Feed aggregator

Microsoft to Update XP Malware Signatures Beyond Support Cutoff

Threatpost for B2B - Fri, 01/17/2014 - 09:53

Microsoft announced yesterday that it plans to continue updating signatures on the antimalware engine it uses to protect Windows XP for more than a year beyond the date from which it plans to cut off support for the operating system.

That means enterprises still running System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection and Windows Intune on XP systems have until July 14, 2015 to find an alternative. This also applies to Microsoft’s consumer product, Microsoft Security Essentials.

For a while now, Microsoft has been spreading the word that it will stop providing support for 12-year-old Windows XP on April 8. On that date, Microsoft no longer issue security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates to the operating system, which is still widely used.

Not until July 2015 will Microsoft stop updating the antimalware engine that protects XP users from viruses, worms, Trojans, and other threats.

“Our research shows that the effectiveness of antimalware solutions on out-of-support operating systems is limited,” the company wrote on its Threat Research and Response Blog. “Running a well-protected solution starts with using modern software and hardware designed to help protect against today’s threat landscape.”

Windows XP is most certainly outside the realm of “modern software.” Despite this, according to the analytics firm NetMarketShare, Windows XP still commands 28.98 percent of the operating system market. Other than Windows 7, XP remains the most popular operating system in use today.

Privacy Advocates Anxious Ahead of Obama NSA Speech

Threatpost for B2B - Thu, 01/16/2014 - 13:29

It’s been more than seven months since Edward Snowden began feeding stolen NSA documents to reporters, and in that time, virtually everyone in Washington who could find a microphone or keyboard has voiced an opinion on the agency’s methods and Snowden’s actions. Everyone except President Barack Obama, that is. Obama has been mostly silent on the subject, preferring to let NSA officials and lawmakers speak, but that’s set to change Friday when he is due to speak publicly about proposed reforms for the NSA.

Obama is expected to address some of the 46 recommendations contained in a report produced by his own handpicked panel of lawyers, professors and security experts, the President’s Review Group on Intelligence and Communications Technologies. Much of what the panel addressed in its report comprised recommendations on how to limit the scope of certain NSA collection programs or increase the transparency around their use. However, privacy advocates and other observers say that is just the beginning of what needs to change about the agency’s surveillance methods and data retention. One of the key issues is the NSA’s use of dragnet surveillance methods to collect electronic communications such as phone calls, emails and Web traffic.

Lawyers at the EFF say limiting scope of this kind of surveillance isn’t enough. Rather, the NSA should go back to performing highly targeted surveillance.

“The NSA has disingenuously argued that simply acquiring this data isn’t actually “collecting” and that no privacy violation can take place unless the information it stores is actually seen by a human or comes up through an automated searches of what it has collected. That’s nonsense. The government’s current practices of global dragnet surveillance constitute general warrants that violate the First and Fourth Amendments, and fly in the face of accepted international human rights laws. Obama needs to direct the NSA to engage only in targeted surveillance and stop its programs of mass surveillance, something he can do with a simple executive order,” Cindy Cohn and Rainey Reitman of the EFF wrote in an assessment of what Obama may discuss Friday.

An alternative to the cell phone metadata program, recommended by the president’s panel, is to remove the NSA’s ability to store all of that data in-house and put the onus on the communications companies instead. That would require companies such as Verizon and AT&T to hold such data in reserve, for some undefined period of time, awaiting requests from the NSA. The EFF worries that this will turn the companies into nothing but arms of the agency.

“But companies shouldn’t be pressed into becoming the NSA’s agents by keeping more data than they need or keeping it longer than they need to. To the contrary, companies should be working on ways to store less user data for less time—decreasing the risks from data breaches and intrusions like the one that just happened to Target. Data retention heads in the wrong direction for our security regardless of whether the government or private parties store the information,” they said.

The EFF also encouraged Obama to pressure the NSA not to engage in activities that subvert the security of protocols or encryption algorithms, something that has become a major discussion point in security circles in recent months.

“These practices include weakening standards, attacking technology companies, and preventing security holes from being fixed. As the president’s review group recognized, this has serious consequences for any industry that relies on digital security—finance, medicine, transportation, and countless others, along with anyone in the world who relies on safe, private communication. Obama should follow the recommendations of his review group and immediately stop the NSA’s efforts to undermine or weaken the security of our technologies,” Cohn and Reitman wrote.

All in all, privacy advocates are not expecting Obama to announce major changes to the NSA’s programs or mission.

“Many people are skeptical that the president will create meaningful limits to the NSA’s practice of sweeping up the digital communications of millions of people worldwide. Instead of actually stopping the spying, Obama could just make pronouncements calling for more transparency or additional layers of bureaucratic oversight. Basically, he could duck the most important thing he could do to show leadership: rein in government surveillance,” Cohn and Reitman said.

ICS-CERT Advising Users Update Schneider Electric ClearSCADA

Threatpost for B2B - Thu, 01/16/2014 - 08:56

The Department of Homeland Security is warning the maintainers of industrial control systems (ICS) about a remotely exploitable uncontrolled resource consumption vulnerability in Schneider Electric’s ClearSCADA software.

Schneider Electric says that it has developed a new version of ClearSCADA that resolves the vulnerability reported by Adam Crain of Automatak and independent security researcher Chris Sistrunk. The company further claims it has no evidence suggesting that these vulnerabilities have been exploited in a production environment. The ICS computer emergency response team (ICS-CERT) is also unaware of any in-the-wild attacks targeting these bugs, though their advisory notes that “An attacker with a medium skill would be able to exploit this vulnerability.”

ClearSCADA is secure remote management software designed for use in large, geographically dispersed critical infrastructure systems.

On machines running pre-November 2013 versions of ClearSCADA, an attacker could generate specially crafted, unsolicited frames that – in turn – could cause excessive event logging, slowing driver operation and potentially leading to a denial of service condition in the distributed network protocol (DNP3).

Schneider is recommending that users of its ClearSCADA software monitor DNP3 traffic and their system’s event journal in order to detect excessive amounts of traffic or logging which may be representative of a fuzzing attack attempting to exploit the vulnerabilities. Beyond that, users are advised to upgrade their ClearSCA DA server to SCADA Expert ClearSCADA 2013 R2 or a more recent version. Users can also update to a service pack released later than November 2013.

Affected products include, ClearSCADA 2010 R2 (Build 71.4165), ClearSCADA 2010 R2.1 (Build 71.4325), ClearSCADA 2010 R3 (Build 72.4560), ClearSCADA 2010 R3.1 (Build 72.4644), SCADA Expert ClearSCADA 2013 R1 (Build 73.4729), SCADA Expert ClearSCADA 2013 R1.1 (Build 73.4832), SCADA Expert ClearSCADA 2013 R1.1a (Build 73.4903), and SCADA Expert ClearSCADA 2013 R1.2 (Build 73.4955).

Model Predicts Optimal Timing for Targeted Attacks

Threatpost for B2B - Thu, 01/16/2014 - 08:56

Security researchers from the Ford School of Public Policy at the University of Michigan have published a mathematical model they said will produce the proper timing for the delivery of offensive cyberweapons. Defenders can also make use of the model to understand attackers and when an targeted attack might occur.

“A simple mathematical model is offered to clarify how the timing of such a choice can depend on the stakes involved in the present situation, as well as the characteristics of the resource for exploitation,” wrote Robert Axelrod and Rumen Iliev in a paper called Timing of Cyber Conflict.”

The two researchers used the Stuxnet and Saudi Aramco attacks, as well as the persistent targeted attacks attributed to the Chinese government, as a baseline for their analysis of cyber conflicts. The researchers’ goal is to mitigate the harm destructive cyberattacks can do and understand their capabilities.

The experiment conducted by the researchers is done so from the point of view of the attacker in order to make a best guess as to the conditions and timing under which a potentially destructive attack is launched. The model takes into account the fact that a zero-day launched today will likely be less effective at a later date, especially once an attack is discovered and mitigations are put in place.

“The heart of our model is the trade-off between waiting until the stakes of the present situation are high enough to warrant the use of the resource, but not waiting so long that the vulnerability the resource exploits might be discovered and patched even if the resource is never used,” Axelrod and Iliev wrote.

The model makes a number of assumptions about what’s at stake in a particular conflict, be it an all-out war, or an espionage engagement for trade or military secrets. The stakes change relevant to time, but the model focuses only on the current environment. It also looks at resource, or weapon, characteristics and its sustainability based on its stealth and persistence abilities. A benchmark for stealth used in the study is the average duration of a zero-day attack, 312 days, according to Leyla Bilge and Tudor Dumitras, while a persistence benchmark is that within three to five years, only three percent to five percent of vulnerabilities in Chrome and Firefox are rediscovered. The target’s patching practices also impact the stealth and persistence of an attack, the researchers said.

“Because stakes are not under your control, your best policy is to wait until the stakes are high enough to risk losing the resource because of its limited stealth,” they wrote. In short, an attacker will want to use his available resources often, but only when the stakes are their highest.

Another assumption made in the model is the value of a weapon, which is dependent on its persistence and stealth, the researchers said. Within their paper, the researchers present an equation that helps an attacker or defender determine the value of a resource, which helps determine how to best use it based on particular thresholds.

The researchers concluded that in situations where the stakes are constant, such as the payoff for stealing payment card data, a cyberweapon should be used quickly and often. For high stakes events, attackers and defenders need to evaluate three factors before deciding how long to wait to launch an attack: low stealth, high persistence and large stakes, the researchers wrote.

For a comparison, the researchers looked at the Stuxnet worm, which they said likely had low persistence because it relied on multiple zero-day exploits to get the job done. This meant the attackers had to quickly use their malware, therefore, stealth was important. Stuxnet accomplished this in spades, lasting 17 months inside the Natanz network before it was detected. As for the stakes, they were high for the attackers, whose goal was to derail Iran’s nuclear program.

Another factor to consider is the legitimate market for zero-day exploits and competing vendor bounties for mitigation bypass attacks. The researchers go against the grain of thinking that says the market would be saturated with new exploits, but the pool of undiscovered vulnerabilities is deep.

“With new versions of commonly used software being introduced at a high rate to patch recently discovered vulnerabilities and to add new features, the pool of zero-day exploits waiting to be discovered is ever renewable,” the researchers wrote.

Turning their model on the zero-day market, the researchers concluded that the more effort that goes into finding zero days, persistence will go down because a resource is likely to also be discovered by others and possible sold before it is used. Lower prices will be instituted because supply will be greater and less persistence means weapons are worth less, they said.

“The implications of our model are easy to summarize: Stealth and Persistence are both desirable properties of a resource, and increase its Value,” they wrote. “However, they have opposite effects on the best time to use the resource. Persistence leads to more patience, meaning the stakes need to meet   a higher Threshold before the resource is worth using.”

Blog: Big box LatAm hack (1st part - Betabot)

Secure List feed for B2B - Wed, 01/15/2014 - 21:42
Betabot is now used by cybercriminals from LatAm to attack local victims. We found it installed on a purely malicious server located in Russian with a domain registered in Panama. This is the 1st part of the research.

Starbucks App Stores User Information, Passwords in Clear Text

Threatpost for B2B - Wed, 01/15/2014 - 15:03

A vulnerability in Starbucks’ mobile app could be putting coffee drinkers’ information–including their usernames, email addresses and passwords–at risk.

The problem stems from the way session.clslog, the Crashlytics log file, handles those credentials in the event of a crash. Within the file there are “multiple instances” where the credentials are stored in clear text, something that could allow attackers to recover and later leverage the information to access a users’ account, either on the device in question or online at Starbucks’ account log-in page.

The vulnerability exists in the most recent build of the app, version 2.6.1 for iOS.

Starbucks’ app lets users connect their Starbucks card to their smartphone, reload funds via Paypal or credit card and allows them to treat the device like cash in stores worldwide. Ardent java fans can manage their card through the app and accrue Rewards with each purchase.

Daniel Wood, a Minneapolis-based security researcher and pen tester discovered the vulnerability last year, reported it to Starbucks in December but has yet to hear from the company regarding a fix.

It wasn’t until Monday however that Wood went public and published his findings on seclists.org’s Full Disclosure.

According to Wood, the file, which can be found at /Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog, contains more than just the user’s login information.

In re-testing the vulnerability last night Wood discovered that the user’s full name, address, device ID and geolocation data are all being stored in clear text as well. This information popped up after Wood reinstalled the app and monitored the session.cslog file during user signup.

Wood also found the app’s OAuth token and the OAuth signature attached to the device in question.

“It contains the HTML of the mobile application page that performs the account login or account reset. session.clslog also contains the OAuth token (signed with HMAC-SHA1) and OAuth signature for the users account/device to the Starbucks service,” Wood said in his write-up.

It’s unclear if a fix is in the works for the app but Starbucks hasn’t released an update since May 2, 2013.

Wood, a member of Open Web Application Security Project (OWASP), recommends future versions of the app adhere to best practices.

In this case, Starbucks should filter and sanitize data upon output “to prevent these data elements from being stored in the Crashlytics log files in clear text, if at all,” Wood writes in his disclosure.

When reached Wednesday, Crashlytics, a Boston-based firm that specializes in crash reporting solutions, couldn’t comment on specific customers but did reiterate that the firm doesn’t recommend developers log sensitive information.

Crashlytics Cofounder Wayne Chang said via email that the issue appears to involve one of the service’s plaintext logging features and that Crashlytics doesn’t collect usernames or passwords automatically. The feature, CLSLog, is an “optional feature that developers can use to log additional information.”

Wood admits he’s only done static analysis of the application so far and has yet to examine network traffic but suspects there is a privacy issue.

“During my static analysis I noticed some JSON requests which contain some sensitive data in the request,” Wood said, suggesting a vulnerability could be present.

Maggie Jantzen, a spokeswoman for Starbucks claimed the company was aware of Wood’s research and what it has deemed “theoretical vulnerabilities” but insisted Wednesday that there isn’t a direct impact to its customers at this time.

“To further mitigate our customers’ potential risk from these theoretical vulnerabilities, Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way,” Jantzen said.

Cisco Fixes Three Bugs in Secure ACS Platform

Threatpost for B2B - Wed, 01/15/2014 - 14:09

Cisco has released patches for three vulnerabilities in its Secure Access Control System, including two flaws that could enable a remote attacker to take complete control of an affected system.

Cisco’s Secure ACS is part of the company’s TrustSec solution, which the company says “supports the increasingly complex policies needed to meet today’s new demands for access control management and compliance.” The system contains three separate vulnerabilities: a privilege-escalation flaw, an unauthenticated user access bug and an operating system command-injection flaw. The latter two are the most serious, Cisco said.

“A vulnerability in the RMI interface of Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to access the ACS via the RMI interface,” the Cisco advisory says.

“The vulnerability is due to insufficient authentication and authorization enforcement. An attacker could exploit this vulnerability by accessing the ACS via the RMI interface. An exploit could allow the attacker to access the ACS and perform administrative actions.”

The second remotely exploitable bug is the command-injection flaw.

“A vulnerability in the web interface of Cisco Secure ACS could allow an authenticated, remote attacker to inject operating system-level commands,” the advisory says.

“The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by injecting operating system commands into a specific location of the ACS web interface. An exploit could allow the attacker to perform operating system-level commands without shell access, impacting the confidentiality, integrity, or availability of the system.”

The privilege escalation flaw is far less serious and can only be exploited by a local authenticated user.

“A vulnerability in the RMI interface of Cisco Secure ACS could allow an authenticated, remote attacker to perform actions as superadmin,” Cisco says.

All Twitter Apps Must Deploy SSL/TLS

Threatpost for B2B - Wed, 01/15/2014 - 12:56

UPDATE: As of yesterday, Twitter’s application programming interface (API) will only recognize traffic traveling via Transport Layer Security (TLS) or Secure Sockets Layer (SSL). Any applications connecting to the API in plaintext will no longer work.

There is a vast selection of third-party Twitter applications such as Hootsuite and Tweetdeck available to Twitter users, and these apps draw information from Twitter through the service’s API. From Jan. 14 onward, Twitter is forcing developers to connect to its API over an encrypted HTTPS connection.

Developers of existing apps that connect to the API over HTTP will need to change upgrade their apps to HTTPS or they will stop functioning.

The move will improve the security and privacy of Twitter users who opt to connect to the micro-blogging service through a third party application rather than Twitter’s official Web interface.

“Connecting to the API using the SSL protocol builds a safe communication channel between our servers and your application, meaning that no sensitive data can be accessed or tampered by unauthorized agents in the middle of this communication path,” the company wrote on a developers forum back in mid-December.

We reached out to the Electronic Frontier Foundation’s technology projects director, Peter Eckersley, who told Threatpost that this is exactly the right step for Twitter.

“We know that HTTP is completely, fundamentally, inconsolably insecure,” Eckersley said. “Any website that is using HTTP is leaving its users vulnerable to eavesdropping and account hijacking.  Any API that allows HTTP is a giant invitation for hackers and intelligence agencies to slurp up data,” Eckersley said.

Eckersley’s comment about national intelligence agencies is particularly resonant given the daily reminders from the New York Times, Guardian, Washington Post, and others that the National Security Agency is allegedly doing just that: slurping up any data they can get their hands on.

“There are some cognitive barriers for a lot of developers to deploying HTTPS because of the broken certificate authority bureaucracy.  But you can go and get a free certificate from StartCom, so there’s really no excuse for any user of the Twitter API not to be HTTPS,” he said. “And for larger sites that need to deploy HTTPS/SSL/TLS at very large scales, EFF is working to promote knowledge sharing amongst site operators (google for ‘crypto ops’) and to produce better documentation on where to start.”

This article was updated at 2 p.m. ET with comments from the EFF.

Oracle Patch Update Takes on 36 Java Vulnerabilities

Threatpost for B2B - Wed, 01/15/2014 - 12:28

All has been relatively quiet of late on the Java security front, which is in stark contrast to a year ago when Java was the scourge of the Internet. Vulnerabilities in Java were being exploited at an alarming rate in a number of targeted attacks including watering hole attacks against prominent government agencies, manufacturers and activists.

Yesterday’s quarterly Critical Patch Update from Oracle served as a reminder that the Java house still is not in order. The big database company released 36 Java patches with the CPU, which patched 144 vulnerabilities across just about all of Oracle’s product lines.

While enterprise IT departments thought they were getting a reprieve with relatively light Patch Tuesday security updates from Microsoft and Adobe, Oracle brought them back down to Earth with its first set of patches for 2014.

Of the 36 Java bugs Oracle addressed, 34 could be exploited remotely. Five vulnerabilities were given Oracle’s highest criticality rating of 10 and another five rated out at 9.3; most apply only to client deployments of Java, Oracle said, adding that just one is a server-side vulnerability. Oracle director of software security assurance Eric Maurice wrote on his department’s blog yesterday that an attacker can exploit the server-side bug by sending malicious data to the API of the vulnerable component, therefore bypassing Java sandbox protections.

“While a successful exploitation of a number of the vulnerabilities addressed by this Critical Patch Update may not be possible in many customers’ deployments because the affected component is not installed or cannot be easily accessed by malicious attacker,” Maurice wrote, “a prompt application of the Critical Patch Update will help ensure that security in depth is maintained in the environment.”

Java far and away had the highest number of critical patches; patches for only three other products merited the most severe rating: MySQL server; Oracle Financial Services Software component called FLEXCUBE; and Oracle Fusion Middleware.

The critical MySQL patch was one of 18 fixes released for the database server. Three of those patches were for remotely exploitable bugs, including one in MySQL Enterprise Monitor which was rated a 10 by Oracle.

As for the Oracle Fusion Middleware patches, Oracle cautions users to also prioritize patches for vulnerabilities in Oracle Database Server as some of those components could also expose Fusion products. Oracle released 22 Fusion Middleware patches, 19 of which are remotely exploitable including the most severe in the Oracle WebCenter Sites Community component.

There was a relatively light load of Oracle Database patches, five in all, one of which patches a remotely executable flaw in the Core RDBMS.

Private Messaging App Vendor Wickr Offers Hackers $100,000 for Bugs

Threatpost for B2B - Wed, 01/15/2014 - 11:41

Bug bounty programs, for the most part, have been the domain of large software vendors and Web companies such as Google, Mozilla, Microsoft, PayPal and Facebook. But some smaller companies are now getting involved, with the latest one to announce a bounty being Wickr, the maker of secure messaging apps for Android and iOS, and the potential payoff is huge: up to $100,000.

Wickr’s bug bounty program is quite similar to the one announced last year by Microsoft. That program offers hackers up to $100,000 for new offensive techniques that can defeat the memory protections in the latest version of Windows. The Microsoft bug bounty program also offers $50,000 to researchers who develop a defensive technique that can stop an existing mitigation bypass.

Wickr is doing something similar, enticing hackers with a payment of up to $100,000 for submitting a new vulnerability “that substantially affects the confidentiality or integrity of user data.” The company also is offering additional cash for a defensive technique, submitted at the same time, that can protect against the new vulnerability. Wickr makes a text messaging app for both Android and iOS that is designed to be secure and protect users’ privacy by shredding deleted files on users’ devices.

“The Wickr Bug Bounty Program is designed to encourage responsible security research in Wickr software. It is impossible to overstate the importance of the role the security research community plays in securing modern software. White-hats, academics, security engineers and evangelists have been responsible for some of the most cutting-edge, eye-opening security revelations to date. Their research speeds the pace of advancing security to the benefit of all. With this program and partnership, we pledge to drive constant improvement relating to the security interests of our users, with the goal of keeping Wickr the most trusted messaging platform in the world,” Robert Statica, co-founder of Wickr, wrote in a blog post announcing the bug bounty program.

Bug bounties have been quite successful for a number of the companies who have established them in recent years, with Google and others attributing the contributions of external researchers to the improved security of their products. In October, Microsoft paid its first bounty to researcher James Forshaw, and the company also recently extended its system to include incident response teams and forensics investigators.

Wickr’s program requires that researchers submit their vulnerabilities privately to the company and not publicly disclose them within three months of the submission. It’s open to anyone, of any age, who isn’t a resident of a country that’s on the United States embargo list, and the rewards will range form $10,000 to $100,000.

Image from Flickr photos of Pascal

Metadata Program ‘Not Uniquely Valuable Enough’ to Justify Privacy Intrusions

Threatpost for B2B - Tue, 01/14/2014 - 17:47

In a mostly friendly and non-confrontational hearing on Tuesday, members of the Senate Judiciary Committee spent a couple of hours talking to members of the White House-appointed NSA review board about the extent of the agency’s surveillance and the panel’s recommendations for reform. The hearing covered almost no new ground, with committee members spending much of the time asking questions about intelligence collection and sharing pre-9/11 and whether the metadata program could have helped prevent those attacks or has prevented any since then.

The hearing, which was included only a handful of committee members most of the time, was ostensibly about the report produced by the White House panel in December and the 46 recommendations in it regarding intelligence collection programs and potential abuses by the NSA. The panel recommended a number of changes to the controversial Section 215 and 702 collection programs, and the committee members asked a litany of questions about those, specifically about the metadata program, which has drawn shard criticism from lawmakers and privacy advocates.

Committee Chairman Sen. Patrick Leahy (D-Vt.) said that he did not believe the Section 215 program produced enough results to justify its existence.

“I’ve concluded that the phone record program is not uniquely valuable enough to justify a massive intrusion on Americans’ privacy,” he said.

Michael J. Morell, the former acting director of the CIA and a member of the President’s Review Group on Intelligence and Communications Technologies, said that the panel did not believe it was necessary to eliminate the metadata program, but had no evidence that it had prevented any terror attacks, either.

“We did not recommend the end of the 215 program,” he said. “It is absolutely true that the 215 program hasn’t played a significant role in disrupting any attacks to this point. But it only has to be successful once to be important.”

NSA officials and some lawmakers have defended the metadata program on the grounds that it does not collect the content of calls, but rather the information about the originating and terminating numbers and the length of the call. However, Morell said that during the research for the report the panel wrote, he came to the conclusion that metadata can tell observers a lot about a target’s activities.

“There is quite a bit of content in metadata and when you have the records of the phone calls an individual made, you can learn quite a bit about an individual,” he said.

The committee also spent some time addressing the issue of whether the metadata program would have prevented the attacks of 9/11, something that NSA officials have asserted in recent months. Asked whether that was the case, Richard Clarke, the former White House security adviser, said that it was impossible to know.

“It’s impossible to go back and reconstruct history,” Clarke said. “It’s very difficult to say with accuracy if one fact had been changed whether the outcome would’ve been significantly different.”

Adobe Updates Security for Flash, Reader, Acrobat

Threatpost for B2B - Tue, 01/14/2014 - 15:50

Adobe has issued security bulletins addressing five critical vulnerabilities in its Flash, Reader and Acrobat Players that could give attackers the ability to cause crashes and wrest control of affected machines.

Adobe claims it is not aware of any in-the-wild exploits targeting these bugs.

CVE-2014-0491 and CVE-2014-0492, reported by Masato Kinugawa and the Zero Day Initiative respectively, resolve problems in Adobe Flash and AIR. Users will need to update Flash Player 11.9.900.170 and earlier versions for Windows and Mac and and earlier versions for Linux. Users of Adobe AIR, including versions and earlier for Windows, Mac, Android, SDK, and compiler, will need to update those systems as well.

All the Flash bugs received Adobe’s highest priority rating while the AIR bugs received its lowest.

Gynvael Coldwind and Mateusz Jurczyk of Google’s security team discovered CVE-2014-0493 and CVE-2014-0495, while a researcher named Saroush Dalili reported CVE-2014-0496 to Adobe. All of these bugs affect either Adobe Acrobat or Reader and received Adobe’s highest priority rating.

Affected versions include, Adobe Reader XI (11.0.05) and earlier 11.x versions for Windows and Mac, Reader X (10.1.8) and earlier 10.x versions for Windows and Mac, Acrobat XI (11.0.05) and earlier 11.x versions for Windows and Mac, and Acrobat X (10.1.8) and earlier 10.x versions for Windows and Mac.

You can find the full Flash bulletin here and the full Acrobat and Reader bulletins here.

Microsoft Patch Tuesday Security Updates Address Windows XP Zero Day

Threatpost for B2B - Tue, 01/14/2014 - 15:32

Microsoft is entering softly into 2014 with a minimalist version of Patch Tuesday, which is likely to be a welcome reprieve. Windows shops can expect a busy re-tooling year ahead as Microsoft not only ends support—including security updates—for Windows XP, but also will restrict the use of MD5 in digital certificates and bring changes to Windows Authenticode verification that could render some programs untrusted if they don’t pass muster.

All of today’s bulletins were rated “Important” by Microsoft, but experts urge prioritization of MS14-002 which is a patch for a zero-day vulnerability in Windows XP and Windows Server 2003. The vulnerability was publicly disclosed in November and is being exploited in conjunction with an Adobe Reader vulnerability. That flaw was patched by Adobe in May.

Today’s patch repairs a privilege escalation bug in the ND Proxy Driver that manages Microsoft’s Telephony API. Microsoft had released a mitigation that would have rendered the API unusable.

The vulnerability was rated important because it could not be exploited remotely. An attacker would need to log in to a system with valid credentials and run a malicious application in order to exploit the vulnerability locally.

“This was typically exploited by an attacker sending your user a spear phishing email with a bad Adobe link. Once clicked, that attacker could then gain administrator access to the machine,” said Russ Ernst of Lumension. “Keeping your Adobe applications fully patched will mitigate this vulnerability, but it’s important to apply MS14-002 as a defense in depth.”

Microsoft also patched a remote code execution bug in Microsoft Word and Office Web applications that merits attention, experts said. MS14-001 patches three vulnerabilities that could allow an attacker to remotely run code on a compromised machine; the hacker would have to entice the victim to open an infected attachment. The update patches Microsoft Word 2003, 2007, 2010, 2013, and 2013RT, and Office services and Web apps supported on SharePoint Server 2010, 2013 and Microsoft Web Apps Server 2013.

“On their own these vulnerabilities might not be critical, but combined they can be much more serious,” said Ben Hayak, a researcher with Trustwave’s SpiderLabs. “If an attacker used a malicious Office document to execute code that takes advantage of the privilege elevation vulnerability, then a phishing email to an unsuspecting user would be all that’s necessary.”

Microsoft also addressed another privilege escalation bug in Windows with MS14-003. This bulletin patches one vulnerability in Widows Kernel-Mode Drivers that can be exploited only with local access and valid credentials. Windows 7 and Windows Server 2008 R2 are affected by this vulnerability, Microsoft said.

“The vulnerability occurs when the driver improperly uses window handle thread-owned objects,” said Marc Maiffret, CTO of BeyondTrust. “Attackers can exploit this vulnerability to gain the ability to execute arbitrary code in the context of the kernel. This is very similar to the vulnerability fixed by MS14-002, which also provides attackers kernel level privileges if properly exploited.”

The final bulletin, MS14-004, patches a denial-of-service flaw in Microsoft Dynamics AX. An attacker could exploit the vulnerability by sending malicious data to an AX Application Object Server instance, causing it to stop responding to client requests, Microsoft said.

“This is a server side vulnerability and note that the updated service will not automatically restart, so if you are applicable, it would be best practice to manually restart the impacted service after applying the update,” Lumension’s Ernst said.

Microsoft also re-released MS13-081, addressing a stability issue that caused the original update to fail or partially install on some systems with third-party USB drivers, Microsoft said.

Google Blocks Malicious File Downloads Automatically in Chrome

Threatpost for B2B - Tue, 01/14/2014 - 15:27

Google has fixed five vulnerabilities in its Chrome browser and also has activated a feature that will block malicious file downloads automatically. The change is a major security upgrade for Chrome and will help prevent users from unwittingly downloading harmful files, an attack vector that attackers count on for the success of drive-by downloads and other attacks.

Attackers rely on their ability to install files on victims’ machines, either with the cooperation of the user or through an automatic download in the background. That’s the essence of many Web-based attacks today and the change in Chrome will give users an extra layer of protection, even if they happen to click on a malicious file or visit a site that’s serving malware.

Along with that change to Chrome’s security, Google also fixed five separate security flaws in the browser, including one that could have been used to force the browser to sync with an attacker’s Google account. Here’s the list of the vulnerabilities patched in Chrome 32:

In addition to those vulnerabilities, reported by external researchers, Google also fixed nearly 20 other flaws that were discovered during the company’s internal security efforts.

Blog: Adobe's first Patch Tuesday of 2014

Secure List feed for B2B - Tue, 01/14/2014 - 13:59
This month's Adobe Patch Tuesday release sees fixes for Flash Player, Acrobat and Reader. All vulnerabilities get the highest priority rating.

US-CERT Warns of NTP Amplification Attacks

Threatpost for B2B - Tue, 01/14/2014 - 13:45

US-CERT has issued an advisory that warns enterprises about distributed denial of service attacks flooding networks with massive amounts of UDP traffic using publicly available network time protocol (NTP) servers.

Known as NTP amplification attacks, hackers are exploiting something known as the monlist feature in NTP servers, also known as MON_GETLIST, which returns the IP address of the last 600 machines interacting with an NTP server. Monlists is a classic set-and-forget feature and is used generally to sync clocks between servers and computers. The protocol is vulnerable to hackers making forged REQ_MON_GETLIST requests enabling traffic amplification.

“This response is much bigger than the request sent making it ideal for an amplification attack,” said John Graham-Cumming of Cloudflare.

According to US-CERT, the MON_GETLIST command allows admins to query NTP servers for traffic counts. Attackers are sending this command to vulnerable NTP servers with the source address spoofed as the victim.

“Due to the spoofed source address, when the NTP server sends the response it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim,” the US-CERT advisory says. “Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks.”

To mitigate these attacks, US-CERT advises disabling the monlist or upgrade to NTP version 4.2.7, which also disables monlist.

NTP amplification attacks have been blamed for recent DDoS attacks against popular online games such as League of Legends, Battle.net and others. Ars Technica today reported that the gaming servers were hit with up to 100 Gbps of UDP traffic. Similar traffic amounts were used to take down American banks and financial institutions last year in allegedly politically motivated attacks.

“Unfortunately, the simple UDP-based NTP protocol is prone to amplification attacks because it will reply to a packet with a spoofed source IP address and because at least one of its built-in commands will send a long reply to a short request,” Graham-Cumming said. “That makes it ideal as a DDoS tool.”

Graham-Cumming added that an attacker who retrieves a list of open NTP servers, which can be located online using available Metasploit or Nmap modules that will find NTP servers that support monlist.

Graham-Cumming demonstrated an example of the type of amplification possible in such an attack. He used the MON_GETLIST command on a NTP server, sending a request packet 234 bytes long. He said the response was split across 10 packets and was 4,460 bytes long.

“That’s an amplification factor of 19x and because the response is sent in many packets an attack using this would consume a large amount of bandwidth and have a high packet rate,” Graham-Cumming said.

“This particular NTP server only had 55 addresses to tell me about. Each response packet contains 6 addresses (with one short packet at the end), so a busy server that responded with the maximum 600 addresses would send 100 packets for a total of over 48k in response to just 234 bytes. That’s an amplification factor of 206x!”

Rich Mogull on the Target Data Breach

Threatpost for B2B - Tue, 01/14/2014 - 13:44

Dennis Fisher talks with Rich Mogull of Securosis about the Target data breach, how the attack may have worked, why these breaches are still so common and what can be done to improve the situation.



Java Version of Icefog Espionage Campaign Hit 3 US Oil, Gas Companies

Threatpost for B2B - Tue, 01/14/2014 - 12:46

When the curtain was peeled back on the Icefog targeted espionage campaign in September, a new type of operator was unveiled, one that took the persistence out of advanced persistent threats (APT).

Researchers at Kaspersky Lab noted in uncovering Icefog that the attacks against the defense supply chain—including military contractors, ship builders, satellite operators, high tech companies and others in Japan and South Korea—were hit-and-run operations. Icefog was likely pulled off by a small group of attackers, one that used a mix of custom malware and attacks against known vulnerabilities in Windows and Mac OS X machines. The group knew its victim, knew what it needed from a campaign, and once that objective was achieved, the target was abandoned.

This goes against the grain of APT attacks where an organization is likely owned for a considerable amount of time as hackers pivot about internally under the cover of poor detection mechanisms or stolen credentials.

Icefog went dark after the September report, but researchers at Kaspersky Lab continued to dig into domains used in the attack that had been sinkholed by the security company, as well as looking at victim connections. This morning, additional details on the attack emerge that indicate the attackers also had a Java version of the campaign in their arsenal and used that to target three oil and gas companies in the United States.

The three companies were notified, and two have rid themselves of the infection, Kaspersky Lab said today. Individuals within these companies were likely duped by a phishing email that contained an Office exploit. Once inside, the attacks launched the Java-based attacks, dubbed Javafog, and also used a new command and control for backdoor communication. The Java attacks, Kaspersky Lab said, would be stealthier, and in another twist on this story, give the attackers a longer-term presence.

“The focus on the US targets associated with the only known Javafog C&C could indicate a US-specific operation run by the Icefog attackers; one that was planned to take longer than usual, such as, for instance, long term collection of intelligence on the target,” said the Kaspersky report. “This brings another dimension to the Icefog gang’s operations, which appear to be more diverse than initially thought.”

The latest pieces to the puzzle came together in October when Kaspersky Lab took over an Icefog domain called lingdona[.]com. The domain was originally hosted in Hong Kong and raised suspicions because it matched other known Icefog domains. Immediately, the domain began receiving connections every 10 seconds from a Java application, a new turn since other variants used IE User-Agent strings.

Unable to find a sample of the malware connecting to lingdona[.]com, the researchers were able to find a URL submitted to a public JSUNPACK service that was hosted on a known Icefog domain that referenced a Java applet called policyapplet.jar. The researchers decoded a long hexadecimal string parameter tagged to policyapplet reference and found another Java applet with a main class JavaTool.class that was compiled in 2010.

Once installed it, latches onto the computer’s registry for persistence at start up and then begins connecting to lingdona[.]com/news and sending system information. If the attackers determine this to be a target of value, they can then send back any number of commands ordering the malware encrypt and upload local files, migrate to a new command and control server URL, or execute a string specified and upload the results.

“It allows the attackers to control the infected system and download files from it,” the Kaspersky Lab report said. “Simple, yet very effective.”

This particular operation was small; eight IPs belonging to the three U.S. oil and gas companies connected to the lingdona domain. Researchers noted as well that two of the victims updated Java from Java 1.7 update 25 to update 45.

Blog: The Icefog APT Hits US Targets With Java Backdoor

Secure List feed for B2B - Tue, 01/14/2014 - 05:30
Previously unknown version of Icefog, named Javafog, founded in the US.

Syrian Electronic Army Takes Aim at Microsoft, Xbox Twitter Accounts, Blogs

Threatpost for B2B - Mon, 01/13/2014 - 15:30

Just a few days after it hacked Microsoft’s Skype blog and Twitter account, the Syrian Electronic Army (SEA) took to some of the company’s other social media accounts over the weekend, hacking both its @MSFTNews and @XboxSupport Twitter handles along with the company’s official blog.

It all started Saturday when the SEA’s primary Twitter account, @Official_SEA16, posted screenshots of Xbox’s Instagram and Twitter accounts,  hacking them to apparently promote a fake game “Syrian Arab Army: Fighting the Terrorists.”

From there the account posted screenshots of a compromised @MSFTNews account, Microsoft’s verified news Twitter handle. The account was hijacked to display re-tweets from the SEA account, a Syrian flag and a warning: “Don’t use Microsoft emails (hotmail, outlook), They are monitoring you accounts and selling the data to the governments. #SEA @Official_SEA16.”

The post reiterated the same anti-surveillance message – word for word – that the SEA broadcast over Skype’s Twitter account last week.

Meanwhile Microsoft’s official blog, hosted on Technet, the company’s blog network, was rigged to display a series of pro-Syrian sentiments (SEA Was Here… Long live Syria! etc.) before redirecting some users to the SEA’s website.

The same SEA Twitter account went on to tweet screenshots purportedly taken from conversations between Microsoft insiders – although it isn’t entirely clear if the SEA had direct access to Microsoft employee emails.

Microsoft dealt with the hacks swiftly on Saturday – compromised accounts remained offline for just a few hours – but the company insisted that no customer information was compromised by the hack.

“Microsoft is aware of targeted cyberattacks that temporarily affected the Xbox Support and Microsoft News Twitter accounts. The accounts were quickly reset and we can confirm that no customer information was compromised,” the statement read.

A SEA member that goes by the pseudonym “Syrian Eagle” told Mashable over the weekend the group has more documents and details it has yet to publish and warned the attack was “just the beginning.” Further comments made by “Syrian Eagle” went on to echo the group’s anti-surveillance stance.

The Microsoft hacks are the latest in a long line of attacks by the pro-Syrian group. Last year saw the group breach high profile media sites like the New York Times and the Washington Post but it appears the NSA surveillance revelations from the last few months and Microsoft’s alleged stance on them may have sparked a new wave of hacks.

Syndicate content