Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

Apple's "warrant canary" disappears, suggesting new Patriot Act demands

Trailrunner7 Not accurate (3 comments)

This isn't accurate. The language just changed. It now says, "To date, Apple has not received any orders for bulk data." Read the graf on National Security Orders: https://www.apple.com/privacy/...

about a month ago
top

End of Windows XP Support Era Signals Beginning of Security Nightmare

Trailrunner7 Chord?? (646 comments)

"cuts the chord"? Are they dissecting sheet music now? Cripes.

more than 2 years ago
top

US Inadvertently Enabled Chinese Google Hackers

Trailrunner7 Olllddd (103 comments)

This is a month old, and Schneier has since backed off this assertion.

more than 4 years ago
top

Microsoft's Risky Tablet Announcement

Trailrunner7 Re:I don't understand... (338 comments)

How exactly can Microsoft be responding to an event that hasn't taken place yet (the Apple tablet announcement)? Is that "pre-sponding"?

more than 4 years ago
top

Spafford: Cybersecurity Czar Job is Useless

Trailrunner7 part of the story (2 comments)

It's also worth having a look at the blog posts that Spafford has written on this topic in the last few months. There's more background and context in there and some excellent reasoning on why this position is built to fail. http://www.cerias.purdue.edu/site/blog/

more than 4 years ago
top

Spammer Lance Atkinson Fined $16 Million

Trailrunner7 Re:Damn moronic 'anti-spam' laws. (100 comments)

According to the original documentation, 'In early 2008, a security company identified one botnet -- which it dubbed "Mega-D" -- that sent sparn promoting Affking's VPXL and King Replica products as the worst botnet in the world, accounting for 32% of all spam.'

The Mega-D botnet consisted at least 264,784 computers.

That's 264,784 UNAUTHORIZED COMPUTER ACCESS FELONIES.

Why the FUCK are we 'fining' someone who committed at least 264,784 felonies? We invade goddamn countries and charge people with war crimes for that level of criminality!

Anti-spam laws are nonsense. Forget the damn anti-spam laws. Lock them up for the felonies they're committing. Extradition would be a lot easier, too. (Of course, we could just find a few hundred IPs this guy hijacked in Australia, turn them over, and have him locked up there his entire life, instead.)

The laws are completely useless and always have been. They were passed to make consumers think that government is doing something. But the extradition and prosecution is a lot harder than it sounds, even when the criminal is in a friendly country like Australia. It takes forever and costs a lot of money, so the law enforcement agencies pass.

more than 4 years ago
top

The Root of the Botnet Epidemic

Trailrunner7 Bad isn't the word for it (2 comments)

I think people sort of lose focus on how bad this threat is. The scope of it is ridiculous. There are tens of millions of bot-infected machines out there, and I'd bet that 99% of the owners have no idea they're infected and wouldn't know what to do about it if they did. The bad guys are way ahead of the good guys on this and it's not clear when or how it will get better.

more than 4 years ago
top

TCP DoS Flaw Finally Patched by Microsoft, Cisco

Trailrunner7 Re:Closed source in a nutshell (3 comments)

I'm sure they do possess that knowledge, but that's got nothing to do with this. Microsoft, Cisco and all of the other vendors have the same, or higher, level of skill on their staffs but they other priorities, too. It's not a simple fix and didn't involve just one version of one product.

more than 5 years ago
top

Hackers send malware-infected CDs to credit unions

Trailrunner7 Re:If they really wanted it to work... (2 comments)

Excellent point. And that wouldn't be difficult to accomplish either, with a little money slipped to someone at the NCUA or something.

more than 5 years ago
top

Many sites use silent Flash cookies to track users

Trailrunner7 not Adobe's problem (2 comments)

I see this as the sites' failing, not a problem for Adobe to fix. It's their fault for not telling users what they're doing and how.

more than 5 years ago
top

New Linux kernel flaw allows null pointer exploits

Trailrunner7 Re:Other versions? (6 comments)

Right now it looks like just that version, but it won't be long I'd bet before others are testing it against older releases.

more than 5 years ago
top

Facebook Violates Canadian Privacy Law

Trailrunner7 Re:Draconian Laws (179 comments)

wait wait wait. They have computers in Canada?

more than 5 years ago
top

New Mac OS X rootkit to be revealed at Black Hat

Trailrunner7 Re:Oh noes! Macs can be attacked? (7 comments)

May not be many Macs in enterprises, but there are millions of them in homes, and they're just as valuable as bots as any windows box. And owning any box gets you access to banking passwords, whatever else.

more than 5 years ago
top

Hackers Find Remote iPhone Crack

Trailrunner7 Re:Misleading Title/Summary (114 comments)

Exactly. And this was on 2.0, and 3.0 is out already. Nothing to see here.

more than 5 years ago
top

US Plans To Bulldoze 50 Shrinking Cities

Trailrunner7 Re:Suggestion: (806 comments)

Are nominations still open? DC, B'more and Orlando should be at the top of the list. Maybe Dallas too.

more than 5 years ago
top

New attack exploits virtually all intranets, VPNs

Trailrunner7 Thanks IETF!! (1 comments)

I think this is similar to a problem that networking people have been dealing with for like 15 years. The main problem is in the RFC, which was written before there were hundreds of millions of machines on the interwebs.

more than 5 years ago
top

Schneier Says We Don't Need a Cybersecurity Czar

Trailrunner7 Re:Makes sense (173 comments)

That's exactly it. The czar concept in general is flawed, even in departments or industries that have a clear mission and control of that mission. Neither is true in cyber security. We don't need another figurehead creating the illusion of action.

more than 5 years ago
top

Snow Leopard security not good enough

Trailrunner7 Apple doesn't care security (2 comments)

Apple has clearly shown it's not interested in security. If it were, it wouldn't wait and release 49 patches at once or only include portions of ASLR in OS X.

more than 5 years ago

Submissions

top

Schmidt Says Attack on Google Prompted Encryption Changes

Trailrunner7 Trailrunner7 writes  |  about two weeks ago

Trailrunner7 (1100399) writes "Eric Schmidt, executive chairman of Google, said that the changes to Android's encryption model, which have angered law enforcement officials, should have come as no surprise to law enforcement and government agencies, given the events of the last couple of years.

“The people who are criticizing this should’ve expected this. After Google was attacked by the British version of the NSA we were annoyed to no end,” Schmidt said. “We put in encryption end to end, at rest and in transit. Law enforcement has many many ways to get this information without doing this.”

After the details of Apple’s and Google’s encryption changes became public, some in the law enforcement community have suggested that the companies should include a backdoor in their devices. Both Sen. Ron Wyden and Schmidt dismissed this suggestion out of hand.

“U.S. companies shouldn’t be forced to build backdoors into their products,” Wyden said."
top

Twitter Sues DoJ Over Restrictions on National Security Letter Data

Trailrunner7 Trailrunner7 writes  |  about two weeks ago

Trailrunner7 (1100399) writes "Twitter has filed a lawsuit in federal court asking that the United States Department of Justice’s prohibitions on publishing the number and kind of government requests for data the company receives be declared unconstitutional. The suit claims that the rules infringe on Twitter’s right to free speech by requiring that the company “engage in speech that has been preapproved by government officials or else to refrain from speaking altogether.”

The move by Twitter is the first public shot across the bow of the FBI and Justice Department on this issue. Many companies, including Google, Microsoft, Apple and others, have been pressing the government for the ability to publish detailed information about the scope of the requests they receive for user data. The government so far has said that companies can publish only broad ranges of numbers about the volume of National Security Letters they receive, which only gives a vague picture of the situation.

"Twitter’s ability to respond to government statements about national security surveillance activities and to discuss the actual surveillance of Twitter users is being unconstitutionally restricted by statutes that prohibit and even criminalize a service provider’s disclosure of the number of national security letters (“NSLs”) and court orders issued pursuant to FISA that it has received, if any," the suit says."
top

DARPA Working on 'Unhackable' Embedded Software

Trailrunner7 Trailrunner7 writes  |  about three weeks ago

Trailrunner7 (1100399) writes "DARPA is the birthplace of the network that eventually became today’s Internet, and the agency has spent the decades since it released that baby out into the world trying to find new ways defend it. That task has grown ever more complex and difficult, and now DARPA is working on a new kind of software that is provably secure for specific properties.

Arati Prabhakar, the director of DARPA, said that the agency, which performs advanced research and development for the United States military and government, has been working on the software in the hopes that it can run on some embedded systems. The software isn’t meant as a general purpose operating system for servers or desktops, but Prabhakar said that the agency believes it has plenty of applications.

“Unfortunately there’s not going to be a silver bullet. There are pieces of this we think can become tractable. One of our programs is working on software that’s unhackabale for specific security properties,” said Prabhakar, who was speaking at the Washington Post Cybersecurity Summit on Wednesday. “We’re working on a mathematical proof that the software can’t be hacked from the outside. It’s for embedded systems with a modest number of lines of code.”"
top

Google to Pay Researchers Extra Cash for Exploits

Trailrunner7 Trailrunner7 writes  |  about three weeks ago

Trailrunner7 (1100399) writes "Google is again increasing the amount of money it offers to researchers who report vulnerabilities in Chrome as part of the company’s bug bounty program. Now, researchers will be able to earn $15,000 at the high end of the scale, and Google also is offering more cash for researchers who can submit a working exploit for their vulnerability submission.

The range for Google’s vulnerability reward program is now $500-$15,000, and there are a number of factors that go into the company’s decision on what to pay a researcher for a submission. Much of it has to do with the severity of the vulnerability and the likelihood that it will affect a large number of users.

“We’ll pay at the higher end of the range when researchers can provide an exploit to demonstrate a specific attack path against our users. Researchers now have an option to submit the vulnerability first and follow up with an exploit later," Google's Tim Willis said."
top

FBI Plans to Open Up Malware Analysis Tool to Outside Researchers

Trailrunner7 Trailrunner7 writes  |  about three weeks ago

Trailrunner7 (1100399) writes "The FBI has developed an internal malware-analysis tool, somewhat akin to the systems used by antimalware companies, and plans to open the system up to external security researchers, academics and others.

The system is known as Malware Investigator and is designed to allow FBI agents and other authorized law enforcement users to upload suspicious files. Once a file is uploaded, the system runs it through a cluster of antimalware engines, somewhat akin to the way that Virus Total handles submissions, and returns a wide variety of information about the file. Users can see what the detection rate is among AV engines, network connection attempts, whether the file has been seen by the system before, destination and source IP addresses and what protocols it uses.

Right now, Malware Investigator is able to analyze Windows executables, PDFs and other common file types. But Burns said that the bureau is hoping to expand the portal’s reach in the near future.

“We are going to be doing dynamic analysis of Android files, with an eye toward other operating systems and executables soon,” he said."
top

Google Funds New Group to Improve Usability of Open Source Security Tools

Trailrunner7 Trailrunner7 writes  |  about a month ago

Trailrunner7 (1100399) writes "The dramatic revelations of large-scale government surveillance and deep penetration of the Internet by intelligence services and other adversaries have increased the interest of the general public in tools such as encryption software, anonymity services and others that previously were mainly of interest to technophiles and activists. But many of those tools are difficult to use and present major challenges for users, so to help improve the usability of these applications, Google, Dropbox and others are supporting a new project called Simply Secure.

The project is focused on making open-source security and privacy tools easier to use and to remove some of the pain of using crypto packages, off-the-record messaging and other tools that protect users online. The organization’s activities will center on bringing developers of open source security tools together with usability researchers and experts to help solve the difficult problems the developers face. Many open source projects are run by volunteers who don’t have the time or resources to tackle these issues on their own."
top

NSA Director Says Agency is Still Trying to Figure Out Cyber Operations

Trailrunner7 Trailrunner7 writes  |  about a month ago

Trailrunner7 (1100399) writes "In a keynote speech at a security conference in Washington Tuesday, new NSA Director Mike Rogers emphasized a need to establish behavioral norms for cyber war.

“We’re still trying to work our way through distinguishing the difference between criminal hacking and an act of war,” said Rogers. “If this was easy, we would have figured it out years ago. We have a broad consensus about what constitutes an act of war, what’s an act of defense.”

Rogers went on to explain that we need to better establish standardized terminology and standardized norms like those that exist in the realm of nuclear deterrence. Unfortunately, unlike in traditional national defense, we can not assume that the government will be able to completely protect us against cyber-threats because the threat ecosystem is just too broad."
top

Major Android Flaw Lets Attackers Bypass Same Origin Policy

Trailrunner7 Trailrunner7 writes  |  about a month ago

Trailrunner7 (1100399) writes "There’s a serious vulnerability in pre-4.4 versions of Android that allows an attacker to read the contents of other tabs in a browser when a user visits a page the attacker controls. The flaw is present in a huge percentage of the Android devices in use right now, and there’s now a Metasploit module available to exploit the vulnerability.

The vulnerability was first disclosed in late August, but there has not been much in the way of public discussion of it. Exploiting the flaw is a straightforward matter and allows the attacker to bypass the same-origin policy in the Android browser.

  “What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attackers site while you had your webmail open in another window — the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.”"
top

Research Finds No Large-Scale Exploits of Heartbleed Before Disclosure

Trailrunner7 Trailrunner7 writes  |  about a month and a half ago

Trailrunner7 (1100399) writes "In the days and weeks following the public disclosure of the OpenSSL Heartbleed vulnerability in April, security researchers and others wondered aloud whether there were some organizations–perhaps the NSA–that had known about the bug for some time and had been using it for targeted attacks. A definitive answer to that question may never come, but traffic data collected by researchers on several large networks shows no large-scale exploit attempts in the months leading up to the public disclosure.

“For all four networks, over these time periods our detector found no evidence of any exploit attempt up through April 7, 2014. This provides strong evidence that at least for those time periods, no attacker with prior knowledge of Heartbleed conducted widespread scanning looking for vulnerable servers. Such scanning however could have occurred during other time periods.”

That result also doesn’t rule out the possibility that an attacker or attackers may have been doing targeted reconnaissance on specific servers or networks. The researchers also conducted similar monitoring of the four networks, and noticed that the first attempted exploits occurred within 24 hours of the OpenSSL disclosure."
top

Twitter Launches Bug Bounty Program

Trailrunner7 Trailrunner7 writes  |  about a month and a half ago

Trailrunner7 (1100399) writes "Twitter is the latest major Internet company to establish a bug bounty program, and has put no upper limit on the bounty that a researcher can earn for reporting a vulnerability.

The company announced on Wednesday that it will operate its bounty program through the HackerOne platform, a bug bounty system that enables vendors to access a pool of hundreds of researchers who perform authorized research against a company’s products. HackerOne is used by a number of prominent companies, including Square, Yahoo and CloudFlare and also is the platform that supports the Internet Bug Bounty.

Twitter’s bug bounty program will pay researchers for finding vulnerabilities in its main Web site and the Twitter apps for iOS and Android. The types of vulnerabilities that are in scope for the program include XSS, CSRF, remote code execution, unauthorized access to private tweets or direct messages.

- See more at: http://threatpost.com/twitter-..."
top

Mozilla to Support Key Pinning in Firefox 32

Trailrunner7 Trailrunner7 writes  |  about 2 months ago

Trailrunner7 (1100399) writes "Mozilla is planning to add support for public-key pinning in its Firefox browser in an upcoming version. In version 32, which would be the next stable version of the browser, Firefox will have key pins for a long list of sites, including many of Mozilla’s own sites, all of the sites pinned in Google Chrome and several Twitter sites.

Public-key pinning has emerged as an important defense against a variety of attacks, especially man-in-the-middle attacks and the issuance of fraudulent certificates. In the last few years Google, Mozilla and other organizations have discovered several cases of attackers using fraudulent certificates for high-value sites, including Gmail. The function essentially ties a public key, or set of keys, issued by known-good certificate authorities to a given domain. So if a user’s browser encounters a site that’s presenting a certificate that isn’t included in the set of pinned public keys for that domain, it will then reject the connection. The idea is to prevent attackers from using fake certificates in order to intercept secure traffic between a user and the target site.

The first pinset will include all of the sites in the Chromium pinset used by Chrome, along with Mozilla sites and high-value sites such as Facebook. Later versions will add pins for Twitter, a long list of Google domains, Tor, Dropbox and other major sites."
top

Google Fixes Critical Sandbox Escape Flaw in Chrome

Trailrunner7 Trailrunner7 writes  |  about 2 months ago

Trailrunner7 (1100399) writes "Google has fixed 50 security vulnerabilities in its Chrome browser, including a critical string of bugs that can allow an attacker to execute arbitrary code outside of the browser’s sandbox.

This is one of the larger batches of fixes that Google has produced for Chrome recently. The company releases frequent updates for the browser and often will push out a new version with only a handful of security patches. But Chrome 37 includes 50 patches, a huge number by any measure. The most notable vulnerability patched in this version is actually a combo platter of several flaws that can be used to escape the Chrome sandbox and gain remote code execution.

The group of vulnerabilities earned the security researcher who reported them a $30,000 bug bounty from Google, one of the higher rewards that the company has given to a researcher outside of its Pwnium competitions. Google’s bug bounties typically fall into the $1,000-$5,000 range, but the company’ security team sometimes will award significantly higher rewards to researchers who report especially critical or creative bugs."
top

New Cridex Malware Copies Tactics From GameOver Zeus

Trailrunner7 Trailrunner7 writes  |  about 2 months ago

Trailrunner7 (1100399) writes "The GameOver Zeus malware had a nice run for itself, making untold millions of dollars for its creators. But it was a run that ended with a multi-continent operation from law enforcement and security researchers to disassemble the infrastructure. Now researchers have identified a new variant of the Cridex malware that has adopted some of the techniques that made GOZ so successful in its day.

Researchers at IBM’s X-Force research team have seen a new version of Cridex, which is also known as Bugat and Feodo, using some of the same techniques that GOZ used to such good effect. Specifically, the new strain of malware has adopted GOZ’s penchant for using HTML injections, and the researchers say the technique is nearly identical to the way that GOZ handled it.

“There are two possible explanations for this. First, someone from the GOZ group could have moved to the Bugat team. This would not be the first time something like this has happened, which we’ve witnessed in other cases involving Zeus and Citadel; however, it is not very likely in this case since Bugat and GOZ are essentially competitors, while Zeus and Citadel are closely related. The second and more likely explanation is that the Bugat team could have analyzed and perhaps reversed the GOZ malware before copying the HTML injections that made GOZ so highly profitable for its operators,” Etay Maor, a senior fraud prevention strategist at IBM, wrote in an analysis of the new malware."
top

Inside the CryptoLocker Takedown

Trailrunner7 Trailrunner7 writes  |  about 2 months ago

Trailrunner7 (1100399) writes "The takedown of the GameOver Zeus malware operation in June got more than its share of attention, but it was the concurrent demolition of the CryptoLocker ransomware infrastructure that may prove to have been the most important part of the operation. That outcome was the culmination of months of behind the scenes work by dozens of security researchers who cooperated with law enforcement to trace, monitor and ultimately wreck the careful work and planning of the CryptoLocker crew.

“This was something new. This was ransomware done right,” said John Bambenek, president of Bambenek Consulting, who was involved in the working group that tracked CryptoLocker and talked about the operation at the Black Hat USA conference here Thursday. “It made for a good case study on how to do threat intelligence.”

The working group that came together to defeat CryptoLocker was global and had people with all kinds of different skill sets: malware reverse engineering, math, botnet tracking and intelligence. Some members worked on taking part the domain-generation algorithm while others looked at the command-and-control infrastructure and still others broke down the malware itself. What the researchers began to notice as they dug deeper into the CryptoLocker operation was that the crew behind the ransomware had done a lot of things right, but had also exhibited some oddly inconsistent behaviors."
top

In the Wake of Snowden's Revelations, A Wave of Innovation

Trailrunner7 Trailrunner7 writes  |  about 2 months ago

Trailrunner7 (1100399) writes "It was an absurd scene. Keith Alexander, the director of the NSA and a four-star general in the Army, stood alone on the stage, squinting through the floodlights as members of the standing-room-only crowd shouted insults and accusations. Armed men in dark suits roamed the area in front of the stage, eyeing the restless crowd. Nearby, a man sat with a carton of eggs at his feet, waiting for a chance to let fly.

There were loud calls for Alexander’s resignation throughout the summer, and previous whistleblowers, security experts and some lawmakers said that there was a clear need for reform at Fort Meade. Critics said the agency had taken the expanded powers granted it after 9/11 and run with them. Concurrent advancements in technology gave the NSA a deep bag of tricks for conducting offensive operations and as the details of the TAO toy catalog and other capabilities emerged, the anger and outrage in the security and privacy communities festered. Something had to be done. Things needed to change. And then, oddly enough, things began to change.

As the implications of the NSA’s deep penetration of the Internet began to sink in, small groups of smart technologists and engineers began looking for ways to help users secure their communications. Some of the folks from Silent Circle started a new venture, Blackphone, to produce secure, surveillance-resistant phones for consumer use. Another group of executives from Silent Circle, along with Ladar Levison, the founder of Lavabit, established the Dark Mail Alliance to create a new secure email service. And just last week, Moxie Marlinspike’s Open Whisper Systems released Signal, a new iPhone app that provides secure, encrypted phone calls for free.

There’s no way of knowing whether all of these technologies and changes would’ve come to pass without the Snowden leaks; some of them almost certainly would have. Google was on the path to encrypting its data center links, and Yahoo would likely have followed suit eventually. But there’s no question that the leaked documents, the avalanche of news stories and the massive backlash that followed contributed to the innovation that has followed."
top

Critical Android FakeID Bug Allows Apps to Impersonate Trusted Apps

Trailrunner7 Trailrunner7 writes  |  about 3 months ago

Trailrunner7 (1100399) writes "There is a critical vulnerability in millions of Android devices that allows a malicious app to impersonate a trusted application in a transparent way, enabling an attacker to take a number of actions, including inserting malicious code into a legitimate app or even take complete control of an affected device.

The vulnerability is a result of the way that Android handles certificate validation and it’s present in all versions of Android from 2.1 to 4.4, known as Kit Kat. Researchers at Bluebox Security, who identified the vulnerability, said that in some cases, attackers can exploit the vulnerability to gain full access to a target device. Specifically, devices that run the 3LM administration extension are at risk for a complete compromise. This includes devices from HTC, Pantech, Sharp, Sony Ericsson, and Motorola.

Android apps are signed using digital certificates that establish the identity of the developer and the vulnerability Bluebox discovered is that the Android app installer doesn’t try to authenticate the certificate chain of a given app. That means an attacker can create an app with a fake identity and impersonate an app with extensive privileges, such as an Adobe plug-in or Google Wallet. In the case of the Adobe impersonation, the malicious app would have the ability to escape the sandbox and run malicious code inside another app, the researchers said.

“You could use any app distribution mechanism, whether it’s a link in SMS or a legitimate app store. Look at other Android malware. You do it whatever it takes for the user to say, Yeah I want that app,” Bluebox CTO Jeff Forristal said. “It’s certainly severe. It’s completely stealth and transparent to the user and it’s absolutely the stuff that malware is made of. It operates extremely consistently, so in that regard it’s going to be extremely attractive to malware.”"
top

Flaw in TAILS Privacy OS is in Its I2P Component

Trailrunner7 Trailrunner7 writes  |  about 3 months ago

Trailrunner7 (1100399) writes "The critical vulnerability in the TAILS operating system discovered by researchers at Exodus Intelligence lies in the I2P software that’s bundled with the OS and the company has released some details and a video demonstrating an exploit against the bug. Exodus researchers said that the vulnerability can be used for remote code execution as well as de-anonymization of targeted users on TAILS.

I2P is an anonymity network, somewhat analogous to Tor, that encrypts all of its communications from end to end and enables private and anonymous use of the Internet and resources such as email, chat and Web browsing. Unlike Tor, however, I2P is a packet switched network, rather than a circuit switched one, and the communications its users send and receive are message-based. Each I2P node has an identical level of importance in the network and there are no central servers routing traffic.

Exodus researchers said that the flaw they discovered is present in TAILS for several versions, meaning its effect could be quite widespread.

“The vulnerability we will be disclosing is specific to I2P. I2P currently boasts about 30,000 active peers. Since I2P has been bundled with Tails since version 0.7, Tails is by far the most widely adopted I2P usage. The I2P vulnerability works on default, fully patched installation of Tails. No settings or configurations need to be changed for the exploit to work,” the Exodus team wrote in a post explaining a bit about the flaw."
top

Researcher Finds Hidden Data-Dumping Services in iOS

Trailrunner7 Trailrunner7 writes  |  about 3 months ago

Trailrunner7 (1100399) writes "There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and remove large amounts of users’ personal data. Several of these features began as benign services but have evolved in recent years to become powerful tools for acquiring user data.

Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition and found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called mobile file_relay, can be accessed remotely or through a USB connection can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or law enforcement, Zdziarski said.

Zdziarski discussed his findings in a talk at the HOPE X conference recently and published the slides and paper, as well. The file_relay service has been in iOS for some time and originally was benign, but Zdziarski said that in recent versions it has turned into a tool that can dump loads of user data on command. The file_relay tool can dump a list of the email and social media accounts, the address book, the user cache folder, which contains screenshots, offline content, copy/paste data, keyboard typing cache and other personal data. The tool can also provide a log of periodic location snapshots from the device."
top

New Critroni Crypto Ransomware is First to Use Tor for Command and Control

Trailrunner7 Trailrunner7 writes  |  about 3 months ago

Trailrunner7 (1100399) writes "There’s a new kid on the crypto ransomware block, known as Critroni, that’s been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features and researchers say it’s the first crypto ransomware seen using the Tor network for command and control.

The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims’ machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim’s PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files.

“It uses C2 hidden in the Tor network. Previously we haven’t seen cryptomalware having C2 in Tor. Only banking trojans,” said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat. “Executable code for establishing Tor connection is embedded in the malware’s body. Previously the malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware’s body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general.”"
top

Panel Finds NIST Relied Too Much on NSA in Dual EC Debacle

Trailrunner7 Trailrunner7 writes  |  about 3 months ago

Trailrunner7 (1100399) writes "A group of outside experts found that the process that led to the inclusion of the weakened Dual EC_DRBG random number generator in a NIST standard was flawed and there were several failures along the way that led to its approval. The committee also recommended that the National Institute of Standards and Technology increase the number of cryptographers it employs and also that it take steps to clarify and define its relationship with the NSA.

The report from the Visiting Committee on Advanced Technology’s Committee of Visitors, released Monday, found that NIST was overly reliant on the input and expertise of NSA cryptographers and that the organization should have paid more attention to outside criticisms of the algorithm.

“The reconstruction of events showed that the issues with the DRBG had been identified several times – formally and informally – during the standards development process, and that they had been discussed and addressed at the time. NIST now concludes, however, that the steps taken to address the issues were less effective than they should have been, and that the team failed to take actions that, in the light of hindsight, clearly should have been taken. The root causes of the failure were identified as trust in the technical expertise provided by NSA, excessive reliance on an insular community that was somewhat impervious to external feedback, group dynamics within the standards development team, and informal recordkeeping over the course of a multi- year development process,” Ellen Richey, one of the committee members and executive vice president and chief enterprise risk officer at Visa, wrote in her recommendations in the report."

Journals

Trailrunner7 has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?