Entries with tag security research.

Security Researchers: Don’t Compare Every Vulnerability to Heartbleed, Shellshock

Some security researchers are berating the media and others in the security field for reaching for Heartbleed or Shellshock as the point of comparison whenever a new software flaw is discovered. In early November, Microsoft patched a serious bug in SChannel (Secure Channel) that has been present in every version of the Windows operating system since Windows 95. An IBM researcher reported the bug to Microsoft in May, and it was recently fixed. According to a recent article on securitywatch.pcmag.com, a security researcher from Tripwire referenced Heartbleed and Shellshock when discussing the Microsoft patch. The article argues that if sensationalism is needed for information security to be taken seriously, that indicates “a problem, and it’s not the bug itself.” Each vulnerability should be assessed on its own merits. Josh Feinblum, vice president of information security at Rapid7, noted that the SChannel vulnerability was not like Heartbleed. “This vulnerability poses serious theoretical risk to organizations and should be patched as soon as possible, but it does not have the same release-time impact as many of the other recently highly-publicized vulnerabilities,” he wrote. “Microsoft customers can take a deep breath before they dive head first into patching, but should make sure patching is treated at the highest priority given the potential risk if/when an exploit is successfully developed.” (PC Mag)(Rapid7 Blog)

New Service Charts Websites’ Security Issues

A new online service offers a public index of websites with known security issues, letting users check whether a site they visit has a known flaw. Project Un1c0rn (http://un1c0rn.net), developed by a group of independent developers, is a searchable index that currently covers 59,000 websites, with more to come. It focuses on servers still exposed to the Heartbleed OpenSSL vulnerability and on MongoDB and MySQL databases left open to the Internet; the developers chose these because they stem from widely deployed software and therefore account for the most widespread exposures. The developers say they are working to make Project Un1c0rn the first peer-to-peer, decentralized “exploit system,” which would let individuals host their own scanning nodes and let security researchers offer to help with fixes. (SlashDot)(Motherboard)(Project Un1c0rn)

Researchers Report Hacker Attack Campaign against US, EU Targets

Security vendor FireEye has uncovered a series of attacks against targets in Europe and the US that occurred between 29 April and 27 May. FireEye attributes the attacks to a Middle East-based group known as the Molerats, which delivered the Poison Ivy remote-access Trojan (RAT) to its victims. The group, which also engages in phishing attacks, is becoming more active, according to researchers, who traced Molerats attacks to campaigns against the BBC, an unnamed US financial institution, and government organizations in Israel, Latvia, Macedonia, New Zealand, Slovenia, Turkey, the UK, and the US. Although the attackers typically use free, commonly available malware, FireEye says the group appears to be adapting its attacks to make them harder to detect. (SlashDot)(eWeek)(FireEye)

Trojan Infects Linux, Unix Servers Worldwide

An international group of security researchers has detected a widespread Trojan campaign responsible for infecting at least 25,000 Linux and Unix servers. According to security vendor Kaspersky Lab, the finding debunks the conventional wisdom that Linux-based systems need no added security. The malware lets the attackers run a botnet of infected servers that steals credentials, redirects Web traffic to malicious sites, and sends large volumes of spam daily. The campaign, known as Operation Windigo, has been running for at least 2-1/2 years; of the servers compromised over that period, about 10,000 remain under the attackers’ control, according to security firm ESET. The researchers, from organizations including ESET, Germany’s Situation Center and CERT-Bund, and the Swedish National Infrastructure for Computing, say infected servers have been located in France, Germany, the UK, and the US. (SlashDot)(Security Week)(ESET)

Newly Found Android Botnet Is Used in Multiple Spyware Campaigns

A newly discovered mobile botnet, which researchers from security vendor FireEye describe as “one of the largest advanced mobile botnets to date,” is being used in at least 64 spyware campaigns targeting Android devices. Once an Android device is compromised, the MisoSMS malware steals the user’s text messages and e-mails them to cybercriminals in China. The infection is most prevalent on Android devices in Korea, the researchers say, and the attackers appear to be using command-and-control servers in Korea and China to retrieve the stolen messages. (SlashDot)(FireEye)

Report: Chinese Hackers Spy on Foreign Ministries

Chinese hackers reportedly eavesdropped on the computers of five European foreign ministries ahead of the September 2013 G20 Summit of finance ministers and central bank governors from 20 major global economic powers, according to research by computer security firm FireEye. The hackers reportedly used a phishing campaign with malware-tainted e-mails to load malicious code onto victims’ PCs. FireEye researchers say they monitored the hackers’ main control server for about a week in late August 2013 but lost contact when operations moved to another server. FireEye did not identify the affected nations but said all were European Union members. The company reported the attacks to the US Federal Bureau of Investigation, which has declined to comment. FireEye used technical evidence, including the language used on the control server, to conclude that the hackers are based in China. According to FireEye, the attackers are tied to the Ke3chang hacking group, which has been active since 2010 and typically targets aerospace, energy, and manufacturing firms. Whether the group is government-supported is unclear. The Chinese government has reportedly continued to deny any claims that it has hacked foreign governments. (Reuters)(CNET)(BBC)

Researcher Demonstrates Facebook Bug with Post to Zuckerberg

A Palestinian hacker, frustrated that Facebook’s White Hat program did not act on a bug he reported, demonstrated it by posting to Mark Zuckerberg’s own wall. Khalil Shreateh discovered a vulnerability that let a user post to anyone’s wall, friend or not. After his initial report, a member of the security team told him it was not a bug. He responded by posting a note on Zuckerberg’s wall, stating he had “no other choice.” Shreateh said he was immediately contacted by Facebook security seeking details of the exploit and, just as quickly, had his Facebook account disabled. Facebook says Shreateh’s report lacked the technical detail it needed to reproduce the bug. "Exploiting bugs to impact real users is not acceptable behavior for a white hat," a Facebook security engineer wrote, adding that researchers are allowed to create test accounts to aid their research. Although Facebook has a bug bounty program with a $500 minimum bounty, it is not paying Shreateh because the way he demonstrated the finding violated Facebook’s Terms of Service. Facebook admits it should have asked Shreateh for more details. “We get hundreds of reports every day. Many of our best reports come from people whose English isn't great - though this can be challenging, it's something we work with just fine and we have paid out over $1 million to hundreds of reporters,” Facebook’s Matt Jones told reporters. “We should have pushed back asking for more details here.” The bug has been fixed. “Both Facebook and Shreateh could have handled this better,” notes Larry Seltzer on ZDNet. “I hope they find a way to get Shreateh the money because he deserves it in spite of the arrogant way he demonstrated the bug.” (CNET)(ZDNet)(The Telegraph)(Khalil Shreateh Blog)

Research: Attackers Could Use Radios to Hack Energy-Industry Sensors

New research finds that industrial sensors commonly used for energy-infrastructure monitoring could be attacked from as far as 64 kilometers (about 40 miles) away with a radio transmitter. Lucas Apa and Carlos Mario Penagos, researchers with security firm IOActive, say they found numerous software vulnerabilities in the wireless automation systems used in the oil and gas industry that attackers could exploit. They did not release details of the specific vulnerabilities, citing safety concerns. Using a radio antenna, Apa and Penagos carried out several types of attacks that disrupted communications between a sensor and its base station or disabled the industrial control sensors outright. They say they exploited several classes of weakness in the devices, including unspecified configuration errors and weak cryptographic keys used to authenticate communications. An attacker could, for example, falsify readings such as pipeline pressure and volume; operators or automated systems acting on the false readings could disable the pipeline or shut down a facility, and in the worst case the result could be an explosion causing injuries or deaths. The researchers say the problems they found cannot be fixed easily. They reported their findings to the US Computer Emergency Readiness Team and plan to present them this week at the Black Hat USA security conference in Las Vegas. (PC World)(Reuters)(IOActive)
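The text does not describe the weak keys in detail, so the following is an added example, not IOActive's code and not any vendor's actual protocol. It models a sensor that authenticates each reading with a truncated HMAC under a 16-bit key, shows how two passively captured frames let an attacker recover that key offline and forge a pressure reading the base station accepts, and contrasts it with a 128-bit random key, where the same search finds nothing and a tampered frame is rejected. The frame layout, key sizes, tag length and sample readings are all constructed for illustration.

```python
"""Added example: why a short authentication key on a wireless sensor link
lets an attacker forge readings. Frame layout, key sizes and the 4-byte
truncated tag are hypothetical choices made for this illustration."""
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional, Tuple

TAG_LEN = 4                      # truncated MAC, as small radios often send
HEADER = struct.Struct(">HHH")   # sensor_id, sequence number, pressure (0.1 bar)


def make_frame(key: bytes, sensor_id: int, seq: int, pressure_dbar: int) -> bytes:
    """Sensor side: header followed by a truncated HMAC-SHA256 over the header."""
    header = HEADER.pack(sensor_id, seq, pressure_dbar)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


def verify_frame(key: bytes, frame: bytes) -> Optional[Tuple[int, int, int]]:
    """Base-station side: return (sensor_id, seq, pressure) if the tag verifies,
    None otherwise. compare_digest avoids a timing side channel on the tag."""
    header, tag = frame[:HEADER.size], frame[HEADER.size:]
    expected = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return HEADER.unpack(header)


def recover_weak_key(frames: Iterable[bytes], key_bits: int) -> Optional[bytes]:
    """Attacker side: offline brute force over a key_bits-bit key space using only
    passively captured frames. Requiring every frame to verify rules out a
    chance 4-byte tag collision on a single frame producing a false positive."""
    frames = list(frames)
    key_len = key_bits // 8
    for candidate in range(1 << key_bits):
        key = candidate.to_bytes(key_len, "big")
        if all(verify_frame(key, f) is not None for f in frames):
            return key
    return None


def demo() -> dict:
    # Weak deployment: a 16-bit key, recoverable from two captured frames.
    weak_key = b"\x13\x37"                       # constructed weak key
    captured = [make_frame(weak_key, sensor_id=7, seq=s, pressure_dbar=420)
                for s in (100, 101)]             # constructed captured traffic
    recovered = recover_weak_key(captured, key_bits=16)
    assert recovered is not None

    # With the key in hand the attacker forges "pressure dropped to 0.0 bar";
    # the base station cannot distinguish it from a genuine reading.
    forged = make_frame(recovered, sensor_id=7, seq=102, pressure_dbar=0)
    accepted = verify_frame(weak_key, forged)

    # Hardened deployment: 128-bit random key. The search is bounded to the
    # same 16-bit space so the demo terminates; the real space is infeasible.
    strong_key = os.urandom(16)
    captured_strong = [make_frame(strong_key, 7, s, 420) for s in (100, 101)]
    strong_recovered = recover_weak_key(captured_strong, key_bits=16)
    # Overwrite the pressure field of a genuine frame but keep its tag.
    genuine = captured_strong[0]
    tampered = genuine[:HEADER.size - 2] + b"\x00\x00" + genuine[HEADER.size:]

    return {
        "weak_key_recovered": recovered == weak_key,
        "forged_frame_accepted": accepted == (7, 102, 0),
        "strong_key_recovered": strong_recovered is not None,
        "tampered_strong_frame_rejected": verify_frame(strong_key, tampered) is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tag length bounds the cost of guessing a tag online, but the key length bounds the cost of recovering the key offline from captured traffic, so a short or low-entropy key undermines the MAC no matter how long the tag is. Note also that the base station above accepts any sequence number a forged frame carries; authentication alone does not stop replay, so a real deployment needs replay protection on top of a properly sized key.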

Researchers Take Rare Step, Will Publish their Car-Hacking Findings

Although researchers have probed vehicles’ software systems for years, the details are rarely released widely because of security concerns. Now, Twitter security engineer Charlie Miller and Chris Valasek, director of security intelligence for vendor IOActive, say they will this week publish a detailed 100-page white paper on their hacks of the Toyota Prius and Ford Escape and release the exploit software they developed. Among their results: making a Toyota Prius brake suddenly while traveling 80 miles an hour and disabling the brakes of a moving Ford Escape. For this research Miller and Valasek connected laptops directly to the vehicles’ internal computer networks; the hacks were not executed remotely, which would be far more dangerous. Toyota is reportedly reviewing the DARPA-funded research, and Ford is aware of it. Miller and Valasek say they are releasing their work to encourage further research into finding and fixing flaws in cars like the ones they found. (Reuters)(Forbes)

Researchers Blocked from Presenting Car-Hack Findings

Volkswagen AG has obtained a restraining order from a British high court that prohibits dissemination of research by three European computer scientists who found a way to defeat the antitheft systems of several luxury automobiles. University of Birmingham lecturer Flavio Garcia and Radboud University Nijmegen researchers Baris Ege and Roel Verdult were to have presented their work at the upcoming Usenix Security Symposium. They showed weaknesses in the antitheft systems of Audi, Bentley, Lamborghini, and Porsche vehicles by defeating the RFID transponder built into the car key. Their attack targets the algorithm the car uses to verify the identity of the ignition key, which the researchers say had already been published on the Internet in 2009. Volkswagen and French electronics firm the Thales Group sued to stop the researchers from presenting their work, contending that doing so would make the affected cars vulnerable to theft. A Radboud University Nijmegen spokesperson told the BBC that the researchers would not have released information describing how to actually steal a car and that they had informed Thales, which created the algorithm, in November 2012 so that it could eliminate the antitheft-system vulnerability. (Ars Technica)(The Associated Press @ Businessweek)(BBC)
