Monthly Archives: January 2015

About 19K French websites attacked since last week, report says

Since last week’s attacks in France, hacking attempts have been made against roughly 19,000 French websites, the AP reported on Thursday, citing Admiral Arnaud Coustilliere, head of cyberdefense for the French military.

Coustilliere said that some of the cyber attacks are being launched by well-known Islamic hacker groups, and that they are targeting everything from military regiments to pizza shops, according to the report, which adds that most of the attacks are fairly minor denial-of-service attacks.

French officials suspect that MECA: Middle East Cyber Army, Fallaga team, and Cyber Caliphate are among the hacker groups carrying out the cyber attacks, the report indicates.

“What’s new, what’s important, is that this is 19,000 sites – that’s never been seen before,” Coustilliere was quoted as saying.

Via: scmagazine

Several vulnerabilities addressed in Firefox 35, some deemed critical

Mozilla released Firefox 35 on Tuesday, and it comes with fixes for numerous vulnerabilities, a few of which are deemed critical.

Security researcher Nils is credited with discovering a critical ‘Gecko Media Plugin (GMP) sandbox escape’ vulnerability that could enable an attacker to “escape or bypass the GMP sandbox if another exploitable bug is found in a GMP media plugin which allowed them to compromise the GMP process,” according to an advisory.

Mitchell Harper, a security researcher, is credited with discovering a critical ‘read-after-free in WebRTC’ that, if exploited, could result in a “potentially exploitable crash or incorrect WebRTC,” an advisory indicates.

Mozilla also addressed miscellaneous memory safety hazards that are deemed critical. An advisory notes that some of the vulnerabilities “showed evidence of memory corruption under certain circumstances,” and states that some bugs could presumably be exploited to run arbitrary code.

The single high impact vulnerability is an ‘uninitialized memory use during bitmap rendering’ reported by Google security researcher Michal Zalewski, according to an advisory. The bug could possibly enable data to leak to web content.

The remaining vulnerabilities – deemed moderate or low impact – include one bug that could potentially enable privilege escalation, and another flaw that can possibly enable a cross-site request forgery attack from malicious websites.

In the December 2014 release of Firefox 34, Mozilla dropped support for SSL 3.0 entirely in order to protect users from its inherent vulnerabilities, Chad Weiner, director of product management for Firefox, told SCMagazine.com at the time.

Disabling support for SSL 3.0 addresses POODLE, a severe vulnerability in SSL 3.0 that was discovered by Google researchers in October and could enable an attacker to intercept plaintext data from secure connections. Fallback to SSL 3.0 was removed in Chrome 39 in November 2014, and will be disabled completely in Chrome 40.

Via: scmagazine

Obama wants Congress to increase prison sentences for hackers

Proposal also expands hacking definition. That’s a “dangerous idea,” expert says.

The Obama administration, currently engaged in a war of words with North Korea over the recent hacking of Sony Pictures Entertainment, is calling on Congress to increase prison sentences for hackers and to expand the definition of hacking.

During next week’s State of the Union address, the president is set to publicly urge increased prison time and other changes to the Computer Fraud and Abuse Act—the statute that was used to prosecute Internet activist Aaron Swartz before he committed suicide in 2013.

At issue is the Computer Fraud and Abuse Act (CFAA), passed in 1984 to bolster the government’s ability to nab hackers who destroy or disrupt computer functionality or who steal information.

In general, the CFAA makes it illegal to “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.”

Obama said Tuesday, “We want cybercriminals to feel the full force of American justice, because they are doing as much damage—if not more, these days—as folks who are involved in more conventional crime.”

Among other things, penalties under Obama’s plan would increase from a maximum five-year penalty to 10 years for pure hacking acts, like circumventing a technological barrier. What’s more, the law would expand the definition of what “exceeds authorized access” means. A hacker would exceed authorization when accessing information “for a purpose that the accesser knows is not authorized by the computer owner.”

That raised the eyebrows of researchers and scholars alike.

That language is “awkward,” according to Orin Kerr, a professor and CFAA expert who has defended Lori Drew and Andrew “weev” Auernheimer in CFAA criminal prosecutions. “For example, if your employer has a policy that ‘company computers can be accessed only for work-related purposes,’ and you access the computer for personal reasons, then you presumably would be accessing the computer for a purpose that you know the employer has not allowed,” Kerr said Wednesday.

Kerr continued:

With that said, I don’t know how this proposed language would apply to other written restrictions. Some written restrictions are phrased as conditions on purpose, but others are not. I’m not sure if the proposal would prohibit all violations of written conditions or only those phrased as or substantially resembling conditions on purpose. For example, imagine the employer has a policy that company computers can only be accessed by company employees. If a non-employee accesses the computer, the written restriction is breached, but there isn’t a breach of a purpose-based condition. It’s not clear if the Administration proposal is an awkwardly drafted way to have liability for breaching written-restrictions generally, or if it was intended to only impose liability for violating purpose-based written restrictions. (If the latter, why should purpose-based limitations be treated differently from other limitations, and what should the test be for distinguishing them?)

Kerr said his “biggest concern” surrounds accepted social computing practices, or as he calls it—”norms-based” liability. He said:

The key problem is the expanded definition of “exceeds authorized access,” which would make it an unauthorized access when a user accesses information “for a purpose that the accesser knows is not authorized by the computer owner.” This is at least somewhat clear in the case of a written restriction: A person might know that a purpose is not authorized because the written restriction says so. But think about how this language would apply when the prosecution is based on a norms violation. The problem is, when it comes to norms, how do you know what a computer owner has authorized? Is that just a matter of what the computer owner would say if you asked them? Something else?

More broadly, Kerr added, “The expansion of ‘exceeding authorized access’ would seem to allow lots of prosecutions under a ‘you knew the computer owner wouldn’t like that’ theory. And that strikes me as a dangerous idea, as it focuses on the subjective wishes of the computer owner instead of the individual’s actual conduct.”

Security expert Robert Graham said Wednesday that the proposal would affect “cybersecurity professionals that protect the Internet. If you cared about things such as ‘national security’ and ‘cyberterrorism,’ then this should be your biggest fear. Because of our knowledge, we do innocent things that look to outsiders like ‘hacking.’ Protecting computers often means attacking them. The more you crack down on hackers, the more of a chilling effect you create in our profession. This creates an open door for nation-state hackers and the real cybercriminals.”

Via: arstechnica

January 2015 Patch Tuesday Issues 8 Patches, Ends Mainstream Support for Windows 7

Just a week after they made changes to their advanced notification service for “casual” customers for 2015, Microsoft released eight security bulletins to patch various security vulnerabilities with only one considered “critical.”

Microsoft Rates 7 Bulletins as ‘Important’, 1 as ‘Critical’

The security update rated “critical” is Vulnerability in Windows Telnet Service Could Allow Remote Code Execution (3020393), or MS15-002, which affects various Microsoft Windows versions and could allow remote code execution on affected systems. According to the bulletin, only customers who enable the Telnet service are vulnerable. The bulletin also reports that Telnet is not installed by default on Windows Vista and later operating systems.
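As an added defender-side check (not part of the Trend Micro post or its products), the following PowerShell reports whether a Windows host has the Telnet Server service installed or running and whether the MS15-002 update appears among the installed hotfixes, which is what the bulletin's "only customers who enable the Telnet service are vulnerable" condition comes down to in practice. TlntSvr is the service name of the Windows Telnet Server component; treating KB3020393 as the hotfix id of the update is an assumption, since the post cites 3020393 only as the bulletin number.

```powershell
# Added example: assess a host's exposure to MS15-002 (Windows Telnet Service RCE).
# Assumption: the hotfix id of the MS15-002 update is KB3020393 (the post cites
# 3020393 as the bulletin number); adjust if your update catalog says otherwise.

function Get-TelnetExposure {
    [CmdletBinding()]
    param(
        [string]$HotfixId = 'KB3020393'   # assumed hotfix id for MS15-002
    )

    # TlntSvr is only present when the optional Telnet Server component is installed.
    $svc = Get-Service -Name 'TlntSvr' -ErrorAction SilentlyContinue
    $installed = ($null -ne $svc)
    $running   = $installed -and ($svc.Status -eq 'Running')

    # Startup type: a 'Disabled' service cannot be started without first re-enabling it.
    $startMode = $null
    if ($installed) {
        $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='TlntSvr'").StartMode
    }

    # Get-HotFix lists installed updates by KB id; absence means the fix is missing.
    $patched = ($null -ne (Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue))

    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        TelnetInstalled = $installed
        TelnetRunning   = $running
        TelnetStartMode = $startMode
        UpdateInstalled = $patched
        # Exposed when the vulnerable component is present and the update is not.
        Exposed         = ($installed -and -not $patched)
    }
}

Get-TelnetExposure | Format-List

# Mitigation for hosts that do not need Telnet at all: stop the service and keep it
# from starting again (run as Administrator).
#   Stop-Service -Name 'TlntSvr' -Force
#   Set-Service  -Name 'TlntSvr' -StartupType Disabled
```

Run the script on each Windows host in scope (or wrap the function in an Invoke-Command call for remote hosts) and treat any record with Exposed = True as a patch-now item; a host with TelnetInstalled = False is not affected by this bulletin regardless of patch state, which matches the bulletin's own statement.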

MS15-005 and MS15-006 are both bulletins rated ‘Important’ that describe a security feature bypass; both updates result in a system restart. Four of the ‘Important’ bulletins describe an elevation of privilege.

End of Mainstream Support for Windows 7

The first Patch Tuesday for the year also signals the end of mainstream support for Windows 7. This means that non-security updates will no longer be provided, but security updates will still be sent out. Windows 7 will end all support in January 2020.

It is highly recommended that users and system administrators patch these vulnerabilities immediately. Trend Micro Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities via the following DPI rules:

  • 1006439 – Microsoft Windows Telnet Service Buffer Overflow Vulnerability (CVE-2015-0014)
  • 1006441 – Microsoft Windows Components Directory Traversal Elevation Of Privilege Vulnerability (CVE-2015-0016)
  • 1006372 – Microsoft Network Policy Server RADIUS Implementation Denial Of Service Vulnerability (CVE-2015-0015)

More information about these bulletins and their corresponding Trend Micro solutions is posted at our Threat Encyclopedia page: January 2015 – Microsoft Releases 8 Security Advisories.

Via: trendmicro

Zappos data breach: settlement reached

Zappos, an online clothing and shoe retailer, has reached a settlement over a 2012 data breach which impacted up to 24 million of its customers.

The agreement, made with Arizona, Connecticut, Florida, Kentucky, Maryland, Massachusetts, North Carolina, Ohio and Pennsylvania, will see the company take steps to improve customer data safety in the future.

Zappos will also hand over a total of $106,000 within the next 30 days – which will go to the various states in respect of the investigation’s costs.

The inquiry focused on the measures implemented by Zappos to protect customer information following the theft of names, password hashes, email addresses, phone numbers and the last four digits of their payment cards after a company server in Kentucky was breached.

The attorneys general had previously asked the company for more information following the breach:

This incident raises serious concerns about the possibility of fraud and targeted email ‘phishing’ or other scams, as well as questions about the effectiveness of the company’s measures to protect the confidentiality and security of private information that it receives from consumers.

Fortunately it seems that no evidence was discovered to suggest that full payment card details were ever compromised.

Even so, the $106,000 fine may seem rather small, given the scale of the breach and the number of customers affected.

Of course, as privacy and security attorney Scot Ganow commented, the overall costs to the business are likely to be much higher in terms of reputation damage and the resulting loss of business.

He highlighted how reputation management, legal action and the introduction of compliance requirements and external audits all come with a cost.

The PR and business fallout can often cost you more than the enforcement action or settlement.

Commenting via a press release issued after the settlement was agreed, North Carolina Attorney General Roy Cooper said:

When you entrust your personal information to a business, you expect that business to keep it safe. Businesses must take the threat of a security breach seriously, and they must do more to protect consumers’ data.

The full terms of the settlement reached between Zappos and the nine states mandate that the company must:

  • Maintain and comply with its information security policies and procedures;
  • Provide the attorneys general with its current security policy;
  • Provide the attorneys general copies of reports demonstrating compliance with the Payment Card Industry Data Security Standard (PCI DSS) for two years;
  • Have a third party conduct an audit of its security of personal information; and
  • Provide relevant training to employees.

Via: sophos

Microsoft’s Patch Tuesday preview will no longer be made public

Microsoft’s Advance Notification Service (ANS) is changing – notably, the corporation will no longer be releasing a public blog post to preview what is to come on Patch Tuesday, according to a Thursday post by Chris Betz, senior director of the Microsoft Security Response Center.

Premier customers may continue to receive the ANS information through their Technical Account Manager support representatives, and ANS information will also be provided to organizations that are part of security programs such as the Microsoft Active Protections Program, Betz wrote.

Customers who do not have a Premier support contract may get ANS information through myBulletins, which makes it possible for customers to obtain bulletin information only on applications that are running in their environment, according to Betz.

“ANS has always been optimized for large organizations,” Betz wrote. “However, customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimized testing and deployment methodologies. While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically.”

Industry professionals seem to be against the change.

In a Friday email correspondence, Wolfgang Kandek, CTO of Qualys, who regularly writes about Patch Tuesday, told SCMagazine.com that he believes the change is a business optimization, and he went on to say that it is ultimately a bad idea.

“We should move in the direction of more information and explanation,” Kandek said, going on to add, “Organizations that have a structure already will be able to cope, but it will slow down adoption in other organizations that are just working on getting into the process of managing their vulnerabilities and the needed fast patching.”

Chris Goettl, product manager with Shavlik, told SCMagazine.com in a Friday email correspondence that he also does not like the move, and that it cuts a lot of lead time for companies who care about what is coming and want to plan in advance.

“I think the repercussions will be at the business level first,” Goettl said. “Getting the right amount of information to admins so they could submit change controls in advance, discuss with their internal security and approval boards, and prep test groups before patching started allowed many companies to be aggressive in their patch day maintenance.”

Now things will have to be pushed back, Goettl said.

“Companies that have 20-day cycles to go through QA, development, [and] production rollouts are going to find their cycles pressed even more for time,” Goettl said. “Now their fact-finding will start on patch day and, due to red tape, will have to potentially push back or condense an already tight schedule for maintaining servers.”

Ross Barrett, senior manager of security engineering at Rapid7, agreed in a Friday email correspondence with SCMagazine.com, explaining that “this makes it harder for teams to know what to patch, [and] will take longer for teams to identify vulnerable systems and patch them. It has always been a race from patch release to exploit availability and this is taking away the tiny head start that they previously had to get organized.”

Johannes Ullrich, dean of research with the SANS Technology Institute, told SCMagazine.com in a Friday email correspondence that the change could be beneficial if it helps with patch quality, but he said that several users have already expressed missing the ability to plan ahead.

“I think we need more transparency in what patches address, in order to better assess their impact on other software,” Ullrich said. “In addition, we need to clearly express the risk the vulnerabilities expose users to.”

Ullrich said, “Overall, patching needs to be more automated, and companies like Microsoft need to not only embrace related standards, but also provide reliable guidance as to the risk of the patch and the vulnerability, as well as the ability to “break up” patches to be able to expedite patching high risk vulnerabilities.”

Via: scmagazine

Fitbit Finally Starts Shipping The Charge HR And Surge Smartwatch

Fitbit announced its latest and greatest fitness trackers back in October and the company announced today at CES that the devices are finally shipping. The Charge HR retails for $150 while the Surge smartwatch commands $250.

These are the models to carry Fitbit into 2015 and beyond. The company carved out a dominant place in the fitness market despite suffering a major recall in early 2014.

The Charge HR builds on the success (and failure) of the Fitbit Force but adds heartrate monitoring capability.

The Surge is a big addition for Fitbit. It’s more smartwatch than activity tracker and is clearly designed to appeal to fitness fanatics. The Surge also has a heart-rate monitor and built-in GPS capabilities that can track pace, distance, and elevation.

The watch’s large LCD face is customizable and can display Caller ID, text alerts and media playback. But at $249, Fitbit is competing with a different set of players including Samsung and Garmin. While Fitbit might rule the inexpensive activity tracker field, the brand could face hesitation from buyers looking for a premium product.

The two fitness trackers are now available on Fitbit.com and will hit retailers in the coming weeks with international shipping expected in early February.

Via: techcrunch

Apple Said To Kick Off SIM-Free iPhone 6 And 6 Plus Sales

Apple has finally started selling the iPhone 6 and 6 Plus without SIMs, completely unlocked in the U.S., according to 9to5Mac’s reliable Mark Gurman. The SIM-free version of the iPhone has been available in the stores of other countries before now, but a debut stateside would be the first time it’s officially unlocked and without any carrier ties or SIM since its launch this past fall.

The T-Mobile version of the iPhone 6 and 6 Plus is not locked into any specific contract, and will work with SIMs from other carriers, but the latest flagship smartphone from Apple still technically can’t be bought SIM-free through official channels in the U.S.

Pricing won’t change either, according to Gurman, meaning the iPhone 6 will range from $649 to $849 depending on storage choices, and the iPhone 6 Plus will go from $749 to $949 unlocked and SIM free. Storage options with this generation include 16, 64 and 128GB options, as Apple dropped the 32GB tier and began offering the new top of the range with its newest, larger screen phones.

Unlocked sales generally follow a few months after the initial launch, so the timing here isn’t surprising. And since, functionally speaking, the T-Mobile version is effectively the same thing, not much changes for consumers – but it’s still one of the notable markers in an iPhone’s lifespan, and a reminder that the 6 and 6 Plus have already been around for a while now.

Via: techcrunch

FBI clarifies stingray policy, says court warrants not needed when used in public spaces

In recent meetings with two senators’ staff, the Federal Bureau of Investigation (FBI) clarified its thoughts on stingray use and said court warrants aren’t needed to deploy the devices in public spaces.

Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., and Sen. Chuck Grassley, R-Iowa, penned a letter last week pressing Attorney General Eric Holder and Secretary of Homeland Security Jeh Johnson to elaborate on the FBI’s policies regarding the surveillance devices. The letter explains that both senators had their staff meet with FBI Director James Comey to determine how the agency uses the cell-site simulators, and during those discussions the staff members determined that the FBI had changed its legal policy on their use. Grassley’s office said in a comment to SCMagazine.com that it believes the FBI’s policies were changed in August 2014.

Without going into the full scope of the program, the senators explain that the FBI’s policy requires a search warrant to use a stingray, unless the case poses “an imminent danger to public safety,” involves a fugitive, or in cases where “the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.”

Hanni Fakhoury, senior staff attorney at the Electronic Frontier Foundation (EFF), said in a Tuesday interview with SCMagazine.com that while the policy itself might not be particularly new, the fact that Leahy and Grassley are directly asking for answers could indicate the start of more public transparency surrounding the devices’ use.

“We’re seeing a glimmer of acknowledgement and public discussion of these things, where previously it had not been the case,” he said.

The senators’ letter specifically asks for clarification on the number of times the FBI has used a stingray device since the policy became effective, and in how many of those instances a search warrant or other legal process authorized its use. The letter also asks about the retention and destruction policy of the collected information.

When considering privacy interests of civilians whose information is swept up along with a specific target’s, the senators write: “We understand that the FBI believes that it can address these interests by maintaining that information for a short period of time and purging the information after it has been collected.  But there is a question as to whether this sufficiently safeguards privacy interests.”

Grassley’s office said in a statement that these questions are the primary reasons he and Leahy wrote their letter. He “wants to learn exactly how the devices are being used and explore to what extent the policies governing their use are sufficient to protect the privacy of third parties who aren’t the target,” his office said in an emailed statement.

When asked to comment on the senators’ requests, the Department of Justice (DOJ), via an email correspondence with SCMagazine.com, said that it was in the process of “reviewing the letter.”

Multiple local cases have sprung up this year to try and get more information about how police departments team up with the FBI to use stingrays. In one recent case, California nonprofit First Amendment Coalition sued the San Diego Police Department to get public records released on the force’s stingray use.

Via: scmagazine

“Tower dump” of consumer mobile data a popular police snooping tactic

New reports have revealed the extent to which local law enforcement engage in mass collection of consumer cell phone data to aid in their investigations.

Days after news surfaced about the National Security Agency’s amassing of nearly five billion phone records daily to carry out location-based tracking, stats have emerged on the privacy-invading presence of police gathering mobile data.

The USA Today published an article detailing the findings, which were gleaned from public records obtained by the outlet and Gannett newspapers and TV stations.

The records revealed that, among more than 125 law enforcement agencies in 33 states, one in every four used a surveillance tactic called “tower dump.” The method gives police access to “identity, activity and location” data of users and makes use of “multiple [cell phone] towers, and wireless providers, and can net information from thousands of phones,” the article said.

In addition, records showed that at least 25 police departments own a Stingray device – which essentially operates as a fake cell phone tower in order to siphon data from nearby phones that connect to it.

“In some states, the devices are available to any local police department via state surveillance units,” the article said. “The federal government funds most of the purchases via anti-terror grants.”

Classified documents obtained by The Washington Post revealed how location-based mobile data, in particular, was of interest to NSA. Using a tool called “Co-Traveler,” the agency is able to gather insight on cell phone users’ travels and habits by “tapping into cables” connecting mobile networks around the world, including those that service U.S. phones, leaks from NSA whistleblower Edward Snowden showed.

Catherine Crump, a staff attorney at the American Civil Liberties Union (ACLU), told SCMagazine.com that the uncovered mobile tracking methods require a “national debate about whether these types of mass surveillance tactics are ever appropriate.”

“Surveillance technologies that are being used today are extremely powerful, and whatever you think about their use to stop serious crimes, it’s worrying when even more minor offenses are being investigated using these technologies,” Crump explained.

Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation (EFF), pointed out in a Monday interview that the NSA and law enforcement agencies carried an overarching privacy risk for innocent cell phone users entangled in the mass collection practices.

“I think that they are similar in idea,” Fakhoury said of NSA’s “co-traveler” tactics and the “tower dump” methods employed by police – “meaning you grab lots of [information] in order to sift through the data you want.”

Several major wireless carriers, including Verizon, AT&T and T-Mobile, recently provided information on law enforcement requests received in 2012. Sen. Edward Markey, D-Mass., requested the information for the second year in a row, and revealed the findings.

The wireless providers received 1.1 million federal, state and local law enforcement requests for cell phone records, Markey found. There were also around 9,000 cell tower dumps that year, among companies that turned over the information.

For providing the data, T-Mobile received $11 million from law enforcement, while AT&T received $10 million. Verizon was paid around $5 million in 2012.

Via: scmagazine