Feed aggregator

Microsoft Closes IE Zero Day, Ships Penultimate XP Patch Tuesday Release

Threatpost for B2B - Tue, 03/11/2014 - 15:50

UPDATE: a previous version of this story mistakenly stated that Microsoft’s March patch Tuesday would be the last one providing support for Windows XP. Windows XP’s last patches will in fact be shipped with next month’s patch Tuesday release.

Microsoft has finally pushed a fix for a stubborn and widely publicized Internet Explorer zero day vulnerability known to have been exploited in a number of recent attacks targeting the website of Veterans of Foreign Wars, a French aeronautical firm, and at least three other sites.

This fix is part of Microsoft’s March edition of Patch Tuesday, a five bulletin affair resolving some 23 vulnerabilities of varying severity.

The top priority this month is, of course, the cumulative update to IE. This bulletin resolves one publicly disclosed bug and 17 privately disclosed ones. On unpatched systems, these vulnerabilities could give an attacker the ability to execute code remotely if a user can be lured to a maliciously crafted website. Upon successful exploitation, the attacker would gain the same rights as the victim, so users who browse with administrative rights are more exposed than those on standard accounts.

Among this group of vulnerabilities is the now-notorious IE zero day, which is precisely why this bulletin should be considered the highest priority for installation this month. Qualys CTO Wolfgang Kandek noted in an email to Threatpost that – if it weren’t for the zero day fix – one would likely consider this an uneventful patch cycle.

The second critically rated bulletin – also of high installation priority according to Kandek – resolves an issue in Microsoft DirectShow, a Windows-based API for streaming media content. This privately reported vulnerability could allow remote code execution if a user opens a specially crafted image file. Upon exploitation, the attacker would have the same rights as the user.

The few remaining important bulletins resolve two elevation of privilege bugs in the Windows kernel-mode driver, a security feature bypass flaw in the Windows Security Account Manager Remote (SAMR) protocol, and another security feature bypass problem in Microsoft Silverlight.

As a side note, this Patch Tuesday release pushes us one month closer to the end of an era: after April’s Patch Tuesday release, Microsoft will no longer provide security fixes for its more-than-a-decade-old and once-ubiquitous XP operating system. It’s well known that XP has for some time been marred by security vulnerabilities. Despite this, the operating system still commands 29.53 percent of the market, according to the market share statistics firm Net Marketshare.

“All of today’s bulletins apply to Windows XP and there is really no reason to expect any change in the near future: the majority of vulnerabilities found in the Windows OS and IE will apply also to Windows XP, but IT admins won’t have access to patches for these problems anymore,” says Kandek. “This will make any Windows XP machine an easy target for attackers, and within a few weeks, new tools will be developed that make these exploits widely available. Your best choice is to migrate away from Windows XP to a newer version of the operating system.”

Kandek cites different figures than Net Marketshare, claiming that his scans suggest that XP commands 14 percent of the operating system market. Whichever figure is most accurate, and 15 percentage points is a rather large gulf, entirely too many organizations and individuals are still running the archaic operating system, and things are only going to get worse for those people.

Hackers Milk IE Zero Day Before Patch

Threatpost for B2B - Tue, 03/11/2014 - 14:30

Attackers have increased their exploitation of an Internet Explorer zero day vulnerability (CVE-2014-0322) set to be fixed by Microsoft in its regularly scheduled patch Tuesday release later this afternoon.

According to a Websense report, the exploit source code deployed in at least two incidents – one targeting a French aerospace manufacturer and another targeting the website of Veterans of Foreign Wars – appears to have been made public. This publication and the subsequent addition of the zero-day to popular crimeware kits seems to have spurred the uptick, at least in part. As Websense notes, once exploit code like this goes public, generating attacks using it is essentially as easy as “copy and paste.”

Another factor contributing to the IE zero day vulnerability’s increased exploitation is likely the sheer amount of press it received, especially after researchers announced they would demonstrate a total bypass of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) at CanSecWest in Vancouver this week. This EMET bypass is both relevant and significant because the Redmond, Wash., computer giant urged its customers to install and run EMET as a temporary mitigation against this very same zero-day.

In addition to the two websites listed above, Websense reports that three others have been targeted using the same bug: hatobus[dot]co[dot]jp, a Japanese travel site hosted in Tokyo; english[dot]com[dot]tw, the site of a Taiwanese English school hosted in San Antonio, Texas; and chemistry[dot]hku[dot]hk, a Hong Kong University Chemistry Department website hosted in Hong Kong.

It all began with a typo-squatted variant of giffo[dot]asso[dot]fr, the website of the French aerospace company. The attackers set up giffo[dot]assso[dot]net and hosted a malicious iframe there that led to another part of the same domain, where the exploit was actually located.

Once this attack began garnering media attention, other criminals began copying it, deploying the same code on different lure sites with different payloads.

In the case of Hatobus, the popular Japanese travel site, attackers buried the redirecting iframe in some of the site’s JavaScript files. The exploit itself was hosted on the site as well, which makes the attack all the more inconspicuous, since redirects to shady external domains are generally a dead giveaway for security software. The exploit code in this case, according to Websense, was nearly identical to that used in the first attack. The only real difference is that the attackers piggybacked a second, Java-based exploit, which aimed to install a banking trojan targeting customers of a popular Japanese bank. Unlike the earlier, targeted attacks, the Hatobus variant sought to infect as many machines as possible.

The other two attacks were essentially copycats as well. Interestingly, in the case of the Taiwanese English school, the exploit was rather flagrantly hosted on the homepage of that website. The Hong Kong University Chemistry Department attack deployed redirecting iframes similar to those in the other incidents.

“It’s evident that the repercussions of exploit code of an unpatched vulnerability that found its way to the public domain can have quite an impact; exploit code that has been crafted for a targeted attack is virtually later on copied and used to drop crimeware binaries,” wrote Websense’s Elad Sharf. “We could see that the exploit code for CVE-2014-0322 was encompassed and served in a variety of ways as it “evolved” in scale: starting from being utilized on a cybersquatted lure website used in a low-volume and selected “under the radar” targeted attacks to being served through hidden iframes and exploit code that was directly placed on compromised websites with the ultimate aim to impact as many browsing users as possible with crimeware.”
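The delivery pattern described above, as an added example that is not code from Websense, Threatpost or any of the sites named: a small C scanner for the kind of injected redirector these attacks used. It flags <iframe> tags hidden with CSS or zero/one-pixel sizing, notes whether the frame loads from a host other than the page’s own, and checks whether a host is a one-letter look-alike of a trusted one (giffo.assso.net against giffo.asso.fr). The sample page, the hosts www.example.com and cdn.example.net, and all function names are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAXHOST 128
enum { IF_HIDDEN = 1, IF_OFFSITE = 2 };   /* bits returned by classify_iframe() */

/* ASCII case-insensitive strstr: injected markup arrives in any case. */
static const char *ci_strstr(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0) return hay;
    return NULL;
}

/* Lower-cased host of an absolute src inside [tag, end); 0 if the src is
   missing or relative (a relative src loads from the page's own host). */
static int src_host(const char *tag, const char *end, char *out, size_t outsz)
{
    const char *p = ci_strstr(tag, "src=");
    size_t i = 0;
    if (!p || p >= end) return 0;
    p += 4;
    if (*p == '"' || *p == '\'') p++;
    if ((p = strstr(p, "//")) == NULL || p >= end) return 0;   /* http://, https://, // */
    for (p += 2; *p && !strchr("/\"'> ", *p) && i + 1 < outsz; p++)
        out[i++] = (char)tolower((unsigned char)*p);
    out[i] = '\0';
    return i > 0;
}

/* Classify one "<iframe ...>" tag (tag points at '<') against the host the
   document was served from; hiding covers the CSS and 0/1-pixel tricks. */
static int classify_iframe(const char *tag, const char *page_host)
{
    static const char *hide[] = { "display:none", "display: none", "visibility:hidden",
                                  "width=\"0\"", "height=\"0\"", "width=\"1\"", "height=\"1\"" };
    const char *end = strchr(tag, '>'), *q;
    char host[MAXHOST];
    int f = 0, k;
    if (!end) return 0;
    for (k = 0; k < (int)(sizeof hide / sizeof hide[0]); k++)
        if ((q = ci_strstr(tag, hide[k])) != NULL && q < end) f |= IF_HIDDEN;
    if (src_host(tag, end, host, sizeof host) && strcasecmp(host, page_host) != 0)
        f |= IF_OFFSITE;
    return f;
}

/* Count hidden frames in an HTML or JavaScript file. Hiding alone is the
   signal: in the Hatobus case the exploit sat on the same host. */
static int count_hidden_iframes(const char *doc, const char *page_host)
{
    int n = 0;
    for (; (doc = ci_strstr(doc, "<iframe")) != NULL; doc += 7)
        if (classify_iframe(doc, page_host) & IF_HIDDEN) n++;
    return n;
}

/* True if b is a with exactly one character inserted, deleted or substituted. */
static int one_edit_apart(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i = 0;
    if (la == lb) { int d = 0; for (; a[i]; i++) d += a[i] != b[i]; return d == 1; }
    if (la + 1 == lb) { const char *t = a; a = b; b = t; lb = la; }   /* make a the longer */
    else if (la != lb + 1) return 0;
    while (i < lb && a[i] == b[i]) i++;
    return strcmp(a + i + 1, b + i) == 0;
}

/* A host is a look-alike of a trusted one when it differs but, with the last
   label stripped, is equal or one edit away: giffo.assso.net for giffo.asso.fr. */
static int is_lookalike(const char *host, const char *trusted)
{
    char a[MAXHOST], b[MAXHOST], *dot;
    if (strcasecmp(host, trusted) == 0) return 0;
    snprintf(a, sizeof a, "%s", host);
    snprintf(b, sizeof b, "%s", trusted);
    if ((dot = strrchr(a, '.')) != NULL) *dot = '\0';
    if ((dot = strrchr(b, '.')) != NULL) *dot = '\0';
    return strcmp(a, b) == 0 || one_edit_apart(a, b);
}

/* Constructed sample, not captured from any site: a page on www.example.com with
   a benign same-site frame and a hidden off-site frame written from script. */
static const char kSample[] =
    "<iframe src=\"/widgets/weather.html\" width=\"300\" height=\"200\"></iframe>\n"
    "<script>document.write('<IFRAME SRC=\"http://cdn.example.net/i.html\" "
    "STYLE=\"display:none\" width=\"0\" height=\"0\"></IFRAME>');</script>\n";

int main(void)
{
    printf("hidden iframes: %d\n", count_hidden_iframes(kSample, "www.example.com"));
    printf("look-alike: %d\n", is_lookalike("giffo.assso.net", "giffo.asso.fr"));
    return 0;
}
```

This is a triage heuristic for files pulled from a suspect site, not a parser. Because it matches raw text it also catches markup inside document.write() strings in JavaScript files, the placement used against Hatobus, but it misses frames assembled by string concatenation or created at runtime, and the look-alike check strips only one label, so subdomains and multi-part public suffixes need a real public-suffix list before the verdict means much.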

The NSA, Snowden and the Internet’s Offensive Future

Threatpost for B2B - Tue, 03/11/2014 - 12:21

Despite everything that has transpired in the last year, Edward Snowden sounded calm, reflective and in some ways wistful yesterday discussing the fallout and consequences of the multitude of NSA programs and methods he’s revealed. Snowden bemoaned the fact that the NSA specifically, and the intelligence community in general, have shifted their focus to offensive operations, implying that defense should be the focus. But now that those agencies have the tremendous offensive powers they’ve accumulated in the last decade, they’re never giving them back.

Whatever your feelings are about Snowden, listening to him speak about why he did what he did, what he hoped to accomplish and how he feels about the public reaction is informative. He spoke Monday for about an hour from an undisclosed location in Moscow and, while he touched on many subjects, Snowden returned several times to the idea that the NSA and other government agencies have hijacked the Internet for their own purposes, all in the name of protecting us from…something.

“The result has been an adversarial Internet, a global free-fire zone for governments. This is a global issue. They’re setting fire to the Internet,” Snowden said during a discussion at the South By Southwest conference.

In one sense he’s correct. Governments around the world are indeed using the Internet as a platform for offensive operations against foreign governments, terrorist groups and, in some cases, their own citizens. They’re hoarding zero-day vulnerabilities, developing sophisticated malware and building entire catalogs of hardware tools that can compromise every conceivable communications platform. Those are simply the facts. And the NSA is at the forefront of these operations. One part of the agency’s mission is to conduct offensive cyber operations against foreign targets, and the NSA is as good as it gets in that game.

“If you’re a target of the NSA, it’s game over no matter what,” said Chris Soghoian of the ACLU, who participated in the Snowden discussion.

That’s the part of the NSA’s mission that Snowden’s disclosures have centered on, the amazing technical capabilities and the large-scale surveillance programs. But Snowden said Monday that one of the big problems at the agency, where he worked as a contractor, is that the focus on offense has come at the expense of defense, which is the second half of the NSA’s mission. The agency is charged with defending the country’s electronic communications against foreign intruders, but Snowden argues that NSA Director Gen. Keith Alexander and his predecessor, Michael Hayden, made a conscious choice to minimize that mission in the years after 9/11.

“It was Michael Hayden and Keith Alexander in the post-9/11 era who made a very specific change. They elevated offensive operations over the defense of our communications,” he said. “This is a problem because America has more to lose than anyone else when an attack succeeds. It doesn’t make sense for you to be attacking all day and never defending your vault.”

But what Snowden didn’t say is that it was Congress who continued to hand new capabilities to the NSA, and indeed it was eager to do so as part of the massive ramp-up of anti-terror programs after 2001. The Section 215 metadata provision of the USA PATRIOT Act and the Section 702 intelligence-gathering provision of the FISA Amendments Act have given the NSA unprecedented ability to vacuum up massive amounts of data, and advances in technology have provided the capability to store and search that data for decades to come. And the deep bench of technical talent the agency has amassed has given it the ability to develop a wish list of spy tools, exploits and implants to do the targeted work that mass surveillance doesn’t accomplish.

Given those abilities, and more importantly, the legal authority to use them, the NSA is, of course, going to do so. If you have a Ferrari, you don’t leave it sitting in the garage, you drive the hell out of it. Technology advances, regardless of our desire for it to slow down sometimes, and, as Bruce Schneier often says, attacks only get better, not worse. And the NSA is the apex predator of this environment. The agency hasn’t abandoned its defensive mission, not by a long shot, but offense is sexy and provides tangible results to show the higher-ups.

Offense is the present and it’s also the future. And, to borrow a phrase, the future will retire undefeated.

Image from Flickr photos of Tim Lucas

Apple iOS 7.1 Fixes More Than 20 Code-Execution Flaws

Threatpost for B2B - Tue, 03/11/2014 - 05:00

Apple has fixed a slew of vulnerabilities that could lead to code execution on the iPhone, along with a number of other security vulnerabilities, in the latest version of its mobile operating system, iOS 7.1. The new release comes just a little more than two weeks after Apple released iOS 7.0.6 to fix the SSL/TLS certificate validation error.

Unlike that release, which fixed just the one vulnerability, significant though it was, iOS 7.1 is a major security release containing patches for a large number of vulnerabilities in many different components. WebKit, the framework underlying Safari, got a major security upgrade in iOS 7.1, with Apple fixing 19 separate memory corruption issues. Nearly half of those vulnerabilities were discovered by the Google Chrome security team, and many of the 19 bugs were identified last year.

Among the code-execution vulnerabilities patched in the new release are a pair of buffer overflows in ImageIO, a library that enables the reading and writing of multiple image formats. Apple also fixed a code-execution flaw in the kernel caused by an out-of-bounds memory access issue in the ARM ptmx_get_ioctl function. There also is a fix for a vulnerability in the way that Office Viewer handled certain Microsoft Word documents.

Along with the more serious code-execution bugs, Apple also pushed out a fix for a vulnerability in the iTunes Store that could allow an attacker to trick a user into downloading a malicious app from the store.

“An attacker with a privileged network position could spoof network communications to entice a user into downloading a malicious app. This issue was mitigated by using SSL and prompting the user during URL redirects,” Apple said in its advisory.

There were patches for several other less-serious vulnerabilities, as well. The full list of fixes is included in the Apple advisory.


Blog: Trust. Trust. Trust

Secure List feed for B2B - Mon, 03/10/2014 - 16:31
Over the past week or so I've been to TrustyCon, Jeffrey Carr's town-hall debate on Privacy v National Security and Georgetown's conference on International Engagement on Cyber. All these conferences had trust as a major focal point.

200 Million Consumer Records Compromised in Experian ID Theft Case

Threatpost for B2B - Mon, 03/10/2014 - 15:31

An ongoing investigative report has revealed that a man posing as a private investigator may have compromised millions of Americans’ personal and financial records from 2007 to 2013.

The news is the latest fallout from last year’s discovery that Experian, one of the “big three” national credit reporting agencies, indirectly sold consumer data to a Vietnamese national, Hieu Minh Ngo, 24, who was masquerading as a Singapore-based P.I.

Ngo pleaded guilty last week and Krebs on Security reporter Brian Krebs, who has been following the story since last year, acquired a transcript of his guilty plea proceedings, according to a post on his blog today.

According to those proceedings (.PDF) Ngo peddled that data through ID theft websites, giving more than 1,300 customers access to a cache of personally identifiable information (PII) belonging to 200 million Americans, including addresses, previous addresses, phone numbers, email addresses, dates of birth, along with the coup de grâce, their Social Security numbers.

Ngo’s customers ponied up around $1.9 million for about 3.1 million queries on Americans over the course of 18 months. The corresponding database, owned by Ohio-based U.S. Info Search, contained the information on 200 million U.S. citizens.

We learned the basics about the case back in October: Experian-owned entity Court Ventures, an aggregator of electronically available public records data, had a deal worked out with a third-party group, U.S. Info Search, that gave both firms complete access to each other’s databases. Using regular cash wire transfers from a bank in Singapore, Ngo was able to secure monthly access to that database.

While it’s unclear exactly how many Americans may have had their information compromised, Krebs theorizes that since each query exposed multiple records, information about a staggering number of citizens, perhaps as many as 30 million records, may have been divulged.

“At this point the government does not know how many U.S. citizens’ PII was compromised, although that information will be available in the near future,” U.S. Attorney Arnold H. Huftalen told Judge Paul Barbadoro in U.S. District Court in New Hampshire last Monday, according to the report.

Huftalen went on to add that because of the way Ngo sold the information, via identity theft websites, customers could access records by merely typing in the name of an individual and a state, which makes it much more difficult to get an exact count of those at risk.

Ngo sold customers “fulls,” essentially batches of the information previously described, but also portioned out access to limited bits of information. Ngo charged individuals via Liberty Reserve, a Costa Rica-based currency service.

According to a U.S. Secret Service-led investigation, all of Ngo’s customers claimed they intended to “engage in criminal fraud,” and the government believes the “fulls” were used by carders, criminals who buy, sell, and trade stolen credit card data online, to take over identities, engage in bank, credit card and ATM fraud, and file fake U.S. personal income tax returns.

Experian hasn’t said much about the case, citing an ongoing federal investigation, but as Krebs notes, in a December hearing the company’s Senior Vice President of Government Affairs Tony Hadley did acknowledge the incident, stressing that the company didn’t find out until the U.S. Secret Service informed it.

“We were a victim, and scammed by this person,” Hadley told Missouri Senator Claire McCaskill at the time.

Hadley later indirectly admitted that the company knows that customers have had their identity stolen but still went on to downplay the incident, adding that “there’s been no allegation that any harm has come.”

CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk

Threatpost for B2B - Mon, 03/10/2014 - 14:45

A presenter at this week’s CanSecWest security conference has withdrawn his scheduled talk for fear the information could be used to attack critical infrastructure worldwide.

Eric Filiol, scientific director of the Operational Cryptology and Virology lab and CTO/CSO of ESIEA in France, pulled his talk on Sunday, informing organizer Dragos Ruiu via email. Filiol, a 22-year military veteran with a background in intelligence and computer security, said he has been studying the reality of cyberwar for four months and came to the decision after discussions with his superiors in the French government.

Filiol said he submitted the presentation, entitled “Hacking 9/11: The next is likely to be even bigger with an ounce of cyber,” to CanSecWest three months ago before his research was complete. Since his lab is under supervision of the French government, he was required to review his findings with authorities.

“They told me that this presentation was unsuitable for being public,” Filiol said in an email. “It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries).”

Filiol said his methodology—a combination of information gathered through open source intelligence means, mathematical modeling and infantry techniques—could damage critical infrastructure in the United States, and likely worldwide.

“With a small unit of around 10 people, it is possible in an invisible way to cause major national disruptions,” Filiol said.

Filiol said his research is now classified. “I will present it only to people of the French government in forthcoming days,” Filiol said.

Event organizer Ruiu announced Filiol’s withdrawal on Twitter yesterday, initially blaming the French Department of the Interior, the equivalent of the U.S. Department of Homeland Security, and the U.S. Department of Defense, for Filiol pulling out.

“I’d like to remind all concerned: Security by obscurity is not much security at all,” Ruiu tweeted.

Filiol said he gave in, not only for legal, but also moral reasons.

“Moreover aside the legal responsibility, I have to face a moral responsibility if someone was misusing [this] information against innocent citizens,” Filiol said. “The presentation was very precise with a lot of details. Of course I could not give those details, but it is the problem of proof and attendees would claim that my work was of theoretical interest only (it is often the way that decision-makers elude the real risks).”

Filiol’s talk is still listed on the CanSecWest agenda in its original time slot on Friday morning, but Ruiu said it will be replaced by a runner-up talk organizers had originally turned away.

“So it is indeed censorship, but self-censorship inspired by legal and moral reasons,” Filiol said. “As long as full disclosure will be risky, then this kind of decision is preferable.”

Snowden: Surveillance Has Damaged Internet, U.S. Economy

Threatpost for B2B - Mon, 03/10/2014 - 14:38

The mass surveillance programs that he revealed through media leaks in the last year have not only compromised the privacy and security of Americans, but have damaged the country’s economy, Edward Snowden said in an interview Monday.

Snowden, the former National Security Agency contractor who stole untold numbers of agency documents last year and has been feeding them to the media, said that because the United States government–and others–have been treating the Internet as a surveillance platform, the network has become far less usable and safe.

“The result has been an adversarial Internet, a global free-fire zone for governments. It’s not something we asked for or wanted,” Snowden said, speaking remotely from Russia to an audience at the South By Southwest conference. “This is a global issue. They’re setting fire to the Internet.”

Snowden seemed polished and calm, speaking deliberately and without hesitation. The session he participated in was moderated by Chris Soghoian, principal technologist at the American Civil Liberties Union, and Ben Wizner, director of the ACLU’s Speech, Privacy & Technology Project, and much of the discussion focused on the NSA’s use of mass surveillance techniques and what technologists and users can do to defend themselves. Asked whether the kinds of sweeping phone and Internet surveillance methods that the NSA uses are effective, Snowden said no.

“They’re not. We’ve reached a point where the majority of Americans’ phones are being recorded. We’ve got to think about what we’re doing with those resources,” he said. “What are we getting out of them?”

Soghoian, who has been a frequent vocal critic of the NSA and surveillance in general, said that not only is the government not helping citizens defend themselves online, it’s actively compromising the integrity of the network itself.

“What should be clear is that the government isn’t doing anything to make us secure. As a country, we have basically been left to ourselves,” Soghoian said. “The government has really been prioritizing its efforts on information collection. Our networks have been designed with surveillance in mind.”

Snowden and Soghoian both emphasized that the thing that gives users the best chance of protecting themselves against both the NSA and more banal online threats is the use of encryption.

“It’s protection against the dark arts. The government has assembled a massive investigative team into me personally and they still have no idea what documents I have, because encryption works,” Snowden said.

NSA officials, legislators and other government officials have criticized Snowden’s actions and said repeatedly that he has damaged the security of the country. Snowden said that Gen. Keith Alexander, the current NSA director, and Michael Hayden, his predecessor, are the ones who have done the real damage.

“It was Michael Hayden and Keith Alexander in the post-9/11 era who made a very specific change. They elevated offensive operations over the defense of our communications,” he said. “This is a problem because America has more to lose than anyone else when an attack succeeds. It doesn’t make sense for you to be attacking all day and never defending your vault. We rely on the ability to trust our communications and without that our economy can’t succeed.”

Snowden has been in exile in Russia for several months and faces federal prosecution if he ever returns to the U.S. But he said that he doesn’t have any regrets about what he did.

“What I wanted to do was inform the public so they could provide their consent for what we should be doing. The result is that the public has benefited, the government has benefited and every single society has benefited,” Snowden said. “When it comes to would I do this again, the answer is absolutely yes.”

Pinterest’s First Transparency Report Shows Minimal Government Requests

Threatpost for B2B - Mon, 03/10/2014 - 14:02

Pinterest, the social image-sharing site known predominantly for wedding planning and recipe dissemination, released its first transparency report on Friday. While the government – unsurprisingly – makes few requests of this most bubbly of social networks, the report seems to carry a broader message: if your company stores user data, the government is likely to ask for it at some point.

The company claims it received seven warrants, five subpoenas, and no other requests between July and December 2013. In all, government requests for user-data affected just 13 accounts.

Only United States law enforcement agencies made requests of Pinterest and among those, 11 of the 12 requests were made by state and local rather than federal agencies. California made four requests, Florida made two, Utah made two, and New York, Oregon, and Wisconsin each made one request.

Pinterest says its policy is to notify users when the government asks for their data unless it is prohibited by law from doing so. In only three cases was Pinterest prohibited from informing its users.

“Also,” the company says, “while the vast majority of requests are straightforward and routine, there are some occasions where the nature, scope or content of the request is objectionable or defective in some way, in which case, we’ll reject the request.”

A quarterly breakdown in the report reveals that law enforcement requested user information more frequently in the third quarter than in the fourth.

Other notable transparency reports – like those of CloudFlare and Microsoft – paint a very different picture about the nature of law enforcement data requests.

GnuTLS Bug Exposes Shortcomings in TLS Test Suites

Threatpost for B2B - Mon, 03/10/2014 - 11:24

Code audits are often ugly tasks and can sometimes find ugly things. Case in point: the GnuTLS goto bug.

Chief architect and Red Hat engineer Nikos Mavrogiannopoulos initiated a code audit of the open source crypto library that eventually turned up last week’s critical bug. The bad code has been present since 2005, meaning that for nearly a decade GnuTLS has not been properly verifying X.509 certificates: certain error conditions were mishandled, and as a result some verifications that should have failed were reported as successful.

The upshot is that attackers with man-in-the-middle positioning could present a specially crafted certificate that would be accepted by GnuTLS giving them access to supposedly secure communication between parties.

“I was adding new features to the certificate validation procedure of GnuTLS. Then I noticed some issues and that was the point the full audit started,” Mavrogiannopoulos told Threatpost via email. “[The bug is] as serious as it could get.”

Veracode security researcher Melissa Elliott said the faulty code snippet in question is supposed to return either true or false depending on whether the certificate is valid, a convention known as a Boolean return code. The GnuTLS code, however, returned specific error codes, including some represented by negative numbers, each signifying a different failure, she said.

“The mistake was that when one of these functions returned an error, it would be treated as though it were Boolean without changing the actual number. Under Boolean rules, anything that is not a zero is ‘true,’” Elliott said. “Hence, an error meant to indicate failure would be passed up the chain as ‘true’ (no error) instead of ‘false’ (error).”

Mavrogiannopoulos said the error was his and has been present since version 1.0.0.

The faulty code has been fixed and patches made available. Reportedly there are anywhere between 200 and 350 open source software packages, including a number of flavors of Red Hat Enterprise Linux, Debian and Ubuntu, that make use of GnuTLS as a crypto library. It’s no OpenSSL in terms of deployment, but regardless, it’s still worrisome to many that such a problem existed for so long.

“It is distressingly easy to accidentally write a bug like this. It does not cause anything to crash. Full-featured C compilers can warn you about this bug, but the false positive rate (that is, instances where it can’t possibly do any harm) is high enough that most programmers are inclined to ignore them,” said Elliott. “Unfortunately, this is security-sensitive code, so the consequences of missing the one important warning in a list of benign ones can be catastrophic.”

GnuTLS is a volunteer-driven project, Mavrogiannopoulos pointed out, meaning that code gets reviewed and patched and updated as manpower is available.

“However, due to this incident I received mail from people that were interested in doing code review, so I’ve provided information to assist them (as an audit competition),” he said, providing additional details on the GnuTLS mailing list.

Experts such as cryptographer and Johns Hopkins professor Matthew Green said that there are an insufficient number of quality TLS code scanners available that could have helped catch this while in development.

“Clearly people need to run their TLS implementations through test harnesses and tools that may not exist yet,” Green said.

Veracode’s Elliott concurred.

“I think learning the lesson about code auditing is more important than fretting about the past exposure risk of this specific bug in this specific product,” Elliott said. “Any one library may have relatively few users but there are more bugs in more libraries, and cumulatively, all of us are exposed somewhere. Systematically flushing out the bugs will help all of us.”

Mavrogiannopoulos wrote in a separate post to the GnuTLS mailing list that the bug went unnoticed for so long because it could not be detected by any of the project’s certificate validation tests, including a certificate validation path suite developed for the Department of Defense and another one developed in-house.

“That didn’t help with the issue either, because it requires a specially crafted certificate (and I’m not revealing more details on that yet),” Mavrogiannopoulos said, adding that the code audit was the only means available to catch something like this.

“As this code was on a critical part of the library it was touched and thus read, very rarely. Moreover, the code in question followed the usual form of error checking in the library ‘if(err<0) return err’, making it look correct, unless one would notice that the function returned a boolean value (and we have very few such functions in the library),” Mavrogiannopoulos said.
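The return-convention mix-up that Elliott and Mavrogiannopoulos describe above, as an added example. This is not the GnuTLS source; it is modelled on their description: a Boolean “is the issuer a CA?” check whose error paths fall through a cleanup label carrying a negative error code, a caller that only tests for zero, and the corrected pair beside them. The certificate struct, the error codes and every name in it are constructed for the example.

```c
#include <stdio.h>

/* Constructed error codes in the GnuTLS style; the names are hypothetical. */
#define E_NO_ISSUER (-1)
#define E_PARSE     (-2)

/* Toy certificate holding only what the check needs. ca_flag: 1 = the
   issuer asserts it is a CA, 0 = it does not, -1 = the extension failed
   to parse (the error path a specially crafted certificate steers into). */
struct cert {
    const char *subject;
    const char *issuer;     /* NULL models a certificate with no issuer */
    int ca_flag;
};

/* Sample certificates, constructed for this example. */
static const struct cert kGood     = { "www.example.com", "Example CA", 1 };
static const struct cert kNotCa    = { "www.example.com", "Some Leaf",  0 };
static const struct cert kBroken   = { "www.example.com", "Example CA", -1 };
static const struct cert kNoIssuer = { "www.example.com", NULL,         1 };

/* BUGGY: the contract is Boolean (1 = issuer is a CA, 0 = it is not), but
   the error paths reuse the library's error-code idiom and fall through
   to 'return result' carrying a negative number. */
static int check_if_ca_buggy(const struct cert *c)
{
    int result;
    if (c->issuer == NULL) { result = E_NO_ISSUER; goto cleanup; }
    if (c->ca_flag < 0)    { result = E_PARSE;     goto cleanup; }
    result = c->ca_flag;
cleanup:
    return result;          /* -1 or -2 leaves here and reads as "true" */
}

/* The caller only asks "is it zero?", so a negative error code passes as
   "is a CA" and verification carries on as if the chain were sound. */
static int verify_buggy(const struct cert *c)
{
    if (check_if_ca_buggy(c) == 0)
        return 0;           /* rejected: issuer is not a CA */
    return 1;               /* accepted */
}

/* FIXED: a Boolean function returns only 0 or 1; errors go out of band and
   count as "not a CA", and the caller tests for the one success value. */
static int check_if_ca_fixed(const struct cert *c, int *err)
{
    *err = 0;
    if (c->issuer == NULL) { *err = E_NO_ISSUER; return 0; }
    if (c->ca_flag < 0)    { *err = E_PARSE;     return 0; }
    return c->ca_flag == 1;
}

static int verify_fixed(const struct cert *c)
{
    int err;
    if (check_if_ca_fixed(c, &err) != 1)
        return 0;           /* rejected, whether "not a CA" or an error */
    return 1;
}

int main(void)
{
    const struct cert *samples[] = { &kGood, &kNotCa, &kBroken, &kNoIssuer };
    const char *names[] = { "good", "not-a-CA", "unparsable", "no-issuer" };
    int i;
    for (i = 0; i < 4; i++)
        printf("%-10s buggy=%d fixed=%d\n", names[i],
               verify_buggy(samples[i]), verify_fixed(samples[i]));
    return 0;
}
```

The buggy pair accepts the unparsable and the issuer-less certificates because -2 and -1 are not 0, which is why a man-in-the-middle needs only a certificate that takes an error path inside the check, not a forged signature. The fix has two halves that each stand on their own: the Boolean function maps every failure to 0, and the caller compares against the single success value instead of asking “is it nonzero?”. Nothing crashes in either version, and a validation test suite only notices if it happens to contain a certificate that reaches the error path, which matches Mavrogiannopoulos’s account of why the test suites missed it.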

Blog: RootedCON V

Secure List feed for B2B - Mon, 03/10/2014 - 10:40

It was five years ago when a group of computer security enthusiasts decided to gather together and organize a security conference mainly for a Spanish-speaking audience.

Last week RootedCon celebrated its fifth birthday, gathering more than 1000 attendees. It is now firmly established as the most important security event in Spain.

Microsoft Disclosed User Content in 10% of U.S. Law Enforcement Requests

Threatpost for B2B - Mon, 03/10/2014 - 10:31

Microsoft supplied user content in response to 10.8 percent of the law enforcement requests it received from United States agencies in the second half of 2013. The company got more than 5,600 requests from U.S. agencies in the last six months of the year, and in the vast majority of those–68 percent–it only supplied subscriber or transaction data.

The newest transparency report from Microsoft shows that in most cases, the company supplied some information in response to law enforcement requests, but it usually was simple transaction or subscriber information. Overall, Microsoft got more than 35,000 requests from law enforcement agencies around the world in the second half of 2013, and it supplied user content in 2.32 percent of those cases. Microsoft rejected outright 3.4 percent of requests.

“These reports are part of our ongoing commitment to transparency on these issues. We believe that public availability of such data is important to our customers as well as to an increasingly broad community of advocates and stakeholders working to find the appropriate balance of policies that promote public safety and personal data privacy,” John Frank, Deputy General Counsel and Vice President, Legal and Corporate Affairs at Microsoft, wrote in an analysis of the data.

“Overall, the data in this latest Law Enforcement Requests Report shared today is largely consistent with prior reports.”

The new report doesn’t include information on National Security Letters or FISA court demands. Microsoft, along with several other technology companies, sued the federal government last year for the right to publish more information on the volume and kind of secret demands they get for user data and content and has begun publishing that data separately.

About 80 percent of the requests for user content data came from the U.S., Microsoft said, and most of the law enforcement requests in general come from a small handful of countries, including Turkey, the U.K., Germany, France and the U.S. Interestingly, Turkey sent nearly as many requests to Microsoft–5,330–as the U.S. did. Germany sent 5,200 requests, France sent 4,627 and the U.K. sent 4,213. By comparison, Canada sent 47, Israel sent 15 and Liechtenstein sent one.

Microsoft officials said most of the requests the company receives are for its free consumer services, such as Hotmail or Outlook.com, and very few relate to its commercial offerings.

“As our law enforcement requests reports have shown, the overwhelming majority of law enforcement requests seek information related to our free consumer services. By comparison, we have received few law enforcement requests for data associated with use of our commercial services by our enterprise customers. The law enforcement requests we receive relate to a variety of criminal activity, ranging from kidnappings and suicide threats to terrorism, narcotics trafficking, fraud, and cybercrime,” the company said.

In the first half of 2013 Microsoft received more than 7,000 requests from U.S. law enforcement and supplied user content data in almost an identical percentage of them, 10.7 percent.

Privacy Advocates Want To Halt Facebook Acquisition of WhatsApp

Threatpost for B2B - Fri, 03/07/2014 - 14:08

The appeal of WhatsApp, the cross-platform mobile messaging app recently acquired by Facebook for a stunning $19 billion price tag, was that it kept to its promise of not collecting user information that would be converted to ad revenue.

The acquisition by Facebook, however, likely changes that dynamic, and that worries consumer privacy advocates. Two such groups filed a complaint this week with the U.S. Federal Trade Commission requesting an investigation and possibly an injunction temporarily blocking the acquisition.

The Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD) filed the complaint recently, stepping up on behalf of WhatsApp’s hundreds of millions of active users. The complaint said Facebook has made it clear it will incorporate WhatsApp user data into its business model, and that’s something users didn’t sign up for.

“The proposed acquisition will therefore violate WhatsApp users’ understanding of their exposure to online advertising and constitutes an unfair and deceptive trade practice,” the complaint said.

Reportedly, 50 billion messages are shared daily between WhatsApp users worldwide. WhatsApp said it collects only mobile phone numbers from its users and any other association of personal information with that number happens on the device and is not stored by WhatsApp, its privacy policy states. The service doesn’t store or copy message content either, it said.

The concern is that Facebook will be able to construct complete profiles on WhatsApp users, most of whom are likely already among Facebook’s 1.2 billion subscribers. WhatsApp users who relied on the privacy promises made by the app could now be subject to intrusive targeted advertising, which is the heart of Facebook’s revenue model. Facebook, meanwhile, has established a precedent with past acquisitions, including Instagram in 2012, of changing existing privacy policies and terms of service in order to collect user data.

In backing up its claims of deceptive trade practices, EPIC and the CDD point out that WhatsApp users expect a “privacy-protective messaging service” and could not have anticipated their data would be subject to Facebook’s data collection and mining practices, the complaint said.

EPIC formally asked the FTC to investigate the acquisition on these grounds, in particular concerning Facebook’s ability and intent to access WhatsApp users’ mobile phone numbers and metadata. It also asked that the acquisition be halted until the investigation is completed.

“In the event that the acquisition proceeds, order Facebook to insulate WhatsApp users’ information from access by Facebook’s data collection practices,” the complaint said.

According to Reuters, Facebook said in a statement that WhatsApp will operate as a separate company and will honor its privacy and security commitments.

New Attacks on HTTPS Traffic Reveal Plenty About Your Web Surfing

Threatpost for B2B - Fri, 03/07/2014 - 09:58

One thing that’s been made abundantly clear by mathematicians and cryptographers alike is that despite the NSA’s dragnet surveillance of phone calls and Internet traffic, the spy agency has not been able to crack the math holding up encryption technology.

Those who wish to spy and steal on the Internet continuously hit a wall when it comes to crypto algorithms, leaving no alternative but to find a way to subvert the technology in order to reach their targets.

In response, security and privacy experts, as well as cryptographers, have urged companies to turn HTTPS on by default for web-based services such as email and social networking. A group of researchers from UC Berkeley, however, this week published a paper that explains new attacks that aid in the analysis of encrypted traffic to learn personal details about the user, right down to possible health issues, financial affairs and even sexual orientation.

The paper “I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis” builds on previously successful research on SSL traffic analysis, Tor and SSH tunneling exposing vulnerabilities in HTTPS leading to precise attacks on the protocol that expose sensitive personal information.

The researchers—Brad Miller, Ling Huang, A.D. Joseph and J.D. Tygar—developed new attack techniques they tested against 600 leading healthcare, finance, legal services and streaming video sites, including Netflix. Their attack, they said in the paper, reduced errors from previous methodologies more than 3 ½ times. They also demonstrate a defense against this attack that reduces the accuracy of attacks by 27 percent by increasing the effectiveness of packet level defenses in HTTPS, the paper said.

“We design our attack to distinguish minor variations in HTTPS traffic from significant variations which indicate distinct traffic contents,” the paper said. “Minor traffic variations may be caused by caching, dynamically generated content, or user-specific content including cookies. Our attack applies clustering techniques to identify patterns in traffic.”

Using the techniques presented in the paper, an attacker could learn much more about a user’s activity than just the IP address of the website they’re visiting; specific pages on the site can now be deduced with greater accuracy than in previous work, the researchers said.

The paper points out a number of privacy consequences beyond government surveillance as well. For example, enhanced SSL traffic analysis by an ISP can lead to more intrusive customer data mining and targeted advertising. Employers can also more effectively monitor employees’ traffic, and the techniques can improve the censorship efforts of oppressive regimes, putting the liberties of privacy advocates at risk.

The attacks were tested on a number of heavily visited websites, including the Mayo Clinic, Kaiser Permanente, Planned Parenthood, Wells Fargo, Bank of America, Vanguard, Legal Zoom, the ACLU, Netflix and YouTube. The researchers established a baseline by visiting webpages on the respective sites and recording subtle changes to the URLs, especially those brought upon by browser cookies and caching that affect packet sizes for internal pages compared to homepages that are much more highly trafficked.

The researchers said that their techniques, conducted against more than 6,000 webpages, were able to accurately identify internal pages and information 89 percent of the time on average.

The paper also presents a possible defense against these attacks, which the researchers called Burst, which they demonstrate reduces attack accuracy by 27 percent. The paper said the technique operates between the application and TCP layers and is able to obscure high level features of traffic.

“The Burst defense outperforms defenses which operate solely at the packet level by obscuring features aggregated over entire TCP streams,” the paper said. “Simultaneously, the Burst defense offers deployability advantages over techniques such as HTTPS since the Burst defense is implemented between the TCP and application layers.”

Dexter, Project Hook POS Malware Campaigns Persist

Threatpost for B2B - Thu, 03/06/2014 - 17:36

While the Target data breach may be in the rear view mirror, research this week shows it’s clear that many attackers are still using point of sale malware, namely Dexter and Project Hook, in active attacks.

Researchers at Arbor Networks’ Security Engineering & Response Team (ASERT) looked at several such campaigns, exfiltrated data dumps and decoded them to analyze the scope of their compromises. The group also analyzed network activity triggered by Dexter malware samples.

According to Arbor’s Threat Intelligence Brief 2014-3 released yesterday, researchers noticed a specific variation of Dexter, Dexter Revelation, exfiltrating stolen data, stored in fake .zip files and .txt files – via FTP credentials – from compromised terminals.

Revelation was one of three Dexter variants (along with Stardust and Millennium) that ASERT noticed in December but at that time it was unclear just how the infections were happening.

While researchers were under the assumption that Revelation was a fairly new brand of malware, new research has traced developmental versions of the malware back almost a year, with early builds dating to April 2013.

It turns out the Revelation malware has several handy functions, including a memory scraping procedure that “scours system memory looking for plaintext data that matches a credit or debit card format” and a keylogger function it uses to “capture keyboard activity and other system information.” The fake .zip files store a four-byte XOR key that can actually be used to decode the file’s contents.

The report suspects a threat actor going by either “Rome0” or “rome0” is directly involved with Dexter. Researchers say they’ve noticed actors going by both of the usernames demonstrating their familiarity with banking Trojans online and frequenting various carding forums.

ASERT posted a list of IP addresses and hostnames associated with Dexter’s command and control activity in the report that it’s hoping organizations review.

“Organizations are encouraged to check logs and other indicators of network activity associated with these IP addresses and/or hostnames to find systems compromised as part of a past or current attack campaign.”

The IP addresses listed in red indicate that the C&C servers associated with them were still active as of the report.

While Project Hook, another point-of-sale malware, is less active than Dexter, researchers are still encouraging organizations to remain vigilant, especially after they found a special URL set up in January and early February hosting back-end panels for Project Hook and another PoS malware, Alina.

Arbor’s report came out the same day that Target announced it would finally overhaul its information security processes and that its chief information officer, Beth Jacob, had resigned.

Target reports that it will fill the position with an external hire as well as assign a new role: chief compliance officer.

“Target will be conducting an external search for an interim CIO who can help guide Target through this transformation,” Target’s Chairman, President, and CEO Gregg Steinhafel said Wednesday.

The transformation Steinhafel is referring to is the stress the U.S. retailer has undoubtedly had to grapple with after suffering a massive breach in November. Attackers were able to set up a command and control server and lift more than 40 million credit and debit card records and 70 million other records of customer details from Target point of sale systems.

We may be three months removed from the Target fiasco but point-of-sale malware campaigns continue to permeate the headlines.

Texas-based Sally Beauty Supply, a chain with around 2,700 locations nationwide, confirmed yesterday that someone attempted to breach its system but would not confirm that customer data was at risk. According to Krebs on Security, a batch of 282,000 stolen credit card numbers popped up on an underground market and three banks purchased some of their own customers’ cards in hopes of finding the theft’s origin. All of the banks then found that the cards they had gotten hold of had been used at a Sally Beauty Supply store within the previous 10 days.

Microsoft to Patch IE 10 Zero Day on Patch Tuesday

Threatpost for B2B - Thu, 03/06/2014 - 15:44

Microsoft will patch a lingering zero-day vulnerability in Internet Explorer next Tuesday, one of five bulletins it will release as part of its March 2014 Patch Tuesday security updates.

The IE 10 zero-day was disclosed close to a month ago when researchers at FireEye reported on Operation SnowMan, an espionage campaign that compromised the U.S. Veterans of Foreign Wars website. The attackers, experts said, were targeting the computers of active military personnel who visit the site seeking benefits information.

FireEye said a Flash exploit was used via an iFrame to trigger the use-after-free vulnerability in the browser. Compromised computers were hit with a remote access Trojan that stole data; experts speculate the attackers were hoping to steal military secrets from the active service members who use the site as a resource.

It was soon discovered that a second and unrelated group of attackers was also exploiting the IE 10 zero day, this time to impersonate a number of French aerospace companies, redirecting legitimate traffic to the hacker-controlled domains.

Researchers at Seculert said malware that changes host files on infected machines in order to add in these malicious domains had previously been the domain of pharming attacks used for fraud.

“This is the first time we have seen a malware change a host file for a purpose other than fraud perpetuated by pharming or for disabling access to specific websites,” Seculert CTO Aviv Raff said.

Microsoft had shipped a Fix-It mitigation for the zero-day as a stopgap until a patch was ready. Microsoft said IE 9 also contains the same vulnerability, but it was not being exploited. IE 11 users running the Enhanced Mitigation Experience Toolkit (EMET) were also protected against these attacks.

The IE update is one of two critical bulletins expected next week. The other is also a remote code execution vulnerability in Windows.

All five bulletins announced by Microsoft today affect versions of Windows or IE all the way back to Windows XP, which Microsoft will no longer support with security updates as of April 8.

“Windows XP is affected by all five updates and there is really no reason to expect this picture to change: Windows XP will continue to be impacted by the majority of vulnerabilities found in the Windows ecosystem, but you will not be able to address the issues anymore,” said Qualys CTO Wolfgang Kandek. “You need a strategy for the XP machines remaining in your infrastructure. We are still seeing a significant number of XP machines in our scans.”

The remaining three bulletins were rated “important” by Microsoft and include elevation of privilege vulnerability and security feature bypass issues in Windows and another security feature bypass issue in Silverlight.

“Of the remaining issues, one is an important privilege issue, probably going to be a kernel or kernel driver patch; never something to ignore but less important than a critical/remote issue,” said Ross Barrett, senior manager of security engineering at Rapid 7. “The other two are the seldom seen ‘security mechanism bypasses’, probably the same issue being patched in Windows and in Silverlight. We will have to wait and see how exploitable this turns out to be. If it turns out that some of these issues are in the wild and under exploitation, then that will change the circumstances of what to prioritize.”

Silverlight, meanwhile, has relatively limited adoption and given Microsoft’s support of Flash in IE 11, it’s not out of the question it will be discontinued eventually, said Tyler Reguly, manager of security research at Tripwire.

“In a world filled with so many web technologies, vendors could better serve the public by simply limiting choice and removing dead weight,” Reguly said.

Shedding New Light on Tor-Based Malware

Threatpost for B2B - Thu, 03/06/2014 - 14:49

Alarm bells went off last August when spikes in Tor client downloads were traced to a large click-fraud and Bitcoin-mining botnet called Sefnit.

The malware was using the popular anonymity network to communicate with hackers in order to transmit stolen data and receive additional commands. In Sefnit’s case, the 600 percent increase in Tor usage it kicked off was also its downfall as Tor administrators noticed performance issues and steps were taken to strangle its activity.

Hackers’ use of Tor and other Darknet services is really nothing new, but incidents such as the Sefnit takedown that ensued as well as the disruption of the Silk Road drug and malware underground market that also operated over Tor shed more light on the practice.

For example, researchers at Kaspersky Lab have published research uncovering three different campaigns that use Tor as a host infrastructure for criminal malware activities: a 64-bit version of the Zeus Trojan that sends traffic through Tor and creates Tor hidden services to obscure the hackers’ location; Chewbacca, a Trojan that steals data from memory in the manner of RAM scrapers and communicates over Tor; and most recently an Android Trojan that uses a .onion domain as its command and control infrastructure.

Researcher Sergey Lozhkin, a senior researcher with Kaspersky Lab, said his work investigating criminals’ use of darknets turned up 900 Tor hidden services and 5,500 nodes.

“The possibility of creating an anonymous and abuse-free underground forum, market or malware C&C server is attracting more and more criminals to the Tor network,” Lozhkin said. “Hosting C&C servers in Tor makes them harder to identify, blacklist or eliminate.”

Lozhkin said Tor underground markets aren’t set up much differently than legitimate ecommerce sites; most include some sort of registration process, offer buyers ratings on traders, and familiar interfaces through which purchases are made. Criminals are selling everything from money laundering services, credit cards, skimmers, carding equipment and more. And most of it is sold using Bitcoin.

Yesterday, Microsoft published new details on Sefnit’s Tor components and configuration data, the domains it was in contact with and how it communicates over Tor.

After the August spike in Tor traffic alerted experts, Microsoft took steps to stop the botnet that were finally realized last Oct. 27 when it modified signatures sent through its update services that removed the outdated Tor client service installed by the malware. The Tor client service had a specific configuration that Microsoft identified, and despite some concerns that Microsoft was overstepping by possibly snaring some versions of Tor legitimately installed by users, the cleanup moved forward and Sefnit numbers dwindled.

The version installed with Sefnit was v0.2.3.25 and it did not automatically update, Microsoft said, leaving users exposed to a number of exploitable vulnerabilities. The Tor client was added as a Windows service on every computer infected by Sefnit and was configured to accept connections over ports 9050 and 9051; 9051 was used by Sefnit to obtain status information regarding its connection to Tor, while 9050 was used as a communication point for the malware’s SOCKS proxy. Any application configured to use that proxy server, Microsoft said, could communicate over Tor. Sefnit, Microsoft said, used this port to contact its command servers and bypass intrusion detection systems, and utilized Tor hidden services to obfuscate server locations.

The malware comes with a list of .onion domains that are drop points for stolen data. Microsoft said the list of C&C servers was found in a file inside a random directory whose name is cryptographically generated. Within that directory is a file with a .ct extension that contains the victim’s IP address, a string that is likely a victim ID, a list of command and control domains, and the working directory of the malware, Microsoft said.

Microsoft said that at its peak in August 2013 there were an estimated four million Sefnit clients which began receiving commands; that number had dipped significantly by the end of December, leaving two million that could still be at risk for attack because of Sefnit-added Tor services that are outdated, Microsoft said.
