Posts tagged ‘flash’

Linux How-Tos and Linux Tutorials: Build Your Own Linux Distro

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Linux How-Tos and Linux Tutorials. Original post: at Linux How-Tos and Linux Tutorials

There are hundreds of actively maintained Linux distributions. They come in all shapes, sizes and configurations. Yet there’s none like the one you’re currently running on your computer. That’s because you’ve probably customised it to the hilt – you’ve spent numerous hours adding and removing apps and tweaking aspects of the distro to suit your workflow.

Wouldn’t it be great if you could convert your perfectly set up system into a live distro? You could carry it with you on a flash drive or even install it on other computers you use.


Read more at LinuxVoice.

LWN.net: Friday’s security updates

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

Arch Linux has updated php (multiple vulnerabilities).

Debian-LTS has updated tzdata (unspecified vulnerability).

Gentoo has updated adobe-flash (multiple vulnerabilities) and xorg-server (multiple vulnerabilities).

openSUSE has updated icecast (13.1, 13.2: denial of service) and ntop (13.1, 13.2: cross-site scripting).

Red Hat has updated java-1.8.0-oracle (RHEL6,7: multiple vulnerabilities), novnc (RHEL6 OSP; RHEL7 OSP: VNC session hijacking), openstack-foreman-installer (RHEL6 OSP: root command execution), openstack-glance (RHEL6 OSP; RHEL7 OSP: denial of service), openstack-nova (RHEL6 OSP; RHEL7 OSP: multiple vulnerabilities), openstack-packstack, openstack-puppet-modules (RHEL6 OSP; RHEL7 OSP: root command execution), openstack-swift (RHEL6 OSP; RHEL7 OSP: metadata constraint bypass), python-django-horizon, python-django-openstack-auth (RHEL6 OSP; RHEL7 OSP: denial of service), and redhat-access-plugin-openstack (RHEL6 OSP; RHEL7 OSP: information disclosure).

Ubuntu has updated apport (14.04, 14.10: privilege escalation).

LWN.net: Security updates for Thursday

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Debian has updated gst-plugins-bad0.10 (code execution), inspircd (code execution from 2012), movabletype-opensource (code execution), and ppp (denial of service).

Debian-LTS has updated ruby1.9.1 (three vulnerabilities).

Mageia has updated java-1.7.0-openjdk (multiple vulnerabilities),
mono (three SSL/TLS vulnerabilities), and
python-dulwich (two code execution flaws).

openSUSE has updated flash-player (11.4: 45 vulnerabilities) and rubygem-rest-client (13.2, 13.1: plaintext password logging).

Oracle has updated java-1.6.0-openjdk (OL5: unspecified vulnerabilities) and java-1.7.0-openjdk (OL5: unspecified vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), java-1.6.0-openjdk (RHEL5,6&7: multiple vulnerabilities), java-1.7.0-openjdk (RHEL5; RHEL6&7: multiple vulnerabilities), and java-1.8.0-openjdk (RHEL6&7: multiple vulnerabilities).

Scientific Linux has updated java-1.6.0-openjdk (SL5,6&7: multiple vulnerabilities), java-1.7.0-openjdk (SL5; SL6&7: multiple vulnerabilities), and java-1.8.0-openjdk (SL6&7: multiple vulnerabilities).

SUSE has updated flash-player (SLE11SP3: 22 vulnerabilities).

SANS Internet Storm Center, InfoCON: green: Exploit kits (still) pushing Teslacrypt ransomware, (Thu, Apr 16th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Teslacrypt is a form of ransomware that was first noted in January of this year [1]. This malware apparently targets video game-related files [2, 3, 4]. I've seen Teslacrypt dropped by the Sweet Orange exploit kit (EK) [5], and it's also been dropped by Nuclear EK [6]. McAfee saw it dropped by Angler EK last month [2].

I saw it again on Wednesday, 2015-04-15, from Nuclear EK. Let's take a look at the traffic. The image below from Wireshark shows Nuclear EK traffic being generated from a compromised WordPress site. Nuclear is hosted on a myftp.org domain.
Shown above: Wireshark display of some of this infection traffic.

A pcap of the above traffic is available at: http://www.malware-traffic-analysis.net/2015/04/15/2015-04-15-Nuclear-EK-sends-Teslacrypt.pcap

Nuclear hasn't changed dramatically since the last time we looked into it, in December 2014 [7]. The traffic patterns are very similar.

Next, Nuclear EK sent a Flash exploit.

Finally, Nuclear EK sent the malware payload. As last time, Nuclear EK obfuscated the payload by XOR-ing the binary with an ASCII string.


And here's the browser window that appeared when the user looked into making

The bitcoin address for the ransom payment is: 1FracxPs9n7pGFRqV1F61YXVr2AqWi52fs

When I first checked, no transactions had been made to that bitcoin address. Don't know if that's still the case, but anyone can check here: https://blockchain.info/address/1FracxPs9n7pGFRqV1F61YXVr2AqWi52fs

The image below shows where the malware payload copies itself. It also shows the registry key updated to keep the malware persistent on the system. This malware is available on malwr.com at the following link:

Snort signatures (Cisco/Talos) that triggered on the Teslacrypt traffic:

  • [1:33893:1] MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication

EmergingThreats and ETPRO signatures that triggered on the Teslacrypt traffic:

  • ET TROJAN Win32/Teslacrypt Ransomware HTTP CnC Beacon M1 (sid:2020717)
  • ET TROJAN Win32/Teslacrypt Ransomware HTTP CnC Beacon M2 (sid:2020718)
  • ETPRO TROJAN Win32/Teslacrypt Ransomware HTTP CnC Beacon Response (sid:2810074)

If your computer becomes infected with Teslacrypt, what should you do? Those files may be lost if you don't have a backup. Even if you pay the ransom, there's no guarantee you'll receive the decryption key.

As always, your best defense is regularly backing up your data. Without backups, you could find yourself at the mercy of this (or other) ransomware.


Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net – Twitter: @malware_traffic

References:

[1] https://nakedsecurity.sophos.com/2015/03/16/teslacrypt-ransomware-attacks-gamers-all-your-files-are-belong-to-us/
[2] https://blogs.mcafee.com/mcafee-labs/teslacrypt-joins-ransomware-field
[3] http://www.bleepingcomputer.com/forums/t/568525/new-teslacrypt-ransomware-sets-its-scope-on-video-gamers/
[4] http://labs.bromium.com/2015/03/12/achievement-locked-new-crypto-ransomware-pwns-video-gamers/
[5] http://threatglass.com/malicious_urls/bg-mamma-com
[6] http://malware-traffic-analysis.net/2015/04/03/index.html
[7] https://isc.sans.edu/diary/Exploit+Kit+Evolution+During+2014+-+Nuclear+Pack/19081

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

LWN.net: Security advisories for Wednesday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

CentOS has updated java-1.6.0-openjdk (C7; C6; C5: multiple vulnerabilities), java-1.7.0-openjdk (C7; C6; C5: multiple vulnerabilities), and java-1.8.0-openjdk (C7; C6: multiple vulnerabilities).

Debian-LTS has updated libvncserver (multiple vulnerabilities) and libx11 (code execution).

Mageia has updated arj (multiple vulnerabilities), asterisk (SSL server spoofing), flash-player-plugin (multiple vulnerabilities), glusterfs (denial of service), librsync (file checksum collision), ntp (two vulnerabilities), qemu (denial of service), quassel (denial of service), shibboleth-sp (denial of service), socat (denial of service), tor (denial of service), and wesnoth (information leak).

Oracle has updated java-1.6.0-openjdk (OL6: multiple vulnerabilities), java-1.7.0-openjdk (OL6: multiple vulnerabilities), and java-1.8.0-openjdk (OL6: multiple vulnerabilities).

Red Hat has updated flash-plugin (RHEL5,6 Supplementary: multiple vulnerabilities).

SUSE has updated Adobe Flash Player (SLEWE12, SLED12: multiple vulnerabilities).

Krebs on Security: Critical Updates for Windows, Flash, Java

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Get your patch chops on people, because chances are you’re running software from Microsoft, Adobe or Oracle that received critical security updates today. Adobe released a Flash Player update to fix at least 22 flaws, including one flaw that is being actively exploited. Microsoft pushed out 11 update bundles to fix more than two dozen bugs in Windows and associated software, including one that was publicly disclosed this month. And Oracle has an update for its Java software that addresses at least 15 flaws, all of which are exploitable remotely without any authentication.

Adobe’s patch includes a fix for a zero-day bug (CVE-2015-3043) that the company warns is already being exploited. Users of the Adobe Flash Player for Windows and Macintosh should update to Adobe Flash Player 17.0.0.169 (the current versions for other OSes are listed in the chart below).

If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to version 17.0.0.169.

Google has an update available for Chrome that fixes a slew of flaws, and I assume it includes this Flash update, although the Flash checker pages only report that I now have version 17.0.0 installed after applying the Chrome update and restarting (the Flash update released last month put that version at 17.0.0.134, so this is not particularly helpful). To force the installation of an available update, click the triple bar icon to the right of the address bar, select “About Google Chrome”, click the apply update button and restart the browser.

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

Microsoft has released 11 security bulletins this month, four of which are marked “critical,” meaning attackers or malware can exploit them to break into vulnerable systems with no help from users, save for perhaps visiting a booby-trapped or malicious Web site. The Microsoft patches fix flaws in Windows, Internet Explorer (IE), Office, and .NET.

The critical updates apply to two Windows bugs, IE, and Office. .NET updates have a history of taking forever to apply and introducing issues when applied with other patches, so I’d suggest Windows users apply all other updates, restart and then install the .NET update (if available for your system).

Oracle’s quarterly “critical patch update” plugs 15 security holes. If you have Java installed, please update it as soon as possible. Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. In the past, updating via the control panel auto-selected the installation of third-party software, so be sure to look for any pre-checked “add-ons” before proceeding with an update through the Java control panel. Also, Java 7 users should note that Oracle has ended support for Java 7 after this update. The company has been quietly migrating Java 7 users to Java 8, but if this hasn’t happened for you yet and you really need Java installed in the browser, grab a copy of Java 8. The recommended version is Java 8 Update 40.

Otherwise, seriously consider removing Java altogether. I have long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with  JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.

Schneier on Security: Two Thoughtful Essays on the Future of Privacy

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Paul Krugman argues that we’ll give up our privacy because we want to emulate the rich, who are surrounded by servants who know everything about them:

Consider the Varian rule, which says that you can forecast the future by looking at what the rich have today — that is, that what affluent people will want in the future is, in general, something like what only the truly rich can afford right now. Well, one thing that’s very clear if you spend any time around the rich — and one of the very few things that I, who by and large never worry about money, sometimes envy — is that rich people don’t wait in line. They have minions who ensure that there’s a car waiting at the curb, that the maitre-d escorts them straight to their table, that there’s a staff member to hand them their keys and their bags are already in the room.

And it’s fairly obvious how smart wristbands could replicate some of that for the merely affluent. Your reservation app provides the restaurant with the data it needs to recognize your wristband, and maybe causes your table to flash up on your watch, so you don’t mill around at the entrance, you just walk in and sit down (which already happens in Disney World.) You walk straight into the concert or movie you’ve bought tickets for, no need even to have your phone scanned. And I’m sure there’s much more — all kinds of context-specific services that you won’t even have to ask for, because systems that track you know what you’re up to and what you’re about to need.

Daniel C. Dennett and Deb Roy look at our loss of privacy in evolutionary terms, and see all sorts of adaptations coming:

The tremendous change in our world triggered by this media inundation can be summed up in a word: transparency. We can now see further, faster, and more cheaply and easily than ever before — and we can be seen. And you and I can see that everyone can see what we see, in a recursive hall of mirrors of mutual knowledge that both enables and hobbles. The age-old game of hide-and-seek that has shaped all life on the planet has suddenly shifted its playing field, its equipment and its rules. The players who cannot adjust will not last long.

The impact on our organizations and institutions will be profound. Governments, armies, churches, universities, banks and companies all evolved to thrive in a relatively murky epistemological environment, in which most knowledge was local, secrets were easily kept, and individuals were, if not blind, myopic. When these organizations suddenly find themselves exposed to daylight, they quickly discover that they can no longer rely on old methods; they must respond to the new transparency or go extinct. Just as a living cell needs an effective membrane to protect its internal machinery from the vicissitudes of the outside world, so human organizations need a protective interface between their internal affairs and the public world, and the old interfaces are losing their effectiveness.

TorrentFreak: Pirate Bay Clone Offloads Banking Trojan Via WordPress Blogs

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

After the Pirate Bay was raided last December, hundreds of clones appeared online.

Many of these sites used the open source “Open Bay” project, which allows people to set up their own clone in just a few clicks.

Now, several months later one of the clones has gone rogue. As reported by Malwarebytes, several compromised WordPress blogs are being injected with an iframe that loads thepiratebay.in.ua.

At first sight this seems odd, since the site looks just like any other Open Bay clone. However, this one is being used to offload a rather dangerous exploit kit.

“We found the real reason behind this pretty quickly. The Pirate Bay clone is actively pushing the Nuclear exploit kit with an iframe and will infect vulnerable visitors via drive-by download attacks,” Malwarebytes senior security researcher Jérôme Segura writes.


The malicious content is passed on to users’ computers via a known Flash exploit. The payload being pushed by the Pirate Bay clone is linked to a banking trojan.

Interestingly, most other sites relying on the Open Bay project are experiencing issues as well. The main oldpiratebay.org site is currently down, and other clones don’t have any content.

TF asked the people behind the Open Bay project for a comment and we will update this article if we hear back. For now, we haven’t heard any reports indicating that more Pirate Bay clones are pushing exploit kits.

At the time of writing it’s still unclear how the iframe is being injected into the WordPress sites. A likely explanation appears to be outdated WordPress code or an old plugin.

People are advised to avoid the compromised Pirate Bay clone directly and WordPress users should make sure that they’re running the latest version of the blogging platform.

“To avoid getting their sites hacked, WordPress users need to check that they are running the latest WP install and that all their plugins are up to date,” Jérôme Segura notes.

“Other proper hygiene tips such as strong passwords and avoiding public wifi when logging into your site should also be applied,” he adds.

More technical details and analyses can be found at the Malwarebytes blog.

Photo: Michael Theis

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

LWN.net: Security advisories for Wednesday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Debian has updated php5 (multiple vulnerabilities).

Fedora has updated freexl (F21; F20: denial of service) and libgcrypt (F21: two vulnerabilities).

openSUSE has updated vorbis-tools (13.2, 13.1: denial of service).

Oracle has updated freetype (OL7; OL6: multiple vulnerabilities).

Red Hat has updated flash-plugin (RHEL5,6: multiple vulnerabilities) and freetype (RHEL6,7: multiple vulnerabilities).

Ubuntu has updated libxfont (privilege escalation) and php5 (multiple vulnerabilities).

LWN.net: Tuesday’s security updates

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Debian has updated checkpw (denial of service), libxfont (privilege escalation), and tcpdump (multiple vulnerabilities).

Debian-LTS has updated gnupg (multiple vulnerabilities) and tcpdump (multiple vulnerabilities).

Gentoo has updated adobe-flash (multiple vulnerabilities) and file (multiple vulnerabilities).

Red Hat has updated kernel (RHEL6.2: multiple vulnerabilities) and kernel-rt (RHE MRG2.5: multiple vulnerabilities).

Ubuntu has updated libav (12.04: multiple vulnerabilities).

LWN.net: Security advisories for Monday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Debian has updated freetype (many vulnerabilities), gnutls26 (two vulnerabilities), icu (multiple vulnerabilities), libav (multiple vulnerabilities), and putty (information disclosure).

Debian-LTS has updated libextlib-ruby (code execution and more), libssh2 (information leak), mod-gnutls (restriction bypass), and putty (information disclosure).

Fedora has updated 389-admin (F21: multiple /tmp/ file vulnerabilities), cups-filters (F21; F20: remote command execution), gnupg (F20: multiple vulnerabilities), httpd (F21: multiple vulnerabilities), jBCrypt (F21; F20: integer overflow), kernel (F20: multiple vulnerabilities), libmspack (F21; F20: denial of service), libuv (F20: privilege escalation), nodejs (F20: privilege escalation), phpMyAdmin (F21; F20: information leak), putty (F21; F20: information disclosure), tcllib (F21: HTML injection), and v8 (F20: privilege escalation).

Gentoo has updated hivex (privilege escalation) and icu (multiple vulnerabilities).

Mageia has updated 389-ds-base (multiple vulnerabilities) and flash-player-plugin (multiple vulnerabilities).

Mandriva has updated kernel (multiple vulnerabilities), nss (multiple vulnerabilities), qemu (multiple vulnerabilities), and yaml (multiple vulnerabilities).

openSUSE has updated flashplayer (11.4: multiple vulnerabilities), chromium (13.2, 13.1: multiple vulnerabilities), and postgresql (11.4: multiple vulnerabilities).

SUSE has updated flash-player (SLED11 SP3: multiple vulnerabilities) and java-1_7_0-openjdk (SLE12: multiple vulnerabilities).

Ubuntu has updated cups-filters (14.10, 14.04: remote command execution), requests (14.10, 14.04: cookie stealing attacks), and sudo (information disclosure).

Krebs on Security: ‘AntiDetect’ Helps Thieves Hide Digital Fingerprints

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

As a greater number of banks in the United States shift to issuing more secure credit and debit cards with embedded chip technology, fraudsters are going to direct more of their attacks against online merchants. No surprise, then, that thieves increasingly are turning to an emerging set of software tools to help them evade fraud detection schemes employed by many e-commerce companies.

Every browser has a relatively unique “fingerprint” that is shared with Web sites. That signature is derived from dozens of qualities, including the computer’s operating system type, various plugins installed, the browser’s language setting and its time zone. Banks can leverage fingerprinting to flag transactions that occur from a browser the bank has never seen associated with a customer’s account.

Payment service providers and online stores often use browser fingerprinting to block transactions from browsers that have previously been associated with unauthorized sales (or a high volume of sales for the same or similar product in a short period of time).

In January, several media outlets wrote about a crimeware tool called FraudFox, which is marketed as a way to help crooks sidestep browser fingerprinting. However, FraudFox is merely the latest competitor to emerge in a fairly established marketplace of tools aimed at helping thieves cash out stolen cards at online merchants.

Another fraudster-friendly tool that’s been around the underground hacker forums even longer is called Antidetect. Currently in version 6.0.0.1, Antidetect allows users to very quickly and easily change components of their system to avoid browser fingerprinting, including the browser type (Safari, IE, Chrome, etc.), version, language, user agent, Adobe Flash version, number and type of other plugins, as well as operating system settings such as OS and processor type, time zone and screen resolution.

Antidetect is marketed to fraudsters involved in ripping off online stores.

Antidetect is marketed to fraudsters involved in ripping off online stores.

The seller of this product shared the video below of someone using Antidetect along with a stolen credit card to buy three different downloadable software titles from gaming giant Origin.com. That video has been edited for brevity and to remove sensitive information; my version also includes captions to describe what’s going on throughout the video.

In it, the fraudster uses Antidetect to generate a fresh, unique browser configuration, and then uses a bundled tool that makes it simple to proxy communications through one of hundreds of compromised systems around the world. He picks a proxy in Ontario, Canada, and then changes the time zone on his virtual machine to match Ontario’s.

Then our demonstrator goes to a carding shop and buys a credit card stolen from a woman who lives in Ontario. After he checks to ensure the card is still valid, he heads over to origin.com and uses the card to buy more than $200 in downloadable games that can be easily resold for cash. When the transactions are complete, he uses Antidetect to create a new browser configuration and restarts the entire process (which takes about 5 minutes from browser generation and proxy configuration to selecting a new card and purchasing software with it). Click the icon in the bottom right corner of the video player for the full-screen version.

I think it’s safe to say we can expect to see more complex anti-fingerprinting tools come on the cybercriminal market as fewer banks in the United States issue chipless cards. There is also no question that card-not-present fraud will spike as more banks in the US issue chipped cards; this same increase in card-not-present fraud has occurred in virtually every country that made the chip card transition, including Australia, Canada, France and the United Kingdom. The only question is: Are online merchants ready for the coming e-commerce fraud wave?
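The following is an added example (not code from Krebs’s post or from any fraud-detection product) of the two halves of what the post describes: a merchant-side fingerprint built from the kinds of browser and OS qualities listed above, and a second signal that does not depend on the browser’s self-reported attributes. The attribute names, the sample profiles and the tiny proxy-IP-to-time-zone table are all constructed for the illustration.

```python
"""Browser-fingerprint hashing plus an independent consistency check.

Added example, not code from Krebs's post or from any fraud-detection
product. The attribute names, the sample profiles and the tiny proxy
IP-to-time-zone table are all constructed for the illustration.
"""
import hashlib
import json

# The kinds of qualities the post says a fingerprint is derived from.
FINGERPRINT_KEYS = ("os", "browser", "version", "language", "user_agent",
                    "flash_version", "plugins", "timezone", "screen")


def fingerprint(attrs: dict) -> str:
    """Stable hash of the attributes: same inputs, same fingerprint."""
    canon = json.dumps({k: attrs.get(k) for k in FINGERPRINT_KEYS},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


# Constructed stand-in for a GeoIP lookup on the client (proxy) address.
IP_TIMEZONE = {"203.0.113.7": "America/Toronto", "198.51.100.9": "Europe/Moscow"}


def assess(known_fingerprints: set, attrs: dict, client_ip: str) -> list:
    """Risk flags for one checkout: a never-seen device on the account, and
    a browser time zone that does not fit where the connection comes from.
    Antidetect defeats the first signal by design; the second only catches
    an operator who forgets to align the VM clock with the proxy."""
    flags = []
    if fingerprint(attrs) not in known_fingerprints:
        flags.append("new-device")
    expected_tz = IP_TIMEZONE.get(client_ip)
    if expected_tz is None:
        flags.append("unknown-ip")
    elif expected_tz != attrs.get("timezone"):
        flags.append("timezone-ip-mismatch")
    return flags


# Constructed profiles: the cardholder's real browser and two Antidetect-style
# configurations used through a proxy in Ontario.
CARDHOLDER = {"os": "Windows 7", "browser": "Firefox", "version": "36.0",
              "language": "en-CA",
              "user_agent": "Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0",
              "flash_version": "17.0.0.134", "plugins": ["Shockwave Flash"],
              "timezone": "America/Toronto", "screen": "1366x768"}
SPOOF_ALIGNED = dict(CARDHOLDER, browser="Chrome", version="41.0",
                     user_agent="Mozilla/5.0 (Windows NT 6.3) Chrome/41.0",
                     screen="1920x1080")
SPOOF_SLOPPY = dict(SPOOF_ALIGNED, timezone="Europe/Moscow")

if __name__ == "__main__":
    seen = {fingerprint(CARDHOLDER)}
    for profile in (CARDHOLDER, SPOOF_ALIGNED, SPOOF_SLOPPY):
        print(fingerprint(profile), assess(seen, profile, "203.0.113.7"))
```

The point of the second check is that every input to the fingerprint is chosen by the client, so a tool that regenerates those inputs produces a clean “new device” every time; a signal the client does not control (here, where the proxy address sits) has to be compared against what the browser claims.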

LWN.net: Friday’s security updates

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

CentOS has updated kernel (C6: multiple vulnerabilities).

Debian has updated gnupg (multiple vulnerabilities), libgcrypt11 (multiple vulnerabilities), movabletype-opensource (multiple vulnerabilities), and nss (data smuggling).

Fedora has updated krb5 (F21: multiple vulnerabilities) and suricata (F21: multiple vulnerabilities).

Mageia has updated libarchive (M4: directory traversal), libssh2 (M4: denial of service), and qt3, qt4, qt5base (M4: denial of service).

openSUSE has updated flash-player (13.1, 13.2: multiple vulnerabilities), osc (13.1, 13.2: command injection), and wireshark (13.1, 13.2: multiple vulnerabilities).

Oracle has updated gnome-shell, clutter, cogl, mutter (O7: lock screen bypass), httpd (O7: multiple vulnerabilities), ipa (O7: multiple vulnerabilities), kernel (O7: multiple vulnerabilities), krb5 (O7: multiple vulnerabilities), libreoffice (O7: code execution), libvirt (O7: multiple vulnerabilities), qemu-kvm (O7: multiple vulnerabilities), and thunderbird (O7: multiple vulnerabilities).

SUSE has updated bind (SLE10: denial of service), flash-player (SLE12: multiple vulnerabilities), and osc (SLE12: command injection).

SANS Internet Storm Center, InfoCON: green: Malware targets home networks, (Fri, Mar 13th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Malware researchers at Trend Micro have analyzed a piece of malware that connects to the home router, scans the home network, and sends the gathered information to its command-and-control (C&C) server before deleting itself.

TROJ_VICEPASS.A pretends to be an Adobe Flash update. Once it is run, it attempts to log in to the home router's admin console using a predefined list of user names and passwords. If it succeeds, the malware scans the network for connected devices.

The malware scans for devices using HTTP, with a target IP range of 192.168.[0-6].0 to 192.168.[0-6].11; this IP range is hard-coded.

Once the scan is finished, it encodes the result using Base64 and encrypts it using a home-made encryption method. The encrypted result is sent to the C&C server over HTTP.

After sending the results to the C&C server, it deletes itself from the victim's computer. It uses the following command to do so (the single ping with a 3000 ms timeout is a delay, so the executable has exited and is no longer locked when del runs):

  • cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del %s

This type of infection can be avoided with very basic security practices, such as downloading updates and software only from trusted sources and changing the default passwords on your equipment.
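As an added illustration (not code from the diary or from Trend Micro's analysis), the block below enumerates the hard-coded target range and flags any internal host that sweeps it: many distinct addresses in that range contacted over HTTP within a short window, which is what the scan looks like from a proxy or firewall log. The log format and the sample lines are constructed; the window and threshold are assumptions to tune for your network.

```python
"""Flag VICEPASS-style sweeps of the 192.168.[0-6].0-11 range.

Added example, not part of the ISC diary or Trend Micro's analysis. It
assumes a flat log of outbound HTTP connections (timestamp, source IP,
destination IP, method, path); the sample lines are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# The hard-coded target range from the diary: 192.168.0.0 .. 192.168.6.11
# (third octet 0-6, fourth octet 0-11), 84 addresses in total.
TARGETS = frozenset(
    ipaddress.IPv4Address(f"192.168.{third}.{fourth}")
    for third in range(0, 7)
    for fourth in range(0, 12)
)


def is_target(ip: str) -> bool:
    """True if an address falls inside the malware's scan range."""
    return ipaddress.IPv4Address(ip) in TARGETS


def build_sample_log() -> list:
    """Constructed log: one host sweeps 20 addresses in the range within ten
    seconds; another host only talks to its router and a NAS outside it."""
    t0 = datetime(2015, 3, 13, 10, 0, 0)
    sweep = [f"192.168.0.{i}" for i in range(12)] + [f"192.168.1.{i}" for i in range(8)]
    lines = [f"{(t0 + timedelta(milliseconds=500 * i)).isoformat()} 192.168.1.23 {dst} GET /"
             for i, dst in enumerate(sweep)]
    lines.append(f"{(t0 + timedelta(minutes=5)).isoformat()} 192.168.1.50 192.168.1.1 GET /")
    lines.append(f"{(t0 + timedelta(minutes=6)).isoformat()} 192.168.1.50 192.168.1.200 GET /share")
    return lines


def parse(lines) -> list:
    """Turn '<ISO timestamp> <src> <dst> <method> <path>' into (ts, src, dst)."""
    events = []
    for line in lines:
        ts, src, dst, _method, _path = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts),
                       ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)))
    return events


def find_sweeps(events, window=timedelta(seconds=60), min_targets=8) -> dict:
    """Return {src: distinct in-range targets} for every source that touches
    at least min_targets distinct addresses of the range inside one window.
    A sliding window per source keeps the check linear in the log size."""
    per_src = defaultdict(list)
    for ts, src, dst in sorted(events):
        if dst in TARGETS:
            per_src[src].append((ts, dst))
    hits = {}
    for src, seq in per_src.items():
        best, lo = 0, 0
        for hi in range(len(seq)):
            while seq[hi][0] - seq[lo][0] > window:
                lo += 1
            best = max(best, len({d for _, d in seq[lo:hi + 1]}))
        if best >= min_targets:
            hits[str(src)] = best
    return hits


if __name__ == "__main__":
    print(len(TARGETS), "addresses in the scan range")
    print(find_sweeps(parse(build_sample_log())))
```

A legitimate device rarely opens HTTP connections to a dozen neighbours in a minute, so a low threshold is safe on a home network; on a larger segment, pair the count with the router's failed-login log, since the sweep only starts after the credential guessing succeeds.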

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Adobe Flash Update Plugs 11 Security Holes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe has released an update for its Flash Player software that fixes at least 11 separate, critical security vulnerabilities in the program. If you have Flash installed, please take a moment to ensure your systems are updated.

Not sure whether your browser has Flash installed or what version it may be running? Browse to this link. The newest, patched version is 17.0.0.134 for Windows and Mac users. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to version 17.0.0.134.

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

The last few Flash updates from Adobe have been in response to zero-day threats targeting previously unknown vulnerabilities in the program. But Adobe says it is not aware of any exploits in the wild for the issues addressed in this update. Adobe’s advisory on this patch is available here.

SANS Internet Storm Center, InfoCON: green: Threatglass has pcap files with exploit kit activity, (Tue, Mar 10th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Threatglass is one way to find up-to-date examples of exploit kit traffic. Not all of it is exploit kit traffic, but all of it represents some sort of malicious activity. Threatglass doesn't explain what type of traffic you're looking at in the pcaps the site provides. Let's look at a page from last week, Thursday, March 5th 2015 [1]. This one is exploit kit activity. In the image below, you'll find a link to the packet capture in the lower right-hand corner.

Download the pcap and open it in Wireshark. Use http.request as the filter, and make sure you're showing the host name in the column display.

For most exploit kits, the pattern of traffic is: landing page, then exploit (Java, Flash, Silverlight, IE, etc.), then the malware payload if the exploit is successful.

Let's look at this example by following a few TCP streams in the pcap.

When the Flash exploit works, a malware payload is sent. Currently, Nuclear Exploit Kit obfuscates the malware payload with an ASCII string. In this case, the binary was XOR-ed with an ASCII string (shown in the original screenshot).

The VirusTotal results indicate the malware is a Tofsee variant: https://www.virustotal.com/en/file/7659b2be203a34b7491c7101c0275b9e20e8d801d236817a5285c2e63e0ad0e5/analysis/

If you want a sample of the deobfuscated payload, you can get it from malwr.com at: https://malwr.com/analysis/N2U3NDUwMjQ5MWViNGZkNWFlMTBkMjkxMzExZGQxNTM/

If you have the time, review some of the other entries on Threatglass to figure out which ones are exploit kit activity, and which ones are other activity, like fake Flash installer pop-up windows. This is one of many resources online that aspiring analysts can use to build their skills.
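The two analysis steps the diary walks through (labelling the landing/exploit/payload chain from the http.request rows, then undoing the kit's repeating-key XOR on the dropped binary) can be scripted. The following is an added example written for this page, not code from the ISC diary or from Threatglass. The request list and the "dropped executable" are constructed inline so it runs offline; the host names, paths and the XOR key are placeholders, not indicators from the real capture. The key recovery relies on a general property of PE files (lots of zero padding) rather than on knowing the kit's string, so it applies to any sample obfuscated the same way.

```python
"""Exploit-kit triage helpers: chain labelling and XOR payload recovery.

Added example, not code from the ISC diary or Threatglass. The request
list and the "dropped binary" below are constructed so this runs offline;
in practice you would export Host/Content-Type per request from Wireshark
(filter: http.request) and carve the payload from its TCP stream.
"""
from collections import Counter, namedtuple
import struct

HttpRequest = namedtuple("HttpRequest", "host path content_type")

# Constructed sample of the landing -> exploit -> payload sequence.
# Hostnames are placeholders, not indicators from any real capture.
SAMPLE_REQUESTS = [
    HttpRequest("compromised.example", "/index.html", "text/html"),
    HttpRequest("compromised.example", "/js/site.js", "application/javascript"),
    HttpRequest("ek-gate.example", "/landing.php?id=abc", "text/html"),
    HttpRequest("ek-gate.example", "/exploit.swf", "application/x-shockwave-flash"),
    HttpRequest("ek-gate.example", "/payload.bin", "application/octet-stream"),
]

# Content types that usually mark the exploit and payload stages.
EXPLOIT_TYPES = {
    "application/x-shockwave-flash": "Flash",
    "application/java-archive": "Java",
    "application/x-silverlight-app": "Silverlight",
}
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}


def classify_chain(requests):
    """Label each request landing / exploit:<kind> / payload / other.

    The landing page is the first HTML document served by a host that later
    delivers an exploit; traffic from other hosts (e.g. the compromised
    referrer site) is labelled 'other'.
    """
    exploit_hosts = {r.host for r in requests if r.content_type in EXPLOIT_TYPES}
    labels, seen_landing = [], set()
    for r in requests:
        if r.content_type in EXPLOIT_TYPES:
            stage = "exploit:" + EXPLOIT_TYPES[r.content_type]
        elif r.content_type in PAYLOAD_TYPES and r.host in exploit_hosts:
            stage = "payload"
        elif (r.content_type == "text/html" and r.host in exploit_hosts
              and r.host not in seen_landing):
            stage = "landing"
            seen_landing.add(r.host)
        else:
            stage = "other"
        labels.append((stage, r.host, r.path))
    return labels


def xor_bytes(data, key):
    """Repeating-key XOR; the same call obfuscates and deobfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data):
    """True if data has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob, max_key_len=32):
    """Recover a repeating XOR key from an obfuscated PE file.

    PE files carry lots of zero padding, so for the right key length the
    most frequent ciphertext byte at each key position is key[i] ^ 0x00.
    Each candidate is validated against the PE header structure; returns
    (key, plaintext), or None if no key length up to max_key_len fits.
    """
    for key_len in range(1, max_key_len + 1):
        key = bytes(Counter(blob[i::key_len]).most_common(1)[0][0]
                    for i in range(key_len))
        plain = xor_bytes(blob, key)
        if looks_like_pe(plain):
            return key, plain
    return None


def build_sample_pe(size=4096):
    """Constructed stand-in for a dropped executable: valid MZ/PE headers,
    a few non-zero regions and the zero padding typical of real binaries."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)             # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    buf[0x84:0x88] = struct.pack("<HH", 0x14C, 3)       # i386, 3 sections
    buf[0x200:0x300] = bytes(range(256))                # "code" section
    stub = b"This program cannot be run in DOS mode."
    buf[0x400:0x400 + len(stub)] = stub
    return bytes(buf)


SAMPLE_KEY = b"nuclear_ek_15"   # constructed key, not the real kit's string
OBFUSCATED_PAYLOAD = xor_bytes(build_sample_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    for stage, host, path in classify_chain(SAMPLE_REQUESTS):
        print(f"{stage:14} {host}{path}")
    key, plain = recover_xor_key(OBFUSCATED_PAYLOAD)
    print("recovered key:", key, "| PE header ok:", looks_like_pe(plain))
```

The header check is what keeps the frequency heuristic honest: a wrong key length produces a "key" that decrypts the MZ bytes or the e_lfanew pointer inconsistently, so only the true length (or a multiple of it) validates. When a real sample has been further packed or is not a PE at all, `recover_xor_key` returns None and the stream is worth looking at by hand.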

Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net – Twitter: @malware_traffic

References:

[1]http://threatglass.com/malicious_urls/geospotrima-com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Backblaze Blog | The Life of a Cloud Backup Company: 10 Billion Files Restored and Counting…

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Andy Klein. Original post: at Backblaze Blog | The Life of a Cloud Backup Company

As an online backup provider, people pay us to backup their data so they can recover their files when needed. On March 2nd, a little after Noon Pacific Time, Backblaze reached a data recovery milestone. We restored our 10 billionth file. No alarms went off, no bells rang, no one sang the Backblaze jingle, 10 billion just happened, then 10 billion and one and then 10 billion and two and so on. In an instant 10 billion was here and gone. How fast, you ask? Let’s look at the statistics for 2015 so far:

[Chart: Average Number of Files Restored]

So in the time it took you to read this sentence, hundreds of files were restored.


In reality, there are many files being restored at the same time. We currently have 22 restore servers, locked away in our data center, working day and night, 7 days a week, restoring files. Surely, they must get a break sometimes, you ask? Yes, some days of the week are busier than others, as you can see below:

[Chart: Percentage of Restores Done Each Weekday]

Just like many of us, they get a little breather on the weekend. Perhaps when our customers do their restores, they use the office network, just sayin’.

We didn’t get to 10 billion files all at once, it took a while, years in fact. We restored our first file for a customer in June 2008, shortly after we introduced the Backblaze 1.0 Beta. It took nearly 4 years to get to 1 billion files restored. Once that happened, it has gotten a little crazy. The chart below shows how we progressed over the years up through 10 billion files today.
[Chart: Files Restored Over Time]

Projecting forward we anticipate restoring our 100 billionth file sometime in late 2020. I predict October 27th, but I could be off by a year or two either way.

Recovering Files
Backblaze customers can restore one file, a group of files or all their data, anytime they wish, with 99.1% of all restores being done by downloading the files using a web browser or the Backblaze Downloader application. On average each restore consists of 33,164 files, but interestingly restoring a single file represents 21% of all the restores being done as shown below.

[Chart: Number of Files Recovered Each Restore]

Yes, each month there are a number of customers that download a million files or more in a single restore. What’s the largest number of files we’ve restored at one time? We believe the current record is 18,006,871 files. Please note, this is not meant to be a challenge to those of you contemplating large restores.

By the way, it’s probably a good idea to break up a large restore into smaller parts and use the Backblaze Downloader. This will make for a much better download experience. Of course, you can always opt to purchase a Flash Drive or USB Hard Drive from us. Once your restore is ready, we’ll load your data on the drive and ship it to you next day at no extra charge. It’s convenient, fast, and you get to keep the drive.

Well I just checked, we’re up to 10,124,152,571 files restored and counting, but that’s what you pay us for. Restore away, and thanks.

 

Author information

Andy Klein

Andy has 20+ years experience in technology marketing. He has shared his expertise in computer security and data backup at the Federal Trade Commission, Rootstech, RSA and over 100 other events. His current passion is to get everyone to back up their data before it’s too late.

The post 10 Billion Files Restored and Counting… appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

SANS Internet Storm Center, InfoCON: green: 11 Ways To Track Your Moves When Using a Web Browser, (Tue, Feb 24th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

There are a number of different use cases for tracking users as they use a particular web site. Some of them are more sinister than others. For most web applications, some form of session tracking is required to maintain the user's state. This is typically easily done using well-configured cookies (and is not the scope of this article). Sessions are meant to be ephemeral and will not persist for long.

On the other hand, some tracking methods do attempt to track the user over a long time, and in particular attempt to make it difficult to evade the tracking. This is sometimes done for advertising purposes, but can also be done to stop certain attacks like brute forcing or to identify attackers that return to a site. In the worst case, from a privacy perspective, the tracking is done to follow a user across various web sites.

Over the years, browsers and plugins have provided a number of ways to restrict this tracking. Here are some of the more common techniques used for tracking and how the user can prevent (some of) it:

1 – Cookies

Cookies are meant to maintain state between different requests. A browser will send a cookie with each request once it is set for a particular site. From a privacy point of view, the expiration time and the domain of the cookie are the most important settings. Most browsers will reject cookies set on behalf of a different site, unless the user permits these cookies to be set. A proper session cookie should not use an expiration date, as it should expire as soon as the browser is closed. Most browsers do offer means to review, control and delete cookies. In the past, a Cookie2 header was proposed for session cookies, but this header has been deprecated and browsers stopped supporting it.

https://www.ietf.org/rfc/rfc2965.txt
http://tools.ietf.org/html/rfc6265

2 – Flash Cookies (Local Shared Objects)

Flash has its own persistence mechanism. These Flash cookies are files that can be left on the client. They can not be set on behalf of other sites (cross-origin), but one SWF script can expose the content of an LSO to other scripts, which can be used to implement cross-origin storage. The best way to prevent Flash cookies from tracking you is to disable Flash. Managing Flash cookies is tricky and typically requires special plugins.

https://helpx.adobe.com/flash-player/kb/disable-local-shared-objects-flash.html

3 – IP Address

The IP address is probably the most basic tracking mechanism of all IP-based communication, but it is not always reliable, as users' IP addresses may change at any time, and multiple users often share the same IP address. You can use various VPN products or systems like Tor to prevent your IP address from being used to track you, but this usually comes with a performance hit. Some modern JavaScript extensions (WebRTC in particular) can be used to retrieve a user's internal IP address, which can be used to resolve ambiguities introduced by NAT. But WebRTC is not yet implemented in all browsers. IPv6 may provide additional methods to use the IP address to identify users, as you are less likely to run into issues with NAT.

http://ipleak.net

4 – User Agent

The User-Agent string sent by a browser is hardly ever unique by default, but spyware sometimes modifies the User-Agent to add unique values to it. Many browsers allow adjusting the User-Agent and, more recently, browsers have started to reduce the information in the User-Agent or even made it somewhat dynamic to match the expected content. Non-spyware plugins sometimes modify the User-Agent to indicate support for specific features.

5 – Browser Fingerprinting

A web browser is hardly ever one monolithic piece of software. Instead, web browsers interact with various plugins and extensions the user may have installed. Past work has shown that the combination of plugin versions and configuration options selected by the user tends to be amazingly unique, and this technique has been used to derive unique identifiers. There is not much you can do to prevent this, other than minimizing the number of plugins you install (but that may be an indicator in itself).

https://panopticlick.eff.org

6 – Local Storage

HTML 5 offers two new ways to store data on the client: Local Storage and Session Storage. Local Storage is most useful for persistent storage on the client, and with that, user tracking. Access to local storage is limited to the site that sent the data. Some browsers implement debug features that allow the user to review the data stored. Session Storage is limited to a particular window and is removed as soon as the window is closed.

https://html.spec.whatwg.org/multipage/webstorage.html

7 – Cached Content

Browsers cache content based on the expiration headers provided by the server. A web application can include unique content in a page, and then use JavaScript to check if the content is cached or not in order to identify a user. This technique can be implemented using images, fonts or pretty much any content. It is difficult to defend against unless you routinely (e.g. on closing the browser) delete all content. Some browsers allow you to not cache any content at all. But this can cause significant performance issues. Recently Google has been seen using fonts to track users, but the technique is not new. Cached JavaScript can easily be used to set unique tracking IDs.

http://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/
http://fontfeed.com/archives/google-webfonts-the-spy-inside/

8 – Canvas Fingerprinting

This is a more recent technique and in essence a special form of browser fingerprinting. HTML 5 introduced a Canvas API that allows JavaScript to draw images in your browser. In addition, it is possible to read back the image that was created. As it turns out, font configurations and other parameters are unique enough to result in slightly different images when using identical JavaScript code to draw the image. These differences can be used to derive a browser identifier. There is not much you can do to prevent this from happening. I am not aware of a browser that allows you to disable the canvas feature, and pretty much all reasonably up-to-date browsers support it in some form.

https://securehomes.esat.kuleuven.be/~gacar/persistent/index.html

9 – Carrier Injected Headers

Verizon recently started injecting specific headers into HTTP requests to identify users. As this is done in flight, it only works for HTTP and not HTTPS. Each user is assigned a specific ID, and the ID is injected into all HTTP requests as an X-UIDH header. Verizon offers a paid service that a web site can use to retrieve demographic information about the user. But just by itself, the header can be used to track users, as it stays linked to the user for an extended time.

http://webpolicy.org/2014/10/24/how-verizons-advertising-header-works/

10 – Redirects

This is a bit of a variation on cached content tracking. If a user is redirected using a 301 (Permanent Redirect) code, then the browser will remember the redirect and pull up the target page right away, without visiting the original page first. So for example, if you click on a link to isc.sans.edu, I could redirect you to isc.sans.edu/index.html?id=sometrackingid. The next time you go to isc.sans.edu, your browser will automatically go directly to the second URL. This technique is less reliable than some of the other techniques, as browsers differ in how they cache redirects.

https://www.elie.net/blog/security/tracking-users-that-block-cookies-with-a-http-redirect

11 – Cookie Respawning / Syncing

Some of the methods above have pretty simple countermeasures. In order to make it harder for users to evade tracking, sites often combine different methods and respawn cookies. This technique is sometimes referred to as Evercookie. If the user deletes, for example, the HTTP cookie but not the Flash cookie, the Flash cookie is used to re-create the HTTP cookie on the user's next visit.

https://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab11001.pdf
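Several of the server-side mechanisms above leave marks in the HTTP exchange itself, which makes them auditable from a proxy log or a captured response. The script below is an added example written for this page, not code from the diary: it inspects one request/response pair for the cookie attributes the article singles out (expiration and domain, method 1), the carrier-injected X-UIDH request header (method 9) and a 301 that bounces the visitor to a tagged URL on the same host (method 10). The exchange it runs on is constructed inline, and the threshold for calling a cookie "persistent" is an assumption.

```python
"""Audit one HTTP exchange for long-lived tracking mechanisms.

Added example, not part of the ISC diary. Header names follow RFC 6265
and the Verizon write-up; every value below is made up for the demo.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

NOW = datetime(2015, 2, 24, tzinfo=timezone.utc)  # constructed "current" time
PERSISTENT_DAYS = 30  # assumption: longer than this is not a session cookie


def parse_set_cookie(value):
    """Return (name, attrs) for one Set-Cookie header; attr keys lowercased."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.lower()] = v
    return name, attrs


def cookie_lifetime_days(attrs, now=NOW):
    """Days until the cookie expires; None for a true session cookie."""
    if "max-age" in attrs:                      # Max-Age wins over Expires
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        exp = parsedate_to_datetime(attrs["expires"])
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return (exp - now).total_seconds() / 86400
    return None


def same_site(cookie_domain, host):
    """First-party if the Domain attribute is the host itself or a parent."""
    d = cookie_domain.lstrip(".").lower()
    return host == d or host.endswith("." + d)


def audit_exchange(url, request_headers, status, response_headers):
    """Return human-readable findings for one request/response pair."""
    host = urlsplit(url).hostname
    findings = []
    for name, _ in request_headers:
        if name.lower() == "x-uidh":
            findings.append("carrier-injected tracking header X-UIDH present on request")
    for name, value in response_headers:
        lname = name.lower()
        if lname == "location" and status == 301:
            target = urlsplit(value)
            if target.hostname in (None, host) and target.query:
                findings.append(f"301 to tagged URL on same host: {value}")
        elif lname == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            days = cookie_lifetime_days(attrs)
            if days is not None and days > PERSISTENT_DAYS:
                findings.append(f"persistent cookie {cname!r} lives {days:.0f} days")
            if "domain" in attrs and not same_site(attrs["domain"], host):
                findings.append(f"cookie {cname!r} scoped to third-party domain {attrs['domain']}")
    return findings


# Constructed exchange: a plain-HTTP fetch through a network that adds X-UIDH.
SAMPLE_URL = "http://isc.sans.edu/"
SAMPLE_REQUEST_HEADERS = [
    ("Host", "isc.sans.edu"),
    ("X-UIDH", "OTgxNTk2Nzk0YWRhZkEXAMPLE"),  # made-up value
]
SAMPLE_STATUS = 301
SAMPLE_RESPONSE_HEADERS = [
    ("Location", "http://isc.sans.edu/index.html?id=sometrackingid"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),                          # session
    ("Set-Cookie", "uid=42; Expires=Wed, 24 Feb 2016 00:00:00 GMT; Path=/"),  # 1 year
    ("Set-Cookie", "ad=xyz; Max-Age=31536000; Domain=.ads.example"),         # third-party
]

if __name__ == "__main__":
    for finding in audit_exchange(SAMPLE_URL, SAMPLE_REQUEST_HEADERS,
                                  SAMPLE_STATUS, SAMPLE_RESPONSE_HEADERS):
        print("-", finding)
```

A browser would already reject the third cookie (its Domain does not cover isc.sans.edu, as method 1 explains), but a proxy-side audit still wants to see that a site attempted it. The session cookie produces no finding because it carries neither Expires nor Max-Age.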

Any methods I missed? (I am sure there have to be a couple…)


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Matthew Garrett: Intel Boot Guard, Coreboot and user freedom

This post was syndicated from: Matthew Garrett and was written by: Matthew Garrett. Original post: at Matthew Garrett

PC World wrote an article on how the use of Intel Boot Guard by PC manufacturers is making it impossible for end-users to install replacement firmware such as Coreboot on their hardware. It’s easy to interpret this as Intel acting to restrict competition in the firmware market, but the reality is actually a little more subtle than that.

UEFI Secure Boot as a specification is still unbroken, which makes attacking the underlying firmware much more attractive. We’ve seen several presentations at security conferences lately that have demonstrated vulnerabilities that permit modification of the firmware itself. Once you can insert arbitrary code in the firmware, Secure Boot doesn’t do a great deal to protect you – the firmware could be modified to boot unsigned code, or even to modify your signed bootloader such that it backdoors the kernel on the fly.

But that’s not all. Someone with physical access to your system could reflash your system. Even if you’re paranoid enough that you X-ray your machine after every border crossing and verify that no additional components have been inserted, modified firmware could still be grabbing your disk encryption passphrase and stashing it somewhere for later examination.

Intel Boot Guard is intended to protect against this scenario. When your CPU starts up, it reads some code out of flash and executes it. With Intel Boot Guard, the CPU verifies a signature on that code before executing it[1]. The hash of the public half of the signing key is flashed into fuses on the CPU. It is the system vendor that owns this key and chooses to flash it into the CPU, not Intel.

This has genuine security benefits. It’s no longer possible for an attacker to simply modify or replace the firmware – they have to find some other way to trick it into executing arbitrary code, and over time these will be closed off. But in the process, the system vendor has prevented the user from being able to make an informed choice to replace their system firmware.

The usual argument here is that in an increasingly hostile environment, opt-in security isn’t sufficient – it’s the role of the vendor to ensure that users are as protected as possible by default, and in this case all that’s sacrificed is the ability for a few hobbyists to replace their system firmware. But this is a false dichotomy – UEFI Secure Boot demonstrated that it was entirely possible to produce a security solution that provided security benefits and still gave the user ultimate control over the code that their machine would execute.

To an extent the market will provide solutions to this. Vendors such as Purism will sell modern hardware without enabling Boot Guard. However, many people will buy hardware without consideration of this feature and only later become aware of what they’ve given up. It should never be necessary for someone to spend more money to purchase new hardware in order to obtain the freedom to run their choice of software. A future where users are obliged to run proprietary code because they can’t afford another laptop is a dystopian one.

Intel should be congratulated for taking steps to make it more difficult for attackers to compromise system firmware, but criticised for doing so in such a way that vendors are forced to choose between security and freedom. The ability to control the software that your system runs is fundamental to Free Software, and we must reject solutions that provide security at the expense of that ability. As an industry we should endeavour to identify solutions that provide both freedom and security and work with vendors to make those solutions available, and as a movement we should be doing a better job of articulating why this freedom is a fundamental part of users being able to place trust in their property.

[1] It’s slightly more complicated than that in reality, but the specifics really aren’t that interesting.


LWN.net: Security advisories for Monday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Debian has updated liblivemedia (code execution), libxml2 (regression/incomplete fix in previous update), and ntp (incomplete fix in previous update).

Debian-LTS has updated krb5 (multiple vulnerabilities), libxml2 (regression/incomplete fix in previous update), ntp (multiple vulnerabilities), sympa (information disclosure), unzip (two vulnerabilities), and wpasupplicant (command execution).

Fedora has updated e2fsprogs (F21: code execution), jasper (F21; F20: two vulnerabilities), kernel (F20: two vulnerabilities), mantis (F21; F20: multiple vulnerabilities), maradns (F20: security hardening), postgresql (F21: multiple vulnerabilities), and websvn (F21; F20: information disclosure).

Gentoo has updated adobe-flash (multiple vulnerabilities), antiword (denial of service), bind (denial of service), libav (multiple vulnerabilities), libevent (code execution), mediawiki (multiple vulnerabilities), nginx (information disclosure), and tcpdump (multiple vulnerabilities).

Mageia has updated flash-player-plugin (multiple vulnerabilities).

openSUSE has updated flash-player (13.2, 13.1; 11.4: multiple vulnerabilities), privoxy (13.2, 13.1: multiple vulnerabilities), unzip (13.2, 13.1: code execution), virtualbox (13.2, 13.1: multiple vulnerabilities), and vorbis-tools (13.2, 13.1: denial of service).

Red Hat has updated flash-plugin (RHEL5,6: multiple vulnerabilities).

SUSE has updated flash-player (SLE12: multiple vulnerabilities) and flash-player, flash-player-gnome, flash-player-kde4 (SLE11 SP3: multiple vulnerabilities).

Raspberry Pi: Xenon Death Flash: a free physics lesson

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

If you own a Raspberry Pi 2, congratulations: you’re also the proud owner of an elegant demonstration of the photoelectric effect!

At the weekend, Peter Onion, a veteran of our forums and of Raspberry Jams in Cambridge, Bletchley and surrounding areas (visible, costumed, in the background of this photo at the Christmas CamJam), discovered what we think might be the most adorable bug we’ve ever come across.

The Raspberry Pi 2 is camera-shy.

Peter’s bug report came via our forums. He’d been proudly photographing his new Raspberry Pi 2, and had discovered something peculiar: every time the flash on his camera went off, his Pi powered down.

The blip you’re seeing here is what happens when you point a xenon flash at a Pi 2.

Jonathan has spent much of the morning emitting flashes and poking an oscilloscope. We’ve found out what’s going on, and the good news is that it’s completely benign: your Pi will not suffer any permanent effects from being flashed at.

More good news: the effect only happens under VERY specific circumstances. Flashes of high-intensity, long-wave light – so laser pointers or xenon flashes in cameras – cause the device that is responsible for regulating the processor core power (it’s the chip marked U16 in the silkscreening on your Pi 2, between the USB power supply and the HDMI port – you can recognise it because it’s a bit shinier than the components around it) to get confused and make the core voltage drop. Importantly, it’s ONLY really high-intensity bursts like xenon flashes and laser pointers that will cause the issue. Other bright lights – even camera flashes using other technologies – won’t set it off. You can take your naked Pi 2 in the sunshine for a picnic or take it to a rave, and it’ll be perfectly solid. Just don’t take it on the red carpet at the Oscars. Jon is currently shining an 1800-lumen LED light at a Pi 2 on his desk: not a wobble.

This component that’s causing the issue is in a WL-CSP package: a bare silicon die which has solder balls attached. This is a picture of the underside of a similar package (enormously magnified) – each circle is a minuscule ball of solder:

[Image: underside of a WL-CSP package, showing the solder balls]

WL-CSP packaging is a common technique for more high-tech electronics parts, as it means no further packaging of the device is required. It is also the smallest physical package possible, which designers of mobile things (and people making very tiny computers) really care about.

What’s causing the component to behave so oddly? It’s the photoelectric effect, where metals emit electrons when hit by light. The video below is a really good tutorial on how that works.

What you’re seeing with Pi 2 and xenon flashes is the same effect, but in semiconductor material, not metal. Semiconductors, like metals, have free electrons which can be ‘knocked off’ by photons. Photodiodes, solar cells and phototransistors all use this effect to function. If you’d like to learn more about how a solar cell works, there’s a nice explanation here at Physics.org

Silicon junctions (the types that are responsible for making diodes and transistors and other such electronic miracles function) can be ‘upset’ by this photoelectric effect if it is large enough (i.e. if enough light of the right energy [i.e. colour] is fired at them). This seems to be what is happening to our power supply chip – somewhere in the complex silicon chip circuitry there are some transistors or diodes that malfunction when hit by high energy bursts of light, causing the power supply to ‘drop out’, so the Pi reboots.

Jonathan is actively investigating exactly what happens when U16 is flashed with a high energy pulse from a xenon flash tube, and we are also looking at possible ways to make future production Pis immune to this issue if we can – we know you like to take pictures of them.

We have found no evidence that ‘flashing’ your Pi2 with a xenon flash can cause any real damage, but we still don’t recommend doing it (it will crash or reboot, and this means you may corrupt your SD card). I’ve said it above, but it bears repeating, because I’ve seen some of you mention this in the forums and in comments sections elsewhere: common everyday light sources – e.g. bright sunlight, indoor lighting, angry cyclists* – don’t cause this to happen, so please don’t worry! 

If you need to use your Pi 2 in a situation where it might be flashed at, our advice is to cover U16 (make sure you get the sides too) – the current easy fix is to use a small blob of Sugru or Blu-Tak covering the whole component (someone in the forums used a pellet of bread: the first yeasted bug fix we have encountered), or simply put the Pi in an opaque case.

Secretly, I’m kind of hoping for another (similarly benign) bug this abstruse. I love writing this sort of post.

*Note to the paranoid on Twitter: I wasn’t clear enough here. We are referring to ourselves, not dissing you and your bike. We’re in Cambridge, and a lot of us cycle (aggressively) to and from work: we’ve been shining our bike lights at Pis for much of this morning, because they’re the brightest lights any of us own.

Krebs on Security: China To Blame in Anthem Hack?

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Bloomberg reports that U.S. federal investigators probing the theft of 80 million Social Security records and other sensitive data from insurance giant Anthem Inc. are pointing the finger at state-sponsored hackers from China. Although unconfirmed, that suspicion would explain a confidential alert the FBI circulated last week warning that Chinese hackers were targeting personally identifiable information from U.S. commercial and government networks.

According to this story from Bloomberg’s Michael Riley and Jordan Robertson, “the attack appears to follow a pattern of thefts of medical data by foreigners seeking a pathway into the personal lives and computers of a select group — defense contractors, government workers and others, according to a U.S. government official familiar with a more than year-long investigation into the evidence of a broader campaign.”

While the story is light on details, it adds a bit more context to an FBI “flash alert” that KrebsOnSecurity obtained independently last week. The alert said the FBI “has received information regarding a group of cyber actors who have compromised and stolen sensitive business information and Personally Identifiable Information (PII) from US commercial and government networks through cyber espionage.”


The alert notes that analysis of malware samples used in the attack indicate a significant amount of the computer network exploitation activities emanated from infrastructure located within China. The FBI said the tools used in the attack were referenced in open source reports on Deep Panda, a claim that also shows up in the Bloomberg piece. That story references data about Deep Panda from Atlanta-based cybersecurity firm CrowdStrike, which specializes in attributing nation state-level attacks.

According to the FBI, Deep Panda has previously used Adobe Flash zero-day exploits in order to gain initial access to victim networks. While it may be unrelated, it’s worth noting that in the past two weeks alone, Adobe has shipped no fewer than three unscheduled, emergency updates to address Flash Player vulnerabilities that were being exploited in active attacks at the time Adobe released patches.

The FBI’s flash advisory continues:

“Information obtained from victims indicates that PII was a priority target. The FBI notes that stolen PII has been used in other instances to target or otherwise facilitate various malicious activities such as financial fraud though the FBI is not aware of such activity by this group. Any activity related to this group detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.”


In its own writeup on Deep Panda from mid-2014, CrowdStrike notes that “for almost three years now, CrowdStrike has monitored DEEP PANDA targeting critical and strategic business verticals including: government, defense, financial, legal, and the telecommunications industries. At the think tanks, [we have] detected targeting of senior individuals involved in geopolitical policy issues, in particular in the China/Asia Pacific region. DEEP PANDA presents a very serious threat not just to think tanks, but also multinational financial institutions, law firms, defense contractors, and government agencies.”

Leaving aside the question of whether state-sponsored Chinese hackers were in fact behind the Anthem breach, there are still many unanswered questions about this incident, such as when did Anthem find out about it? How long did the breach last? How did the attackers break in? What can other businesses learn from this incident to protect themselves?

Steve Ragan, a journalist who writes the Salted Hash blog for CSO Online, references a document he received from a trusted source that was reportedly sent as a memo from Anthem to its clients. That memo notes that the unauthorized activity seems to date back to at least December 10, 2014. That activity apparently continued undetected until January 27, 2015, meaning the attackers had access to Anthem’s customer database for more than a month before they were discovered.

A memo sent from Anthem to its associates. Credit: Salted Hash.

The memo explains:

“On January 27, 2015, an Anthem associate, a database administrator, discovered suspicious activity – a database query running using the associate’s logon information. He had not initiated the query and immediately stopped the query and alerted Anthem’s Information Security department. It was also discovered the logon information for additional database administrators had been compromised.”

The notice from Anthem to its clients concludes that “the attacker had proficient understanding of the data platforms and successfully utilized valid database administrator logon information.”
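The memo's detection story, a database administrator noticing a query running under his own logon that he had not started, is the kind of signal a database audit trail can surface automatically. The script below is an added example written for this page, not from the Krebs post, the FBI alert or the Anthem memo. Its log format ("time user host event"), the account and host names and the per-admin baseline of usual source hosts are all constructed; real database audit logs differ, so the parser is the part to adapt. It runs two checks over the log: a privileged account connecting from a host outside its baseline, and one account holding sessions on two different hosts at the same time.

```python
"""Flag database-admin credentials used from where their owner is not.

Added example, not from the Krebs post or the Anthem memo. Log format,
account names, hosts and the baseline below are all constructed.
"""
from collections import defaultdict, namedtuple
from datetime import datetime

Event = namedtuple("Event", "time user host kind")

# Constructed baseline: the hosts each DBA account normally connects from.
KNOWN_HOSTS = {
    "dba_alice": {"ws-alice.corp.example"},
    "dba_bob": {"ws-bob.corp.example", "jump01.corp.example"},
}

# Constructed audit log: bob's credentials appear from an unexpected host
# while bob's own workstation session is still open.
SAMPLE_LOG = """\
2015-01-27T09:01:00 dba_alice ws-alice.corp.example LOGIN
2015-01-27T09:05:00 dba_bob ws-bob.corp.example LOGIN
2015-01-27T09:20:00 dba_bob ws-bob.corp.example QUERY
2015-01-27T09:31:00 dba_bob srv-web07.corp.example LOGIN
2015-01-27T09:32:00 dba_bob srv-web07.corp.example QUERY
2015-01-27T09:40:00 dba_bob ws-bob.corp.example QUERY
2015-01-27T10:00:00 dba_alice ws-alice.corp.example LOGOUT
2015-01-27T10:10:00 dba_bob srv-web07.corp.example LOGOUT
2015-01-27T10:15:00 dba_bob ws-bob.corp.example LOGOUT
"""


def parse_log(text):
    """Parse 'ISO-time user host EVENT' lines into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, kind = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, host, kind))
    return events


def unknown_host_logins(events, known=KNOWN_HOSTS):
    """Logins by a baselined privileged account from a host outside its baseline."""
    return [e for e in events
            if e.kind == "LOGIN" and e.user in known and e.host not in known[e.user]]


def concurrent_sessions(events):
    """Accounts with sessions open on two hosts at once.

    Returns (user, already_open_host, new_host, time) for each overlap;
    a DBA sitting at one workstation should not be logging in elsewhere.
    """
    open_hosts = defaultdict(set)
    alerts = []
    for e in sorted(events, key=lambda ev: ev.time):
        if e.kind == "LOGIN":
            for other in open_hosts[e.user]:
                alerts.append((e.user, other, e.host, e.time))
            open_hosts[e.user].add(e.host)
        elif e.kind == "LOGOUT":
            open_hosts[e.user].discard(e.host)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in unknown_host_logins(evs):
        print(f"{e.time} {e.user} logged in from unknown host {e.host}")
    for user, h1, h2, t in concurrent_sessions(evs):
        print(f"{t} {user} has sessions on both {h1} and {h2}")
```

Both checks are deliberately simple: the baseline is a static allowlist, and the overlap check assumes every LOGIN is eventually matched by a LOGOUT on the same host. In a real deployment the baseline would be learned from history and the overlap check would time sessions out, but the shape of the signal, a valid credential used from somewhere its owner is not, is the same one the memo describes.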

As for how the attackers broke in, perhaps the FBI’s Flash warning on Deep Panda (PDF) holds some clues.

Incidentally, infosec professionals take note: Anthem is hiring. On Feb. 4, the same day that Anthem disclosed that a breach at its “database warehouse” may have affected as many as 80 million consumers, it also posted a help wanted ad for a “Cloud Encryption Security Professional.”

Krebs on Security: Yet Another Flash Patch Fixes Zero-Day Flaw

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

For the third time in two weeks, Adobe has issued an emergency security update for its Flash Player software to fix a dangerous zero-day vulnerability that hackers already are exploiting to launch drive-by download attacks.

The newest update, version 16.0.0.305, addresses a critical security bug (CVE-2015-0313) present in the version of Flash that Adobe released on Jan. 27 (v. 16.0.0.296). Adobe said it is aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

Adobe’s advisory credits both Trend Micro and Microsoft with reporting this bug. Trend Micro published a blog post three days ago warning that the flaw was being used in malvertising attacks – booby-trapped ads uploaded by criminals to online ad networks. Trend also published a more in-depth post examining this flaw’s use in the Hanjuan Exploit Kit, a crimeware package made to be stitched into hacked Web sites and foist malware on visitors via browser plug-in flaws like this one.

To see which version of Flash you have installed, check this link. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g. Firefox or Opera).

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash. Google Chrome version 40.0.2214.111 includes this update, and is available now. To check for updates in Chrome, click the stacked three bars to the right of the address bar in Chrome, and look for a listing near the bottom that says “Update Chrome.”

As I noted in a previous Flash post, short of removing Flash altogether — which may be impractical for some users — there are intermediate solutions. Script-blocking applications like Noscript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.

My favorite in-between approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.

SANS Internet Storm Center, InfoCON: green: Adobe Flash Player Update Released, Fixing CVE 2015-0313, (Thu, Feb 5th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

An update has been released for Adobe Flash that, according to Adobe, fixes the recently discovered and exploited vulnerability CVE-2015-0313. Currently, the new version of Flash Player is only available as an auto-install update, not as a standalone download. To apply it, you need to check for updates within Adobe Flash. (Personal note: on my Mac, I have not seen the update offered yet.)

The new Flash player version that fixes the problem is 16.0.0.305. The old version is 16.0.0.296.

Adobe updated its bulletin to note the update: https://helpx.adobe.com/security/products/flash-player/apsa15-02.html


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: green: Exploit Kit Evolution – Neutrino, (Wed, Feb 4th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

This is a guest diary submitted by Brad Duncan.

In September 2014, after the Neutrino exploit kit (EK) had disappeared for 6 months, it reappeared in a different form. It was first identified as Job314 or Alter EK before Kafeine revealed in November 2014 that this traffic was a reboot of Neutrino [1].

This Storm Center diary examines Neutrino EK traffic patterns since it first appeared in the Spring of 2013.

Neutrino EK: 2013 through early 2014

Neutrino was first reported in March 2013 by Kafeine on his Malware Don't Need Coffee blog [2]. It was also reported by other sources, like Trend Micro [3].

Here's a sample of Neutrino EK from April 2013 using HTTP over port 80:

Shown above: Neutrino EK traffic from April 2013.

By the summer of 2013, we saw Neutrino use HTTP over port 8000, and the traffic patterns had evolved. Here's an example from June 2013, back when I first started blogging about malware traffic [4]:

Shown above: Neutrino EK traffic from June 18th, 2013.

In October 2013, Operation Windigo (an on-going operation that has compromised thousands of servers since 2011) switched from using the Blackhole EK to Neutrino [5].

Before Neutrino EK disappeared in March of 2014, I usually found it in traffic associated with Operation Windigo. Here are two examples from February and March 2014 [6] [7]:

Shown above: Neutrino EK traffic from February 2nd, 2014.

Shown above: Neutrino EK traffic from March 8th, 2014.

March 2014 saw some reports about the EK's author selling Neutrino [8]. Later that month, Neutrino disappeared. We stopped seeing any sort of traffic or alerts on this EK.

Neutrino EK since December 2014

After Kafeine made his announcement and EmergingThreats released new signatures for this EK, I was able to infect a few VMs. Here's an example from November 2014 [9]:

Shown above: Neutrino EK traffic from November 29th, 2014.

Traffic patterns have remained relatively consistent since Neutrino reappeared. I infected a VM on February 2nd, 2015 using this EK. Below are the HTTP requests and responses to Neutrino EK on vupwmy.dout2.eu:12998.

  • GET /hall/79249/card/81326/aspect/sport/clear/16750/mercy/flash/clutch/1760/absorb/43160/conversation/universal/
  • HTTP/1.1 200 OK (text/html) – Landing page
  • GET /choice/34831/mighty/drift/hopeful/19742/fantastic/petunia/fine/12676/background/76767/seal/74018/street/20328/
  • HTTP/1.1 200 OK (application/x-shockwave-flash) – Flash exploit
  • GET /nowhere/44312/clad/29915/bewilder/career/pass/sinister/
  • HTTP/1.1 200 OK (text/html) – No actual text, about 25 to 30 bytes of data, shows up as Malformed Packet in Wireshark.
  • GET /marble/1931/batter/21963/dear/735/yesterday/6936/familiar/37370/smart/8962/move/37885/
  • HTTP/1.1 200 OK (application/octet-stream) – Encrypted malware payload
  • GET /lord.phtml?horror=64439&push=75359&pursuit=wash&fond=monsieur&wooden=forever&content=21179&despite=liberty&stalk=shiver&faithful=10081&bold=35942
  • HTTP/1.1 404 Not Found OK (text/html)
  • GET /america/86960/seven/quiet/blur/belong/traveller/12743/gigantic/96057/trunk/69375/await/30077/cunning/39832/betray/638/
  • HTTP/1.1 404 Not Found OK (text/html)

The malware payload sent by the EK is encrypted.

Shown above: Neutrino EK sends the malware payload.
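The request chain above has a recognisable shape a defender can hunt for in proxy logs: long URL paths built only from dictionary words and integers, no file extensions, served from one host on an unusual port, with a text/html landing page followed by an application/x-shockwave-flash response and then an application/octet-stream payload. The following is an added example, not code from this diary or from SANS; it runs that heuristic over constructed log lines in an assumed "host:port METHOD path status content-type" format (a real proxy log would need its own parser). The paths reused for the malicious host are the ones listed in the capture above; the benign lines are constructed.

```python
"""Heuristic detection of a Neutrino-EK-style request chain in proxy logs.

Added example (not part of the ISC diary). The log format below is an
assumption made for this example, not a real proxy's format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample log: "<host:port> <METHOD> <path> <status> <content-type>".
# The vupwmy.dout2.eu:12998 lines reproduce the chain from the diary;
# the example.* lines are made-up benign traffic.
SAMPLE_LOG = """\
www.example.com:80 GET /news/index.html 200 text/html
www.example.com:80 GET /static/js/app.js 200 application/javascript
cdn.example.net:443 GET /media/player.swf 200 application/x-shockwave-flash
vupwmy.dout2.eu:12998 GET /hall/79249/card/81326/aspect/sport/clear/16750/mercy/flash/clutch/1760/absorb/43160/conversation/universal/ 200 text/html
vupwmy.dout2.eu:12998 GET /choice/34831/mighty/drift/hopeful/19742/fantastic/petunia/fine/12676/background/76767/seal/74018/street/20328/ 200 application/x-shockwave-flash
vupwmy.dout2.eu:12998 GET /nowhere/44312/clad/29915/bewilder/career/pass/sinister/ 200 text/html
vupwmy.dout2.eu:12998 GET /marble/1931/batter/21963/dear/735/yesterday/6936/familiar/37370/smart/8962/move/37885/ 200 application/octet-stream
downloads.example.org:443 GET /files/installer.exe 200 application/octet-stream
"""

_NUMERIC = re.compile(r"^\d+$")          # path segment that is a bare integer
_WORD = re.compile(r"^[a-z]{3,15}$")     # lowercase dictionary-style word
COMMON_PORTS = {"80", "443", "8080"}     # anything else counts as an odd port


@dataclass
class Request:
    host: str          # "host:port"
    path: str
    status: int
    content_type: str


def parse_log_line(line: str) -> Optional[Request]:
    """Parse one line of the constructed format; ignore non-GET or malformed lines."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "GET":
        return None
    host, _, path, status, ctype = parts
    try:
        return Request(host, path, int(status), ctype)
    except ValueError:
        return None


def looks_like_neutrino_path(path: str) -> bool:
    """True for long, extension-less paths mixing only words and integers."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    if len(segments) < 6:
        return False
    if not all(_NUMERIC.match(s) or _WORD.match(s) for s in segments):
        return False
    numeric = sum(1 for s in segments if _NUMERIC.match(s))
    return 0 < numeric < len(segments)   # must be a mix, not all words / all numbers


def host_indicators(requests: List[Request]) -> Set[str]:
    """Collect which stages of the chain were seen for a single host."""
    found: Set[str] = set()
    for r in requests:
        if r.status != 200 or not looks_like_neutrino_path(r.path):
            continue
        if r.content_type == "text/html":
            found.add("landing")
        elif r.content_type == "application/x-shockwave-flash":
            found.add("flash")
        elif r.content_type == "application/octet-stream":
            found.add("payload")
    port = requests[0].host.rsplit(":", 1)[-1]
    if port not in COMMON_PORTS:
        found.add("odd-port")
    return found


def detect_neutrino_chains(log_text: str) -> Dict[str, Set[str]]:
    """Return {host: indicators} for hosts serving landing + Flash + payload."""
    by_host: Dict[str, List[Request]] = defaultdict(list)
    for line in log_text.splitlines():
        req = parse_log_line(line)
        if req is not None:
            by_host[req.host].append(req)
    hits = {}
    for host, reqs in by_host.items():
        indicators = host_indicators(reqs)
        # Require the full chain so a lone .swf or .exe download does not alert.
        if {"landing", "flash", "payload"} <= indicators:
            hits[host] = indicators
    return hits


if __name__ == "__main__":
    for host, indicators in detect_neutrino_chains(SAMPLE_LOG).items():
        print(f"suspect EK host {host}: {sorted(indicators)}")
```

Requiring the whole landing/Flash/payload sequence from one host keeps a single benign SWF or binary download from alerting, while the word-and-number path test is what separates this kit's URLs from ordinary site paths.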

I extracted the malware payload from the infected VM. If you're registered with Malwr.com, you can get a copy from:

https://malwr.com/analysis/NjFjNjQyYjBkMzVhNGE4MWE4Mjc1Mzk2NmQxNjFjM2E/

This malware is similar to previous Vawtrak samples I've seen from Neutrino and Nuclear EK last month [10] [11].

Closing Thoughts

Exploit kits tend to evolve over time. You might not realize how much the EK has changed until you look back through the traffic. Neutrino EK is no exception. It evolved since it first appeared in 2013, and it significantly changed after reappearing in December 2014. It will continue to evolve, and many of us will continue to track those changes.

———-

Brad Duncan is a Security Researcher at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net

References:

[1] http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html

[2] http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html

[3] http://blog.trendmicro.com/trendlabs-security-intelligence/a-new-exploit-kit-in-neutrino/

[4] http://malware-traffic-analysis.net/2013/06/18/index.html

[5] http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

[6] http://malware-traffic-analysis.net/2014/02/02/index.html

[7] http://malware-traffic-analysis.net/2014/03/08/index.html

[8] http://news.softpedia.com/news/Neutrino-Exploit-Kit-Reportedly-Put-Up-for-Sale-by-Its-Author-430253.shtml

[9] http://www.malware-traffic-analysis.net/2014/12/01/index.html

[10] http://malware-traffic-analysis.net/2015/01/26/index.html

[11] http://www.malware-traffic-analysis.net/2015/01/29/index.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.