The flaw was disclosed two days ago by the founder of secure backup company Opsmate, Andrew Ayer, who said the vulnerability was a “catastrophic failure of the PRNG.”
OpenBSD founder Theo de Raadt and developer Bob Beck, however, countered saying that the issue is “overblown” because Ayer’s test program is unrealistic. Ayer’s test program, when linked to LibreSSL and made two different calls to the PRNG, returned the exact same data both times.
“It is actually only a problem with the author’s contrived test program,” Beck said. “While it’s a real issue, it’s actually a fairly minor one, because real applications don’t work the way the author describes, both because the PID (process identification number) issue would be very difficult to have become a real issue in real software, and nobody writes real software with OpenSSL the way the author has set this test up in the article.”" Link to Original Source top
msm1267 (2804139) writes "The source code for Tinba, known as the smallest banker Trojan in circulation, has been posted on an underground forum. Researchers say that the files turned out to be the source code for version one of Tinba, which was identified in 2012, and is the original, privately sold version of the crimeware kit.
Tinba performs many of the same malicious functions as other banker Trojans, injecting itself into running processes on an infected machine, including the browser and explorer.exe. The malware is designed to steal financial information, including banking credentials and credit-card data and also makes each infected computer part of a botnet. Compromised machines communicate with command-and-control servers over encrypted channels. Tinba got its name from an abbreviation of “tiny banker”, and researchers say that it’s only about 20 KB in size." Link to Original Source top
HackingTeam Mobile Malware, Infrastructure Uncovered
msm1267 (2804139) writes "Controversial spyware commercially developed by Italy’s HackingTeam and sold to governments and law enforcement for the purpose of surveillance, has a global command and control infrastructure and for the first time, security experts have insight into how its mobile malware components work.
Collaborating teams of researchers from Kaspersky Lab and Citizen Lab at the Monk School of Global Affairs at the University of Toronto today reported on their findings during an event in London. The breadth of the command infrastructure supporting HackingTeam’s Remote Control System (RCS) is extensive, with 326 servers outed in more than 40 countries; the report also provides the first details on the inner workings of the RCS mobile components for Apple iOS and Android devices." Link to Original Source top
Microsoft Opens Preview of Interflow Information Sharing Platform
msm1267 (2804139) writes "Much like the Year of PKI that has never come to be, information sharing has been one of security’s more infamous non-starters. While successful in heavily siloed environments such as financial services, enterprises industry-wide are hesitant to share threat and security data for fear of losing a competitive edge or exposing further vulnerabilities.
Microsoft hopes the latest tweak to its Microsoft Active Protections Program (MAPP) will calm the waters a bit and engage companies and industries to share threat data in an effort to stem the effects of targeted and persistent attacks and speed up incident response recovery.
A private preview is scheduled to open this week for Microsoft Interflow, a distributed platform for information exchange that is built on open specifications such as the Structured Threat Information eXpression (STIX), the Trusted Automation eXchange of Indicator Information (TAXII), and the Cyber Observable eXpression standards (CybOX). Today’s announcement comes 11 months after Microsoft expanded MAPP, its vendor partner information-sharing program to include incident responders." Link to Original Source top
msm1267 (2804139) writes "Much has been written about the insecurity of the IPMI protocol present inside embedded baseboard management controllers (BMCs). Serious vulnerabilities can be exploited to gain remote control over big servers running BMCs, in particular in hosting environments where the controllers help admins with remote management of crucial industrial functions, for example. And despite alerts and warnings from prominent figures in computer security such as Dan Farmer and HD Moore, and patches from vendors, the news keeps getting worse.
The security incident response team for San Diego-based cloud-based hosting provider CARI.net yesterday disclosed that a file storing passwords in plain text is open over port 49152. Close to 32,000 vulnerable systems responded to a GET/PSBlock query on the Shodan search engine over port 49152; more than 9.8 million hosts responded in total.
“You can quite literally download the BMC password file from any UPnP enabled Supermicro motherboard running IPMI on a public interface,” said Zachary Wikholm, senior security engineer with CARI.net.
The PSBlock password file is found in a XML file stored inside a particular directory, Wikholm said, adding that he notified Supermicro of the issue in November to no avail. Wikholm said anything stored in the directory, including server.pem files, wsman admin passwords and netconfig files, are available." Link to Original Source top
Research Project Pays People to Download, Run Executables
The results toss a big bucket of cold water on long-standing security awareness training advice that urges people not to trust third-party downloads from unknown sources in order to guard the sanctity of their computer. A Hershey bar or a Kennedy half-dollar, apparently, sends people spiraling off course pretty rapidly and opens up a potential new malware distribution channel for hackers willing to compensate users.
The study was released recently in a paper called: “It’s All About The Benjamins: An empirical study on incentivizing users to ignore security advice.” While fewer than half of the people who viewed the task actually ran the benign executable when offered a penny to do so, the numbers jumped to 58 percent when offered 50 cents, and 64 percent when offered $1." Link to Original Source top
msm1267 (2804139) writes "A new banking Trojan has surfaced on hacker forums called Pandemiya. While the malware offers many of the same features criminals would find in Zeus, Citadel or Carberp, the malware is a completely new offering, a yearlong project, written from scratch featuring more than 25,000 lines of original C code." Link to Original Source top
IPMI Protocol Vulnerabilities Have Long Shelf Life
msm1267 (2804139) writes "If enterprises are indeed moving services off premises and into the cloud, there are four letters those companies’ IT organizations should be aware of: IPMI.
Short for Intelligent Platform Management Interface, these tiny computers live as an embedded Linux system attached to the motherboards of big servers from vendors such as IBM, Dell and HP. IPMI is used by a Baseboard Management Controller (BMC) to manage Out-of-Band communication, essentially giving admins remote control over servers and devices, including memory, networking capabilities and storage. This is particularly useful for hosting providers and cloud services providers who must manage gear and data in varied locations.
Noted researchers Dan Farmer, creator of the SATAN vulnerability scanner, and HD Moore, creator of Metasploit, have been collaborating on research into the vulnerabilities present in IPMI and BMCs and the picture keeps getting uglier. Last July, Farmer and Moore published some research on the issue based upon work Farmer was doing under a DARPA Cyber Fast Track Grant that uncovered a host of vulnerabilities, and Internet-wide scans for the IPMI protocol conducted by Moore.
Yesterday, Farmer released a paper called “Sold Down the River,” in which he chastises big hardware vendors for ignoring security vulnerabilities and poor configurations that are trivial to find and exploit." Link to Original Source top
msm1267 (2804139) writes "A cryptanalysis of TrueCrypt will proceed as planned, said organizers of the Open Crypto Audit Project who announced the technical leads of the second phase of the audit and that there will be a crowdsourcing aspect to phase two. The next phase of the audit, which will include an examination of everything including the random number generators, cipher suites, crypto protocols and more, could be wrapped up by the end of the summer." Link to Original Source top
Embedded Devices Leak Authentication Data Via SNMP
The data could be extracted by gaining access to the read-only public SNMP community string, which enables outside access to device information. While only vulnerabilities in three brands were disclosed today, a Shodan search turns up potentially hundreds of thousands of devices that are exposing SNMP to the Internet that could be equally vulnerable." Link to Original Source top
Facebook said it believes STARTTLS support has achieved “critical mass,” and backs that up with data that indicates 76 percent of unique MX (mail exchange) hostnames that receive email from Facebook, such as notifications, support the extension. Facebook said that 58 percent of its notification email messages were successfully encrypted and that certificate validation passed for about half of the encrypted email. The other half were opportunistically encrypted, Facebook said." Link to Original Source top
Decades-old RSA-based handshakes don’t cut it anymore, according to experts, who are anxious to put a modern protocol in place, one that can fend off an intense commitment from cybercriminals and intelligence agencies to snoop and steal data. The consensus is to support Diffie-Hellman Exchange or Elliptic Curve Diffie-Hellman Exchange, both of which support perfect forward secrecy, which experts are urging developers and standards-bearers to instill as a default encryption technology in new applications and build-outs." Link to Original Source top
msm1267 (2804139) writes "Microsoft announced it will release an out-of-band security update today to patch a zero-day vulnerability in Internet Explorer, and that the patch will also be made available for Windows XP machines through Automatic Update. At the same time, researchers said they are now seeing attacks specifically targeting XP users.
Microsoft no longer supports XP as of April 8, and that includes the development and availability of security updates. But the about-face today speaks to the seriousness of the vulnerability, which is being exploited in limited targeted attacks, Microsoft said.
Researchers at FireEye, meanwhile, said multiple attackers are now using the exploit against XP machines, prompting the inclusion of XP systems in the patch." Link to Original Source top
msm1267 (2804139) writes "DNS service provider UltraDNS dealt with a DDoS attack for most of yesterday. Parent company Neustar announced late yesterday that it had mitigated the attack for most of its customers, but Western U.S. customers were still down. Meanwhile, the SANS Institute received reports from UltraDNS customers that a 100 Gbps DDoS attack was causing latency issues." Link to Original Source top
msm1267 (2804139) writes "Apple has fixed a serious security flaw that’s present in many versions of both iOS and OSX and could allow an attacker to intercept data on SSL connections. The bug is one of many that the company fixed Tuesday in its two main operating systems, and several of the other vulnerabilities have serious consequences as well, including the ability to bypass memory protections and run arbitrary code.
The most severe of the vulnerabilities patched in iOS 7.1.1 and OSX Mountain Lion and Mavericks is an issue with the secure transport component of the operating systems. If an attacker was in a man-in-the-middle position on a user’s network, he might be able to intercept supposedly secure traffic or change the connection’s properties." Link to Original Source top
Tor Blacklisting Exit Nodes Vulnerable to Heartbleed
msm1267 (2804139) writes "The Tor Project has published a list of 380 exit relays vulnerable to the Heartbleed OpenSSL vulnerability that it will reject. This comes on the heels of news that researcher Collin Mulliner of Northeastern University in Boston found more than 1,000 vulnerable to Heartbleed where he was able to retrieve plaintext user traffic.
Mulliner said he used a random list of 5,000 Tor nodes from the Dan.me.uk website for his research; of the 1,045 vulnerable nodes he discovered, he recovered plaintext traffic that included Tor plaintext announcements, but a significant number of nodes leaked user traffic in the clear." Link to Original Source top
A report on the first phase of the audit was released today by iSEC Partners, which was contracted by the Open Crypto Audit Project (OCAP), a grassroots effort that not only conducted a successful fundraising effort to initiate the audit, but raised important questions about the integrity of the software.
The first phase of the audit focused on the TrueCrypt bootloader and Windows kernel driver; architecture and code reviews were performed, as well as penetration tests including fuzzing interfaces, said Kenneth White, senior security engineer at Social & Scientific Systems. The second phase of the audit will look at whether the various encryption cipher suites, random number generators and critical key algorithms have been implemented correctly." Link to Original Source top
One Billion Android Devices Open to Privilege Escalation
msm1267 (2804139) writes "The first deep look into the security of the Android patch installation process, specifically its Package Management Service (PMS), has revealed a weakness that puts potentially every Android device at risk for privilege escalation attacks.
Researchers from Indiana University and Microsoft published a paper that describes a new set of Android vulnerabilities they call Pileup flaws, and also introduces a new scanner called SecUP that detects malicious apps already on a device lying in wait for elevated privileges. The vulnerability occurs in the way PMS handles updates to the myriad flavors of Android in circulation today. The researchers say PMS improperly vets apps on lower versions of Android that request OS or app privileges that may not exist on the older Android version, but are granted automatically once the system is updated.
The researchers said they found a half-dozen different Pileup flaws within Android’s Package Management Service, and confirmed those vulnerabilities are present in all Android Open Source Project versions and more than 3,500 customized versions of Android developed by handset makers and carriers; more than one billion Android devices are likely impacted, they said." Link to Original Source top
Wide Gap Between Attackers, BIOS Forensics Research
msm1267 (2804139) writes "Advanced attackers who target BIOS and firmware with bootkits and other malware have a decided edge on security research and defense in this discipline. These attacks are dangerous because they enable persistence on a PC or server that is difficult to repair without bricking a machine. Researchers at MITRE and chip companies, however, are trying to reverse that trend with research into vulnerabilities in hardware and firmware as well as developing tools that help analyze problems present in BIOS." Link to Original Source top
msm1267 (2804139) writes "A presenter at this week’s CanSecWest security conference has withdrawn his scheduled talk for fear the information could be used to attack critical infrastructure worldwide. Eric Filiol, scientific director of the Operational Cryptology and Virology lab. CTO/CSO of the ESIEA in France, pulled his talk on Sunday, informing organizer Dragos Ruiu via email. Filiol, a 22-year military veteran with a background in intelligence and computer security, said he has been studying the reality of cyberwar for four months and came to the decision after discussions with his superiors in the French government. Filiol said he submitted the presentation, entitled “Hacking 9/11: The next is likely to be even bigger with an ounce of cyber,” to CanSecWest three months ago before his research was complete. Since his lab is under supervision of the French government, he was required to review his findings with authorities. “They told me that this presentation was unsuitable for being public,” Filiol said in an email. “It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries).”" Link to Original Source