Feed aggregator

Google AdWords Campaigns Hijacked by Malvertisers

Threatpost for B2B - Thu, 01/15/2015 - 17:38
Two Google AdWords campaigns have been hijacked by malvertisers and users are being redirected to fraud sites without even clicking the poisoned ads.

Pirelli Home Broadband Routers Exposed for Two Years

Threatpost for B2B - Thu, 01/15/2015 - 16:04
Administration files for Pirelli routers, issued by the biggest ISP in Spain, can be accessed from anywhere, putting WPA keys, PINs, certificates and more at risk.

Matthew Green on the NSA and Compromising Crypto Standards

Threatpost for B2B - Thu, 01/15/2015 - 15:41
Dennis Fisher talks with Matthew Green of Johns Hopkins University about the NSA's "regret" for continuing to support Dual EC after it had been shown to be compromised, the effects of the agency's influence on crypto standards and the hope for more secure standards in the future.

Parking Services Confirm Payment Card Breaches

Threatpost for B2B - Thu, 01/15/2015 - 14:27
Two services that allow users to reserve offsite parking spots at airports over the internet announced this week that they recently suffered breaches and that their customers’ data may be at risk.

Marriott Agrees to Stop Blocking Guest WiFi Devices

Threatpost for B2B - Thu, 01/15/2015 - 12:24
Marriott, which last year paid a $600,000 fine for blocking customers’ WiFi devices in its hotels, has said that it no longer will prevent guests from using personal hotspots or similar devices. The situation resulted from a complaint by a guest who stayed at Marriott’s Gaylord Opryland hotel in 2013 and found that he couldn’t […]

Government Demands for Verizon Customer Data Drop

Threatpost for B2B - Thu, 01/15/2015 - 10:15
The number of subpoenas, total orders and warrants that the United States government delivered to Verizon all dropped in the second half of 2014, according to the company’s latest transparency report. The giant telecom provider released data on Thursday that showed a decrease in subpoenas of about 10 percent from the first half of last […]

Microsoft Security Updates January 2015

Secure List feed for B2B - Wed, 01/14/2015 - 20:34

Microsoft's security team begins 2015 with a minimal set of Security Bulletins, MS15-001 through MS15-008. The set includes one critical vulnerability in a service that probably shouldn't be shipped any longer (telnet), and seven bulletins rated "Important" that patch elevation of privilege, DoS, and security bypass issues.

The critical Bulletin affects the telnet service. The telnet service is an ancient piece of software that provides shell access to a system, mostly available on router installations. But it runs over unencrypted, plain text communications and should not be used. It was also a bit of a bear to configure and make useful, but may have been useful in development and IT environments. Luckily, this service is not enabled by default on supported Windows systems (but it is installed by default on Windows Server 2003). A quick search in Shodan shows a pretty reduced set of users, and its presence in our KSN data is very limited. And, on the public internet, the number of Windows telnet servers listening on port 23 and providing a related banner is only a couple hundred. So, this patch affects very few customers.

But if someone didn't install an alternative like OpenSSH, or use the PowerShell facility, WinSCP, RDP, or other facilities, and oddly installed this service, they may be running a server vulnerable to remote malformed packet delivery leading to remote code execution. That means it's a severe issue that really "shouldn't" affect many users, and it does not appear to be exploited on our user base. When installed and enabled, Microsoft's telnet server runs as "Tlntsess.exe" on all Windows systems since Windows Server 2003. On a somewhat related note, KSN shows infected Tlntsess.exe files on new customer systems running a first scan or enabling a scan after running infected code:
Virus.Win32.Virut.ce
Worm.Win32.Mabezat.b
Virus.Win32.Sality.gen
Virus.Win32.Parite.b
Virus.Win32.Nimnul.a
Virus.Win32.Tenga.a
Virus.Win32.Expiro.w
Virus.Win32.Slugin.a

It's always surprising to still see the viral stuff, but it's certainly more prevalent than telnet service exploitation at this point.

The other Security Bulletins are rated "Important", and the escalation of privilege issues are somewhat interesting and the kind of thing businesses should be aware of - they are frequently used as a part of targeted attack activity.

One of these EoP vulnerabilities was reported privately and exposed publicly by Google's Project Zero two days prior to the scheduled and known patch release. The project maintains a database of exploitable vulnerabilities, each of which has a deadline of 90 days from reporting before the bug goes public: "Deadline exceeded - automatically derestricting". This EoP was fixed and the fix released by Microsoft as MS15-003 on its scheduled "Patch Tuesday" release, two days after Google exposed their bug issue publicly. It's strange that Google would do such a thing; it's not as if Microsoft doesn't commit to reasonable time frames for fixes and proper testing anymore. Microsoft responded with a lengthy writeup on responsible disclosure and cooperation within the industry, and mentioned Google's approach in particular.

The flawed code has yet to be seen as abused in the wild, but it will likely happen. You can find a set of executive summaries for the Bulletins here.

And one last note, the Advanced Notification Service is coming to an end. Microsoft ended their practice of broadcasting advance notice of security updates to all customers, and offers it only to paying Premier-level customers. For the most part, it seems that this works out just fine and possibly frustrates people less with security maintenance. However, I think that it would be useful for Microsoft to pre-release forecasted download file sizes and reboot requirements for the updates, along with their ratings of critical or not, etc. For example, knowing that I will have to download over 200 MB of critical software updates requiring system reboots would be helpful. That information would be useful to their customers both large and small. Time will tell if they bring it back, but likely, they will not need to.

Skeleton Key Malware Opens Door to Espionage

Threatpost for B2B - Wed, 01/14/2015 - 17:00
The Skeleton Key malware bypasses single-factor authentication on Active Directory domain controllers and paves the way to stealthy cyberespionage.

Phony Oracle Patches Making the Rounds

Threatpost for B2B - Wed, 01/14/2015 - 12:42
Attackers are circulating fake fixes for Oracle error messages and the company is warning users not to download any patches that don’t come directly from Oracle.

New Strain of Crowti Ransomware Moving in I2P Network

Threatpost for B2B - Wed, 01/14/2015 - 12:35
A new strain of the Crowti ransomware, also dubbed Cryptowall 3.0, is moving on the I2P anonymity network.

NSA Official: Support for Compromised Dual EC Algorithm Was ‘Regrettable’

Threatpost for B2B - Wed, 01/14/2015 - 12:29
In a new article in an academic math journal, the NSA’s director of research says that the agency’s decision not to withdraw its support of the Dual EC_DRBG random number generator after security researchers found weaknesses in it and questioned its provenance was a “regrettable” choice. Michael Wertheimer, the director of research at the National […]

GE Ethernet Switches Have Hard-Coded SSL Key

Threatpost for B2B - Wed, 01/14/2015 - 10:24
There is a hard-coded private SSL key present in a number of hardened, managed Ethernet switches made by GE and designed for use in industrial and transportation systems. Researchers discovered that an attacker could extract the key from the firmware remotely. The vulnerability exists in a number of GE Ethernet switches, including the GE Multilink […]

Microsoft Patches Vulnerability Under Attack and Google-Disclosed Zero Day

Threatpost for B2B - Tue, 01/13/2015 - 15:41
Microsoft issued eight Patch Tuesday security bulletins, including a fix for a vulnerability disclosed by Google and another under active attack.

Report: DHS Not Addressing Cyber Threats to Building Access Control Systems

Threatpost for B2B - Tue, 01/13/2015 - 15:00
The Department of Homeland Security is doing an inadequate job assessing and addressing the risk posed by cyber threats to access control systems at federal facilities.

Adobe Patches Nine Vulnerabilities in Flash

Threatpost for B2B - Tue, 01/13/2015 - 14:45
Adobe patched Flash Player, addressing nine vulnerabilities in the software including critical bugs that could allow an attacker to take control of an affected system.

Gitrob Combs Github Repositories for Secret Company Data

Threatpost for B2B - Tue, 01/13/2015 - 13:55
Gitrob, an open source intelligence tool, helps security analysts search Github organization repositories for files not meant for public consumption.

Encryption is Not the Enemy

Threatpost for B2B - Tue, 01/13/2015 - 12:30
David Cameron, speaking in the wake of the terror attack in Paris last week, said at an event Monday that the UK government can't allow any form of communication that can't be read.