Comments


End of Windows XP Support Era Signals Beginning of Security Nightmare

Trailrunner7 Chord?? (646 comments)

"cuts the chord"? Are they dissecting sheet music now? Cripes.

more than 2 years ago

US Inadvertently Enabled Chinese Google Hackers

Trailrunner7 Olllddd (103 comments)

This is a month old, and Schneier has since backed off this assertion.

more than 4 years ago

Microsoft's Risky Tablet Announcement

Trailrunner7 Re:I don't understand... (338 comments)

How exactly can Microsoft be responding to an event that hasn't taken place yet (the Apple tablet announcement)? Is that "pre-sponding"?

more than 4 years ago

Spafford: Cybersecurity Czar Job is Useless

Trailrunner7 part of the story (2 comments)

It's also worth having a look at the blog posts that Spafford has written on this topic in the last few months. There's more background and context in there and some excellent reasoning on why this position is built to fail. http://www.cerias.purdue.edu/site/blog/

more than 4 years ago

Spammer Lance Atkinson Fined $16 Million

Trailrunner7 Re:Damn moronic 'anti-spam' laws. (100 comments)

According to the original documentation, 'In early 2008, a security company identified one botnet -- which it dubbed "Mega-D" -- that sent spam promoting Affking's VPXL and King Replica products as the worst botnet in the world, accounting for 32% of all spam.'

The Mega-D botnet consisted of at least 264,784 computers.

That's 264,784 UNAUTHORIZED COMPUTER ACCESS FELONIES.

Why the FUCK are we 'fining' someone who committed at least 264,784 felonies? We invade goddamn countries and charge people with war crimes for that level of criminality!

Anti-spam laws are nonsense. Forget the damn anti-spam laws. Lock them up for the felonies they're committing. Extradition would be a lot easier, too. (Of course, we could just find a few hundred IPs this guy hijacked in Australia, turn them over, and have him locked up there his entire life, instead.)

The laws are completely useless and always have been. They were passed to make consumers think that government is doing something. But the extradition and prosecution is a lot harder than it sounds, even when the criminal is in a friendly country like Australia. It takes forever and costs a lot of money, so the law enforcement agencies pass.

more than 4 years ago

The Root of the Botnet Epidemic

Trailrunner7 Bad isn't the word for it (2 comments)

I think people sort of lose focus on how bad this threat is. The scope of it is ridiculous. There are tens of millions of bot-infected machines out there, and I'd bet that 99% of the owners have no idea they're infected and wouldn't know what to do about it if they did. The bad guys are way ahead of the good guys on this and it's not clear when or how it will get better.

more than 4 years ago

TCP DoS Flaw Finally Patched by Microsoft, Cisco

Trailrunner7 Re:Closed source in a nutshell (3 comments)

I'm sure they do possess that knowledge, but that's got nothing to do with this. Microsoft, Cisco and all of the other vendors have the same, or higher, level of skill on their staffs but they have other priorities, too. It's not a simple fix and didn't involve just one version of one product.

more than 4 years ago

Hackers send malware-infected CDs to credit unions

Trailrunner7 Re:If they really wanted it to work... (2 comments)

Excellent point. And that wouldn't be difficult to accomplish either, with a little money slipped to someone at the NCUA or something.

more than 4 years ago

Many sites use silent Flash cookies to track users

Trailrunner7 not Adobe's problem (2 comments)

I see this as the sites' failing, not a problem for Adobe to fix. It's their fault for not telling users what they're doing and how.

about 5 years ago

New Linux kernel flaw allows null pointer exploits

Trailrunner7 Re:Other versions? (6 comments)

Right now it looks like just that version, but it won't be long I'd bet before others are testing it against older releases.

more than 5 years ago

Facebook Violates Canadian Privacy Law

Trailrunner7 Re:Draconian Laws (179 comments)

wait wait wait. They have computers in Canada?

more than 5 years ago

New Mac OS X rootkit to be revealed at Black Hat

Trailrunner7 Re:Oh noes! Macs can be attacked? (7 comments)

May not be many Macs in enterprises, but there are millions of them in homes, and they're just as valuable as bots as any Windows box. And owning any box gets you access to banking passwords, whatever else.

more than 5 years ago

Hackers Find Remote iPhone Crack

Trailrunner7 Re:Misleading Title/Summary (114 comments)

Exactly. And this was on 2.0, and 3.0 is out already. Nothing to see here.

more than 5 years ago

US Plans To Bulldoze 50 Shrinking Cities

Trailrunner7 Re:Suggestion: (806 comments)

Are nominations still open? DC, B'more and Orlando should be at the top of the list. Maybe Dallas too.

more than 5 years ago

New attack exploits virtually all intranets, VPNs

Trailrunner7 Thanks IETF!! (1 comments)

I think this is similar to a problem that networking people have been dealing with for like 15 years. The main problem is in the RFC, which was written before there were hundreds of millions of machines on the interwebs.

more than 5 years ago

Schneier Says We Don't Need a Cybersecurity Czar

Trailrunner7 Re:Makes sense (173 comments)

That's exactly it. The czar concept in general is flawed, even in departments or industries that have a clear mission and control of that mission. Neither is true in cyber security. We don't need another figurehead creating the illusion of action.

more than 5 years ago

Snow Leopard security not good enough

Trailrunner7 Apple doesn't care security (2 comments)

Apple has clearly shown it's not interested in security. If it were, it wouldn't wait and release 49 patches at once or only include portions of ASLR in OS X.

more than 5 years ago

Schneier: We don't need a cybersecurity czar

Trailrunner7 Re:Cybersecurity czar != better security (3 comments)

None of these czars has gotten us anywhere in any other industry either. Consumer, car, health care, Russia...

more than 5 years ago

Submissions


New Cridex Malware Copies Tactics From GameOver Zeus

Trailrunner7 Trailrunner7 writes  |  about a week ago

Trailrunner7 (1100399) writes "The GameOver Zeus malware had a nice run for itself, making untold millions of dollars for its creators. But it was a run that ended with a multi-continent operation from law enforcement and security researchers to disassemble the infrastructure. Now researchers have identified a new variant of the Cridex malware that has adopted some of the techniques that made GOZ so successful in its day.

Researchers at IBM’s X-Force research team have seen a new version of Cridex, which is also known as Bugat and Feodo, using some of the same techniques that GOZ used to such good effect. Specifically, the new strain of malware has adopted GOZ’s penchant for using HTML injections, and the researchers say the technique is nearly identical to the way that GOZ handled it.

“There are two possible explanations for this. First, someone from the GOZ group could have moved to the Bugat team. This would not be the first time something like this has happened, which we’ve witnessed in other cases involving Zeus and Citadel; however, it is not very likely in this case since Bugat and GOZ are essentially competitors, while Zeus and Citadel are closely related. The second and more likely explanation is that the Bugat team could have analyzed and perhaps reversed the GOZ malware before copying the HTML injections that made GOZ so highly profitable for its operators,” Etay Maor, a senior fraud prevention strategist at IBM, wrote in an analysis of the new malware."

Inside the CryptoLocker Takedown

Trailrunner7 Trailrunner7 writes  |  about two weeks ago

Trailrunner7 (1100399) writes "The takedown of the GameOver Zeus malware operation in June got more than its share of attention, but it was the concurrent demolition of the CryptoLocker ransomware infrastructure that may prove to have been the most important part of the operation. That outcome was the culmination of months of behind the scenes work by dozens of security researchers who cooperated with law enforcement to trace, monitor and ultimately wreck the careful work and planning of the CryptoLocker crew.

“This was something new. This was ransomware done right,” said John Bambenek, president of Bambenek Consulting, who was involved in the working group that tracked CryptoLocker and talked about the operation at the Black Hat USA conference here Thursday. “It made for a good case study on how to do threat intelligence.”

The working group that came together to defeat CryptoLocker was global and had people with all kinds of different skill sets: malware reverse engineering, math, botnet tracking and intelligence. Some members worked on taking apart the domain-generation algorithm while others looked at the command-and-control infrastructure and still others broke down the malware itself. What the researchers began to notice as they dug deeper into the CryptoLocker operation was that the crew behind the ransomware had done a lot of things right, but had also exhibited some oddly inconsistent behaviors."

In the Wake of Snowden's Revelations, A Wave of Innovation

Trailrunner7 Trailrunner7 writes  |  about two weeks ago

Trailrunner7 (1100399) writes "It was an absurd scene. Keith Alexander, the director of the NSA and a four-star general in the Army, stood alone on the stage, squinting through the floodlights as members of the standing-room-only crowd shouted insults and accusations. Armed men in dark suits roamed the area in front of the stage, eyeing the restless crowd. Nearby, a man sat with a carton of eggs at his feet, waiting for a chance to let fly.

There were loud calls for Alexander’s resignation throughout the summer, and previous whistleblowers, security experts and some lawmakers said that there was a clear need for reform at Fort Meade. Critics said the agency had taken the expanded powers granted it after 9/11 and run with them. Concurrent advancements in technology gave the NSA a deep bag of tricks for conducting offensive operations and as the details of the TAO toy catalog and other capabilities emerged, the anger and outrage in the security and privacy communities festered. Something had to be done. Things needed to change. And then, oddly enough, things began to change.

As the implications of the NSA’s deep penetration of the Internet began to sink in, small groups of smart technologists and engineers began looking for ways to help users secure their communications. Some of the folks from Silent Circle started a new venture, Blackphone, to produce secure, surveillance-resistant phones for consumer use. Another group of executives from Silent Circle, along with Ladar Levison, the founder of Lavabit, established the Dark Mail Alliance to create a new secure email service. And just last week, Moxie Marlinspike’s Open Whisper Systems released Signal, a new iPhone app that provides secure, encrypted phone calls for free.

There’s no way of knowing whether all of these technologies and changes would’ve come to pass without the Snowden leaks; some of them almost certainly would have. Google was on the path to encrypting its data center links, and Yahoo would likely have followed suit eventually. But there’s no question that the leaked documents, the avalanche of news stories and the massive backlash that followed contributed to the innovation that has followed."

Critical Android FakeID Bug Allows Apps to Impersonate Trusted Apps

Trailrunner7 Trailrunner7 writes  |  about three weeks ago

Trailrunner7 (1100399) writes "There is a critical vulnerability in millions of Android devices that allows a malicious app to impersonate a trusted application in a transparent way, enabling an attacker to take a number of actions, including inserting malicious code into a legitimate app or even take complete control of an affected device.

The vulnerability is a result of the way that Android handles certificate validation and it’s present in all versions of Android from 2.1 to 4.4, known as Kit Kat. Researchers at Bluebox Security, who identified the vulnerability, said that in some cases, attackers can exploit the vulnerability to gain full access to a target device. Specifically, devices that run the 3LM administration extension are at risk for a complete compromise. This includes devices from HTC, Pantech, Sharp, Sony Ericsson, and Motorola.

Android apps are signed using digital certificates that establish the identity of the developer and the vulnerability Bluebox discovered is that the Android app installer doesn’t try to authenticate the certificate chain of a given app. That means an attacker can create an app with a fake identity and impersonate an app with extensive privileges, such as an Adobe plug-in or Google Wallet. In the case of the Adobe impersonation, the malicious app would have the ability to escape the sandbox and run malicious code inside another app, the researchers said.

“You could use any app distribution mechanism, whether it’s a link in SMS or a legitimate app store. Look at other Android malware. You do whatever it takes for the user to say, Yeah I want that app,” Bluebox CTO Jeff Forristal said. “It’s certainly severe. It’s completely stealth and transparent to the user and it’s absolutely the stuff that malware is made of. It operates extremely consistently, so in that regard it’s going to be extremely attractive to malware.”"

Flaw in TAILS Privacy OS is in Its I2P Component

Trailrunner7 Trailrunner7 writes  |  about a month ago

Trailrunner7 (1100399) writes "The critical vulnerability in the TAILS operating system discovered by researchers at Exodus Intelligence lies in the I2P software that’s bundled with the OS and the company has released some details and a video demonstrating an exploit against the bug. Exodus researchers said that the vulnerability can be used for remote code execution as well as de-anonymization of targeted users on TAILS.

I2P is an anonymity network, somewhat analogous to Tor, that encrypts all of its communications from end to end and enables private and anonymous use of the Internet and resources such as email, chat and Web browsing. Unlike Tor, however, I2P is a packet switched network, rather than a circuit switched one, and the communications its users send and receive are message-based. Each I2P node has an identical level of importance in the network and there are no central servers routing traffic.

Exodus researchers said that the flaw they discovered is present in TAILS for several versions, meaning its effect could be quite widespread.

“The vulnerability we will be disclosing is specific to I2P. I2P currently boasts about 30,000 active peers. Since I2P has been bundled with Tails since version 0.7, Tails is by far the most widely adopted I2P usage. The I2P vulnerability works on a default, fully patched installation of Tails. No settings or configurations need to be changed for the exploit to work,” the Exodus team wrote in a post explaining a bit about the flaw."

Researcher Finds Hidden Data-Dumping Services in iOS

Trailrunner7 Trailrunner7 writes  |  about a month ago

Trailrunner7 (1100399) writes "There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and remove large amounts of users’ personal data. Several of these features began as benign services but have evolved in recent years to become powerful tools for acquiring user data.

Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition and found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called mobile file_relay, which can be accessed remotely or through a USB connection, can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or law enforcement, Zdziarski said.

Zdziarski discussed his findings in a talk at the HOPE X conference recently and published the slides and paper, as well. The file_relay service has been in iOS for some time and originally was benign, but Zdziarski said that in recent versions it has turned into a tool that can dump loads of user data on command. The file_relay tool can dump a list of the email and social media accounts, the address book, the user cache folder, which contains screenshots, offline content, copy/paste data, keyboard typing cache and other personal data. The tool can also provide a log of periodic location snapshots from the device."

New Critroni Crypto Ransomware is First to Use Tor for Command and Control

Trailrunner7 Trailrunner7 writes  |  about a month ago

Trailrunner7 (1100399) writes "There’s a new kid on the crypto ransomware block, known as Critroni, that’s been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features and researchers say it’s the first crypto ransomware seen using the Tor network for command and control.

The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims’ machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim’s PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files.

“It uses C2 hidden in the Tor network. Previously we haven’t seen cryptomalware having C2 in Tor. Only banking trojans,” said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat. “Executable code for establishing Tor connection is embedded in the malware’s body. Previously, in malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware’s body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general.”"

Panel Finds NIST Relied Too Much on NSA in Dual EC Debacle

Trailrunner7 Trailrunner7 writes  |  about a month ago

Trailrunner7 (1100399) writes "A group of outside experts found that the process that led to the inclusion of the weakened Dual_EC_DRBG random number generator in a NIST standard was flawed and there were several failures along the way that led to its approval. The committee also recommended that the National Institute of Standards and Technology increase the number of cryptographers it employs and also that it take steps to clarify and define its relationship with the NSA.

The report from the Visiting Committee on Advanced Technology’s Committee of Visitors, released Monday, found that NIST was overly reliant on the input and expertise of NSA cryptographers and that the organization should have paid more attention to outside criticisms of the algorithm.

“The reconstruction of events showed that the issues with the DRBG had been identified several times – formally and informally – during the standards development process, and that they had been discussed and addressed at the time. NIST now concludes, however, that the steps taken to address the issues were less effective than they should have been, and that the team failed to take actions that, in the light of hindsight, clearly should have been taken. The root causes of the failure were identified as trust in the technical expertise provided by NSA, excessive reliance on an insular community that was somewhat impervious to external feedback, group dynamics within the standards development team, and informal recordkeeping over the course of a multi-year development process,” Ellen Richey, one of the committee members and executive vice president and chief enterprise risk officer at Visa, wrote in her recommendations in the report."

Microsoft Settles with No-IP After Malware Takedown

Trailrunner7 Trailrunner7 writes  |  about a month and a half ago

Trailrunner7 (1100399) writes "It’s been a weird couple of weeks for Microsoft. On June 30 the company announced its latest malware takedown operation, which included a civil lawsuit against Vitalwerks, a small Nevada hosting provider, and the seizure of nearly two dozen domains the company owned. Now, 10 days later, Microsoft has not only returned all of the seized domains but also has reached a settlement with Vitalwerks that resolves the legal action.

Some in the security research community criticized Microsoft harshly for what they saw as heavy-handed tactics. Within a few days of the initial takedown and domain seizure Microsoft returned all of the domains to Vitalwerks, which does business as No-IP.com. On Wednesday, the software giant and the hosting provider released a joint statement saying that they had reached a settlement on the legal action.

“Microsoft has reviewed the evidence provided by Vitalwerks and enters into the settlement confident that Vitalwerks was not knowingly involved with the subdomains used to support malware. Those spreading the malware abused Vitalwerks’ services,” the companies said in a joint statement.

“Microsoft identified malware that had escaped Vitalwerks’ detection. Upon notification and review of the evidence, Vitalwerks took immediate corrective action allowing Microsoft to identify victims of this malware. The parties have agreed to permanently disable Vitalwerks subdomains used to control the malware.”"

Microsoft Malware Takedown Causes Waves in Security Community

Trailrunner7 Trailrunner7 writes  |  about 2 months ago

Trailrunner7 (1100399) writes "Microsoft’s latest takedown of a malware operation, announced Monday and involving the infrastructure of several malware families, has, like many of the company’s actions, elicited strong opinions on both sides of the issue from security researchers, activists and others with a stake in the game. This takedown didn’t involve simply hitting the C2 infrastructure of a botnet, but also includes legal action against a hosting company, No-IP.com, which has called out Microsoft for its tactics and raised a lot of questions in the security community, as well.

Microsoft officials said No-IP was a nest of malware activity, but officials at the hosting provider denied this and said Microsoft never even contacted them. Meanwhile, security researchers aren't too happy with Redmond's tactics either. Claudio Guarnieri, an independent botnet researcher, said Microsoft severely overstepped.

“Any other way would have been a better one. Microsoft is building legal precedents to be able to indiscriminately police the Internet at their own discretion. It is absolutely intolerable that Microsoft feels entitled to “take to task” another company and seize its assets, apparently without having explored all possible avenues as No-IP’s statement indicates. Microsoft’s DCU has been disrespectful and uncooperative in many of its recent operations and I’m sure the community will start protesting and refusing to work with them in the future,” he said.

“Whether No-IP was or was not cooperative is irrelevant (still consider that it’s a very small organization), the fact that Microsoft decided to “school” them and severely damage their business because they didn’t live up to Microsoft’s own standards is ludicrous.”"

FBI Issued 19,000 National Security Letters in 2013

Trailrunner7 Trailrunner7 writes  |  about 2 months ago

Trailrunner7 (1100399) writes "The United States federal government issued more than 19,000 National Security Letters–perhaps its most powerful tool for domestic intelligence collection–in 2013, and those NSLs contained more than 38,000 individual requests for information.

The new data was released by the Office of the Director of National Intelligence on Friday as part of its effort to comply with a directive from President Obama to declassify and release as much information as possible about a variety of tools that the government uses to collect intelligence. The directive came in the immediate aftermath of the first revelations by former NSA contractor Edward Snowden about the agency’s capabilities, methods and use of legal authorities.

The use of NSLs is far from new, dating back several decades. But their use was expanded greatly after 9/11 and NSLs are different from other tools in a number of ways, perhaps most importantly in the fact that recipients typically are prohibited from even disclosing the fact that they received an NSL. Successfully fighting an NSL is a rare thing, and privacy advocates have been after the government for years to release data on their use of the letters and the number of NSLs issued. Now, the ODNI is putting some of that information into the public record."

Mass. Supreme Court Says Defendant Can be Compelled to Decrypt Data

Trailrunner7 Trailrunner7 writes  |  about 2 months ago

Trailrunner7 (1100399) writes "Encryption software has been enjoying a prolonged day in the sun for about the last year. Thanks to the revelations of Edward Snowden about the NSA’s seemingly limitless capabilities, security experts have been pounding the drum about the importance of encrypting not just data in transit, but information stored on laptops, phones and portable drives. But the Massachusetts Supreme Judicial Court put a dent in that armor on Wednesday, ruling that a criminal defendant could be compelled to decrypt the contents of his laptops.

The case centers on a lawyer who was arrested in 2009 for allegedly participating in a mortgage fraud scheme. The defendant, Leon I. Gelfgatt, admitted to Massachusetts state police that he had done work with a company called Baylor Holdings and that he encrypted his communications and the hard drives of all of his computers. He said that he could decrypt the computers seized from his home, but refused to do so.

The MJSC, the highest court in Massachusetts, was considering the question of whether the act of entering the password to decrypt the contents of a computer was an act of self-incrimination, thereby violating Gelfgatt’s Fifth Amendment rights."

Bug Lets Attackers Bypass PayPal Two Factor Authentication

Trailrunner7 Trailrunner7 writes  |  about 2 months ago

Trailrunner7 (1100399) writes "There’s a vulnerability in the way that PayPal handles certain requests from mobile clients that can allow an attacker to bypass the two-factor authentication mechanism for the service and transfer money from a victim’s account to any recipient he chooses.

The flaw lies in the way that the PayPal authentication flow works with the service’s mobile apps for iOS and Android. It’s on the server side, and researchers at Duo Security developed a proof-of-concept app that can exploit the vulnerability. PayPal has been aware of the issue since March and has implemented a workaround, but isn’t planning a full patch until the end of July.

Using the app they built to exploit the vulnerability, the researchers were able to transfer money from a 2FA-protected account with just the username and password. In an interview, Lanier said there were any number of ways to accomplish that task, none of which is very complicated.

“There are plenty of cases of PayPal passwords being compromised in giant database dumps, and there’s also been a giant rise in PayPal related phishing,” he said. “That approach is already being used. People have long been and are continuing to do so. The whole two factor thing was supposed to make you feel all warm and fuzzy if your password is compromised. I’d probably use one of these techniques that are pretty darn efficient or maybe iterate through the public dumps of passwords.”"

Researchers Map HackingTeam Malware Servers, Reveal iOS, Android Modules

Trailrunner7 Trailrunner7 writes  |  about 2 months ago

Trailrunner7 (1100399) writes "Controversial spyware commercially developed by Italy’s HackingTeam and sold to governments and law enforcement for the purpose of surveillance, has a global command and control infrastructure and for the first time, security experts have insight into how its mobile malware components work.

Collaborating teams of researchers from Kaspersky Lab and Citizen Lab at the Munk School of Global Affairs at the University of Toronto today reported on their findings during an event in London. The breadth of the command infrastructure supporting HackingTeam’s Remote Control System (RCS) is extensive, with 326 servers outed in more than 40 countries; the report also provides the first details on the inner workings of the RCS mobile components for Apple iOS and Android devices.

The new modules provide governments and law enforcement officers with extensive monitoring capabilities over victims, including the ability to report on their location, steal data from their device, use the device’s microphone in real time, intercept voice and SMS messages sent via applications such as Skype, WhatsApp, Viber, and much more."

Hacker Puts Hosting Provider Code Spaces Out of Business

Trailrunner7 Trailrunner7 writes  |  about 2 months ago

Trailrunner7 (1100399) writes "Code Spaces, a code-hosting and software collaboration platform, has been put out of business by an attacker who deleted the company’s data and backups.

Officials wrote a lengthy explanation and apology on the company’s website, promising to spend its current resources helping customers recover whatever data may be left.

“Code Spaces will not be able to operate beyond this point, the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility,” read the note. “As such at this point in time we have no alternative but to cease trading and concentrate on supporting our affected customers in exporting any remaining data they have left with us.”

The beginning of the end was a DDoS attack initiated yesterday that was accompanied by an intrusion into Code Spaces’ Amazon EC2 control panel. Extortion demands were left for Code Spaces officials, along with a Hotmail address they were supposed to use to contact the attackers."

Dyreza Banker Trojan Can Bypass SSL, Two-Factor Authentication

Trailrunner7 Trailrunner7 writes  |  about 2 months ago

Trailrunner7 (1100399) writes "Banker Trojans have proven to be reliable and effective tools for attackers interested in quietly stealing large amounts of money from unwitting victims. Zeus, Carberp and many others have made piles of money for their creators and the attackers who use them, and researchers have been looking at a newer banker Trojan that has the ability to bypass SSL protection for banking sessions by redirecting traffic through the attackers’ own domains.

The Trojan, which is being called either Dyre or Dyreza by researchers, uses a technique known as browser hooking to intercept traffic flowing between the victim’s machine and the target Web site. The malware arrives in users’ inboxes through spam messages, many of which will look like messages from a financial institution. The list of targeted banks includes Bank of America, Natwest, Citibank, RBS and Ulsterbank. Researchers say that much of the activity from the Trojan so far is in the U.K.

“The traffic, when you browse the Internet, is being controlled by the attackers. They use a MiTM (Man in The Middle) approach and thus are able to read anything, even SSL traffic in clear text. This way they will also try to circumvent 2FA,” an analysis by Peter Kruse at CSIS says."

Austrian Teen at Heart of TweetDeck Mess Says it Was All a Mistake

Trailrunner7 writes | about 2 months ago

Trailrunner7 (1100399) writes "The last 24 hours have been a sad, scary and frustrating time for a 19-year-old aspiring programmer in Austria who found himself smack in the middle of Wednesday’s TweetDeck mess, all because of a Unicode heart.

Twitter’s real-time account dashboard was taken down for a brief time yesterday before a cross-site scripting vulnerability in the TweetDeck Chrome plug-in was properly addressed. But not before code exploiting the bug in a benign manner spread to Twitter users worldwide.

Ground zero for the incident was the Austrian teen who identified himself only as Florian to Threatpost. The youngster said things began yesterday when he tweeted out an HTML hearts symbol (&hearts) that was graphically displayed in the message.

“TweetDeck is not supposed to display this as an image, because it’s simple text, which should be escaped to ‘♥’,” he said.

“I didn’t know that there is such a big problem. So I experimented with this in a public environment, there was no reason not to do so,” Florian said. “And that was the point where I reported this to TweetDeck.

“TweetDeck actually did not react in any way,” Florian said. “Their next Tweet was saying that there is a security-issue and the users should log in again.”"

Auditors Release Verified Repositories of TrueCrypt

Trailrunner7 writes | about 2 months ago

Trailrunner7 (1100399) writes "As the uncertainty surrounding the end of TrueCrypt continues, members of the security community are working to preserve a known-good archive of the last version of the open source encryption software released before the developers inserted a warning about potential unfixed bugs in the software and ended development.

The message that the TrueCrypt developers posted about the security of the software also was included in the release of version 7.2a. The OCAP team decided to focus on version 7.1a and created the verified repository by comparing the SHA2 hashes with files found in other TrueCrypt repositories. So the files are the same as the ones that were distributed as 7.1a.

“These files were obtained last November in preparation for our audit, and match the hash reported by iSec in their official report from phase I of the audit,” said Kenn White, part of the team involved in the TrueCrypt audit."

New OpenSSL Man-in-the-Middle Flaw Affects All Clients

Trailrunner7 writes | about 3 months ago

Trailrunner7 (1100399) writes "There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software.

The new vulnerability could only be exploited to decrypt traffic between a vulnerable client and a vulnerable server, and the attacker would need to have a man-in-the-middle position on a network in order to do so. That’s not an insignificant set of conditions that must be present for a successful attack, but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought, gaining a MITM position is not an insurmountable hurdle.

Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998."

OpenSSL to Undergo Security Audit, Gets Cash for 2 Developers

Trailrunner7 writes | about 3 months ago

Trailrunner7 (1100399) writes "Scarcely a month after announcing the formation of a group designed to help fund open source projects, the Core Infrastructure Initiative has decided to provide the OpenSSL Project with enough money to hire two full-time developers and also will fund an audit of OpenSSL by the Open Crypto Audit Project.

The CII is backed by a who’s who of tech companies, including Google, Microsoft, IBM, the Linux Foundation, Facebook and Amazon, and the group added a number of new members this week, as well. Adobe, Bloomberg, HP, Huawei and Salesforce.com have joined the CII and will provide financial backing.

Now, the OCAP team, which includes Johns Hopkins professor and cryptographer Matthew Green, will have the money to fund an audit of OpenSSL, as well. OpenSSL took a major hit earlier this year with the revelation of the Heartbleed vulnerability, which sent the Internet into a panic, as the software runs on more than 60 percent of SSL-protected sites."

Journals

Trailrunner7 has no journal entries.
