Posts tagged ‘flash’

Krebs on Security: Spreading the Disease and Selling the Cure

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

When Karim Rattani isn’t manning the till at the local Subway franchise in his adopted hometown of Cartersville, Ga., he’s usually tinkering with code. The 21-year-old Pakistani native is the lead programmer for two very different yet complementary online services: One lets people launch powerful attacks that can knock Web sites, businesses and other targets offline for hours at a time; the other is a Web hosting service designed to help companies weather such assaults.


Rattani helps run two different “booter” or “stresser” services – grimbooter[dot]com, and restricted-stresser[dot]info. He also works on TheHosted[dot]me, a Web hosting firm marketed to Web sites looking for protection from the very attacks he helps to launch.

As part of an ongoing series on booter services, I reached out to Rattani via his Facebook account (which was replete with images linking to fake YouTube sites that foist malicious software disguised as Adobe’s Flash Player plugin). It turns out that the same Google Wallet account is used to accept payment for all three services, and that wallet traced back to Rattani.

In a Facebook chat, Rattani claimed he doesn’t run the companies, but merely accepts Google Wallet payments for them and then wires the money (minus his cut) to a young man named Danial Rajput — his business partner back in Karachi. Rajput declined to be interviewed for this story.

The work that Rattani does for these booter services brings in roughly $2,500 a month — far more than he could ever hope to make in a month slinging sandwiches. Asked whether he sees a conflict of interest in his work, Rattani was ambivalent.

“It is kind of [a conflict], but if my friend won’t sell [the service], someone else will,” he said.

Rattani and his partner are among an increasing number of young men who sell legally murky DDoS-for-hire services. The proprietors of these services market them as purely for Web site administrators to “stress test” their sites to ensure they can handle high volumes of visitors.

But that argument is about as convincing as a prostitute trying to pass herself off as an escort. The owner of the attack services (the aforementioned Mr. Rajput) advertises them at hackforums[dot]net, an English language forum where tons of low-skilled hackers hang out and rent such attack services to prove their “skills” and toughness to others. Indeed, in his own first post on Hackforums in 2012, Rajput states that “my aim is to provide the best quality vps [virtual private server] for ddosing :P”.

Damon McCoy, an assistant professor of computer science at George Mason University, said the number of these DDoS-for-hire services has skyrocketed over the past two years. Nearly all of these services allow customers to pay for attacks using PayPal or Google Wallet, even though doing so violates the terms of service spelled out by those payment networks.

“The main reason they are becoming an increasing problem is that they are profitable,” McCoy said. “They are also easy to setup using leaked code for other booters, increasing demand from gamers and other customers, decreasing cost of attack infrastructure that can be amplified using common DDoS attacks. Also, it is relatively low-risk to operate a booter service when using rented attack servers instead of botnets.”

The booter services are proliferating thanks mainly to free services offered by CloudFlare, a content distribution network that offers gratis DDoS protection for virtually all of the booter services currently online. That includes the Lizardstresser, the attack service launched by the same Lizard Squad (a.k.a. Loser Squad) criminals whose assaults knocked the Microsoft Xbox and Sony Playstation networks offline on Christmas Day 2014.

The sad truth is that most booter services probably would not be able to remain in business without CloudFlare’s free service. That’s because outside of CloudFlare, real DDoS protection services are expensive, and just about the only thing booter service customers enjoy attacking more than Minecraft and online gaming sites are, well, other booter services.

For example, looking at the (now leaked) back-end database for the LizardStresser, we can see that TheHosted and its various properties were targeted for attacks repeatedly by one of the Loser Squad’s more prominent members.

The Web site crimeflare.com, which tracks abusive sites that hide behind CloudFlare, has cataloged more than 200 DDoS-for-hire sites using CloudFlare. For its part, CloudFlare’s owners have rather vehemently resisted the notion of blocking booter services from using the company’s services, saying that doing so would lead CloudFlare down a “slippery slope of censorship.”

As I observed in a previous story about booters, CloudFlare CEO Matthew Prince has noted that while Cloudflare will respond to legal process and subpoenas from law enforcement to take sites offline, “sometimes we have court orders that order us to not take sites down.” Indeed, one such example was CarderProfit, a Cloudflare-protected carding forum that turned out to be an elaborate sting operation set up by the FBI.

I suppose it’s encouraging that prior to CloudFlare, Prince was a co-creator of Project Honey Pot, which bills itself as the largest open-source community dedicated to tracking online fraud and abuse. In hacking and computer terminology, a honeypot is a trap set to detect, deflect or otherwise counteract attempts at unauthorized use or abuse of information systems.

It may well turn out to be the case that federal investigators are allowing these myriad booter services to remain in operation so that they can gather copious evidence for future criminal prosecutions against their owners and users. In the meantime, however, it will continue to be possible to purchase powerful DDoS attacks with little more than a credit card or prepaid debit card.

LWN.net: Security advisories for Monday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

CentOS has updated jasper (C7: multiple vulnerabilities).

Debian has updated jasper (multiple vulnerabilities), mysql-5.5 (multiple vulnerabilities), polarssl (code execution), squid (denial of service), and websvn (information disclosure).

Debian-LTS has updated libevent (denial of service) and websvn (information disclosure).

Fedora has updated docker-io (F20: multiple vulnerabilities), grep (F21: heap buffer overrun), java-1.7.0-openjdk (F20: multiple vulnerabilities), java-1.8.0-openjdk (F21; F20: multiple vulnerabilities), kde-runtime (F20: misuse of crypto), kernel (F21: restriction bypass), python-django (F21: multiple vulnerabilities), and xdg-utils (F21: command injection).

Mageia has updated aircrack-ng (multiple vulnerabilities), chromium-browser-stable (multiple vulnerabilities), jasper (multiple vulnerabilities), and java-1.7.0-openjdk (multiple vulnerabilities).

openSUSE has updated Firefox (11.4: multiple vulnerabilities), libevent (13.2, 13.1: denial of service), openssl (13.2, 13.1: multiple vulnerabilities), shotwell, vala (13.2: heap buffer overflow), and thunderbird (13.2, 13.1: multiple vulnerabilities).

SUSE has updated flash-player (SLED11 SP3: unspecified vulnerability) and vsftpd (SLES11 SP3: unauthorized access).

Ubuntu has updated ghostscript (10.04: multiple vulnerabilities), jasper (14.10, 14.04, 12.04: multiple vulnerabilities), and unbound (14.10, 14.04: denial of service).

SANS Internet Storm Center, InfoCON: green: Adobe updates Security Advisory for Adobe Flash Player, Infocon returns to green, (Mon, Jan 26th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

On Saturday, 24 JAN 2015, Adobe updated their Security Advisory for Adobe Flash Player specific to CVE-2015-0311. From the update:

Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post.

To that end we have returned the Infocon to GREEN. Please ensure you apply updates as soon as possible and stay tuned here for additional related information.

@holisticinfosec

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: yellow: “Stealth” Update for Flash from Adobe, (Sat, Jan 24th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: yellow and was written by: SANS Internet Storm Center, InfoCON: yellow. Original post: at SANS Internet Storm Center, InfoCON: yellow

[Update] Adobe has now updated its advisory and confirmed that version 16.0.0.296 fixes the 0-day vulnerability (CVE-2015-0311). [2][3]

Adobe apparently just released Flash version 16.0.0.296. There is nothing on Adobe’s website indicating whether this is a patch. As a matter of fact, Adobe still lists 16.0.0.287 as the most recent version [1]. You can download 16.0.0.296 if you manually check for updates using Flash.

This article will be updated as we learn more. I have NO IDEA if this new version fixes the current vulnerability, but given that this is a surprise weekend release, chances are that it was released in response to the vulnerability. Apply this update at your own risk.

Thanks to Christopher for noticing!

[1]http://www.adobe.com/software/flash/about/

[2]http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

[3]http://blogs.adobe.com/psirt/?p=1160


Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: yellow: Infocon change to yellow for Adobe Flash issues, (Fri, Jan 23rd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: yellow and was written by: SANS Internet Storm Center, InfoCON: yellow. Original post: at SANS Internet Storm Center, InfoCON: yellow

We have decided to change the Infocon [1] to yellow in order to bring attention to the multiple recent Adobe Flash Player vulnerabilities [2] that are being actively exploited. There have been 3 patched vulnerabilities that have an update, and applying them is highly recommended. 1 of the vulnerabilities has not yet been patched, and a fix is expected to be released as an OOB (Out of Band) update next week by Adobe [3].

Our reasoning is that the Adobe Flash Player is very widely installed, the vulnerability affects multiple platforms, remote code execution gives the attacker complete control of the system, the patch is not yet available, it affects both organizational IT systems as well as home or SOHO users, a crimeware kit is actively exploiting the vulnerabilities, people might mistakenly believe that the patch from yesterday fixes all of the issues, and last but not least mitigation through the use of EMET or other tools/means is not normally feasible for home users or for quick deployment in enterprise environments without testing. In short, the high impact of these vulnerabilities being exploited warrants raising the Infocon from now until Monday.

1-https://isc.sans.edu/infocon.html

2-https://isc.sans.edu/forums/diary/Flash+0Day+Deciphering+CVEs+and+Understanding+Patches/19223/

3-

Adrien de Beaupré
My SANS teaching schedule

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

LWN.net: Friday’s security updates

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

CentOS has updated jasper (C6: multiple vulnerabilities).

openSUSE has updated dbus-1 (13.1, 13.2: multiple vulnerabilities), elfutils (13.1, 13.2: directory traversal), flash-player (13.1, 13.2: memory randomization circumvention), otrs (13.1, 13.2: authentication bypass), roundcubemail (13.2: cross-site request forgery), strongswan (13.1, 13.2: denial of service), and wireshark (13.1, 13.2: multiple vulnerabilities).

Oracle has updated jasper (O6; O7: multiple vulnerabilities).

Red Hat has updated jasper (RHEL6,7: multiple vulnerabilities), java-1.7.0-oracle (multiple vulnerabilities), and java-1.8.0-oracle (RHEL6: multiple vulnerabilities).

Scientific Linux has updated jasper (SL6,7: multiple vulnerabilities).

SUSE has updated flash-player (memory randomization circumvention) and rpm (SLE12: multiple vulnerabilities).

Ubuntu has updated elfutils (directory traversal), mysql-5.5 (12.04, 14.04, 14.10: multiple vulnerabilities), and samba (14.04, 14.10: privilege escalation).

SANS Internet Storm Center, InfoCON: yellow: Flash 0-Day: Deciphering CVEs and Understanding Patches, (Fri, Jan 23rd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: yellow and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: yellow

(updated with the Jan 24th update)

Over the last two weeks, we have so far had two different Adobe advisories (one regularly scheduled, and one out of band), and three new vulnerabilities. I would like to help our readers decipher some of the CVEs and patches that you may have seen.

CVE | Fixed in Flash Version | … | yes | APSA15-01

So in short: There is still one unpatched Flash vulnerability. Systems running Windows 8 or below with Firefox or Internet Explorer are vulnerable. You are not vulnerable if you are running Windows 8.1, and the vulnerability is not exposed via Chrome. EMET appears to help, as may other tools like Malwarebytes Anti-Exploit.


Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: green: OOB Adobe patch!, (Thu, Jan 22nd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Adobe has released an advisory regarding an out of band security update for Flash, APSB15-02 [1]. It is a fix for CVE-2015-0310, which is reserved but for which there is little additional information at the NIST or Mitre sites. Most likely this is the previously reported 0-day [2]. There are reports that this vulnerability is actively being exploited, and that it is part of a crimeware kit. This would be a highly recommended patch! If you have the Adobe Flash Player installed, apply the update. All versions on all platforms appear to be vulnerable.

1-http://helpx.adobe.com/security/products/flash-player/apsb15-02.html

2- https://isc.sans.edu/forums/diary/Flash+0Day+Exploit+Used+by+Angler+Exploit+Kit/19213/

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS teaching schedule

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Flash Patch Targets Zero-Day Exploit

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe today released an important security update for its Flash Player software that fixes a vulnerability which is already being exploited in active attacks. Compounding the threat, the company said it is investigating reports that crooks may have developed a separate exploit that gets around the protections in this latest update.

Early indicators of a Flash zero-day vulnerability came this week in a blog post by Kafeine, a noted security researcher who keeps close tabs on new innovations in “exploit kits.” Often called exploit packs, exploit kits are automated software tools that help thieves booby-trap hacked sites to deploy malicious code.

Kafeine wrote that a popular crimeware package called the Angler Exploit Kit was targeting a previously undocumented vulnerability in Flash that appears to work against many different combinations of the Internet Explorer browser and Microsoft Windows.

Attackers may be targeting Windows and IE users now, but the vulnerability fixed by this update exists in versions of Flash that run on Mac and Linux as well. The Flash update brings the media player to version 16.0.0.287 on Mac and Windows systems, and 11.2.202.438 on Linux.

While Flash users should definitely update as soon as possible, there are indications that this fix may not plug all of the holes in Flash for which attackers have developed exploits. In a statement released along with the Flash update today, Adobe said its patch addresses a newly discovered vulnerability that is being actively exploited, but that there appears to be another active attack this patch doesn’t address.

“Adobe is aware of reports that an exploit for CVE-2015-0310 exists in the wild, which is being used in attacks against older versions of Flash Player,” Adobe said. “Additionally, we are investigating reports that a separate exploit for Flash Player 16.0.0.287 and earlier also exists in the wild.”

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash, although as of this writing it seems that the latest version of Chrome (40.0.2214.91) is still running v. 16.0.0.257.
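The posts above give concrete build numbers to check against: 16.0.0.287 (Windows/Mac) and 11.2.202.438 (Linux) from APSB15-02, 16.0.0.296 once the CVE-2015-0311 fix shipped, and 16.0.0.257 still bundled in Chrome 40. The following is an added example, not code from Krebs or Adobe, showing how a defender can sweep an inventory export for builds below those floors. It assumes a `host,platform,version` line format and constructed sample hosts; the only assumption about the fixed builds is that the Linux floor is the APSB15-02 build, since the posts cite no later Linux build.

```python
"""Flag hosts whose reported Flash Player build is older than the fixed build.

Added example, not code from the original posts. The fixed builds are the ones
the posts cite (16.0.0.296 for Windows and Mac after the CVE-2015-0311 fix,
11.2.202.438 on Linux from APSB15-02); the inventory lines are constructed
sample data, and the 'host,platform,version' format is an assumption.
"""
from typing import Dict, List, Tuple

# Minimum fixed build per platform, from the posts. Assumption: the Linux floor
# is the APSB15-02 build, because the posts give no later Linux build number.
FIXED_BUILD: Dict[str, str] = {
    "windows": "16.0.0.296",
    "mac": "16.0.0.296",
    "linux": "11.2.202.438",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.0.0.287' into (16, 0, 0, 287) so builds compare numerically.

    A plain string compare gets this wrong: '16.0.0.1000' < '16.0.0.296'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, installed: str) -> bool:
    """True when the installed build predates the fixed build for that platform."""
    return parse_version(installed) < parse_version(FIXED_BUILD[platform.lower()])


def triage(inventory: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, installed, required) for every host that still needs the update.

    Lines that cannot be parsed are reported for manual review rather than
    silently dropped, so a broken inventory export cannot hide a stale host.
    """
    findings: List[Tuple[str, str, str]] = []
    for line in inventory:
        try:
            host, platform, installed = (f.strip() for f in line.split(","))
            if is_vulnerable(platform, installed):
                findings.append((host, installed, FIXED_BUILD[platform.lower()]))
        except (ValueError, KeyError):
            findings.append((line.strip(), "unparsed", "manual review"))
    return findings


# Constructed sample inventory (host,platform,version); not real hosts.
SAMPLE_INVENTORY = [
    "ws-01,windows,16.0.0.257",   # the build bundled with Chrome 40 per the post
    "ws-02,mac,16.0.0.296",       # current
    "ws-03,windows,16.0.0.287",   # has APSB15-02 but not the CVE-2015-0311 fix
    "web-02,linux,11.2.202.425",  # predates APSB15-02
    "ws-04,linux,11.2.202.438",   # current for Linux per the post
    "bad line without commas",    # malformed export line
]

if __name__ == "__main__":
    for host, installed, required in triage(SAMPLE_INVENTORY):
        print(f"{host}: installed {installed}, required {required}")
```

The numeric comparison matters more than it looks: four-part Flash builds with a three-digit final component sort wrongly as strings, and a sweep that compared `"16.0.0.1000" < "16.0.0.296"` lexically would report a patched host as vulnerable. Unparseable lines are surfaced rather than skipped for the same reason: an inventory tool that drops bad rows quietly is one that under-reports exposure.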

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

I am looking forward to the day in which far fewer sites require Flash Player to view content, and instead rely on HTML5 for rendering video content. For now, it’s probably impractical for most users to remove Flash altogether, but there are in-between options to limit automatic rendering of Flash content in the browser. My favorite is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.

Darknet - The Darkside: Flash Zero Day Being Exploited In The Wild

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

This is not the first Flash Zero Day and it certainly won’t be the last, thanks to the Sandbox implemented in Chrome since 2011 – users of the browser are fairly safe. Those using IE are in danger (as usual) and certain versions of Firefox. It has been rolled into the popular Angler Exploit Kit, […]

The post Flash Zero Day Being…

Read the full post at darknet.org.uk

SANS Internet Storm Center, InfoCON: green: Flash 0-Day Exploit Used by Angler Exploit Kit, (Wed, Jan 21st)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

The Angler exploit kit is a tool frequently used in drive-by download attacks to probe the browser for different vulnerabilities, and then exploit them to install malware. The exploit kit is very flexible and new exploits are added to it constantly.

However, the blog post below shows how this exploit kit is currently using an unpatched Flash 0-day to install malware. Current versions of Windows (e.g. Windows 8 + IE 10) appear to be vulnerable. Windows 8.1 and Google Chrome do not appear to be vulnerable.

This is still a developing story, but typically we see these exploits more in targeted attacks, not in widely used exploit kits. This flaw could affect a large number of users very quickly. Please refer to the original blog for details.

[1] http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html


Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Java Patch Plugs 19 Security Holes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Oracle this week released its quarterly patch update for Java, a widely-installed program that for most casual users has probably introduced more vulnerability than utility. If you have Java installed and require it for some application or Web site, it’s time to update it. If you’re not sure you have Java on your computer or are unsure why you still have it, read on for advice that could save you some security headaches down the road.

Oracle’s update brings Java 7 to Update 75 and Java 8 to Update 31, and fixes at least 19 security vulnerabilities in the program. Security vendor Qualys notes that 13 of those flaws are remotely exploitable, with a CVSS score of 10 (the most severe possible score).

Java 7 users should know that Oracle plans to start using the auto-update function built into the program to migrate those users to Java 8 this week.

According to a new report (PDF) from Cisco, online attacks that exploit Java vulnerabilities have decreased by 34 percent in the past year. Cisco reckons this is thanks to security improvements in the program, and to bad guys embracing new attack vectors — such as Microsoft Silverlight flaws (if you’re a Netflix subscriber, you have Silverlight installed). Nevertheless, my message about Java will remain the same: Patch it, or pitch it.

The trouble with Java is that it has a very broad install base, but many users don’t even know if they have it on their systems. There are a few ways to find out if you have Java installed and what version may be running. Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. In the past, updating via the control panel auto-selected the installation of third-party software, so be sure to look for any pre-checked “add-ons” before proceeding with an update through the Java control panel.

Otherwise, seriously consider removing Java altogether. I have long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

For Java power users — or for those who are having trouble upgrading or removing a stubborn older version — I recommend JavaRa, which can assist in repairing or removing Java when other methods fail (requires the Microsoft .NET Framework).

Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.

Raspberry Pi: Social animals: electric eel tweets with a Pi

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

Meet Miguel Wattson (geddit?), the most piscine member of the Raspberry Pi community. Miguel is an electric eel who lives in a tank at the Tennessee Aquarium; and his keepers, with some help from some computer science interns, have decided to use Miguel’s tendency to generate electricity to do some showboating.

Bzzzzt.

Electric eels (actually a kind of knifefish, so strictly speaking they’re electric fish, which sounds much less cool) have the ability to discharge up to 860 volts from three large organs made from electrocytes – organic cells which work like the voltaic pile in an early battery –  which they use to stun prey, to communicate, and to navigate. An electric eel at full power only discharges for a couple of milliseconds, but even so, has the ability to electrocute a full-sized human.

This is all very glamorous and exciting, but the problem for eel watchers is that all of this drama is silent and invisible. There’s no way to tell just from watching whether or not an electric eel is discharging. Happily, there’s a way around that.

Sensors (I’m guessing electrodes in the water, connected to ground, whose resistance can be measured – but I do not have an electric eel to test this setup on – your ideas in the comments please!) in Miguel’s tank detect when he discharges. These signals are sent to a LED light and speaker system in the aquarium, where they make static rapping sounds, and flash lights to demonstrate how frequently Miguel discharges. Here he is, doing his thing at feeding time.

But the aquarium team didn’t stop there. Miguel’s electrical activity also sends a message to the attached Raspberry Pi, telling it to send a tweet. Miguel’s Twitter feed is full of fishy puns, eel facts, and messages about conservation – along with the occasional “POW” and “BUZZ!” A database of tweets is constantly added to by staff at the aquarium (Miguel does not have fingers and consequently finds it hard to type).

“Ironically, the eel code was written in Python,” said Evgeny Vasilyev, one of the computer science interns from Tennessee Technological University’s Business Media Center. “The project’s main set piece was Raspberry Pi, a low cost computer which provides all of the necessary functionality in a compact package.”

The Pi not only sends the tweets – it acts as a throttle to make sure that Miguel doesn’t start spamming the feed when he gets overexcited. Feeding time, for example, gets Miguel so overstimulated that he discharges more than once a second. The Pi keeps the frequency of tweets down to a reasonable level.
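The throttle described above is the part of this setup a practitioner would want to see, because it is the same problem as any sensor or alert pipeline that feeds a third-party API: a noisy input must not be allowed to flood the output. The block below is an added example, not the aquarium’s code. It assumes a discharge detector that calls `on_discharge(now)` once per event with a monotonic timestamp and a tweet function supplied by the caller; the message texts and the feeding-time burst are constructed. Rather than dropping suppressed events silently, it folds their count into the next tweet, so a two-minute burst still shows up in the feed without spamming it.

```python
"""Throttle a burst of sensor events into a bounded stream of tweets.

Added example, not the aquarium's code. It assumes a discharge detector that
calls on_discharge(now) once per event with a monotonic timestamp, and a
tweet function supplied by the caller; the message texts are constructed.
"""
import random
from typing import Callable, List, Optional, Tuple


class EelTweetThrottle:
    """Post at most one tweet per min_interval_s, folding suppressed zaps into the next one."""

    def __init__(self, tweet: Callable[[str], None], min_interval_s: float = 60.0,
                 messages: Optional[List[str]] = None, seed: int = 0) -> None:
        self.tweet = tweet
        self.min_interval_s = min_interval_s
        self.messages = list(messages or ["BUZZ!", "POW"])
        self.rng = random.Random(seed)   # seeded so runs are reproducible
        self.last_tweet_at: Optional[float] = None
        self.suppressed = 0   # discharges seen since the last tweet
        self.total = 0        # every discharge, tweeted or not
        self.sent = 0

    def on_discharge(self, now: float) -> Optional[str]:
        """Record one discharge; return the tweet text if one was sent, else None."""
        self.total += 1
        if self.last_tweet_at is not None and now - self.last_tweet_at < self.min_interval_s:
            self.suppressed += 1
            return None
        text = self.rng.choice(self.messages)
        if self.suppressed:
            text += f" (and {self.suppressed} more zaps since the last tweet)"
        self.tweet(text)
        self.last_tweet_at = now
        self.suppressed = 0
        self.sent += 1
        return text


SAMPLE_MESSAGES = [  # constructed stand-ins for the keepers' tweet database
    "BUZZ!",
    "POW",
    "Eel fact: I can discharge up to 860 volts.",
]


def simulate_feeding_time() -> Tuple[EelTweetThrottle, List[str]]:
    """Drive the throttle with a constructed feeding-time burst and return what was sent."""
    sent: List[str] = []
    throttle = EelTweetThrottle(sent.append, min_interval_s=60.0, messages=SAMPLE_MESSAGES)
    # Constructed: one discharge every 0.5 s for two minutes, then a single zap later on.
    events = [i * 0.5 for i in range(240)] + [300.0]
    for t in events:
        throttle.on_discharge(t)
    return throttle, sent


if __name__ == "__main__":
    throttle, sent = simulate_feeding_time()
    print(f"{throttle.total} discharges -> {throttle.sent} tweets")
    for line in sent:
        print(" ", line)
```

With the constructed burst (241 discharges, more than one per second for two minutes) the throttle emits three tweets: one at the start, one a minute later carrying the 119 zaps it held back, and one for the lone zap at the five-minute mark. Passing the clock in as an argument rather than reading `time.time()` inside the class is what makes the behaviour testable without waiting in real time.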

The Chattanooga Times Free Press has some video of the setup:

You can follow Miguel on Twitter at @EelectricMiguel. You’ll notice that he follows Tennessee Aquarium’s pioneering tweeting groundhog (no, we have no idea what a groundhog is doing in an aquarium), @ChattNoogaChuck, whose profile boasts that he is the aquarium’s chief seasonal forecaster.

If you’re following Miguel, keep an eye out on Mondays, Wednesdays and Fridays, when he’s fed, for bursts of activity!

LWN.net: Friday’s security updates

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Debian has updated rpm (two code execution flaws).

Debian-LTS has updated curl (HTTP request injection).

openSUSE has updated flash-player (13.2, 13.1: multiple vulnerabilities), flashplayer (11.4: multiple vulnerabilities), and util-linux (13.2, 13.1: code execution).

SUSE has updated flash-player (SLE11SP3; SLE12: multiple vulnerabilities) and kernel (SLE12: multiple vulnerabilities, one from 2013).

LWN.net: Security advisories for Thursday

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities), thunderbird (C6; C5: three vulnerabilities), and xulrunner (C7: multiple vulnerabilities).

Debian has updated iceweasel (multiple vulnerabilities) and kernel (multiple vulnerabilities, including one from 2013).

Debian-LTS has updated unrtf (two code execution flaws).

Fedora has updated firefox (F21; F20: multiple vulnerabilities), kde-runtime (F21: kwallet crypto botch from 2013), and owasp-esapi-java (F21; F20: crypto botch from 2013).

Mageia has updated flash-player-plugin (multiple vulnerabilities) and python-pip (denial of service).

Mandriva has updated libsndfile (code execution), libvirt (denial of service), mpfr (code execution), and unrtf (denial of service).

Oracle has updated firefox (OL5: multiple vulnerabilities).

Red Hat has updated flash-plugin (RHEL5&6: multiple vulnerabilities).

SUSE has updated kernel (SLERTE11SP3: multiple vulnerabilities, some from 2012 and 2013) and xorg-x11-server (SLE11SP3: multiple vulnerabilities).

Ubuntu has updated coreutils (14.04, 12.04, 10.04: two vulnerabilities, one from 2009), curl (HTTP request injection), firefox (14.10, 14.04, 12.04: multiple vulnerabilities), gparted (12.04: code execution), GTK+ (14.04: lock screen bypass), unzip (three code execution flaws), and ubufox (14.10, 14.04, 12.04: multiple vulnerabilities).

Errata Security: Notes on the CIA spying case

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The CIA announced it wasn’t going to punish those responsible for spying/hacking on Senate computers. Since journalists widely get this story wrong, I thought I’d write up some notes getting it right. That’s because while the CIA organization is guilty of gross misconduct, it’s actually likely that no individual employees did anything wrong. The organization is guilty, but (possibly) the people aren’t.

The first thing to note is that no hacking happened. These were CIA computers, at a CIA facility, managed by CIA sysadmins, who had the admin passwords.

That’s the complicated bit. In 2009 when the Intelligence committee demanded to look at the torture/interrogation documents, the CIA balked about the security issues of staffers taking documents offsite. Therefore, they came to an agreement with the Senate: the CIA would set up a special secured network at their building, disconnected from the rest of the CIA network. The Senate staffers would go there to work. Documents would be transferred from the CIA’s main network onto this special network by hand (probably USB flash drive or something).

The Senate committee didn’t have to agree to this. By law, they have oversight, and can make decisions that screw the CIA. But the Senate committee recognized this was a legitimate concern, and agreed to the compromise. However, they demanded concessions from the CIA, such as not “spying” on their staffers.

I say “spying” here because that’s the word used in the press, but it was more complex than that. Spying on employees is routine within the CIA. There are always compliance officers running around checking computers to make sure they don’t have documents on them they shouldn’t. So “compliance” is a better word than “spying”; it sounds much nicer.

But the agreement was specifically that only IT techies would have access to the computers purely for the purposes of IT techy stuff, and that nobody else at the CIA would have access — not even for compliance purposes.

Well, in the course of events, other people at the CIA did access these computers, did do compliance checks. Judging from Dianne Feinstein’s comments, it appears that most of these incidents were just honest mistakes, at least, she’s not concerned by them. The one incident she’s concerned about involves the Panetta report — the internal CIA investigation that found gross misconduct in the torturing/interrogation.

The Panetta report wasn’t one of the documents the Senate staffers were supposed to see. Nobody knows how it got onto these special computers. The staffers just found it there accidentally. At least, that’s the information we have publicly. The CIA accuses the staffers of doing nefarious things, but we outsiders can’t know really what happened. (Maybe somebody at the CIA leaked it to the staffers).

When the CIA heard the staffers had the Panetta document, they did what they always do when things like this happen: their normal compliance checks and investigation. Among the things they would do in such situations is thoroughly scan the computers they’d given the Senate staffers, read their emails, search their files, and so forth. Yes, at the top level, the head of the CIA agreed that this would not happen — but the employees didn’t necessarily know this. Apparently, nobody told them about the agreement — they didn’t get the memo.

The problem is ultimately this: that while the CIA as an organization broke the rules here, it’s possible that no individual person did anything intentionally bad.

Personally, I think this is bullshit. I think lower level flunkies knew what they were doing was wrong, that high-level managers gave them direction, and that many at the CIA deliberately pushed the rules as much as they could in order to interfere with the Senate investigation. But I don’t have proof of this, and no such proof has been made public.

I don’t like the CIA. I think their torture is a stain on our national honor. I think it’s a travesty that the torturers aren’t punished. It’s clear I don’t support the CIA, and that I have no wish to defend them. But I still defend truth, and the truth is this: the CIA did not “hack senate computer” as many claim.

These notes were compiled mostly from Dianne Feinstein’s description of events: http://www.feinstein.senate.gov/public/index.cfm/2014/3/feinstein-statement-on-intelligence-committee-s-cia-detention-interrogation-report.

Krebs on Security: Adobe, Microsoft Push Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Microsoft on Tuesday posted eight security updates to fix serious security vulnerabilities in computers powered by its Windows operating system. Separately, Adobe pushed out a patch to plug at least nine holes in its Flash Player software.

Leading the batch of Microsoft patches for 2015 is a drama-laden update to fix a vulnerability in Windows 8.1 that Google researchers disclosed just two days ago. Google has a relatively new policy of publicly disclosing flaws 90 days after they are reported to the responsible software vendor — whether or not that vendor has fixed the bug yet. That 90-day period elapsed over the weekend, causing Google to spill the beans and potentially help attackers develop an exploit in advance of Patch Tuesday.

For its part, Microsoft issued a strongly-worded blog post chiding Google for what it called a “gotcha” policy that leaves Microsoft users in the lurch. Somehow I doubt this is the last time we’ll see this tension between these two software giants. But then again, who said patching had to be boring? For a full rundown of updates fixed in today’s release, see this link.

Adobe, as it is prone to do on Patch Tuesday, issued an update to fix a whole mess of security problems with its Flash Player program. Adobe’s update brings the Player to v. 16.0.0.257 for Windows and Mac users, and fixes at least nine critical bugs in the software. Adobe said it is not aware of exploits that exist in the wild for any of the vulnerabilities fixed in this release.

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash. If your version of Chrome doesn’t show the latest version of Flash, you may need to restart the browser or manually force Chrome to check for updates (click the three-bar icon to the right of the address bar, select “About Google Chrome” and it should check then).

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice: once with IE and again using the alternative browser (e.g., Firefox or Opera).

As always, please feel free to sound off in the comments section below with your experience about applying any of these security patches.

SANS Internet Storm Center, InfoCON: green: Adobe Patch Tuesday – January 2015, (Tue, Jan 13th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Adobe released one bulletin today, affecting Flash Player. The update should be applied to the Windows, OS X and Linux versions of Adobe’s Flash Player. It is rated with a priority of 1 for most Windows versions of Flash Player.

Adobe AIR, as well as browsers like Chrome and Internet Explorer that bundle Flash, are affected as well.

http://helpx.adobe.com/security/products/flash-player/apsb15-01.html


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

LWN.net: Purism Librem 15 (Linux Journal)

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Linux Journal looks at the Purism Project and the Purism Librem 15 laptop. “The Librem 15 uses the Trisquel distribution which wasn’t a distribution I had heard of before now. Basically it’s a Debian-based distribution that not only removes the non-free repository by default, but it has no repositories at all that provide non-free software. It was picked for the Librem 15 because it is on the list of official FSF-approved GNU/Linux distributions and since that laptop is aiming to get the FSF stamp of approval, that decision makes sense. Since it’s a Debian-based distribution, the desktop environment and most of the available software shouldn’t seem too different for anyone who has used a Debian-based distribution before. Of course, if you do want to use any proprietary software (like certain multimedia codecs or official Flash plugins) you will have to hunt for those on your own. Then again, the whole point of this laptop is to avoid any software like that.”

TorrentFreak: BitTorrent Zeitgeist: What People Search for in 2014

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

During December, all self-respecting search engines produce an overview of the most popular search terms of the past year.

These lists give insight into recent trends, and in 2014 Robin Williams, World Cup and Ebola were the top trending searches on Google.

But what about torrent search engines? With billions of searches every year it’s worth taking a look at the most-entered keywords on the dominant file-sharing network.

A few years ago we started the BitTorrent zeitgeist tradition with help from one of the largest torrent sites around. Based on a sample of hundreds of millions of searches, this list should give a decent overview of what people are looking for.

2014’s number one query is the same as last year’s. YIFY is the name of a popular movie release group that many people follow to see what new pirated titles are available.

The term 2014, often used to find recent movies, comes in second place, followed by 1080p in third. Last year “1080p” was in 42nd place, suggesting that people are increasingly looking for high-definition video. The sixth and eighth places for newcomers YIFY 720p and YIFY 1080p confirm this trend.

In fourth place we find NeZu, another popular movie release group that is listed in the top 50 for the first time this year.

The first content related search query is Guardians of The Galaxy in ninth place. Other popular movie searches are Lucy and Dawn of The Planet of The Apes taking the 23rd and 24th spots respectively.

TV content is also popular with Game of Thrones in 12th and The Walking Dead in 16th place. Perhaps surprisingly, there are no searches related to music titles in the top 50. The only music related term is Discography in 11th place.

Finally, a game release group made it into the top 50 this year. The query Nosteam, referring to the ^^nosTEAM^^ group, is one of the highest newcomers and is listed in 15th place.

Below is the full list of the 50 most-entered search queries on one of the most popular torrent sites on the Internet.

1. yify
2. 2014
3. 1080p
4. nezu
5. hindi
6. yify 720p
7. french
8. yify 1080p
9. guardians of the galaxy
10. 3d
11. discography
12. game of thrones
13. movies
14. tamil
15. nosteam
16. the walking dead
17. ita
18. dvdrip
19. telugu
20. android
21. malayalam
22. hindi 2014
23. lucy
24. dawn of the planet of the apes
25. nl
26. apk
27. ps3
28. lynda
29. 720p
30. 2013
31. need for speed
32. arrow
33. +18
34. batman
35. hercules
36. x art
37. pc games
38. how to train your dragon 2
39. 22 jump street
40. divergent
41. teenage mutant ninja turtles
42. edge of tomorrow
43. The fault in our stars
44. godzilla
45. mac
46. wwe
47. the equalizer
48. walking dead
49. maleficent
50. the flash

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Raspberry Pi: Penguin Lifelines

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

We quite frequently get asked about optimum operating temperatures for the Raspberry Pi – frequently enough that this was a very early addition to our FAQs page back in 2012:

The Raspberry Pi is built from commercial chips which are qualified to different temperature ranges; the LAN9512 is specified by the manufacturers being qualified from 0°C to 70°C, while the AP is qualified from -40°C to 85°C. You may well find that the board will work outside those temperatures, but we’re not qualifying the board itself to these extremes.

And we left it at that. I hadn’t really thought much about extreme environments for a while – but then I bumped into our friend Jonathan Pallant, from Cambridge Consultants, a couple of weeks ago; and he started telling me about the progress of a project he’s been working on with the Zoological Society of London (ZSL), which pushes the Raspberry Pi’s working temperature down further than any other we’ve seen.

How? By the simple expedient of sticking them on poles in Antarctica for a year, in order to monitor penguins. That means the Pis have to work reliably at temperatures which can consistently be below -42°C (-45°F). And they’ve been coping with those temperatures just fine for a year now.

Image: Alasdair Davies, ZSL

The Penguins Lifeline project, headed up by Dr Tom Hart, is a multi-organisation enterprise. ZSL are working with Woods Hole Oceanographic Institution, Oxford University, Oceanites, and Stony Brook University to monitor Adelie penguin populations throughout the year, and to find out how external events like weather and disease, and human influences like pollution and fisheries, affect them. The cameras have been in situ since January 2014 (so very nearly a year’s data has been collected and sent back to researchers by the very cold Raspberry Pis). It’s summer in Antarctica right now, but most places where these are installed will still be well below freezing.
Credit: Alasdair Davies, ZSL

The penguins trigger the cameras (there are two in each unit: a regular camera and one with no IR filter for taking pictures in the dark with an infra-red flash – sound familiar?) by moving near them; each unit is equipped with a motion detector. The pictures are then sent to the researchers by the Pi via the Iridium satellite network. Each setup is powered by external lead batteries, which are topped up (when the sun’s out) by solar panels.

Researchers count the penguins from the images, and are able to track when they arrive to breed, and monitor populations. In previous studies, a human would have to go out to the camera installation and pick up the data by hand: networking the cameras, using Raspberry Pis, means that this doesn’t need to happen any more.

There are a few ways in which you can help Penguins Lifeline. The researchers are crowdsourcing some of the work that needs doing in classifying images: the pictures the project is creating need sorting to establish how many adults, chicks and eggs are visible in each.

Orange circles identify adults, green circles chicks, and yellow circles eggs.

804,303 images have been classified so far, but there are plenty more to help sort.

You can also make a donation. Adopting a colony will help fund the placing of more Raspberry Pi cameras in remote regions to monitor penguin populations.

You can read much more about the project over at the Penguin Lifelines site. And because we think penguins are brilliant, here are a couple more pictures.

Setting up. Credit: Alasdair Davies, ZSL

Credit: Alasdair Davies, ZSL

SANS Internet Storm Center, InfoCON: green: Exploit Kit Evolution During 2014 – Nuclear Pack, (Thu, Dec 18th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

This is a guest diary submitted by Brad Duncan.

Nuclear exploit kit (also known as Nuclear Pack) has been around for years. Version 2.0 of Nuclear Pack was reported in 2012 [1] [2]. Blogs like malware.dontneedcoffee.com have mentioned version 3.0 of Nuclear Pack in posts during 2013 [3] [4].

This month, Nuclear Pack changed its traffic patterns. The changes are significant enough that I wonder if Nuclear Pack is at version 4. Or is this merely an evolution of version 3, as we’ve seen throughout 2014? Let’s look at the traffic.

In January 2014, traffic from Nuclear Pack was similar to what I’d seen in 2013. Here is an example:

[image]

2014 saw Fiesta exploit kit-style URLs from Nuclear Pack. Also, like other exploit kits, Nuclear sent Flash and Silverlight exploits. Here is an example:

[image]

The above example has Silverlight, Flash, PDF and IE exploits. In each case, a payload was sent to the vulnerable VM. The traffic consists of two TCP streams.

[image]

These patterns are not far off from the beginning of the year. I only saw additional exploits from Nuclear Pack that I hadn’t noticed before.

In December 2014, Nuclear Pack moved to a different URL structure. I first noticed this on a pcap from Threatglass.com [7]. Initially, I’d mistaken the traffic for Angler exploit kit.

[image]

Here is an example:

[image]

Since the change in URL patterns, Nuclear Pack is XOR-ing the malware payload. The image below shows an example where one of the payloads is XOR-ed with the ASCII string DvnQkxI.

[image]

The change in traffic patterns is fairly significant for Nuclear Pack. I haven’t found any reason why the change occurred. Is this merely an evolution, or do these changes indicate a new version of Nuclear Pack?
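For an analyst carving one of these XOR-ed payloads out of a pcap, the useful trick is that a repeating-key XOR leaks its key wherever the plaintext is 0x00, and PE headers are full of zero bytes. The script below is an added example written for this diary; it is not Nuclear Pack’s code and not the diary author’s. It recovers the key from the obfuscated bytes alone (most frequent ciphertext byte per key position), validates the guess with a structural PE check (“MZ” magic plus a “PE\0\0” signature at e_lfanew), and decodes the payload. The key `DvnQkxI` is the string quoted above; the PE stub it is applied to is constructed in the script, so it runs offline.

```python
"""Recover a repeating-key XOR from an obfuscated PE payload.

Added example for analysts, not code from Nuclear Pack or from the diary's
author. The key b"DvnQkxI" is the string quoted in the diary; the PE stub and
the obfuscated bytes below are constructed here so the script runs offline.
"""
from collections import Counter
from itertools import cycle
from typing import Optional
import struct


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """Structural PE check: 'MZ' magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_repeating_key(blob: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Guess the key from the ciphertext alone.

    PE headers are mostly 0x00 bytes, and 0x00 XOR k == k, so for each key
    position the most frequent ciphertext byte is usually the key byte itself.
    The shortest key length whose decoding passes the PE check is returned;
    None means no candidate produced a PE-shaped result.
    """
    for key_len in range(1, min(max_key_len, len(blob)) + 1):
        key = bytes(
            Counter(blob[i::key_len]).most_common(1)[0][0] for i in range(key_len)
        )
        if looks_like_pe(xor_repeating(blob, key)):
            return key
    return None


def build_sample_pe_stub() -> bytes:
    """Constructed stand-in for a dropped executable: a minimal DOS header,
    the usual DOS stub message, a PE signature at e_lfanew and some non-zero
    filler standing in for code. Not a real, runnable executable."""
    image = bytearray(512)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)          # e_lfanew -> offset 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$"
    image[0x4E:0x4E + len(stub)] = stub
    image[0x80:0x84] = b"PE\x00\x00"
    for i in range(0x100, 0x200):                       # deterministic filler bytes
        image[i] = (i * 7) & 0xFF
    return bytes(image)


PAGE_KEY = b"DvnQkxI"   # the XOR key string reported in the diary above


if __name__ == "__main__":
    obfuscated = xor_repeating(build_sample_pe_stub(), PAGE_KEY)   # what the wire carries
    print("ciphertext looks like PE:", looks_like_pe(obfuscated))  # False
    key = recover_repeating_key(obfuscated)
    print("recovered key:", key)                                   # b'DvnQkxI'
    print("decoded looks like PE:", looks_like_pe(xor_repeating(obfuscated, key)))
```

The frequency heuristic only needs the payload to be zero-heavy in each key position, which holds for most PE files but not for packed or compressed blobs; in that case the PE check fails for every candidate length and the function returns None rather than a wrong key. The shortest-length-first search also avoids reporting the key doubled (a 7-byte key also "works" at length 14).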

———-

Brad Duncan is a Security Analyst at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net

References:

[1] http://blog.spiderlabs.com/2012/04/a-new-neighbor-in-town-the-nuclear-pack-v20-exploit-kit.html

[2] http://www.webroot.com/blog/2012/10/31/nuclear-exploit-pack-goes-2-0/

[3] http://malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html

[4] http://3.bp.blogspot.com/-iqXmOKC5Zgk/UieYOEA8jPI/AAAAAAAAA_c/nlX2cgxhyZo/s1600/screenshot_2013-09-04_020.png

[5] http://malware-traffic-analysis.net/2014/01/24/index.html

[6] http://malware-traffic-analysis.net/2014/09/29/index.html

[7] http://threatglass.com/malicious_urls/firstliving-org

[8] http://malware-traffic-analysis.net/2014/12/12/index.html


Backblaze Blog | The Life of a Cloud Backup Company: 2014 Year In Review

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Gleb Budman. Original post: at Backblaze Blog | The Life of a Cloud Backup Company


Seven years ago we started on a mission to make storing data astonishingly easy and low-cost so that no one loses their wedding photos, curated music, work files, or any of the other items from their computers. In 2014, I’m proud to say we made a good dent in that mission. Here are a few of the highlights from our 2014 year in review.

Products
We launched an Android app to complement our existing iPhone app and increased restore sizes on hard drives to 4 TB and by 2x on flash drives to 128 GB so our customers could access more of their data faster. Email Notifications and Backup Summaries ensured they knew their data was safely backed up. Our refer-a-friend program gave our customers and their friends months of Backblaze for free. We shipped upgrades to support iOS 8 and Apple OS X Mavericks, plus hundreds of smaller updates to keep improving the service for our customers.

Community
I am incredibly grateful to the community that has supported us over the years. Another 11 incredible people joined our team to help us scale, plus a few interns (one of whom just won a $100,000 national science award.)

On Twitter, Facebook, and other digital places we talked with you virtually and then met many of you in person at Macworld, RootsTech, and many other events.

We wrote 75 blog posts such as those sharing a bunch of data on hard drive reliability, the impact of temperature on a hard drive, and which hard drive SMART stats matter. Since about 1,000,000 of you read these posts, we revamped our blog platform and will strive to continue sharing learning worthy of your time reading.

Scale
The simplicity of the product our customers see hides the wild scale of the systems and operations required to support it. We introduced a new 270 TB Storage Pod this year, scaled up to store over 100,000,000 GB of customer data, and opened a huge new 500 petabyte data center. Our support team answered their 100,000th ticket. Our customers recovered over 6 billion files that would have been irretrievably lost.

Recognition
Famed consumer product reviewer Walt Mossberg recommends Backblaze and makes it his personal service. Gizmag calls Backblaze one of the easiest to use. And Deloitte ranks Backblaze the 128th fastest growing company in North America, with 917% revenue growth over five years.

Next
So with 2015 imminently arriving, where do we go? Keep focusing on making storing data astonishingly easy and low-cost. One of the things I’m incredibly proud of our team for is being able to support a 1000% increase in per-customer data storage while keeping the $5 unlimited price point unchanged. Thus, a lot of what we have planned will continue to be in the background – enhancing our massive cloud storage system to scale bigger, be more cost-efficient, and work ever better – so that our customers can continue to store more and more data, easier and easier.

A huge thank you to all of you: our customers, our community, our partners, and our employees for helping us make this happen.


Author information

Gleb Budman

Co-founder and CEO of Backblaze. Founded three prior companies. He has been a speaker at GigaOm Structure, Ignite: Lean Startup, FailCon, CloudCon; profiled by Inc. and Forbes; a mentor for Teens in Tech; and holds 5 patents on security.

Follow Gleb on: Twitter / LinkedIn / Google+


LWN.net: Tuesday’s security updates

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Mandriva has updated apache-mod_wsgi (privilege escalation).

SUSE has updated flash-player (SLED11 SP3: multiple vulnerabilities).

Errata Security: All malware defeats 90% of defenses

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

When the FBI speaks, you can tell they don’t know anything about hacking. An example is this quote by Joseph Demarest, the assistant director of the FBI’s cyberdivision:

“The malware that was used would have slipped, probably would have gotten past 90% of the net defenses that are out there today in private industry, and I would challenge to even say government”

He’s trying to show how sophisticated, organized, and unprecedented the hackers were.

This is nonsense. All malware defeats 90% of defenses. Hackers need do nothing terribly sophisticated in order to do what they did to Sony.

Take, for example, a pentest we did of a Fortune 500 financial firm. We had some USB drives made with the logo of the corporation we were pen-testing. We grabbed a flash game off the Internet, changed the graphics so that they were punching the logo of their main competitor, and put text in the Final Score screen suggesting “email this to your friends and see what they get”. We then added some malware components to it. We then dropped the USB drives in the parking lot.

This gave us everything in the company as people passed the game around. The CEO and many high-level executives ran it on their machines. Sysadmins ran it. Once we got control of the central domain controller, we got access to everything: all files, all emails, … everything.

The point I’m trying to make here is that we used relatively unsophisticated means to hack an extremely secure company. Crafting malware to get past their anti-virus defenses is trivially easy. Everything we did was easy.

The problem isn’t that hackers are sophisticated but that companies are insecure. Companies believe that anti-virus stops viruses when it doesn’t, for example. The FBI perpetuates this myth, claiming Sony hackers were sophisticated, able to get around anti-virus, when the truth is that Sony relied too much on anti-virus, so even teenagers could get around it.

The FBI perpetuates these myths because they want power. If the problem is sophisticated hackers, then there is nothing you can do to stop them. You are then helpless to defend yourself, so you need the FBI to defend you. Conversely, if the problem is crappy defense, then you can defend yourself by fixing your defenses.

Update: Here is a previous post where I add a Metasploit exploit to a PDF containing a legal brief that gets past anti-virus.