About two weeks ago, Emsisoft published a blog post on the transaction malleability crisis at Mt.Gox. Today, the headlines read that the Bitcoin exchange is dead.
Thursday, February 27, 2014
[securityaffairs] Chameleon WiFi virus emulates contagion of a common cold within humans
A team of researchers created in the lab the Chameleon WiFi virus, a malware that infects entire WiFi networks replicating contagion of a common cold within humans.
[net-security] Third-party programs responsible for 76% of vulnerabilities in popular software
Third-party programs are responsible for 76% of the vulnerabilities discovered in the 50 most popular programs in 2013, say the results of Secunia's Vulnerability Review 2014, which is based on a sampling of the company’s seven million PSI users.
[infosecinstitute] OpenVPN
Introduction
In this tutorial we’ll talk about OpenVPN client connection settings, which come in handy when the connection to the OpenVPN server does not work. We’ll be using the GopenVPN GUI client program, which is very useful for connecting to and disconnecting from a given OpenVPN network right from the desktop without entering command-line mode. GopenVPN is also useful because it presents us with the status of the OpenVPN connection: red if not connected, yellow while the connection is being established, and green when we’re successfully connected to the OpenVPN server.
[infosecinstitute] Manual Web Application Penetration Testing – Blind SQL Injection with SQLmap
Introduction
In this part of the series I am going to focus only on SQL injection. I assume that you already know about normal SQL injection, which I have shown already in my earlier parts, where you are giving input to the different parameters and waiting for the server to react to you, then you use a suffix and prefix in order to inject into the database. In this section we are moving a little bit forward, and I am going to talk about blind SQL injection. However, for those who do not have any background knowledge of this, go to Wikipedia and check it manually. For this part of my series you must have a registered account in NOWASP Mutillidae. So make sure you register if you do not have it.
[infosecinstitute] Securing Cloud-Based Applications with Docker
Introduction to Docker
In this article, we’ll first introduce Docker and try to explain how it works. After setting the stage, we’ll simulate the file upload vulnerability by copying the shell into the Redmine Docker image. This is effectively the same as if an attacker had found and exploited the vulnerability in Redmine, which would give him command-line access to the server.
[infosecinstitute] Getting started with Damn Vulnerable iOS Application
In this article, I will write about how to get started with Damn Vulnerable iOS Application. Damn Vulnerable iOS App (DVIA) is an iOS application that I wrote to provide a platform to mobile security enthusiasts/professionals or students to test their iOS penetration testing skills in a legal environment. This application covers all the common vulnerabilities found in iOS applications (following OWASP top 10 mobile risks) and contains several challenges that the user can try. Every challenge is coupled with an article that the users can read to learn more on that topic. This application can also be used by absolute beginners in iOS application security as the tutorials that come with DVIA are written keeping beginners in mind. The users can also buy a comprehensive guide of solutions for DVIA if they want. DVIA is also open source and its Github page can be found here.
[computerworld] Report: UK spies captured millions of Yahoo users' webcam images
IDG News Service - U.K. intelligence agency GCHQ captured and stored still webcam images of millions of Yahoo users including substantial quantities of sexually explicit material, the Guardian newspaper reported Thursday.
[defensesystems] New Army manual combines cyber, electromagnetic operations
The Army has codified its approach to operations in the electromagnetic spectrum with the release of a field manual for what it calls cyber electromagnetic activities (CEMA).
[fireeye] Live from RSA USA 2014: Talking Security with Martin Brown, Chief Security Portfolio Architect at BT Security Enterprise
The excitement and buzz at the RSA Conference has everyone talking security and we are no exception. In fact, during the conference, we are gathering up industry leaders and influencers and asking them to provide their perspectives on the biggest issues in cybersecurity in 2014 for our podcast series hosted by FireEye Chief Security Strategist, Richard Bejtlich.
[computerweekly] NHS to procure NHSMail2 on new managed email framework
The NHS is to buy its new NHSMail2 email service through a framework that has been tendered by the Government Procurement Service yesterday.
[defensesystems] Army steps up search for anti-drone technology
As the Pentagon moves toward a future of fewer troops and more unmanned vehicles, other countries are doing the same, particularly in the use of drones. The military is trying to account for that by not only expanding its use of unmanned aerial vehicles, but looking for technologies to defend against them.
[defensesystems] Secretive Boeing Black smartphone appears on FCC website
Boeing, which said nearly two years ago it was developing a super-secure Android smartphone, apparently is getting ready to release it.
[defensesystems] Hyperspectral sensor lets drones see through camouflage, spot explosives
The Air Force is planning to test a high-powered spectral sensor for unmanned aerial vehicles capable of spotting such things on the ground as improvised explosives or camouflaged targets by identifying what those objects are made of.
[defensesystems] Can a microscopic component foil electronics counterfeiters?
The Defense Advanced Research Projects Agency has started a new program, the Supply Chain Hardware Integrity for Electronics Defense (SHIELD), to combat the use of counterfeit electronics in the defense supply chain. The program is currently seeking proposals to develop a tiny, cheap authentication system, according to a posting on the FedBizOps website.
[crowdstrike] The French Connection: French Aerospace-Focused CVE-2014-0322 Attack Shares Similarities with 2012 Capstone Turbine Activity
Two weeks ago, news broke about strategic web compromise (SWC) activity on the website for the U.S. organization, Veterans of Foreign Wars (VFW). This activity leveraged exploit code for a zero-day vulnerability now identified as CVE-2014-0322 and ultimately infected victims with ZxShell malware. CrowdStrike Intelligence attributed this attack to the AURORA PANDA adversary; however, the discovery of additional indicators revealed that another adversary was leveraging the same vulnerability to carry out targeted attacks nearly a month before the VFW attack occurred. This other activity appears to be focused on French aerospace and shares similarities with a 2012 SWC campaign affecting the website of U.S.-based turbine manufacturer, Capstone Turbine.
[fireeye] Amazon’s Mobile Shopping Clients and CAPTCHA
Amazon is a popular online retailer serving millions of users. Unfortunately, FireEye mobile security researchers have found security issues within Amazon’s mobile apps on both Android and iOS platforms through which attackers can crack the passwords of target Amazon accounts. Amazon confirmed our findings and hot fixed the issue.
[fireeye] The 2013 FireEye Advanced Threat Report!
FireEye has just released its 2013 Advanced Threat Report (ATR), which provides a high-level overview of the computer network attacks that FireEye discovered last year.
Monday, February 24, 2014
[thehackernews] Silent Circle's Blackphone - Privacy and Security Focused Smartphone for $629
Earlier this year encrypted communications firm Silent Circle and Spanish smartphone maker Geeksphone announced a privacy-focused encrypted smartphone called 'Blackphone', and today the company has revealed it at Mobile World Congress in Barcelona.
[thehackernews] Hacking Team sold Spyware to 21 Countries; Targeting Journalists and Human Right Activists
Spying on the world by injecting sophisticated backdoors in software, systems, and mobile phones, leads to violation of the Privacy and Security of every individual. Yes, we are talking about Surveillance, but this time not about NSA.
[emsisoft] Caphaw Trojan Found in Youtube Ads
Last Friday – under the shadow of two critical zero day exploits on Internet Explorer and Adobe Flash – researchers at Bromium Labs discovered malware in an advertising network connected to Youtube. Specific details are yet unknown and the threat has yet to be completely mitigated. As of Friday, Google Security was made aware of the issue and is currently investigating the matter with Bromium.
[scmagazine] RSA 2014: RedOwl Analytics named "Most Innovative Company" at Innovation Sandbox
RedOwl Analytics – a Baltimore software company whose cloud-based product, Reveal, provides solutions for entities to analyze digital communications data – was named “Most Innovative Company” at the RSA Conference 2014 Innovation Sandbox event.
[scmagazine] BSides SF: Researchers estimate three 'major' data breaches each month
Addressing hackers and InfoSec experts in their “Ripped from the headlines, what the news tells us about information security incidents” speech at Bsides San Francisco, Widup and Thompson revealed how they have been investigating the data breach numbers since May of last year.
[scmagazine] Poisoned YouTube ads serve Caphaw banking trojan
Recent YouTube visitors should be extra vigilant after ads on the website were found to be poisoned.
According to researchers at Bromium Labs, who blogged about the threat on Friday, YouTube's ad network was compromised to host the Styx exploit kit.
The kit, which in recent news was pegged as compromising online retailer Hasbro.com, was leveraged to spread a nasty banking trojan, called Caphaw, to users.
[securityaffairs] Apple restores certificate validation checks mysteriously missed
Apple released a security update to iOS that restores some certificate-validation checks that had apparently been missing for an unspecified amount of time.
[infosecinstitute] How to Perform a Safe Password Analysis
It’s one of the most exciting moments in a security researcher’s work: while looking through an obscure log file, you see strings like “James1984” and “SecureMe!” scattered throughout the data. Upon closer inspection, you realize that you’ve uncovered hundreds if not thousands of cleartext username/password pairs!
Even as you celebrate your success, you are also tempted to use your victory to push for additional security reforms, such as a stronger password policy, or publish your results to educate other security professionals. But how, exactly, would you go about conducting and publishing a password analysis without exposing the company to harm, from insider threats or otherwise?
[infosecinstitute] Android Architecture and Forensics
Android is one of the most open, versatile, and customizable mobile operating systems out there. Android is a Linux-based operating system with a 79.70% market share in smartphones. Android is a software stack for mobile devices that includes an operating system, middleware and key applications.
[infosecurity-magazine] Apple Issues Critical Vulnerability Patch for the Majority of its Devices
Apple released security patches Friday for iPhone 4 and later, iPhone 3GS, iPod Touch (4th and 5th generations) and iPad 2 and later. This is a serious vulnerability, and users are advised to patch as soon as possible.
[infosecurity-magazine] CSA Summit 2014: NSA Surveillance a Pre-cursor to Police State, Says Former US Cyber Czar
The CSA Summit at this year’s RSA Conference kicked off with a keynote by Richard Clarke, former presidential advisor. Discussing the recent NSA surveillance controversy, the counter-terrorism and cybersecurity expert declared technology is currently available for the US government, and other nations around the world, “to create a ubiquitous, omniscient police surveillance state.”
[valverde] Reverse engineering my bank's security token
My current bank, one of Brazil's largest, provides its clients with one of several methods (in addition to their passwords) to authenticate to their accounts, online and on ATMs. I reverse engineered their Android OTP code generator and ported it to an Arduino-compatible microcontroller.
[welivesecurity] Android 4.4 revealed to have VPN security flaw
Researchers at Ben Gurion University in Israel have discovered a vulnerability in Android 4.4 KitKat that allows an attacker to intercept and divert secure virtual private network (VPN) traffic.
[defensesystems] Army’s move to Samsung reflects a flexible mobile strategy
When the Defense Department introduced its Commercial Mobile Implementation Plan a year ago, it said the plan would accommodate Apple, Android and BlackBerry devices for a variety of uses. Several recent purchases seem to bear that out.
[defensesystems] Air Force unveils secret space surveillance satellites
The Air Force has pulled back the curtain on a formerly secret satellite program intended to keep tabs on other spacecraft and space debris in geosynchronous orbit.
[fireeye] Background Monitoring on Non-Jailbroken iOS 7 Devices — and a Mitigation
Background monitoring mobile applications has become a hot topic on mobile devices. Existing reports show that such monitoring can be conducted on jailbroken iOS devices. FireEye mobile security researchers have discovered such vulnerability, and found approaches to bypass Apple's app review process effectively and exploit non-jailbroken iOS 7 successfully. We have been collaborating with Apple on this issue.
Sunday, February 23, 2014
[thehackernews] Apple's iOS vulnerable to Man-in-the-middle Attack, Install iOS 7.0.6 to Patch
Apple's latest 35.4 MB update of iOS 7.0.6 doesn't seem important at first, but it contains a critical security patch that addresses a flaw with SSL encryption.
[securityaffairs] South Korea is developing a cyber weapon to hit North Korean nuclear
The South Korean government is working on the development of a cyber weapon to hit North Korean nuclear facilities. It’s information warfare.
[securityaffairs] Banking trojan hit a large number of Islamic Mobile Banking Customers
Security researchers at IntelCrawler discovered a banking trojan which infected a large number of devices in the Middle East belonging to customers of Islamic banks.
[securityaffairs] WhatsApp lacks certificate pinning enforcement, users exposed to MITM
Experts at Praetorian have been conducting Project Neptune to assess the security of the design and maintenance of mobile apps, including WhatsApp.
[infosecinstitute] Lights and shadows on the capabilities of the NSA
Introduction
The documents leaked by Edward Snowden revealed to the world the amazing spying machine built by US intelligence. Its capabilities appear virtually infinite: US agents are able to infect targets even if they are not online, they are able to control any communication, and they can practically interfere with any technology we use daily.
[infosecinstitute] Securing URL Sensitive Data: Asp.Net Website Security
This paper demonstrates how to encrypt sensitive data residing in a website URL, which usually travels across diverse networks. A website can be compromised, or subtle information disclosed, by exploiting this inherent weakness. This article elaborates such a mechanism for an ASP.NET website in step-by-step form by employing a couple of C# algorithms. It is dedicated to novice and professional developers alike who strive to implement such mechanics.
[infosecurity-magazine] 80% of SOHO Routers Contain Vulnerabilities
It has become increasingly obvious in recent months that routers are being targeted by attackers – even the NSA uses this attack vector as part of its Quantum Injection program. Now a new survey suggests that as much as 80% of the best-selling SOHO routers include vulnerabilities.
[infosecurity-magazine] BYOD and Cloud Threats Loom, But IT is Woefully Unprepared
A new generation of unknown security threats stemming from megatrends and technologies like BYOD, mobility, cloud computing, and internet usage, as well as internal actions both accidental and malicious, introduce organizations to a multitude of new risks. However, according to a new report, the majority of IT leaders around the world say they don’t view these threats as top security concerns.
[computerworld] Poorly managed SSH keys pose serious risks for most companies
Computerworld - Many companies are dangerously exposed to threats like the recently revealed Mask Advanced Persistent Threat because they don't properly manage the Secure Shell (SSH) cryptographic keys used to authenticate access to critical internal systems and services.
[crowdstrike] Details about Apple SSL vulnerability and iOS 7.0.6 patch
On February 21st, 2014 Apple pushed out an emergency SSL security update for iOS (7.0.6).
John Costello, CrowdStrike's Sr. SDET Engineer, and myself reverse engineered the binary patches in order to analyze the vulnerability and its full impact. Given the fact that the patches are not yet available for all impacted systems, we are not yet publishing full technical details of this vulnerability so as not to make life easier for attackers. However, we decided to release some additional information in the Q&A below in order to educate the community about the level of risk this vulnerability represents.
Friday, February 21, 2014
[thehackernews] Why Facebook is buying WhatsApp for $19 Billion?
Popular smartphone messaging app WhatsApp's $19 billion acquisition by social network giant Facebook made headlines this week.
[emsisoft] Emsisoft Malwarelympics 2014
Just like last year, Emsisoft’s Malwarelympics infographic decorates winners that don’t necessarily want to be on the podium. This year the United States takes gold from reigning champion Russia, for the most infected country in the world. In second, Russia takes silver; and in third, Iran takes bronze, just beating out Germany by a few thousand samples.
[cert] 10 Years of FloCon
Hi, this is George Jones, I was conference chair of the 10th annual FloCon Conference that was held in Charleston, South Carolina, January 13-16, 2014. Check out the FloCon proceedings to learn about the work presented, and consider participating in future FloCons.
[scmagazine] Source code for data-stealing Android app leaks
Mobile malware, which often disguises itself as an Android "security app," may threaten a greater number of users now that its source code has leaked.
[scmagazine] Firm detects Zeus variant targeting POS terminals
Researchers have discovered malware that is based on the leaked code of Zeus and random-access memory (RAM)-scraping malware targeting credit card data.
[scmagazine] Report: Malicious apps in Google Play store grow 388 percent
Malicious apps contained in the Google Play store have grown 388 percent between 2011 and 2013, according to a report from RiskIQ, an Internet security services company. At the same time, the number of malicious apps that Google has removed annually dropped to 23 percent in 2013, down from 60 percent in 2011.
[securityaffairs] Italy defined The National Strategic Framework for cyberspace security
Italy – The Presidency of Council of Ministers has published the “National Strategic Framework for cyberspace security” document.
[securityaffairs] Zeus variant hit Software-as-a-service applications
Researchers discovered a Zeus variant that implements a web-crawling feature to hit Software-as-a-Service applications in order to obtain access to proprietary data or code.
[net-security] Security awareness training: Why it matters
Dr. Peter Lokhorst is Managing Director of InfoSecure BV, which is currently in seven countries and provides awareness training programs to international clients including Procter & Gamble, European Central Bank, Deutsche Telecom and Bayer.
[net-security] Cloud Essentials: CompTIA Authorized Courseware for Exam CLO-001
Introduction
A part of the popular Sybex Essentials series, this book tackles the basics of cloud computing, the pros and cons of public, private and hybrid clouds, talks about the different service models, strategies on cloud adoption, and touches on cloud security, privacy and compliance.
[net-security] The growth and complexity of mobile threats
As employees continue to use their own devices and personal applications for work purposes, more threats are introduced into the workplace, putting company networks at risk. The Webroot report also provides suggestions and best practices to reduce the risk to corporate data from employee-owned mobile devices.
[infosecurity-magazine] The Pressures Facing IT Security Pros
Companies employ security professionals to defend their networks. They are pitted against equally professional and particularly talented attackers using 0-day weapons the defenders have never seen before. Judging by the number of breaches occurring almost daily, the attackers appear to be in the ascendant. Now a new report seeks to uncover the pressures affecting our defenders in their daily work.
[defensesystems] DOD aims for a proactive spectrum strategy
The Defense Department’s new spectrum plan is a balancing act that looks to meet the growing demands for wireless communications in the military while freeing up spectrum for commercial use.
[defensesystems] Air Force launches first GPS satellite of the year
The Air Force launched the fifth GPS IIF satellite aboard a United Launch Alliance Delta IV launch vehicle from Cape Canaveral on Feb. 20 in the first launch of a GPS satellite this year. The launch window opened at 8:40 p.m. EST, and takeoff was achieved at the end of a 19-minute window after being briefly delayed by high solar activity.
[defensesystems] BAE testing revolutionary helmet-mounted display
BAE Systems has begun field testing what it says is the first head-up display (HUD) for soldiers, the company announced on Feb. 19, possibly giving future soldiers the ability to mark targets and set waypoints.
[fireeye] Write Once, Exploit Everywhere: FireEye Report Analyzes Four Widely Exploited Java Vulnerabilities
Over the last couple of decades, Java has become the lingua franca of software development, a near-universal platform that works across different operating systems and devices. With its “write once, run anywhere” mantra, Java has drawn a horde of developers looking to serve a large user base as efficiently as possible.
Thursday, February 20, 2014
[infosecinstitute] Common Linux Misconfigurations
Over the numerous configuration reviews and pentest engagements that we have performed for our clients, we’ve observed a common pattern in the configuration weaknesses in Linux systems. We believe reviewing these common weaknesses and taking them into consideration may save a lot of time and resources, and more importantly help system administrators with creating more secure environments.
[infosecinstitute] Manual Web Application Penetration Testing – Finding XSS by Playing With Parameters
Introduction
In my previous article we saw the different ways of fuzzing, including suffix and prefix. We used those fuzzing techniques in order to find error messages in web applications. Now that we know how to fuzz, we will use that skill to find XSS, generally known as cross site scripting.
[infosecinstitute] Automated Malware Analysis
Malware analysis is an interesting topic that all Information security engineers are quite aware of. In manual malware analysis, malware samples are taken and moved to an isolated machine called Sandbox, where in-depth analysis is carried out. The processes followed to find out the attributes of the malwares are usually the same, so it is obviously a necessity to automate the analysis process to save time. One such automated analysis that I would like to showcase in this article is with the help of Cuckoo.
[infosecurity-magazine] State of Healthcare IT Security is 'Alarming'
Healthcare IT is one of the more critical arenas when it comes to cybersecurity, due to the sensitive nature of the information stored. But alarmingly, new research has revealed that the networks and internet-connected devices of organizations in virtually every healthcare category – from hospitals to insurance carriers to pharmaceutical companies – have been and continue to be compromised by successful attacks.
[infosecurity-magazine] 96% of Applications Have an Average of 14 Vulnerabilities
The latest Cenzic report on application vulnerability trends shows that things aren't getting any better. All software has bugs, and almost all of them have bugs that are security vulnerabilities. In fact, on average, they have 14 separate vulnerabilities – a quarter of which are cross-site scripting flaws.
[computerworld] Adobe Flash exploit targets security, public policy sites
IDG News Service - Adobe planned to release an emergency update for Flash Player on Thursday, after security vendor FireEye pointed to a zero-day exploit used by attackers to target visitors to the websites of three nonprofits, two of which focus on national security and public policy.
[computerweekly] Businesses ignore unknown threats despite cost, study shows
Security breaches cost UK organisations an estimated £1.5bn a year, yet many continue to disregard the next big wave of risk to IT security from unknown threats, a study has revealed.
[defensesystems] Navy names Cyberspace/IT Person of the Year
Randall Cieslak, CIO of the U.S. Pacific Command, has been named the Navy Department’s Cyberspace/IT Person of the Year Award winner for his work in developing a shared infrastructure within the command and improving security with the implementation of IPv6. Cieslak and four others were honored with the DON CIO’s 2014 awards.
[defensesystems] Air Force to swap 5,000 BlackBerrys for iOS devices
The Air Force has begun a shift away from BlackBerry mobile devices, announcing that it will replace 5,000 BlackBerrys with Apple iOS devices in an initial effort to begin rolling out modernized commercial mobile technologies.
[securelist] Virtual bitcoins vs hard cash
The festive season with its gifts, decorations and costumes can easily put a dent in your finances. No wonder then that after the holidays spam started appearing with suggestions on how to make some money. And increasingly spammers are using bitcoins – a cryptocurrency – as the bait. For instance, bitcoins can be earned in return for access to the computing power of a device. There are plenty of stories about millionaires who have made a fortune with the help of this currency, and spammers have been quick to exploit its current popularity.
[crowdstrike] Mo' Shells Mo' Problems - Deep Panda Web Shells
Disclaimer: CrowdStrike derived this information from investigations in non-classified environments. Since we value our client's privacy and interests, some data has been redacted or sanitized.
[fireeye] Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit
Less than a week after uncovering Operation SnowMan, the FireEye Dynamic Threat Intelligence cloud has identified another targeted attack campaign — this one exploiting a zero-day vulnerability in Flash. We are collaborating with Adobe security on this issue. Adobe has assigned the CVE identifier CVE-2014-0502 to this vulnerability and released a security bulletin.
Wednesday, February 19, 2014
[net-security] Lessons learned from blocking 100 million cyber attacks
Using real-life data from the 100m+ malicious hack attempts FireHost blocked in the last 12 months, they produced a Superfecta report which contains a quarter-by-quarter guide to the biggest cybercrime trends and incidents in 2013, including expert analysis from both FireHost’s IT security teams and partners.
[dwaterson] A RAT named Poison Ivy
In February 2013, Mandiant published a report exposing APT1, one of the cyber espionage units based in China. They found that APT1 is one of the most prolific cyber espionage groups, having stolen hundreds of terabytes of sensitive proprietary data through Advanced Persistent Threats (APTs). Mandiant concluded that APT1 is likely Chinese government-sponsored and has links with the People’s Liberation Army Unit 61398.
[dwaterson] The Privacy War era has begun
Our private information is under heavy, sustained attack like never before. The Cold War has been succeeded by the Privacy War. Individual privacy and civil liberties, as well as enterprise proprietary data, are under unprecedented attack from various powerful quarters. Like the Cold War, the Privacy War has no gunfire. Like the Cold War, the Privacy War involves government secret agents, subterfuge, secrecy and espionage. Like the Cold War, the most powerful governments in the world are key antagonists. But unlike the Cold War, there are other attackers in addition to governments, and the target of the attacks is individual and enterprise information. The Cold War fizzled out in the early 1990s; the Privacy War began in earnest after 9/11.
[dwaterson] Bitcoin – it’s all about the money, money, money
Bitcoin is a new online digital currency which has been in the news recently because of its dramatic price fluctuations. The currency uses peer-to-peer networking for transfers, while digital certificates, cryptography, and decentralised processing provide security. It has been referred to as MOIP – Money Over Internet Protocol.
[dwaterson] Anonymous internet with Tor
In the wake of the PRISM revelations, the question of internet communication privacy has come to the fore. Many are looking toward the Tor Project for anonymity. Tor protects against network surveillance and traffic analysis.
[infosecinstitute] The Importance of Session Regeneration
1. Introduction
Users of web applications are recognized by session IDs. That’s why it’s obvious that session management is an important subject. Session management flaws are related to weaknesses in the following categories:
- Generation of session IDs (think about the session IDs that can be predicted)
- Life cycle of session IDs (think about the session IDs that can be disclosed when sent via HTTP instead of HTTPS)
This article is focused on one issue in the life cycle of session IDs – session regeneration. Session regeneration is about setting a new value of a session ID – it can occur for example after successful log in of the user. Possible consequences and attack scenarios are presented when session IDs are not regenerated.
[infosecurity-magazine] Malicious Apps in Google Play Spike Nearly 400%
Android malware is the fastest-growing malware arena – a fact that few dispute. New research has dug into some of the details behind the growth, after finding that malicious apps in the Google Play store spiked almost 400% in 2013.
[infosecurity-magazine] Zeus Trojan Now Hiding in Plain Sight – Using Pictures
A new variant of the notorious Zeus banking trojan is making the rounds, with a new approach that uses steganography, a technique that allows it to disguise data inside of an existing file without damaging it.
[infosecurity-magazine] Enterprise Vulnerability Management Not Keeping Pace with Cloud and Mobility
Despite an increased focus on zero-day exploits, traditional vulnerability management solutions are unnecessarily exposing most to security threats that could be mitigated through continuous monitoring (CM), according to a report from Forrester Consulting.
[infosecurity-magazine] Using Windows Error Reports to Detect Unknown Breaches
The Microsoft Windows Error Reporting (WER) – that is, Dr. Watson – generates detailed crash telemetry and sends it, when allowed, to Microsoft. Microsoft uses the information to help it understand and correct software flaws, and harden the operating system. But in December of last year it was realized that this data can be, and probably is, intercepted and used for nefarious purposes.
[computerworld] Demand for Linux skills rises
Computerworld - Demand for people with Linux skills is increasing, a trend that appears to follow a shift in server sales.
Cloud infrastructure, including Amazon Web Service, is largely Linux based, and cloud services' overall growth is increasing Linux server deployments. As many as 30% of all servers shipped this year will be cloud services providers, according to research firm IDC.
[computerworld] Malware-infected Android apps spike in the Google Play store
IDG News Service - The number of mobile apps infected with malware in Google's Play store nearly quadrupled between 2011 and 2013, a security group has reported.
[defensesystems] DARPA looks to upgrade space junk monitoring
The Defense Advanced Research Projects Agency is willing to spend as much as $1.4 million on a program to track low-inclination, low-Earth orbit objects, the agency announced in an update to a posting on the FedBizOps website.
[fireeye] XtremeRAT: Nuisance or Threat?
Rather than building custom malware, many threat actors behind targeted attacks use publicly or commercially available remote access Trojans (RATs). This pre-built malware has all the functionality needed to conduct cyber espionage and is controlled directly by humans, who have the ability to adapt to network defenses. As a result, the threat posed by these RATs should not be underestimated.
Tuesday, February 18, 2014
[securityaffairs] Detected new Zeus variant which makes use of steganography
Security experts at Malwarebytes detected a new variant of the popular Zeus banking trojan which makes use of steganography to hide the configuration file.
[securityaffairs] Profiling hacking for hire services offered in the underground
Security expert Dancho Danchev profiled hacking for hire services offered in the underground, providing an indication of their prices.
[net-security] Half a million Belkin WeMo users are wide open to attackers
IOActive has uncovered multiple vulnerabilities in Belkin WeMo Home Automation devices that could affect over half a million users. Belkin’s WeMo uses Wi-Fi and the mobile Internet to control home electronics anywhere in the world directly from the users’ smartphone.
[net-security] New detection system spots zero-day malware
A group of researchers has created a new infection detection system that can help Internet service providers and large enterprises - or anyone running large-scale networks - spot malware attacks that antivirus and blacklisting solutions can't.
[net-security] Hackers prove massive data theft from US casino operator
Last week’s hack and defacement of the official website of the US-based Las Vegas Sands Corp. and that of the popular casinos it operates apparently didn’t affect customers and the corporation’s gambling systems.
[net-security] Most security pros concerned about missing threats between vulnerability scans
Continuous monitoring, whose roots lie with the U.S. government, addresses many of the challenges faced by traditional vulnerability management solutions and offers CISOs and security leaders across sectors a near real-time view into the security posture of their respective institutions.
[infosecinstitute] Ten Important Privacy Threats
1. Introduction
As the Internet becomes more and more important to our lives, the challenge is to enjoy the conveniences of online activities while reducing the risks of privacy violations. A good understanding of the privacy threats is an important factor for preventing privacy violations. In order to provide such an understanding, this article discusses ten important privacy threats, namely government surveillance (Section 2), data profiling (Section 3), hacking of bank institutions (Section 4), hacking of software companies (Section 5), hacking of government health care websites (Section 6), fake online complaints (Section 7), using Facebook for background checking (Section 8), hacking of delivery drones (Section 9), hacking of cloud computing servers (Section 10), and hacking of Google Glass (Section 11). The privacy threats are explained in the form of stories of fictitious individuals. Finally, a conclusion is drawn (Section 12).
[infosecurity-magazine] AT&T Fields Thousands of National Security Requests for Customer Data
AT&T has released its very first transparency report, detailing the government-led requests for information on its subscribers. The telco said that in the first six months of 2013 it received between 2,000 and 2,999 National Security Letters, affecting between 4,000 and 4,999 customer accounts.
[computerworld] Apple takes top spot in brand value computation
Computerworld - Apple was appointed the world's highest-valued brand today by Brand Finance, which said the Cupertino, Calif. company's brand is worth nearly $105 billion.
[computerworld] Whatever happened to the IPv4 address crisis?
Network World - In February 2011, the global Internet Assigned Numbers Authority (IANA) allocated the last blocks of IPv4 address space to the five regional Internet registries. At the time, experts warned that within months all available IPv4 addresses in the world would be distributed to ISPs.
[defensesystems] DOD reaches $40.5M enterprise deal for Adobe products
The Defense Department has awarded a three-year, $40.5 million joint enterprise licensing agreement, called a JELA, to CDW-G to provide Adobe products to the Army, Air Force and Defense Information Systems Agency.
[defensesystems] Why DOD needs to consider commercial SATCOM
In today’s asymmetrical conflict zones, enemies excel at blending into the surrounding environment, whether on city streets or mountainous landscapes. Military leaders make important decisions based on the warfighter’s first-hand knowledge of the enemy and the in-theater environment. But soon, as the U.S. draws down its presence in Afghanistan, resulting in fewer boots on the ground, military leadership will have ever fewer pieces of data coming straight from the scene—making the Defense Department’s intelligence, surveillance and reconnaissance (ISR) programs ever more important.
[defensesystems] Navy’s first laser gun could target drones, small craft
Moving past traditional munitions such as bullets and missiles, the Navy plans to deploy its first laser gun onto the USS Ponce this summer.
The prototype Laser Weapon System, or LaWS, is a directed-energy weapon. Firing an invisible beam of energy, the laser will be able to burn through a target or destroy sensitive electronic equipment. The weapon will be guided by the Phalanx close-in system that is currently used to defend against anti-ship missiles.
[defensesystems] When GPS falters, where will the military turn?
Whether you use it to find the closest grocery store or guide an artillery shell to its target, GPS has become the most ubiquitous navigational tool since the North Star.
Monday, February 17, 2014
[cert] Vulnerabilities and Attack Vectors
Hi, this is Will Dormann of the CERT Vulnerability Analysis team. One of the responsibilities of a vulnerability analyst is to investigate the attack vectors for potential vulnerabilities. If there isn't an attack vector, then a bug is just a bug, right? In this post, I will describe a few interesting cases that I've been involved with.
[cert] Top-10 Top Level and Second Level Domains Found in Malicious Software
Hello folks. This post comes to you courtesy of Ed Stoner and Aaron Shelmire from the Network Situational Awareness group at CERT. They write:
[cert] Study of Malicious Domain Names: TLD Distribution
Hello, folks. This post comes to you courtesy of Aaron Shelmire from the Network Situational Awareness team. Aaron writes:
[cert] Prioritizing Malware Analysis
Hi, this is Jose Morales, researcher in the CERT:CES team. In early 2012, a backdoor Trojan malware named Flame was discovered in the wild. When fully deployed, Flame proved very hard for malware researchers to analyze. In December of that year, Wired magazine reported that before Flame had been unleashed, samples of the malware had been lurking, undiscovered, in repositories for at least two years. As Wired also reported, this was not an isolated event.
[securityaffairs] The crowd-funding site Kickstarter has been Hacked
The crowd-funding site Kickstarter has been hacked! The company advised its users to change their passwords.
[net-security] Exploring the complexity of modern cyber attacks
What are the main challenges in balancing a growing security architecture with emerging threats, while at the same time justifying ROI to the management?
[net-security] Geographical passwords as a solution to the password problem
The massive data breaches that happened in the last few years have proven beyond doubt that the text password authentication method has many flaws.
[infosecinstitute] What We Learned from APTs in the Current Year
Early this year we witnessed major IT firms suffering from data breaches of one kind or another, and they have come out in the open about the breaches, as well. A couple of examples are Apple and Twitter. It’s going to be costly if the enterprises play according to the old book of rules—develop and deliver. The threat landscape has seen remarkable changes, especially with the cloud being the major form of technology sought after these days. Security threats have seen a marked evolution from botnets and spywares to advanced malwares and APTs. Firms such as Mozilla, Google, Facebook, and many others realized this simple fact and have started bounty programs to detect and prevent security breaches. Attacks have been engineered to steal trade secrets, insider information, authentication credentials, and other personal information of the targeted enterprises.
[dwaterson] Surviving a high profile data breach
It seems as if hardly a day passes without a high profile data breach report in the press. Organisational defences are being breached and confidential data is being stolen. There is a ready market for Personally Identifiable Information (PII) such as credit card numbers, email addresses, and bank account details. For many organisations, it is less a matter of whether they will suffer a high profile breach, but when. A recent survey found that most security pros are unsure if they could properly handle a breach, and would need to fudge a report to their CEO.
[infosecinstitute] Average Certified Ethical Hacker (CEH) Salary 2014
With a spate of successful hacking attempts on various banking and retail websites, ethical hacking has emerged as one of the most critical roles in protecting a company’s information. With hackers becoming smarter and more aggressive, ethical hackers are in high demand in almost every industry. They have most often been employees of government agencies and high-profile research and development laboratories, preventing unauthorized access to sensitive information, but nowadays almost every company across the world, whether in online commerce and retail, real estate, logistics and transport, healthcare, hospitality, or any sector in between, employs some variant of ethical hacking to keep its information the way it’s meant to be: confidential!
[infosecurity-magazine] Merkel and Hollande Propose a European Internet
News outlets, such as the BBC, are reporting that Germany's Chancellor Angela Merkel "is proposing building up a European communications network to help improve data protection" and prevent European emails and other data passing through the United States where it can be, and has been, harvested by the NSA.
Sunday, February 16, 2014
[blackhat] ENERGY FRAUD AND ORCHESTRATED BLACKOUTS: ISSUES WITH WIRELESS METERING PROTOCOLS (WM-BUS)
Government requirements, new business cases, and consumer behavioral changes drive energy market players to improve the overall management of energy infrastructures.
While the energy infrastructure is steadily maintained and improved, some significant changes have been introduced to the power grids of late. Actually, the significance of the changes could be compared to the early days of the Internet where computers started to become largely interconnected. Naturally, questions arise whether a grid composed of so many interacting components can still meet today's requirements for reliability, availability, and privacy.
[blackhat] END-TO-END ANALYSIS OF A DOMAIN GENERATING ALGORITHM MALWARE FAMILY
Select malware families have used Domain Generating Algorithms (DGAs) over the past few years in an effort to evade traditional domain blacklists, allow for fast-flux domain registration and usage, and evade analysts’ abilities to predict attackers’ control servers. While novel work has been done by both private industry and academia with respect to detecting DGA-related network traffic, this presentation demonstrates end-to-end analysis of a DGA malware family, from binary deobfuscation to DGA analysis, to sinkholing, to domain registrant research, to attribution of the malware’s author and accomplices.
[blackhat] DEFENDING NETWORKS WITH INCOMPLETE INFORMATION: A MACHINE LEARNING APPROACH
Let's face it: we may win some battles, but we are losing the war pretty badly. Regardless of the advances in malware and targeted attacks detection technologies, our top security practitioners can only do so much in a 24-hour day; even less, if you let them eat and sleep. On the other hand, there is a severe shortage of capable people to do "simple" security monitoring effectively, let alone complex incident detection and response.
[blackhat] BLACK-BOX ASSESSMENT OF PSEUDORANDOM ALGORITHMS
Last year at Black Hat, Argyros and Kiayias devastated all things pseudorandom in open-source PHP applications. This year, we're bringing PRNG attacks to the masses.
[infosecinstitute] SSL ATTACKS
In the last few years, we have witnessed a wide range of attacks on the SSL/TLS mechanism. In this article, we will try to cover various attacks that were prominent in the field of cryptography. Transport layer security (TLS) ensures integrity of data transmitted between two parties (server and client) and also provides strong authentication for both parties. The attacks launched in the last few years have exploited various features in the TLS mechanism. We are going to discuss these attacks one by one.
[infosecinstitute] U.S. Cyber Policy – Course and Legal Aspects
Introduction
Cyber policy is an important issue that many would describe as unresolved. Even leading nations struggle to get a good grip on the political and legal implications that emerged after the inception of the great Internet globalization. With respect to cyberspace, the U.S. government, like every other government, pursues its own agenda. This article reviews some of the key U.S. stances when it comes to determining an advantageous cyber policy. In addition, it also includes a summary of the recently revealed Presidential Policy Directive-20.
[infosecinstitute] Anatomy of BIOS Security
Introduction
Computer security has become much harder to manage in recent years, and this is due to the fact that attackers continuously come up with new and more effective ways to attack our systems. As attackers become increasingly sophisticated, we as security professionals must ensure that they do not have free rein over the systems that we are hired to protect. An attack vector that many people forget to consider is the boot process itself, which is almost completely controlled by the BIOS.
[infosecinstitute] WEAPON OF ANONYMOUS
Before starting, I would like to give a small preview of the topic. This article focuses on the world famous hacker group known as “Anonymous.” I will be describing their attack methodologies and way of planning, but we will be focusing more on the weapons or tools they use. The word anonymous simply means having no name or identity. The group Anonymous is a faction of hackers or hacktivists. They have their own website and IRC (Internet Relay Chat) channel where they hold loose online gatherings that focus on brainstorming. Rather than giving orders, the group uses a voting system that chooses the best way of handling any situation. This group is famous for its hacks, among them Distributed Denial of Service (DDoS) attacks on government websites, well-reputed corporate websites, and religious websites. Their famous slogan is:
[securityaffairs] Discovered thousands of FTP servers infected by malware
Hold Security reported it has discovered a list of credentials for close to 7,800 FTP servers being circulated in cybercrime forums in the Deep Web.
Saturday, February 15, 2014
[thehackernews] 300000 Android Devices infected by Premium SMS-Sending Malware
Downloading various apps blindly from the Google Play store may put your money at risk.
PandaLabs, the Cloud Security Company, has identified malicious Android apps on Google Play that can sign up users for premium SMS subscription services without their permission. So far they have infected at least 300,000 Android users, although the number of malicious downloads could be up to 4 times higher, i.e. 1,200,000 users.
[securityaffairs] TESCO thousands shopping account credentials leaked online
Thousands of Tesco.com shopping accounts were suspended after hackers leaked user details including credentials and Tesco Clubcard vouchers.
[infosecinstitute] Analyzing Malicious PDFs
PDF files have become very common in everyday work. It’s hard to imagine business proposals without PDFs. The PDF format is used in almost all companies to share business deals, company brochures, and even invitations.
[infosecinstitute] Java Code Embedding in C#
Interoperability Between JVM & CLR
Abstract
The real concept driving this article is to develop solutions using the .NET or Java Framework that interoperate with heterogeneous systems or even mutually communicate with each other. The Java Virtual Machine (JVM) exposes the Java Native Interface (JNI), which allows other programs to control the JVM, for instance to load classes, create instances and run methods.
[infosecinstitute] NSA BIOS Backdoor a.k.a. God Mode Malware Part 1: DEITYBOUNCE
This article is the first part of a series on NSA BIOS backdoor internals. Before we begin, I’d like to point out why this malware is classified as “god mode.” First, most of the malware uses an internal (NSA) codename in the realm of “gods,” such as DEITYBOUNCE, GODSURGE, etc. Second, this malware has capabilities similar to “god mode” cheats in video games, which make the player using them close to invincible. This is the case with this type of malware because it is very hard to detect and remove, even with the most sophisticated anti-malware tools, during its possible deployment timeframe.
[infosecinstitute] Java Bytecode Reverse Engineering
Abstract
This article is especially designed to show how to crack a Java executable by disassembling the corresponding bytecode. Disassembling of Java bytecode is the act of transforming Java bytecode to Java source code. Disassembling is an inherent issue in the software industry, causing revenue loss due to software piracy. Security engineers have made an effort to resist disassembling techniques in the context of Java bytecode, including software watermarking and code obfuscation. A large part of this paper is dedicated to tactics that are commonly considered to be reverse engineering. The methods presented here, however, are intended for professional software developers, and each technique is based on a custom-created application. We are not encouraging any kind of malicious hacking approach by presenting this article; in fact, the contents of this paper help to pinpoint the vulnerability in the source code and learn the various methods developers can use in order to shield their intellectual property from reverse engineering. We shall explain the process of disassembling in terms of obtaining sensitive information from source code and cracking a Java executable without having the original source code.
[infosecurity-magazine] Bitcoin Hack Leaves Silk Road 2 Drained of All Funds
The Silk Road 2 black-market transaction site has been drained of its operating capital, with hackers lifting $2.7 million in Bitcoins from its central escrow coffers.
[infosecurity-magazine] Moon Landing: New Worm Spreads Itself via Linksys Routers
An unusual self-propagating worm has been discovered, spreading its way among Linksys E-model routers, the popular home networking and small office CPE. Johannes Ullrich, a researcher with SANS Technology Institute, named the bug the Moon because it includes basic HTML pages with images based on the movie “The Moon.” But here’s the other thing: the worm just seems to “moon about,” not really doing anything other than spread itself.
[blackhat] ABOVE MY PAY GRADE: CYBER RESPONSE AT THE NATIONAL LEVEL
Incident response is usually a deeply technical forensic investigation and mitigation for an individual organization. But for incidents that are not merely cyber crime but truly national security events, such as large-scale disruptive attacks that could be acts of war by another nation, the process is completely dissimilar, needing a different kind of thinking.
[blackhat] A TALE OF ONE SOFTWARE BYPASS OF WINDOWS 8 SECURE BOOT
Windows 8 Secure Boot, based on UEFI 2.3.1 Secure Boot, is an important step towards securing platforms from malware that compromises the boot sequence before the OS loads. However, there are certain mistakes platform vendors shouldn't make which can completely undermine the protections offered by Secure Boot. We will demonstrate an example of a full software bypass of Windows 8 Secure Boot due to such mistakes on some of the latest platforms and explain how those mistakes can be avoided.
[cio] Kickstarter Hacked, User Names and Encrypted Passwords Accessed
IDG News Service (New York Bureau) — The crowdfunding website Kickstarter said Saturday it had been hacked and that user names, encrypted passwords and other data had been accessed.
Friday, February 14, 2014
[thehackernews] Magento vulnerability allows an attacker to create administrative user
It seems you cannot go a day without hearing about someone or some group hacking a website or stealing credit card and other sensitive data from e-commerce sites.
The e-commerce market is booming, and that provides even more opportunities to hackers. There are many ready-made e-commerce platforms available on the Internet that are easy to install and easy to manage at no extra cost, and 'Magento' is one of the most popular of them.
[emsisoft] MtGox Freezes All Bitcoin Withdrawals
Hackers do what they do to make money. That’s why they create ransomware like Linkup and Cryptolocker, and that’s why massive corporations like Microsoft pay bug bounties as large as $100,000 to anyone who can detect vulnerabilities in their software. It’s also why the Mt.Gox Bitcoin exchange did what it did last Friday, February 7th.
[scmagazine] Arbor Networks observes several large NTP-based DDoS attacks
Arbor Networks announced on Friday that it observed several large NTP-based distributed denial-of-service (DDoS) attacks this week, including one on Monday that peaked at 325 gigabytes per second.
[securityaffairs] The Syrian Electronic Army hacked Forbes
The Syrian Electronic Army has hacked Forbes WordPress CMS and has hijacked Twitter accounts belonging to the media agency. Who will be the next one?
[securityaffairs] Cybercriminals target mobile applications with fake SSL Certificates
Cybercriminals are targeting mobile applications with fake SSL certificates to run man-in-the-middle attacks against the affected companies and their customers.
[securityintelligence] Discovering Threat-Aware Identity and Access Management
Today’s rapidly-changing, borderless business world and the mobile/cloud momentum are breaking down the traditional perimeter, forcing us to look at security differently. Maybe your firm is implementing new access policies and controls for mobile users, or you’re moving applications into the cloud. Or perhaps you’re opening up your enterprise to external users to exploit new business models. As cloud, mobile and other IT consumerization trends take hold, organizations must look beyond traditional Identity and Access Management (IAM) approaches and implement security solutions designed for current and emerging trends.
[securityintelligence] Learn About New Security Analytics and Fraud Protection Solutions at Pulse 2014
In this series of breakout sessions you can attend live demos, panel discussions, and interactive presentations where IBM experts and customers share their real-world security experiences and solutions for the pressing security business problems of today. There are a number of sessions you will not want to miss, including:
[infosecinstitute] NSA Backdoor Part 2, BULLDOZER: And, Learn How to DIY a NSA Hardware Implant
This article is the second part of a series on NSA BIOS backdoor internals. This part focuses on BULLDOZER, a hardware implant acting as a malware dropper and wireless communication “hub” for NSA covert operations. Although BULLDOZER is hardware, I still use the word “malware” when referring to it because it is malicious hardware. Perhaps the term “malware” should refer to both malicious software and malicious hardware, instead of referring only to the former.
[infosecinstitute] Injecting Spyware in an EXE (Code Injection)
Implanting malicious code in the form of spyware into an existing running process is one of the more sophisticated tasks. Before the advent of disassembler or patching tools, the malevolent code was usually invoked from hand-written program code, which is a very exhausting process in itself, because it meant working through code written in C or VC++. This paper demonstrates exclusively the invoking of covert code along with the main executable by using the OllyDbg and IDA Pro disassemblers. Such covert malicious code is triggered without the assent of the user; more precisely, the moment specific methods are executed from the main EXE, the spyware is automatically and surreptitiously activated.