Language Selection

English French German Italian Portuguese Spanish

Security

DEF CON 26 Reports

Filed under
OSS
Security

Security Leftovers

Filed under
Security
  • Practical Web Cache Poisoning

    In this paper I'll show you how to compromise websites by using esoteric web features to turn their caches into exploit delivery systems, targeting everyone that makes the mistake of visiting their homepage.

    I'll illustrate and develop this technique with vulnerabilities that handed me control over numerous popular websites and frameworks, progressing from simple single-request attacks to intricate exploit chains that hijack JavaScript, pivot across cache layers, subvert social media and misdirect cloud services. I'll wrap up by discussing defense against cache poisoning, and releasing the open source Burp Suite Community extension that fueled this research.

  • IBM's proof-of-concept 'DeepLocker' malware uses AI to infect PCs
  • Hack causes pacemakers to deliver life-threatening shocks

    At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they’re implanted in patients.

  • Bad infrastructure means pacemakers can be compromised before they leave the factory

    # Windoze kills

    The new research is some of the most chilling to date. Rios and Butts have found vulnerabilities in Medtronic's infrastructure for programming and updating the pacemakers and their programming terminals (which run Windows XP!) (Windows XP!!). By attacking Medtronic's cloud infrastructure, the pair can poison all the devices as they leave the factory, or corrupt them once they're in the field.

  • Hackable implanted medical devices could cause deaths, researchers say

    To take control of the pacemaker, Rios and Butts went up the chain, hacking the system that a doctor would use to program a patient’s pacemaker. Their hack rewrote the system to replace the background with an ominous skull, but a real hack [sic] could modify the system invisibly, while ensuring that any pacemaker connected to it would be programmed with harmful instructions. “You can obviously issue a shock,” Butts said, “but you can also deny a shock.” Because the devices are implanted for a reason, he added, withholding treatment can be as damaging as active attempts to harm.

  • AWS does a guff in a bucket and exposes GoDaddy's dirty laundry

    Details included usage stats from GoDaddy, pricing and negotiated discounted rates from Amazon. More worryingly, there's also server config information, CPU specs, hostnames, operating systems and server loads.

    [...]

    GoDaddy was given a chance to plug the leaks, but after five weeks, UpGuard decided to act, as GoDaddy still hadn't locked things down.

  • Amazon AWS error exposes info on 31,000 GoDaddy servers

    Data leaks are par for the course these days, and the latest company to be involved in one is GoDaddy. The company, which says it's the world's top domain name registrar with over 18 million customers, is the subject of a new report from cybersecurity firm UpGuard that was shared exclusively with Engadget. In June, cyber risk analyst Chris Vickery discovered files containing detailed server information stored in an unsecured S3 bucket -- a cloud storage service from Amazon Web Services. A look into the files revealed multiple versions of data for over 31,000 GoDaddy systems.

  • Hackers [sic] Could Cause Havoc By Pwning Internet-Connected Irrigation Systems

    The researchers studied three different Internet of Things devices that help control irrigation and found flaws that would allow malicious hackers [sic] to turn them on remotely in an attempt to drain water. The attacks don’t rely on fancy hacking techniques or hard to find vulnerabilities, but to make a real, negative impact on a city’s water reserves, the hackers [sic] would need to take control of a lot of sprinklers. According to the researcher’s math, to empty an average water tower, hackers [sic] would need a botnet of 1,355 sprinklers; to empty a flood water reservoir, hackers [sic] would need a botnet of 23,866 sprinklers.

    The researchers say their attacks are innovative not because of the techniques, but because they don’t rely on targeting a city’s critical infrastructure itself, which is (or should be) hardened against hackers [sic]. Instead, it attacks weak Internet of Things devices connected to that infrastructure.

  • Windows BitPaymer ransomware scores a hole in one: US PGA takes a hit

    Malicious attackers have launched a Windows ransomware attack on the servers of the PGA of America golf tournament which began at the Bellerive County Club in St Louis on Thursday.

    Allan Liska, a ransomware expert from security form Recorded Future, told iTWire that the ransomware in question appeared to be BitPaymer.

  • Hacking [sic] a Brand New Mac Remotely, Right Out of the Box

    That attack, which researchers will demonstrate Thursday at the Black Hat security conference in Las Vegas, targets enterprise Macs that use Apple's Device Enrollment Program and its Mobile Device Management platform. These enterprise tools allow employees of a company to walk through the customized IT setup of a Mac themselves, even if they work in a satellite office or from home. The idea is that a company can ship Macs to its workers directly from Apple's warehouses, and the devices will automatically configure to join their corporate ecosystem after booting up for the first time and connecting to Wi-Fi.

  • In-the-wild router exploit sends unwitting users to fake banking site

    The vulnerability works against DLink DSL-2740R, DSL-2640B, DSL-2780B, DSL-2730B, and DSL-526B models that haven’t been patched in the past two years. As described in disclosures here, here, here, here, and here, the flaw allows attackers to remotely change the DNS server that connected computers use to translate domain names into IP addresses.

  • In-vehicle wireless devices are endangering emergency first responders

    In late 2016, security researcher Justin Shattuck was on assignment for an organization that was under a crippling denial-of-service attack by a large number of devices, some of which appeared to be hosted inside the network of a large European airport. As he scanned the airport’s network from the Internet—and later, with the airport operators’ permission, from inside the network—he was eventually able to confirm that the devices were indeed part of several previously unseen botnets that were delivering record-setting denial-of-service attacks on websites.

  • Breaking Down the Door to Emergency Services through Cellular IoT Gateway

    Nearly two years have passed since we first started observing cellular gateways distributing packets across the internet. Today, we are only scratching the surface of what will inevitably turn into years of future research and discoveries before the world has tackled the problem of IoT devices being deployed without security considerations. For now, this article includes the following, and will be followed up with future research and discoveries.

    • The existence of cellular IoT devices that are not properly configured is allowing attackers to easily leverage remote administration for nefarious purposes.
      • The improperly configured devices we discovered and tested had either default administration credentials (such as admin:12345), or they required no authentication at all.
    • The absence of logging capabilities on these devices ensures that nefarious activities cannot be tracked.
    • Because most of the use cases for cellular IoT are for moving fleets, devices that need tracking, or remote critical infrastructure, virtually all of them have GPS coordinates. Excessive information disclosure, such as providing GPS coordinates publicly without requiring authentication (as some devices we discovered do) is giving attackers the ability to track fleet vehicles without ever breaking the law with unauthorized access. Yes, police cars can be tracked without breaking the law.
    • There is no bias on which industries or cellular device manufacturer will fall victim to threats emerging from cellular devices. Virtually every industry that requires some form of long-range, constant connectivity is impacted (and likely, most manufacturers) as development standards apply unilaterally.
    • As of July 28, 2018, we have identified more than 100,000 devices that are impacted online. 86% of the devices identified exist within the United States.
    • Attackers have been exploiting many of these systems since August 2016, if not earlier.
    • We have a defined list of impacted Sierra Wireless makes and models, however, we believe the problem to be widespread across all manufacturers of cellular IoT devices.

Security: Crowdfense, Windows, Linux, Black Hat 2018 and More

Filed under
Security

Security: Firewalld, NSA, WPA, Supply-chain Attacks and Facebook

Filed under
Security
  • Firewalld: The Future is nftables

    Firewalld, the default firewall management tool in Red Hat Enterprise Linux and Fedora, has gained long sought support for nftables. This was announced in detail on firewalld’s project blog. The feature landed in the firewalld 0.6.0 release as the new default firewall backend.

  • How SELinux helps mitigate risk while facilitating compliance

    Many of our customers are required to meet a variety of regulatory requirements. Red Hat Enterprise Linux includes security technologies that help meet these requirements. Improving Linux security also benefits our layered products, such as Red Hat OpenShift Container Platform and Red Hat OpenStack Platform.

  • WPA3: How and why the Wi-Fi standard matters

    WPA2 has given us 14 years of secure wireless networking. WPA3 will fix a number of big problems in WPA2 and make strong security the default condition.

  • How one man could have hacked every Mac developer (73% of them, anyway)

    OK, in some ways that’s only very loosely true, when you think of all the non-Unixy stuff on top of the Darwin base layer, and we welcome your comments below to explain just how carelessly loose we have been…

    [...]

    The potential impact of a well-thought-out hack into one of the many package management ecosystems out there is a pet concern of security researcher Eric Holmes.

    Hacks against the very repositories that many of us rely upon for software updates are known in the jargon as supply-chain attacks – after all, the modern supply chain often doesn’t involve any factories, ships, trains, inventories, trucks, pallets or forklifts.

    So, Holmes decided to take a look at the supply chain for Homebrew, or Brew for short – we’re guessing he picked Brew not only because he knew it was the most popular amongst the Mac community, but also because he uses it himself.

    The results were, in a word, salutary.

  • SD Times Open-Source Project of the Week: Fizz

    In order to implement the new generation of Transport Layer Security, TLS 1.3, at Facebook, the company built a TLS library in C++ 14 called Fizz. Earlier this week, Facebook announced it was open sourcing that library.

    TLS 1.3 added several new features to make Internet traffic more secure, such as encrypting handshake methods, redesigning how secret keys are derived, and a zero round-trip connection setup.

    “We are excited to be open-sourcing Fizz to help speed up deployment of TLS 1.3 across the internet and help others make their apps and services faster and more secure,” Facebook wrote in a post.

Hardware and Wi-Fi Flaws

Filed under
Security

Patches for PostgreSQL and OpenEMR

Filed under
Security

Security Leftovers

Filed under
Security
  • People Think Their Passwords Are Too Awesome For Two Factor Authentication. They’re Wrong.
  • Security updates for Thursday
  • Let's Encrypt Now Trusted by All Major Root Programs

    Now, the CA’s root is directly trusted by almost all newer versions of operating systems, browsers, and devices. Many older versions, however, still do not directly trust Let’s Encrypt.

    While some of these are expected to be updated to trust the CA, others won’t, and it might take at least five more years until most of them cycle out of the Web ecosystem. Until that happens, Let’s Encrypt will continue to use a cross signature.

  • WPA2 flaw lets attackers easily crack WiFi passwords

    The security flaw was found, accidentally, by security researcher Jens Steube while conducting tests on the forthcoming WPA3 security protocol; in particular, on differences between WPA2's Pre-Shared Key exchange process and WPA3's Simultaneous Authentication of Equals, which will replace it. WPA3 will be much harder to attack because of this innovation, he added.

  • ​Linux kernel network TCP bug fixed

    Another day, another bit of security hysteria. This time around the usually reliable Carnegie Mellon University's CERT/CC, claimed the Linux kernel's TCP network stack could be "forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (DoS)."

  • State of Security for Open Source Web Applications 2018

    ach year, we publish a set of statistics summarizing the vulnerabilities we find in open source web applications. Our tests form part of Netsparker's quality assurance practices, during which we scan thousands of web applications and websites. This helps us to add to our security checks and continuously improve the scanner's accuracy.

    This blog post includes statistics based on security research conducted throughout 2017. But first, we take a look at why we care about open source applications, and the damage that can be caused for enterprises when they go wrong.

  • New Actor DarkHydrus Targets Middle East with Open-Source Phishing [Ed: Headline says "Open-Source Phishing," but this is actually about Microsoft Windows and Office (proprietary and full of serious bugs)]

    Government entities and educational institutions in the Middle East are under attack in an ongoing credential-harvesting campaign.

    Government entities and educational institutions in the Middle East are under attack in an ongoing credential-harvesting campaign, mounted by a newly-named threat group known as DarkHydrus. In a twist on the norm, the group is leveraging the open-source Phishery tool to carry out its dark work.

    The attacks follow a well-worn pattern, according to Palo Alto Networks’ Unit 42 group: Spear-phishing emails with attached malicious Microsoft Office documents are leveraging the “attachedTemplate” technique to load a template from a remote server.

Security Leftovers

Filed under
Security
  • Voting By Cell Phone Is A Terrible Idea, And West Virginia Is Probably The Last State That Should Try It Anyway

    So we've kind of been over this. For more than two decades now we've pointed out that electronic voting is neither private nor secure. We've also noted that despite this several-decade long conversation, many of the vendors pushing this solution are still astonishingly-bad at not only securing their products, but acknowledging that nearly every reputable security analyst and expert has warned that it's impossible to build a secure fully electronic voting system, and that if you're going to to do so anyway, at the very least you need to include a paper trail system that's not accessible via the internet.

  • Dell EMC Data Protection Advisor Versions 6.2 – 6.5 found Vulnerable to XML External Entity (XEE) Injection & DoS Crash

    An XML External Entity (XEE) injection vulnerability has been discovered in Dell’s EMC Data Protection Advisor’s version 6.4 through 6.5. This vulnerability is found in the REST API and it could allow an authenticated remote malicious attacker to compromise the affected systems by reading server files or causing a Denial of Service (DoS crash through maliciously crafted Document Type Definitions (DTDs) through the XML request.

  • DeepLocker: Here’s How AI Could ‘Help’ Malware To Attack Stealthily

    By this time, we have realized how artificial intelligence is a boon and a bane at the same time. Computers have become capable of performing things that human beings cannot. It is not tough to imagine a world where you AI could program human beings; thanks to sci-fi television series available lately.

  • DeepLocker: How AI Can Power a Stealthy New Breed of Malware

    Cybersecurity is an arms race, where attackers and defenders play a constantly evolving cat-and-mouse game. Every new era of computing has served attackers with new capabilities and vulnerabilities to execute their nefarious actions.

  • DevSecOps: 3 ways to bring developers, security together

    Applications are the heart of digital business, with code central to the infrastructure that powers it. In order to stay ahead of the digital curve, organizations must move fast and deploy code quickly, which unfortunately is often at odds with stability and security.

    With this in mind, where and how can security fit into the DevOps toolchain? And, in doing so, how can we create a path for successfully deterring threats?

  • Top 5 New Open Source Security Vulnerabilities in July 2018 [Ed: Here is Microsoft's partner WhiteSource attacking FOSS today by promoting the perception that "Open Source" = bugs]
  • DarkHydrus Relies on Open-Source Tools for Phishing Attacks [Ed: I never saw a headline blaming "proprietary tools" or "proprietary back door" for security problems, so surely this author is just eager to smear FOSS]
  • If for some reason you're still using TKIP crypto on your Wi-Fi, ditch it – Linux, Android world bug collides with it [Ed: Secret 'standards' of WPA* -- managed by a corporate consortium -- not secure, still...]

    It’s been a mildly rough week for Wi-Fi security: hard on the heels of a WPA2 weakness comes a programming cockup in the wpa_supplicant configuration tool used on Linux, Android, and other operating systems.

    The flaw can potentially be exploited by nearby eavesdroppers to recover a crucial cryptographic key exchanged between a vulnerable device and its wireless access point – and decrypt and snoop on data sent over the air without having to know the Wi-Fi password. wpa_supplicant is used by Linux distributions and Android, and a few others, to configure the Wi-Fi for computers, gadgets, and handhelds.

  • Linux vulnerability could lead to DDoS attacks

Security: Windows Back Doors Again and WPA-2 Issues

Filed under
Security
  • Key iPhone supplier is hamstrung with the debilitating WannaCry worm

    A key chip supplier for iPhones, Taiwan Semiconductor Manufacturing Co., said the virulent WannaCry ransomware worm infected its production lines over the weekend. The incident shows how the malicious malware continues to leave a wake of $100 million-plus losses 15 months after it first took flight.

  • iPhone Chipmaker Blames WannaCry Variant for Plant Closures

    Taiwan Semiconductor Manufacturing Co. said Monday that full operations have resumed after a variant of the 2017 WannaCry ransomware affected production over the weekend. The infection, which happened when a supplier connected tainted software to TSMC’s network without a virus scan, spread swiftly and hit facilities in Tainan, Hsinchu and Taichung -- home to some of the cutting-edge plants that produce Apple’s semiconductors.

  • The Beginning of the End of WPA-2 — Cracking WPA-2 Just Got a Whole Lot Easier

    Here is me cracking WPA-2 using the four-way handshake with just a Raspberry PI and a $10 wi-fi transceiver:

  • WPA-2 Hash Cracking

    WPA-2 produces a hash value as part of the four-way handshake. The password can thus be cracked using a dictionary attack...

FreeBSD has its own TCP-queue-of-death bug, easier to hose than Linux's SegmentSmack

Filed under
Security
BSD

Hard on the heels of the Linux kernel's packets-of-death attack dubbed SegmentSmack, a similar vulnerability has been disclosed and fixed in FreeBSD.

Attributed to SegmentSmack discoverer Juha-Matti Tilli of Aalto University in Finland, the FreeBSD TCP issue is related to how the operating system's networking stack reassembles segmented packets. Much in the same way Linux kernel versions 4.9 and higher can be brought down by bad network traffic, a sequence of maliciously crafted packets can also crash FreeBSD machines.

FreeBSD 10, 10.4, 11, 11.1, and 11.2 are affected, and the maintainers have released patches to mitigate the programming cockup. In the open-source operating system project's advisory for CVE-2018-6922 (Linux's SegmentSmack was assigned CVE-2018-5390), the problem was this week described as an “inefficient algorithm” involving a segment reassembly data structure.

Read more

Syndicate content

More in Tux Machines

A Look At The Windows vs. Linux Scaling Performance Up To 64 Threads With The AMD 2990WX

This past week we looked at the Windows 10 vs. Linux performance for AMD's just-launched Ryzen Threadripper 2990WX and given the interest from that then ran some Windows Server benchmarks to see if the performance of this 64-thread CPU would be more competitive to Linux. From those Windows vs. Linux tests there has been much speculation that the performance disparity is due to Windows scheduler being less optimized for high core/thread count processors and its NUMA awareness being less vetted than the Linux kernel. For getting a better idea, here are benchmarks of Windows Server 2019 preview versus Ubuntu Linux when testing varying thread/core counts for the AMD Threadripper 2990WX. Toggled via the BIOS was SMT as well as various CCX configurations and each step of the way comparing the Windows Server 2019 Build 17733 performance to that of Ubuntu 18.04 LTS with the Linux 4.18 kernel in various multi-threaded benchmarks supported under both operating systems. Read more

Kernel: RISC-V and Virtual Machine

  • RISC-V's Linux Kernel Support Is Getting Into Good Shape, Userspace Starting To Work
    The RISC-V open-source processor ISA support within the mainline kernel is getting into good shape, just a few releases after this new architecture port was originally added to the Linux Git tree. The RISC-V code for Linux 4.19 includes the ISA-mandated timers and first-level interrupt controllers, which are needed to actually get user-space up and running. Besides the RISC-V first-level interrupt controller, Linux 4.19 also adds support for SiFive's platform-level interrupt controller that interfaces with the actual devices.
  • A Hearty Batch Of KVM Updates Land In Linux 4.19
    There is a lot of new feature work for the Kernel-based Virtual Machine (KVM) within the Linux 4.19 kernel.

Kate/KTextEditor Picks Up Many Improvements To Enhance KDE Text Editing

Even with KDE's annual Akademy conference happening this past week in Vienna, KDE development has been going strong especially on the usability front. The Kate text editor and the KTextEditor component within KDE Frameworks 5 have been the largest benefactors of recent improvements. This KDE text editing code now has support for disabling syntax highlighting entirely if preferred. When using syntax highlighting, there have been many KTextEditor enhancements to improve the experience as well as improvements to the highlighting for a variety of languages from JavaScript to YAML to AppArmor files. Read more

KStars v2.9.8 released

KStars 2.9.8 is released for Windows, MacOS, and Linux. It is a hotfix release that contains bug fixes and stability improvements over the last release. Read more Also: KDE Itinerary - How did we get here?