NEWS - September 13, 2012

Crack in Internet's foundation of trust allows HTTPS session hijacking

"Attack dubbed CRIME breaks crypto used to prevent snooping of sensitive data."

Researchers have identified a security weakness that allows them to hijack web browser sessions even when they're protected by the HTTPS encryption that banks and e-commerce sites use to prevent snooping on sensitive transactions.

The technique exploits web sessions protected by the Secure Sockets Layer and Transport Layer Security protocols when they use one of two data-compression schemes designed to reduce network congestion or the time it takes for webpages to load. Short for Compression Ratio Info-leak Made Easy, CRIME works only when both the browser and server support TLS compression or SPDY, an open networking protocol used by both Google and Twitter. Microsoft's Internet Explorer, Google's Chrome and Mozilla's Firefox browsers are all believed to be immune to the attack, but at the time of writing smartphone browsers and a myriad of other applications that rely on TLS are believed to remain vulnerable.

Continued:

Also: CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions
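To make the "compression ratio info-leak" concrete, here is an added Python model of the side channel (not code from the article or from the CRIME researchers). zlib stands in for TLS/SPDY compression, and the cookie and guess values are constructed; the point for defenders is that the compressed length changes with how well attacker-supplied bytes match the secret, and that the signal disappears when compression is off, which is why browsers disabled it.

```python
import zlib

# Constructed sample values (not from the article): a session cookie the
# browser attaches to every request, and attacker-controlled bytes (e.g. a
# URL query string) that end up in the same compressed stream.
SECRET_COOKIE = b"Cookie: session=7f3a9c2e"


def compressed_request_len(guess: bytes, compress: bool = True) -> int:
    """Length on the wire of one request carrying both the guess and the cookie.

    With compression (modelled with zlib/DEFLATE), bytes of the cookie that
    repeat an earlier substring are replaced by a short back-reference, so the
    output shrinks as more of `guess` matches the secret. Without compression
    the length depends only on the byte count, which is identical for guesses
    of equal length.
    """
    body = b"GET /?q=" + guess + b" HTTP/1.1\r\n" + SECRET_COOKIE + b"\r\n"
    return len(zlib.compress(body, 9)) if compress else len(body)


def compression_leaks(guess_right: bytes, guess_wrong: bytes,
                      compress: bool = True) -> bool:
    """True when ciphertext length alone distinguishes a correct guess from an
    incorrect one of the same length, i.e. the side channel is observable.
    Since TLS encrypts without padding to a fixed size, the length an on-path
    observer sees equals the compressed length measured here."""
    assert len(guess_right) == len(guess_wrong)
    return (compressed_request_len(guess_right, compress)
            < compressed_request_len(guess_wrong, compress))


if __name__ == "__main__":
    right, wrong = b"session=7f3a", b"session=XwQk"
    print("leaks with compression:   ", compression_leaks(right, wrong))
    print("leaks without compression:", compression_leaks(right, wrong, False))
```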
- Collapse -
BlackHole 2.0: Criminals take to the cloud

The BlackHole developers are unleashing a new version of their exploit toolkit on the net. With BlackHole 2.0, the software has been "rewritten from scratch", say the unknown developers in a Russian-language release announcement on Pastebin. In their posting, they advertise new features such as temporary exploit URLs that are only valid for a few seconds, making them harder to analyse.

BlackHole is one of the most dominant exploit toolkits currently available in the underground market. It enables attackers to exploit security holes in order to install malicious software on victims' systems. In the case of a well-known Java hole earlier this year, the BlackHole developers had already created a suitable exploit module even before Oracle released a patch to fix the problem.

The exploit toolkit's entry barriers aren't particularly high - all you need is criminal intent and money. The toolkit can now even be rented for $50 a day and will then run on a server that is owned by the BlackHole team. The annual licence fee for criminals who use their own servers is $1,500.

New version of Blackhole exploit kit
BlackHole 2.0 gives hackers stealthier ways to pwn
Blackhole exploit kit gets upgraded to evade antivirus software

- Collapse -
Researchers Find Botnet C&C Hiding Inside Tor

Security researchers have identified a command-and-control server that appears to be hiding inside the Tor network.

Protecting the command and control (C&C) server's traffic is a challenge for botnet owners, since if defenders detect and block that traffic, infected zombies in the botnet won't be able to receive any instructions, wrote researchers from G Data Security Labs in a blog post. There aren't a lot of details available at this time about the botnet's actual activities, but the fact that it is hiding within a network designed to hide user activity means it will be hard for administrators to defend against this botnet.

The Tor network is an anonymization service for end users, in which users can surf the Internet while hiding their locations completely. Tor also offers various services for these identity-shy users, such as an instant messaging server. This particular set of botnet owners appears to have built an IRC server as a hidden service within the Tor network, the researchers wrote.

While the way the C&C server communicates is "novel," the rest of the features are fairly commonplace, G Data researchers said.

Continued:

Botnet operators hide C&Cs in the Tor network
Botnet masters hide C&C server inside Tor network

- Collapse -
Apple closes more than 160 security holes in iTunes

The latest update to the Windows version of Apple's popular iTunes media player closes an alarming number of security holes. According to the company, iTunes 10.7 for Windows addresses a total of 163 vulnerabilities, all of which are in the WebKit browser engine used by the media player to display HTML-based pages in its iTunes Store.

Apple notes that these security issues could be exploited by an attacker to, at worst, inject and execute arbitrary code on a victim's system. While users cannot navigate to any web site in iTunes, users should not take these issues lightly: when connected to a public network, an attacker could use a man-in-the-middle attack to manipulate network traffic, directing users to maliciously crafted pages to exploit the holes. The worrying thing about this update is that these memory corruption issues have been fixed in other applications for some time now. Google's Chrome web browser, which also uses WebKit, corrected a number of these flaws nearly six months ago in Chrome 18, while Apple itself fixed many of the problems in July with the release of Safari 6.

Continued:

Also: Google helps close 163 security vulnerabilities in iTunes

See Vulnerabilities & Fixes - Apple iTunes Multiple WebKit Vulnerabilities

- Collapse -
Spam one step ahead of iPhone 5 release

From the Kaspersky Antivirus Research Weblog:

Apple fans are eagerly awaiting the arrival of iPhone 5 which is due out today. Each unveiling of an iDevice is accompanied by a global buzz of excitement which usually attracts the attention of spammers: every new iPad or iPhone inevitably becomes the bait in numerous fake lotteries and other fraudulent emails.

However, customers are not only interested in Apple's devices but also their accessories. This year's first registered mass mailing dedicated to the new iPhone came from a Chinese company that has decided to fill this niche.

The advertiser, having first apologized for any inconvenience that may be caused by the email, offers users the chance to buy a case for the new iPhone 5 which has not even been officially presented. [Screenshot]

Considering the sort of promises that usually appear in spam, one can only wonder why the sender didn't offer an actual iPhone 5 or, better still, an iPhone 6 (or whatever it'll be called in 2013? iPhone 5v?).

- Collapse -
Chrome browser for Android gets security boost, patches

Google has upgraded its Chrome browser for Android devices, boosting its security framework and patching several security bugs. The security holes that were fixed were all rated as "medium" for their severity, and Google paid $500 for each one to the individuals who reported them.

The seven bugs included a current-tab cross-application scripting vulnerability, a file-induced information and credential disclosure and cookie theft by a malicious local Android application.

The new version of Chrome for Android also features improved sandbox technology, which isolates websites so that malicious ones don't impact the entire browser operation.

"This is made possible by the innovative multi-process architecture in Chrome for Android, in conjunction with Android's User ID (UID) isolation technology," wrote Google software engineer Jay Civell in a blog post.

This improved sandbox functionality will be automatically used for Android devices running the 4.1 version of the OS, commonly known as Jelly Bean. The upgrade is also available for users of devices running version 4.0 of Android, called Ice Cream Sandwich.

Continued:

Chrome for Android update strengthens sandbox
Google strengthens Chrome for Android with sandbox

See Vulnerabilities & Fixes - Google Chrome for Android Multiple Vulnerabilities

- Collapse -
Minnesota woman fined $222,000 for 24 illegal song downloads

The first jury trial for a file-sharing suit brought by the major record labels has resulted in a $222,000 fine for a Minnesota woman accused of downloading and distributing more than 1,700 songs on the file-sharing site KaZaA.

The court also forbade the woman, Jammie Thomas-Rasset, from making sound recordings available for distribution in the future.

Prosecuting 1,700 songs might have been a bit unwieldy, so the Recording Industry Association of America (RIAA) instead focused on 24 illegally downloaded and shared music files.

A group of six recording companies first contacted Thomas-Rasset in 2005 after hiring MediaSentry, an online investigative firm, to look into suspected copyright infringement.

She turned down their initial demand of a $4,500 settlement.

According to a federal court ruling (PDF) on Tuesday, Thomas-Rasset argued that she never heard of KaZaA, that she didn't have KaZaA on her computer, and that she didn't use KaZaA to download files.

Continued:

- Collapse -
Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain

From The Official Microsoft Blog:

Earlier this week, the U.S. District Court for the Eastern District of Virginia granted Microsoft's Digital Crimes Unit permission to disrupt more than 500 different strains of malware with the potential for targeting millions of innocent people. Codenamed "Operation b70," this legal action and technical disruption proceeded from a Microsoft study which found that cybercriminals infiltrate unsecure supply chains to introduce counterfeit software embedded with malware for the purpose of secretly infecting people's computers. In disrupting these malware strains, we helped significantly limit the spread of the developing Nitol botnet, our second botnet disruption in the last six months.

A supply chain between a manufacturer and a consumer becomes unsecure when a distributor or reseller receives or sells products from unknown or unauthorized sources. In Operation b70, we discovered that retailers were selling computers loaded with counterfeit versions of Windows software embedded with harmful malware. Malware allows criminals to steal a person's personal information to access and abuse their online services, including e-mail, social networking accounts and online bank accounts. Examples of this abuse include malware sending fake e-mails and social media posts to a victim's family, friends and co-workers to scam them out of money, sell them dangerous counterfeit drugs, and infect their computers with malware.

Continued:

Microsoft's study into unsecure supply chains leads to botnet disruption
Nitol and Takedown by Microsoft
Microsoft seizes Chinese dot-org to kill Nitol bot army

- Collapse -
Research: Half of All Androids Contain Known Vulnerabilities

About half of all Android phones contain at least one vulnerability that could be used to take control of the device, according to new research. Duo Security, which launched a free vulnerability scanning app for Android this summer, said their preliminary data from users shows a huge number of the devices are vulnerable to at least one of the known Android flaws.

The X-Ray app from Duo scans Android devices for a set of known vulnerabilities in a variety of the Android releases. Many of them are flaws that attackers have used in the last few months. The main issue with Android security and patches is that each carrier is responsible for pushing out new versions of the operating system to its users and they all do it on random timelines. There's no set interval for updates and users don't have to upgrade, so there's a good chance that many users are running older, vulnerable versions of Android at any given time.

And that's exactly what the data Duo collected from the 20,000 devices on which X-Ray is installed shows: There are a lot of vulnerable Android devices floating around out there.

"Since we launched X-Ray, we've already collected results from over 20,000 Android devices worldwide. Based on these initial results, we estimate that over half of Android devices worldwide have unpatched vulnerabilities that could be exploited by a malicious app or adversary," Jon Oberheide of Duo Security wrote in a blog post on the results.

Continued:
