msm1267 (2804139) writes "Apple has fixed a serious security flaw that’s present in many versions of both iOS and OSX and could allow an attacker to intercept data on SSL connections. The bug is one of many that the company fixed Tuesday in its two main operating systems, and several of the other vulnerabilities have serious consequences as well, including the ability to bypass memory protections and run arbitrary code.
The most severe of the vulnerabilities patched in iOS 7.1.1 and OSX Mountain Lion and Mavericks is an issue with the secure transport component of the operating systems. If an attacker was in a man-in-the-middle position on a user’s network, he might be able to intercept supposedly secure traffic or change the connection’s properties." Link to Original Source top
Tor Blacklisting Exit Nodes Vulnerable to Heartbleed
msm1267 (2804139) writes "The Tor Project has published a list of 380 exit relays vulnerable to the Heartbleed OpenSSL vulnerability that it will reject. This comes on the heels of news that researcher Collin Mulliner of Northeastern University in Boston found more than 1,000 vulnerable to Heartbleed where he was able to retrieve plaintext user traffic.
Mulliner said he used a random list of 5,000 Tor nodes from the Dan.me.uk website for his research; of the 1,045 vulnerable nodes he discovered, he recovered plaintext traffic that included Tor plaintext announcements, but a significant number of nodes leaked user traffic in the clear." Link to Original Source top
A report on the first phase of the audit was released today by iSEC Partners, which was contracted by the Open Crypto Audit Project (OCAP), a grassroots effort that not only conducted a successful fundraising effort to initiate the audit, but raised important questions about the integrity of the software.
The first phase of the audit focused on the TrueCrypt bootloader and Windows kernel driver; architecture and code reviews were performed, as well as penetration tests including fuzzing interfaces, said Kenneth White, senior security engineer at Social & Scientific Systems. The second phase of the audit will look at whether the various encryption cipher suites, random number generators and critical key algorithms have been implemented correctly." Link to Original Source top
One Billion Android Devices Open to Privilege Escalation
msm1267 (2804139) writes "The first deep look into the security of the Android patch installation process, specifically its Package Management Service (PMS), has revealed a weakness that puts potentially every Android device at risk for privilege escalation attacks.
Researchers from Indiana University and Microsoft published a paper that describes a new set of Android vulnerabilities they call Pileup flaws, and also introduces a new scanner called SecUP that detects malicious apps already on a device lying in wait for elevated privileges. The vulnerability occurs in the way PMS handles updates to the myriad flavors of Android in circulation today. The researchers say PMS improperly vets apps on lower versions of Android that request OS or app privileges that may not exist on the older Android version, but are granted automatically once the system is updated.
The researchers said they found a half-dozen different Pileup flaws within Android’s Package Management Service, and confirmed those vulnerabilities are present in all Android Open Source Project versions and more than 3,500 customized versions of Android developed by handset makers and carriers; more than one billion Android devices are likely impacted, they said." Link to Original Source top
Wide Gap Between Attackers, BIOS Forensics Research
msm1267 (2804139) writes "Advanced attackers who target BIOS and firmware with bootkits and other malware have a decided edge on security research and defense in this discipline. These attacks are dangerous because they enable persistence on a PC or server that is difficult to repair without bricking a machine. Researchers at MITRE and chip companies, however, are trying to reverse that trend with research into vulnerabilities in hardware and firmware as well as developing tools that help analyze problems present in BIOS." Link to Original Source top
msm1267 (2804139) writes "A presenter at this week’s CanSecWest security conference has withdrawn his scheduled talk for fear the information could be used to attack critical infrastructure worldwide. Eric Filiol, scientific director of the Operational Cryptology and Virology lab. CTO/CSO of the ESIEA in France, pulled his talk on Sunday, informing organizer Dragos Ruiu via email. Filiol, a 22-year military veteran with a background in intelligence and computer security, said he has been studying the reality of cyberwar for four months and came to the decision after discussions with his superiors in the French government. Filiol said he submitted the presentation, entitled “Hacking 9/11: The next is likely to be even bigger with an ounce of cyber,” to CanSecWest three months ago before his research was complete. Since his lab is under supervision of the French government, he was required to review his findings with authorities. “They told me that this presentation was unsuitable for being public,” Filiol said in an email. “It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries).”" Link to Original Source top
msm1267 (2804139) writes "Researchers have built new attack techniques against HTTPS traffic that have been effective in learning details on users' surfing habits, leaking sensitive data that could impact privacy. They tested against 600 leading healthcare, finance, legal services and streaming video sites, including Netflix. Their attack, they said in a research paper, reduced errors from previous methodologies more than 3 ½ times. They also demonstrate a defense against this attack that reduces the accuracy of attacks by 27 percent by increasing the effectiveness of packet level defenses in HTTPS, the paper said.
“We design our attack to distinguish minor variations in HTTPS traffic from significant variations which indicate distinct traffic contents,” the paper said. “Minor traffic variations may be caused by caching, dynamically generated content, or user-specific content including cookies. Our attack applies clustering techniques to identify patterns in traffic.”" Link to Original Source top
msm1267 (2804139) writes "The similarities between the GnuTLS bug and Apple’s goto fail bug begin and end at their respective failure to verify TLS and SSL certificates. Otherwise, they’re neither siblings, nor distant cousins. The GnuTLS bug is very different, though like Apple’s infamous goto fail error, it will also treat bogus digital certificates as valid. “This one was more of a dumb coding mistake, whereas Apple could have been a cut-and-paste error. It looks like [GnuTLS] failed to cast a return variable correctly. C is hard," said cryptographer Matthew Green of Johns Hopkins University. While the goto command appears in the buggy code in both vulnerabilities, the GnuTLS bug veers off in a different direction. Goto fail, for example is a standard C paradigm for error handling. Goto, in this case, is being used correctly, said Melissa Elliott, a security researcher with Veracode. The problem, she said, is related to variable typing and an improper mixing of error codes that led to this mess." Link to Original Source top
Hackers Paying Attention to Microsoft EMET Bypasses
The tide may be turning, however, if the latest Internet Explorer zero day is any indication. An exploit used as part of the Operation SnowMan espionage campaign against U.S. military targets contained a feature that checked whether an EMET library was running on the compromised host, and if so, the attack would not execute.
That’s not the same as an in-the-wild exploit for EMET, but that may not be too far down the road, especially when you take into consideration two important factors: Microsoft continues to market EMET as an effective and temporary zero-day mitigation until a patch is released; and the impending end-of-life of Windows XP in three days could spark a surge in EMET installations as a stopgap." Link to Original Source top
msm1267 (2804139) writes "Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott is scheduled to deliver a presentation this morning at the Security BSides conference explaining how the company’s researchers were able to bypass all of the memory protections offered within the free Windows toolkit.
The work is significant given that Microsoft has been quick to urge customers to install and run EMET as a temporary mitigation against zero-day exploits targeting memory vulnerabilities in Windows or Internet Explorer.
The exploit bypasses all of EMET’s mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool. Researchers took a real-world IE exploit and tweaked it until they had a complete bypass of EMET's ROP, heap spray, SEHOP, ASLR and DEP mitigations." Link to Original Source top
msm1267 (2804139) writes "Phony Bitcoin ticker apps hosted on popular sites Download.com and MacUpdate.com are fronts for the OSX/CoinThief Trojan, which was built to steal Bitcoin wallet credentials and keys, and to date has drained a small number of accounts.New variants of the Trojan targeting Mac OS X users were found on the sites and also include a browser extension for Firefox. Previous versions of CoinThief spread through a GitHub page that has since been taken down and included extensions for Safari and Google Chrome only." Link to Original Source top
Adobe Zero Day Targets China; No 'Mask' Connection
msm1267 (2804139) writes "Exploits for a newly reported zero-day vulnerability in Adobe’s Flash Player drop a password-grabbing Trojan that targets the email and social media accounts of users and organizations in China, researchers at Kaspersky Lab said today. The attacks appear to be an isolated campaign and there is no connection between these exploits and a new advanced espionage campaign called The Mask that Kaspersky researchers are expected to unveil next week at the company’s Security Analyst Summit." Link to Original Source top
Honey Encryption Tricks Hackers with Decryption Deception
msm1267 (2804139) writes "Researchers are ready to unveil Honey Encryption, an encryption system that pulls a bit of deception against hackers who have stolen encrypted data. The tool produces a ciphertext, which, for every wrong guess a hacker tries presents a plausible-looking yet incorrect plaintext password or encryption key. With traditional encryption, an attacker making an incorrect guess gets gibberish in return to their request. With Honey Encryption, the hacker gets something that looks like real context. An attacker would have no way of knowing which plausible-looking value is the correct one." Link to Original Source top
Java-Based DDoS Bot Hits Windows, Mac, Linux Computers
msm1267 (2804139) writes "A malicious Java application that infects Windows, Mac and Linux machines for the purpose of building a DDoS botnet has been discovered. The botnet communicates over IRC and can carry out distributed denial of service attacks using either HTTP or UDP flood attacks. Researchers said today that the malicious Java application exploits a patched Java vulnerability," Link to Original Source top
Hasbro, Cracked Still Owned; Providing Zombies for Botnets?
msm1267 (2804139) writes "Hasbro[.]com, a leading toy and game distributor in the United States, is infected and serving malware to visitors of the site. Researchers at Barracuda Networks said the site remained infected and Hasbro has not responded to an email from the security firm disclosing the issue. The Java-based attack is similar to one conducted against popular humor website cracked[.]com, which was found in November to also be hosting a drive-by download attack, and as of two weeks ago, was again serving up malware in drive-by attacks. Like Cracked, Hasbro is a popular website that, based on traffic analysis from Alexa.com from 2013, gets upwards of 215,000 daily visitors. Barracuda estimates that given current Java installations and patching levels, the site could potentially be infecting up to 20,000 visitors a day. While the Cracked and Hasbro attacks don’t seem to be related, Barracuda research scientist Daniel Peck said, the possibility exists that these compromises are recruiting zombie endpoints for a botnet." Link to Original Source top
Electric Cybersecurity Regulations Have a Serial Problem
msm1267 (2804139) writes "A class of SCADA vulnerabilities discussed at a recent conference is getting attention not only for the risks they pose to master control systems at electric utilities, but also for illuminating a dangerous gap in important critical infrastructure regulations." Link to Original Source top
msm1267 (2804139) writes "A new spambot has been discovered that generates copious amounts of network traffic in an attempt to disguise what it’s really up to and throw off the scent of detection capabilities. The spambot, identified as Wigon.PH_44, is being served on compromised websites hosted on the WordPress platform. To date, there are up to 200 sites serving the malicious executable and there have been 15,000 hits in the wild on the malware signature, most of those in the United States." Link to Original Source top
msm1267 (2804139) writes "The Icefog cyberespionage malware campaign uncovered last September was originally thought to be limited to the military supply chain, primarily in Japan and South Korea. But new details emerged today that a Java-based version of the malware exists and infected three US-based oil and gas companies. All three have been notified; two have removed the infections so far." Link to Original Source top
msm1267 (2804139) writes "Giant retailer Target has clarified that the partial personal information--including names, addresses, phone numbers and email addresses--of another 70 million individuals was also stolen during a two-week long breach of its systems starting the day before Thanksgiving. Target said: "These are two distinct groups and are not linked. While there may some overlap between the two groups (the 40 million and the 70 million) but we don’t know to what extent at this time."" Link to Original Source