Monthly Archives: January 2015

Only some instances of the Angler Exploit Kit are targeting the latest flaw.

Kafeine, a well-known malware researcher, is reporting that the Angler Exploit Kit has started targeting new vulnerability in Adobe’s Flash Player. The malicious payload isn’t being used by all Angler instances, but at least one is targeting version 16.0.0.257, the current release.

According a recent report from Malwarebytes, exploit kits are one of the fastest-growing threats online, as they’re able to leverage the inherent trust that people place in the websites they regularly visit. Not that long ago, a single exploit kit on a well-visited website infected 6,000 people in just 30 minutes, the report noted.

Modular by design, exploit kits and be updated on the fly to target the latest vulnerabilities in Flash, Internet Explorer, Adobe Reader, and Java.

Angler is just one of the popular kits on the criminal market, holding its own against RIG, Astrum, Sweet Orange, and Fiesta.

In a statement, Pedro Bustamante, the director of Special Projects at Malwarebytes, said the fact that the zero-day was being used by Angler shows that criminals are keen to target people en-masse.

“Using a delivery mechanism such as Angler increases the chance of successful infections, allowing for accurate attacks through infected adverts on high traffic websites,” Bustamante’s statement added.

The zero-day was observed during a drive-by-attack, and Kafeine says the payload is focused on Internet Explorer.

Testing has confirmed that the attack targets Windows XP (IE versions 6-9), Windows 7 (IE 8), and Windows 8 (IE 10). However, Windows 8.1 isn’t being targeted. Likewise, Chrome users are also being ignored by the payload delivery script.

A spokesperson from Adobe said that the company is aware of the zero-day reports and investigating the claims.

Via: csoonline

Digital Bond Labs security researcher Corey Thuen has found a way to unlock car doors, start a car, and gather engine information via a dongle known as “Snapshot” – a device used by Progressive Insurance to track driving habits for risk assessment and premium adjustment, according to Forbes.

The dongle is used in more than two million vehicles in the U.S., Forbes said.

A skilled hacker could compromise one to control a vehicle remotely, Thuen said, but a remote attack is only possible if a u-blox modem, which handles connections between the dongle and Progressive’s servers, is compromised.

Ultimately, Snapshot’s firmware is insecure – with no validation or signing of updates, secure boot, cellular authentication, and secure communications or encryption, Thuen said, noting that compromising Progressive’s backend infrastructure could enable control over “devices that make it out to the field.”

Via: scmagazine

Oracle released its first quarterly Critical Patch Update (CPU) of the year on Tuesday, issuing 169 security fixes for hundreds of its products.

Vulnerabilities in the company’s browser plug-in Java received 19 patches, 14 of which could be remotely exploitable without authentication. Four Java bugs were given a CVSS Base Score of 10.0, the most critical ranking. Nine other CVEs had scores of 6.0 or higher.

“Four out-of-every five identified CVEs in the CPU can be exploited for full or partial sandbox bypass,” said John Matthew Holt, CTO at Waratek, in a prepared statement to SCMagazine.com. “It is a modern day paradox that Java technology, which rocketed to prominence on the promise of its ‘secure sandbox’ design, is vulnerable to 16 new sandbox bypasses. That represents one new Java sandbox bypass every 120 hours since the last CPU.”

Eight vulnerabilities in Oracle database were also addressed in the recent release, including CVE-2014-6567, which received a CVSS Base Score of 9.0, signaling that a full compromise of a targeted server could be possible on the Windows platform with authentication. None of the database vulnerabilities could be remotely exploitable without authentication.

Four other database vulnerabilities ranked above a 6.0, and CVE-2014-6577 received a rating of 6.8. If exploited, it could result in a complete confidentiality compromise of the targeted systems on database versions prior to 12c on the Windows platform.

A separate bug in the E-Business Suite, CVE-2015-0393, could have granted administrator privileges to lower-level users. Australian researcher David Litchfield discovered and reported the vulnerability to Oracle this past year. He found it during a review of a client’s system and believed it to be a backdoor left behind after a hack. In actuality, the “backdoor” turned out to be part of a seeded installation, which left him “flabbergasted,” according to his Twitter. In a further write-up of the bug, Litchfield said that Oracle, “has no documentation for why they did this. This is very concerning.”

Oracle’s MySQL received nine fixes, three which could be remotely exploitable without authentication. The most critical bug, CVE-2015-0411, had a base score of 7.5.

The company also issued 29 fixes for its Sun Systems Products Suite, 10 of which could be remotely exploitable without authentication. One bug, CVE-2013-4784, received a 10.0 rating and another, CVE-2014-4259, received a 9.0.

Via: scmagazine

If you enjoy reading up on what’s new in computer security as you sup on your first coffee of the day you’ll have noticed that the outrageously popular online game Minecraft is in the news.

The blocky online building environment is attracting press because about 1800 Minecraft credentials (worth about $27 USD each) have been leaked on Pastebin.

The story began on the German language site Heise before it was picked up by The Guardian and did the round of security commentators.

Details on the apparent leak are non-existent – we don’t know if the credentials are new or old, how they were acquired or by whom. Meanwhile Minecraft’s creator, Mojang, appears to have nothing to say on the matter.

I suspect I know why.

The fact is that leaked credentials for websites and online games appear on the web every day – in fact it’s so common that there are entire websites devoted to sharing them. We almost never know if they’re old or new, how they were acquired or by whom.

By some standards, 1800 credentials is a lot – after all, it represents 1800 victims and a retail value of $46,000 USD, neither of which can be sniffed at – but as data leaks go it’s depressingly small fry.

Of course, what people are really worried about is that this small leak might be part of a much larger cache of credentials stolen in an Adobe-style break-in of the Minecraft network.

We have no evidence that a break-in has occurred and no evidence that a break-in hasn’t occurred – but the presence of 1800 leaked credentials on the internet represents little, if anything, new.

Users can be parted from their credentials by all manner of ugly, criminal techniques, not least malware infections and phishing, and 1800 credentials is a tiny fraction of Minecraft’s mammoth, 100 million strong user base – just 0.002%.

Given that Microsoft reported an average infection rate of 0.8% among its users in 2013 we might reasonably expect the ‘normal’ background level of stolen Minecraft credentials in circulation to be much greater than 1800.

And, of course, there is always the prospect that these credentials aren’t new.

I decided to search for some of the passwords to see if they had any kind of internet history that’s visible through Google.

Some of them didn’t, but the very first set of credentials I looked for – a gmail address and an eight character password – had actually been on quite a journey.

The pair’s earliest appearance is on a Portuguese forum entry dated 10 July 2014 – six months before they enjoyed a bit part in today’s news.

They go on to appear on more gaming forums in the following months – first on a Lithuanian language forum on 30 August 2014 and then on English language forums in October and November.

During December they turn up on a number of different blogs and leak sites, including Pastebin for the first time.

They crop up on different Pastebin pages a number of times during December and January. Then, on 19 January, they appear for the fourth time and along with 1799 others like them they become news.

Wherever I found this one set of credentials they were just one item in a list of many stolen Gmail or Minecraft credentials and the the rest of the list was not the same on every site.

Of course none of this means there hasn’t been a break-in at Minecraft but I’ll refrain from inviting you to speculate about that until something genuinely out of the ordinary happens.

What I can say is that these 1800 usernames and passwords are a timely reminder to choose a different, strong password for every website you use.

Thieves will attempt to use stolen usernames and passwords to login to accounts on popular websites like Twitter and Facebook, no matter where they came from.

If you struggle to remember all the passwords you need then you can use a password manager to help you.

And, if you’re not sure how to choose a password or why you should bother, our short straight-talking video explains:

via: sophos

Microsoft’s Outlook e-mail service has apparently been the victim of a cyberattack over the weekend, this time perpetrated by the Chinese government. The hack took the form of a man-in-the-middle (MITM) attack that would allow the government to monitor a user’s e-mail account, including login and password.

The news was first reported by Greatfire.org, an online watchdog group focused on providing information on Internet censorship in China. Greatfire said it first began receiving reports of the attack on Saturday. The report surfaced only a week after news that China had completely blocked access to Google’s Gmail system.

A Pattern of Attacks

The attack focused specifically on Outlook’s IMAP and SMTP connections. In other words, while users accessing their mail through the Outlook application would be affected, anyone connecting through the Microsoft Web interface was safe, according to Greatfire. The attack lasted for about a day, seemed to have been confined to Chinese users, and has since ended, Greatfire wrote.

The attack is notable for its particularly insidious nature. Users saw only a relatively benign looking warning indicating that the identity of the mail server could not be verified. Users had the option of continuing with the connection despite the warning. They would likely have attributed the warning to a network connection problem before proceeding, Greatfire wrote in its blog post.

The Chinese government has recently been accused of being behind a number of cyberattacks. In addition to the attack on Gmail, services by both Yahoo and Apple in China have been targeted. At this point, the recent events are beginning to form a pattern.

“Because of the similarity between this attack and previous, recent MITM attacks in China (on Google, Yahoo and Apple), we once again suspect that [Deputy Head of the Propaganda Department of the Communist Party of China] Lu Wei and the Cyberspace Administration of China have orchestrated this attack or have willingly allowed the attack to happen,” Greatfire wrote. “If our accusation is correct, this new attack signals that the Chinese authorities are intent on further cracking down on communication methods that they cannot readily monitor.”

Testing Its Technology

Just last month, China was suspected of blocking Chinese users’ access to Gmail through an e-mail client. The Chinese government denied any action on its part in the service disruption. Google had also accused China of blocking access to its e-mail services in 2011, a claim the government also denied.

Apple, meanwhile, has also apparently been on the receiving end of the Chinese government’s wrath. Apple’s iCloud was the subject of a similar MITM attack in October. Greatfire said that these types of attacks might represent an attempt by China to refine its methods through experimentation.

“The authorities are most likely continuing to test their MITM technology. The authorities may also be gauging user response,” Greatfire said. “By keeping track of how many users ignore the certificate warnings, the authorities will be able to determine the effectiveness of this type of attack.”

Via: enterprise-security-today

Agents from the United States and United Kingdom will carry out simulated cyber-attacks against each other following talks between President Barack Obama and Prime Minister David Cameron.

A series of “war games” will begin with a staged attack against the financial sector as both countries look to bolster their defenses against computerized attacks.

According to the BBC, the first exercise will involve the Bank of England and commercial banks and will also target the City of London as well as Wall Street.

Later exercises will be run to test other areas of critical infrastructure including power suppliers and transport networks.

The two countries will jointly create a “cyber cell” that will include agents from both nations who will conduct the tests and then share information on the threats as well as plans for combatting hackers.

The Guardian reports that the US division of the cell has already been set up with agents from MI5, GCHQ and the FBI. It says a similar cell will be created within the UK shortly.

The planned measures are part of a two day set of talks between Obama and Cameron in which the pair are discussing the economy and terrorism, as well as cybersecurity. The talks come in the wake of the recent Sony hack and the takeover of social media accounts under the control of US Central Command earlier this week.

The new deal on cybersecurity will also see additional funds made available towards the training of the next generation of security experts – an area currently experiencing a huge skills shortage, David Cameron said:

The joint exercises and training of our next generation of cyber-experts will help to ensure that we have the capability we need to protect critical sectors like our energy, transport and financial infrastructure from emerging threats.

As talks continue, Cameron is expected to push for more cooperation from tech and social giants including Google, Apple, Facebook and Twitter. He is likely to ask Obama to exert more pressure on such companies to collaborate with the security services as they look to gather more communications data and intelligence from suspected terrorists.

Earlier this week Cameron said he will, if re-elected prime minister in May’s national election, legislate against encrypted communications that currently pose problems for the security services who are unable to read them.

In an interview with the BBC’s Nick Robinson, David Cameron explained how cyber attacks are one of “the biggest modern threats we face”, stating that 8 out of 10 large companies in Britain have had some sort of cyber-attack against them.

Cameron went on to say that the expertise to deal with such threats already exists on both sides of the Atlantic but by combining resources the two countries could create “a system where countries and hostile states and hostile organizations know that they shouldn’t attack us.”

Via: sophos

Be My Eyes, a new Danish non-profit ‘startup’, has taken a commodity technology, the humble video call, and, by combining it with a community of sighted volunteers, used it as the basis for an iOS app that lets you help a visually-impaired person ‘see’ through their phone’s video camera.

Specifically, Be My Eyes — which recently caught the attention of Twitter and Square founder Jack Dorsey — works as follows: If you’re a sighted person you register with the service and wait for the app to send you a notification that a visually-impaired person who has also signed up requires help. Once a match is found, the two of you are connected via an audio/video call, essentially enabling you to ‘lend’ your eyes to the visually-impaired person who points their phone’s rear-facing camera at whatever it is they want to see. The two of you then collaborate over the call to solve the problem.

Unfortunately, however, I’ve been unable to try out the app for myself. Since officially launching yesterday, the Be My Eyes servers have been somewhat overwhelmed, while I’m told there is currently a very high ratio of sighted volunteers (over 13,000 have signed up) to visually-impaired people requiring help — which, in the long run, is probably encouraging. Meanwhile, over 2,000 ‘blind’ people have been helped so far, according to the app’s built-in metrics.

As for the type of help typically being asked for, Be My Eyes co-founder Thelle Kristensen tells me that problems related to the kitchen, such as checking the expiry date of an item of food or locating something in the fridge, rank high. He’s also had to help someone figure out how to navigate the menus of an audio player, where the gadget’s voice-over functionality fell short, as well as helping a visually-impaired person locate a specific door number when in an unfamiliar location.

The app currently employs a simple points system to encourage volunteers to keep coming back. There’s also a blocking feature so that if two people don’t get on, Be My Eyes ensures that they won’t get paired again, which could be awkward.

Kristensen also tells me the app is entirely non-profit, initially developed by a group of volunteers after they saw Hans Jørgen Wiberg, who is visually-impaired himself, pitch the idea at Startup Weekend. Since then Be My Eyes has received backing from the Danish Blind Society, the Velux Foundations and the software development studio Robocat.

There’s no current plans to monetise the app, though one future possibility, should demand outstrip supply, is that power users could pay to top up the amount of help they require. However, Kristensen was keen to stress that the basic service will always remain free.

Via: techcrunch

Most cars’ built-in navigation systems tend to be a bit clunky compared to modern smartphone apps like of Google Maps. It looks like Ford is among the first car manufacturers to acknowledge this. The next version of AppLink, its system for connecting smartphone apps to its SYNC infotainment system, will allow third-party navigation apps to project their maps from the phone onto the built-in screens in its cars.

Ford will roll out the latest (and much improved) version of SYNC later this year, but AppLink 3.0 will only become available at a later date (SYNC can be updated over WiFi and through a connected smartphone).

The company is already working with Alibaba to bring its navigation and music services to its in-vehicle screens. Chances are, other companies will jump on board as well, though it’s worth noting that Ford has to explicitly whitelist applications to run on AppLink. There’s no reason to believe the company will stop Google, Microsoft, TeleNav or Here from offering its mapping services on its platform, though.

AppLink currently focuses mostly on audio apps, but with Glympse, it has long featured a location-sharing service as well.

As Ford notes, AppLink 3.0 will use the Genivi alliance’s open-source SmartDeviceLink service and its APIs to enable this feature. The members in the Genivi alliance, besides Ford, include the likes of BMW, Honda, Nissan, Renault, Volvo and John Deere, as well as chip manufacturers like Intel, Qualcomm and Nvidia and plenty of aftermarket manufacturers. Earlier this month, the Genivi Alliance also announced that it would offer open source middleware to support Android Auto integration into car infotainment products.

Via: techcrunch

Look — I love my job. But damn do the folks at Disney’s research labs have a fun looking gig.

We’ve seen them build systems that let them 3D print impossible spinning tops, software to turn 3D models into massive parade balloons, and solutions for doing motion capture outdoors with nothing but a few GoPros.

Now they’re building robots that can draw sprawling pictures across the beach.

The robot — aptly called “Beachbot” — works by dragging a set of pins through the sand, sort of like a rake. Each pin is individually raisable, allowing the bot to draw lines of varying thicknesses. More pins down = thicker lines drawn.

The artist behind the robot starts a canvas by setting down poles, which the robot uses as markers to finely calculate its position. At that point, the robot can be passed an image file to draw automatically, or the artists can steer it manually.

The Beachbot moves on a set of large, soft wheels that Disney has dubbed “balloon wheels”, allowing it to move across the sand without leaving tracks or screwing up whatever it’s drawn previously.

Why? A) Because why not. and B) It doesn’t require much thinking to come up with practical uses for this, even just within the realm of Disney. Disney has beach resorts. People would flip out to wake up in the morning and see their favorite characters drawn in the sand outside of their room — and by lunch, high tide would come in and wash it away, prepping the canvas for a new drawing the next day.

This project, like a good number of Disney Research’s projects, was built in collaboration with Swiss engineering school ETH Zürich.

Via: techcrunch

Encryption is not being deployed fast enough according to a leaked document from the US National Intelligence Council  reported by the Guardian
newspaper today, contradicting PM David Cameron’s calls yesterday for governments to stymie encryption so as to be able to access all communications.

As a result of slow uptake, both government and industry are vulnerable to cyber-attacks from Russia, China and criminal gangs says the report, a five-year forecast written in in 2009.

The Guardian says that the report – believed to be part of the cache given to the paper by Snowden –  describes the failure to keep up with cyber-attackers as being largely “due to the slower than expected adoption … of encryption and other technologies.”  The newspaper also says the report was shared with GCHQ and put on its intranet.

Encryption is described in the report as the best defence to protect data, especially combined with multi-factor authentication. Otherwise, it says that the “scale of detected compromises indicates organisations should assume that any controlled but unclassified networks of intelligence, operational or commercial value directly accessible from the internet are already potentially compromised by foreign adversaries”.

On the positive side, it says: “We assess with high confidence that security best practices applied to target networks would prevent the vast majority of intrusions.”

Official UK government security advice still recommends encryption, despite end-to-end encryption making surveillance by government agencies far more difficult.

Via: scmagazineuk