Feed aggregator

Threatpost News Wrap, January 16, 2015

Threatpost for B2B - Fri, 01/16/2015 - 12:15
Dennis Fisher and Mike Mimoso discuss the security news of the past week, including the proposed changes to the CFAA, David Cameron's encryption comments, the NSA's quasi-apology regarding Dual EC and the Microsoft-Google disclosure feud.

Mozilla Patches Nine Vulnerabilities With Firefox 35

Threatpost for B2B - Fri, 01/16/2015 - 11:35
Mozilla released the latest version of its flagship browser this week, Firefox 35, fixing nine vulnerabilities, including three critical bugs.

Teen Arrested in UK for Xbox, PlayStation Attacks

Threatpost for B2B - Fri, 01/16/2015 - 10:50
Police in the UK, working in cooperation with the FBI, arrested an 18-year-old man Friday in connection with recent DDoS attacks on the PlayStation Network and Xbox Live services. The authorities arrested the unnamed man in Southport, and he is being held on suspicion of computer crime and unauthorized access to computer material. UK officials […]

Round 2: Google Deadline Closes on Pair of Microsoft Vulnerabilities

Threatpost for B2B - Fri, 01/16/2015 - 08:04
Google Project Zero has disclosed a pair of unpatched Windows vulnerabilities after the expiration of its 90-day deadline. Microsoft said it will patch one bug in February, and both sides agree the second does not merit a security bulletin.

Proposed CFAA Amendments Could Chill Security Research

Threatpost for B2B - Fri, 01/16/2015 - 07:00
Vague language in the White House's proposed amendments to the CFAA leave the door open to a chilling effect on legitimate security research.

Google AdWords Campaigns Hijacked by Malvertisers

Threatpost for B2B - Thu, 01/15/2015 - 16:38
Two Google AdWords campaigns have been hijacked by malvertisers and users are being redirected to fraud sites without even clicking the poisoned ads.

Pirelli Home Broadband Routers Exposed for Two Years

Threatpost for B2B - Thu, 01/15/2015 - 15:04
Administration files for Pirelli routers, issued by the biggest ISP in Spain, can be accessed from anywhere, putting WPA keys, PINs, certificates and more at risk.

Matthew Green on the NSA and Compromising Crypto Standards

Threatpost for B2B - Thu, 01/15/2015 - 14:41
Dennis Fisher talks with Matthew Green of Johns Hopkins University about the NSA's "regret" for continuing to support Dual EC after it had been shown to be compromised, the effects of the agency's influence on crypto standards and the hope for more secure standards in the future.

Parking Services Confirm Payment Card Breaches

Threatpost for B2B - Thu, 01/15/2015 - 13:27
Two services that allow users to reserve offsite parking spots at airports over the internet announced this week that they recently suffered breaches and their customers’ data may be at risk.

Marriott Agrees to Stop Blocking Guest WiFi Devices

Threatpost for B2B - Thu, 01/15/2015 - 11:24
Marriott, which last year paid a $600,000 fine for blocking customers’ WiFi devices in its hotels, has said that it no longer will prevent guests from using personal hotspots or similar devices. The situation resulted from a complaint by a guest who stayed at Marriott’s Gaylord Opryland hotel in 2013 and found that he couldn’t […]

Government Demands for Verizon Customer Data Drop

Threatpost for B2B - Thu, 01/15/2015 - 09:15
The number of subpoenas, total orders and warrants that the United States government delivered to Verizon all dropped in the second half of 2014, according to the company’s latest transparency report. The giant telecom provider released data on Thursday that showed a decrease in subpoenas of about 10 percent from the first half of last […]

Microsoft Security Updates January 2015

Secure List feed for B2B - Wed, 01/14/2015 - 19:34

Microsoft's security team begins 2015 with a minimal set of Security Bulletins, MS15-001 through MS15-008. The set included one critical vulnerability in a service that probably shouldn't be shipped any longer (telnet), and seven bulletins rated "Important" that patch elevation of privilege, DoS, and security bypass issues.

The critical Bulletin affects the telnet service. The telnet service is an ancient piece of software that provides shell access to a system, mostly available on router installations. But it works over unencrypted, plain-text communications, and should not be used. It was also a bit of a bear to configure and make useful, but may have been useful in development and IT environments. Luckily, this service is not enabled by default on supported Windows systems (but it is installed by default on Windows Server 2003). A quick search in Shodan shows a pretty reduced set of users, and its presence in our KSN data is very limited. And, on the public internet, the number of Windows telnet servers listening on port 23 and providing a related banner is only a couple hundred. So, this patch affects very few customers.

But, if someone didn't install an alternative like OpenSSH, doesn't use the PowerShell facility, WinSCP, RDP, or other facilities, and oddly installed this service, they may be running a server vulnerable to remote malformed packet delivery leading to remote code execution. Meaning it's a severe issue that really "shouldn't" affect many users. And it appears to not be exploited on our user base. When installed and enabled, Microsoft's telnet server runs as "Tlntsess.exe" on all Windows systems since Windows Server 2003. And on a somewhat related note, KSN shows infected Tlntsess.exe files on new customer systems running a first scan or enabling a scan after running infected code:
Virus.Win32.Virut.ce
Worm.Win32.Mabezat.b
Virus.Win32.Sality.gen
Virus.Win32.Parite.b
Virus.Win32.Nimnul.a
Virus.Win32.Tenga.a
Virus.Win32.Expiro.w
Virus.Win32.Slugin.a

It's always surprising to still see the viral stuff, but it's certainly more prevalent than telnet service exploitation at this point.

The other Security Bulletins are rated "Important", and the escalation of privilege issues are somewhat interesting and the kind of thing businesses should be aware of - they are frequently used as a part of targeted attack activity.

One of these EoP vulnerabilities was reported privately and exposed publicly by Google's Project Zero two days prior to the scheduled and known patch release. The project maintains a database of exploitable vulnerabilities, each of which has a deadline of 90 days from reporting before the bug goes public: "Deadline exceeded - automatically derestricting". This EoP was fixed and the fix released by Microsoft as MS15-003 on its scheduled "Patch Tuesday" release, two days after Google disclosed the bug publicly. It's strange that Google would do such a thing; it's not as if Microsoft doesn't commit to reasonable time frames for fixes and proper testing anymore. Microsoft responded with a lengthy writeup on responsible disclosure and cooperation within the industry, and mentioned Google's approach in particular.

The flawed code has yet to be seen as abused in the wild, but it will likely happen. You can find a set of executive summaries for the Bulletins here.

And one last note: the Advanced Notification Service is coming to an end. Microsoft ended its practice of broadcasting advance notice of security updates to all customers, and offers it only to paying Premier-level customers. For the most part, it seems that this works out just fine and possibly frustrates people less with security maintenance. However, I think that it would be useful for Microsoft to pre-release forecasted download file sizes and reboot requirements for the updates, along with their ratings of critical or not, etc. For example, knowing that I will have to download over 200 MB of critical software updates requiring system reboots would be helpful. That information would be useful to their customers both large and small. Time will tell if they bring it back, but likely, they will not need to.

Skeleton Key Malware Opens Door to Espionage

Threatpost for B2B - Wed, 01/14/2015 - 16:00
The Skeleton Key malware bypasses single-factor authentication on Active Directory domain controllers and paves the way to stealthy cyberespionage.

Phony Oracle Patches Making the Rounds

Threatpost for B2B - Wed, 01/14/2015 - 11:42
Attackers are circulating fake fixes for Oracle error messages and the company is warning users not to download any patches that don’t come directly from Oracle.

New Strain of Crowti Ransomware Moving in I2P Network

Threatpost for B2B - Wed, 01/14/2015 - 11:35
A new strain of the Crowti ransomware, also dubbed Cryptowall 3.0, is moving on the I2P anonymity network.

NSA Official: Support for Compromised Dual EC Algorithm Was ‘Regrettable’

Threatpost for B2B - Wed, 01/14/2015 - 11:29
In a new article in an academic math journal, the NSA’s director of research says that the agency’s decision not to withdraw its support of the Dual_EC_DRBG random number generator after security researchers found weaknesses in it and questioned its provenance was a “regrettable” choice. Michael Wertheimer, the director of research at the National […]

GE Ethernet Switches Have Hard-Coded SSL Key

Threatpost for B2B - Wed, 01/14/2015 - 09:24
There is a hard-coded private SSL key present in a number of hardened, managed Ethernet switches made by GE and designed for use in industrial and transportation systems. Researchers discovered that an attacker could extract the key from the firmware remotely. The vulnerability exists in a number of GE Ethernet switches, including the GE Multilink […]