Microsoft unlikely to patch Duqu kernel bug next week
"Expect a security advisory today on Windows zero-day, but no patch Nov. 8, says expert"
The odds are that Microsoft won't patch the Windows kernel bug next week that the Duqu remote-access Trojan exploits to plant itself on targeted PCs, a researcher said today.
"Probably not," said Andrew Storms, director of security operations at nCircle Security, when asked what chance he gave Microsoft fixing the flaw Nov. 8, this month's regular Patch Tuesday.
"I think we'll see an advisory today or tomorrow, but patching next week would really be pushing it for Microsoft," said Storms.
He based his assumption on Microsoft's apparently reactive move to news today from Symantec, which said that additional analysis showed the Duqu malware is installed after a Windows kernel bug is exploited.
"If Microsoft had information [about the vulnerability] before this, it would have been faster either patching or with an advisory," said Storms. "They're in reaction mode now, and probably working up an advisory."
Continued : http://www.computerworld.com/s/article/9221373/Microsoft_unlikely_to_patch_Duqu_kernel_bug_next_week
High Court Rejects Assange Extradition Appeal
"WikiLeaks founder Julian Assange has lost his appeal against extradition to Sweden"
Julian Assange, founder of whistleblowing site WikiLeaks, has lost his appeal against extradition to Sweden on rape charges.
Lord Justice Thomas and Mr Justice Ouseley handed down their judgement at the High Court this morning, dismissing Assange's argument that the warrant was invalid because it had been issued by a prosecutor rather than a judicial authority. They also rejected Assange's assertion that the descriptions of the offences were not fair and accurate.
"This is self evidently not a case relating to a trivial offence, but to serious sexual offences," the judges said. "Assuming proportionality is a requirement, it is difficult to see what real scope there is for the [appeal] argument in circumstances where a Swedish Court of Appeal has taken the view, as part of Swedish procedure, that an arrest is necessary."
The full judgement can be read here (pdf).
Assange's lawyers now have 14 days to convince the High Court that there is a wider issue of public importance at stake, sufficient to warrant an appeal to the Supreme Court.
Continued : http://www.eweekeurope.co.uk/news/high-court-rejects-assange-extradition-appeal-44539
Wikileaks' Assange extradition appeal fails at UK's High Court
Julian Assange's extradition bid to Sweden fails
WikiLeaks' Julian Assange loses extradition appeal
Assange loses fight against extradition
Trojan-using criminal ringleaders jailed in UK
The UK's Metropolitan Police has announced that two Ukrainian men have each been sentenced to four years and eight months imprisonment. The men, described by the police as the ringleaders of the plot, pleaded guilty to a charge of conspiracy to defraud; they used banking trojans to obtain confidential information on victims' bank accounts which was then used to remove funds from those accounts. One of the men, Yevhen Kullibaba, was based in the Ukraine and organised the obtaining of the information and identification of accounts to be attacked; the other man, Yurly Konovolenko, then carried out those instructions in the UK.
The police are unable to give a total amount stolen but estimate that the criminals attempted to remove over four million pounds, with known losses of nearly three million pounds. Operation Lath, as the investigation was codenamed, has now seen thirteen people jailed in the UK. The Metropolitan Police's Police Central e-Crime Unit has been working with UK banks, the FBI, US Department of Justice and other international law enforcement agencies.
Also: Busted! Ukrainian cybercrime duo who ripped off $4.5 million sent to prison in UK
Researcher Warns Of Exploitable Hole In Chinese Translation Software NJStar
An independent security researcher has warned officials in Australia, the US and China about a serious, remotely exploitable hole in language translation software that is used by leading corporations, universities and governments.
Dillon Beresford said a stack overflow vulnerability in a component of NJStar Communicator, a language translation application, could be used to take control of systems running the software, putting leading corporations including Google, Siemens, Goldman Sachs and the FBI at risk of attack. A Metasploit module containing exploit code for the vulnerability in the MiniSMTP (simple mail transfer protocol) server component of NJStar's Communicator Version 3 has been posted on exploit-db.com.
The NJStar software, by Australian firm NJStar Corp., isn't used for industrial control. Rather, it is a commonly used platform for word processing and input and output language translation that allows Chinese, Japanese and Korean speaking users to write and view content on systems running English- and other latinate language versions of Windows.
Continued : http://threatpost.com/en_us/blogs/researcher-warns-exploitable-hole-chinese-translation-software-njstar-110111
See Vulnerabilities & Fixes: NJStar Communicator MiniSmtp Packet Processing Buffer Overflow Vulnerability
Economics of Vulnerability Research Still Skewed
By any measure, Luigi Auriemma is a prolific vulnerability researcher. In the first ten months of 2011, the pay-for-bugs program Zero Day Initiative credited Auriemma with discovering 30 vulnerabilities, ranging from issues in Sybase enterprise software to Adobe Shockwave to Apple Quicktime. In its Upcoming Advisories section, ZDI listed Auriemma with finding another 35 vulnerabilities that still await fixes from their developers. The vulnerability researcher, who has made his name in part by finding SCADA bugs, is not yet ready to leave his day job. Despite ZDI's bonus system, his independent research is not a career, he says.
"Vulnerability research is just a secondary thing, so sometimes I dedicate my time to it while other times I don't touch it for days or even weeks," Auriemma explains. "This is a good thing for occasional researchers or for [those] who have found or can find a good source of bugs in software accepted by these companies."
The researcher's dilemma highlights a fundamental problem with the economics of vulnerability research: Despite the danger that vulnerabilities pose to companies that rely on the flawed software, information about security issues continues to have only a marginal value to most legitimate companies and has failed to create any reliable source of income for most of the hackers and security professionals focused on finding flaws.
Continued : http://threatpost.com/en_us/blogs/economics-vulnerability-research-still-skewed-110211
Experts: Firms need to come clean about cyber attacks
LCC Businesses need to 'fess up when they've been the victims of cyber attacks, experts at the London Conference on Cyberspace (LCC) said today.
Government and biz bosses said that even though companies didn't really want to own up to having been breached, they needed to start sharing information with officials to protect critical infrastructures.
Erik Akerboom, president of the Cyber Security Council in the Netherlands, said that his government needed to know about the DigiNotar hack when it happened, not later on.
"We needed information at the time that DigiNotar was hacked; it was hacked in June but we didn't find out then," he said.
Digital certificate firm DigiNotar was hacked in June this year and forged Google.com SSL credentials were then used to spy on 300,000 Iranian internet users. The incident was notorious over the summer when it was discovered that the firm's security was wholly inadequate, and because it took so long for the company to come clean.
DigiNotar only started to revoke certificates in mid-July, and didn't go public with the security issue until August. The company subsequently filed for bankruptcy, having lost all the trust its business relied upon.
Continued : http://www.theregister.co.uk/2011/11/02/business_need_to_confess_cyber_attacks/
Also: #LondonCyber: DigiNotar hack a wake up call for greater public/private co-operation
Update on the Zbot spot!
From Matt McCormack @ the MMPC's "Threat Research & Response Blog":
I'm back to update you on our changes to Zbot in the Malicious Software Removal Tool (MSRT). We reviewed the data coming back from MSRT in September and incorporated the findings into October's MSRT (and beyond), which means we are now in a position to provide additional information.
As I mentioned in the previous blog post, the purpose of our special Zbot September update was to glean an insight into the effectiveness of MSRT against this prolific threat. Couple that with a focus on the Zbot family and, suffice it to say, we're pretty happy with our findings and results!
And now, onto the numbers!
Historically, and prior to the September 2011 release, MSRT consistently detected about 90% of PWS:Win32/Zbot variants in the wild. For the month of September 2011, we detected and removed PWS:Win32/Zbot from around 185,000 distinct Windows computers, a stark increase to the months beforehand, which we can attribute to additional technology added to MSRT for just such an occasion.
For October so far, we've removed Zbot from over 88,000 computers and we expect that number to grow to around 100,000 - again, a very good result from MSRT, illustrated in the chart below that lists October 2011 MSRT data:
Continued : http://blogs.technet.com/b/mmpc/archive/2011/10/31/update-on-the-zbot-spot.aspx
The Mystery of Duqu: Part Three
First things first, I have to point out a mistake in the previous text.
When analyzing the fourth incident in Iran, we stated that there were two network attacks on a victim machine from the IP address 18.104.22.168. It could have been an exclusive version of Duqu, but it turned out to be a big mistake.
Judge for yourself - Duqu checks for Internet connections and attempts to reach the server kasperskychk.dyndns.org which should be located at 22.214.171.124. An analysis of the information at this address shows that it is located at the same data center as the 126.96.36.199 IP address that we "discovered"!
In actual fact, however, I made a mistake when converting the address, which was the result of a single missing 'minus' sign: the numbers "1062731669" and "-1062731669". In the first case, converting to an IP address we get 188.8.131.52, but in the second we get the local address 192.168.0.107, which, of course, is of no interest to our research whatsoever.
Dropper and 0-day.
Now, for some much more interesting news. It turned out that the continuing research by the Hungarian lab Crysys has led to the detection of the main missing link - a dropper that performed the initial system infection.
As we expected, a vulnerability was to blame. An MS Word doc file was detected that was sent to one of the victims by the people behind Duqu. The file contained an exploit for a previously unknown vulnerability in Windows that extracted and launched components of Duqu.
Symantec and Microsoft still haven't made the actual dropper file available to other antivirus companies yet, nor have they provided information about which Windows component contains the vulnerability that results in privilege escalation. However, indirect evidence suggests that the vulnerability is in win32k.sys.
We discovered a similar vulnerability (see MS10-073) a year ago when analyzing the Stuxnet worm. Another interesting problem in win32k.sys (MS11-077) was fixed by Microsoft on 11 October this year - a code execution vulnerability that can be exploited through font files.
Continued : http://www.securelist.com/en/blog/208193206/The_Mystery_of_Duqu_Part_Three
Related: The Mystery of Duqu: Part Two
Also related to first post: Duqu: Status Updates Including Installer with Zero-Day Exploit Found
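The conversion slip described in the post above, as an added example that is not part of the original post or of Kaspersky's tooling: an IPv4 address logged as a signed 32-bit decimal decodes to a different address if the minus sign is lost. The function names are hypothetical; the two input values are the ones quoted in the post.

```python
import ipaddress


def int_to_ipv4(value):
    """Decode an IPv4 address stored as a 32-bit integer, signed or unsigned."""
    if not -(2 ** 31) <= value < 2 ** 32:
        raise ValueError(f"{value} does not fit in 32 bits")
    # Masking maps a negative two's-complement value onto its unsigned form.
    return ipaddress.IPv4Address(value & 0xFFFFFFFF)


def both_readings(raw):
    """Decode a logged decimal string as written and with its sign dropped.

    Comparing the two readings shows whether a lost minus sign would change
    the address, and whether either reading is a private (local) address
    that is of no use for attribution.
    """
    value = int(raw.strip())
    as_written = int_to_ipv4(value)
    sign_dropped = int_to_ipv4(abs(value))
    return {
        "as_written": str(as_written),
        "sign_dropped": str(sign_dropped),
        "as_written_private": as_written.is_private,
        "sign_dropped_private": sign_dropped.is_private,
        "ambiguous": as_written != sign_dropped,
    }


if __name__ == "__main__":
    # The two values quoted in the post; the negative one is the correct input.
    for raw in ("-1062731669", "1062731669"):
        print(raw, both_readings(raw))
```
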
Who Wants Ice Cream?
From the Kaspersky Lab Weblog:
Google has recently announced the forthcoming availability of Ice Cream Sandwich, Android 4.0. In such a short time, Android has seemingly come so far. I'd like to stop and take a look at the security improvements and additions featured in this release.
Google's Android debuted in November 2007 and with its steady rise in popularity we also saw researchers begin to search for holes. A number of vulnerabilities have been found from root exploits like Rage Against the Cage to cross application scripting bugs like CVE-2011-2357.
With the release of Ice Cream Sandwich we can expect some new advances in Android security. Google promises:
A new Keychain API and encrypted storage
According to Google this will "let applications store and retrieve private keys and their corresponding certificate chains. Any application can use the keychain API to install and store user certificates and CAs securely." Certificate handling issues are a real concern for Android users after the Diginotar fiasco.
Address Space Layout Randomization
ASLR is a method of protecting the system and third party applications from being attacked by randomizing their addresses in memory. It is an absolute requirement in the desktop computing world, and it's great to see it arrive, although late, on Android. iOS has had this feature for some time.
Additionally it seems that the Android developers are taking a greater interest in enterprise security.
Full Device Encryption
Actually a feature of the 3.X codebase, but now available for phones, device encryption is an absolute must for any mobile device as the compact size makes them incredibly easy to lose. Unfortunately this has been far too long in coming.
Continued : http://www.securelist.com/en/blog/208193203/Who_Wants_Ice_Cream
LCC: Enterprises need to cut the internet to stay secure
Kaspersky Lab chief executive Eugene Kaspersky has warned that cyber threats have grown so dangerous that governments and enterprises should consider military grade security measures to keep information safe.
Kaspersky said at the London Conference on Cyberspace that any network can be breached if hackers have enough budget and resources.
"If they want to they will hack you. I'm afraid that, when it comes to enterprise and government security, we need to make it more secure and less flexible," he said.
"We need to introduce military IT security standards to these environments. If the cost of the information is too high it's time to disconnect the networks from the internet."
Such a strategy need not mean disconnecting all internal machines from the internet, merely the ones with access to key information, and organisations must decide whether their information is valuable enough to consider such a radical measure, he added.
Continued : http://www.v3.co.uk/v3-uk/news/2122031/-londoncyber-enterprises-cut-internet-stay-secure
Are You on the Pwnedlist?
2011 has been called the year of the data breach, with hacker groups publishing huge troves of stolen data online almost daily. Now a new site called pwnedlist.com lets users check to see if their email address or username and associated information may have been compromised.
Pwnedlist.com is the creation of Alen Puzic and Jasiel Spelman, two security researchers from DVLabs, a division of HP/TippingPoint. Enter a username or email address into the site's search box, and it will check to see if the information was found in any of these recent public data dumps.
Puzic said the project stemmed from an effort to harvest mounds of data being leaked or deposited daily to sites like Pastebin and torrent trackers.
"I was trying to harvest as much data as I could, to see how many passwords I could possibly find, and it just happened to be that within two hours, I found about 30,000 usernames and passwords," Puzic said. "That kind of got me thinking that I could do this every day, and if I could find over one million then maybe I could create a site that would help the everyday user find if they were compromised."
Pwnedlist.com currently allows users to search through nearly five million emails and usernames that have been dumped online. The site also frequently receives large caches of account data that people directly submit to its database. Puzic said it is growing at a rate of about 40,000 new compromised accounts each week.
Continued : http://krebsonsecurity.com/2011/11/are-you-on-the-pwnedlist/
Following WordPress into a Blackhole
From the Avast Blog:
When we looked into the recent wave of WordPress site hacks, our investigation took two separate paths: uncovering the TimThumb vulnerability and the Black Hole Toolkit used to exploit it.
Now it is time to talk more in detail about what the Blackhole Toolkit is.
For starters, the Blackhole exploit kit is used to spread malicious software to users through hacked legitimate sites. It was most likely made by Russian developers. The big clue for this is that operators can switch between Russian and English languages. The full version of this toolkit costs around $1500 on the black market. However, bargain hunters can find a stripped down version for free online.
But, much more important than acquiring Blackhole is finding out how to get rid of it. More precisely, simply finding out if you have been infected. So, how can a website owner recognize that his page was infected and has been blocked by an antivirus program because it is being misused as a redirector to a site with the Blackhole exploit kit? And how do they compromise your site?
The bad guys are using a security vulnerability in non-updated TimThumb. This allows attackers to upload and execute arbitrary PHP code in the TimThumb cache directory which will download other malicious files. But this is not the only way: for example, they use stolen passwords to direct FTP changes.
Continued : https://blog.avast.com/2011/10/31/following-wordpress-into-a-blackhole/
WordPress / TimThumb related: Old image resize script leaves 1 mil Web pages compromised
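One way a site owner could check for the condition the post above describes, PHP code sitting in a TimThumb cache directory, written as an added example that is not code from Avast, WordPress or TimThumb. It assumes the script is named `timthumb.php` or `thumb.php` and that its cache directory is a sibling folder named `cache`; the directory tree it scans is constructed sample data.

```python
import os
import tempfile

SCRIPT_NAMES = ("timthumb.php", "thumb.php")  # assumed script file names
CACHE_DIR_NAME = "cache"                       # assumed cache directory name
PHP_EXTENSIONS = (".php", ".phtml")
PHP_OPEN_TAG = b"<?php"


def find_cache_dirs(root):
    """Yield cache directories that sit next to a TimThumb-style script."""
    for dirpath, dirnames, filenames in os.walk(root):
        if CACHE_DIR_NAME in dirnames and any(n in filenames for n in SCRIPT_NAMES):
            yield os.path.join(dirpath, CACHE_DIR_NAME)


def inspect_file(path, max_bytes=1 << 20):
    """Return the reasons a cached file looks like code rather than an image."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    reasons = []
    if path.lower().endswith(PHP_EXTENSIONS):
        reasons.append("php extension")
    # An image header does not clear a file: the tag can follow valid magic bytes.
    if PHP_OPEN_TAG in data.lower():
        reasons.append("php open tag in content")
    return reasons


def scan(root):
    """Return sorted (relative path, reasons) pairs for suspicious cache files."""
    findings = []
    for cache_dir in find_cache_dirs(root):
        for dirpath, _dirs, filenames in os.walk(cache_dir):
            for name in filenames:
                full = os.path.join(dirpath, name)
                reasons = inspect_file(full)
                if reasons:
                    rel = os.path.relpath(full, root).replace(os.sep, "/")
                    findings.append((rel, reasons))
    return sorted(findings)


def build_constructed_tree(root):
    """Create a small constructed site layout; every file here is sample data."""
    theme = os.path.join(root, "wp-content", "themes", "example-theme")
    cache = os.path.join(theme, CACHE_DIR_NAME)
    os.makedirs(cache)
    samples = {
        os.path.join(theme, "timthumb.php"): b"<?php /* constructed stand-in */ ?>",
        os.path.join(cache, "clean.png"): b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        os.path.join(cache, "0a1b2c.php"): b"GIF89a<?php /* constructed marker */ ?>",
        os.path.join(cache, "3d4e5f.jpg"): b"\xff\xd8\xff\xe0<?php /* constructed marker */ ?>",
    }
    for path, content in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root)
        return scan(root)


if __name__ == "__main__":
    for rel_path, reasons in demo():
        print(rel_path, "->", ", ".join(reasons))
```

A hit means the file needs manual review and the script needs updating; a clean scan does not rule out the other route the post mentions, changes made over FTP with stolen passwords.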
Wireshark updates fix vulnerabilities
The Wireshark developers have released versions 1.4.10 and 1.6.3 of the open source, cross-platform network protocol analyser. The maintenance and security updates close multiple vulnerabilities. Some of these are rated as highly critical by Secunia, and could be exploited by an attacker to cause a denial-of-service (DoS) or compromise a victim's system.
The updates address problems related to the ERF file parser that could lead to a buffer overflow and a NULL pointer dereference error in the Infiniband dissector. Versions 1.4.0 to 1.4.9 and 1.6.0 to 1.6.2 are affected. Wireshark 1.6.3 addresses a problem in the CSN.1 dissector that could be used to crash the application. The new versions also address a number of other bugs found in previous builds.
Further information about the updates, including a full list of changes, can be found in the 1.4.10 and the 1.6.3 release notes, and in the security advisories. Wireshark 1.4.10 and 1.6.3 are available to download for Windows and Mac OS X. Wireshark source code is licensed under the GPLv2.
Continued : http://www.h-online.com/security/news/item/Wireshark-updates-fix-vulnerabilties-1370490.html
See Vulnerabilities & Fixes: Wireshark Multiple Vulnerabilities
Anonymous retreats from Mexico drug cartel confrontation
Threats to begin unmasking members of Zetas reined back as cartel rumoured to be hiring own security specialists for physical retaliation - as others question whether Anonymous member was ever kidnapped in Veracruz.
Plans by the hacker collective Anonymous to expose collaborators with Mexico's bloody Zetas drug cartel - a project it dubbed "#OpCartel" - have fallen into disarray, with some retreating from the idea of confronting the killers while others say that the kidnap of an Anonymous hacker, the incident meant to have spawned the scheme, never happened.
The apparent climbdown by the group came as one security company, Stratfor, claimed that the cartel was hiring its own security experts to track the hackers down - which could have resulted in "abduction, injury and death" for anyone it traced.
Two hacker members of "Operation Cartel", which said earlier this week that it would expose members of the murderous cartel, have now indicated that they are stopping their scheme to identify collaborators and members because they don't want anyone to be killed as a result.
Continued : http://www.guardian.co.uk/technology/2011/nov/02/anonymous-zetas-hacking-climbdown
'Anonymous' Abandons Attack Against Mexican Drug Cartel?
Anonymous Reportedly Divided Over Efforts to Expose Drug Cartel
Related: Anonymous threatens Mexican drug cartel
MPAA Lashes Out Against Rogue Cyberlockers
An internal MPAA fact-sheet obtained by TorrentFreak shows that the movie industry is preparing a full-frontal attack on the business model of what they call "rogue cyberlockers". The document summarizes how these file-hosting sites offer affiliates cash in return for signing up new premium members. According to the MPAA these practices facilitate mass-copyright infringement.
Last week the MPAA submitted a list of rogue sites to the U.S. Government. The movie industry group claimed that these sites facilitate massive copyright infringement, and would therefore like to see them shut down with help from upcoming legislation such as the E-Parasites bill.
Aside from naming many of the larger BitTorrent sites, the MPAA's list also included several so-called cyberlockers. In recent years these file-hosting sites have overtaken BitTorrent in popularity, and this hasn't gone unnoticed by Hollywood.
The problem with outing these sites as piracy havens is that there's no clear definition of when a site is "rogue" or not. Last year the file-hosting site RapidShare was branded rogue by the MPAA, but this year they were excluded without explanation. However, an internal MPAA fact sheet that landed on TorrentFreak's desk may shed some light on their definition of rogue.
Continued : http://torrentfreak.com/mpaa-lashes-out-against-rogue-cyberlockers-111101/
Americans will sue if personal data is compromised
Americans will go to great lengths to avoid identity theft, and many say they would take legal action against government or private organizations that compromise their personal data, according to new research by Unisys.
Results from the bi-annual Unisys Security Index, which surveys more than 1,000 Americans for consumer views on a wide range of security concerns, indicated that more than three-quarters of respondents would stop dealing with an organization entirely in the event of a security breach, underlining the need to better protect customers' personal data shared electronically.
Nearly 90 percent of all survey respondents said they would take some sort of action in the event of a data breach, ranging from conservative solutions like changing their passwords (87 percent) to those with more serious commercial implications, such as closing their accounts (76 percent) or taking legal action (53 percent).
Organizations that ignore security concerns also face public perception risks. Nearly 65 percent of U.S. survey respondents said they'd publicly expose a company that allows a breach. And in a world where communities such as Facebook and Twitter provide the opportunity to instantly broadcast dissatisfaction to a broad audience, this threat seems more real than ever before.
Continued : http://www.net-security.org/secworld.php?id=11878
Gmail app for iPhone debuts, disappears
One of the most highly anticipated apps for Apple devices was made available on Wednesday. At least, until it wasn't.
Google announced a Gmail app for the iPhone, iPad and iPod Touch that was designed to make it easier for the service's more than 190 million users to navigate their mail.
"We check email pretty much everywhere these days," Google content manager Matthew Izatt wrote on the Gmail blog. "And when we do, we want easy access to our important messages so we can respond quickly and get back to life -- or slinging birds at thieving green pigs."
Users of Apple's operating system could already access Gmail through a mobile site or set it up as their default e-mail account. But the new app promised a smoother experience with a host of new features. The tech blogosphere was delighted.
"Go get the iPhone app for Gmail!" popular blogger Robert Scoble wrote on his Google+ page.
Then, a few minutes passed.
"UPDATE: DO NOT. The Gmail app is really a piece of crud," he wrote. "Not worth loading. Very disappointed."
Google had obviously already noticed what Scoble did. Shortly after it was unveiled, the app was pulled from the Apple Store.
"The iOS app we launched today contained a bug with notifications," Google posted on its Gmail Twitter account. "We have pulled the app to fix the problem. Sorry we messed up."
Later, a fuller explanation was added to the original blog post.
"Earlier today we launched a new Gmail app for iOS," Google posted. "Unfortunately, it contained a bug which broke notifications and caused users to see an error message when first opening the app. We've removed the app while we correct the problem, and we're working to bring you a new version soon. Everyone who's already installed the app can continue to use it."
Continued : http://www.cnn.com/2011/11/02/tech/mobile/gmail-app/index.html