In a severe rebuke of one of the biggest suppliers of HTTPS credentials, Google Chrome developers announced plans to drastically restrict transport layer security certificates sold by Symantec-owned issuers following the discovery they have allegedly mis-issued more than 30,000 certificates.
Effective immediately, Chrome plans to stop recognizing the extended validation status of all certificates issued by Symantec-owned certificate authorities, Ryan Sleevi, a software engineer on the Google Chrome team, said Thursday in an online forum. Extended validation certificates are supposed to provide enhanced assurances of a site's authenticity by showing the name of the validated domain name holder in the address bar. Under the move announced by Sleevi, Chrome will immediately stop displaying that information for a period of at least a year. In effect, the certificates will be downgraded to less-secure domain-validated certificates.
More gradually, Google plans to update Chrome to effectively nullify all currently valid certificates issued by Symantec-owned CAs. With Symantec certificates representing more than 30 percent of the Internet's valid certificates by volume in 2015, the move has the potential to prevent millions of Chrome users from being able to access large numbers of sites. What's more, Sleevi cited Firefox data that showed Symantec-issued certificates are responsible for 42 percent of all certificate validations. To minimize the chances of disruption, Chrome will stagger the mass nullification in a way that requires they be replaced over time. To do this, Chrome will gradually decrease the "maximum age" of Symantec-issued certificates over a series of releases. Chrome 59 will limit the expiration to no more than 33 months after they were issued. By Chrome 64, validity would be limited to nine months.
WikiLeaks today dumped a smaller subset of documents from its "Vault 7" collection of files from a CIA software developer server. Yet again, these documents are more important from the perspective of WikiLeaks having them than for showing any revelatory content. The exploits detailed in these new files are for vulnerabilities that have largely been independently discovered and patched in the past. The files also reveal that the CIA likely built one of these tools after seeing a presentation on the exploits of Apple's EFI boot firmware at Black Hat in 2012.
The latest batch of files, dramatically named "DarkMatter" (after one of the tools described in the dump), consists of user manuals and other documentation for exploits targeting Apple MacBooks—including malware that leveraged a vulnerability in Apple's Thunderbolt interface uncovered by a researcher two years ago. Named "Sonic Screwdriver" after the ever-useful tool carried by the fictional Doctor of Doctor Who, the malware was stored on an ordinary Thunderbolt Ethernet adapter. It exploited the Thunderbolt interface to allow anyone with physical access to a MacBook to bypass password protection on firmware and install one of a series of Apple-specific CIA "implants."
The first (and only documented) version of Sonic Screwdriver was released in 2012. It worked only on MacBooks built between late 2011 and mid-2012, and the tool used a vulnerability in the firmware of those computers that allowed commands to be sent via the Thunderbolt adapter to change the "boot path" (the location of the files used to boot the computer). The change would allow a local attacker to boot the targeted MacBook from an external device to install malware that eavesdropped on the computer during normal use. Those implants included "DarkMatter," the predecessor to "QuarkMatter." (QuarkMatter is malware that was revealed in the previous WikiLeaks dump, and it infected the EFI partition of a MacBook's storage device.)
In early 2015, architects of Google's Android mobile operating system introduced a new feature that was intended to curtail the real-time tracking of smartphones as their users traversed retail stores, city streets, and just about anywhere else. A recently published research paper found that the measure remains missing on the vast majority of Android phones and is easily defeated on the relatively small number of devices that do support it.
Like all Wi-Fi-enabled devices, smartphones are constantly scanning their surroundings for available access points, and with each probe, they send a MAC—short for media access control—address associated with the handset. Throughout most of the history of Wi-Fi, the free exchange of MAC addresses didn't pose much threat to privacy. That all changed with the advent of mobile computing. Suddenly MAC addresses left a never-ending series of digital footprints that revealed a dizzying array of information about our comings and goings, including what time we left the bar last night, how many times we were there in the past month, the time we leave for work each day, and the route we take to get there.
Eventually, engineers at Apple and Google realized the potential for abuse and took action. Their solution was to rotate through a sequence of regularly changing pseudo-random addresses when casually probing nearby access points. That way, Wi-Fi devices that logged MAC addresses wouldn't be able to correlate probes to a unique device. Only when a phone actually connected to a Wi-Fi network would it reveal the unique MAC address it was tied to. Apple introduced MAC address randomization in June 2014, with the release of iOS 8. A few months later, Google's Android operating system added experimental support for the measure. Full implementation went live in March 2015 and is currently available in version 5.0 through the current 7.1; those versions account for about two-thirds of the Android user base.
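The distinction the article draws, between a handset's burned-in MAC and a randomized one, can be checked directly from probe-request logs: a randomized address sets the IEEE "locally administered" bit (0x02 in the first octet), while a burned-in address leaves it clear and carries the vendor OUI. The following audit is an added example, not code from the article or the paper it cites; the probe addresses and OUIs in it are constructed.

```python
"""Audit Wi-Fi probe-request source MACs for trackable (non-randomized) addresses.

Added example. It applies the IEEE 802 address rules: bit 0x01 of the first
octet marks a group (multicast/broadcast) address, bit 0x02 marks a locally
administered address, which is the form Android and iOS use for randomized
probe MACs. A globally unique address has both bits clear and reappears
unchanged in every probe, which is what makes the device trackable.
"""
from collections import Counter

# Constructed sample of probe-request source addresses as a sniffer might log
# them; the OUIs are invented and do not belong to any real vendor.
SAMPLE_PROBES = [
    "02:1a:9f:44:c3:10",  # locally administered: randomized
    "06:e3:77:01:ab:cd",  # locally administered: randomized
    "fc:7d:3a:12:34:56",  # global burned-in MAC repeated across probes
    "fc:7d:3a:12:34:56",
    "fc:7d:3a:12:34:56",
    "ff:ff:ff:ff:ff:ff",  # broadcast; not a station address
]


def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into six bytes, rejecting malformed input."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def is_group(mac: str) -> bool:
    return bool(parse_mac(mac)[0] & 0x01)


def is_locally_administered(mac: str) -> bool:
    return bool(parse_mac(mac)[0] & 0x02)


def classify(mac: str) -> str:
    """'group', 'randomized' (locally administered) or 'global' (burned-in)."""
    if is_group(mac):
        return "group"
    return "randomized" if is_locally_administered(mac) else "global"


def audit(probes):
    """Return (count per class, global MACs seen in more than one probe).

    A global MAC that recurs is a device whose probes can be correlated, i.e.
    a phone that is either not randomizing or has already associated.
    """
    counts = Counter(classify(m) for m in probes)
    globals_seen = Counter(m for m in probes if classify(m) == "global")
    trackable = {m: n for m, n in globals_seen.items() if n > 1}
    return counts, trackable


if __name__ == "__main__":
    counts, trackable = audit(SAMPLE_PROBES)
    print(dict(counts))
    for mac, n in trackable.items():
        print(f"trackable: {mac} seen in {n} probes")
```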
The operator of a website that accepts subscriber logins only over unencrypted HTTP pages has taken to Mozilla's Bugzilla bug-reporting service to complain that the Firefox browser is warning that the page isn't suitable for the transmission of passwords.
"Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission," a person with the user name dgeorge wrote here (the link was made private shortly after this post went live). "Please remove it immediately. We have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business."
Around the same time this post was going live, participants of this Reddit thread claimed to hack the site using what's known as a SQL injection exploit. Multiple people claimed that passwords were stored in plaintext rather than the standard practice of using cryptographic hashes. A few minutes after the insecurity first came up in the online discussion, a user reported the database was deleted. Ars has contacted the site operator for comment on the claims, but currently Ars can't confirm them. The site, http://www.oilandgasinternational.com, was displaying content as it did earlier at the time this post was being updated.
Cisco Systems said that more than 300 models of switches it sells contain a critical vulnerability that allows the CIA to use a simple command to remotely execute malicious code that takes full control of the devices. There currently is no fix.
Cisco researchers said they discovered the vulnerability as they analyzed a cache of documents that are believed to have been stolen from the CIA and published by WikiLeaks two weeks ago. The flaw, found in at least 318 switches, allows remote attackers to execute code that runs with elevated privileges, Cisco warned in an advisory published Friday. The bug resides in the Cisco Cluster Management Protocol (CMP), which uses the telnet protocol to deliver signals and commands on internal networks. It stems from a failure to restrict telnet options to local communications and the incorrect processing of malformed CMP-only telnet options.
"An attacker could exploit this vulnerability by sending malformed CMP-specific telnet options while establishing a telnet session with an affected Cisco device configured to accept telnet connections," the advisory stated. "An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device."
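Since the advisory scopes the bug to devices "configured to accept telnet connections" and there is no fix, the practical control is to find vty lines that still accept telnet and restrict them to SSH. The audit below is an added example, not Cisco's code or the advisory's; it parses the IOS configuration syntax (`line vty a b` blocks and their `transport input` statement) from a constructed sample config.

```python
"""Find IOS vty lines that accept telnet and rewrite them to SSH only.

Added example. Parses a running-config text: 'line vty <a> <b>' opens a block
whose indented lines include 'transport input <protocols...>'. A value
containing 'telnet' or 'all' accepts telnet; 'ssh' alone does not. A block
with no 'transport input' is flagged for manual review rather than assumed
safe, because the platform default varies by IOS version.
"""
import re

# Constructed sample config; hostname and line numbering are invented.
SAMPLE_CONFIG = """\
hostname core-sw1
!
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
!
end
"""

VTY_RE = re.match  # alias kept short for readability below


def vty_transports(config: str):
    """Map each (first, last) vty range to its 'transport input' keywords.

    Returns None for a range that never states 'transport input'.
    """
    blocks = {}
    current = None
    for raw in config.splitlines():
        if not raw.startswith(" "):          # unindented: top-level statement
            m = re.match(r"line vty (\d+) (\d+)$", raw.strip())
            current = (int(m.group(1)), int(m.group(2))) if m else None
            if current is not None:
                blocks[current] = None
            continue
        if current is None:
            continue
        m = re.match(r"transport input (.+)$", raw.strip())
        if m:
            blocks[current] = m.group(1).split()
    return blocks


def telnet_exposed(config: str):
    """List (vty range, finding) for lines that accept or may accept telnet."""
    findings = []
    for rng, keywords in vty_transports(config).items():
        if keywords is None:
            findings.append((rng, "no transport input set; verify platform default"))
        elif "telnet" in keywords or "all" in keywords:
            findings.append((rng, "telnet accepted; set 'transport input ssh'"))
    return findings


def enforce_ssh(config: str) -> str:
    """Return the config with every vty 'transport input' restricted to ssh."""
    out = []
    in_vty = False
    for raw in config.splitlines():
        if not raw.startswith(" "):
            in_vty = re.match(r"line vty \d+ \d+$", raw.strip()) is not None
        elif in_vty and raw.strip().startswith("transport input "):
            raw = " transport input ssh"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for rng, note in telnet_exposed(SAMPLE_CONFIG):
        print(f"line vty {rng[0]} {rng[1]}: {note}")
```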
Contestants at this year's Pwn2Own hacking competition in Vancouver just pulled off an unusually impressive feat: they compromised Microsoft's heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in. The hack fetched a prize of $105,000, the highest awarded so far over the past three days.
According to a Friday morning tweet from the contest's organizers, members of Qihoo 360's security team carried out the hack by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel, and an uninitialized buffer vulnerability in VMware. The result was a "complete virtual machine escape."
Last month, Microsoft took the unprecedented step of canceling Patch Tuesday, the company's monthly release of security fixes for its large stable of software products. The move meant that customers had to wait 28 days to receive updates that fixed vulnerabilities that allowed hackers to completely hijack computers and networks.
The last-minute move was all the more unusual because Microsoft made it a few days after exploit code for a Windows 10 flaw was released into the wild. In the nine days that followed the cancellation, technical details for two more serious vulnerabilities—one in Windows and the other in the Edge and Internet Explorer browsers—were also disclosed. Microsoft's security team almost certainly knew the latter two flaws would become public knowledge because Google's Project Zero privately reported the vulnerabilities to Microsoft and the bugs were subject to Google's long-standing 90-day disclosure deadline.
Microsoft finally patched the bugs when Patch Tuesday resumed earlier this week with a release that was unusually big by historical measures. That's good, but customers had still been forced to wait 28 days to get the fixes. And, as already noted, details about at least three of them were already well-known. So far, Microsoft hasn't explained why it canceled February's releases except to say the situation was prompted by an unspecified "last-minute issue." ZDNet writer Mary Jo Foley, meanwhile, said unnamed people speculate that the cancellation was the result of a "problem with Microsoft's build system."
SAN FRANCISCO—The indictment unsealed Wednesday by US authorities against two agents of the Russian Federal Security Service, or FSB, (Dmitry Dokuchaev and Igor Sushchin) and two hackers (Alexsey Belan and Karim Baratov) provides some details of how Yahoo was pillaged of user data and its own technology over a period of more than two years. But at a follow-up briefing at the FBI office here today, officials gave fresh insight into how they think the hack began—with a "spear phishing" e-mail to a Yahoo employee early in 2014.
Malcolm Palmore, the FBI special agent in charge of the bureau’s Silicon Valley office, told Ars in an interview that the initial breach that led to the exposure of half a billion Yahoo accounts likely started with the targeting of a “semi-privileged” Yahoo employee and not top executives. He said social engineering or spear phishing “was the likely avenue of infiltration" used to gain the credentials of an “unsuspecting employee” at Yahoo.
Palmore declined Ars’ request to elaborate during a brief interview inside the San Francisco FBI office, and he would not say whether the government or Yahoo discovered the breach. He also would not say how long the intrusion lasted before it was cut off.
Federal prosecutors charged two Russian intelligence agents with orchestrating a 2014 hack that compromised 500 million Yahoo accounts in a brazen campaign to access the e-mails of thousands of journalists, government officials, and technology company employees.
In a 38-page indictment unsealed Wednesday, the prosecutors said Dmitry Aleksandrovich Dokuchaev, 33, and Igor Anatolyevich Sushchin, 43—both officers of the Russian Federal Security Service—worked with two other men—Alexsey Alexseyevich Belan, 29, and Karim Baratov, 22—who were also indicted. The men gained initial access to Yahoo in early 2014 and began their reconnaissance, the indictment alleged. By November or December, Belan used the file transfer protocol to download part or all of a Yahoo database that contained user names, recovery e-mail accounts, and phone numbers. The user database (UDB) also contained the cryptographic nonces needed to generate the account-authentication browser cookies for more than 500 million accounts.
Belan also downloaded an account management tool (AMT) that Yahoo used to make and track changes to user accounts. Together, the pilfered UDB and AMT allowed Belan, Dokuchaev and Sushchin to locate Yahoo e-mail accounts of interest and to mint authentication cookies needed to access 6,500 accounts without authorization. The accounts belonged to Russian journalists, Russian and US government officials, employees of a prominent Russian security company, and employees of other Internet companies the indicted men wanted to target. Belan and Baratov also used their access to commit additional crimes, including by manipulating Yahoo search results to promote a scam involving erectile dysfunction drugs, stealing electronic gift cards, and sending spam messages to Yahoo users' contacts.
Eight days after developers patched a critical flaw in the Apache Struts Web application framework, there has been no let-up in the volley of attacks attempting to exploit the vulnerability, which affects a disproportionate number of high-impact websites, a security researcher said Tuesday.
As of Tuesday morning, 503 unique IP addresses were attempting to exploit the code execution bug, Jaime Blasco, chief scientist with security firm AlienVault Labs, told Ars. Based on the addresses, the attack origins were most concentrated in China (300 unique IPs), followed by the US (92), Taiwan (71), Hong Kong (15), the Netherlands (9), Russia (4), Canada (3), Italy (3), the UK (3), and Indonesia (3). In an attempt to go undetected, the attackers in many cases have tweaked the two exploits that were being widely used in last week's wave. AlienVault has responded by updating the signatures it uses to detect the attacks.
The five-year-old vulnerability resides in Web applications that were developed using a buggy version of Apache Struts. In many cases, the use of a single such app allows attackers to inject commands of their choice into the Web server hosting it. Like the attacks seen last week, the exploits are being used to infect vulnerable servers with a wide variety of malware.
In filings with the Securities and Exchange Commission today, Yahoo laid out the severance packages for executives that will be leaving the company as it sheds its Internet business chrysalis and emerges as an Alibaba stock-holding company moth called Altaba. Marissa Mayer, Yahoo's chief executive officer, will receive a package of cash, stock, and benefits valued at a total of $23,011,325 at the completion of the deal, according to Yahoo's proxy statement. Of that, $3 million will be in cash.
Lisa Utzschneider, Yahoo's chief revenue officer, will receive a $16,536,363 severance package. Ken Goldman, Yahoo's chief financial officer, will get a $9,478,568 farewell. Yahoo cofounder David Filo will get $15,000 in cash and two years' worth of continued health insurance. Ronald Bell, Yahoo's general counsel, resigned on March 1; he gets no golden parachute.
The proxy statement filing is a preliminary copy of what will be sent to Yahoo shareholders in advance of the as-yet-unannounced special meeting to approve the Verizon acquisition of Yahoo's Internet business—a deal that lost $350 million of its value as the result of a string of data breaches uncovered during audits of Yahoo's systems. Mayer and other Yahoo executives reportedly knew of some of the breaches, which were blamed on a "state actor," well before the acquisition began. But users were still being informed of potential exposure of personal data because of an attacker using cookies forged to bypass user authentication as of February 17.
A commercial malware scanner used by businesses has recently detected an outbreak of malware that came preinstalled on more than three dozen Android devices.
An assortment of malware was found on 38 Android devices belonging to two unidentified companies. This is according to a blog post published Friday by Check Point Software Technologies, maker of a mobile threat prevention app. The malicious apps weren't part of the official ROM firmware supplied by the phone manufacturers but were added later somewhere along the supply chain. In six of the cases, the malware was installed to the ROM using system privileges, a technique that requires the firmware to be completely reinstalled for the phone to be disinfected.
"This finding proves that, even if a user is extremely careful, never clicks a malicious link, or downloads a fishy app, he can still be infected by malware without even knowing it," Check Point Mobile Threat Researcher Daniel Padon told Ars. "This should be a concern for all mobile users."
A pair of damning advisories independently published Wednesday raise serious questions about the security assurances of Confide, a messaging app that's billed as providing "battle tested, military grade" end-to-end encryption and is reportedly being used by individuals inside the US government.
One of the bulletins, published by security firm Quarkslab, warned that current versions of Confide—including those available for Macs, PCs, iPhones, Android devices, and Apple Watches—don't provide true end-to-end encryption at all, at least as that term is commonly defined. Unlike competing secure messaging app Signal—which prevents even authorized insiders from accessing the keys needed to decrypt messages—Confide engineers, or people who hack the Confide service, can easily create keys that can be used to decrypt messages as they're sent in real time.
Quarkslab researcher Jean-Baptiste Bédrune tested Confide and found that the main encryption layer protecting messages in transit is transport layer security (TLS), a protocol that's trivial for authorized people inside Confide to turn off. TLS has faced its share of bypass hacks over the more than two decades it has been in use. In Wednesday's post Bédrune wrote:
The WikiLeaks selective dump of internal files from the CIA's espionage software development organization was accompanied by a press release from Julian Assange that went full-throttle on the dire nature of the CIA's hacking tools. While the documents themselves provide context that contradicts some of Assange's hype, there is certainly a major cause for concern that comes along with the press release: Assange claims that the CIA's tools are being shared "out of control" and may already be in use for nefarious purposes.
In a video statement on Periscope today, Assange asserted that the CIA "lost control of its entire cyber-weapons arsenal. Now, this is a historic act of devastating incompetence to have created such an arsenal and stored it all in one place and not secured it." Assange repeated the claim that WikiLeaks had stumbled upon the archive "as the result of it being passed around a number of different members of the US intelligence community out of control in unauthorized fashion."
When Assange released the first wave of documents, from what is apparently a recent archive from an internal CIA developer collaboration server, he did a number of things that WikiLeaks hasn't done in the past. Perhaps in response to some of the criticism leveled against WikiLeaks from others—including NSA whistleblower Edward Snowden—Assange and WikiLeaks largely redacted personal details of CIA employees from the dump. The group also held back the archives of the tools themselves (publishing instead text files with a list of the archives' contents). Assange has taken the position that this leak is primarily about protecting computer users around the world from the use of the tools that are part of the leak. He also insinuated WikiLeaks had evidence that the CIA spied on US citizens—or at least had implants on systems with US IP addresses.
In a string of attacks that have escalated over the past 48 hours, hackers are actively exploiting a critical vulnerability that allows them to take almost complete control of Web servers used by banks, government agencies, and large Internet companies.
The code-execution bug resides in the Apache Struts 2 Web application framework and is trivial to exploit. Although maintainers of the open source project patched the vulnerability on Monday, it remains under attack by hackers who are exploiting it to inject commands of their choice into Struts servers that have yet to install the update, researchers are warning. Making matters worse, at least two working exploits are publicly available.
"If you run it against a vulnerable application, the result will be the remote execution of commands with the user running the server," Vicente Motos wrote of one of the exploits in a post published late Wednesday afternoon on the Hack Players website. "We have dedicated hours to reporting to companies, governments, manufacturers, and even individuals to patch and correct the vulnerability as soon as possible, but the exploit has already jumped to the big pages of 'advisories,' and massive attempts to exploit the Internet have already been observed."
There are thousands of files in WikiLeaks' dump of data from the Central Intelligence Agency's Engineering Development Group (EDG). This organization within the CIA's Center for Cyber Intelligence is responsible for creating the tools used to hack into digital devices around the world in support of the CIA's mission. The leaked documents come from an Atlassian Confluence server used by the EDG's developers to track and document their projects.
Many of the documents in the dump are unclassified—manuals provided by Lockheed Martin and other vendors, for example. Most are classified at the Secret level, including things as innocuous as a guide to getting started with Microsoft Visual Studio, apparently the preferred development tool of the EDG's Applied Engineering Department (AED). There's also a smattering of meme construction components and animated GIFs of the anime series Trigun.
But a tiny fraction of the data is highly classified, according to document markings. This cache sits at the Top Secret level, and it's marked as "Special Intelligence" (SI) and "NOFORN" (no foreign distribution). Out of the first batch of just over 1,000 documents, there are two paragraphs marked at that level. And those pieces describe minutiae of how the CIA's Network Operations Division wants the cryptographic features of its tools to work and how the CIA obtains and prepares phones for use in its exploit lab.
Two days after researchers exposed a National Security Agency-tied hacking group that operated in secret for more than a decade, CIA hackers convened an online discussion aimed at preventing the same kind of unwelcome attention. The thread, according to a document WikiLeaks published Tuesday, was titled "What did Equation do wrong, and how can we avoid doing the same?"
Equation Group is the name Kaspersky Lab researchers gave to the hacking unit that was responsible for a string of hacks so sophisticated and audacious they were unlike almost any the world had seen before. For 14 years, and possibly longer, the hackers monitored computers in at least 42 countries, sometimes by exploiting the same Microsoft Windows vulnerabilities that would later be exploited by the Stuxnet worm that targeted Iran's nuclear program. The backdoors hid inside hard drive firmware and in virtual file systems, among other dark places, and had their own self-destruct mechanism, making it impossible for outsiders to grasp the true scope of the group's hacks.
Equation Group eventually came to light because of a handful of errors its members made over the years. One was the widespread use of a distinctive encryption function that used the RC5 cipher with negative programming constants rather than with the positive constants favored by most developers. The nonstandard practice made it easier to identify Equation Group tools. Another mistake: failing to scrub variable names, developer account names, and similar fingerprints left in various pieces of Equation Group malware. A third error was the failure to renew some of the domain name registrations Equation Group-infected computers reported to. When Kaspersky Lab obtained the addresses, the researchers were shocked to find some machines infected by a malware platform abandoned more than 10 years earlier were still connecting to it.
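The "negative constants" detail is worth seeing concretely, because it shows why a functionally identical implementation can still be a fingerprint. RC5's key schedule starts from two public magic constants, P and Q; an implementation that stores their two's-complement negations and subtracts them produces exactly the same schedule, but leaves different immediates in the binary. The code below is an added example, not Kaspersky's or Equation Group's code; it assumes that this subtraction form is what the article's phrase refers to, and the byte buffer it scans is constructed.

```python
"""Show that RC5 with negated constants yields the same key schedule, and
fingerprint which constant form a byte buffer contains.

Added example. P and Q are RC5's published 32-bit magic constants
(Rivest, 1994). The standard schedule is S[0] = P, S[i] = S[i-1] + Q; the
negated variant is S[0] = 0 - (-P), S[i] = S[i-1] - (-Q), all mod 2**32.
"""
import struct

P32 = 0xB7E15163   # Odd((e - 2) * 2**32)
Q32 = 0x9E3779B9   # Odd((phi - 1) * 2**32)
MASK32 = 0xFFFFFFFF


def negate32(x: int) -> int:
    """Two's-complement negation in a 32-bit word."""
    return (-x) & MASK32


def key_schedule_init(rounds: int, use_negated: bool = False):
    """Return the initial S table of t = 2*(rounds+1) words.

    With use_negated=True the arithmetic is done the 'negative constant' way;
    the result must be identical to the textbook additive form.
    """
    t = 2 * (rounds + 1)
    if use_negated:
        neg_p, neg_q = negate32(P32), negate32(Q32)
        s = [(0 - neg_p) & MASK32]
        for _ in range(1, t):
            s.append((s[-1] - neg_q) & MASK32)
    else:
        s = [P32]
        for _ in range(1, t):
            s.append((s[-1] + Q32) & MASK32)
    return s


# The four 32-bit values a scanner can look for: the textbook constants and
# their negations. Finding only the negated pair is the nonstandard tell.
CONSTANT_FORMS = {
    "P": P32,
    "Q": Q32,
    "-P": negate32(P32),   # 0x481EAE9D
    "-Q": negate32(Q32),   # 0x61C88647
}


def rc5_constant_forms(buf: bytes):
    """Map each constant form found in buf to (offset, endianness)."""
    found = {}
    for name, value in CONSTANT_FORMS.items():
        for endian in ("<", ">"):
            off = buf.find(struct.pack(endian + "I", value))
            if off != -1:
                found[name] = (off, endian)
                break
    return found


def uses_negated_constants(buf: bytes) -> bool:
    """True when the negated pair is present and the textbook pair is not."""
    forms = rc5_constant_forms(buf)
    return {"-P", "-Q"} <= forms.keys() and not ({"P", "Q"} & forms.keys())


# Constructed sample: a few filler bytes around little-endian -Q and -P, as
# they might sit in an x86 immediate. Not taken from any real binary.
SAMPLE_BUFFER = (b"\x55\x8b\xec" + struct.pack("<I", negate32(Q32))
                 + b"\x00" * 4 + struct.pack("<I", negate32(P32)))

if __name__ == "__main__":
    assert key_schedule_init(12) == key_schedule_init(12, use_negated=True)
    print(rc5_constant_forms(SAMPLE_BUFFER))
    print("negated-constant RC5:", uses_negated_constants(SAMPLE_BUFFER))
```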
This morning, WikiLeaks posted the first of what the organization's spokesperson says is a multi-part series of documents and files from the Central Intelligence Agency. "The first full part of the series, 'Year Zero', comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virgina [sic]," WikiLeaks' spokesperson said in a press release.
The documents, many of them incomplete or redacted, appear to be pulled in part from an internal Wiki, while others appear to have been part of a user file directory. In a move unusual for WikiLeaks, individuals' names have been redacted and replaced with unique identifiers. "These redactions include tens of thousands of CIA targets and attack machines throughout Latin America, Europe, and the United States," WikiLeaks' spokesperson explained in the release. "While we are aware of the imperfect results of any approach chosen, we remain committed to our publishing model and note that the quantity of published pages already eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks."
The documents include instructions for using hacking tools, tips on configuration of Microsoft Visual Studio (classified as Secret/NOFORN), and testing notes for various hacking tools. Among the hacking tools listed are those for iOS, a collection of Android zero-days, and hacking techniques from various sources, including the UK's GCHQ and the National Security Agency. These tools, WikiLeaks claimed, "permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Weibo, Confide, and Cloackman by hacking the 'smart' phones that they run on and collecting audio and message traffic before encryption is applied." That doesn't mean the CIA has broken encryption on those tools—WikiLeaks' claim is based on their ability to "root" those devices.
Shamoon—the mysterious disk wiper that popped up out of nowhere in 2012 and took out more than 35,000 computers in a Saudi Arabian-owned gas company before disappearing—is back. Its new, meaner design has been unleashed three times since November. What's more, a new wiper developed in the same style as Shamoon has been discovered targeting a petroleum company in Europe, where wipers used in the Middle East have not previously been seen.
Researchers from Moscow-based antivirus provider Kaspersky Lab have dubbed the new wiper "StoneDrill." They found it while they were researching the trio of Shamoon attacks, which occurred on two dates in November and one date in late January. The refurbished Shamoon 2.0 added new tools and techniques, including less reliance on outside command-and-control servers, a fully functional ransomware module, and new 32-bit and 64-bit components.
StoneDrill, meanwhile, features an impressive ability to evade detection by, among other things, forgoing the use of disk drivers during installation. To accomplish this, it injects a wiping module into the computer memory associated with the user's preferred browser. StoneDrill also includes backdoor functions that are used for espionage purposes. Kaspersky researchers found four command-and-control panels that the attackers used to steal data from an unknown number of targets. Besides sharing code similarities with Shamoon, StoneDrill also reuses code used in an espionage campaign dubbed "NewsBeef," which targeted organizations around the world.
As the US Republican vice presidential candidate, Mike Pence vigorously chastised Hillary Clinton for using a personal server to send and receive official e-mails while she was Secretary of State. Not only was the arrangement an attempt to escape public accountability, he said, it also put classified information within dangerous reach of hackers.
Now come revelations that Pence routinely used a private AOL account to conduct government business while he was governor of Indiana and that the account was hacked last summer, just months before he turned the heat on his Democratic rival over her personal e-mail server. Use of the AOL account for state business came to light in a 2,100-word article published Thursday evening by The IndyStar. The news outlet based its report on e-mails it received under a public records request. State officials declined to release an unspecified number of e-mails because the state considers them confidential and too sensitive to release to the public.
Pence used the account starting in the mid-1990s and continued using it until it was hijacked in 2016, three years into Pence's four-year tenure as governor, the news outlet reported. The hackers who compromised the account used it to send a scam e-mail to Pence's contacts, falsely claiming that the governor and his wife were stranded in the Philippines and in urgent need of financial assistance. Pence then abandoned that account and opened a new AOL account.