Posts tagged ‘flash’

Matthew Garrett: This is not the UEFI backdoor you are looking for

This post was syndicated from: Matthew Garrett and was written by: Matthew Garrett. Original post: at Matthew Garrett

This is currently the top story on the Linux subreddit. It links to this Tweet which demonstrates using a System Management Mode backdoor to perform privilege escalation under Linux. This is not a story.

But first, some background. System Management Mode (SMM) is a feature in most x86 processors since the 386SL back in 1990. It allows for certain events to cause the CPU to stop executing the OS, jump to an area of hidden RAM and execute code there instead, and then hand off back to the OS without the OS knowing what just happened. This allows you to do things like hardware emulation (SMM is used to make USB keyboards look like PS/2 keyboards before the OS loads a USB driver), fan control (SMM will run even if the OS has crashed and lets you avoid the cost of an additional chip to turn the fan on and off) or even more complicated power management (some server vendors use SMM to read performance counters in the CPU and adjust the memory and CPU clocks without the OS interfering).

In summary, SMM is a way to run a bunch of non-free code that probably does a worse job than your OS does in most cases, but is occasionally helpful (it’s how your laptop prevents random userspace from overwriting your firmware, for instance). And since the RAM that contains the SMM code is hidden from the OS, there’s no way to audit what it does. Unsurprisingly, it’s an interesting vector to insert malware into – you could configure it so that a process can trigger SMM and then have the resulting SMM code find that process’s credentials structure and change it so it’s running as root.

And that’s what Dmytro has done – he’s written code that sits in that hidden area of RAM and can be triggered to modify the state of the running OS. But he’s modified his own firmware in order to do that, which isn’t something that’s possible without finding an existing vulnerability in either the OS or (or more recently, and) the firmware. It’s an excellent demonstration that what we knew to be theoretically possible is practically possible, but it’s not evidence of such a backdoor being widely deployed.

What would that evidence look like? It’s more difficult to analyse binary code than source, but it would still be possible to trace firmware to observe everything that’s dropped into the SMM RAM area and pull it apart. Sufficiently subtle backdoors would still be hard to find, but enough effort would probably uncover them. A PC motherboard vendor managed to leave the source code to their firmware on an open FTP server and copies leaked into the wild – if there’s a ubiquitous backdoor, we’d expect to see it there.

But still, the fact that system firmware is mostly entirely closed is still a problem in engendering trust – the means to inspect large quantities binary code for vulnerabilities is still beyond the vast majority of skilled developers, let alone the average user. Free firmware such as Coreboot gets part way to solving this but still doesn’t solve the case of the pre-flashed firmware being backdoored and then installing the backdoor into any new firmware you flash.

This specific case may be based on a misunderstanding of Dmytro’s work, but figuring out ways to make it easier for users to trust that their firmware is tamper free is going to be increasingly important over the next few years. I have some ideas in that area and I hope to have them working in the near future.

comment count unavailable comments Tuesday’s security updates

This post was syndicated from: and was written by: ris. Original post: at

CentOS has updated thunderbird (C6; C5: multiple vulnerabilities).

Debian has updated kfreebsd-9 (denial of service) and xen (code execution).

Debian-LTS has updated commons-httpclient (multiple vulnerabilities) and ruby1.8 (man-in-the-middle attack).

Mageia has updated avidemux (multiple vulnerabilities), firefox, thunderbird, sqlite3 (multiple vulnerabilities), moodle (multiple vulnerabilities), php (multiple vulnerabilities), phpmyadmin (two vulnerabilities), and xbmc (denial of service).

openSUSE has updated clamav
(13.2, 13.1: multiple vulnerabilities), docker (13.2: multiple vulnerabilities), and
flash-player (13.2, 13.1: multiple vulnerabilities).

Oracle has updated thunderbird (OL7; OL6: multiple vulnerabilities).

Scientific Linux has updated thunderbird (SL5,6,7: multiple vulnerabilities).

Ubuntu has updated thunderbird
(15.04, 14.10, 14.04, 12.04: multiple vulnerabilities). Security advisories for Monday

This post was syndicated from: and was written by: ris. Original post: at

Arch Linux has updated thunderbird (multiple vulnerabilities).

CentOS has updated thunderbird
(C7: multiple vulnerabilities).

Debian has updated libmodule-signature-perl (multiple vulnerabilities).

Debian-LTS has updated dpkg (integrity-verification bypass), nbd (denial of service), and tiff (multiple vulnerabilities).

Fedora has updated java-1.8.0-openjdk (F21: unspecified
vulnerability), NetworkManager (F21: denial
of service), phpMyAdmin (F21; F20: two vulnerabilities), qemu (F21: code execution), and t1utils (F21; F20: multiple vulnerabilities).

Mageia has updated ruby-rest-client (two vulnerabilities) and virtualbox (code execution).

openSUSE has updated flash-player
(11.4: multiple vulnerabilities), qemu (13.2; 13.1:
code execution), and firefox (11.4: multiple vulnerabilities).

Red Hat has updated thunderbird
(RHEL5,6,7: multiple vulnerabilities).

Slackware has updated thunderbird (multiple vulnerabilities).

SUSE has updated KVM (SLE11SP3:
code execution), qemu (SLE12: two vulnerabilities), and spice (SLE12; SLESDK12: denial of service).

Errata Security: Those expressing moral outrage probably can’t do math

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Many are discussing the FBI document where Chris Roberts (“the airplane hacker”) claimed to an FBI agent that at one point, he hacked the plane’s controls and caused the plane to climb sideways. The discussion hasn’t elevated itself above the level of anti-vaxxers.

It’s almost certain that the FBI’s account of events is not accurate. The technical details are garbled in the affidavit. The FBI is notorious for hearing what they want to hear from a subject, which is why for years their policy has been to forbid recording devices during interrogations. If they need Roberts to have said “I hacked a plane” in order to get a search warrant, then that’s what their notes will say. It’s like cops who will yank the collar of a drug sniffing dog in order to “trigger” on drugs so that they have an excuse to search the car.

Also, security researchers are notorious for being misunderstood. Whenever we make innocent statements about what we “could” do, others often interpret this either as a threat or a statement of what we already have done.

Assuming this scenario is true, that Roberts did indeed control the plane briefly, many claim that this is especially reprehensible because it endangered lives. That’s the wrong way of thinking about it. Yes, it would be wrong because it means accessing computers without permission, but the “endangered lives” component doesn’t necessarily make things worse.

Many operate under the principle that you can’t put a price on a human life. That is false, provably so. If you take your children with you to the store, instead of paying the neighbor $10 to babysit them, then you’ve implicitly put a price on your children’s lives. Traffic accidents near the home are the leading cause of death for children. Driving to the store is a vastly more dangerous than leaving the kids at home, so you’ve priced that danger around $10.

Likewise, society has limited resources. Every dollar spent on airline safety has to come from somewhere, such as from AIDS research. With current spending, society is effectively saying that airline passenger lives are worth more than AIDS victims.

Does pentesting an airplane put passenger lives in danger? Maybe. But then so does leaving airplane vulnerabilities untested, which is the current approach. I don’t know which one is worse — but I do know that your argument is wrong when you claim that endangering planes is unthinkable. It is thinkable, and we should be thinking about it. We should be doing the math to measure the risk, pricing each of the alternatives.

It’s like whistleblowers. The intelligence community hides illegal mass surveillance programs from the American public because it would be unthinkable to endanger people’s lives. The reality is that the danger from the programs is worse, and when revealed by whistleblowers, nothing bad happens.

The same is true here. Airlines assure us that planes are safe and cannot be hacked — while simultaneously saying it’s too dangerous for us to try hacking them. Both claims cannot be true, so we know something fishy is going on. The only way to pierce this bubble and find out the truth is to do something the airlines don’t want, such as whistleblowing or live pentesting.

The systems are built to be reset and manually overridden in-flight. Hacking past the entertainment system to prove one could control the airplane introduces only a tiny danger to the lives of those on-board. Conversely, the current “security through obscurity” stance of the airlines and FAA is an enormous danger. Deliberately crashing a plane just to prove it’s possible would of course be unthinkable. But, running a tiny risk of crashing the plane, in order to prove it’s possible, probably will harm nobody. If never having a plane crash due to hacking is your goal, then a live test on a plane during flight is a better way of doing this than the current official polices of keeping everything secret. The supposed “unthinkable” option of live pentest is still (probably) less dangerous than the “thinkable” options.

I’m not advocating anyone do it, of course. There are still better options, such as hacking the system once the plane is on the ground. My point is only that it’s not an unthinkable danger. Those claiming it is haven’t measure the dangers and alternatives.

The same is true of all security research. Those outside the industry believe in security-through-obscurity, that if only they can keep details hidden and pentesters away from computers, then they will be safe. We inside the community believe the opposite, in Kerckhoff’s Principle of openness, and that the only trustworthy systems are those which have been thoroughly attacked by pentesters. There is a short term cost of releasing vulns in Adobe Flash, because hackers will use them. But the long term benefit is that this leads to a more secure Flash, and better alternatives like HTML5. If you can’t hack planes in-flight, then what you are effectively saying is that our believe in Kerckhoff’s Principle is wrong.

Each year, people die (or get permanently damaged) from vaccines. But we do vaccines anyway because we are rational creatures who can do math, and can see that the benefits of vaccines are a million to one times greater than the dangers. We look down on the anti-vaxxers who rely upon “herd immunity” and the fact the rest of us put our children through danger in order to protect their own. We should apply that same rationality to airline safety. If you think pentesting live airplanes is unthinkable, then you should similarly be able to do math and prove it, rather than rely upon irrational moral outrage.

I’m not arguing hacking airplanes mid-flight is a good idea. I’m simply pointing out it’s a matter of math, not outrage.

Linux How-Tos and Linux Tutorials: Install Linux on a Modern WiFi Router: Linksys WRT1900AC and OpenWrt

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Ben Martin. Original post: at Linux How-Tos and Linux Tutorials

linksyswrt1900ac router

The Linksys WRT1900AC is a top-end modern router that gets even sweeter when you unleash Linux on it and install OpenWrt. OpenWrt includes the opkg package management system giving you easy access to a great deal of additional open source software to use on your router. If you want the pleasure of SSH access on your router, the ability to use iptables on connections passing through it, and the ability to run various small servers on it, the Linksys WRT1900AC and OpenWrt are a powerful combination.

From a hardware perspective, the Linksys WRT1900AC includes simultaneous dual band with support for 802.11n (2.4 GigaHertz) up to 600 Megabytes per second and 802.11ac (5 GHz) up to 1.3 Gigabytes per second. This lets you connect your older devices to 802.11n and newer hardware can take advantage the greater speed and less congested 802.11ac signal.

The router has a dual-core Marvell Armada 370/XP CPU with 256 MB of RAM and 128 MB of flash storage. You can also attach more storage to the WRT1900AC using its USB 3.0 and eSATA ports. When using OpenWrt you might also like to attach a webcam and printer to the router. The Linksys WRT1900AC has a 4 port gigabit switch and a gigabit upstream WAN port.

Initial setup

The stock firmware that comes with the Linksys WRT1900AC uses a very simple four-step procedure for initial setup. I only partially followed the recommended setup steps.

Step 1: Connect the antennae and power.

Step 2: Connect your upstream “Internet” link to the appropriate port on the router.

Step 3: Connect to the wifi signal from the router. You are given a custom wireless network name and password which appears to be set differently for each individual router. This step 3 nicely removes the security vulnerability inherent in initial router setup, because your router will have a custom password right from the first time you power it on.

Step 4: Log in to and setup the router.

Instead of directly connecting to the Internet port, I used one of the 4 gigabit switch ports to attach the router to the local LAN. This made using the website at step 4 not work for me. I could create an account on the smartwifi site, but it wanted me to be connected through the wifi router in order to adjust the settings.

You can however set up the router without needing to use any remote websites. The Linksys will appear at and connecting a laptop to the wifi router and manually forcing the laptop’s IP address to allowed me to access the router configuration page. At that stage the Connectivity/Local Network page lets you set the IP address of the router to be something that will fit into your LAN in a non conflicting manner (and on the subnet you are using) and also disable the DHCP server if you already have one configured.

The initial screen I got when I was connecting directly using again wanted to take me off to a remote website, though you can click through to avoid having to do that if you want.

I tried to attach a 120 GB SanDisk Extreme SSD to test eSATA storage. Unfortunately ext4 is not a supported filesystem for External Storage in the stock firmware. It could see /dev/sda1 but 0 kilobytes used of 0 kb total space. Using a 16 GB flash pen drive formatted to FAT filesystem was fine; the ftp service was started and the drive showed up as a Samba share, too.

Switching over to OpenWrt

At the time of writing the options for installing OpenWrt on the device were changing. There were four images which offered Linux kernel version 3.18 or 4.0 and some level of extra fixes and updates depending on the image you choose. I used Kaloz’s evolving snapshots of trunk linked at openwrt_wrt1900ac_snapshot.img.

Flashing the image onto the router is very simple as you use the same web interface that is used to manually install standard firmware updates. The fun, and moments of anxiety that occur after the router reboots are familiar to anyone who has ever flashed a device.

When the router reboots you will not have any wifi signals at all from it. The router will come up at a default IP address of The easiest method to talk to the router is to use a laptop and force the ethernet interface to an address of Using a trunk distribution of OpenWrt you are likely not to have a useful web interface on the router. Visiting will likely show an empty web server with no files.

When falling back to trying to do an SSH or network login to the router, another little surprise awaits. Trying to SSH into the router showed that a connection was possible but I was unable to connect without any password. Unfortunately, OpenWrt sets the default password to nothing, creating a catch-22 with SSH not allowing a login with no password, so connection seemed impossible. The saving grace is that telnet is also running on the router and after installing the telnet client on the laptop I could login without any password without any issue. Gaining access to the router again was a tremendous relief.

In the telnet session you can use the passwd command to set a password and then you should be able to login using SSH. I opted to test the SSH login while the telnet session was still active so that I had a fallback in case login failed for some reason.

To make the web interface operational you will have to install the LuCI package. The below commands will do that for you. If you need to use a proxy to get to the Internet the http_proxy, https_proxy, and ftp_proxy environment variables will be of use. Again you might run into a little obstacle here, with the router on the subnet it might not be able to talk with your existing network if it is on the often used subnet. I found that manually forcing the IP address to a 192.168.0.X address using ifconfig on br-lan changed the address for bridged ports and everything moved to that subnet. This is not a permanent change, so if it doesn’t work rebooting the router gets you back to again. It is easy to change this for good using LuCI once you have that installed.

export http_proxy=
opkg update
opkg install luci

Once you have LuCI installed the rest of the router setup becomes point and click by visiting the web server on your router. To enable WiFi signals, go to the Network/Wifi page which gives you access to the two radios, one for 2.4 Ghz and the newer 5 Ghz 802.11nac standard. Each radio will be disabled by default. Oddly, I found that clicking edit for a radio and scrolling down to the Interface Configuration and the Wireless Security page, the default security was using “No Encryption.” I would have thought WPA2-PSK was perhaps a better default choice. So getting a radio up and running involved setting an ESSID, checking the Mode (I used Access Point), and setting the Wireless Security to something other than nothing and setting a password.

Many of the additional features you might install with opkg also have a LuCI support package available. For example, if you want to run a DLNA server on the Linksys WRT1900AC the minidlna package is available, and a luci-app-minidlna package will let you manage the server right from the LuCI web interface.

opkg install minidlna
opkg install luci-app-minidlna

Although the Linksys WRT1900AC has 128 MB of flash storage, it is broken up into many smaller partitions. The core /overlay partition had a size of only 24.6 MB with /tmp/syscfg being another 30 MB partition of which only around 300 KB was being used. While this provides plenty of space to install precompiled software, there isn’t enough space to install gcc onto the Linksys WRT1900AC/OpenWrt installation. I have a post up asking if there is a simple method to use more of the flash on the Linksys WRT1900AC from the OpenWrt file system. Another method to gain more space on an OpenWrt installation is to use an extroot, where the main system is stored on external storage. Perhaps with the Linksys WRT1900AC this could be a partition on an eSATA SSD.

If you don’t want to use extroot right away, another approach is to use another ARM machine that is running a soft floating point distribution to compile static binaries. Those can be transferred over using rsync to the OpenWrt installation on the Linksys WRT1900AC. An ARM machine is either using soft or hard floating point, and generally everything is compiled to work with one or the other. To see which version of floating point your hardware is expecting you can use the readelf tool to sniff at a few existing binaries as shown below. Note the soft-float ABI line in the output.

root@linksys1900ac:~# readelf -a /bin/bash|grep ABI
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Flags:                             0x5000202, has entry point, Version5 EABI, soft-float ABI

I tried to get push button WPS setup to work from OpenWrt without success. I had used that feature under the standard firmware so it is able to work and makes connecting new devices to the router much simpler.

I also notice that there are serial TTL headers on the Linksys WRT1900AC and a post shows a method to reflash the firmware directly from uboot. I haven’t tried this out, but it is nice to see as a possible final ditch method to resurrect a device with non functioning firmware.

Another useful thing is to set up users other than root to use on the OpenWrt installation so that you have less risk of interrupting normal router activity. You might like to install that shadow utils and sudo in order to do this as shown below:

  root@wrt1900ac:/dev# opkg install sudo
  root@wrt1900ac:/dev# opkg install shadow-useradd shadow-groupadd
  root@wrt1900ac:/dev# sudo -u ben bash

I found that the fan came on when the Linksys WRT1900AC was booting into OpenWrt. The fan was turned off again soon after. The temperature readings are available using the sensors command as shown below.

root@wrt1900ac:~# sensors 
Adapter: mv64xxx_i2c adapter
ddr:          +52.8 C  
wifi:         +55.1 C  
Adapter: Virtual device
cpu:          +61.7 C  


Using an LG G3 phone with Android 5, the Wifi Network Analyzer app indicated a speed of 433 Mbps with the phone about a foot from the router. That speed dropped back to around 200Mbps when I moved several rooms away. The same results were given using the stock firmware and the OpenWrt image.

Running iperf (2.0.5) on the OpenWrt installation and a Mid 2012 Macbook Air gave a Bandwidth of 120 Mbps. The same client and server going through a DLink DIR-855 at a similar distance on 5 Ghz gave only 82 Mbps. Unfortunately the Mac only has wifi-n on it as wifi-ac was added to the next year’s model.

The LG G3 running Android 5 connected to the wifi-ac network using the iperf app could get 102 Mbps. These tests where run by starting the server with ‘-s’ and the client with ‘-c server-ip-address’. The server which was running on the Linksys WRT1900AC/OpenWrt machine chose a default of 85 kb TCP window size for these runs. Playing with window sizes I could get about 10 percent additional speed on the G3 without too much effort.

I connected a 120 GB SanDisk Extreme SSD to test the eSATA performance. For sequential IO Bonnie++ could write about 89 Mbps and read 148 Mbps and rewrite blocks at about 55 Mbps. Overall 5,200 seeks/s were able to be done. This compares well for read and rewrite with the eSATA on the Cubox which got 150 Mbps and 50  Mbps respectively. The Cubox could write at 120  Mbps which is about 35 percent faster than the Linksys WRT1900AC. This is using the same ext4 filesystem on both machines, the drive was just moved to each new machine.

bonnie++ -n 0 -f -m Linksys1900ac -d `pwd` 

OpenSSL performance for digests was in a similar ballpark to the BeagleBone Black and CuBox i4Pro. For ciphers the story was very different depending on which algorithm was used, DES and AES-256 were considerably slower than other ARM machines, whereas Blowfish and Cast ran at similar speeds to many other ARM CPUs. For 1,024 bit RSA signatures the Linksys WRT1900AC was around 25-30 percent the performance of the more budget ARM CPUs.

digests linksys router  

ciphers linksys router

rsa sign Linksys router

Final Thoughts

It is great to see that LuCI gives easy access to the router features and even has “app” packages to let you configure some of the additional software that you might like to install on your OpenWrt device. OpenWrt images for the Linksys WRT1900AC are a relatively recent development. Once a recommended stable image with LuCI included is released it should mitigate some of the tense moments that reflashing can present at the moment. The 177+ pages on the OpenWrt forum for the Linksys WRT1900AC are testament to the community interest in running OpenWrt on the device.

It is wonderful to see the powerful hardware that the Linksys WRT1900AC provides being able to run OpenWrt. The pairing of Linux/FLOSS and contemporary hardware lets you customize the device to fit your usage needs. Knowing that you can not only SSH in but that rsync is ready for you and that your programming language of choice can be installed on the device for those little programs that you want to have available all the time but don’t really want to leave a machine on in order to do. There are also some applications which work well on the router itself, for example, packet filtering. A single policy on the router can block tablets and phones from connecting to your work machines.

We would like to thank Linksys for providing the WRT1900AC hardware used in this article. Friday’s security updates

This post was syndicated from: and was written by: n8willis. Original post: at

Arch Linux has updated wireshark-cli (multiple vulnerabilities), wireshark-gtk (multiple vulnerabilities), and wireshark-qt (multiple vulnerabilities).

SUSE has updated flash-player (SLE12: multiple vulnerabilities). Security advisories for Wednesday

This post was syndicated from: and was written by: ris. Original post: at

Arch Linux has updated firefox (multiple vulnerabilities) and tomcat6 (denial of service).

CentOS has updated firefox (C7; C6:
multiple vulnerabilities), kexec-tools (C7:
file overwrites), pcs (C7; C6: privilege escalation), tomcat (C7: HTTP request smuggling), and tomcat6 (C6: HTTP request smuggling).

Debian has updated quassel (SQL injection).

Fedora has updated clamav (F20:
multiple vulnerabilities), dpkg (F21; F20: two
vulnerabilities), kernel (F21: two
vulnerabilities), texlive (F21: predictable
filenames), and wpa_supplicant (F20: code execution).

Gentoo has updated ettercap (multiple vulnerabilities).

Mageia has updated dnsmasq
(information disclosure), flash-player-plugin (multiple vulnerabilities), hostapd (denial of service), netcf (denial of service), pam (two vulnerabilities), and testdisk (multiple vulnerabilities).

Oracle has updated firefox (OL7; OL5:
multiple vulnerabilities), kernel (OL7: two
vulnerabilities), kexec-tools (OL7: file
overwrites), tomcat (OL7: HTTP request
smuggling), and tomcat6 (OL6: HTTP request smuggling).

Red Hat has updated firefox
(RHEL5,6,7: multiple vulnerabilities), flash-plugin (RHEL5,6: multiple
vulnerabilities), java-1.6.0-ibm (RHEL5,6:
multiple vulnerabilities), java-1.7.0-ibm
(RHEL5: multiple vulnerabilities), kernel
(RHEL7: privilege escalation), kernel-rt (RHEL7; RHEMRG2.5:
privilege escalation), kexec-tools (RHEL7:
file overwrites), kvm (RHEL5: code
execution), pcs (RHEL7; RHEL6: privilege escalation), qemu-kvm
(RHEL7; RHEL6: code execution), qemu-kvm-rhev (RHEL7, RHEL6,
RHEL OSP4,5,6: code execution), tomcat
(RHEL7: HTTP request smuggling), tomcat6
(RHEL6: HTTP request smuggling), and xen
(RHEL5: code execution).

Scientific Linux has updated kvm
(SL5: code execution) and xen (SL5: code execution).

Slackware has updated mozilla (multiple vulnerabilities).

SUSE has updated php5 (SLE12:
multiple vulnerabilities).

Krebs on Security: Adobe, Microsoft Push Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Microsoft today issued 13 patch bundles to fix roughly four dozen security vulnerabilities in Windows and associated software. Separately, Adobe pushed updates to fix a slew of critical flaws in its Flash Player and Adobe Air software, as well as patches to fix holes in Adobe Reader and Acrobat.

brokenwindowsThree of the Microsoft patches earned the company’s most dire “critical” rating, meaning they fix flaws that can be exploited to break into vulnerable systems with little or no interaction on the part of the user. The critical patches plug at least 30 separate flaws. The majority of those are included in a cumulative update for Internet Explorer. Other critical fixes address problems with the Windows OS, .NET, Microsoft Office, and Silverlight, among other components.

According to security vendor Shavlik, the issues address in MS15-044 deserve special priority in patching, in part because it impacts so many different Microsoft programs but also because the vulnerabilities fixed in the patch can be exploited merely by viewing specially crafted content in a Web page or a document. More information on and links to today’s individual updates can be found here.

Adobe’s fix for Flash Player and AIR fix at least 18 security holes in the programs. Updates are available for Windows, OS X and Linux versions of the software. Mac and Windows users, the latest, patched version is v. 

If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to the latest version. To force the installation of an available update, click the triple bar icon to the right of the address bar, select “About Google” Chrome, click the apply update button and restart the browser.


The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

If you run Adobe Reader, Acrobat or AIR, you’ll need to update those programs as well. Adobe said it is not aware of any active exploits or attacks against any of the vulnerabilities it patched with today’s releases.

Linux How-Tos and Linux Tutorials: Build Your Own Linux Distro

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Linux How-Tos and Linux Tutorials. Original post: at Linux How-Tos and Linux Tutorials

There are hundreds of actively maintained Linux distributions. They come in all shapes, sizes and configurations. Yet there’s none like the one you’re currently running on your computer. That’s because you’ve probably customised it to the hilt – you’ve spent numerous hours adding and removing apps and tweaking aspects of the distro to suit your workflow.

Wouldn’t it be great if you could convert your perfectly set up system into a live distro? You could carry it with you on a flash drive or even install it on other computers you use.


Read more at LinuxVoice. Friday’s security updates

This post was syndicated from: and was written by: n8willis. Original post: at

Arch Linux has updated php (multiple vulnerabilities).

Debian-LTS has updated tzdata (unspecified vulnerability).

Gentoo has updated adobe-flash (multiple vulnerabilities) and xorg-server (multiple vulnerabilities).

openSUSE has updated icecast
(13.1, 13.2:denial of service) and ntop (13.1, 13.2: cross-site scripting).

Red Hat has updated java-1.8.0-oracle (RHEL6,7: multiple vulnerabilities), novnc (RHEL6 OSP; RHEL7 OSP: VNC session hijacking),
openstack-foreman-installer (RHEL6
OSP: root command execution),
openstack-glance (RHEL6 OSP; RHEL7 OSP: denial of service),
openstack-nova (RHEL6 OSP; RHEL7 OSP: multiple vulnerabilities),
openstack-packstack, openstack-puppet-modules (RHEL6 OSP; RHEL7 OSP: root command execution),
openstack-swift (RHEL6 OSP; RHEL7 OSP: metadata constraint bypass),
python-django-horizon, python-django-openstack-auth (RHEL6 OSP; RHEL7 OSP: denial of service), and
redhat-access-plugin-openstack (RHEL6 OSP; RHEL7 OSP: information disclosure).

Ubuntu has updated apport
(14.04, 14.10: privilege escalation). Security updates for Thursday

This post was syndicated from: and was written by: jake. Original post: at

Debian has updated gst-plugins-bad0.10 (code execution), inspircd (code execution from 2012), movabletype-opensource (code execution), and
ppp (denial of service).

Debian-LTS has updated ruby1.9.1
(three vulnerabilities).

Mageia has updated java-1.7.0-openjdk (multiple vulnerabilities),
mono (three SSL/TLS vulnerabilities), and
python-dulwich (two code execution flaws).

openSUSE has updated flash-player
(11.4: 45 vulnerabilities) and rubygem-rest-client (13.2, 13.1: plaintext
password logging).

Oracle has updated java-1.6.0-openjdk (OL5: unspecified
vulnerabilities) and java-1.7.0-openjdk
(OL5: unspecified vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple
vulnerabilities), java-1.6.0-openjdk
(RHEL5,6&7: multiple vulnerabilities), java-1.7.0-openjdk (RHEL5; RHEL6&7: multiple vulnerabilities), and java-1.8.0-openjdk (RHEL6&7: multiple vulnerabilities).

Scientific Linux has updated java-1.6.0-openjdk (SL5,6&7: multiple
vulnerabilities), java-1.7.0-openjdk (SL5; SL6&7: multiple vulnerabilities), and java-1.8.0-openjdk (SL6&7: multiple vulnerabilities).

SUSE has updated flash-player
(SLE11SP3: 22 vulnerabilities).

SANS Internet Storm Center, InfoCON: green: Exploit kits (still) pushing Teslacrypt ransomware, (Thu, Apr 16th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Teslacrypt is a form of ransomware that was first noted in January of this year [1]. This malware apparently targets video game-related files [2, 3, 4]. Ive seen Teslacrypt dropped by the Sweet Orange exploit kit (EK) [5], and its also been dropped by Nuclear EK [6]. McAfee saw it dropped by Angler EK last month [2].

I saw it again on Wednesday2015-04-15 from Nuclear EK. Lets take a look at the traffic. The image below from Wireshark shows Nuclear EK traffic being generated from a compromised WordPress site. Nuclear is hosted on a domain. ” />
Shown above: Wiresharkdisplay on some of this infection traffic. Click on the image above for a larger image.

A pcap of the above traffic is available at:

Nuclear hasnt changed dramatically from the last time we looked into it in December 2014 [7]. The traffic patterns are very similar. ” />

Next, Nuclear EK sent a Flash exploit. ” />

Finally, Nuclear EK sent the malware payload. Like last time, Nuclear EK obfuscated the payload by XOR-ing the binary with an ASCII string. ” />

Here” />

And heres the browser window that appeared when the user looked into making” />

The bitcoin address for the ransom payment is: 1FracxPs9n7pGFRqV1F61YXVr2AqWi52fs

When I first checked, no transactions had been made to that bitcoin address. Dont know if thats still the case, but anyone can check here:

The image belowshows where the malware payload copies itself. It alsothe registry key updated to keep the malware persistent on the system. This malware is available on at the following link: ” />

Snort signatures (Cisco/Talos) that triggered on theTeslacrypt traffic:

  • [1:33893:1] MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication

EmergingThreats and ETPRO signatures that triggeredon the Teslacrypt traffic:

  • ET TROJAN Win32/Teslacrypt Ransomware HTTP CnC Beacon M1 (sid:2020717)
  • ET TROJAN Win32/Teslacrypt Ransomware HTTP CnC Beacon M2 (sid:2020718)
  • ETPRO TROJAN Win32/Teslacrypt Ransomware HTTP CnC Beacon Response (sid:2810074)

If your computer becomes infected with Teslacrypt, what should you do? Those files may be lost if you dont have a backup. Even if you pay the ransom, theres no guarantee youll receive the decryption key.

As always, your best defense is regularly backing up your data. If not, you could find yourself at the mercy of this (or other) ransomware.

Brad Duncan, Security Researcher at Rackspace
Blog: – Twitter: @malware_traffic



(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License. Security advisories for Wednesday

This post was syndicated from: and was written by: ris. Original post: at

CentOS has updated java-1.6.0-openjdk (C7; C6; C5: multiple vulnerabilities), java-1.7.0-openjdk (C7; C6; C5: multiple vulnerabilities), and java-1.8.0-openjdk (C7; C6: multiple vulnerabilities).

Debian-LTS has updated libvncserver (multiple vulnerabilities) and libx11 (code execution).

Mageia has updated arj (multiple vulnerabilities), asterisk (SSL server spoofing), flash-player-plugin (multiple vulnerabilities), glusterfs (denial of service), librsync (file checksum collision), ntp (two vulnerabilities), qemu (denial of service), quassel (denial of service), shibboleth-sp (denial of service), socat (denial of service), tor (denial of service), and wesnoth (information leak).

Oracle has updated java-1.6.0-openjdk (OL6: multiple
vulnerabilities), java-1.7.0-openjdk (OL6:
multiple vulnerabilities), and java-1.8.0-openjdk (OL6: multiple vulnerabilities).

Red Hat has updated flash-plugin
(RHEL5,6 Supplementary: multiple vulnerabilities).

SUSE has updated Adobe Flash
(SLEWE12, SLED12: multiple vulnerabilities).

Krebs on Security: Critical Updates for Windows, Flash, Java

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Get your patch chops on people, because chances are you’re running software from Microsoft, Adobe or Oracle that received critical security updates today. Adobe released a Flash Player update to fix at least 22 flaws, including one flaw that is being actively exploited. Microsoft pushed out 11 update bundles to fix more than two dozen bugs in Windows and associated software, including one that was publicly disclosed this month. And Oracle has an update for its Java software that addresses at least 15 flaws, all of which are exploitable remotely without any authentication.

brokenflash-aAdobe’s patch includes a fix for a zero-day bug (CVE-2015-3043) that the company warns is already being exploited. Users of the Adobe Flash Player for Windows and Macintosh should update to Adobe Flash Player (the current versions other OSes is listed in the chart below).

If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to version

Google has an update available for Chrome that fixes a slew of flaws, and I assume it includes this Flash update, although the Flash checker pages only report that I now have version 17.0.0 installed after applying the Chrome update and restarting (the Flash update released last month put that version at, so this is not particularly helpful). To force the installation of an available update, click the triple bar icon to the right of the address bar, select “About Google” Chrome, click the apply update button and restart the browser.

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

brokenwindowsMicrosoft has released 11 security bulletins this month, four of which are marked “critical,” meaning attackers or malware can exploit them to break into vulnerable systems with no help from users, save for perhaps visiting a booby-trapped or malicious Web site. Then Microsoft patches fix flaws in Windows, Internet Explorer (IE), Office, and .NET

The critical updates apply to two Windows bugs, IE, and Office. .NET updates have a history of taking forever to apply and introducing issues when applied with other patches, so I’d suggest Windows users apply all other updates, restart and then install the .NET update (if available for your system).

Oracle’s quarterly “critical patch update” plugs 15 security holes. If you have Java installed, please update it as soon as possible. Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. In the past, updating via the control panel auto-selected the installation of third-party software, so be sure to look for any pre-checked “add-ons” before proceeding with an update through the Java control panel. Also, Java 7 users should note that Oracle has ended support for Java 7 after this update. The company has been quietly migrating Java 7 users to Java 8, but if this hasn’t happened for you yet and you really need Java installed in the browser, grab a copy of Java 8. The recommended version is Java 8 Update 40.

javamessOtherwise, seriously consider removing Java altogether. I have long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with  JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.

Schneier on Security: Two Thoughtful Essays on the Future of Privacy

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Paul Krugman argues that we’ll give up our privacy because we want to emulate the rich, who are surrounded by servants who know everything about them:

Consider the Varian rule, which says that you can forecast the future by looking at what the rich have today — that is, that what affluent people will want in the future is, in general, something like what only the truly rich can afford right now. Well, one thing that’s very clear if you spend any time around the rich — and one of the very few things that I, who by and large never worry about money, sometimes envy — is that rich people don’t wait in line. They have minions who ensure that there’s a car waiting at the curb, that the maitre-d escorts them straight to their table, that there’s a staff member to hand them their keys and their bags are already in the room.

And it’s fairly obvious how smart wristbands could replicate some of that for the merely affluent. Your reservation app provides the restaurant with the data it needs to recognize your wristband, and maybe causes your table to flash up on your watch, so you don’t mill around at the entrance, you just walk in and sit down (which already happens in Disney World.) You walk straight into the concert or movie you’ve bought tickets for, no need even to have your phone scanned. And I’m sure there’s much more — all kinds of context-specific services that you won’t even have to ask for, because systems that track you know what you’re up to and what you’re about to need.

Daniel C. Dennett and Deb Roy look at our loss of privacy in evolutionary terms, and see all sorts of adaptations coming:

The tremendous change in our world triggered by this media inundation can be summed up in a word: transparency. We can now see further, faster, and more cheaply and easily than ever before — and we can be seen. And you and I can see that everyone can see what we see, in a recursive hall of mirrors of mutual knowledge that both enables and hobbles. The age-old game of hide-and-seek that has shaped all life on the planet has suddenly shifted its playing field, its equipment and its rules. The players who cannot adjust will not last long.

The impact on our organizations and institutions will be profound. Governments, armies, churches, universities, banks and companies all evolved to thrive in a relatively murky epistemological environment, in which most knowledge was local, secrets were easily kept, and individuals were, if not blind, myopic. When these organizations suddenly find themselves exposed to daylight, they quickly discover that they can no longer rely on old methods; they must respond to the new transparency or go extinct. Just as a living cell needs an effective membrane to protect its internal machinery from the vicissitudes of the outside world, so human organizations need a protective interface between their internal affairs and the public world, and the old interfaces are losing their effectiveness.

TorrentFreak: Pirate Bay Clone Offloads Banking Trojan Via WordPress Blogs

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

openbayAfter the Pirate Bay was raided last December hundreds of clones appeared online.

Many of these sites used the open source “Open Bay” project, which allows people to set up their own clone in just a few clicks.

Now, several months later one of the clones has gone rogue. As reported by Malwarebytes, several compromised WordPress blogs are being injected with an iframe that loads

At first sight this seems odd, since the site looks just like any other Open Bay clone. However, this one is being used to offload a rather dangerous exploit kit.

“We found the real reason behind this pretty quickly. The Pirate Bay clone is actively pushing the Nuclear exploit kit with an iframe and will infect vulnerable visitors via drive-by download attacks,” Malwarebytes senior security researcher Jérôme Segura writes.


The malicious content is passed on to users’ computers via a known Flash exploit. The payload being pushed by the Pirate Bay clone is linked to a banking trojan.

Interestingly, most other sites relying on the Open Bay project are experiencing issues as well. The main site is currently down, and other clones don’t have any content.

TF asked the people behind the Open Bay project for a comment and we will update this article if we hear back. For now, we haven’t heard any reports indicating that more Pirate Bay clones are pushing exploit kits.

At the time of writing it’s still unclear how the iframe is being injected into the WordPress sites. A likely explanation appears to be outdated WordPress code or an old plugin.

People are advised to avoid the compromised Pirate Bay clone directly and WordPress users should make sure that they’re running the latest version of the blogging platform.

“To avoid getting their sites hacked, WordPress users need to check that they are running the latest WP install and that all their plugins are up to date,” Jérôme Segura notes.

“Other proper hygiene tips such as strong passwords and avoiding public wifi when logging into your site should also be applied,” he adds.

More technical details and analyses can be found at the Malwarebytes blog.

Photo: Michael Theis

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services. Security advisories for Wednesday

This post was syndicated from: and was written by: ris. Original post: at

Debian has updated php5 (multiple vulnerabilities).

Fedora has updated freexl (F21; F20:
denial of service) and libgcrypt (F21: two vulnerabilities).

openSUSE has updated vorbis-tools
(13.2, 13.1: denial of service).

Oracle has updated freetype (OL7; OL6:
multiple vulnerabilities).

Red Hat has updated flash-plugin
(RHEL5,6: multiple vulnerabilities) and freetype (RHEL6,7: multiple vulnerabilities).

Ubuntu has updated libxfont (privilege escalation) and php5 (multiple vulnerabilities). Tuesday’s security updates

This post was syndicated from: and was written by: ris. Original post: at

Debian has updated checkpw (denial of service), libxfont (privilege escalation), and tcpdump (multiple vulnerabilities).

Debian-LTS has updated gnupg (multiple vulnerabilities) and tcpdump (multiple vulnerabilities).

Gentoo has updated adobe-flash
(multiple vulnerabilities) and file
(multiple vulnerabilities).

Red Hat has updated kernel
(RHEL6.2: multiple vulnerabilities) and kernel-rt (RHE MRG2.5: multiple vulnerabilities).

Ubuntu has updated libav (12.04: multiple vulnerabilities). Security advisories for Monday

This post was syndicated from: and was written by: ris. Original post: at

Debian has updated freetype (many vulnerabilities), gnutls26 (two vulnerabilities), icu (multiple vulnerabilities), libav (multiple vulnerabilities), and putty (information disclosure).

Debian-LTS has updated libextlib-ruby (code execution and more), libssh2 (information leak), mod-gnutls (restriction bypass), and putty (information disclosure).

Fedora has updated 389-admin
(F21: multiple /tmp/ file vulnerabilities), cups-filters (F21; F20:
remote command execution), gnupg (F20:
multiple vulnerabilities), httpd (F21:
multiple vulnerabilities), jBCrypt (F21; F20:
integer overflow), kernel (F20: multiple
vulnerabilities), libmspack (F21; F20: denial of service), libuv (F20: privilege escalation), nodejs (F20: privilege escalation),
phpMyAdmin (F21; F20: information leak), putty (F21; F20:
information disclosure), tcllib (F21: HTML
injection), and v8 (F20: privilege escalation).

Gentoo has updated hivex (privilege escalation) and icu (multiple vulnerabilities).

Mageia has updated 389-ds-base (multiple vulnerabilities) and flash-player-plugin (multiple vulnerabilities).

Mandriva has updated kernel (multiple vulnerabilities), nss (multiple vulnerabilities), qemu (multiple vulnerabilities), and yaml (multiple vulnerabilities).

openSUSE has updated flashplayer
(11.4: multiple vulnerabilities), chromium
(13.2, 13.1: multiple vulnerabilities), and postgresql (11.4: multiple vulnerabilities).

SUSE has updated flash-player
(SLED11 SP3: multiple vulnerabilities) and java-1_7_0-openjdk (SLE12: multiple vulnerabilities).

Ubuntu has updated cups-filters
(14.10, 14.04: remote command execution), requests (14.10, 14.04: cookie stealing attacks), and sudo (information disclosure).

Krebs on Security: ‘AntiDetect’ Helps Thieves Hide Digital Fingerprints

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

As a greater number of banks in the United States shift to issuing more secure credit and debit cards with embedded chip technology, fraudsters are going to direct more of their attacks against online merchants. No surprise, then, that thieves increasingly are turning to an emerging set of software tools to help them evade fraud detection schemes employed by many e-commerce companies.

Every browser has a relatively unique “fingerprint” that is shared with Web sites. That signature is derived from dozens of qualities, including the computer’s operating system type, various plugins installed, the browser’s language setting and its time zone. Banks can leverage fingerprinting to flag transactions that occur from a browser the bank has never seen associated with a customer’s account.

Payment service providers and online stores often use browser fingerprinting to block transactions from browsers that have previously been associated with unauthorized sales (or a high volume of sales for the same or similar product in a short period of time).

In January, several media outlets wrote about a crimeware tool called FraudFox, which is marketed as a way to help crooks sidestep browser fingerprinting. However, FraudFox is merely the latest competitor to emerge in a fairly established marketplace of tools aimed at helping thieves cash out stolen cards at online merchants.

Another fraudster-friendly tool that’s been around the underground hacker forums even longer is called Antidetect. Currently in version, Antidetect allows users to very quickly and easily change components of the their system to avoid browser fingerprinting, including the browser type (Safari, IE, Chrome, etc.), version, language, user agent, Adobe Flash version, number and type of other plugins, as well as operating system settings such as OS and processor type, time zone and screen resolution.

Antidetect is marketed to fraudsters involved in ripping off online stores.

Antidetect is marketed to fraudsters involved in ripping off online stores.

The seller of this product shared the video below of someone using Antidetect along with a stolen credit card to buy three different downloadable software titles from gaming giant That video has been edited for brevity and to remove sensitive information; my version also includes captions to describe what’s going on throughout the video.

In it, the fraudster uses Antidetect to generate a fresh, unique browser configuration, and then uses a bundled tool that makes it simple to proxy communications through one of a hundreds of compromised systems around the world. He picks a proxy in Ontario, Canada, and then changes the time zone on his virtual machine to match Ontario’s.

Then our demonstrator goes to a carding shop and buys a credit card stolen from a woman who lives in Ontario. After he checks to ensure the card is still valid, he heads over the and uses the card to buy more than $200 in downloadable games that can be easily resold for cash. When the transactions are complete, he uses Antidetect to create a new browser configuration, and restarts the entire process — (which takes about 5 minutes from browser generation and proxy configuration to selecting a new card and purchasing software with it). Click the icon in the bottom right corner of the video player for the full-screen version.

I think it’s safe to say we can expect to see more complex anti-fingerprinting tools come on the cybercriminal market as fewer banks in the United States issue chipless cards. There is also no question that card-not-present fraud will spike as more banks in the US issue chipped cards; this same increase in card-not-present fraud has occurred in virtually every country that made the chip card transition, including Australia, Canada, France and the United Kingdom. The only question is: Are online merchants ready for the coming e-commerce fraud wave? Friday’s security updates

This post was syndicated from: and was written by: n8willis. Original post: at

CentOS has updated kernel
(C6: multiple vulnerabilities).

Debian has updated gnupg
(multiple vulnerabilities), libgcrypt11 (multiple vulnerabilities), movabletype-opensource (multiple vulnerabilities), and nss (data smuggling).

Fedora has updated krb5
(F21: multiple vulnerabilities)
and suricata (F21: multiple vulnerabilities).

Mageia has updated libarchive (M4: directory traversal), libssh2 (M4: denial of service), and qt3, qt4, qt5base (M4: denial of service).

openSUSE has updated flash-player (13.1, 13.2: multiple vulnerabilities), osc (13.1, 13.2: command injection), and wireshark (13.1, 13.2: multiple vulnerabilities).

Oracle has updated gnome-shell, clutter, cogl, mutter (O7:
lock screen bypass), httpd (O7: multiple vulnerabilities), ipa (O7: multiple vulnerabilities), kernel (O7: multiple vulnerabilities), krb5 (O7: multiple vulnerabilities), libreoffice (O7: code execution), libvirt (O7: multiple vulnerabilities), qemu-kvm (O7: multiple vulnerabilities), and thunderbird (O7: multiple vulnerabilities).

SUSE has updated bind
(SLE10: denial of service), flash-player (SLE12: multiple vulnerabilities), and osc (SLE12: command injection).

SANS Internet Storm Center, InfoCON: green: Malware targets home networks, (Fri, Mar 13th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Malware researchers at Trend Micro have analyzed a malware that connects to the home routers and scan the home network then send the gathered information to CC before deleting it self .

TROJ_VICEPASS.A pretends to be an Adobe Flash update, once its run it will attempt to connect to the home router admin council using a predefined list of user names and passwords. If its succeed, the malware will scan the network for connected devices.

The malware scans for devices using HTTP, with a target IP range of 192.168.[0-6].0-192.168.[0-6].11, this IP range is hard-coded

Once the scans is finish it will encode the result using Base64 and encrypt it using a self-made encryption method. The encrypted result will be sent to a CC server via HTTP protocol.

After sending the results to the Command and Control server (CC) , it will delete itself from the victims computer. It uses the following command to do so:

  • exe /C ping -n 1 -w 3000 Nul Del %s

Such type of malware infection can be avoided using a very basic security techniques such as downloading updated and software from a trusted sources only and changing the default password of your equipments.

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Adobe Flash Update Plugs 11 Security Holes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe has released an update for its Flash Player software that fixes at least 11 separate, critical security vulnerabilities in the program. If you have Flash installed, please take a moment to ensure your systems are updated.

brokenflash-aNot sure whether your browser has Flash installed or what version it may be running? Browse to this link. The newest, patched version is for Windows and Mac users. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to version

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

The last few Flash updates from Adobe have been in response to zero-day threats targeting previously unknown vulnerabilities in the program. But Adobe says it is not aware of any exploits in the wild for the issues addressed in this update. Adobe’s advisory on this patch is available here.

SANS Internet Storm Center, InfoCON: green: Threatglass has pcap files with exploit kit activity, (Tue, Mar 10th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Threatglassis a one way to find up-to-date examples of exploit kit traffic. Not all of it is exploit kit traffic, but all of it represents some sort of malicious activity. Threatglassdoesnt explain what type of traffic youre looking at from the pcaps the site provides. Letslook at a page from last week on Thursday, March 5th 2015 [1]. This one isexploit kit activity. In the image below, youll find a link to the packet capture in the lower right-hand corner” />

Download the pcap and open it in Wireshark. User http.request as the filter, and make sure youre showing the host name in the column display. ” />

For most exploit kits, the pattern oftraffic is: Landing page — Exploit (Java, Flash, Silverlight, IE, etc) — Malware payload if the exploit is successful

Lets look at this example by following a few TCP streams in the pcap. ” />

When the Flash exploit works, a malware payload is sent. Currently, Nuclear Exploit Kit obfuscates the malware payload with an ASCII string. In this case, the binary was XOR-ed with the ASCII string:” />

The Virus Total results indicate the malware is a Tofsee variant –

If you want a sample of the deobfuscated payload, you can get it from at:

If you have the time, review some of the other entries on Threatglass to figure out which ones are exploit kit activity, and which ones are other activity, like fake flash installer pop-up windows. This is one of many resources on line thataspiring analystscan use to build their skills.

Brad Duncan, Security Researcher at Rackspace
Blog: – Twitter: @malware_traffic



(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Backblaze Blog | The Life of a Cloud Backup Company: 10 Billion Files Restored and Counting…

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Andy Klein. Original post: at Backblaze Blog | The Life of a Cloud Backup Company

10 billion files recovered
As an online backup provider, people pay us to backup their data so they can recover their files when needed. On March 2nd, a little after Noon Pacific Time, Backblaze reached a data recovery milestone. We restored our 10 billionth file. No alarms went off, no bells rang, no one sang the Backblaze jingle, 10 billion just happened, then 10 billion and one and then 10 billion and two and so on. In an instant 10 billion was here and gone. How fast, you ask? Let’s look at the statistics for 2015 so far:

Average Number of Files Restored

Backblaze Restore

So in the time it took you read this sentence hundreds of files were restored.

Hard Drive File Recovery

In reality, there are many files being restored at the same time. We currently have 22 restore servers, locked away in our data center, working day and night, 7 days a week, restoring files. Surely, they must get a break sometimes, you ask? Yes, some days of the week are busier than others, as you can see below:

Percentage of Restores Done Each Weekday

Backblaze Restores by Day of Week

Just like many of us, they get a little breather on the weekend. Perhaps when our customers do their restores, they use the office network, just sayin’.

We didn’t get to 10 billion files all at once, it took a while, years in fact. We restored our first file for a customer in June 2008, shortly after we introduced the Backblaze 1.0 Beta. It took nearly 4 years to get to 1 billion files restored. Once that happened, it has gotten a little crazy. The chart below shows how we progressed over the years up through 10 billion files today.
Files Restored Over TimeProjecting forward we anticipate restoring our 100 billionth file sometime in late 2020. I predict October 27th, but I could be off by a year or two either way.

Recovering Files
Backblaze customers can restore one file, a group of files or all their data, anytime they wish, with 99.1% of all restores being done by downloading the files using a web browser or the Backblaze Downloader application. On average each restore consists of 33,164 files, but interestingly restoring a single file represents 21% of all the restores being done as shown below.

Number of Files Recovered Each Restore

Files Restored

Yes, each month there are a number of customers that download a million files or more in a single restore. What’s the largest number of files we’ve restored at one time? We believe the current record is 18,006,871 files. Please note, this is not meant to be a challenge to those of you contemplating large restores.

By the way, it’s probably a good idea to break up a large restore into smaller parts and use the Backblaze Downloader. This will make for a much better download experience. Of course, you can always opt to purchase a Flash Drive or USB Hard Drive from us. Once your restore is ready, we’ll load your data on the drive and ship it to you next day at no extra charge. It’s convenient, fast, and you get to keep the drive.

Well I just checked, we’re up to 10,124,152,571 files restored and counting, but that’s what you pay us for. Restore away, and thanks.


Author information

Andy Klein

Andy Klein

Andy has 20+ years experience in technology marketing. He has shared his expertise in computer security and data backup at the Federal Trade Commission, Rootstech, RSA and over 100 other events. His current passion is to get everyone to back up their data before it’s too late.

The post 10 Billion Files Restored and Counting… appeared first on Backblaze Blog | The Life of a Cloud Backup Company.