Hacking & Security

Java Reflection API Woes Resurface in Latest Oracle Patches

Threatpost - 15 Říjen, 2014 - 15:55
Oracle's Critical Patch update addresses 154 vulnerabilities, many of which are remotely exploitable. Security Explorations of Poland, meanwhile, published details on a number of Java flaws in the Java Reflection API.
Kategorie: Hacking & Security

Pozor na nový útok POODLE proti SSL 3.0

CSIRT.cz - 15 Říjen, 2014 - 14:33

POODLE útok je nový útok na SSL 3.0 ohrožující Internet. Umožňuje útočníkům rozšifrovat data přenášená přes zabezpečený kanál.

Kategorie: Hacking & Security

XXE Attacks

InfoSec Institute Resources - 15 Říjen, 2014 - 14:15

Introduction XXE (XML External Entity attack) is now increasingly being found and reported in major web applications such as Facebook, PayPal, etc. For instance, a quick look at the recent Bug Bounty vulnerabilities on these sites confirms this. Although XXE has been around for many years, it never really got [...]

The post XXE Attacks appeared first on InfoSec Institute.

Kategorie: Hacking & Security

Microsoft Patches 3 Zero-day Vulnerabilities actively being Exploited in the Wild

The Hacker News - 15 Říjen, 2014 - 14:14
As part of monthly patch update, Microsoft released eight security bulletins on Tuesday that address dozens of vulnerabilities including a zero-day flaw reportedly being exploited by Russian hackers to target NATO computers and a pair of zero-day Windows vulnerabilities that attackers have been exploiting to penetrate major corporations' networks. Just a day before yesterday, our team
Kategorie: Hacking & Security

Chinese Social Media Censorship

InfoSec Institute Resources - 15 Říjen, 2014 - 14:00

1. Introduction In the 3rd century BC, the Chinese Emperor Qin Shihuang attempted to destroy original Confucian texts and killed scholars who had knowledge in those texts. This event is known as “fénshū kēngrú” (in English: the burning of books and burying of scholars). At least since that time, the [...]

The post Chinese Social Media Censorship appeared first on InfoSec Institute.

Kategorie: Hacking & Security

POODLE SSL 3.0 Attack Exploits Widely-used Web Encryption Standard

The Hacker News - 15 Říjen, 2014 - 12:44
Another Heartbleed-like vulnerability has been discovered in the decade old but still widely used Secure Sockets Layer (SSL) 3.0 cryptographic protocol that could allow an attacker to decrypt contents of encrypted connections to websites. Google's Security Team revealed on Tuesday that the most widely used web encryption standard SSL 3.0 has a major security vulnerability that could be exploited
Kategorie: Hacking & Security

What you need to know about the SSLv3 "POODLE" flaw

LinuxSecurity.com - 15 Říjen, 2014 - 12:38
LinuxSecurity.com: Another security vulnerability is hitting the tech (and mainstream!) press, and we want to make Fedora users get straight, simple information. This one is CVE-2014-3466, and the cute nickname of the day is "POODLE".
Kategorie: Hacking & Security

Laura Poitras on the Crypto Tools That Made Her Snowden Film Possible

LinuxSecurity.com - 15 Říjen, 2014 - 11:47
LinuxSecurity.com: As a journalist, Laura Poitras was the quiet mastermind behind the publication of Edward Snowden's unprecedented NSA leak. As a filmmaker, her new movie Citizenfour makes clear she's one of the most important directors working in documentary today. And when it comes to security technology, she's a serious geek.
Kategorie: Hacking & Security

Pozor na pudly. Po Heartbleedu přichází další zranitelnost SSL

Zive.cz - bezpečnost - 15 Říjen, 2014 - 11:14
Inženýři z Googlu objevili další chybu v návrhu SSL ( PDF s podrobnějším popisem ). Nazvali ji POODLE – P adding O racle O n D owngraded L egacy E ncryption, nebo také Poodlebleed, a týká se starého protokolu SSL 3.0, který je už sice dávno překonaný, ale mnoho serverů a prohlížeče jej stále ...
Kategorie: Hacking & Security

The "Sandworm" malware - what you need to know

Sophos Naked Security - 15 Říjen, 2014 - 11:13
Fortunately, the Sandworm malware is a lot easier to deal with than the giant science fiction creature from which it takes its name. In fact, in malware terms, it's not a worm at all. Paul Ducklin takes a look...

Autor Anonaboxu nejspíše mlží a znevažuje projekt anonymizační krabičky

Zive.cz - bezpečnost - 15 Říjen, 2014 - 10:19
V pondělí prolétla internetem zprávička o Anonaboxu – drobném síťovém zařízení s dvojicí ethernetových portů a se zabudovaným Torem. Když tedy do jednoho portu připojíte třeba notebook a do druhého kabel z domácího routeru, krabička veškerou komunikaci a bez dalšího nastavování přesměruje skrze ...
Kategorie: Hacking & Security

The secure smartphone that won’t get you beaten with rubber hoses

Ars Technica - 15 Říjen, 2014 - 10:00

Interest in secure communications is at an all time high, with many concerned about spying by both governments and corporations. This concern has stimulated developments such as the Blackphone, a custom-designed handset running a forked version of Android that's built with security in mind.

But the Blackphone has a problem. The mere fact of holding one in your hand advertises to the world that you're using a Blackphone. That might not be a big problem for people who can safely be assumed to have access to sensitive information—politicians, security contractors, say—but if you're a journalist investigating your own corrupt government or a dissident fearful of arrest, the Blackphone is a really bad idea. Using such a phone is advertising that you have sensitive material that you're trying to keep secret and is an invitation to break out the rubber hoses.

That's what led a team of security researchers to develop DarkMatter, unveiled today at the Hack In The Box security conference in Kuala Lumpur. DarkMatter is a secure Android fork, but unlike Blackphone and its custom hardware, DarkMatter is a secure Android that runs on regular Android phones (including the Galaxy S4 and Nexus 5) and which, at first glance, looks just like it's stock Android. The special sauce of DarkMatter is secure encrypted storage that selected apps can transparently access. If the firmware believes it's under attack, the secure storage will be silently dismounted, and the phone will appear, to all intents and purposes, to be a regular non-secure device.

Read 9 remaining paragraphs | Comments

Kategorie: Hacking & Security

SSL broken, again, in POODLE attack

Ars Technica - 15 Říjen, 2014 - 06:15
Poodle Gothic Redux by Amanda Wray

From the researchers that brought you BEAST and CRIME comes another attack against Secure Sockets Layer (SSL), one of the protocols that's used to secure Internet traffic from eavesdroppers both government and criminal.

Calling the new attack POODLE—that's "Padding Oracle On Downgraded Legacy Encryption"—the attack allows a man-in-the-middle, such as a malicious Wi-Fi hotspot or a compromised ISP, to extract data from secure HTTP connections. This in turn could let that attacker do things such as access online banking or e-mail systems. The flaw was documented by Bodo Möller, Thai Duong, and Krzysztof Kotowicz, all of whom work at Google. Thai Duong, working with Juliano Rizzo, described the similar BEAST attack in 2011 and the CRIME attack in 2012.

The attack depends on the fact that most Web servers and Web browsers allow the use of the ancient SSL version 3 protocol to secure their communications. Although SSL has been superseded by Transport Layer Security, it's still widely supported on both servers and clients alike and is still required for compatibility with Internet Explorer 6. SSLv3, unlike TLS 1.0 or newer, omits validation of certain pieces of data that accompany each message. Attackers can use this weakness to decipher an individual byte and time of the encrypted data, and in so doing, extract the plain text of the message byte by byte.

Read 8 remaining paragraphs | Comments

Kategorie: Hacking & Security

Attacker takes over Facebook page set up for 'Bucket List Baby' Shane, posts porn

Sophos Naked Security - 15 Říjen, 2014 - 02:36
A Facebook page set up to chronicle the extremely short life of a baby with the rare, terminal condition of anencephaly was hijacked within days of the infant's death and set to display lewd images. The parents, who had lost their child mere days before, fell for one of the most vile phishing attacks ever.

New POODLE SSL 3.0 Attack Exploits Protocol Fallback Issue

Threatpost - 15 Říjen, 2014 - 02:13
A new attack on the SSLv3 protocol, disclosed Tuesday, takes advantage of an issue with the protocol that enables a network attacker to recover the plaintext communications of a victim.
Kategorie: Hacking & Security

Microsoft Security Updates October 2014

Kaspersky Securelist - 15 Říjen, 2014 - 00:23

Update (2014.10.15) - administrative notes for preparation... Friends on Twitter let me know their update cycle took close to 20 minutes on Windows 7. Yesterday, others on 8.1 told me their update download was around a gig, for some it was ~200 mb. Also, this cycle likely requires everyone a reboot to complete.

*******

This morning was possibly one of the most information rich in the history of Microsoft's patch Tuesdays. Last month, we pointed out the Aurora Panda/DeputyDog actor was losing an IE 0day being patched, and that seemed unusual. This month, several vulnerabilities abused with 0day exploits by known APT actors are being patched and the actors are being publicly noted. So today Microsoft pushes out eight security bulletins MS14-056 through MS14-063, including three rated critical.

The most interesting of today's vulnerabilities are two that are enabled by Windows functionality, but are useful for spearphishing targets with Office-type data file attachments - an Excel file, PowerPoint Show, Word document, and so on. The first of the two remind us of the Duqu attacksMS14-058 patches yet another kernel level font handling flaw CVE-2014-4148, the same kind of issue seen in the Duqu spearphish exploits. This one is rated critical by Microsoft. No one particular actor has been associated with this attack or exploit just yet.

The Windows OLE vulnerability patched with MS14-060 is surprisingly rated "Important" by Microsoft. The APT known as the "Sandworm team" deployed CVE-2014-4114 in incidents against targets alongside other known exploits. The group was known for deploying new variants of the BlackEnergy bot in cyber-espionage campaigns, hitting geopolitical and military targets. In one incident, the team sent spearphish as a PowerPoint slide deck containing the 0day OLE exploit to Ukrainian government and US academic organizations. When opened, the slides dropped newer variants of BlackEnergy to the victim systems. These newer variants of BlackEnergy maintain functionality dedicated to cyber espionage tasks.The most interesting characteristics of these BlackEnergy trojans are the custom plugins or modules, but that's for a different blog post. Our GReAT researchers Maria Garnaeva and Sergey Lozhkin spoke about interesting BlackEnergy functionality at the May 2014 PHDays conference.

Another group known as Hurricane Panda attempted to exploit CVE-2014-4113 in targeted environments. This escalation of privilege issue can present a real problem in situations where an attacker has gotten in to a network and is attempting to burrow in further. This bug also exists in Windows kernel code, and is patched by the same MS14-058 bulletin mentioned above.

The Internet Explorer update addresses fourteen vulnerabilities, rated critical for IE6 through IE11. They do not affect Server Core installations.

More can be read about October 2014 Microsoft Security Bulletins here.

Uživatelé používající CyanogenMod jsou náchylní k Man-in-the-Middle útokům

CSIRT.cz - 14 Říjen, 2014 - 21:13

Uživatelé Androidu používající oblíbenou ROM třetí strany - CyanogenMod - se mohou stát obětí Man-in-the-Middle (MitM) útoků, patrně kvůli znovu použitému deset let starému Java kódu.

Kategorie: Hacking & Security

Microsoft, Adobe Push Critical Security Fixes

Krebs on Security - 14 Říjen, 2014 - 21:11

Adobe, Microsoft and Oracle each released updates today to plug critical security holes in their products. Adobe released patches for its Flash Player and Adobe AIR software. A patch from Oracle fixes at least 25 flaws in Java. And Microsoft pushed patches to fix at least two-dozen vulnerabilities in a number of Windows components, including Office, Internet Explorer and .NET. One of the updates addresses a zero-day flaw that reportedly is already being exploited in active cyber espionage attacks.

Earlier today, iSight Partners released research on a threat the company has dubbed “Sandworm” that exploits one of the vulnerabilities being patched today (CVE-2014-4114). iSight said it discovered that Russian hackers have been conducting cyber espionage campaigns using the flaw, which is apparently present in every supported version of Windows. The New York Times carried a story today about the extent of the attacks against this flaw.

In its advisory on the zero-day vulnerability, Microsoft said the bug could allow remote code execution if a user opens a specially crafted malicious Microsoft Office document. According to iSight, the flaw was used in targeted email attacks that targeted NATO, Ukrainian and Western government organizations, and firms in the energy sector.

More than half of the other vulnerabilities fixed in this month’s patch batch address flaws in Internet Explorer. Additional details about the individual Microsoft patches released today is available at this link.

Separately, Adobe issued its usual round of updates for its Flash Player and AIR products. The patches plug at least three distinct security holes in these products. Adobe says it’s not aware of any active attacks against these vulnerabilities. Updates are available for Windows, Mac and Linux versions of Flash.

Adobe says users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 15.0.0.189. To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash, although my installation of Chrome says it is up-to-date and yet is still running v. 15.0.0.152 (with no outstanding updates available, and no word yet from Chrome about when the fix might be available).

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.). If you have Adobe AIR installed, you’ll want to update this program. AIR ships with an auto-update function that should prompt users to update when they start an application that requires it; the newest, patched version is v. 15.0.0.293 for Windows, Mac, and Android.

Finally, Oracle is releasing an update for its Java software today that corrects more than two-dozen security flaws in the software. Oracle says 22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Java SE 8 updates are available here; the latest version of Java SE 7 is here.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from Java.com or via the Java Control Panel. I don’t have an installation of Java handy on the machine I’m using to compose this post, but keep in mind that updating via the control panel may auto-select the installation of third-party software, so de-select that if you don’t want the added crapware.

Otherwise, seriously consider removing Java altogether. I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

For Java power users — or for those who are having trouble upgrading or removing a stubborn older version — I recommend JavaRa, which can assist in repairing or removing Java when other methods fail (requires the Microsoft .NET Framework, which also received updates today from Microsoft).

Kategorie: Hacking & Security

Patrně došlo k úniku sedmi miliónů přihlašovacích údajů služby Dropbox

CSIRT.cz - 14 Říjen, 2014 - 21:09

Dlouhá řada hesel ke službě Dropbox údajně unikla a byla publikována online, ale společnost ujišťuje své klienty, že její systémy nebyly narušeny.

Kategorie: Hacking & Security

Fixes for IE, Flash Player in October Patch Tuesday Release

Threatpost - 14 Říjen, 2014 - 21:02
Microsoft posted eight bulletins for Patch Tuesday, three of which are considered critical including a cumulative Internet Explorer update, while Adobe has fixes for Flash Player and ColdFusion.
Kategorie: Hacking & Security
Syndikovat obsah