Threatpost for B2B

Syndicate content
The First Stop For Security News
Updated: 1 hour 57 min ago

NSA Targets Sys Admins to Infiltrate Networks

Fri, 03/21/2014 - 13:27

The latest set of Snowden documents reveal details on perhaps the biggest no-brainer from the National Security Agency’s point of view during these nine months of leaks: the targeting of system administrators.

Classified presentations, documents and notes portray the NSA as confident and unrelenting in their ability to build a database of personal email and social media activity correlated to network and system administrators worldwide. Those reconnaissance efforts would aid the NSA in hacking the sys admins’ work computers that ultimately could be tapped at a moment’s notice by the agency’s QUANTAM program.

QUANTAM involves the use of hacking tools to inject malware onto a target’s system. In the past, the NSA has used these techniques to hack computers by injecting malware implants posing as legitimate Facebook traffic. The malware gives agency analysts a foothold on a compromised machine for the exfiltration of data and system information.

The latest documents, entitled “I hunt sys admins” were written two years ago by an official whose job it is to hack into foreign networks via weaknesses in routers, said a report in The Intercept. The publication said it is keeping the author’s identity a secret. The documents specify the agency’s hunt not only for infrastructure credentials, but also network topology, access lists that detail which machines are allowed access to which resources, and other network configuration intelligence.

“Up front, sys admins generally are not my end target. My end target is the extremist/terrorist or government official that happens to be using the network some admin takes care of,” the document said. “Sys admins are a means to an end.”

These ventures are by law supposed to be limited to foreign targets only, but in the past, the agency’s dragnet surveillance efforts around phone call metadata, for example, has also snared activity of Americans, whose data is not supposed to be targeted or collected without a warrant or court order.

Much like advanced hackers who scour social networks and discussion forums for any scrap of usable insight into a target, the NSA, too, is adept at Facebook creeping. The author, for example, writes in the documents that in order to get computer network exploitation (CNE) access to the admin, a webmail or Facebook account is a better first step than spamming the target.

“There’s a couple ways you could try this: dumpster-dive for alternate selectors in the big SIGINT (signals intelligence) trash can, or pull out your wicked Google-fu to see if they’ve posted on any forums and list both their official and non-official emails in a signature block,” the author wrote.

The how-to written by this unnamed person is littered with arrogance, snark and hacker jargon—even a swipe at the quality of content presented at the Black Hat and Def Con security conferences. There are detailed instructions on a number of techniques for finding personal accounts and using those to hack upstream to the agency’s ultimate target should the need arise. The NSA was also interested in building a database of sys admin contact information that could be utilized by its elite Tailored Operations Unit (TAO).

“Who better to target than the person that already has the keys to the kingdom,” the author wrote. “Many times, as soon as I can see a target show up on a network, one of my first goals is ‘Can we get CNE access to the admins on that network in order to get access to the infrastructure the target is using.”

Cisco Patches AsyncOS Code Execution Vulnerability

Fri, 03/21/2014 - 12:15

Cisco fixed serious vulnerabilities this week in its email and content security management products that could have let an attacker execute code with the privileges of the root user.

The company pushed a fix for its AsyncOS Software in both its Email Security Appliance (ESA) and the Content Security Management Appliance (SMA) products Thursday. According to an advisory, until patched all versions of the products are considered vulnerable as they both run a version of AsyncOS that could be exploited through FTP.

“The vulnerability is due to insufficient validation of the SLBL database file. An attacker could exploit this vulnerability by substituting a valid SLBL database file with a tampered file,” the advisory says.

That file could be rigged to include shell code that could later be executed, provided that FTP and Safelist/Blocklist (SLBL) are enabled, in turn granting the attacker the right to execute arbitrary code on the system with the privileges of the root user.

While users could disable both the FTP service and the SLBL service – this could prevent the SLBL database with getting replaced with a malicious one – there are no real workarounds.

Updates that resolve the vulnerability can be obtained through Cisco’s regular update channel.

Cisco’s ESA allows email management and incorporates antivirus and encryption while SMA aggregates employees run-time data and helps oversee the company’s email products and its web security appliances.

Siemens Patches Security Vulnerabilities in ICS Equipment

Fri, 03/21/2014 - 11:43

P { margin-bottom: 0.08in; }A:link { }
-->Industrial control systems manufacturer, Siemens, has released new versions of its SIMATIC S7-1200 CPU family, resolving six security vulnerabilities in that product, and its SIMATIC S7-1200 PLC (programmable logic controller), resolving an addition two vulnerabilities there.

These patches are critical enough to have warranted alerts on the Industrial Control Systems Cyber Emergency Response Team’s website.

All six of the bugs in the SIMATIC S7-1200 CPU family are remotely exploitable and affect all product versions prior to V4.0. The vulnerabilities – on out of date systems – could potentially give an attacker the ability to perform denial-of-service attacks by deploying specially crafted HTTP(S), ISO-TSAP, or Profinet network packets. Beyond this, the integrated Web server in this product is also vulnerable to cross-site request forgery and privilege escalation attacks. Each of the attacks is exploitable over the network without authentication.

The SIMATIC S7-1200 PLC systems are vulnerable to a pair of improper input validation vulnerabilities that are also remotely exploitable. Again, a knowledgeable attacker could exploit these bugs to perform a DoS attack.

As is generally the case, the impact of all of the bugs listed is almost entirely dependent on the way each specific system is implemented.

Ralf Spenneberg of OpenSource Training, Lucian Cojocar of EURECOM, Sascha Zinke from FU Berlin’s work team SCADACS, and Positive Technologies’ researchers Alexey Osipov and Alex Timorin discovered the six holes in Siemens’ SIMATIC S7-1200 CPU family. You can read a more detailed description of those bugs here.

Professor Hartmut Pohl the Swedish Defence Research Agency uncovered the flaws in Siemens’ SIMATIC S7-1200 PLC. You can read more about these vulnerabilities here.

SCADA software, ICS equipment, and critical infrastructure systems are perpetually vulnerable. Worse yet, as the maintainers of operating systems get better and better at security, making it more difficult for attackers to write successful exploits, these people will turn to softer targets. So woeful is the state of critical infrastructure security, that some experts are asking if it is time to establish an ICS security specialist certification.

Comcast Issues First Transparency Report

Thu, 03/20/2014 - 16:03

P { margin-bottom: 0.08in; }A:link { }
-->Another day, another transparency report from a company trying to put some distance between itself and the United States’ broad surveillance apparatus. Today’s report comes from Comcast, the largest Internet service provider in the U.S., who “takes customer privacy very seriously, and [holds] it in the highest regard.”

The company says their report adheres to the Justice Department’s newer and more relaxed reporting guidelines. Thus, they report their reception of National Security Letters (NSLs) and Foreign Intelligence Surveillance Act (FISA) orders and warrants as well as the corresponding numbers of customer accounts affected in bands of 1000. These guidelines, Comcast says, requires them to report FISA orders and warrants with a six month delay, so this report covers only the first six months of 2013.

The mass media company claims to have received 19,377 subpoenas in the first half of 2013. Subpoenas, the report states, typically seek basic customer account information like names and addresses of customers based on telephone numbers or Internet Protocol (IP) addresses associated with accounts.

The company reported receiving 3,893 general court orders, including 93 pen register and trap and trace orders and just two wiretap requests. Court orders, the report indicates, are signed by a judge and seek more detailed – often historical – information than can be obtained through a subpoena. General orders are those that don’t seek a pen register and trap and trace, which essentially seeks incoming and outgoing call information in real time, or wiretaps, which seek real-time access to the contents of those communications.

They also received 253 content warrants and 1,080 non-content warrants. In all, Comcast received 24,698 total criminal requests.

In addition to these, the company is reporting that it received 961 emergency requests. Such requests differ from those listed above in that they are expedited, generally involving an emergency that poses risk of death or serious physical injury to any person. In these cases, Comcast says that it requires the law enforcement officer to provide “a written certification” describing the imminent risk of danger. Comcast claims it then uses that information to verify emergency requests when possible.

Comcast reported between 0 and 999 requests for all of the following categories: NSLs received and customer accounts affected, content-related FISA orders and warrants and customer accounts affected, and non-content-related FISA orders and warrants and customer accounts affected.

“Like all U.S. businesses, we must respond to valid government requests for customer information made in subpoenas, orders, warrants, and other legal processes,” Comcast said in its report. “Before we respond, we review every request carefully to ensure it is authorized by law and is valid.”


EA Games Site Hacked to Steal Apple IDs

Thu, 03/20/2014 - 15:58

Hackers were able to compromise a server belonging to Electronic Arts Games this week and rig one of its websites to resemble an Apple log-in page to dole out phishing attacks.

U.K.-based security firm Netcraft discovered the hacked site on Tuesday and informed EA, which blocked it on Wednesday.

Researchers with the firm speculate that a vulnerability in an outdated version of the PHP app WebCalendar, which was also being hosted on the same server, was used as an attack vector. That vulnerability allows attackers to modify settings and execute arbitrary code in the 2008 version (1.2.0) of the calendar.

“In this case, the hacker has managed to install and execute arbitrary PHP scripts on the EA server,” Paul Mutton, a security tester with the firm wrote Wednesday.

From there, the attacker could view the calendar’s contents, its source code and any other data on the server.

The fact that the calendar app was outdated naturally made EA’s system a target.

“The mere presence of old software can often provide sufficient incentive for a hacker to target one system over another, and to spend more time looking for additional vulnerabilities or trying to probe deeper into the internal network.”

Victims who stumbled across the site were encouraged to input their Apple ID and password, then their full name, credit card number, its expiration date, verification code, date of birth and so on. Only after entering all their information the victim was then sent to a legitimate Apple website,

BitSight, a Cambridge, Mass.-based security rating service, claims that EA’s system may have been riddled with vulnerabilities for up to a year. The service’s CTO purports seeing multiple servers associated with EA under control for the last 12 months.

“Likely under the control of an external adversary, these machines were used to communicate with botnet command and control servers, distribute malware, and participate in DDoS attacks,” Stephen Boyer, the firm’s co-founder and CTO said Thursday.

As it is this is the second problem for EA during the past week. Netcraft also acknowledges in its write up that a phishing site aiming to extort users of the company’s Origin platform surfaced online a week ago. That site, while not hosted on an EA server, is still trying to glean EA users’ credentials, including “email addresses, passwords and security question answers.”

While EA has allegedly blocked the Apple phishing site, it’s unclear if it’s aware of the Origin phishing site. Email inquiries to the company were not immediately returned on Thursday.

Additional vulnerabilities in EA’s Origin platform were identified around this time last year as well. Researchers with ReVuln, Luigi Auriemma and Donato Ferrante, published a paper last March in which they discussed how easy it could be to remotely run malicious code on users’ machines through Origin and one of the company’s games, Crysis 3.

Bitcoin Transaction Malleability Flaw Resolved

Thu, 03/20/2014 - 15:57

The so-called transaction malleability software issue blamed for the dissolution of Bitcoin exchange Mt. Gox has been patched.

Also, the Bitcoin-QT reference client was also rebranded to Bitcoin Core, in order to clear confusion users might have had between the Bitcoin network and software. Bitcoin Core 0.9.0 was made available yesterday that included new features as well as security updates.

Transaction malleability is technically not a flaw in the software, according to a number of experts, including those inside Mt Gox. Users had the ability to change the transaction identifier accompanying any Bitcoin transaction under certain conditions.

Mt. Gox’s demise was a perfect storm of software issues and policy failures that caused the Japanese company to lose hundreds of millions of dollars worth of the digital currency.

The problems began when users complained to Mt. Gox that transactions and funds were being conducted under altered identifiers. A report in the Guardian said hackers had managed to edit the identifiers and then lodge a complaint with Mt. Gox, which would then initiate the transaction a second time, sending more currency to the thief.

According to release notes posted on Github, the transaction malleability issue was addressed by tightening transaction rules preventing “mutated transactions” from being relayed or mined. Bug fixes also addressed incorrect balances being reported for mutated transactions, among other fixes.

The hack and subsequent demise of Mt. Gox negatively affected the value of the electronic currency, which hovered not too long ago at more than $1,000 per Bitcoin; as of today, Bitcoin Exchange lists one Bitcoin at $591.99.

According to sources quoted by the Guardian, the transaction malleability issue was compounded by lax accounting at Mt. Gox, forcing the exchange to go under. The Guardian said a document released by entrepreneur Ryan Selkis also hurried Mt. Gox to the end.

“MtGox has allegedly never conducted a single audit of its customer deposits,” Selkis is quoted, “and it is believed that [Gox CEO Mark] Karpeles may have been the only one within the company to have knowledge of how to actually tap the exchange’s cold storage. It remains unclear exactly how this type of storage leak could have happened over a multi-year period without any knowledge on the part of the executives at MtGox.”

As Bitcoin became a full-fledged phenomenon, hackers took notice too. Malware attacks surfaced targeting Bitcoin wallets credentials on a number of platforms including Mac OS X. The OS X CoinThief Trojan, for example, masqueraded as a phony Bitcoin ticker app on a number of popular download sites.

Another attack involved a phony Bitcoin utility called Bitcoin Alarm which was purportedly a tool for alerting Bitcoin owners of shifts in the currency’s value.

And prior to Mt. Gox, the Sheep Market suffered a $106 million loss when hackers walked off with 96,000 Bitcoins. Attackers hijacked the marketplace’s domain name system (DNS) servers and routed incoming traffic through a set of servers under their control. This allowed them to spoof member accounts and steal the currency.

Google Encrypts All Gmail Connections

Thu, 03/20/2014 - 13:56

Perhaps no company has been as vocal with its feelings about the revelations about the NSA’s collection methods as Google has, and the company has been making a series of changes to its infrastructure in recent months to make it more difficult for adversaries to snoop on users’ sessions. The biggest of those changes landed Thursday when the company switched its Gmail service to HTTPS only, enforcing SSL encryption on all Gmail connections.

The change is a significant one, especially given the fact that Google also has encrypted all of the links between its data centers. Those two modifications mean that Gmail messages are encrypted from the time they leave a user’s machine to the time they leave Google’s infrastructure. This makes life much more difficult for anyone–including the NSA–who is trying to snoop on those Gmail sessions.

“Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email. Gmail has supported HTTPS since the day it launched, and in 2010 we made HTTPS the default. Today’s change means that no one can listen in on your messages as they go back and forth between you and Gmail’s servers—no matter if you’re using public WiFi or logging in from your computer, phone or tablet,” Nicolas Lidzborski, Gmail Security Engineering Lead, wrote in a blog post.

“In addition, every single email message you send or receive—100 percent of them—is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail’s servers, but also as they move between Google’s data centers—something we made a top priority after last summer’s revelations.”

Google was in the process of encrypting the links between its data centers last year before the news broke that the NSA had the ability to tap those links and gather email messages and other data. That revelation enraged Google security engineers, and the company accelerated its plans to encrypt the links between data centers.

Gmail users have had the option to enable HTTPS only as the default connection option for more than four years. But the typical user may not have known that option was available. Now, users don’t need to think about it; they’re connections to Gmail will always be encrypted by default.

Malicious iOS Tor Browser in Apple App Store

Thu, 03/20/2014 - 13:50

P { margin-bottom: 0.08in; }
--> An iOS Tor Browser hosted for download on Apple’s notoriously restrictive App Store is reportedly a fake. Worse yet, not only is the application said to be illegitimate, but also allegedly malicious.

According to a support ticket opened by a Tor Project volunteer operating under the handle Phobos, this iOS Tor Browser in the App Store is “full of adware and spyware.”

Threatpost reached out to the Tor Project’s Runa Sandvik and asked of there was any way to confirm that the app did indeed contain adware and spyware.

“Yes, but that would involve using the app and analyzing what it does,” Sandvik responded. “One could also attempt to reverse engineer it.”

Phobos submitted a complaint with Apple regarding the application on Dec. 26. Apple responded shortly thereafter, saying they would give the app’s developer a chance to defend the app. Since that time, more than three months ago, it seems there has been no further response from Apple. As far as we can tell, the malicious application remains available for download.

As recently as six weeks ago, Phobos indicated on the ticket that they would attempt to contact Apple again.

“Maybe we need to bypass their process, since it’s been weeks and they’re still putting users at risk?” chimed in another user on the ticket. “Or said another way, when do we start involving our personal contacts at Apple? And when do we start making a public fuss?”

The time for a public fuss apparently came yesterday:

“I think naming and shaming is now in order,” a third user said on the ticket. “Apple has been putting users at risk for months now.”

Following that, a number of prominent Tor advocates spoke up about the issue on Twitter.

It probably goes without saying that adware and spyware really undercut the efficacy of an application with the stated purpose of “empowering other apps to use the Internet more securely” and helping users “defend against a form of network surveillance that threatens the personal freedom and privacy.”

Much more seriously, the Tor Network provides cover for a wide spectrum of users – from activists to cybercriminals – who can’t afford to have their traffic monitored. In the most extreme cases, the traffic anonymization service that Tor provides is the only thing standing between an individual and persecution or even prosecution.

If you believe you need or just want to anonymize your Web surfing – for whatever reason – the best option is to download the Tor Browser Bundle directly from the Tor Project website.

Weakness in Android Update Service Puts All Devices at Risk for Privilege Escalation

Thu, 03/20/2014 - 12:34

The first deep look into the security of the Android patch installation process, specifically its Package Management Service (PMS), has revealed a weakness that puts potentially every Android device at risk for privilege escalation attacks.

Researchers from Indiana University and Microsoft published a paper that describes a new set of Android vulnerabilities they call Pileup flaws, and also introduces a new scanner called SecUP that detects malicious apps already on a device lying in wait for elevated privileges.

The vulnerability occurs in the way PMS handles updates to the myriad flavors of Android in circulation today. The researchers say PMS improperly vets apps on lower versions of Android that request OS or app privileges that may not exist on the older Android version, but are granted automatically once the system is updated.

The researchers said they found a half-dozen different Pileup flaws within Android’s Package Management Service, and confirmed those vulnerabilities are present in all Android Open Source Project versions and more than 3,500 customized versions of Android developed by handset makers and carriers; more than one billion Android devices are likely impacted, they said.

An attacker could use a malicious application to exploit this situation to access data on the device such as user credentials, activity logs, SMS data. The researchers also said a successful attack could also give a hacker control of new signature and system permission, leading to a deeper level of trouble.

The paper, “Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating,” was written by Luyi Xing, Xiaorui Pan, Kan Yuan and XiaoFeng Wang of Indiana University Bloomington and Rui Wang of Microsoft. The frequency of Android updates—estimated to be on average of every 3½ months— and the fragmentation of the Android market make it close to impossible to adequately secure devices, the researchers said.

“Every few months, an update is released, which causes replacement and addition of tens of thousands of files on a live system. Each of the new apps being installed needs to be carefully configured to set its attributes within its own sandboxes and its privileges in the system, without accidentally damaging existing apps and the user data they keep,” the researchers wrote. “This complicates the program logic for installing such mobile updates, making it susceptible to security-critical flaws.”

Pileup flaws, short for privilege escalation through updating, ramp up the permissions given to malicious apps once Android is updated without raising an alarm to the user. “Through the app running on a lower version of Android, the adversary can strategically claim a set of carefully selected privileges or attributes only available on the higher OS version,” the researchers wrote.

The paper said customized versions of Android, such as those developed by device makers and carriers, are especially vulnerable to Pileup attacks. The researchers said manufacturers are purposely conservative with regard to updates so as not to interfere with the user experience. Users who have apps currently installed, for example, expect them to work seamlessly after OS updates and upgrades; that means data and features must transfer. An attacker can get a seemingly benign app on a device that requests privileges not present on the lower OS version. Generally, the Package Management Service must compare the privileges present between updates and will generally grandfather in existing permission requests so as not to interfere with functionality.

“A third-party package attribute or property, which bears the name of its system counterpart, can be elevated to a system one during the updating shuffle-up where all apps are installed or reinstalled, and all system configurations are reset,” the paper said. “Also, when two apps from old and new systems are merged as described above, security risks can also be brought in when the one on the original system turns out to be malicious.”

Upon an OS upgrade, the PMS will install new and existing system apps, including third-party apps, and will register the permissions they declare. That means for a malicious app, the PMS recognizes all the permissions it requests and those are silently granted because it supposes that permissions with an existing app have already been approved by the user.

All of the issues have been reported to Google, the researchers said; Google has already patched one of the six vulnerabilities.

As for the team’s SecUP scanner, it inspects Android APKs already installed on a device, identifying those that are likely to cause privilege escalations during an update, the paper said. SecUP is made up of a number of components, including a vulnerability detector, exploit opportunity analyzer and a risk database, in addition to the scanner app, the paper said.

“The detector verifies the source code of PMS (from different Android versions) to identify any violation of a set of security constraints, in which we expect that the attributes, properties (name, permission, UID, etc.) and data of a third-party app will not affect the installation and configurations of system apps during an update,” the researchers wrote. “A Pileup flaw is detected once any of those constraints are breached.”

The analyzer then kicks in and searches Android factory images for places where privilege escalation could happen; that information is stored in the risk database. The scanner app uses that database to check third-party apps and alerts the user to any potential risks.

New Zorenium Bot Boasts Ability to Run on iOS

Thu, 03/20/2014 - 11:12

UPDATE–The iOS platform has been remarkably resistant to malware infections over the years and attackers interested in mobile devices mainly have focused their efforts on Android. But the developer of a little-known bot that has the ability to run on Linux and Windows machines now has a version that apparently can run on iOS as well.

The Zorenium bot is not one of the brand-name bots that constantly make headlines. The bot is only a few months old and hasn’t yet gained the attention of many researchers. It has many of the same capabilities that other pieces of custom malware have, including from-grabbing, banker Trojan functionality, DDoS and even Bitcoin mining. But it’s Zorenium’s ability to run on recent version of iOS that sets it apart.

“Recently our analysts have been monitoring the advancement of a new threat in the commercial malware theater – the Zorenium Bot. Zorenium a relatively new and unknown bot, which has been up for sale in the underground from January 2014 is getting new features in its March 18th update, including, also, ability to infect iOS devices (version 5-7), alongside its existing capabilities to run on Linux and Windows based machines. Also, in this update, the developers have updated the rootkit to TDL4 (This making it vulnerable to anti TDSS tools),” Tanya Koyfman and Assaf Keren of the SenseCy blog, run by Israeli company Terrogence, wrote in a blog post on the bot.

Zorenium has been advertised on Pastebin and the first version of the bot was available for direct download via a link posted on Twitter in December. The full release notes for the latest version of Zorenium detail the bot’s full functionality, including its banking Trojan capability and its use of the TDL family of rootkits. TDL, also known as Alureon, is a nasty rootkit that has been around for several years and has been used to build a number of large botnets. The most recent version, TDL4, has a number of advanced capabilities, including the ability to bypass some Windows code-signing requirements.

The Zorenium developer boasts in his notes for the bot that the malware is not detected by any major antimalware products and says that the bot’s processes and other components are protected from being stopped or removed through the use of a number of different methods. The developer also says Zorenium can trick users into thinking their machine is shutting down.

“After alot of work, testing and money spent. We can now make the victims believe there SYSTEM is being shutdown on victim input. Thus means zorenium will throw fake images to make the user believe hes shutting down his machine. Zorenium will then shut down the screen to standby mode ( until the Poweron button is initialized ). Whilst the user thinks he or she is shutting down there machine, we can stop (Delay) the CPU Fan, and other fans, which will make a racket making the user believe his or her system is still running,” the notes say.

The base model of Zorenium, without the rootkit and banker Trojan and Bitcoin miner, sells for £350, while the version that includes those modukes goes for £2,000. The Zorenium binary with Tor and P2P capability for command and control sells for £5,000.

The Zorenium malware is related to the Betabot malware, which has been used in attacks against financial institutions and other sites since last year. The FBI issued a warning about Betabot on September, warning consumers that the malware will masquerade as a Windows security warning dialog box.

“Cyber criminals use Beta Bot to target financial institutions, e-commerce sites, online payment platforms, and social networking sites to steal sensitive data such as log-in credentials and financial information. Beta Bot blocks computer users’ access to security websites and disables anti-virus programs, leaving computers vulnerable to compromise,” the FBI warning says.

“Beta Bot infection vectors include an illegitimate but official looking Microsoft Windows message box named ‘User Account Control’ that requests a user’s permission to allow the ‘Windows Command Processor’ to modify the user’s computer settings. If the user complies with the request, the hackers are able to exfiltrate data from the computer. Beta Bot is also spread via USB thumb drives or online via Skype, where it redirects the user to compromised websites.”

The security measures, vertical software development and installation model and exploit mitigations included in iOS have made the platform a difficult target for attackers. There have been a small string of code-execution vulnerabilities found in various versions of iOS, many of them discovered by members of the jailbreak community. Apple has patched those, but users who jailbreak their devices typically don’t update them, because that rolls back the jailbreak and restores the normal operating system.

For Zorenium to run on an iOS device, it likely is running on jailbroken phones, unless the bot uses a previously unknown vulnerability in the operating system.

“According to a release note from the developer of the Zorenium malware, dated of the 18th of March, the new version supposedly is able to run on iOS 5-7 , as well as most Debian platforms and the latest Android tablets. One platform stands out of this list, iOS as there aren’t so many threats to run on it. It is currently unclear wether the apple device needs to be jailbroken or not, in order to be infected. However, considering the fact that the Windows versions of Zorenium were far from being advanced threats, it is most likely that it will only run on the jailbroken device,” said Nicolas Brulez, principal security researcher at Kaspersky Lab.

This story was updated on March 20 to add details from the Zorenium release notes. 

Mozilla Patches Pwn2Own Zero Days in Firefox 28

Thu, 03/20/2014 - 06:45

The Firefox web browser took a beating during last week’s Pwn2Own contest with researchers bringing four zero-day vulnerabilities and exploits to the table, walking away with a collective $200,000 in prize money in the process.

Yesterday, Mozilla capped all four bugs among 18 security advisories addressed in Firefox 28.

Firefox was by no means the only browser targeted during the annual contest; all four leading vendors failed to hold up against some of the best white hat hackers in the world. Two days ago, Google led the charge with the first set of patches addressing vulnerabilities disclosed during Pwn2Own. Google also paid out more than $150,000 to the winners of its Pwnium contest which went after bugs in Chromium and the Chrome OS.

George Hotz, known by his handle geohot and for his iPhone and PlayStation 3 jailbreaking, cashed in at both competitions. The 24-year-old claimed a $50,000 prize for a zero-day in Firefox that also affected Thunderbird and Seamonkey, Mozilla said.

Mozilla said in its advisory that Hotz discovered an issue where values are copied from an array into a second, neutered array. “This allows for an out-of-bounds write into memory, causing an exploitable crash leading to arbitrary code execution,” Mozilla said in its advisory.

Hotz’s big prize, however, came during the Pwnium event when he scored a $150,000 prize for a persistent code execution bug discovered in the Chrome OS. Pwn2Own and Pwnium veteran hacker Pinkie Pie also found a sandbox code execution and kernel out of bounds vulnerabilities; Google has yet to announce his prize.

Three other Pwn2Own bugs were patched by Mozilla in Firefox 28.

Researcher Juri Aedla, a frequent Google bug-hunter, found a zero-day code execution bug in the browser. Mozilla said in its advisory that:  “TypedArrayObject does not handle the case where ArrayBuffer objects are neutered, setting their length to zero while still in use. This leads to out-of-bounds reads and writes into the JavaScript heap, allowing for arbitrary code execution.”

Researchers from French exploit vendor VUPEN were the big winners during Pwn2Own and Pwnium, cashing in six times, including a Firefox zero day. Team VUPEN found a memory corruption issue leading to an exploitable use-after-free condition. Founder Chaouki Bekrar told Threatpost that the discovery of the zero-day required running more than 60 million test cases through a fuzzer.

Polish researcher Mariusz Mlynski was the fourth Pwn2Own contestant to topple Firefox. He combined two vulnerabilities to gain privilege escalation.

“Combined these two bugs allow an attacker to load a JavaScript URL that is executed with the full privileges of the browser, which allows arbitrary code execution,” Mozilla said in its advisory.

Firefox 28 addressed one more critical vulnerability, actually a set of memory safety hazards, Mozilla said.

“Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” Mozilla said in its advisory.

Research Finds MAC Address Hashing Not a Fix for Privacy Problems

Wed, 03/19/2014 - 15:27

UPDATE–Cryptographic algorithms and hash functions are designed to be resistant to a variety of attacks, but one of the things that they can’t defend against is time. Time and the inevitable advancement of technology have turned out to be the greatest enemies of cryptography, and a quick research project done by a graduate student at Stanford on the security of hashed MAC addresses in retail analytics software has shown that to be true once again.

One of the things that has raised the hackles of privacy advocates in recent years is the rise of passive tracking of consumers’ mobile devices as they move through stores, coffee shops, malls and other locations. Retailers can use software that detects the network announcements that cell phones with WiFi and Bluetooth enabled make periodically in order to track a given person’s device. This allows retail analytics firms to build databases that include the various locations that a device has been tracked in over a period of time.

This presents some rather obvious privacy issues, because most consumers have no idea that their devices are sending out these signals, let alone that retailers are gathering the information and building massive databases with the results. In October, a code of conduct surrounding retail analytics was released, and one of the provisions is for firms to hash the MAC addresses of users’ devices after they’re collected as a way to preserve users’ privacy. Jonathan Mayer, a PhD student at Stanford University, decided to take a look at how difficult it would be to reverse the hash of a given device’s MAC address, something that is meant to be quite difficult.

Hash functions take an input, in this case a device’s MAC address, and produce a random series of letters and numbers as the output, the hash value. Attackers should not be able to take the hash value and reverse it to get the MAC address. But Mayer found that this was not only possible but quite cheap and quick to do. Using a rented Amazon AWS server with a fast graphics card, Mayer used the hash-checking program oclHashcat and was able to reverse the hash of his own cell phone’s MAC address in about 12 minutes.

“Some back of the envelope math suggested the task was doable. There are 6 bytes in a MAC address; the first 3 bytes are allocated to the network device vendor, and the last 3 bytes are chosen by the vendor. In total, then, there are 248 possible MAC addresses. Since only 19,130 vendor prefixes have been actually allocated for use, however, there are at most 238.22 validly assigned MAC addresses. That number might sound big, but modern consumer hardware can calculate roughly 230 hashes per second. In other words, it should be possible to check every validly assigned MAC address in just a few minutes,” Mayer wrote.

Mayer was using the SHA-1 algorithm during his test, but said that the same approach would work using other algorithms. His research shows that an attacker who was able to access a database of hash values would have the ability to reverse those values and get the MAC addresses associated with the hashes. The attacker still would need to connect those MAC addresses to individual devices and their owners somehow, but Mayer said that can be done.

“Some businesses and network operators keep a mapping between MAC addresses and individuals. A government agency could subpoena the device vendor for the purchaser’s identity. At any rate, the MLA Code of Conduct seems to concede a MAC address is identifiable; it suggests a MAC has to be hashed to be ‘de-personalized’,” Mayer said via email.

Unless every organization that is recording MAC information is hashing them, then an attacker could be able to link a MAC address

“Hashing is not a silver bullet for electronic privacy. As we have seen, it is possible to test retail analytics data against every possible device. If data is associated with a particular device, it is always linkable back to an individual,” he said.

Most hash functions were produced in a time when the average person had no legitimate access to the kind of computing power it would take to reverse them. Indeed, only a handful of government agencies likely possessed that kind of power until very recently. But the rapid improvement in hardware and the concurrent rise of commodity cloud computing platforms such as AWS have made high-level compute power available to the masses at low prices. Reversing a hash value produced by an older algorithm such as SHA-1 is now within reach for just about any attacker.

“The specific hash function doesn’t matter much, though. All three of the problems I wrote about arise from any hash function. One caveat with respect to reversing hashes: Key stretching would make brute force attacks more difficult. It runs up against practical constraints, though, because retail analytics services have to be able to calculate hashes live in production,” Mayer said.

This story was updated on March 20 to add comments from Mayer.

Image from Flickr photos of Jerry Seaman

NSA Spying on Content of Foreign Phone Conversations

Wed, 03/19/2014 - 12:58

P { margin-bottom: 0.08in; }A:link { }
-->The latest in the slow but steady trickle of leaks dripping out of NSA whistleblower Edward Snowden reportedly shows that the U.S. spying agency has the capacity to recall entire foreign phone call conversations for as long a month after the fact.

The program, according to a Washington Post report citing leaked documents and people with direct knowledge of NSA operations, is called MYSTIC. MYSTIC is a voice intercept program and it reportedly launched in 2009.

The database behind the program stores the contents of each phone conversation for one month, after which point the newest phone call conversation replaces the oldest one. According to the documents viewed by the Washington Post, MYSTIC’s “retrospective retrieval” tool reached it’s operational capacity in its first target country sometime in 2011. The NSA codename for that tool is RETRO.

The Washington Post withheld certain information from its report at the urging of U.S. officials who had expressed concern that the publication could potentially reveal the identity of the target nation in question. Separate planning documents written two years later suggest that the NSA may have initiated the program for use in other countries following its initial success. In fact, the report – citing information procured from secret intelligence budget documents – claims that MYSTIC provides “comprehensive metadata access and content,” from five different countries, with a sixth in the works. It is not clear whether the NSA has full voice intercept and recall capabilities in those countries.

In a summary of the program, the NSA reportedly described RETRO as having the capacity to “retrieve audio of interest that was not tasked at the time of the original call.” The report claims that while law enforcement analysts only listen to a small fraction of one percent of the total calls, they ultimately end up listening to the contents of a large number of conversations.

More specifically, the agency and its analysts are reportedly pulling and sending off millions voice clippings – or “cuts” as they call them – from the contents of these phone conversations for permanent or long term storage every month.

A National Security Council spokeswoman, Caitlin Hayden, declined to comment specifically to the Washington Post. However, more broadly, she did say that threats are “often hidden within the large and complex system of modern global communications, and the United States must consequently collect signals intelligence in bulk in certain circumstances in order to identify these threats.”

NSA spokeswoman Vanee Vines scolded the newspaper in an email statement, saying that “continuous and selective reporting of specific techniques and tools used for legitimate U.S. foreign intelligence activities is highly detrimental to the national security of the United States and of our allies, and places at risk those we are sworn to protect.”

Present and former intelligence officials speaking under the condition of anonymity told the Washington Post that RETRO would certainly end up collecting the phone call contents of U.S. citizens in the country in which it was first rolled out. This – of course – means that MYSTIC and the tool behind it directly contradicts claims made repeatedly by NSA officials and spokespeople, namely that they are not using their tools to spy directly on innocent U.S. citizens.

This latest revelation comes on the heels of another that suggested the NSA had mimicked Web servers belonging to the world’s most populous social network in order to pilfer information via man-on-the-side attacks. Facebook co-founder and CEO Mark Zuckerberg condemned the NSA for this behavior, which – for what it’s worth – the agency has denied.

On Monday, members of the infamous Church Committee (officially known as the United States Senate Select Committee to Study Governmental Operations with Respect to Intelligence Activities), penned a letter to President Obama and members of Congress urging them to form a committee to investigate the NSA. The Church Committee very famously investigated intelligence wrongdoings that became apparent following the Watergate scandal.

New Exploits Arrive for Old PHP Vulnerability

Wed, 03/19/2014 - 12:12

Close to two years ago, a serious vulnerability in PHP was accidentally disclosed after it was discovered months prior during a hacking contest. A patch was released in relatively short order, and one would assume that given PHP’s prevalence as a web development framework, the fix would have been applied just as quickly.

But given the discovery last October of a new set of exploits for CVE-2012-1823, that assumption may not be correct.

Researchers at Imperva have been watching since Oct. 29 attacks exploiting the PHP bug. Attackers were using the new exploit to deliver arbitrary code to websites running PHP 5.4.x, 5.3.x before 5.4.2 or 5.3.12; those vulnerable versions account for about 16 percent of the sites on the web according to director of security research Barry Shteiman.

The new exploits were dangerous in that they allowed hackers to abuse an old vulnerability to not only run arbitrary code, but also adapt techniques found in botnets and crimeware kits to inject malware, steal credentials or system data from the server, or move laterally within the data center.

“Not only are we seeing a vulnerability used after it was released so long ago, but what we’re seeing is attackers and professional hackers understanding what vendors understand—people just don’t patch,” Shteiman said. “They can’t or won’t or are not minded to fix these problems.”

PHP is found on nearly 82 percent of websites today; these attacks target sites where PHP is running with CGI as an option, creating a condition that allows for code execution from the outside. Shteiman said the vulnerability affects a built-in mechanism in PHP that protects itself from exposing files and commands. A configuration flaw allows hackers to first disable the security mechanism, which in turn allows a hacker to run remote code or arbitrarily inject code.

“With the new exploit, it’s the same relative technique, but what we’ve seen is a lot of automation,” Shteiman said. “The tool that attacked these systems is running an interesting subset of dictionaries that requires an attacker know where PHP is installed on the server. We’ve seen attackers trying different paths to see which backend contains the [PHP] executable.”

The big-picture problem is the number of PHP websites still running vulnerable code despite the availability of a patch for close to two years now.

“PHP is installed as an interpreter,” Shteiman said. “Replacing the existing instance of PHP with a new one means downtime. Sometimes you may have to change applications because some things that are now deprecated may require application changes. For that reason, sometimes organizations don’t patch or go a different route. They might use a new framework instead.”

Original reports on the vulnerability triggered advisories from a number of organizations, including US-CERT. The bug is a relatively simple one; researchers found that when they passed a specific query string that contained the -s command to PHP in a CGI setup, PHP would interpret the -s as the command line argument and result in the disclosure of the source code for the application. They extended their testing and found they could pass whatever command-line arguments they wanted to the PHP binary.

“You’d think these bugs would be long forgotten, but it isn’t so; they’re like the undead. Vulnerabilities never die,” Shteiman said. “They don’t die and we realize if we see this executed by botnets trying to onboard servers and by crimeware kits being sold, that means attackers understand they can rely on old problems because people won’t fix them and attackers don’t have to work too hard.”

Full Disclosure Security Mailing List Shuts Down

Wed, 03/19/2014 - 11:00

The Full Disclosure security mailing list, which has been one of the main discussion forums for vulnerability and exploit information for 12 years, is shutting down because “‘one of our own’ would undermine the efforts of the last 12 years”, one of the creators said.

John Cartwright, one of the creators of the Full Disclosure list, posted a message on the list saying that he was suspending the list immediately because someone in the security community had asked that a large number of messages be removed from the list’s archive for an unspecified reason. Cartwright did not name the person who made the request, but said he was unwilling to take a “virtual hatchet to the list archives on the whim of an individual”.

When it began in 2002, Full Disclosure was an alternative to the Bugtraq list, which was moderated, something that annoyed some of the members. The new list was meant to be a more free-form discussion and it often included information on zero day vulnerabilities, along with exploit code, especially in the early days. Many software vendors were not too happy to have data on bugs in their products published on a mailing list, but in 2002, most of those vendors didn’t have established security response processes, bug-reporting guidelines or even email addresses to accept vulnerability advisories. Full Disclosure was a valuable source of information on vulnerabilities in all manner of software and hardware and many vendors over the years began posting their own advisories to the list.

The list had more than its share of trolls and troublemakers and it got the occasional legal threat from vendors. But Cartwright said he never thought that the reason he’d have to shut Full Disclosure down would be the actions of a member of the list and not a vendor.

“I never imagined that request might come from a researcher within the ’community’ itself (and I use that word loosely in modern times).  But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I’m done,” Cartwright wrote in his message.

“I’m not willing to fight this fight any longer.  It’s getting harder to operate an open forum in today’s legal climate, let alone a security-related one.  There is no honour amongst hackers any more. There is no real community.  There is precious little skill.  The entire security game is becoming more and more regulated.  This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.”

Full Disclosure appeared on the scene at a time when many vendors were not paying a whole lot of attention to security and security researchers who found flaws in their products. Posting full details of a new bug for the world to see on the mailing list was one of the few methods researchers had to get vendors to pay attention and fix their software. Now, most major vendors have formal security response processes and deal directly with researchers on a regular basis, and some have lucrative bug bounty programs to reward them for their work.

And, for researchers who would rather go another route, they can simply post a link on Twitter or write a blog post and get the word out more quickly than sending a message to a mailing list.

“Most people I know unsubscribed from Full Disclosure a long time ago. The signal-to-noise ratio is very low, and these days vulnerability researchers have no need for traditional mailing lists to publish their findings.  We have blogs and Twitter, not to mention hundreds of security conferences.  I think many will be nostalgic about the early days of Full Disclosure, but closing the list will have no noticeable impact on the industry or our ability to share information,” said Chris Eng, VP of security research at Veracode.

The end of Full Disclosure puts a period at the end of that chapter in the security industry.

“I’m suspending service indefinitely.  Thanks for playing,” Cartwright wrote.

Image from Flickr photos of Rianna_reo.

Windows Spy Tool Also Monitors Android Devices

Tue, 03/18/2014 - 17:10

Researchers have discovered that a commercial Windows-based spy program now comes equipped with capabilities for spying on Android devices as well.

GimmeRAT, a secondary component of Win-Spy, was spotted during an investigation into a targeted attack against a financial institution in the United States. Win-Spy is generally deployed against home PC users for remote monitoring and administration, but has also popped up in two separate targeted attacks.

“The Android tool has multiple components allowing the victim’s device to be controlled by another mobile device remotely over SMS messages or alternatively through a Windows-based controller,” said researchers at security company FireEye who discovered GimmeRAT. “The Windows-based controller is simplistic and requires physical access to the device.”

Remote access Trojans for Android are nothing new; Dendroid and AndroRAT are two that have been in circulation for some time. But this is the first time that a multiplatform Windows RAT featuring Android capabilities has been discovered.

“It’s more common a tool like this that is publicly available might be used,” said FireEye researcher Hitesh Dharmdasani. “Someone might want to use this tool to [avoid] getting into someone else’s radar. You might look at it as a publicly available tool and not think it’s malicious. The intent is what makes it malicious.”

FireEye said it also detected Win-Spy used in another targeted attack campaign where WinSpy was embedded in macro documents to kick off a spam campaign.

Win-Spy Software Pro v16 is the latest version and includes the new Android monitoring capabilities. The tool’s website promises users to be up and spying within five minutes and that the software package allows users to monitor local and remote PCs as well as Android mobile devices. Using Win-Spy, you can monitor email and FTP transfers, record keystrokes, monitor webcam and microphone activity and more.

Dharmdasani said FireEye had no visibility into the effectiveness of the respective campaigns, where they originated and would not say whether the bank was a customer or how it detected the attacks.

In a blog post on the attacks, FireEye said the command and control infrastructure used in the attack on the financial institution was owned by the WinSpy author who provides use of his servers for C&C and storage of exfiltrated data.

“This feature allowing shared command-and-control infrastructure advertently or inadvertently provides another level of anonymity and deniability for the attacker,” the researchers said.

Both attacks started with phishing campaigns; the financial was targeted with an infected attachment posing as a pay slip acting as a decoy while the RAT installed in the background. The second attack posed as Western Union and other money transfer-themed Excel documents.

Win-Spy supports, in addition to monitoring and data exfiltration, connectivity checks and transfer of victim and system information to the remote server. An attacker can also use this to open a backdoor for remote commands, upload and download of more files and the execution of remote commands.

The new Android components also facilitate surveillance; there are three different apps that are part of the Android package.

“One of the applications requires commandeering via a windows controller and requires physical access to the device while the other two applications can be deployed in a client-server model and allow remote access through a second Android device,” FireEye said.

One component, GlobalService.apk, is used primarily for screen capture and sending screenshots to a remote server. A second component, GlobalNativeService, listens on a local socket for commands from the .apk file. There are also two remote controllers that work in concert to track a device’s location via GPS.

“These attacks and tools reaffirm that we live in an age of digital surveillance and intellectual property theft. Off-the-shelf RATs have continued to proliferate over the years and attackers have continued to increasingly use these tools,” the researchers said. “With the widespread adoption of mobile platforms such as Android, a new market continues to emerge with the demand for RATs to support these platforms.”

Sally Beauty Supply Acknowledges Breach of 25,000

Tue, 03/18/2014 - 16:01

Twelve days after acknowledging that someone attempted to breach its system, Sally Beauty Supply confirmed this week that an attacker was able to penetrate the company and make off with fewer than 25,000 records of its customers’ sensitive banking information.

The chain’s parent company Sally Beauty Holdings, Inc. posted a statement on its site Monday morning that it had detected an “unauthorized attempted intrusion” into its network back on March 5 and that it immediately recruited Verizon Enterprise Solutions to look into the incident.

Once engaged, Verizon discovered that “fewer than 25,000 records containing card-present (track 2) payment card data” had been accessed and possibly removed from the breached system. Track 2 data is the banking information most commonly parsed by ATMs and credit card checkers; it normally includes information about the user’s account and encrypted PIN.

The company confirmed in a FAQ that for this incident the stolen data includes customers’ names, credit or debit card numbers, and the three digit numbers on the back of cards known as the CVV. Sally Beauty claims it doesn’t store its customers’ PIN numbers, insisting that those shouldn’t be at risk and that the company doesn’t believe that customers’ social security numbers or dates of birth were breached either.

Sally Beauty Supplies, a Texas-based distributor of professional beauty supplies with around 2,700 locations in North America, cited an ongoing investigation when asked to comment on any specifics regarding the breach’s scope.

“As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation.”

Until the investigation is wrapped up Sally Beauty Supply is asking customers to check their bank statements for fraudulent activity and remain vigilant of phishing attacks.

The confirmation follows a report from Krebs on Security’s Brian Krebs from earlier this month that hackers broke into Sally Beauty Supply’s system and stole as many as 282,000 cards from the retailer.

It was about two weeks ago that a handful of banks purchased some of those cards from the same fraud website that was also peddling cards stolen in the Target breach. The banks discovered the cards had been used at a Sally Beauty Supply store within 10 days prior, which tipped off the banks, and Krebs, who had been looking at the fraud site’s stolen data, to the connection.

Sally Beauty Supply photo via Brave New Films‘s Flickr photostream, Creative Commons

Wide Gap Between Attackers, BIOS Forensics Research

Tue, 03/18/2014 - 12:59

Vendors have made important strides in locking down operating systems, patching memory-related vulnerabilities and other bugs that could lead to remote code execution or give hackers a stealthy presence on a machine. As the hurdles get higher for the bad guys, the better ones will certainly look for other means onto a system.

In some cases, that involves attacking hardware, specifically BIOS and other firmware that loads during boot-up. Successful exploits at that level can give an attacker not only root-level access to a computer, but persistence that survives most mitigation attempts.

Admittedly, experts concede attackers are ahead of the research curve but there is a steady increase in security researchers looking at BIOS forensics with more than a passing curiosity.

“I think we are seeing a renewed interest in this area as it’s becoming obvious that sophisticated adversaries (such as nation states) have the technical prowess to develop agents that live in this domain,” said Corey T. Kallenberg, a researcher with MITRE.

Kallenberg, along with MITRE colleagues Xeno Kovah and John Butterworth, and Intel researchers Yuriy Bulygin and John Loucaides, spent close to four hours at the CanSecWest conference explaining the risks present in this security discipline and some of the tools—such as MITRE’s Copernicus—available to analyze BIOS and its successor UEFI to learn where the weak spots may be and what attackers are doing about it.

BIOS, Kallenberg said, presented a large barrier to entry with regard to research and reverse engineering because it is closed source and extremely complex. Vendors, for example, each had their own flavor, meaning researchers would have to do significant legwork just to understand how one system’s BIOS worked, Kallenberg said. That knowledge, he said, would not always transfer to the next system’s BIOS.

“UEFI has made BIOS reverse engineering somewhat easier, as significant portions of the platform firmware are now standardized,” Kallenberg said. “Despite this, one of the largest difficulties in operating in this domain is debugging.

“BIOS debugging requires expensive equipment and significant electrical engineering know-how,” Kallenberg said. “Also unlike conventional software research, it is entirely possible to permanently break, or ‘brick’, your computer due to an experiment gone-awry. These compounding issues make it non-trivial to start doing firmware research.”

Attackers, meanwhile, have used bootkits, or kernel-level rootkits, to attack code that launches at startup such as the Master Boot Record. These attacks aren’t limited to nation state use either; crimeware kits include some dangerous bootkits such as Rustock and TDSS. Once malware has a grip at this level of a system, it often passes pre-defined checks in order to attack further up the firmware chain and write code to the hard drive as they wish.

“Attackers are significantly ahead of defenders in this area. This is because the information security industry is rarely driven by inherent flaws in their architectures, but instead driven by whatever is biting them the worst currently,” Kallenberg said. “There’s also the problem that it takes a lot of deep system knowledge to build detectors, and such people are in short supply, but if the commercial industry was sufficiently motivated they would be able to work with OEMs to perform BIOS security inspection.”

With the launch of Windows 8 in 2012, Microsoft required that the Trusted Platform Module chip be installed on all Windows machines going forward. TPM measures BIOS and UEFI activity and if any changes are present—changes that could have been introduced by malware—a clean version of the firmware is used instead. MITRE, however, demonstrated that TPM is vulnerable to replay attacks where an attacker could replay hashes known to be good, allowing him to install a bootkit yet still tell the TPM that all is well, Kallenberg said.

Here’s another area where significant gaps exist in research and forensics capabilities. Since the TPM cannot determine whether changes are good or bad, a knowledgeable analyst would still need a forensics tool to dump the flash contents and investigate the changes made to the firmware and determine whether they’re malicious, Kallenberg said.

“This problem with interpreting [TPM Platform Configuration Register] values is further compounded by the fact that OEMs are not supplying consumers with ‘golden PCR values,’” Kallenberg said. “In short, consumers have no idea what their PCRs should be. These issues make using a TPM-supported ‘Measured Boot’ to detect adversaries very difficult.”

Apache Update Resolves Security Vulnerabilities

Tue, 03/18/2014 - 12:51

P { margin-bottom: 0.08in; }
-->Apache has released version 2.4.9 of its ubiquitous HTTP web server (HTTPD), resolving two security vulnerabilities and a number of other bugs in the process.

The Apache Software Foundation is recommending HTTPD 2.4.9 over all previous versions.

The first patch fixes CVE-2014-0098. It aims to mitigate a cookie logging issue by accepting fewer redundant string parsing passes. In its latest iteration, Apache will log only cookies containing value assignments. Valueless cookies will be ignored. In all, the new version will prevent segmentation faults when logging truncated cookies.

The second security bulletin closes off CVE-2013-6438, which – on unpatched systems – could potentially enable a denial of service condition. The bug existed in mod_dav, Apache’s Web distributed authoring and versioning module. The fix will do a better job of properly monitoring the length of character data while removing leading spaces. Ultimately, the fix should eliminate the DoS risk posed by specially crafted DAV write requests in prior versions.

Stay tuned for Apache security update news in the future.

Threatglass Tool Gives Deep Look Inside Compromised Sites

Tue, 03/18/2014 - 11:04

Trying to enumerate the compromised sites on the Internet is a Sisyphian task. Luckily, it’s not a task that anyone really needs to perform any longer, especially now that Barracuda Labs has released its new Threatglass tool, a Web-based frontend that allows users to query a massive database of compromised sites to get detailed information on the malicious activity and the threats to visitors to those sites.

Barracuda has been using its technology to scan millions of Web sites every week, looking for malicious activity on legitimate sites. Typically, the tools scan the Alexa top 25,000 sites, along with other suspicious sites. The system hits the sites using a normal browser and waits to see what kind of actions the sites may take, looking for malicious activity like sites serving exploits or trying to download files to visitors’ machines. Now, the company has built a GUI for this system and exposed to the Web so that users and researchers can search the database, dating back to 2011, looking for current or historic compromise data.

Threatglass is set up to give users a variety of information about a give compromised site, including the number of URLs requested and whether the site downloads a binary. The tool also enables researchers to download a packet capture for a given site.

“Threatglass provides detailed information of what happened when visiting each of the infected websites on a given date, such as the screenshots of the browser, whether binary was downloaded or any emails were sent, and number of domains and objects requested. Meanwhile, the requested URLs and anomalous netflow information are presented on each of the infection incident reports. Most importantly, the network package captured during the whole visiting process is freely downloadable, which we’ve found to be well received by many security researchers in the community,” Barracuda Labs said in a blog post.

“With various representations of network traffic including DNS, HTTP, and netflow in both graphical and textual formats displayed to users, we believe that this tool can greatly help casual users to know which websites had been infected, explore how infected websites could damage their browsers and computers, and understand the trending volumes and impacts of malicious websites on the Internet.”

The site’s format also allows users to browse through the most recent group of compromised sites on the home page in a tiled format. The screenshots on the site are obscured until users manually move the window shade, mainly because a good portion of compromised sites contain adult content.

Barracuda Labs often comes across well-known, highly trafficked sites that have been compromised, including the recent example of, the popular humor site. The site, which is ranked in the Alexa top 300, was found to be compromised last fall and was still serving malware earlier this year. The malicious component on the site was serving exploits to visitors via Javascript. Barracuda also discovered similar compromises of and the Hasbro site.

Users of Threatglass also can submit suspicious URLs to Barracuda through the site.