Criminals have found a safe haven abusing legitimate processes, such as real-time bidding, implemented by online advertising networks to move exploits and malware, and build botnets and fraud campaigns.
Archive for March, 2015
MongoDB, a popular NoSQL database used in big data and heavy analytics environments, has patched a serious denial-of-service vulnerability that is remotely exploitable.
Companies using the default installation of MongoDB, which does not require authentication to access the database, are urged to update immediately to a patched version and to set up authentication. Attackers using a Shodan query or scanning the Internet for vulnerable installations can easily find MongoDB servers online. According to the MongoDB website, large organizations such as MetLife, Bosch, Expedia, and The Weather Channel have the database in production for a variety of uses.
Researchers at Fortinet’s FortiGuard Labs discovered the vulnerability in separate areas of MongoDB on Feb. 20 and 23 respectively, and immediately disclosed it privately to MongoDB, which made updates available on March 17.
“A potential attacker doesn’t have to be authenticated or have rights to the database to exploit the vulnerability,” said Aamir Lakhani, security strategist, FortiGuard Labs. “All they have to do is send a crafted packet, a particular regex query, to crash the database.”
According to an advisory on the Fortinet website, the vulnerability is in an old PCRE library (8.30) for regular expressions used in MongoDB querying. MongoDB patched the library in versions 3.0.1 and 2.6.9, the last two major releases in production. Up-to-date versions of MongoDB ship with a patched version of PCRE (8.36 and beyond).
“I would say a skilled attacker who understands regex wouldn’t have too much of a difficult time with this attack, especially after examining the code,” Lakhani said. “Some things would stand out with a skilled attacker. And at some point as usually happens with these things, someone will automate it or develop a Metasploit plugin that will make an exploit easy to execute.”
Enabling authentication would cut into that simplicity.
“You can set up Mongo to ensure authentication is required. It’s the recommended best practice,” Lakhani said. “If Mongo is set up in a way that does not allow for anonymous access, at that point, an anonymous user cannot run an attack. But if a user has legitimate credentials, they can execute the same attack.”
The Fortinet exploit is essentially a regular expression that meets a number of conditions that cause the database to crash. Variants of the crafted regex also work, Fortinet said, but it did not disclose the details.
“There are several ways to carry out an attack against this vulnerability,” Lakhani said. “The most common is to connect to the MongoDB server through a website query or using a MongoDB client tool to connect to the server. The attacker puts in a regex string with an input field where MongoDB reads it and processes the input. As soon as it looks at the packet, the server is taken down.
“The risk is that system is down until services are restarted, and sometimes that requires manual intervention from an administrator,” Lakhani said.
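The article names two mitigations: running a release that carries the PCRE fix (3.0.1 or 2.6.9) and turning authentication on. The following is an added example, not Fortinet's or MongoDB's code, that checks both against a reported server version string and a `mongod.conf`; the treatment of branches other than 2.6 and 3.0 is this snippet's assumption.

```python
"""Check the two mitigations the article names: a patched MongoDB release
and authentication turned on.  Added example; the fixed releases (3.0.1 and
2.6.9) come from the article, the branch handling is this snippet's assumption."""

# First fixed release per branch, as stated in the article.
FIXED = {(2, 6): (2, 6, 9), (3, 0): (3, 0, 1)}


def parse_version(version: str) -> tuple:
    """Turn '2.6.8' or '3.0.1-rc0' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def is_patched(version: str) -> bool:
    """True if the release carries the PCRE fix the article describes.

    Assumption: branches newer than 3.0 ship a fixed PCRE (the article says
    up-to-date releases do); branches older than 2.6 are treated as unfixed
    because the article names no fix for them."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v >= FIXED[branch]
    return branch > (3, 0)


def auth_required(conf_text: str) -> bool:
    """Read a mongod.conf (YAML or legacy key=value) and report whether clients
    must authenticate.  Missing keys mean the default: anonymous access."""
    in_security = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        stripped = line.strip()
        if not stripped:
            continue
        if stripped == "security:":            # YAML block: security.authorization
            in_security = True
            continue
        if in_security and line[0] in " \t":   # still indented under security:
            key, _, value = stripped.partition(":")
            if key.strip() == "authorization":
                return value.strip().lower() == "enabled"
            continue
        in_security = False
        if "=" in stripped:                    # legacy style: auth = true / noauth = true
            key, _, value = (s.strip() for s in stripped.partition("="))
            if key == "auth":
                return value.lower() == "true"
            if key == "noauth":
                return value.lower() != "true"
    return False


# Constructed sample: a default-style config on an unpatched 2.6 build.
SAMPLE_CONF = "net:\n  port: 27017\nstorage:\n  dbPath: /var/lib/mongodb\n"

if __name__ == "__main__":
    print("patched:", is_patched("2.6.8"), "auth required:", auth_required(SAMPLE_CONF))
```

The version string is what `db.version()` or the `buildInfo` command reports; a server that fails either check matches the exposed configuration the article describes.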
The Supreme Court has weighed in on a series of lower court decisions, issuing a summary opinion that satellite-based monitoring is in fact a Fourth Amendment search. What remains to be decided is whether GPS-based tracking constitutes an unreasonable search and is thus a violation of the Fourth Amendment, which offers protection against unreasonable search and seizure.
The opinion [pdf], made public by the Supreme Court yesterday, kicks the can back to the North Carolina state courts. What has changed for them is that they can no longer ignore the fact that affixing a GPS monitoring device to a person’s body or automobile is considered a Fourth Amendment search. It is the lower court that will now have to consider the Fourth Amendment implications at play here and determine whether such a search is unreasonable.
Torrey Dale Grady is a recidivist sex offender. In 1997, a North Carolina trial court convicted him of a second degree sexual offense. Grady was then convicted again in 1997 of taking indecent liberties with a child. After he served the sentence for the latter crime, the New Hanover County Superior Court summoned Grady to a hearing to decide whether he should be required to wear a satellite-based monitoring device for the remainder of his life. While Grady did not dispute his status as a recidivist offender, he did argue that the GPS monitoring regime violated his Fourth Amendment protections against unreasonable searches and seizures.
The real problem arises, as most do for the Supreme Court, from sloppy lower court rulings. The original trial court ordering Grady to wear a GPS monitoring device was unpersuaded by his Fourth Amendment objection and ordered Grady to enroll in the program and be monitored for the rest of his life. On appeal, the North Carolina Court of Appeals also rejected Grady’s argument, holding that it was foreclosed by a prior decision. In turn, the North Carolina Supreme Court dismissed Grady’s petition for discretionary review.
Kent Scheidegger, the author of some 150 Supreme Court briefs, explains that instead of characterizing satellite-based monitoring as a reasonable search, the lower courts decided that GPS monitoring was not a search at all. In this way they paved Grady’s path to the Supreme Court.
The Supreme Court, on the other hand, is bound by its own precedents. In this instance, their precedent is United States v. Jones, a similar case in which the court ruled that “the Government’s installation of a GPS device on a target’s vehicle, and its use of that device to monitor the vehicle’s movements, constitutes a ‘search’” because the government had “physically occupied private property for the purpose of obtaining information.”
In essence, the Supreme Court is taking a philosophical position here, deciding that a ‘search’ is any means through which the government attempts to gather information from a person.
“In light of these decisions, it follows that a State also conducts a search when it attaches a device to a person’s body, without consent, for the purpose of tracking that individual’s movements,” the court wrote in its opinion.
Beyond this, the Supreme Court seems to reason that North Carolina believed its order was outside the scope of the Fourth Amendment because it was a civil order. The Supreme Court notes that “the government’s purpose in collecting information does not control whether the method of collection constitutes a search.”
“The State’s program is plainly designed to obtain information,” the court explained. “And since it does so by physically intruding on a subject’s body, it effects a Fourth Amendment search.”
In closing their opinion, the Supreme Court notes that the North Carolina courts did not rule on the reasonableness of this particular search and that they (the Supreme Court) had no intention of being the first to weigh in on that matter. They then vacated the existing rulings and remanded the case back to the lower courts.
Posted Mar. 30, 2015 at 7:31 PM
Updated Mar 30, 2015 at 7:33 PM
Article source: http://www.pjstar.com/article/20150330/NEWS/150339903
Until yesterday, a popular networking library for iOS and OS X, used by several apps like Pinterest and Simple was susceptible to SSL man-in-the-middle (MiTM) attacks.
An APT group with its sights on selective targets, most of those in Israel, has been using an elusive malware implant to steal data from groups with state and political interests.
The gang, called Volatile Cedar by researchers at Check Point Software Systems, has been working since 2012 and could have ties to the Lebanese government or a political group operating in the country.
“This is the first time we are aware of cyber capabilities of some kind from an actor in Lebanon. It’s not surprising, a matter of time really before anyone in the government or a major political group developed capabilities in that realm,” said Shahar Tal, vulnerability research manager at Check Point Software Technologies.
Tal said many of the confirmed targets belong to organizations in Israel, as well as neighboring countries, including Turkey. Those targets include defense contractors, telecommunications companies, IT companies, media outlets and educational institutions.
The implant, called Explosive, is a remote access Trojan that goes to great lengths to not only steal data from its victims, but also to hide its presence from victims and security software. The implant has been used only a handful of times, and if a version is detected by antivirus or intrusion detection, for example, a new version of the same implant is quickly developed.
Check Point said it has found five variants of Explosive since it was first used in November 2012. Each time, new attack features or obfuscation were added: versions 1 through 3 evolved quickly to encrypt network traffic and add clipboard monitoring and other surveillance features, followed by a pair of rarer versions of the malware called KS and Micro. KS does not use a backdoor for communication; instead, data is stored on the compromised server to be moved later by the attackers. Micro, meanwhile, could be the predecessor to Explosive, Check Point said, adding that it detected only a few samples.
Rather than use phishing as an initial means of infecting an organization, Volatile Cedar campaigns generally target publicly exposed Windows servers, Check Point said, using these as an initial foothold in order to eventually pivot to other machines on the target network.
“Spear phishing is the expected way to go,” Tal said. “This is actually a pretty effective way of entering networks. If you have web hacking skills, you’re going to get something on that webserver. Once you’re inside the webserver, there’s usually little protection going from the outside to the intranet.”
Tal said organizations may sacrifice security for productivity on internal-facing systems, instead relying on security around the webserver to keep intruders out.
“It’s a unique pivot point where you basically open a portal on the internal network and are uninterrupted by most firewall solutions,” Tal said. “People are not aware of this. They don’t generally segment their network enough because they trust the webserver to block everything coming in, but once you successfully take over a web application, it’s not protected from the inside.”
Once a public server is discovered, the attackers scan it for vulnerabilities and, if they find one, inject web shell code that is used as a backdoor to send stolen data out and to deliver new commands and configurations to the compromised machine, including the Explosive Trojan.
“This Trojan allows the attackers to send commands to all targets via an array of CC servers. The command list contains all the functionality required by the attacker to maintain control and extract information from the servers and includes keylogging, clipboard logging, screenshots, run commands, etc,” the report says. “Occasionally, mostly in cases where large data extractions are required, the attacker installs an additional SSH tunnel which is connected to PLink servers controlled by the attacker.”
Check Point says Explosive contains a main executable binary and a DLL with backend API calls. The binary contains the Trojan’s logic, while the DLL contains exported API functions.
“The Explosive DLL file is dynamically loaded by the main executable at runtime whenever it is needed, and unloaded when the desired action is complete,” the report says. “This separation is probably designed to support quick functionality patches by the attackers, and to avoid heuristic detection of the main executable by common AV engines and other protection software.”
Explosive creates several threads, including a keylogger, clipboard logger, memory monitor, and a means to check in with its command and control server to determine whether the connection is alive and secure before sending data or receiving further commands. Those commands include the ability to dump Internet Explorer browsing history, steal saved passwords, get registry values, list running processes, run a command line, send files to a command server, delete specified files, get folder contents, kill Explosive processes, remove traces, and restart.
As for attribution, while not definitive, Check Point said it was able to connect enough dots to point the finger at Lebanon. For example, compile times point to work hours in the region. The first command and control servers in the operation were hosted at a Lebanese web host, not typical of other APT campaigns. Also, DNS registration information on some of the infrastructure servers led to connections in Lebanon, as did some of the DNS contact information, which had ties to social media accounts with Lebanese political leanings.
“It’s not NSA-grade malware, but it’s also not script-kiddie level,” Tal said. “They’re not replacing firmware, but they are implementing stealth features and eliminating what analytic tools would flag. What they lack in technical skill, they make up for in operational discipline.”
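One of the attribution signals the article mentions is that compile times point to work hours in the region. As an added example that is not Check Point's code, the following reads the COFF `TimeDateStamp` from PE headers and buckets the samples by local hour of day; the header-only PE files are constructed in the snippet, and the fixed UTC+2 offset for Beirut is an assumption.

```python
"""Bucket PE compile timestamps by local hour of day.  The article says compile
times pointing to regional work hours were one of Check Point's attribution
signals; this added example (not Check Point's code) shows the mechanics on
constructed header-only PE files.  UTC+2 is an assumed fixed offset for Beirut;
a real analysis must handle daylight-saving shifts and timestamp forgery."""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=2))  # assumption: fixed offset, no DST


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (Unix seconds) of a PE image.

    e_lfanew at 0x3c points to 'PE\\0\\0'; the COFF header follows, and
    TimeDateStamp is its third field (offset 4 within the header)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def build_minimal_pe(stamp: int) -> bytes:
    """Construct a header-only PE carrying the given TimeDateStamp (sample data)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine (i386), NumberOfSections, TimeDateStamp, zeroed rest
    coff_header = struct.pack("<HHI", 0x014C, 0, stamp) + b"\0" * 12
    return dos_header + b"PE\0\0" + coff_header


def local_hour_histogram(stamps, tz=LOCAL_TZ) -> Counter:
    """Count samples per local hour of day (0-23)."""
    return Counter(datetime.fromtimestamp(s, tz).hour for s in stamps)


def working_hours_share(hist: Counter, start: int = 9, end: int = 18) -> float:
    """Fraction of samples compiled within [start, end) local time."""
    total = sum(hist.values())
    return sum(c for h, c in hist.items() if start <= h < end) / total if total else 0.0


# Constructed compile times (UTC); the comment gives the hour at the assumed UTC+2.
SAMPLE_UTC = [
    datetime(2012, 11, 5, 7, 15, tzinfo=timezone.utc),   # 09:15
    datetime(2013, 2, 18, 11, 40, tzinfo=timezone.utc),  # 13:40
    datetime(2014, 1, 14, 13, 5, tzinfo=timezone.utc),   # 15:05
    datetime(2014, 9, 9, 22, 30, tzinfo=timezone.utc),   # 00:30 next day
]
SAMPLES = [build_minimal_pe(int(d.timestamp())) for d in SAMPLE_UTC]

if __name__ == "__main__":
    hist = local_hour_histogram(pe_timestamp(s) for s in SAMPLES)
    print(sorted(hist.items()), f"work-hours share: {working_hours_share(hist):.2f}")
```

A cluster inside 09:00-18:00 for one offset is only a weak signal; compile timestamps are trivially forged, which is why the article presents them alongside hosting and registration data rather than alone.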
The ongoing DDoS attack on GitHub, which has made the social coding site intermittently unresponsive since March 25, is essentially a side effect of an older operation from the Chinese government against a site run by the anti-censorship project GreatFire.org.
According to an analysis of the attacks by researchers at Swedish vendor Netresec AB, that’s where the Chinese government intervenes.
That tactic is virtually identical to one used in the attack on GreatFire earlier in March, GreatFire officials said.
“Millions of global internet users, visiting thousands of websites hosted inside and outside China, were randomly receiving malicious code which was used to launch cyberattacks against GreatFire.org’s websites. Baidu’s Analytics code (h.js) was one of the files replaced by malicious code which triggered the attacks. Baidu Analytics, akin to Google Analytics, is used by thousands of websites. Any visitor to any website using Baidu Analytics or other Baidu resources would have been exposed to the malicious code,” the Great Fire analysis says.
GitHub officials have been working to mitigate the effects of the DDoS attacks, with varying degrees of success. The latest status update from GitHub on Tuesday morning shows that the service is operating normally at the moment. GreatFire officials have published a detailed report on the attack, and have concluded that the Chinese government is behind both DDoS attacks.
“When we first blogged about this attack we did not want to level accusations without evidence. Based on the technical forensic evidence provided above and the detailed research that has been done on the GitHub attack, we can now confidently conclude that the Cyberspace Administration of China (CAC) is responsible for both of these attacks,” the GreatFire blog post says.
Copyright © 2015 – WNYT-TV, LLC
A Hubbard Broadcasting Company
Article source: http://wnyt.com/article/stories/s3750073.shtml
The Guardian revealed on Monday that Australia’s immigration department accidentally disclosed the personal details of world leaders who attended the G20 summit in Brisbane last year, including US president Barack Obama, Russian president Vladimir Putin, German chancellor Angela Merkel and many others.
The mistake happened when an immigration employee sent the leaders’ passport and visa details to an unauthorised recipient at the organising committee of football’s Asian Cup, staged in Australia in January.
The world leaders were not told about the breach, after the department deemed the risks of the breach to be “very low”.
We asked a panel of security and data experts what they thought about the information disclosed, how it could be used and whether the department was right not to inform those affected.
Chris Gatford, director of Hacklabs
What happened here is an email was sent from one person to the wrong user, which effectively sent the personally identifiable information of the world leaders.
At first thought, if that’s all it contained, I actually thought the risk for the leaders was relatively low. Let’s face it, they are probably the most well-known people on the planet.
If … it was ordinary people it probably would have been more of a problem.
The usefulness of the story is: what else don’t we know? How frequently is information being lost by the Australian government and not being disclosed?
Steve Wilson, principal analyst at Constellation Research
For an ordinary person … passport details could be used for identity theft. In this case there’s probably no real risk of identity theft of Angela Merkel.
What I’d be worried about is whether that level of detail could be used to index those people in different databases to find out more things about them. The threat is more about the other information that could be gleaned from finding out more data.
If you had access to other commercial data sources you could probably start to unpack their travel details, and that would be a security risk.
If it’s true that [the immigration department] knew about this without notifying them, then that is deeply concerning. It’s as much to do with transparency, but it’s also about not presuming to act on someone else’s behalf.
If a VIP has had their details exposed then you need to give them every opportunity to be made aware of the situation and the risks. You’re only prolonging the agony by not acting.
Neil Fergus, chief executive officer at Intelligent Risks
It does seem an unusual decision to have been made under the circumstances not to notify them.
I’m not sure at what point there has to be a security assessment to advise people whether their personal details have been disclosed.
But I would have thought that just as a basic diplomatic courtesy it would have been appropriate to advise the ambassadors of the countries about what has happened, and equally to assure them that there were no security concerns. But by not disclosing it you make an issue out of it.
Data breach may have exposed Bradley employees personal information
March 30, 2015
Updated Mar 30, 2015 at 8:54 PM CDT
PEORIA, Ill. — Bradley University has apparently been hacked, and University officials say the breach could have resulted in the release of the personal information of current employees and their family members.
The university says malware was found on two university computers, which could capture information including employee Social Security numbers.
Bradley officials say they have received reports from employees indicating fraudulent tax return filings.
The FBI and the IRS are investigating the situation and are helping ensure the data systems are secure.
Bradley employees have been encouraged to monitor their personal financial accounts and credit reports for irregular activity, and the university has set up a call center to assist those affected.