accounts, such as root, sa, and admin.

"With a simple script or tool, external hackers or malicious insiders can quickly discover these lost keys and use them to gain access to critical information assets," Jason Thompson, director of global marketing, SSH Communications Security said. "If the key grants a high level of administrative access, such as root, the potential threat to the business grows exponentially."

To be clear, GitHub is not at fault, since the company is just a hosting service. It just stores whatever files the developer wants to save. The search engine is not accidentally leaking confidential information. The data was already saved on GitHub, it is just making it easier for someone to find these mistakes.

Developers should note that GitHub has a Help page on how to make sure sensitive data is not saved to the repository.

Open Source

Submission + - Researcher Discloses New Batch of MySQL Vulnerabilities (securityweek.com)

wiredmikey writes: Over the weekend, a security researcher disclosed seven security vulnerabilities related to MySQL. Of the flaws disclosed, CVE assignments have been issued for five of them. The Red Hat Security Team has opened tracking reports, and according to comments on the Full Disclosure mailing list, Oracle is aware of the zero-days, but has not yet commented on them directly.

Researchers who have tested the vulnerabilities themselves state that all of them require that the system administrator failed to properly set up the MySQL server, or the firewall installed in front of it. Yet, they admit that the disclosures are legitimate, and they need to be fixed. One disclosure included details of a user privilege elevation vulnerability, which if exploited could allow an attacker with file permissions the ability to elevate its permissions to that of the MySQL admin user.

Given that MySQL is mission critical in many environments, the vulnerabilities are worth examining, especially given that the disclosures were published with working proof-of-concept scripts.

Security

Submission + - Adobe Revoking Code Signing Certificate Used To Sign Malware (securityweek.com)

wiredmikey writes: Adobe said Thursday that it will be revoking a code signing certificate next week after discovering two pieces of malware that had been digitally signed with Adobe's credentials. Two malicious utilities, pwdump7 v7.1 and myGeeksmail.dll, both came from the same source and were signed with valid Adobe digital certificates, Adobe's Brad Arkin said. Adobe plans to revoke the impacted certificate on Oct. 4. After initial investigation, the company identified a compromised build server which had been used to access the code signing infrastructure, Brad Arkin wrote in a blog post. The build server did not have rights to any public key infrastructure functions other than the ability to issue requests to the signing service and did not have access to any Adobe products such as Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR, Arkin said. According to Adobe, most customers won't notice anything out of the ordinary during the certificate revocation process, but some IT administrators may have to take some actions in response.

Security

Submission + - Shamoon Malware Likely From Amateur, Not Elite Developers (securityweek.com)

wiredmikey writes: The Disttrack/Shamoon malware, while destructive, appears to be the work of amateurs and not elite and sophisticated developers, according to the latest analysis.

The malware proved that it was possible for developers to subvert legitimate kernel-mode applications for malicious purposes, but it appears that the malware could have been even more destructive and dangerous, if it had not been for a series of programming mistakes in the code, according to recent analysis from Kaspersky Lab.

Other suggestions that the developers behind the Shamoon malware are not high-profile programmers include the fact that the command-and-control server is hard-coded as two addresses, which limits the tool since if the address ever changes, the infected machine can no longer receive instructions.

The developers were most likely motivated by political reasons, as the malware overwrote existing files with a fragment of an image of a burning American flag. The malware has also been reported to be linked to the recent Saudi Aramco attack, in which, some reports have suggested, insiders may have been partly involved. Saudi Aramco hasn't officially said what type of malware hit its systems.

Java

Submission + - New Java Exploit Spotted in the Wild (securityweek.com)

wiredmikey writes: Security researchers have discovered a new zero-day Java vulnerability being targeted in the wild.

According to FireEye, the exploit was found on a server in China, and if it successfully attacks a given endpoint, the payload that is delivered is hosted on the same server. They were able to successfully exploit a test machine against the latest version of Firefox with JRE version 1.7 update 6 installed.

On Monday, the Metasploit Exploit team at Rapid7 said they had developed a working exploit that they say enables a successful attack against a fully patched Windows 7 SP1 with Java 7 Update 6.

Once again, it’s wise to remove Java if it isn’t absolutely needed in your environment. Most home users have little need for the software these days, and most experts agree the risk outweighs the reward when it comes to installing it. If you must have Java installed, be sure to be relentless about patching Java with the latest security updates.

Security

Submission + - Georgia Tech Launches "Titan" Threat Intelligence System (securityweek.com)

wiredmikey writes: A new malware intelligence system developed at Georgia Tech Research Institute is helping organizations share threat intelligence and work together to understand malware and cyber attacks. Dubbed Titan, the system lets members submit threat data and collaborate on malware analysis and classification. Unlike some other systems, members contribute data anonymously so no one would know which specific organizations had been affected by a specific attack. Titan users also get reports on malware samples they have submitted, such as the potential harm, the likely source, the best remedy, and the risks posed by the sample. The analysis is based on what GTRI researchers learn by reverse-engineering the malware. The project currently analyzes and classifies an average of 100,000 pieces of malicious code each day and growing. While other information sharing initiatives have been launched, many are by vendors, which sometimes sparks concern that the vendor may have some bias, and may be pushing a certain product. Not the case with Titan.

Microsoft

Submission + - Microsoft Releases Attack Surface Analyzer Tool (securityweek.com)

wiredmikey writes: Microsoft has released the public version of Attack Surface Analyzer, a tool designed to help software developers and independent software vendors assess the attack surface of an application or software platform. The tool was pushed out of beta with Version 1.0 released on Thursday.

Since ASA doesn't require the original source code, managers and executives can also use the tool to determine how a new application or software being considered would affect the organization's overall security before deploying it.

The tool takes snapshots of the system before and after an application was installed, and compares them to identify changes made when new applications were installed. A stand-alone wizard guides users through the scanning and analysis process and a command-line version is available for use with automated tools.

Attack Surface Analyzer 1.0 can be downloaded from Microsoft here.

Software

Submission + - Crowd Sourced Malware Reverse Engineering Platform Launched (securityweek.com)

wiredmikey writes: Security startup CrowdStrike has launched CrowdRE, a free platform that allows security researchers and analysts to collaborate on malware reverse engineering. CrowdRE is adapting the collaborative model common in the developer world to make it possible to reverse engineer malicious code more quickly and efficiently.

Collaborative reverse engineering can take two approaches, where all the analysts are working at the same time and sharing all the information instantly, or in a distributed manner, where different people work on different sections and share the results. This means multiple people can work on different parts simultaneously and the results can be combined to gain a full picture of the malware.

Google is planning to add CrowdRE integration to BinNavi, a graph-based reverse engineering tool for malware analysis, and the plan is to integrate with other similar tools. Linux and Mac OS support is expected soon, as well.

Microsoft

Submission + - Flame Malware Hijacks Windows Update (securityweek.com)

wiredmikey writes: As more research unfolds about the recently discovered Flame malware, researchers have found three modules – named Snack, Gadget and Munch – that are used to launch what is essentially a man-in-the-middle attack against other computers on a network. As a result, Kaspersky researchers say when a machine attempts to connect to Microsoft’s Windows Update, it redirects the connection through an infected machine and it sends a fake malicious Windows Update to the client. That is courtesy of a rogue Microsoft certificate that chains to the Microsoft Root Authority and improperly allows code signing.

According to Symantec, the Snack module sniffs NetBIOS requests on the local network. NetBIOS name resolution allows computers to find each other on a local network via peer-to-peer, opening up an avenue for spoofing.

The findings have prompted Microsoft to say that it plans to harden Windows Update against attacks in the future, though the company did not immediately reveal details as to how.

China

Submission + - Microsoft Drops Chinese Firm From Active Protections Program (securityweek.com)

wiredmikey writes: DPTech Technologies, a security vendor in China, has been removed from Microsoft’s Active Protections Program (MAPP) for leaking proof-of-concept (PoC) code shared with them during the creation of the MS12-020 security bulletin. The leak violated the NDA they had signed with Microsoft, resulting in their expulsion from the program.

In March, Microsoft issued a patch in order to correct a flaw within Remote Desktop Protocol (RDP) (MS12-020). The patch was ranked as critical by the software giant, and security experts predicted that exploit code for the RDP flaw would arrive sooner rather than later. As it turns out, proof of concept code appeared within hours of the patch’s release, and Microsoft was indirectly responsible for the PoC code’s appearance.

When the PoC itself arrived on the Web, the researcher who discovered the vulnerability in the first place (Luigi Auriemma) recognized his own code within the source. Given that he turned his work over to ZDI, and ZDI quickly denied leaking the code, that left Microsoft as the only likely source. This was later confirmed when elements of the PoC contained markers used by MSRC. Thus, the security industry quickly came to the realization that someone within MAPP committed a serious breach of trust.

On Thursday, Microsoft called them out by name as the ones responsible for disclosure of the confidential data.
