Security News

Security nightmares are going Low-Level

Java and Flash have been and still are terrible third-party components when it comes to the security of our PCs. While from a functional point of view they were rocket science in the ’90s (anybody who remembers ActiveX would agree), nowadays they are sluggish, weakly integrated rectangles in our web pages. Finally both Oracle and Adobe are planning to kill them, as they are anachronistic given the abilities of modern HTML5 browsers:

Everything good so far. But... there is a not-so-new, frightening trend on the rise: growing complexity in the hardware layer, as shown recently in Intel’s CPUs by their Manageability Engine (think of an HP iLO integrated in the CPU).

Your PC cannot even boot without Intel ME! Ready to switch back to a Core Duo?

–Francesco Ongaro

Security News

Password cracking experts decipher elusive Equation Group crypto hash

Password cracking experts decipher elusive Equation Group crypto hash: Unraveling a mystery that eluded the researchers analyzing the highly advanced Equation Group the world learned about Monday, password crackers have deciphered a cryptographic hash buried in one of the hacking crew’s exploits. It’s Arabic for “unregistered.”

Researchers for Moscow-based Kaspersky Lab spent more than two weeks trying to crack the MD5 hash using a computer that tried more than 300 billion plaintext guesses every second. After coming up empty-handed, they enlisted the help of password-cracking experts, both privately and on Twitter, in hopes they would do better. Password crackers Jens Steube and Philipp Schmidt spent only a few hours before figuring out the plaintext behind the hash e6d290a03b70cfa5d4451da444bdea39 was غير مسجل, which is Arabic for “unregistered.” The hex-encoded string for the same Arabic word is dbedd120e3d3cce1.
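The hash held out against brute force for so long because the plaintext was not in the encoding the guesses assumed. The following is an added example (not code from the article or from the researchers it quotes) that shows how much the byte encoding of the same Arabic word changes what gets hashed, and how a checker that verifies a reported plaintext should try the legacy code pages alongside UTF-8. The encoding list and the helper names are this example's own choices; the hash and hex values are the ones reported above.

```python
import hashlib

# Values as reported in the article above.
REPORTED_MD5 = "e6d290a03b70cfa5d4451da444bdea39"
PLAINTEXT = "غير مسجل"          # Arabic for "unregistered"
REPORTED_HEX = "dbedd120e3d3cce1"

# Encodings worth trying for Arabic text (this list is an assumption of the
# example). A checker that only feeds UTF-8 never produces the 8-byte
# single-byte-code-page form that the reported hex corresponds to.
CANDIDATE_ENCODINGS = ("utf-8", "utf-16-le", "cp1256", "iso8859_6")


def encode_hex(text: str, encoding: str):
    """Hex of `text` under `encoding`, or None if it cannot be represented there."""
    try:
        return text.encode(encoding).hex()
    except UnicodeEncodeError:
        return None


def md5_hex(data: bytes) -> str:
    """MD5 digest of raw bytes, as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def find_encoding(target_md5: str, text: str, encodings=CANDIDATE_ENCODINGS):
    """Return the first encoding under which MD5(encode(text)) equals target_md5,
    or None if no candidate encoding reproduces the hash."""
    target = target_md5.lower()
    for enc in encodings:
        try:
            raw = text.encode(enc)
        except UnicodeEncodeError:
            continue  # the word is not representable in this code page
        if md5_hex(raw) == target:
            return enc
    return None


if __name__ == "__main__":
    # Show how different the hashed bytes are for each encoding of one word.
    for enc in CANDIDATE_ENCODINGS:
        print(f"{enc:10} {encode_hex(PLAINTEXT, enc)}")
    print("reported hex is the cp1256 form:", encode_hex(PLAINTEXT, "cp1256") == REPORTED_HEX)
    print("encoding reproducing the reported hash:", find_encoding(REPORTED_MD5, PLAINTEXT))
```

The practical lesson for anyone validating a recovered plaintext or building a wordlist check is that the hash is over bytes, not characters: the same eight letters yield a 15-byte UTF-8 string, a 16-byte UTF-16 string, and the 8-byte Windows-1256 string shown in the article, each with a different MD5.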

Security News

Yosemite infested by nasty ‘Rootpipe’ vuln

Yosemite infested by nasty ‘Rootpipe’ vuln: A Swedish security researcher has turned up a serious vulnerability in OS X “Yosemite”, but details are to be withheld until January, giving Apple time to prepare a patch.

The vuln was first described in mid-October, when Truesec posted a YouTube video that sketchily described the existence of the bug.

Truesec researcher Emil Kvarnhammar says he discovered a way to get past the user controls on Apple’s terminal shell, to gain access to a shell with root privileges. The vulnerability subverts the password requirements for someone to run sudo – that is, to access the shell as a superuser.

While Kvarnhammar hasn’t told the world whether it’s a purely local exploit or remotely exploitable, the advice he gives suggests the latter. First, Apple users should create their day-to-day account without admin privileges as a separate user and not run as Administrator for “normal” operations. Second, users should turn on FileVault to encrypt their hard drives.

Kvarnhammar is quoted in Swedish media (for example, here) and picked up in English all over the world, as saying he’s tested the bug on OS X 10.8, 10.9 and 10.10. He has confirmed that it has existed since at least 2012, but it is probably much older than that.

Security News

Major cybercrime rings in Kuwait, Algeria disrupted

Major cybercrime rings in Kuwait, Algeria disrupted: Boston: Microsoft Corp launched what it hopes will be the most successful private effort to date to crack down on cyber crime by moving to disrupt communications channels between hackers and infected PCs.

The operation, which began on Monday under an order issued by a federal court in Nevada, targeted traffic involving malicious software known as Bladabindi and Jenxcus, which Microsoft said work in similar ways and were written and distributed by developers in Kuwait and Algeria.

It is the first high-profile case involving malware written by developers outside of Eastern Europe, according to Richard Domingues Boscovich, assistant general counsel of Microsoft’s cybercrime-fighting Digital Crimes Unit.

“We have never seen malware coded outside Eastern Europe that is as big as this. This really demonstrates the globalisation of cybercrime,” said Boscovich, whose team at Microsoft has disrupted nine other cybercrime operations over the past five years, all of which it believes originated in Eastern Europe.

He said it would take days to determine how many machines were infected, but noted that the number could be very large because Microsoft’s anti-virus software alone has detected some 7.4 million infections over the past year and is installed on less than 30 per cent of the world’s PCs.

The malware has dashboards with point-and-click menus to execute functions such as viewing a computer screen in real time, recording keystrokes, stealing passwords and listening to conversations, according to documents filed in US District Court in Nevada on June 19 and unsealed on Monday.

The malware was purchased by at least 500 customers.

Security News

Facebook shrugs as ‘emotional contagion’ research outrages its users

Facebook shrugs as ‘emotional contagion’ research outrages its users: Over the weekend, a paper was published in a prestigious journal by Facebook researchers who, for one week, intentionally modulated the news feeds of Facebook users. Not “passively monitored”, mind you; rather, actively manipulated.

Some saw a dash more positive items in their feeds; some received a more grim daily dose, as the researchers snipped out happy tidings, all of which led to the conclusion that yes, emotional states are contagious, and no, seeing friends post happy news does not necessarily make people want to jump off ledges.

The researchers subsequently also found out that just as emotions are contagious, so too is the outrage that spewed out of internetlandia at the idea of having been toyed with unawares.

Fury spread on Monday, coming from politicians, lawyers, and internet activists who ripped to shreds the experiment and its ethical standing.

Here’s the gist of the stick that stirred up this hornet’s nest: for one week in January 2012, data scientists tampered with what almost 700,000 Facebook users saw when they logged on. Some saw content that had mostly happy, positive words; some were served content that analysis showed was sadder than average.

The researchers found that at the end of the week, the manipulated Facebook users – or, as the New York Times has dubbed them, the “lab rats” – were themselves more likely to post using correspondingly extra-positive or extra-negative words.

Security News

Internet Explorer Zero-Day Vulnerability Publicly Disclosed, Identified in October 2013

Internet Explorer Zero-Day Vulnerability Publicly Disclosed, Identified in October 2013: Microsoft kept a critical zero-day Internet Explorer 8 vulnerability hidden from all of us since October 2013.

A critical zero-day Internet Explorer vulnerability, discovered by Peter ‘corelanc0d3r’ Van Eeckhoutte in October 2013, was made public today on the Zero Day Initiative (ZDI) website.

Zero Day Initiative is a program that rewards security researchers for responsibly disclosing vulnerabilities. ZDI reportedly disclosed the vulnerability to Microsoft when it was first identified by one of its researchers; Microsoft responded four months later, in February 2014, and confirmed the flaw, but it neither patched the vulnerability nor disclosed any details about it.

But under ZDI’s 180-day public notification policy, it is obligated to publicly disclose the details of a zero-day vulnerability. ZDI warned Microsoft several days ago about the pending public disclosure of the flaw after the 180 days ran out in April, but apparently Microsoft didn’t respond.

Security News

FBI chief says anti-marijuana policy hinders the hiring of cyber experts

FBI chief says anti-marijuana policy hinders the hiring of cyber experts: The director’s comments come one day after five members of the Chinese military were indicted in the US on allegations of hacking into major US corporations and stealing trade secrets.

“I have to hire a great work force to compete with those cyber criminals and some of those kids want to smoke weed on the way to the interview,” Comey told a New York City Bar Association meeting Tuesday.

Security News

World hit by record wave of ‘mega’ data breaches in 2013

World hit by record wave of ‘mega’ data breaches in 2013: What do Target, AOL, LivingSocial, Evernote, and Adobe have in common with one another? Answer: they were all victims of huge data breaches during 2013, part of a phenomenon that a new Symantec report calculates has reached epidemic levels.

According to the firm’s latest Internet Security Threat Report (ISTR), such ‘mega’ breaches are only the best-known victims of a spike nobody saw coming after a quiet 2012.

That last year was a record year for data breaches has been apparent for some time, but the scale of the rise revealed in the numbers is still extraordinary. It doesn’t seem to matter which measurement is used: what happened was bad, nay appalling, with the number of breaches hitting a record 258, a 62 percent rise over 2012. This saw 552 million identities compromised, including 8 breach incidents that exceeded 10 million records each. This compares with the previous high point for data breaches, 2011, which saw 208 breaches, equivalent to 232 million records.

The first uncomfortable fact is this: these are only the ones we know about. Almost all the names on the top ten list are US-based, which doesn’t mean they haven’t been happening everywhere else too.

The second uncomfortable fact is this: 552 million breached records means that excluding duplicates the criminal underworld now probably knows not just the email addresses of approaching half a billion people but in many cases their home addresses, names and perhaps even social security numbers. And this is only one year’s total.

Security News

End of Life Software Is Not the End of Security

End of Life Software Is Not the End of Security: It’s the end of the road for Windows XP. The very popular and widely used Microsoft operating system will have officially reached its “end of life” for organizations in the United States. As of April 8, 2014, Microsoft will no longer provide any free or paid support assistance. Users will no longer receive patches, hotfixes, or security updates from Microsoft. Consequently, XP will become a prime target for hackers eager to exploit weaknesses in the system and penetrate vulnerable networks that still run it.

When any IT or technical product reaches its end of life, in most cases, all support is halted. This leaves the software or hardware vulnerable to future exploitation or attack. Reported errors, compatibility issues and feature requests are no longer addressed with upgrades or patches. While an end of life operating system, software package or machine may still function, if it is on your network, it becomes a target for hackers seeking backdoor access and this creates a huge risk to the security, integrity and availability of your confidential business and patient information.

Security News

CISOs say SIEM not a good choice for big data security analytics

CISOs say SIEM not a good choice for big data security analytics: Big data security analytics is increasingly a necessity for organizations struggling to spot previously unknown attacks, but according to a trio of CISOs, enterprise IT teams shouldn’t plan on using traditional security products such as SIEM for handling large quantities of data.

Speaking with a panel of CISOs at the 2014 RSA Conference, moderator Neil MacDonald, vice president at Stamford, Conn.-based Gartner Inc., said the term big data may be overhyped in the security community, but it is playing an ever more important role in fending off advanced persistent threats. Traditional, signature-based antivirus products are only good for blocking known attacks, according to MacDonald, but such capabilities are pointless, for example, when hackers utilize malware crafted specifically for a certain organization.

Enterprise security professionals are coming around to the idea that breach prevention is basically impossible, MacDonald noted.

“You must assume the systems will be breached. Once breached, how do you know you’ve been compromised?” MacDonald asked. “You have to baseline and understand what ‘goodness’ looks like and look for deviations from goodness. McAfee and Symantec can’t tell you what normal looks like in your own systems. Only monitoring anomalies can do that.”

MacDonald said that such monitoring could be focused on a variety of network and end-user activities, including network flow data, file activity and even going all the way down to the packets. Of course, such monitoring can create the sort of large quantities of data that traditional security systems struggle to handle.
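MacDonald’s “baseline what goodness looks like and look for deviations” is, at its simplest, per-entity statistics over a training window and a threshold on the current period. The following is an added example (not code from Gartner, IDT or any product named above) that applies that idea to hourly outbound byte counts per host, one of the network-flow measures he mentions. All host addresses, byte counts and the history window are constructed sample data; the three-sigma threshold and the floor on the standard deviation are this example's own choices.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline window: seven hourly outbound byte totals per host
# from a period believed to be clean (not real traffic).
BASELINE_WINDOW = {
    "10.0.1.5":  [1.2e6, 0.9e6, 1.4e6, 1.1e6, 1.0e6, 1.3e6, 0.8e6],
    "10.0.1.9":  [5.0e6, 4.6e6, 5.5e6, 4.9e6, 5.2e6, 4.8e6, 5.1e6],
    "10.0.1.23": [2.0e5, 2.2e5, 1.9e5, 2.1e5, 2.0e5, 2.3e5, 1.8e5],
}

# Constructed flow records for the hour under review: (src, dst, bytes).
CURRENT_HOUR = [
    ("10.0.1.5",  "93.184.216.34", 600000),
    ("10.0.1.5",  "93.184.216.34", 500000),
    ("10.0.1.9",  "198.51.100.7",  4900000),
    ("10.0.1.23", "203.0.113.10",  9000000),  # far above this host's history
    ("10.0.1.23", "203.0.113.10",  8500000),
    ("10.0.1.77", "203.0.113.10",  300000),   # host never seen in the baseline
]


def build_baseline(history):
    """Per-host (mean, population stddev) of hourly outbound bytes."""
    return {host: (mean(vals), pstdev(vals)) for host, vals in history.items()}


def aggregate(flows):
    """Sum bytes per source host for the period being checked."""
    totals = defaultdict(int)
    for src, _dst, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def detect(flows, baseline, threshold=3.0, min_sigma=1e5):
    """Return {host: reason} for hosts whose total deviates more than
    `threshold` standard deviations from their own baseline, or that have
    no baseline at all. `min_sigma` floors the stddev so a very stable host
    does not alert on trivially small changes."""
    findings = {}
    for host, total in aggregate(flows).items():
        if host not in baseline:
            findings[host] = "no baseline (new host)"
            continue
        mu, sigma = baseline[host]
        z = (total - mu) / max(sigma, min_sigma)
        if abs(z) > threshold:
            findings[host] = f"z={z:.1f} ({total / 1e6:.1f} MB vs mean {mu / 1e6:.2f} MB)"
    return findings


if __name__ == "__main__":
    for host, reason in detect(CURRENT_HOUR, build_baseline(BASELINE_WINDOW)).items():
        print(host, reason)
```

Two design points carry over to a real deployment: the baseline is per entity (a file server's normal is not a workstation's normal), and "never seen before" is itself a finding, since a host with no history cannot be scored against one. Scaling this from a dictionary to the volumes MacDonald describes is exactly where traditional SIEM storage starts to struggle.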

Panel member Golan Ben-Oni, CISO for Newark, N.J.-based IDT Corp., said his organization realized several years ago that the ability to collect and correlate data from the network and endpoints was vital. As a result, the company has introduced many new technologies and tools, though Ben-Oni said that determining which products are “best of breed” has been a constant challenge.