Archive for October, 2013

Google Chrome to Automatically Block Malicious Downloads

Google is planning to add a new feature to its Chrome browser that will block malicious downloads automatically, helping to prevent drive-by downloads and the kind of malware that rides along with supposedly legitimate software.

The new addition to Chrome is already in the development queue, appearing in the company’s Canary channel, which is the earliest development release available. The feature is meant to help protect users against the kind of malware that often is installed with users’ knowledge and then makes changes to their machines or installs other malicious components such as keyloggers or Trojans.

With this new feature enabled, Chrome will show users a small notification in the bottom of the browser window, alerting them that a download has been blocked automatically.

“In the current Canary build of Chrome, we’ll automatically block downloads of malware that we detect. If you see this message in the download tray at the bottom of your screen, you can click “Dismiss” knowing Chrome is working to keep you safe,” Linus Upson, vice president of Google, said in a blog post explaining the changes.

“This is in addition to the 10,000 new websites we flag per day with Safe Browsing, which is used by Chrome and other browsers to keep more than 1 billion web users safe.”

Along with the addition of automatic malicious download blocking, upcoming versions of Chrome also will have a feature that rolls back users’ browser settings to their original state at the press of a button. This can help users recover from a malware infection that changes browser settings, resets home pages or prevents users from removing a plugin or extension.

“Bad guys trick you into installing and running this kind of software by bundling it with something you might want, like a free screensaver, a video plugin or—ironically—a supposed security update. These malicious programs disguise themselves so you won’t know they’re there and they may change your homepage or inject ads into the sites you browse. Worse, they block your ability to change your settings back and make themselves hard to uninstall, keeping you trapped in an undesired state,” Upson said.

“We’re taking steps to help, including adding a “reset browser settings” button in the last Chrome update, which lets you easily return your Chrome to a factory-fresh state. You can find this in the “Advanced Settings” section of Chrome settings.”

Image from Flickr photos of F Delventhal.


Categories: Malware, Web Security

Comment (1)

  1. LeeW October 31, 2013 @ 4:23 pm


    So, who defines malicious? My religious philosophy, my political ideology? These have always been declared “Malicious” or divisive, or any other maligned pronunciation by despotic, bankrupt anti-freedom malignancies. Google? Already implicated as a collaborator with the aforementioned. And what about Google’s purported collaboration with the Chinese government’s tracking of dissidents calling for freedom?

    Sure, Chrome! A shiny reflection of what glitters is NOT always a good thing.


EFF Makes Case That Fifth Amendment Protects Against Compelled Decryption

With new leaks about the extent of U.S. government surveillance coming almost daily, one constant remains among all the deterrents to the NSA’s prying eyes: encryption technology works. As far as we know, the math behind encryption is solid, despite the specter of some unnamed breakthrough made by the spy agency some years ago.

The Snowden documents don’t seem to substantiate this breakthrough as yet; any success the NSA has had in beating encryption may come from subverting NIST standards used to build the technology into products, or companies being legally forced or coerced into handing over the encryption key.

Tangentially, the government continues to try to make a case for the ability to force someone alleged to have committed a crime to decrypt their hard drives and turn over evidence. On a number of previous occasions, the courts have upheld Fifth Amendment protections against self-incrimination in such cases.

The case, an appeal of a previous decision, begins Monday in the Massachusetts Supreme Judicial Court. Leon Gelfgatt, 49, an attorney from Marblehead, Mass., was indicted in a mortgage fraud scam in which he is alleged to have stolen more than $1.3 million. The government, in trying to make its case against Gelfgatt, tried to compel him to decrypt his hard drive. The judge in the case, however, denied the request, saying that such an action would violate the Fifth Amendment.

Digital advocacy group the Electronic Frontier Foundation, along with the American Civil Liberties Union, filed an amicus brief yesterday explaining that the Fifth Amendment privilege against self-incrimination prohibits compelled decryption. Hanni Fakhoury, staff attorney with the EFF, wrote in a blog post that the Fifth Amendment protects an individual from unveiling the “contents of his mind” and that the government, through this action, would be learning new facts in the case beyond the encryption key.

“By forcing Gelfgatt to translate the encrypted data it cannot read into a readable format, it would be learning what the unencrypted data was (and whether any data existed),” Fakhoury wrote. “Plus, the government would learn perhaps the most crucial of facts: that Gelfgatt had access to and dominion and control of files on the devices.”

The government’s argument is that the decryption is akin to providing the combination to unlock a safe, rather than compelling the production of decrypted files.

“That assertion is incorrect,” the brief says. “Just as encrypting a drive encrypts each and every one of its files, decrypting the drive makes available copies of all of its files.” The contention is that because the data is transformed and scrambled, decryption is more than a key, safe combination or password, the brief said.

In February 2012, a federal appeals court determined that a Florida man’s rights were violated when he was jailed for refusing to decrypt his hard drive. The EFF said this was the first time an appellate court ruled the Fifth Amendment protects against compelled decryption.

The EFF’s Fakhoury told Threatpost that the government has in the past suggested that encryption is used only by criminals to cover their tracks, while failing to point out legitimate business and personal reasons to encrypt data, such as protecting trade secrets or personal data.

“In the surveillance environment, the need for encryption is especially strong because it often seems that strong technology is our last refuge from the government’s prying eyes,” Fakhoury said. “We’ve seen in all the leaks the government’s effort to undermine web encryption and so we must make sure they can’t undermine the physical device encryption here.”


Categories: Cryptography


Researcher Posts Bug Details on Zuckerberg’s Wall

Back in August, Khalil Shreateh, a Palestinian security researcher listing his job status as “unemployee” discovered a bug on Facebook, the world’s largest social network, that gave him the ability to post content on any other user’s timeline. He then did what any entrepreneurial young security researcher would do: he went straight to the top, explaining exactly what he had discovered with a post on the wall of Facebook founder and CEO Mark Zuckerberg.

That’s right, he disclosed the details of his bug by exploiting the flaw in order to post the details of it on the timeline of Facebook’s CEO.

To be clear, Shreateh claims he had attempted multiple times to disclose his bug to Facebook’s White Hat program, but there was a misunderstanding between the two. Apparently Shreateh wasn’t providing enough technical information. Facebook would later confirm the existence of the bug, deactivate Shreateh’s Facebook account, and ultimately award him no bounty for the bug, explaining that he had violated the terms of service with his demonstration.

Surprisingly, the incident was little more than a misunderstanding. Facebook reactivated Shreateh’s account shortly after having deactivated it.

In fact, a Facebook spokesperson told Threatpost via email that Shreateh has since reported more bugs to their White Hat program, following the correct guidelines for these, and receiving bounty payments in turn.

The vulnerability here isn’t an incredibly critical one, but Facebook users should not be able to post content on or even view the walls of anyone other than their friends, unless the user receiving the content has gone into their settings and specifically allowed everyone to post on their wall.

Shreateh disclosed the bug through Facebook’s White Hat program by performing the attack on a seemingly random user. Initially, the security team at Facebook responded to Shreateh telling him that what he found was not a bug, which, Shreateh claims, is why he then had to perform the attack again, publishing a post on Zuckerberg’s timeline to show that there was indeed a vulnerability.

This, of course, is not what most researchers would consider responsible disclosure, which is likely the reason why Shreateh did not receive a bounty payment when Facebook eventually acknowledged the bug.


Categories: Hacks, Social Engineering

Comments (2)

  1. Matt Hazz October 31, 2013 @ 4:41 pm


    wow, republishing two month old ‘news’ must be a slooow news day or you guys are really desperate for content or both.


EU Petition Seeks to Restrict Export of ‘Digital Arms’

A Dutch member of the European parliament is supporting a grass-roots effort to restrict the export of surveillance software such as FinFisher and others, which are used by some governments and law-enforcement agencies to monitor their citizens’ activities.

The effort, dubbed Stop Digital Arms, is supported by Marietje Schaake, a member of the EU Parliament’s International Trade committee. The petition itself is on the site, and it calls upon members of the European Union “to give the European Commission the mandate to draft the laws and develop initiatives necessary to stop digital arms trade”.

There are a number of companies that sell the kind of surveillance and “lawful intercept” software referenced in the digital arms petition. Perhaps the most well-known is a British company called Gamma International UK, which sells the FinSpy and FinFisher software used by various governments around the world. In a report called “For Their Eyes Only” released earlier this year, the Citizen Lab at the Munk School of Global Affairs at the University of Toronto detailed the spread of this software around the world and identified a slew of FinFisher command-and-control servers in countries such as Australia, Bahrain, Canada, Germany, the Netherlands and the United States, among many others.

“We, users of the global open internet urge European politicians and institutions, EU Member States and European businesses to stop the trade in digital arms,” the petition says.

“We believe in the empowerment of individuals via the internet and technologies but also acknowledge that technologies can become powerful arms in the hands of oppressors, or when companies and governments gain unchecked power or market share; we regret that globally opposition members, journalists, bloggers and citizens increasingly face repression through the use of technologies.”

The existence and use of lawful intercept and surveillance software has been an open secret in the security and privacy communities for some time now, but research such as the Citizen Lab report and the use of these applications against activists and journalists in countries such as Egypt and Syria during their recent political upheavals has raised the awareness of them among politicians and the general technology community. There are U.S. companies that sell similar software and appliances, and are restricted by U.S. law from exporting them to certain countries the U.S. does not do business with. The EU petition seeks to prevent European Union companies from selling their wares in some countries, as well.

“We urge European technological companies to develop standards to embed ‘human rights by design’ principles in their business operations and sign up to codes of conduct that respect human rights and promote corporate social responsibility,” the petition says.


Categories: Government, Privacy, Web Security


British Citizen Indicted for Attacking Government, Military Networks

The United States District Court in New Jersey is accusing British citizen Lauri Love, and others not named, of conspiring to and illegally accessing various government and military networks. The purpose of these attacks, prosecutors said, was to steal vast stores of personally identifiable and other non-public information and to disrupt the operations and infrastructure of U.S. government networks.

Love and co-conspirators are accused of seeking out vulnerabilities in government and military networks with automated vulnerability scanning tools and exploiting those bugs in order to access the systems of their victims at that time and to implant backdoors to permit access in the future. They allegedly stole personally identifiable information (PII) belonging to military service people and current and former government employees, causing millions of dollars in damages, according to an indictment acquired by SC Magazine.

In Internet Relay Chat logs acquired by investigators, Love – allegedly operating under the handle “peace” – notes that these vulnerabilities could be leveraged to acquire “real confidential [stuff].”

Victims of the alleged conspiracy include the U.S. Army, Environmental Protection Agency (EPA), NASA, Engineer Research and Development Center (ERDC), Plans and Analysis Integration Office (PAIO), Strategic Studies Institute (SSI), Army Network Enterprise Technology Command (NETCOM), Army Contract Command (ACC), Missile Defense Agency (MDA), and Federal Facilities Environmental Stewardship and Compliance Assistance Center (FedCenter).

Love’s attack methods are said to have included SQL injection attacks, targeting vulnerabilities in Adobe’s ColdFusion development platform, and infecting victim machines with backdoor malware designed to provide indefinite access to sensitive networks. Prosecutors claim that Love shared the vulnerabilities he found, his attack methods, and methods for exfiltrating and making sense of stolen data with his co-conspirators so they too could perform similar attacks and steal data.

IRC logs included in the indictment appear to demonstrate that Love’s actions were malicious and deliberate.

“[Co-conspirator two], you have no idea how much we can [mess] with the U.S. government if we wanted to,” Love is alleged to have said. “This … stuff is really sensitive.”

Love would go on to claim that the information is “…basically every piece of information you’d need to do full identity theft on any employee or contractor for the [redacted government agency].”

According to prosecutors, the accused also used their IRC channel to coordinate the promotion of their attacks and the data they stole via various social networks, including Twitter.

In an attempt to cover their tracks, the alleged conspirators routed their traffic through proxy servers and further anonymized themselves using the Tor network. Prosecutors claim that the accused also attempted to shield themselves from investigators by communicating on secure IRC channels and using multiple handles, all of which appears to have been evident in the IRC logs.

Specifically, Love and his alleged conspirators are accused of exploiting a ColdFusion vulnerability to access ERDC servers and steal a password property file there, which they then allegedly used to determine the server’s administrative password and view sensitive information.

In the NETCOM attack, prosecutors say Love and company deployed a SQL injection attack that resulted in the theft of PII from thousands of military personnel stationed at the Fort Monmouth, New Jersey military installation.

In the ACC attack, the accused conspirators allegedly accessed competitive acquisition and other related information after launching a SQL injection attack. They are said to have taken natural resource management and other sensitive information from an Army Corps server by deploying a similar attack and exploiting ColdFusion vulnerabilities. Prosecutors claimed they again used ColdFusion bugs to compromise PAIO servers and steal budgetary information stored there and to install malware on ERDC, USMDA, FedCenter, NASA and SSI servers.
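The indictment describes several of these intrusions as SQL injection attacks. The following is an added example, not code from the article or from any of the systems named in it, that shows the defect class side by side with its fix: a lookup that splices user input into SQL text, and the same lookup written with bound parameters so that the input can only ever be data. The table and personnel rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a personnel directory (not real records).
PEOPLE = [("alice", "alice@example.mil"), ("bob", "bob@example.mil")]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE personnel (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO personnel VALUES (?, ?)", PEOPLE)
    return conn


def lookup_vulnerable(conn, username):
    """The defect: untrusted input is pasted into the statement text, so a quote
    character in the input changes the structure of the query itself."""
    sql = "SELECT username, email FROM personnel WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: a placeholder binds the input as a value; the database never
    parses it as SQL, whatever characters it contains."""
    sql = "SELECT username, email FROM personnel WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with an ordinary name and with the classic tautology
    input that textbooks use to illustrate the bug, and return the row counts
    each version produces."""
    conn = build_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # turns the WHERE clause into an always-true condition
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-18s -> %d row(s): %s" % (label, len(rows), rows))
```

The point for a reviewer or an auditor is the last two results: the parameterized lookup returns nothing for the hostile input, while the string-built one returns every row in the table. Any code path that builds SQL with `%`, `+` or an f-string from request data is the pattern to grep for.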


Categories: Government, Hacks


HTTP 301 Redirections Lead to Trouble for Mobile Apps

Thousands of mobile apps developed for the Apple iOS platform can be forced to display phony, even malicious content, because of a vulnerability that allows an attacker to redirect traffic to a third-party site and persistently serve content from that location.

Researchers from Israeli mobile company Skycure were scheduled to present the details of their findings today during a session at RSA Europe in Amsterdam.

The attack, dubbed HTTP Request Hijacking (HRH), requires that an attacker carry out a man-in-the-middle attack over an open Wi-Fi connection. Once positioned, the attacker can capture HTTP requests and answer them with an HTTP 301 redirection, the server-side 301 Moved Permanently response. The mobile application caches this response, and once the user opens the vulnerable app again, it connects to the attacker’s server rather than the intended website.

“While the 301 Moved Permanently HTTP response has valuable uses, it also has severe security ramifications on mobile apps, as it could allow a malicious attacker to persistently alter and remotely control the way the application functions, without any reasonable way for the victim to know about it,” wrote Skycure CTO Yair Amit in a blog post.

HRH doesn’t pose the same risk on desktop browsers because the URL in the address bar would change and could be noticed by the user. Mobile applications don’t generally display the site to which they connect, keeping the clandestine connection secret, Amit said.

HTTP 301 responses are used for permanent webpage redirections. Sites that move to new domains use 301 redirects, as do sites that can be accessed via slightly different URLs; one is selected as the canonical destination, according to a Google support doc, while the others will redirect to that URL using a 301 response.

The problem in this attack, Amit said, is that the mobile app keeps the 301 response in cache and permanently connects to the attacker’s web server. That server can then drop any content into the app, including links to malicious sites.

Amit said they have a proof of concept that works on iOS, but since this is a rather generic attack, it could work against other mobile operating systems.

“We went on to test a bunch of high profile applications, and were amazed to find that about half of them were susceptible to HRH attacks,” Amit said. “Focusing on leading app store news apps, we found many of them vulnerable and easy to exploit.”

Amit added that while the attack works quite well against unencrypted sessions, it also can be mounted against HTTPS traffic.

“It is interesting to note that by luring a victim to install a malicious profile that contains a root CA, an attacker can mount HRH attacks on SSL traffic as well,” Amit said. “Combining the malicious profiles threat we uncovered together with this new threat of HTTP Request Hijacking, generates a troubling scenario: Even after the malicious profile is identified and removed from the device, attacked apps continue to interact seamlessly with the attacker’s server instead of the real server, without the victim’s knowledge.”

iOS developers are urged to look for the vulnerability in their apps, Amit said, adding that apps should connect using HTTPS, although it’s not a foolproof defense.
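The mechanism Amit describes is simple to model, and modeling it shows where a client-side policy can break the persistence. Below is an added example, not Skycure’s proof of concept and not code from any of the apps tested, that simulates an app’s redirect cache across three launches: one on a hostile network where a 301 is injected, then two on a clean network. The permissive cache reproduces the hijack; the strict cache only remembers a permanent redirect that arrived over HTTPS and stays on the same host. The URLs and the `RedirectCache` class are assumptions made for the simulation.

```python
from urllib.parse import urlsplit

# Constructed URLs for the simulation (not from the original article).
APP_API = "http://news.example.com/api/feed"
ATTACKER = "http://attacker.example.net/feed"


class RedirectCache:
    """Models an app-level cache of 301 Moved Permanently responses.

    strict=False reproduces the behaviour the article describes: any 301 is
    remembered and followed on every later launch.  strict=True applies a
    defensive policy: a permanent redirect is remembered only when it arrived
    over HTTPS and points to an HTTPS URL on the same host, so a plaintext
    man-in-the-middle answer can never become a persistent rewrite.
    """

    def __init__(self, strict):
        self.strict = strict
        self._cache = {}  # requested URL -> remembered redirect target

    def observe(self, url, status, location):
        """Record a response; return True if the redirect was persisted."""
        if status != 301 or not location:
            return False
        if self.strict:
            src, dst = urlsplit(url), urlsplit(location)
            if src.scheme != "https" or dst.scheme != "https":
                return False  # never trust a redirect seen over, or going to, plaintext
            if src.netloc.lower() != dst.netloc.lower():
                return False  # never persist a cross-origin rewrite
        self._cache[url] = location
        return True

    def resolve(self, url):
        """The URL the app will actually contact for `url` on this launch."""
        return self._cache.get(url, url)


def simulate(strict):
    """One hostile-network launch followed by two launches on a clean network;
    returns the URLs contacted on the two clean launches."""
    cache = RedirectCache(strict)
    # Launch 1: on open Wi-Fi a man-in-the-middle answers the app's plaintext
    # request with a 301 pointing at the attacker's server.
    cache.observe(APP_API, 301, ATTACKER)
    # Launches 2 and 3: the network is clean, but the app consults its cache first.
    return [cache.resolve(APP_API) for _ in range(2)]


def legitimate_move_is_kept():
    """A same-host HTTPS-to-HTTPS 301 is still honoured under the strict policy."""
    cache = RedirectCache(strict=True)
    old = "https://news.example.com/api/feed"
    new = "https://news.example.com/api/v2/feed"
    return cache.observe(old, 301, new) and cache.resolve(old) == new


if __name__ == "__main__":
    print("permissive cache contacts:", simulate(strict=False))
    print("strict cache contacts:    ", simulate(strict=True))
```

The strict policy closes the plaintext case but, as Amit notes above, an attacker who has installed a malicious root CA on the device can deliver the 301 over TLS as well; the same-host rule still stops that response from rewriting the app’s server to a different origin, but it is a mitigation, not a complete defense.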


Categories: Mobile Security


Mozilla Fixes 10 Vulnerabilities with Firefox 25


Lavabit, Silent Circle Form New Anti-Surveillance Dark Mail Alliance

As the stunning revelations about the NSA’s collection methods and capabilities continue to mount, two secure email providers that have shut down their services in recent months have formed a new alliance to develop and deploy a new secure email platform that will be resistant to surveillance and back doors. The Dark Mail Alliance, formed Wednesday by Silent Circle and Lavabit, aims to put together an open protocol and architecture for private email.

Both Lavabit and Silent Circle made the decision this summer to pull the plug on their respective secure email services, for different, but related, reasons. Lavabit, a provider of encrypted private email services, in August said that it would pull the plug on its service. At first the company didn’t provide many details on why the decision had been made, but it gradually became clear that Lavabit founder Ladar Levison had decided to shut the service down rather than comply with a government request for access to the master encryption key for the service. Edward Snowden, the NSA whistle blower, was a Lavabit user, and the FBI wanted access to his email, but was also asking for access to other users’ accounts. Levison instead shut the service down.

Soon afterward, officials at Silent Circle came to the decision that they needed to end their Silent Mail offering, as well, as they assumed it also would be a prime target for government surveillance requests.

“We said we had to do something and do it now, and tell people why we did. I had to think about it in terms of if I were [the government], what would I be doing? I would be typing up the subpoenas to be delivered at 7 a.m.,” Jon Callas, co-founder of Silent Circle, said at the time of the shutdown in August.

Now, the two companies are pooling their resources in an effort to get a new secure email platform off the ground. Truly secure and private email has proven to be a challenge for more than a decade now, but officials from the two companies say that the need is there.

“Together our mission is simple: To bring the world a unique end-to-end encrypted protocol and architecture that is the ‘next-generation’ of private and secure email. What we call ‘Email 3.0.’ is an urgent replacement for today’s decades old email protocols (‘1.0’) and mail that is encrypted but still relies on vulnerable protocols leaking metadata (‘2.0’),” they said in a blog post announcing the alliance.

“Our goal is to open source the protocol and architecture and help others implement this new technology to address the privacy concerns over surveillance and back door threats of any kind.”

How the alliance will proceed and what the technology will look like remain to be seen, but the interest in this kind of technology in the security and privacy communities is quite high, especially given the revelations of the last few months.

Image from Flickr photos of Frederic Bisson


Categories: Cryptography, Government, Privacy

Obama Administration to Review NSA Capabilities

President Barack Obama has initiated a review of the procedures and methods that the NSA uses to collect intelligence at home and overseas to ensure that the agency isn’t overstepping its bounds in phone and Internet data collection.


Smaller, Popular Open Source Software Packages Exposed in Sourceforge Review

Open source projects with anywhere between 100,000 and 1 million downloads are pretty sizable endeavors, and with the code open for scrutiny, you would think bugs would be found and some sort of disclosure process would be in place.

If a spate of recently discovered issues in seven popular software packages hosted on Sourceforge is any indication, the answer might be no on both counts.

Metasploit exploit modules were released recently for post-authentication command execution and arbitrary file-read vulnerabilities in enterprise applications such as Moodle, vTiger CRM and Openbravo ERP, as well as network monitoring software Zabbix, Linux-based hosting control panel program ISPConfig, and consumer software such as OpenMediaVault and NAS4Free. In total, these packages have been downloaded more than 16 million times with Moodle leading the way at nearly 4.8 million downloads.

“It’s not Apache, it’s not Linux, but that’s still a lot of downloads. If I run software with four million downloads, that’s a lot I think,” said Tod Beardsley, Metasploit engineering manager. “If you assume, with the 16 million number, that 1% to 2% are installed and running today, that’s still north of a quarter-million installs.”

These bugs were found by former Rapid7 engineer Brandon Perry, who after DEF CON this summer decided to look for low-hanging fruit on Sourceforge: vulnerabilities in smaller packages that would likely show up in a pen-test, for example.

“Sixteen million downloads over the lifetime of those projects is a pretty decent install base,” Beardsley said. “Coupled with the adventures I had in vulnerability disclosure with these guys indicated to me that they are not very well-practiced at receiving vulnerability notification, which makes me think we may have been the first or among the first that have ever contacted them about security vulnerabilities. There was weirdness in the reporting you don’t run into with Apache or Microsoft, for example.”

Researchers, exploit developers and code auditors would likely target smaller packages, especially in penetration testing engagements, yet some of the software projects listed here did not acknowledge these were even security issues; five of the seven have not been patched, for example. Since all require a username and password to carry out an exploit, the severity of the issue is lessened somewhat. But hackers have proven that it’s not difficult to garner information that could help them learn or guess credentials.

“In Moodle’s case, they don’t believe it’s a bug, which is fine. They can believe that. I talked to them, and they have reasonable arguments why it’s not a bug and normal. But in the end, pen testers don’t care if a vendor calls it a bug or not. If they can get a shell off of it, it’s good for the bad guys and it’s good for penetration testers.”

The Moodle issue, for example, can be exploited to steal an administrator’s session via cross-site scripting, allowing an attacker to log in with credentials and then provide a session key for an admin, Perry said in a blog post describing the problem. This would allow the lesser-privileged user to get a shell on a web application, which obviously can lead to much more serious problems such as session hijacking or cookie stealing.

“In our opinion, it’s an extension of control that the developers and the users are probably not expecting,” Beardsley said. “I don’t expect to be able to get a shell over port 80. That’s generally not a design feature.”

Now that the modules have been released, Beardsley said, organizations running the respective software packages can use them to evaluate their own risk profiles.

“All of these [issues] are post-authentication, meaning at a minimum you need a username and password, so maybe that’s good enough,” Beardsley said. “Having the module out allows you as an IT admin to audit for passwords; maybe the passwords [stink]. If the passwords are good, everything’s fine. And if there are no other cross-site scripting vulnerabilities that allow session hijacking, everything’s fine.”
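Beardsley’s closing condition, that “there are no other cross-site scripting vulnerabilities that allow session hijacking,” points at a check an IT admin can run without touching the application code: whether the session cookie is issued with the attributes that keep injected script from reading it. The following is an added example, not code from Metasploit, Rapid7 or any of the packages named above, that parses `Set-Cookie` headers and reports the missing protections. The three sample headers are constructed, and the name heuristic for spotting session cookies is an assumption of the example.

```python
# Constructed Set-Cookie headers standing in for responses from three web apps.
SAMPLE_HEADERS = [
    "SESSIONID=9f1c2a; Path=/",
    "SESSIONID=9f1c2a; Path=/; HttpOnly; Secure; SameSite=Lax",
    "theme=dark; Path=/; Max-Age=31536000",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as HttpOnly carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def looks_like_session_cookie(name):
    """Heuristic (an assumption of this example): the cookie name mentions a
    session or an authentication token."""
    lowered = name.lower()
    return any(tag in lowered for tag in ("sess", "sid", "auth", "token"))


def audit_set_cookie(header):
    """Return (cookie name, list of findings) for one Set-Cookie header.
    Non-session cookies produce no findings."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if not looks_like_session_cookie(name):
        return name, findings
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: injected script can read the session id")
    if "secure" not in attrs:
        findings.append("missing Secure: session id is sent over plaintext HTTP")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("missing SameSite=Lax/Strict: cookie rides along on cross-site requests")
    return name, findings


def audit_all(headers):
    """Audit every header and return the per-cookie results in order."""
    return [audit_set_cookie(h) for h in headers]


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS):
        print(name, "->", findings or "ok")
```

`HttpOnly` does not remove a cross-site scripting bug; script injected into the page can still issue requests that ride on the victim’s session. What it removes is the specific follow-on the article names, lifting the cookie out of the browser and logging in with it elsewhere, which is why it belongs in the audit alongside the password check Beardsley describes.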


Categories: Vulnerabilities


Stolen Adobe account data goes public, Photoshop source code breached

In an update on the data breach disclosed earlier this month, Adobe has said that source code for Photoshop was stolen. Making matters worse, a file containing 150 million usernames and hashed passwords has appeared online, and the company says that 38 million accounts were directly impacted by the incident.

Earlier this month, Adobe announced that during a security audit in September, the company discovered that attackers had accessed customer names and IDs, encrypted passwords, encrypted credit and debit card numbers and expiration dates, as well as other data. On top of the PII lost during the incident, Adobe confirmed that source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and “other Adobe products” was also compromised.

Initially, Adobe said that the breach impacted 2.9 million customers worldwide. However, updated information from the company has revealed that at least 38 million users had their accounts exposed.

“So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users,” Adobe’s Heather Edell told CSO via email.

“We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident — regardless of whether those users are active or not.”


Late last week, a file appeared online with 150 million usernames and hashed passwords. This file, circulating under the tag “150kk clients adobe inc” is nearly 4GB in size, and formatted for easy processing. Links to the file have appeared in various locations online, including, where investigative journalist Brian Krebs spotted a copy.

CSO can confirm Krebs’ findings, as well as the fact that the German site hosting the original copy has removed it. However, private servers on IRC are circulating the list in order to use it for hash cracking, and a handful of Russian forums were circulating it late last week to mixed interest. Thus, the leaked records are in the wild, exposing the accounts listed to additional risks should the user recycle passwords.

Another update from Adobe also confirms that source code from Adobe Photoshop, the company’s hugely popular image suite, was also stolen during the breach last month.

“We publicly disclosed on October 3 that the attackers gained access to source code of numerous Adobe products. Our investigation to date indicates that a portion of Photoshop source code was accessed by the attackers as part of the incident,” Edell added.

Adobe says they currently have no indication that there has been unauthorized activity on any customer account involved in the incident. Realistically though, the downside is that they can’t rule it out entirely either. Adobe has said their investigation is still ongoing.
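The leaked file is described above as “formatted for easy processing” and already circulating for hash cracking, so the practical question for anyone storing credentials is what a dump should look like if it ever escapes. The following is an added example, not Adobe’s scheme and not code from the article, that contrasts the weak pattern (one fast, unsalted hash per password) with per-user salted PBKDF2 and a constant-time check. With a per-user salt, two accounts that share a password produce unrelated records, so a dump does not even reveal which users chose the same password. The iteration count and the two sample accounts are assumptions of the example.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2; an assumed value for this example, tune it for your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, salt=None):
    """Derive a salted, slow hash and pack it as algorithm$iterations$salt$digest.
    A fresh random salt is drawn per call unless one is supplied."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, _b64(salt), _b64(digest))


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count, then compare
    in constant time so timing does not leak how many bytes matched."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def unsalted_fast_hash(password):
    """The weak pattern: one plain hash, no salt. Identical passwords collide,
    and a single fast computation tests a guess against every record at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def records_match(stored_a, stored_b):
    """Can someone holding only the dump tell that two users share a password?"""
    return stored_a.split("$")[-1] == stored_b.split("$")[-1]


def demo():
    # Constructed accounts; two users happen to pick the same password.
    shared = "correct horse battery staple"
    alice, bob = hash_password(shared), hash_password(shared)
    return {
        "alice_ok": verify_password(shared, alice),
        "alice_wrong": verify_password("wrong", alice),
        "salted_records_match": records_match(alice, bob),
        "unsalted_records_match": unsalted_fast_hash(shared) == unsalted_fast_hash(shared),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print("%-24s %s" % (key, val))
```

Salting and a slow derivation do not make a leaked dump safe, they make each guess cost the attacker one full derivation per record instead of one per dump; the response Adobe describes, resetting every affected password, is still the right step, and users who reused the password elsewhere remain exposed until they change it there too.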
