Threatpost for B2B
The Syrian Electronic Army, a group known for attacking high-profile media sites in the last year or so, has in the last few hours compromised the domain information for a large number of sites, including the New York Times home page and some of Twitter’s domains. Security researchers say that the most likely attack vector was the domain registrar used by the companies.
Both the Times and Twitter, as well as a long list of other companies including Google and Yahoo, use a company called Melbourne IT as a domain registrar. Researchers following the attack say that the WHOIS and domain information for the Times and Twitter domains was changing back and forth between legitimate data and the hacked SEA data for much of the last few hours. The Times home page was offline sporadically Tuesday afternoon and the paper reported that the company’s CIO told employees to be cautious sending email “until this situation is resolved”.
The SEA’s attack enabled the group to redirect visitors to the affected sites to a server controlled by the attackers. Researchers say that the attackers also could have the ability to redirect email, Web and other traffic from the compromised sites.
“All three domains use MelbourneIT as their domain registrar. Once access to the registrar is obtained, the SEA can redirect all DNS, email, and web traffic going to these sites to a server of their choosing,” said HD Moore, chief research officer at Rapid7.
Around 5 pm EDT Tuesday the SEA tweeted a picture of a WHOIS record showing the compromised data. About 90 minutes later they tweeted a picture of a number of Twitter’s domain names in what appeared to be a registrar’s back end. The tweet’s text said, “Twitter, are you ready?”
The domains compromised by the SEA included a pair of domains used by Twitter to host images. Here’s what the WHOIS data for twitter.com looked like during the attack:
Admin Name:     SEA SEA
Admin Address:  1355 Market Street
Admin Address:  Suite 900
Admin Address:  San Francisco
Admin Address:  94103
Admin Address:  CA
Admin Address:  UNITED STATES
Admin Email:    email@example.com
Admin Phone:    +1.4152229670
Admin Fax:      +1.4152220922
The data for the Times and the other compromised Twitter domains was similar. Jaime Blasco at AlienVault Labs has a long list of the domains that have been pointing to the SEA’s server during the attack. It’s not clear how the registrar may have been compromised.
In addition to Tuesday’s attacks, the SEA also has claimed responsibility for recent attacks on the Washington Post, The Onion, the Associated Press and other media companies.
Image from Flickr photos of Alexander Torrenegra.
It’s no secret that the Web wasn’t really meant to be a secure platform, for communications or commerce or anything else. But it’s used for all of these functions every day, and for the most part they depend upon the sites they deal with using SSL and doing so correctly. That’s not always a sure bet, and SSL has had its problems in recent years. But a new browser extension for Firefox is designed to help address some of these issues by only accepting HTTPS requests.
The extension is a kind of spiritual descendant of the EFF’s HTTPS Everywhere plug-in, an extension for Google Chrome and Firefox that forces the browser to use a secure HTTPS connection whenever one is available from a given site. The HTTP Nowhere extension, written by Chris Wilper, takes a different tack to achieve a similar result. Rather than simply looking for HTTPS connections with a site, HTTP Nowhere gives the user the ability to click a button that ensures that the browser is only making and receiving HTTPS requests and rejects plaintext HTTP requests.
When a user visits a site that he wants to connect with securely, he presses the button on the browser that puts it into encrypted-only mode. The browser then rejects any insecure request during the session and informs the user each time a request is rejected.
“Since the web isn’t going to be fully encrypted anytime soon, we need to find ways to improve people’s awareness of when their communication is and is not encrypted. More conspicuous and consistently implemented visual cues would be an improvement, but those are still just passive indicators. I think something more active is needed. I call it encrypted-only mode,” Wilper said in a blog post.
“The idea is that entering this mode would provide an additional layer of protection by temporarily disabling all unencrypted traffic. It would also be a conscious decision, and therefore difficult to ignore.”
Wilper said that another benefit of the extension is that it could serve as a warning about sites that have pages that aren’t using secure connections.
“It hasn’t been tested extensively on ecommerce sites, but I can say with some confidence that if it breaks functionality of any secure sites, it’s a good indication that those sites are not as secure as their users might think. Since the extension reports on every non-https request that it blocks, it might actually serve as a good tool for auditing such sites,” Wilper said by email.
Although the HTTP Nowhere extension is only for Firefox, Wilper said he’d like to see it ported to Chrome as well.
“There’s currently not a Chrome version, but I’d like to see one developed. Either by me or a contributor. I don’t see any technical impediments to doing that at this time,” he said.
Facebook, a holdout among major technology companies in divulging figures on the numbers of government requests for its users’ data, today delivered its first semblance of a transparency report.
The Global Government Requests Report quantifies the number of data requests against how many accounts, as well as the percentage of those requests that were fulfilled.
For the first six months of this year, the U.S. government made between 11,000 and 12,000 requests covering as many as 21,000 accounts; Facebook fulfilled 79 percent of those requests. Those numbers are slightly up from June figures released in the wake of the Edward Snowden whistleblower scandal, and almost double those made to Apple during the first half of this year. In June, Google, along with Facebook, Apple, Microsoft and Yahoo, asked Attorney General Eric Holder and FBI Director Robert Mueller for permission to share more data on requests in order to refute claims that the National Security Agency had direct access to the tech giants’ user information; no response has been offered.
Facebook, meanwhile, complies with a higher percentage of requests than Google, for example, which in its last transparency report said it met 66 percent of requests, while the number of requests it fielded was close to 22,000 for the six months ending 2012. Facebook said it will regularly produce such reports with more detail.
“We scrutinize each request for legal sufficiency under our terms and the strict letter of the law, and require a detailed description of the legal and factual bases for each request,” Facebook general counsel Colin Stretch wrote in the report. “We fight many of these requests, pushing back when we find legal deficiencies and narrowing the scope of overly broad or vague requests. When we are required to comply with a particular request, we frequently share only basic user information, such as name.”
Facebook was much more stringent in pushing back on foreign government requests, meeting 68 percent of requests from the United Kingdom, 54 percent from Greece, 53 percent from Italy, 39 percent from France and 37 percent from Germany.
“We hope this report will be useful to our users in the ongoing debate about the proper standards for government requests for user information in official investigations. And while we view this compilation as an important first report – it will not be our last,” Stretch said. “In coming reports, we hope to be able to provide even more information about the requests we receive from law enforcement authorities.”
Facebook’s U.S. numbers include not only government and law enforcement requests, but also National Security Letter requests. Details on NSL requests cannot be shared by law, throwing some question into the clarity of Facebook’s report.
Stretch, meanwhile, said Facebook will continue to be aggressive advocates for greater disclosure.
“We believe that while governments have an important responsibility to keep people safe, it is possible to do so while also being transparent,” he said. “Government transparency and public safety are not mutually exclusive ideals. Each can exist simultaneously in free and open societies, and they help make us stronger.”
The Department of Homeland Security and the FBI are warning police and fire departments as well as emergency medical service providers and other security personnel that out-of-date Android devices pose a serious security risk to those organizations. The warning came via an unclassified memo distributed to those groups and obtained by the transparency advocates at Public Intelligence.
The bulletin, issued by the DHS and FBI in late July and made public by Public Intelligence over the weekend, cites unspecified industry statistics claiming that 44 percent of Android users are running the out-of-date Gingerbread version of the operating system. Gingerbread was released in 2011. However, Google monitors the platform version of every Android device that visits the Google Play store, and the figures it has collected over the most recent 14-day period (ending August 1) indicate that 37.9 percent of visitors are running Gingerbread or earlier versions of the mobile operating system.
Regardless of which is the accurate number, both are statistically significant given that Android is the most widely used mobile operating system in the world. In fact, the latest survey from the technology research group Gartner claims that Android’s mobile operating system commanded 79 percent of the mobile market-share in the second quarter of this year. Apple’s iOS had the second biggest share, accounting for just 14.2 percent of that market.
The reason for the warning is that the Gingerbread variety of the Android operating system contains a slew of vulnerabilities fixed in later versions and is therefore vulnerable to numerous threats. The bulletin seems to indicate that federal law enforcement agencies are concerned that employees of local law enforcement and other emergency response departments are exposing critical networks to unnecessary risk by failing to update their personal devices. Corporations have been dealing with this problem for years, as bring-your-own-device policies are the ever-increasing norm at offices around the world.
Among the threats, according to the joint DHS-FBI roll call release, are premium-rate SMS Trojans, rootkits, and fake Google Play domains that attackers use to trick users into installing malicious applications. The bulletin urges users to update devices as early and as often as possible, to run an “Android security suite,” and to make sure they only download applications from the official Google Play store and avoid third party market places.
The bulletin contains a pie chart illustrating that the lion’s share of mobile malware threats target Android. According to information prepared and provided by the Office of Intelligence and Analysis’s Cyber Intelligence Analysis Division, the National Protection and Programs Directorate of the US Computer Readiness Team and the FBI’s Directorate of Intelligence, 79 percent of mobile malware targets Android, 17 percent targets Symbian, 0.7 percent targets iOS, and 0.3 percent each targets Windows Mobile and BlackBerry. The release does not supply specifics beyond that.
Drive, a variant of the do-it-yourself DDoS toolkit DirtJumper, holds a unique position among malware that organizations targeted by these debilitating attacks need to be aware of.
Researchers at Arbor Networks revealed today that a new version of Drive has been spotted with features that enable it to bypass DDoS mitigation techniques. That capability could force enterprises that employ particular mitigation strategies to shun them going forward, otherwise they stand the risk of whitelisting the malware behind these attacks.
Some of the mitigations that are now relatively obsolete include the set-cookie challenge, in which the mitigation device answers a first request with a Set-Cookie header and only treats clients that present that cookie on subsequent requests as legitimate. The malware is now capable of parsing out either the cookie value or a new URL location and using those values in subsequent requests, making them look like legitimate traffic. Similarly, a bot can look for a redirect upon making an HTTP request, parse out the URL and follow that redirect in any requests that follow.
“Those are some of the common, basic, low-level mitigations,” said Jason Jones, a researcher with Arbor’s Security Engineering and Response Team (ASERT), adding they will start recommending to customers under active attack to start turning off these mitigations, forcing them to rely on more advanced techniques to stem high-volume attacks. “This makes us think more about how we communicate stuff to customers; we have to think on our feet more because of this.”
Drive and DirtJumper are toolkits that facilitate creation of a homegrown botnet fairly quickly and without the need for a lot of technical savvy on the attacker’s end. It’s thought to be a Russian kit and has been in circulation for at least two years; an upgrade made in June enhanced the DDoS engine and researchers saw the malware connect with 15 unique command and control servers that enable simultaneous attacks on dozens of targets.
For now, the latest Drive capabilities have been found in a handful of samples, Arbor’s Jones said.
“These are diverging much more from older DirtJumpers,” Jones said. “It’s a step up on their hand. I haven’t seen DDoS malware before with mitigation bypass. We’re not sure how widespread it is; someone is at least testing how it works.”
He said he’s seen four new attacks coming out of this variant, but only one with the mitigation bypass capabilities, called -smart. The least interesting, according to Jones, is called -icmp, which attempts to flood a target with standard ICMP echo requests.
Jones said he has not figured out the purpose of another attack called -byte. It sends only one random lowercase alphabetic byte before a socket is closed. This attack targets port 80 and it can also send small payloads toward a target.
The fourth attack is called -long because it tries to keep a socket open for a period of time while sending data.
“A random payload is generated and sent, and then the bot randomly sleeps for two to six seconds before executing the send up to 10240 times,” Jones said. “It seems unlikely that this attack will succeed for the maximum time as most services will close a socket upon receiving malformed data defined by their service, but it is possible some may not and allow the attack to continue long enough to exhaust available connections.”
Jones speculates that more websites are likely adding DDoS mitigation technologies or appliances, forcing Drive authors to up their game.
“Their customer base is probably clamoring for it like a normal software business would,” he said. “They want updates so the authors have to figure out what the mitigations are doing and this is what they came up with.”
Dennis Fisher talks with Jeremiah Grossman about his days cobbling together old x86 machines, designing Web sites in the heyday of the spinning GIF, becoming Yahoo’s first hacker and then founding WhiteHat Security.
As political and financial leaders from around the world gear up for the upcoming G20 Summit, attackers have been making their plans, as well. A spate of known cyberespionage groups have been using the summit as a lure for new waves of attacks, and security researchers say one of the groups is likely the same one that was responsible for the attack on the New York Times earlier this year.
The group behind that operation is known as Calc Team, and it’s a team that security researchers have been watching for several years as it goes after various targets. Now, the team has turned its focus to the powerful bankers, politicians and world leaders who are heading to Russia for the G20 Summit or are following the event from afar. The attacks use social engineering and spear-phishing with documents, many of them copies of legitimate ones associated with the summit, that are loaded with embedded PDFs and malware with keylogging and other capabilities. These attacks by Calc Team have been going on since at least May, researchers from Rapid7 say.
“Generally, I believe the majority of the targets all are somewhat involved in financial policy making/banking and so on,” Claudio Guarnieri, a security researcher at Rapid7 who did the research into Calc Team, said by email.
The attackers are using several different documents in the campaigns, but all of the malware is from the same family and all of the samples call out to the same IP address for command and control purposes. Each of the malware samples includes a Windows executable with a PDF embedded inside. When the user runs the executable file, it will display a PDF as a distraction for the installation of the malware in the background. The displayed document is one of several G20-themed documents. One of the attacks is using a document that is a copy of a real paper that describes the Russian administration’s preparations for the summit in St. Petersburg, while another is related to the Global Partnership for Financial Inclusion.
“Both are clearly Windows executable files that try to disguise themselves as PDF documents. As commonly happens, no exploit has been used here and the attacker relied solely on social engineering the targets to open and execute the files contained in the archive,” Guarnieri wrote in a detailed analysis of the attacks.
“Upon execution, both these files extract an actual embedded PDF to the %Temp% folder and display them to the victim, in order to not raise suspicion.”
Guarnieri said that the samples of the malware that have been uploaded to VirusTotal thus far have come from all over the map, including Canada, France and Hungary. While the documents used as bait in the attacks vary, the malware dropped on infected machines is similar and is used to download more malware and log users’ keystrokes.
“Clearly, these samples are just an initial stage of a larger suite of malware, possibly including Aumlib and Ixeshe, which it will try to download from a fixed list of URLs embedded in the binary,” Guarnieri said. “While this download procedure is running on a separate thread, the malware continues into its main procedure by initiating its keylogging functionality. In order to intercept keystrokes, the malware constantly loops through an embedded list of keys and checks the state for each key with the GetKeyState Windows API.”
The IP address of the C&C server used in these attacks resolves to a machine at UbiquityServers, a hosting company in Chicago. The IP address is hosting a long list of domains and VirusTotal data on the address, 188.8.131.52, shows that there are a number of malicious files being downloaded from the address. Some of the files are detected by a handful of AV companies, while others are undetected at this point.
Guarnieri said that there are other groups using G20-themed attacks as well, and he’s in the process of analyzing them. He added that it’s somewhat odd that the Calc Team hasn’t curtailed its operations after being exposed publicly following the New York Times attack.
“Assuming that the chain of attribution to Calc is correct, it’s interesting to observe that despite major international exposure after the New York Times incident, the intrusion group/s behind these attacks is still operational and doesn’t seem to have been affected by the sudden attention received by newspapers and researchers,” he said.
“Unfortunately we have no visibility into the result of the attacks and whether the operators managed to be successful, but it’s remarkable that despite the high profile of the average target of these espionage operations, the tactics and tools adopted are not as sophisticated as one would expect.”
Image from Flickr photos of Arian Zwegers.
An attacker is going to a lot of trouble to post spam messages to Craigslist.
Researchers at Solera Networks have come across an attack where malware is using compromised machines to post poorly worded ads for an Android application marketed at parents for the purposes of monitoring the activities of their teens. The software reportedly tracks the device’s location, as well as SMS and phone logs.
Three command and control servers have been discovered and are linked to this attack; while two of them are privately registered, a third is registered to a U.S.-based individual with the same name, city and state as the person on the manifest for the StealthNanny app in question, said Andrew Brandt, director of threat research.
While the attack isn’t especially malicious and likely to be flagged as a potentially unwanted application by most antivirus products, it does go to great lengths to bypass Craigslist’s spam prevention mechanisms. For example, before an ad goes live on Craigslist, the submitter must click on a link in a separate validation email sent from Craigslist. The malware retrieves that email from Craigslist from a domain called myemail3[.]info that hosts the three C&C servers. Brandt said the full text is delivered, including headers and the message.
“The bot goes through the log, parses out the validation links from Craigslist and clicks them,” Brandt said. “That makes it live and bypasses their spam filtering.”
Compromised machines, meanwhile, are able to make only one post per day, or in some cases, only one post per infected machine. Brandt said the attacks have been going on for a few weeks and the posts do get flagged as spam fairly quickly. Posts are made to random categories on Craigslist, some that make sense such as baby and kid stuff, and others that don’t in categories such as tickets for sale.
Brandt said he is unaware of how the initial infection happens; he first saw the attack on the Emerging Threats list. Researchers there shared a Snort signature for this attack and a link to download the malware being used. Brandt said he ran it on a number of virtual machines, and each time the malware connected to a command and control server, which returned data that included an Outlook.com email address and password and the body of the Craigslist post. It also makes an SSL connection to Craigslist and uses the site’s own systems to figure out the best local Craigslist in which to post, Brandt said.
Brandt added that the initial infection vector is still unknown, but there is a link being promoted that encourages the victim to visit a site to look at images. The images on the attack site are broken, and the user sees a pop-up informing them of a missing plug-in called Adobe Photo Loader, which does not exist. When the user clicks on the installation link, the malicious executable is pushed to their machine.
“I haven’t seen the front end of this attack, I don’t know how people get there,” Brandt said. “But it is checking its email inbox with dozens of messages in there, so the guy is getting infections.”
The attacker is also dropping two other pieces of malware: one an ad clicker that’s likely part of a click-fraud campaign, and another that just checks in repeatedly with a command and control server.
Brandt said he has tried to reach out to Craigslist to no avail; an email from Threatpost was not answered in time for publication either. In the meantime he said he is compiling a list of Outlook addresses from the bot and plans to share those with Microsoft.
“This is not a massive attack, but it’s interesting to me to see the lengths people will go through to bypass spam filtering on a service,” Brandt said. “It seems like it’s becoming more common for malware that’s purpose-built to become commonly available to use.”
By tweaking the firmware on certain kinds of phones, a hacker could make it so other phones in the area are unable to receive incoming calls or SMS messages, according to research presented at the USENIX Security Symposium earlier this month.
The hack involves modifying the baseband processor on some Motorola phones and tricking some older 2G GSM networks into not delivering calls and messages. By “watching” the messages sent from phone towers and not delivering them to users, the hack could effectively shut down some small localized mobile networks.
The technique was discussed in detail in a talk at USENIX by Kévin Redon, a Berlin-based telecommunications researcher. The research by Redon, who was joined by fellow researchers Nico Golde and Jean-Pierre Seifert, is available on USENIX’s website in video, slideshow (.PDF) and white paper format (.PDF).
Essentially, the modified firmware, named OsmocomBB, can block some calls and messages (the paging messages, or pages, that announce them) by responding to them before the phones that were intended to receive them do, something Redon and company called during their research “the race for the fastest paging response time.”
The paper notes that while 4G has been rolled out en masse in most countries, most of the globe remains at the mercy of the Global System for Mobile Communications (GSM) infrastructure.
GSM had been notoriously difficult to crack in its early days, but the group had help thanks to the recent proliferation of cheap tools such as the Universal Software Radio Peripheral, a glorified computer-hosted software radio. In 2004, the source code for the Vitelcom TSM30 phone was leaked as well, which allowed researchers to better manipulate and study GSM stack implementations.
The researchers loaded their OsmocomBB baseband firmware (which ran a simple version of the GSM stack) onto two different Motorola phones, the C123 and the C118, to observe on-air traffic and respond to specific paging requests, or calls.
The exploit’s success generally depends on the response time of the attacker and victim devices. The researchers’ timing differs depending on the device, vendor and network – but according to their research, Redon and company were able to get their hacked phones to respond to signals in about 180 milliseconds.
While the investigation was primarily conducted in and around Berlin, the trio claims it’s possible to “perform targeted denial of service attacks against single subscribers and as well against large geographical regions within a metropolitan area,” suggesting the hack can be adapted regardless of the setting.
The trio was able to carry out the attack on a variety of German cell phone operators including O2, Vodafone, T-Mobile and E-Plus.
It would clearly take more than one phone, almost a mobile phone botnet of sorts, to disrupt an entire channel and answer all of the “paging requests.” For example, the researchers conclude that they could knock down a localized network belonging to E-Plus, the third largest mobile operator in Germany, with only 11 phones.
“The results indicate the required resources for a large-scale attack do not extensively exhaust the resources provided by a cell,” the paper says, adding that there “is no technical limitation” when it comes to combining cell phones for an attack.
The group is hoping their research brings to light the archaic GSM system that hasn’t changed much since the 1980s – and breaks the “inherent trust” subscribers have placed in telecommunication companies and their users to “play by the rules.”
Long fingered as the source of denial-of-service attacks and other hacks against foreign interests, China’s .cn domain was targeted on Sunday and approximately one-third of the sites registered to that domain were kept offline for a period of time. A statement from the China Internet Network Information Center blamed the outage on the largest ever denial of service attack the country has faced.
Service was reportedly returned to normal Sunday, hours after the attack began. CNNIC apologized to its users for slow and interrupted access to the Internet and said that DNS-specific security contingency plans were under way. The center also condemned the attack, which began at 4 a.m. UTC and intensified two hours later, though the source of the attack was not identified.
Security services company Cloudflare was quoted in a Wall Street Journal article that the attack targeted a registry for the .cn top-level domain. The company said during the peak of the attack that traffic to thousands of domains dropped more than 30 percent compared to the previous 24 hours.
Initially, Cloudflare CEO Matthew Prince blamed the outage on a technical error.
“What could have happened is that an attacker likely found a bottleneck in the registry infrastructure overwhelmed it with traffic to make it unavailable,” Prince told Threatpost.
Prince said the attacks lasted upwards of four hours before they were mitigated.
“The DNS system has a series of caches with a time-to-live on them, so any recursive DNS provider upstream, if they had the entry cached and it didn’t expire during that four-hour window, it wouldn’t be a problem,” Prince said. “Otherwise, the DNS lookup would have failed. So it’s not that one-third of the domains were not available, it’s that one-third of the visitors to the .cn domain were not able to access those sites.”
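Prince’s point about caches and time-to-live values explains why only a share of visitors was cut off. The following simulation is an added example, not code from Threatpost or Cloudflare: it models a recursive resolver that keeps answering from cache until the record’s TTL expires, so an authoritative outage is only visible to resolvers whose entry expires inside the outage window. The TTL, outage length and query pattern are constructed numbers, not figures from the .cn incident.

```python
"""Model how recursive-resolver caching masks an authoritative DNS outage.

Added example (not from the article or from Cloudflare). It illustrates
Matthew Prince's explanation: a resolver with an unexpired cached record
keeps serving it during the outage, while one whose entry expired (or was
never cached) gets a failed lookup. All numbers are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class RecursiveResolver:
    ttl: int                                   # seconds set by the zone on the record
    cache: dict = field(default_factory=dict)  # name -> expiry timestamp

    def lookup(self, name, now, authoritative_up):
        """Return True if the query can be answered at time `now` (seconds)."""
        expiry = self.cache.get(name)
        if expiry is not None and now < expiry:
            return True           # served from cache; the outage is invisible
        if not authoritative_up:
            return False          # cache miss or expired, and upstream is down
        self.cache[name] = now + self.ttl   # refresh from the authoritative servers
        return True


def simulate(ttl, outage_start, outage_end, query_interval, horizon):
    """Count failed lookups for one resolver that queries one (constructed)
    name every `query_interval` seconds, with the authoritative servers
    unreachable during [outage_start, outage_end). Returns (failures, total)."""
    resolver = RecursiveResolver(ttl)
    failures = total = 0
    for now in range(0, horizon, query_interval):
        up = not (outage_start <= now < outage_end)
        total += 1
        if not resolver.lookup("example.invalid", now, up):
            failures += 1
    return failures, total


def fraction_of_resolvers_failing(ttl, outage_seconds, n_resolvers):
    """Share of resolvers whose cached entry expires during an outage that
    starts at t=0, assuming their last refreshes are spread evenly over the
    TTL window. A resolver whose entry outlives the outage never notices it."""
    failing = 0
    for i in range(n_resolvers):
        phase = ttl * i / n_resolvers   # seconds since this resolver's last refresh
        expiry = ttl - phase            # seconds until its cached entry expires
        if expiry < outage_seconds:
            failing += 1
    return failing / n_resolvers


if __name__ == "__main__":
    # One resolver, 1-hour TTL, a 4-hour outage starting 2 hours in, 10-minute polling.
    print(simulate(ttl=3600, outage_start=7200, outage_end=21600,
                   query_interval=600, horizon=28800))
    # With a 1-day TTL only the resolvers whose entries expire inside a
    # 4-hour outage are affected; with a 1-hour TTL every resolver is.
    print(fraction_of_resolvers_failing(86400, 4 * 3600, 24))
    print(fraction_of_resolvers_failing(3600, 4 * 3600, 10))
```

The second function is the one-line arithmetic behind Prince’s “one-third of the visitors” remark: for a TTL longer than the outage, roughly outage length divided by TTL of the resolver population sees failures; for a TTL shorter than the outage, all of them do.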
Arbor Networks director of research Dan Holden said his company’s ATLAS research team also monitored the attacks and witnessed approximately a 4x increase over average traffic.
“The number of attacks more than doubled and ATLAS traffic statistics show a significant increase in attack size, indicating a serious attack was carried out,” Holden said in an email.
Banks and other financial institutions in the United States have been targeted by large distributed denial of service attacks since September. Unprecedented levels of traffic have been pointed at high profile organizations such as Bank of America, PNC, JP Morgan and others, keeping online banking services unavailable for periods of time and forcing banks to spend significant money on mitigation.
While a hacktivist group known as the Izz ad-Din al-Qassam Cyber Fighters claimed responsibility for at least three phases of these attacks in numerous Pastebin posts, the size and funding of the attacks left some in the security and political communities skeptical as to the source. Some blamed the Iranian government while others pointed toward China. Whoever was behind the banking DDoS attacks set a high bar using automated toolkits, including Brobot, to carry out high-volume attacks of upwards of 70-100 GBps against simultaneous targets. The bank attackers also used compromised web servers to fire off these requests, using first simple Google searches to find vulnerable servers that were easily exploitable.
“DDoS attacks are the equivalent of a caveman with a club,” Prince said. “These often don’t take masterminds to execute. All that’s necessary is ability to generate more traffic than some part of the infrastructure they’re attacking can withstand.
“What is unknown is how much infrastructure .cn had backing it up,” Prince said. “Some TLD with limited resources could be vulnerable to attack like that. What this demonstrates is this race to have cute domain names shows you have to verify whether the domain you’re registering for has the infrastructure to withstand attacks.”
A security researcher has discovered a vulnerability in Pinterest, the rapidly growing social network, that enables an attacker who knows a target’s username or user ID to discover that user’s email address. The bug is quite simple to exploit and could give an ambitious attacker a huge target list for phishing attacks.
The researcher who discovered the vulnerability, Dan Melamed, said that the Pinterest security team responded to his report quickly and has patched the bug already. The vulnerability is about as simple as they come. Melamed discovered that by replacing a short string in a specific Pinterest URL with a user’s username or user ID, he could return a page that showed him the target’s email address. The trick worked with any username.
So, a link that looks like the one below will show the attacker the email address for the user Pinterest.
“The link above will show the email address that belongs to the user ‘pinterest’. This flaw works with any user on Pinterest. It works with either a username or a user id. And it works with any access token,” Melamed said in a blog post explaining the vulnerability. “A solution to this problem is to check the owner of the access token against the user whose information is being requested.”
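The flaw and the fix Melamed describes, as an added example that is not Pinterest’s code: a profile lookup that accepts a username or user id and returns the email address, first with the access token merely checked for validity, then with the token’s owner compared against the requested user. The user directory, token names and function names are all constructed for this illustration.

```python
"""Constructed sample data: a user directory keyed by user id and a token
table mapping each access token to the id of the user who owns it.
Names and shapes here are assumptions for the example, not a real API."""
USERS = {
    101: {"username": "pinterest", "email": "team@example.com"},
    202: {"username": "alice", "email": "alice@example.com"},
    303: {"username": "mallory", "email": "mallory@example.com"},
}
TOKENS = {"tok-alice": 202, "tok-mallory": 303}


class AuthError(Exception):
    pass


def _resolve(user_ref):
    """Accept a numeric user id or a username; return the user id, or None."""
    if str(user_ref).isdigit():
        uid = int(user_ref)
        return uid if uid in USERS else None
    for uid, user in USERS.items():
        if user["username"] == user_ref:
            return uid
    return None


def get_email_vulnerable(access_token, user_ref):
    """Before: the token is only checked for validity, so any token holder
    can read any user's email address (the reported flaw)."""
    if access_token not in TOKENS:
        raise AuthError("invalid access token")
    uid = _resolve(user_ref)
    if uid is None:
        raise AuthError("unknown user")
    return USERS[uid]["email"]


def get_email_fixed(access_token, user_ref):
    """After: the requested user must be the token's owner. The reference is
    compared against the owner's own record only, so the caller learns
    nothing about other accounts, not even whether a username exists."""
    owner = TOKENS.get(access_token)
    if owner is None:
        raise AuthError("invalid access token")
    me = USERS[owner]
    if str(user_ref) not in (str(owner), me["username"]):
        raise AuthError("access token does not belong to the requested user")
    return me["email"]


def is_denied(handler, access_token, user_ref):
    """True when the handler refuses the request; used to compare versions."""
    try:
        handler(access_token, user_ref)
        return False
    except AuthError:
        return True
```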
Melamed said that he discovered a similar flaw in StumbleUpon, which was more severe, in that it enabled him to find the user’s full name, email address, age, gender and location. That flaw has been patched as well.
Pinterest has slowly been drawing more attention from attackers in the last year or two as the site has been growing in popularity and scope. Last year, the site had to move to lock down some users’ accounts after widespread reports of account compromises. A few months earlier, scammers had targeted Pinterest users in a phishing scam, too.
Norwich University, a small military college nestled in the Green Mountains of Vermont, secured another round of funding for cybersecurity research this week. The grant, $9.9 million in federal funds, will feed into a project that ensures groups in the private and public sector can better plan for cyberattacks.
Senator Patrick Leahy (D-VT) announced the news Thursday in a press conference at the school in Northfield, Vt.
The school’s Applied Research Institute (NUARI) is receiving the money for use in its Distributed Environment for Critical Infrastructure Decision-making Exercises (DECIDE) program. The software being developed by the program essentially helps multiple corporations defend against cyber attacks.
DECIDE falls under the Homeland Security umbrella and is funded through the DHS’s Science and Technology directorate and a group that is sort of like the DHS’s DARPA, the Homeland Security Advanced Research Projects Agency (HSARPA).
The institute plans to update the program to “improve the exercise’s user interface and to expand the segments of the financial industry that can be involved in such exercises in the future,” according to a press release issued in tandem with Leahy’s visit yesterday.
The contract for the simulation-based cyber exercise tool is expected to add about a dozen jobs at the institute, according to reports.
NUARI’s President Phil Susmann continues to see DECIDE as a beneficial learning experience.
“Realistic training, with measurable consequences to an organization’s value chain, encourages individual and institutional information sharing, cooperation and coordination,” Susmann said Thursday.
It’s the second round of funding that Leahy, who also serves as the most senior member of the Senate’s Appropriations Committee and of its Defense Subcommittee, has helped the school secure.
In 2009 Leahy helped the school get $7.7 million to train police and fire departments in computer security skills and lay the groundwork for DECIDE – which at the time was known as WebDECIDE. In 2010 the school landed an additional $1.6 million through the Homeland Security National Training Program.
Vermont doesn’t exactly have a reputation for being a cybersecurity hub, but Norwich has actually enjoyed over a decade in the spotlight. In 2002 Congress named it a national resource for counterterrorism and cyber crime, and in 2003 the National Science Foundation (NSF) donated $2.4 million in scholarships for those studying information assurance or computer science. Over the past few years, as the real-world implications of cyber attacks have become more fully realized, so has the school’s profile.
*Patrick Leahy image via the Secretary of Defense’s Flickr photostream, Creative Commons
*Norwich University image via btaroli’s Flickr photostream, Creative Commons
The Mozilla security team is developing a new proposed standard that will make it easier for researchers to integrate some of their tools with Firefox and other browsers. The standard, known as Plug-n-Hack, is an open project that Mozilla hopes will be adopted by researchers and tool makers.
A lot of security research is done via the browser these days and integrating custom testing tools with various browsers can be a time-consuming task. So the Mozilla team was looking for a way to make this process simpler and faster and came up with the concept of Plug-n-Hack, which serves as a go-between for browsers and security tools.
“Without integration between security tools and browsers, a user must often switch between the tool and their browser several times to perform a simple task, such as intercepting an HTTP(S) request. PnH allows security tools to declare the functionality that they support which is suitable for invoking directly from the browser,” Simon Bennetts of Mozilla said in a blog post.
“A browser that supports PnH can then allow the user to invoke such functionality without having to switch to and from the tool. While some of the PnH capabilities do have a fixed meaning, particularly around proxy configuration, most of the capabilities are completely generic, allowing tools to expose whatever functionality they want.”
The current version of the Plug-n-Hack protocol has been implemented in Firefox, but Bennetts said that the company hopes other browser vendors and security researchers will incorporate it into their tools and applications. The protocol already has been integrated with the OWASP Zed Attack Proxy, a pen-testing framework.
“The next phase of PnH is still being planned but is intended to allow browsers to advertise their capabilities to security tools. This will allow the tools to obtain information directly from the browser, and even use the browser as an extension of the tool,” Bennetts said.
“While this project has been started by the Mozilla Security Team and has been validated with Firefox and OWASP ZAP, this is an open project and we welcome involvement from anyone, especially people working on other browsers and security tools.”
Image from Flickr photos of Paul Schultz.
Like most major Web and software companies, Facebook receives a lot of bug reports. And since the company started its bug bounty program, security researchers have become even more interested in looking for vulnerabilities in the Facebook ecosystem. But, as one researcher learned recently, not all bugs are created equal, and Facebook doesn’t like people messing with its users–or its executives.
That researcher, Khalil Shreateh, discovered a bug in the Facebook platform that enabled him–or any other user–to post comments on the walls of other users who aren’t their friends. That shouldn’t be possible under normal circumstances, so Shreateh reported the problem to Facebook through its bug bounty program, hoping to earn a reward from the company. Instead, the company told him that the issue wasn’t a vulnerability. So Shreateh went a step further and demonstrated the technique by posting a message to the wall of Facebook founder Mark Zuckerberg.
That got Facebook’s attention. But it didn’t get him a reward. Instead, Facebook temporarily disabled his account and told him he had violated the company’s terms of service, so he wasn’t eligible for a bug bounty. As it turns out, Shreateh is going to get a lot more than the $500 or so he would’ve gotten from Facebook.
On Aug. 19, after details of the incident became public, Marc Maiffret, a well-known security researcher and CTO of BeyondTrust, started a crowdfunding campaign to get Shreateh a reward for his work. As of Aug. 23, that campaign has raised more than $12,000 and Maiffret is in the process of transferring the funds to the researcher.
“I hope this has raised awareness of the importance of independent researchers. I equally hope it has reminded other researchers that while working with technology companies can sometimes be frustrating, we can never forget the greater goal; to help the Internet community at large, just as that community has helped donate over ten thousand dollars to Khalil within a day,” Maiffret said in a statement on the fund-raising site.
The episode with Facebook and Shreateh isn’t the first time that a researcher and a company have been at odds over the value of a bug and whether it qualifies for a reward. In May, PayPal officials butted heads with a teenage German security researcher who reported a cross-site scripting flaw to the company. PayPal acknowledged the flaw, but refused to pay a reward to 17-year-old Robert Kugler, saying that he was too young to qualify, because participants are required to have a valid PayPal account, and the minimum age for that is 18. PayPal officials also told Kugler that another researcher had reported the same bug before Kugler did.
Image from Flickr photos of epsos.de.
VMware has fixed a privilege-escalation flaw in two of its major products that could allow a local attacker to gain root privileges on a vulnerable machine. The bug affects VMware Workstation and Player on certain Linux platforms.
The vulnerability, which VMware patched on Thursday, does not enable an attacker to jump from the host operating system to the guest OS or vice versa, which mitigates some of the seriousness of the bug. VMware said that the problem affects its products running on Debian-based systems.
“VMware Workstation and Player contain a vulnerability in the handling of the vmware-mount command. A local malicious user may exploit this vulnerability to escalate their privileges to root on the host OS. The issue is present when Workstation or Player are installed on a Debian-based version of Linux,” the VMware advisory says.
“The vulnerability does not allow for privilege escalation from the Guest Operating System to the host or vice-versa. This means that host memory can not be manipulated from the Guest Operating System.”
The vulnerability affects VMware Workstation 9.x and 8.x and also Player 5.x and 4.x. VMware said that customers can also work around the vulnerability by removing the setuid bit from vmware-mount.
Image from Flickr photos of Ferran Rodenas.
In the wake of a parade of problems with certificate authorities and attackers using stolen digital certificates, both Google and Mozilla are poised to enforce new rules in their browsers for how long end-entity certificates should be trusted.
The changes will begin taking effect at the beginning of 2014, at least in Google Chrome, and will result in the browser no longer trusting any certificate that’s more than 60 months old. Mozilla also is considering a similar move for its Firefox browser. The change is the result of the adoption of the CA/Browser Forum Baseline Requirements, a document that lays out a long list of requirements for the operation of a certificate authority and issuance of certificates. The requirements specify that CAs should not issue any certificates with a validity period longer than five years.
In a message Aug. 19 on the CA/B Forum mailing list, a Google employee said that the company is planning to comply with this rule in Chrome and Chrome OS beginning in 2014 with Developer and Beta channel builds, eventually moving to the Stable channel sometime during the first quarter.
“These checks, which will be landed into the Chromium repository in the beginning of 2014, will reject as invalid any and all certificates that have been issued after the Baseline Requirements Effective Date of 2012-07-1 and which have a validity period exceeding the specified maximum of 60 months. Per the Chromium release cycle, these changes can be expected to be seen in a Chrome Stable release within 1Q 2014, after first appearing in Dev and Beta releases,” Ryan Sleevi of Google said in the message.
“Our view is that such certificates are non-compliant with the Baseline Requirements. Chrome and Chromium will no longer be considering such certificates as valid for the many reasons that have been discussed previously on this list.”
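The rule Sleevi quotes, worked through as an added example (not Chromium’s code; the page does not say how Chromium does its date arithmetic): a certificate issued on or after the Baseline Requirements effective date is flagged when its notAfter lies beyond notBefore plus 60 calendar months. The certificate dates below are constructed, and include a leap-day issuance to show the month-arithmetic edge case.

```python
import calendar
from datetime import datetime, timezone

# Effective date and maximum validity period as quoted from the Baseline
# Requirements discussion above.
BR_EFFECTIVE_DATE = datetime(2012, 7, 1, tzinfo=timezone.utc)
MAX_VALIDITY_MONTHS = 60


def add_months(moment, months):
    """Advance a datetime by whole calendar months, clamping the day to the
    last day of the target month (so 2016-02-29 + 60 months -> 2021-02-28)."""
    total = moment.year * 12 + (moment.month - 1) + months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def violates_br_validity(not_before, not_after):
    """True when the certificate falls under the rule and its notAfter lies
    beyond notBefore + 60 months. Certificates issued before the effective
    date are outside the rule as quoted and are not flagged here."""
    if not_before < BR_EFFECTIVE_DATE:
        return False
    return not_after > add_months(not_before, MAX_VALIDITY_MONTHS)


# Constructed sample certificates: name -> (notBefore, notAfter).
UTC = timezone.utc
SAMPLE_CERTS = {
    "legacy-10y": (datetime(2011, 3, 1, tzinfo=UTC), datetime(2021, 3, 1, tzinfo=UTC)),
    "exactly-60m": (datetime(2013, 1, 15, tzinfo=UTC), datetime(2018, 1, 15, tzinfo=UTC)),
    "72m": (datetime(2013, 1, 15, tzinfo=UTC), datetime(2019, 1, 15, tzinfo=UTC)),
    "leap-day-ok": (datetime(2016, 2, 29, tzinfo=UTC), datetime(2021, 2, 28, tzinfo=UTC)),
    "leap-day-over": (datetime(2016, 2, 29, tzinfo=UTC), datetime(2021, 3, 1, tzinfo=UTC)),
}


def audit(certs):
    """Return, sorted, the names of certificates the browser check would reject."""
    return sorted(name for name, (nb, na) in certs.items()
                  if violates_br_validity(nb, na))


if __name__ == "__main__":
    for name in audit(SAMPLE_CERTS):
        print("reject:", name)
```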
Mozilla developers also have begun the process of making the same change to Firefox, creating an entry in its Bugzilla bug-tracking system.
Certificate authorities have had a rough go of it for the last couple of years, beginning with the attacks on Comodo and DigiNotar and following with the use of stolen digital certificates in a number of pieces of malware recently. One of the results of the attacks on CAs is that the browser vendors end up being the ones who have to clean up the mess, removing trust for compromised certificates and helping to make sure users aren’t harmed by attackers using the bad certificates. The new restriction on the validity period of certificates won’t solve those problems, but it is a move to help limit the practice of continuously reissuing certificates once they’ve been approved.
Cisco has again pushed out an update for its Unified Communications Manager product, fixing several vulnerabilities that if left unpatched could lead to a denial of service attack, allow attackers to modify data or execute arbitrary commands, among other problems.
The problems exist in versions 7.1, 8.5, 8.6, 9.0 and 9.1 of the company’s popular VoIP processing system and there are no workarounds, according to an advisory from Cisco.
The company’s Product Security Incident Response Team (PSIRT) adds that it isn’t aware that any of the vulnerabilities are being maliciously exploited.
The DoS vulnerability is present on all of the versions listed above. On 7.1 all an attacker would have to do is send a malformed registration message to the device to trigger the vulnerability. On the other versions an attacker could rapidly send UDP packets to ports on the device and trigger the vulnerability due to an insufficient rate limiting of traffic on the device’s Session Initiation Protocol (SIP) port.
All of the versions also feature a buffer overflow vulnerability stemming from insufficient bounds checking. An authenticated, remote attacker could exploit that vulnerability by overwriting a memory buffer on a device, letting them corrupt data, disrupt services and run arbitrary commands.
Patches are available for all three versions (7, 8 and 9) of the software, although 8.5 users are explicitly being asked to upgrade to 8.6 to ensure they fix all the issues.
While these are the first vulnerabilities identified in UCM since May, Cisco has had a busy summer patching up flaws in its other products. The company pushed fixes for a variety of networking products in June and earlier this month fixed a remotely exploitable bug in its Telepresence system.
Newly declassified documents released in response to a Freedom of Information Act request by the EFF show that the secret Foreign Intelligence Surveillance Court in 2011 declared that the National Security Agency’s techniques for collecting upstream Internet communications were unconstitutional and illegal. The court opinion provides a unique insight into the kind of techniques that the NSA uses to conduct its surveillance and the court’s views of the agency’s increasingly aggressive collection of data, including domestic communications.
The opinion of the FISC, handed down in October 2011, shows that the court was concerned about the way that the NSA was attempting to minimize the chances of collecting wholly domestic communications, as well as the agency’s mounting number of misrepresentations about the scope of its collection efforts. In the opinion, which was released Wednesday and is heavily redacted in some sections, FISC judge John D. Bates says that the NSA’s efforts to minimize the collection of domestic communications were deficient and violated the Fourth Amendment.
“NSA’s minimization procedures, as the government proposes to apply them to MCTs as to which the ‘active user’ is not known to be a tasked selector, do not meet the requirements of 50 USC § 1881 a(e) with respect to retention and; NSA’s targeting and minimization procedures, as the government proposes to apply them to MCTs as to which the ‘active user’ is not known to be a tasked selector are inconsistent with the requirements of the Fourth Amendment,” the order says in part.
The MCTs referenced in the order are “multi-communication transactions”, a vague term that refers to the collection of things such as the contents of a person’s webmail inbox in the form of a screenshot, which shows the timestamps, senders and other data for the emails. In a conference call with reporters on Wednesday, an unnamed government attorney said that the MCTs present specific problems for the NSA when it comes to separating domestic and foreign communications.
“Those are all transmitted across the Internet as one communication, even though there are 15 separate emails mentioned in them. And for technological reasons, NSA was not capable of breaking those down into their — and still is not capable — of breaking those down into their individual components,” the attorney explained, according to a partial transcript from the EFF.
The FISC opinion and order cover a large number of different elements that the government is trying to get the court to either approve or renew. In most of the cases, the court approved the government’s petitions, finding that the government’s techniques meet the constitutional requirements. The thing that sticks out, though, is the court’s tone of alarm about the NSA’s increasing number of problems properly representing the scope of its collection efforts. In a footnote in the opinion, Bates says that the NSA has had three separate misrepresentations in less than three years up to that point in 2011.
“The Court is troubled that the government’s revelation regarding NSA’s acquisition of Internet transactions mark the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program,” the footnote says.
The EFF, which filed the FOIA request to declassify the opinion and order, said that the release of the opinion is a milestone.
“Release of the opinion today is just one step in advancing a public debate on the scope and legality of the NSA’s domestic surveillance programs. EFF will keep fighting until the NSA’s domestic surveillance program is reined in, federal surveillance laws are amended to prevent these kinds of abuse from happening in the future, and government officials are held accountable for their actions,” Mark Rumold of the EFF said in a blog post.
Image from Flickr photos of Abir Anwar.