Security flaws

The 'Great Cannon' Is China's Powerful New Hacking Weapon

The relentless days-long cyberattack on GitHub showed that someone was willing to use hundreds of thousands of innocent internet users to try to take down two single pages set up by an organization fighting Chinese censorship. A group of cybersleuths has discovered that someone is indeed China, as everyone suspected. More importantly, they've also learned that the attack was carried out with a powerful new cyberweapon, whose existence was previously unknown. Researchers at the Citizen Lab—a digital watchdog at the University of Toronto's Munk School of Global Affairs—are calling it the "Great Cannon."

It's a tool essentially capable of monitoring internet traffic and targeting anyone its operators decide to hit, sending back malware or spyware, or using the target to flood another site with traffic. The Great Cannon was used to hijack and redirect internet traffic to flood two GitHub pages, in an unprecedented distributed denial of service, or DDoS, attack.

Localized Tools and Services, Prominent in the Brazilian Underground

In our monitoring of the global threat landscape, we tend to notice that countries sometimes are affiliated with a particular cybercriminal activity. One classic example is Brazil, which is known for its association with banking malware.

As we noted in a previous blog entry, "[O]nline banking theft is especially rampant in the country, whose history of hyperinflation once led to an early adoption of online financial systems and a large online banking community." However, we felt like something was missing. What would explain the growth of these activities in Brazil? Several factors may have contributed to this growth. Another factor may also have contributed to Brazilian cybercrime: the existence of a flexible underground market with different offerings, ranging from banking Trojan development to online fraud training.

In Brazil, it's possible to start a new career in cybercrime armed with only US$500.

Broadband routers: SOHOpeless and vendors don't care

"It is far more common to find routers with critical flaws than without." – Craig Young

"It's sad that end-user education about strong passwords, password safes, and phishing can be undone by something as innocuous as the blinking box in the corner of your room." – Peter Adkins

Introduction

Home and small business router security is terrible. Exploits emerge with depressing regularity, exposing millions of users to criminal activities.

Many of the holes are so simple as to be embarrassing. Hacker gang Lizard Squad crystallised the dangers – and opportunities – presented by router vulnerabilities when, over the Christmas break, they crafted a slick paid denial-of-service stresser service that operated on hacked boxes. A year earlier, security boffins at Team Cymru warned that an unknown gang had popped 300,000 routers in a week, altering the DNS settings to point to malicious web entities.

Scary code of the week: Valve Steam CLEANS Linux PCs (if you're not careful)

Linux desktop gamers should know of a bug in Valve's Steam client that will, if you're not careful, delete all files on your PC belonging to your regular user account.

According to a bug report filed on GitHub, moving Steam's per-user folder to another location in the filesystem and then attempting to launch the client may perform the following heart-stopping command:

rm -rf /*

That means: remove all files recursively, and without stopping, from the root directory down. Assuming the client is run as a normal user, it will delete everything owned by that account – including mounted backup drives and network shares – although it leaves other stuff, such as system files owned by root, intact.

Steam is Valve Software's Swiss-army-knife-like application for downloading and managing collections of computer games, and getting to know fellow players. "I am not sure what happened. I launched Steam. It re-installed itself and everything looked great." The code in question is this in steam.sh:

ASUS router-popping exploit on the loose

ASUS routers contain a vulnerability that turns users into admins, researcher Joshua Drake says. The boxes could be exploited by malicious local users, but not by those on the wider internet, to reroute all users on the network to malicious sites, among other attacks. Drake wrote in an advisory that several popular models were affected, including the RT-N66U and RT-AC66U.

"Currently, all known firmware versions for applicable routers are assumed vulnerable," Drake said. ASUS has been contacted for comment. The unauthenticated command execution vulnerability is located in the infosvr service, which runs as root and listens on UDP broadcast port 9999. The service is designed, Drake said, to simplify router configuration by locating local routers. Admins should remove the remote command execution functionality from infosvr or firewall it off, he said, as beaming passwords to LANs is not a good idea.

Forget the Sony Hack, This Could Be the Biggest Cyber Attack of 2015

On Friday, the FBI officially named North Korea as the party responsible for a cyber attack and email theft against Sony Pictures. The Sony hack saw many studio executives' sensitive and embarrassing emails leaked online. The hackers threatened to attack theaters on the opening day of the offending film, "The Interview," and Sony pulled the plug on the movie, effectively censoring a major Hollywood studio.

The end of "The Interview" is not the end of the world. Technology journalists were quick to point out that, even though the cyber attack could be attributable to a nation-state actor, it wasn't particularly sophisticated. Ars Technica's Sean Gallagher likened it to a "software pipe bomb." The fallout, of course, was limited. And while President Barack Obama vowed to respond to the attack, he also said it was a mistake for Sony to back down. "I think all of us have to anticipate occasionally there are going to be breaches like this."

2015: The Year of Aurora?

Oops. "Fast forward to 2014."

Weather Channel forecast: Bleak, with prolonged XSS

The Weather Channel has dammed a downpour of cross-site-scripting vulnerabilities that soaked three quarters of links on the popular site, security bod Wang Jin says. The website received a tsunami of traffic, with more than a billion unique visitors checking in each month according to Drupal, which noted it was the "highest trafficked Drupal site in existence".

Wang Jin, a doctoral student at Nanyang Technological University, reported the poor conditions to the site administrators, who closed the basic holes affecting tens of thousands of links in late November. Jin said attackers could have whipped up a scripting storm against visitors. "Almost all links under the domain weather.com are (were) vulnerable to XSS attacks," Jin said in an advisory.

"Attackers just need to add script at the end of The Weather Channel's URLs [and] then the scripts will be executed." Jin said 76.3 percent of links were found vulnerable using his homebrew security tool.

EVIL researchers dupe EVERY 32 bit GPG print

Researchers have found collision attacks for 32-bit GPG key IDs, leaving the superseded technology well and truly dead.

Eric Swanson and Richard Klafter used graphics processing units to generate keys whose 32-bit key IDs collide with every key ID in the Web of Trust strong set. The feat took four seconds per key, increasing the chance that human error could land users with attackers' keys. "32 bit key IDs were reasonable 15 years ago but are obsolete now," the duo said in a blog. "Using modern GPUs, we have found collisions for every 32 bit key id in the Web of Trust's strong set. It is easy to generate and publish a key that looks identical if you only use 32 bits when specifying a key." The research did not "break" GPG encryption but did erode its usability and increase the likelihood of human error, they said.

Swanson and Klafter used the Scallion tool to generate keys with the same 32-bit ID, which could compromise users who failed to run further identity checks.

USB coding anarchy: Consider all sticks licked

Thumb drives are so inconsistently manufactured it is all but impossible to know if any unit could be reprogrammed to own computers, researcher Karsten Nohl says. The conditions that determined whether a unit could be hacked varied not only between vendors but also within product lines, because manufacturers buy different hardware components as prices fluctuate.

In a presentation (slides) at the recent PacSec conference in Japan, Nohl and fellow SRLabs researchers Sasha Kribler and Jakob Lell revealed more information about the attacks known as BadUSB. "As long as USB controllers are reprogrammable, USB peripherals should not be shared with others," the team said. "Once infected through USB, malware can use peripherals as a hiding place, hindering system clean up." They examined about 60 chip families from vendors Phison, Alcor, Renesas, ASmedia, Genesys Logic, FTDI, Cypress and Microchip.