Posts Tagged ‘Security’

The company Hacking Team internally tested its code against a wide range of antivirus engines and Internet security apps. Testing was done using Windows 7, 64bit. In this color coded scheme, red means the code was not only detected but issued an alert whereas black just blocked with no notification. Click on the image for the full list.

  • Green – Antivirus does not react to the launch of the agent.
  • Yellow – Agent connects to the server, but can sometimes issues a warning. The antivirus has a non-standard configuration (ie the firewall turned off).
  • Black – the agent can not connect to the server, but there is no anti-virus warnings, or agent is in the antivirus black list.
  • Red – the agent can not connect to the server, an antivirus warning appears (agent is detected as malicious).

av-chart-hackingteam

Source: [exploit.in]

8edb1-url

Researchers sifting through the confidential material stolen from spyware developer Hacking Team have already uncovered a weaponized exploit for a currently unpatched vulnerability in Adobe Flash, and they also may have uncovered attack code targeting Microsoft Windows and a hardened Linux module known as SELinux.

Hacking Team documentation accompanying the Flash exploit said it targeted “the most beautiful Flash bug for the last four years,” according to a blog post published Wednesday by researchers from antivirus provider Trend Micro. The use-after-free flaw resides in a Flash Bytearray object. Researchers at competing AV company Symantec have confirmed the existence of a Flash exploit that works against the latest version of Flash (18.0..194). They also have confirmed it works against people viewing content with Internet Explorer, and it’s presumed it will work against other browsers as well.

“Symantec has confirmed the existence of a new zero-day vulnerability in Adobe Flash which could allow attackers to remotely execute code on a targeted computer,” they wrote in a blog post published Tuesday. “Since details of the vulnerability are now publicly available, it is likely attackers will move quickly to exploit it before a patch is issued.”

Full Story @ [arstechnica]

Founder and Director of Oath Keepers Stewart Rhodes urges all Oath Keeper chapters across the country to hold an Emergency Summit by state, in order to prepare for an economic collapse. ‘Assume the worst’ and formulate support teams. Food storage the most crucial.

The very network nodes that relay anonymous Tor traffic for you, free of charge, may be sniffing or reading your data as it passes through. That’s the conclusion of an investigation by a security researcher known as Chloe.

The test involved setting up a dummy website with an admin sub-domain and a login page. Chloe then logged into the site through the Tor network many times – in fact, 137,319 times. Due to timeouts and other issues, only 99,271 attempts resulted in a successful connection to the dummy admin account.

Chloe was looking for instances where the unique password chosen for each login attempt was used a second time, which would indicate that the exit node, in that instance, had sniffed the credentials and someone had then decided to have a go at using the credentials to log into Chloe’s dummy site.

Chloe found 16 instances of multiple uses of a unique password. While it may appear a small number, this number should be zero. In addition, there were 650 unique page visits which points to additional sniffing activity.

Chloe estimates that the number of exit nodes tested was 1400, with each used around 95 times.

The conclusion: “We can see that there’s passive MITM [man in the middle spying] going on in the Tor network. This is done by setting up a fully functional and trustworthy exit node and start sniffing.”

Source: [scmagazineuk]

Mastercard is testing a smartphone app that uses facial recognition to verify online purchases. Users in the trial can hold their phone up as though taking a selfie to approve transactions.

“The new generation, which is into selfies… I think they’ll find it cool,” the firm’s security expert Ajay Bhalla told CNN.

One security expert told the BBC facial recognition should be complemented with “extra layers of security”.

“Google tried facial recognition on Android phones and there were a lot of problems in the early days”, said Ken Munro, security researcher at Pen Test Partners.

“People realised you could take a photo of somebody and present it to the camera, and the phone would unlock.”

Spoofed

Google admits its facial recognition is “less secure than a pattern, PIN or password” on the website for one of its devices.

Mastercard’s app asks users to blink to prove that they are human, but even this has been spoofed in the past.

Full Story @ [BBC]

Sen. Charles Grassley (R-Iowa) has sent a letter to FBI Director James Comey asking for “more specific information about the FBI’s current use of spyware”. The letter includes a list of highly specific questions about the way the FBI uses remote exploitation capabilities and spyware tools. The letter is related to a current effort by the Department of Justice to get more leeway in the way that its agencies use spyware tools in criminal investigations.

Intelligence agencies and military branches are known to use exploits for zero days in their work, some of which are developed internally and others that are purchased from outside vendors. In 2013, a contract surfaced that showed the NSA had subscribed to a zero-day exploit service run by VUPEN, a French company that develops and sells vulnerability and exploit information. And last month the U.S. Navy published a solicitation for zero days in a variety of popular software.

In addition to the information on exploit usage, Grassley also is asking Comey for more details on the FBI’s phishing operations. Last year, it was reported that the FBI at one point ran an operation that involved setting up a site to impersonate the Associated Press in order to get a target to click on a link that would install a remote monitoring tool. AP officials were indignant at the revelation, saying it undermined the organization’s credibility. In his letter, Grassley asks how many other times the FBI has used this tactic and whether the bureau ever informs the companies it is impersonating.

Full Story @ [threatpost]

In this blog we describe a sophisticated backdoor, called Dino by its creators. We believe this malicious software has been developed by the Animal Farm espionage group, who also created the infamous Casper, Bunny and Babar malware. Dino contains interesting technical features, and also a few hints that the developers are French speaking.

Animal Farm is the security industry’s name for a group of attackers first described by Canada’s Communications Security Establishment (CSE) in a set of slides leaked by Edward Snowden in March 2014. In those slides CSE assess with “moderate certainty” that this group is a French intelligence agency. Since then, several examples of malware created by Animal Farm have been found and publicly documented, in particular:

The connection between those pieces of malware and the group described in CSE slides has been convincingly established, for example by Paul Rascagnères (G Data).

In this blog post we add a new piece to the puzzle with Dino, another malicious program belonging to Animal Farm’s arsenal.

Full Story @ [welivesecurity]

circuit-board-layout

Any system that is connected to the Internet is always subject to threats, no matter how well it is protected. This assumption is well known to any teenager today. No software barriers can fully prevent human errors in a program code or user behavior.

That’s why devices that have functions of special importance, or that contain top-secret information, are usually not connected to the Internet. It is always better to accept inconvenience than face unpleasant consequences. This is how, for example, control systems for large industrial objects or some bank computers are protected.

It may seem that going offline completely will keep any secret safe: if there is no Internet, then there is no data leakage. However, that is not the case. Remote data transfer techniques adopted by secret services long time ago become more accessible each year to ‘commercial’ users. Quite a few spy gadgets at James Bond’s disposal are becoming commonplace today.

Electromagnetic spying

Any operational device that is connected to a power line generates electromagnetic radiation that can be intercepted by proven technologies. Almost half a century ago, state security services of the U.S. and the USSR were concerned with such leakages, and the information that has been obtained since those days is massive. Some parts of the American activity are known under the TEMPEST abbreviation, and some declassified archives reads as good as detective novels.

Despite the long history, new methods of ‘surfing’ electromagnetic waves appear regularly as the electrical equipment evolves. In the past, the weakest links were CRT monitors and unshielded VGA cables that produced electromagnetic noise. Keyboards have become favorite toys for data security researchers over the past few years. The research in this area has been steadily productive. These are just a few examples.

Keystrokes can be remotely tracked with high accuracy at the 67-feet (20-meter) distance by using a homemade device that analyzes the radio spectrum and costs around $5,000. It is interesting to note that the attack is equally effective against common cheap USB keyboards, expensive wireless keyboards with a signal encryption, and built-in notebook keyboards.

All of the devices work on the same principle and generate electromagnetic noise. The difference is stipulated by the signal power, which depends upon the length of the data transmission wire (it is the shortest for notebooks).
(more…)

thorcloud

Although many of the practices I describe here could be used in just about any environment, a few of them are specific to EC2, but even then, you may find ways to map these notions to other cloud environments. Most of these practices revolve around Security Groups. EC2 Security Groups can be thought of in some ways like a VLAN in a traditional network. With Security Groups, you can create firewall settings to block incoming traffic to specific ports for all servers that are members of a specific group. Unlike traditional VLANs, you can create firewall rules within Security Groups that block traffic between members of that group. Servers can be members of multiple Security Groups, although it’s important to know that Security Groups are assigned only when an instance is created—you can’t add or remove Security Groups from an instance after you create it.

Finally, I never store a secret in my userdata file. Often when you spawn a server in EC2, you provide the server with a userdata file. A number of AMIs (Amazon Machine Images—the OS install image you choose) are configured to execute the userdata script. Although in some cases this file is used to pass specific configuration values on to the server, many people (myself included) use the file as a post-install script. In my case, I use it to configure my configuration management system (Puppet) and from that point on let it take over the configuration of the system. What you may not know is that the contents of the userdata script are available via an API call to any user who is on the system throughout the life of the instance. If you use the userdata file to inject any sort of secrets (certificates or SSH private keys, passwords or shared secrets the system uses in its configuration, or anything you wouldn’t want a regular user to see), those secrets will be visible to any user on the system. In fact, if you happen to use Puppet yourself (or otherwise have facter installed on the system), facter itself will return the contents of that userdata script for you.
Handling Secrets

It’s incredibly important to think about how you manage secrets in a cloud environment beyond just the userdata script. The fact is, despite your best efforts, you still often will need to store a private key or password in plain text somewhere on the system. As I mentioned, I use Puppet for configuration management of my systems. I store all of my Puppet configuration within Git to keep track of changes and provide an audit trail if I ever need it. Having all of your configuration in Git is a great practice, but the first security practice I recommend with respect to secrets is to avoid storing any plain-text secrets in your configuration management system. Whenever possible, I try to generate secrets on the hosts that need them, so that means instead of pushing up a GPG or SSH key pair to a server, I use my configuration management system to generate one on the host itself.

Full Story @ [Linux Journal]

cyber_security-locked

Recorded Future, a social media data mining firm backed by the CIA’s venture capital arm, says in a report that login credentials for nearly every federal agency have been posted on open Internet sites for those who know where to look.

Recorded Future identified the possible exposures of login credentials for 47 United States government agencies across 89 unique domains.

As of early 2015, 12 of these agencies, including the Departments of State and Energy, allowed some of their users access to computer networks with no form of two-factor authentication. The presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce.

The findings by Recorded Future were gained using the company’s Web Intelligence Engine which scans more than 680,000 Web sources in seven languages. Recorded Future arms information security teams with real-time threat intelligence so you can proactively defend your organization against cyber attacks.

Source: [Recorded Future]