Channel: security news – Cyber Parse – Cyber Security and Information Security

Why Google Has Yet to Fix Chromecast Flaw One Year Later

NEWS ANALYSIS: Not all public exploits get patches—and sometimes there are even good reasons why. That's the case with a flaw in Chromecast that was demonstrated at last year's Black Hat security conference. Every summer, the annual Black Hat USA security conference trots out a conga line of security experts, many of them with zero-day exploits in hand. More often than not, those exploits get fixed in a relatively short period of time after the conference ends, but not always. Case in point is a Google Chromecast security vulnerability first publicly demonstrated at the Black Hat USA event last year. Chromecast is Google's popular media streaming device. In the Arsenal tools showcase as part of Black Hat, Dan Petro, security researcher at Bishop Fox, demonstrated a Chromecast hack and tool called the Ricmote. Now a year later, Petro's Chromecast vulnerability remains unpatched and is likely to remain so for a variety of reasons. With his Chromecast hack, Petro publicly demonstrated (see the eWEEK video here) how a small Raspberry Pi ARM computer he dubbed the Ricmote could abuse Chromecast's functionality and send an arbitrary video to a Chromecast user. As part of the Chromecast takeover, Petro's device streamed Rick Astley's "Never Going to Give You Up" music video in an attack known as rickrolling, though Petro noted that any content could be sent. In an interview with Petro ahead of Black Hat 2015, he told eWEEK that from where he sits, it isn't likely that Google will fix the Ricmote vulnerability at all. Petro said there isn't a great way of fixing the flaw without impacting usability in a way that would be unacceptable for how Google wants Chromecast to work. "It's part of a design choice that Google made, and Chromecast is going to be 'rickrollable' indefinitely into the future," he said. The way the setup works is intended to make it easy for users to quickly get a Chromecast up and running, which is where the Ricmote vulnerability comes into play. 
An attacker needs to access the initial SSID broadcast from the Chromecast to execute the attack. If Google changed its setup to not enable the initial SSID broadcast, no doubt it would be more difficult for users to set up their Chromecast. In addition, for the Ricmote attack to work, the attacker needs to be relatively close to the Chromecast, so this isn't a remotely exploitable attack. Plus, there is no indication that the Ricmote gets access to user information or passwords on the Chromecast. So, while the Ricmote issue is a vulnerability that can be exploited, the exploit is more of a nuisance than an issue that could leave Chromecast owners exposed to a real risk. That's the thing about Black Hat—and vulnerability disclosure in general. The simple truth is that not every bug or vulnerability is something that really matters even if an attacker is able to exploit it. In the case of Chromecast, Google's inaction shows that it isn't really worried about the actual risk to users of being rickrolled. Despite the public demonstration at Black Hat of the vulnerability, it isn't worth the trouble of making a major usability change to Chromecast. Considering that I have yet to see any widespread reports of Ricmotes being used to inconvenience Chromecast users, I suspect that Google isn't wrong either. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

DDoS attack takes down Valve’s $18m Dota 2 International e-Sports tournament

Matches set to be played in front of thousands at Seattle's KeyArena delayed due to DDoS attack

New Rig Exploit Kit snares 1.25 million victims – thanks to Adobe Flash security flaws

Cyber crime pays: Reborn Rig Exploit Kit makes its developers $25,000 per month

Will RBS ever learn? Its latest outage was because of a DDoS attack

Bank suffers yet another IT glitch which left customers unable to access their online banking accounts

Inside the Black Hat USA 2015 Network Operations Center

VIDEO: Welcome to the Black Hat USA 2015 NOC, the nerve center for one of the most hostile technology environments on the planet. LAS VEGAS--Inside a dark neon-lit room at the Mandalay Bay Hotel here sits the...

iSIGHT Partners Continues Global Expansion

New Australian Threat Analysis Center and Sales Office Extends Reach into the Asia Pacific Japan Region and Completes the Company’s “Follow the Sun” Global Threat Analysis Capability

Dallas, TX – August 5, 2015 – iSIGHT Partners, Inc., the leading provider of cyber threat intelligence for global enterprises, today announced that it has further expanded the business within the Asia Pacific Japan (APJ) region. The company has opened both a threat analysis center and sales office in Sydney, Australia. The move enables iSIGHT Partners to locally support a rapidly growing list of APJ clients and completes the company’s 24x7 “follow the sun” model designed to provide “always on” threat analysis and access to its experts for a marquee list of customers operating globally. iSIGHT Partners already has a strong list of Australian, European and North American clients, including leading Australian banking institutions and organizations across nearly every vertical segment. The opening of the Sydney location will strengthen its ability to support clients in this region and around the world by providing:

Local access to world-class threat analysis and intelligence expertise via the Sydney office.
A true 24x7x365 “follow the sun” model for responding to client inquiries with real experts in threat analysis centers located in the United States, the Netherlands, India and now Australia.
A regional, solutions-oriented sales team with a strong track record of partnership with clients across the region.

“From the outset, we have been globally focused—with threat research teams in 16 countries around the world, including regional offices throughout Asia,” said CEO John Watters at iSIGHT Partners. “We’ve always known that cyber threats know no borders and that our clients face unique threats from their adversaries from region to region, and we’ve built our business to provide them with the clearest view into these threats as they emerge. Demand for cyber threat intelligence is rising at an astronomical rate and is now coming from every corner of the world. It will only accelerate as more enterprises recognize that they cannot counter sophisticated cyber threats through technology alone. We’re proud to be expanding our global focus and extending our leadership position in the cyber threat intelligence space.”

This latest announcement demonstrates significant market momentum for the company with a client base including seven of the top ten U.S. banks, more than 250 local, state and federal government agencies across the globe and major companies across energy, technology, healthcare, manufacturing and other sectors. In April of this year, the company announced the acquisition of Idaho-based Critical Intelligence, the leader in cyber situational awareness and threat intelligence for industrial control systems (ICS) owners and operators. That move came on the heels of the January announcement of a $30M investment by Bessemer Ventures Partners in iSIGHT Partners and its February announcement of the company’s expansion of operations in the EMEA region.

Follow iSIGHT Partners
Twitter: @iSIGHT_Partners
Blog: http://www.isightpartners.com/blog/
LinkedIn: https://www.linkedin.com/company/isight-partners

About iSIGHT Partners
iSIGHT Partners is the leading global provider of cyber threat intelligence. With more than 250 experts in 16 countries and expertise in 24 languages, only iSIGHT can deliver the full context and intent of the most damaging threats, allowing security organizations to respond faster, defend proactively and invest smarter. Find iSIGHT Partners on the web at www.iSIGHTpartners.com or email us at info@isightpartners.com.

Press Contacts:
Cohesive for iSIGHT Partners
Kate Anderson
katea@wearecohesive.com
+44 1291 626200

Source: RealWire

FTC to Use DefCon Event to Strike Back Against Robocalls

The Federal Trade Commission is using the DefCon hacker conference as the venue to build interest and technology to combat robocalls. The U.S. Federal Trade Commission receives a lot of complaints from consumers about all manner of things, but among the most common complaints are ones about automated marketing calls, known as "robocalls." The FTC has embarked on a number of initiatives over the years to combat the scourge of robocalls, even enlisting the support of the DefCon hacker conference community. At the DefCon 2014 event, the FTC ran a contest called "Zapping Rachel" to help build technology to detect robocalls. For this year's event, which starts on Aug. 6 in Las Vegas, the FTC is back with a new contest called "Robocalls: Humanity Strikes Back." "It's a challenge to the security community to create a solution to identify robocalls received on landlines and on mobile phones and then forward them to a honeypot," Patty Hsue, staff attorney in the Division of Marketing Practices at the FTC, told eWEEK. Hsue is hopeful that the 2015 "Robocalls: Humanity Strikes Back" contest will build on the success that the FTC experienced with the 2014 "Zapping Rachel" contest. That contest was a successful experience for the FTC, which is why there is a new contest this year, she said. Plus, the FTC wanted to get more security professionals interested in the topic of robocalls, which Hsue said did in fact happen. The FTC is active in an industry group called the Voice and Telephony Abuse Special Interest Group, which is a consortium of organizations looking at solutions for telephony abuse. Hsue said that as a result of the 2014 contest, the FTC was able to bring new organizations into the group. The "Robocalls: Humanity Strikes Back" contest has multiple phases. In the first phase, which closed in June, contestants had to show a preliminary approach to identifying robocalls. 
In the second phase, which will be demonstrated at this year's DefCon, the contestants need to seed the honeypot to get inbound robocalls. The FTC is offering a total of $50,000 in cash prizes as part of the contest. For the final phase of the contest, Hsue said that it's up to the contestants to determine how they will seed their honeypots. The winner will be determined based on the number of collected robocalls, as well as how well he or she explains the techniques and the uniqueness of the overall solution. At the end of the contest, the winning technology will not become open-source and the FTC will not take any ownership of the technology. Hsue emphasized that the purpose of the contest is to stimulate the market and get the word out that robocall blocking technology could be useful to consumers. "For this particular contest the IP [intellectual property] rights will remain with the contestant," she said. "Our hope is that the contestants will make the technology available by bringing it to market." Many consumers in the U.S. today put their number on the Do Not Call Registry in an effort to limit marketing calls. Hsue said that whether or not robocalls are legal or illegal has nothing to do with the Do Not Call Registry. "If you receive a robocall and you did not provide consent to receive that robocall, it's still illegal even if you never put your phone number on the Do Not Call Registry," Hsue explained. Among the many challenges in stopping robocalls is that there isn't a great mechanism in place to properly report and identify them, which Hsue said is part of the impetus for the "Robocalls: Humanity Strikes Back" contest. Building honeypots and other tools to collect robocall information will help law enforcement efforts, she added. By also collecting the actual robocall data, which is part of the 2015 DefCon contest, the FTC will have even more information available to potentially help identify the source of robocalls. 
"We receive a lot of complaints about robocalls at the FTC, and one of the issues for law enforcement is caller ID spoofing," Hsue said. "It makes it very hard to identify who is responsible for making the robocall." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Eight Reasons Why Your Server Security Is Insufficient

Conventional interconnected IT environments—whether virtualized, cloud-enabled or neither—leave organizations more vulnerable to data breaches than ever before. Why is this the case? With increasing numbers of mobile users and virtual workloads, more application programming interface (API) integrations, rich partner and cloud interconnections, and rapid application adoption, it is no longer possible to rely on zone-based perimeter security. Attack surfaces are increasing. The armored-car approach—bullet-proofing the central server/networking/storage complex—simply isn't doing the job. Even new techniques like micro-segmentation, which divides a network into smaller zones and provides protection by making security adaptive and multilayered, are unproven. What's a data center manager to do? Objective self-evaluation is necessary. eWEEK, using resources that include our own archives, information from Forrester Research and industry insight from Skyport Systems, discusses in this slide show the most common reasons why servers and data itself are still as vulnerable as ever.

Keep Dream of a Free and Open Internet Alive, Black Hat Keynoter Urges

Black Hat keynoter Jennifer Granick, director of Civil Liberties at the Stanford Center for Internet and Society, discusses the need for legal and policy change to defend Internet freedom. LAS VEGAS—Will the dream of Internet freedom be dead in 20 years? That's the question that Jennifer Granick, director of Civil Liberties at the Stanford Center for Internet and Society, discussed in an hourlong keynote at the Black Hat USA security conference here today. "I believe in the dream of a free and open Internet, and I believe in the freedom to tinker," Granick said. Granick has spent much of the last decade defending security researchers, including Black Hat founder Jeff Moss, from the perils of the U.S. judicial system, and she's seen some trends emerge over that time that worry her. In her view, the Internet has become, either through neglect or evolutionary trends, more centralized and regulated than ever before. Looking out 20 years into the future, Granick worries that Internet users won't be aware of technology decisions made by others that impact their rights and privacy. "Software will decide whether a car runs over you or off a bridge," she said. "Things will happen and no one will really know why." Granick sees the Internet becoming more like TV, so instead of a global conversation, it will become a one-way tool, and rather than being about enabling revolution, it will be used to reinforce existing power structures. "Instead of routing around censorship, the Internet is facilitating surveillance, censorship and control," she said. All is not lost though, and changes can be made now by asking the right questions. Among the questions posed by Granick: Should we be worrying more about a terrorist attack in New York or the ability of journalists to tell stories? How much free speech does a society really need? Can we use technology to adjust the balance of power between people and governments so we can get privacy back? 
Granick emphasized that it's important to be able to "tinker"—that is, to be able to hack, manipulate and understand the technology we use. That said, she has seen laws like the Computer Fraud and Abuse Act (CFAA) limit the ability of security researchers and others to understand technology. "Understanding technology is necessary in a democratic society," Granick said. "In the next 20 years, we'll have more devices and software will be in everything, and if we can't study it, we'll be surrounded by black boxes that do things that we can't understand." Granick stressed that privacy is essential to liberty, and that the reality is that now is the golden age of surveillance. In her view, laws have fallen short of protecting privacy, instead enabling surveillance. "Security is often about power. Those in power want it and want to deny it [security] to others," she said. In the final analysis, to keep the dream of a free and open Internet alive, Granick said that we need to worry about the right issues and not be driven by unsubstantiated fears. The dream of Internet privacy can be enabled with end-to-end encryption that is in the hands of users and laws that protect the rights of users. "Humans are way more afraid of sharks than cows, but cows kill eight times more people than sharks—it's true, look it up," Granick said. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Funtenna Malware Can Use Airwaves to Steal Data

LAS VEGAS—Airwaves are used every day to transmit data via known wireless protocols, but what if a device could be manipulated to transmit a non-WiFi signal that no one knew about? At the Black Hat USA security conference here, Ang Cui, founder of Red Balloon Security, demonstrated and provided great detail on a proof-of-concept security attack called the Funtenna. "Funtenna is malware that intentionally causes compromising emanation," Cui said. Emanation is a form of radio frequency (RF) signal that is leaked from an electrical device or cable. So, for example, Cui was able to demonstrate how, with a tiny bit of Funtenna code, he could get a low-cost laser printer to emanate a signal that could be encoded with information. That signal could then be picked up by an AM radio and demodulated to recover the encoded information. In contrast with WiFi, the Funtenna signal is not monitored or protected by organizations, Cui said. If someone wanted to exfiltrate data from a secret location without anyone knowing it, Funtenna could one day be an option. Funtenna can potentially make use of multiple forms of acoustic, subacoustic and even ultrasonic signals. Cui noted that there was some evidence in the leaked U.S. National Security Agency documents from whistleblower Edward Snowden that the spy agency has a similar form of radio transmission technology. Cui noted, however, that the NSA needed hardware to be installed, while Funtenna is software and makes use of cables on a device to emanate the required signal. "So say there is a secret location that you want to exfiltrate data from and you need something non-obvious, so you won't get caught," Cui said. "With Funtenna, you can exfiltrate with only software that can evaporate when it's done." Beyond just the leaked NSA documents, Cui noted that there is a rich history of academic papers about data emanation potential. 
One such paper, published in December 2013 and co-authored by Adi Shamir, is titled "RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis." Cui noted, however, that the majority of the prior research was about taking a faint, accidentally leaked signal and capturing it with a big, powerful receiver. Funtenna is a bit different in that the signal is intentionally created and can be picked up with a low-power device. Cui explained that Funtenna can be used to emanate a signal by turning GPIO (General Purpose Input/Output) or UART (Universal Asynchronous Receiver/Transmitter) pins on a device on and off. In a live demo with a Pantum P250W wireless monochrome laser printer, Cui showed how Funtenna code could in fact emanate a signal that could be picked up on a regular handheld AM radio. Cui is planning on providing another demo of Funtenna at the DefCon conference on Aug. 8. The Funtenna code is also set to be publicly available at funtenna.org and in a Github repository. "The key takeaway here is that Funtenna works," Cui said. "And network defenses like IPS [Intrusion Prevention System] and firewalls are no substitute for full host-based defenses. Here with Funtenna I can beat the best network detection in the world with just an AM radio," Cui added. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Watering Hole Campaign Compromises More Than 50 Companies

Further research into one China-linked espionage group finds a network of more than 100 Websites, serving a variety of industries and government agencies, that have been compromised to infect targets with espionage trojans. An espionage group with links to China has systematically infected more than 100 Web destinations that are popular with a variety of industries and government agencies as part of a scheme to infect sensitive targets, managed-security firm Dell SecureWorks said on Aug. 5. The team of spies, which Dell labeled "Threat Group 3390" and which security firm CrowdStrike calls "Emissary Panda," use sophisticated methods and detailed planning to infiltrate targets, Andrew White, senior security researcher with Dell SecureWorks' Counter Threat Unit, told eWEEK. By knowing which Websites their targets visit and compromising those sites, Threat Group 3390 has infected more than 50 companies in the automotive, electronic, aeronautical, pharmaceutical and oil-and-gas industries. "They collect information on what data is on the network, and then they come back with a shopping list of what they are interested in, and exfiltrate the data," White said. Espionage attacks have taken off in the past year. China-linked hackers have been tied to the breach of the Office of Personnel Management, which led to the exfiltration of files detailing the background checks on more than 22 million federal employees, contractors and job applicants. The same group has also been implicated in the breaches of health care insurer Anthem and United Airlines. The group investigated by Dell SecureWorks is not new, but many of the details of their watering hole strategy were not previously known, White said. Security firm CrowdStrike noted the group's focus on embassies and dubbed it Emissary Panda. While sophisticated, the group does not appear to exploit zero-day vulnerabilities, software flaws that have not yet been reported nor fixed, according to Dell SecureWorks' White. 
Instead, the attackers recycle exploits for software flaws that may be months, or even years, old. "The exploits that they are using to get into these companies are nothing special," he said. "They count on companies not keeping their software up to date." Dell SecureWorks believes that, even with 100 documented Web compromises, "it is seeing just a sliver of TG–3390's activity," according to the firm's analysis. The researchers linked the group to China through an accumulation of circumstantial evidence, including the use of the PlugX remote access trojan, or RAT, popular in China; the group's operating hours, which match China's daytime working hours; and the use of the Baidu search engine for reconnaissance. The attackers also compromised an Uyghur cultural Website to use as a watering hole. The Chinese government has historically had an interest in the ethnic minority group. Dell SecureWorks advised companies to look beyond just perimeter and endpoint defenses. Delving into access logs, especially privileged access logs, can help detect when attackers are moving from machine to machine inside the network perimeter. Restricting access to sensitive data and watching for the wholesale copying of information can also lead to earlier detection of breaches and limit the impact of a breach. "There are a lot of things that companies can do to make it harder for the actor to move around, once they are inside," White said.

Chilean Service Provider IIA Selects Flexiant Cloud Orchestrator to Deliver Cloud Services

Flexiant delivered IIA a complete cloud orchestration platform to get them to market quicklySantiago, Chile and London, UK - August 6, 2015 - Chilean service provider, IIA, has selected Flexiant Cloud Orchestrator to power its new cloud services. With ...

Skyscape Cloud Services Announces Latest Wave Of Price Cuts

Skyscape's customers to benefit from savings of 50% per year, with reductions applied retrospectively from 1st August 2015

London - August 6, 2015 - Skyscape Cloud Services Limited, the easy to adopt, easy to use and easy to leave assured cloud services company, has today announced further price cuts to its accredited cloud solutions. The company's customers will now benefit from a reduction of up to 50 percent for additional storage provided as part of Skyscape's Compute-as-a-Service offering, across both its Assured OFFICIAL and Elevated OFFICIAL cloud platforms, with reductions backdated to 1st August 2015. Skyscape has reduced the price of its Compute-as-a-Service storage offering by over 70 percent this year. On average, these latest pricing reductions could save Skyscape customers more than £9,000 per year, based on current consumption levels. The data storage provided as part of Skyscape's Compute-as-a-Service solution is now being used to host over a petabyte (1 million gigabytes) of data, in addition to the many petabytes currently hosted on Skyscape's Cloud Storage platform. "Due to increasing demand from our UK public sector customers and our successful community of more than 160 partner organisations, the Skyscape assured cloud platform has achieved unprecedented scale," said Simon Hansford, CEO of Skyscape Cloud Services. "We're delighted that our continued growth and success means that we can pass on these economies of scale to our customers, many of which face significant budget cuts as part of the 2015 Spending Review."

Skyscape's new prices will make its services even more cost-effective for public sector organisations to store sensitive data, without compromising on security. The UK sovereign firm is one of the industry's most highly-accredited cloud services providers and, with only UK-based data centres, its customers' data is never subject to foreign jurisdictional issues. Skyscape also continues to provide the cheapest connectivity options for data transfer between its platform and a customer's environment - including free PSN connectivity - ensuring that not only is data stored securely but it doesn't cost a fortune for customers to access it. Hansford continued: "We're committed to delivering demonstrable value to our customers and have always offered genuine pay-by-the-hour consumption pricing models as standard. Thanks to our growth - which has been accelerated by the opportunities afforded to SMEs by initiatives such as the G-Cloud Framework - this latest wave of cost reductions is the seventh we've been able to pass on to our customers since we first launched our services on the first G-Cloud iteration in 2012." Skyscape recently announced that it is embarking on an aggressive recruitment drive to support the company's expansion in the UK public sector market. Further information can be found on the Skyscape careers page at www.skyscapecloud.com/careers.

About Skyscape Cloud Services
Skyscape's assured cloud solutions have been specifically designed to meet the needs of the UK public sector, delivering UK sovereign services that are easy to adopt, easy to use and easy to leave, with genuine pay-by-the-hour consumption models. As a UK SME, Skyscape has won a number of high-profile contracts via the G-Cloud Framework and through its large number of channel partners that embed Skyscape's cloud platform in their solutions. Skyscape's full range of services are Pan Government Accredited (PGA) up to IL3, hence suitable for all data at OFFICIAL (including OFFICIAL-SENSITIVE) and connected to government networks including the Public Services Network (PSN), the N3 health network and others. Its services are delivered with leading technologies from the Skyscape Cloud Alliance Partners: QinetiQ, VMware, Cisco, EMC and Ark Data Centres. Skyscape has been named a "Cool Vendor" by analyst firm Gartner. To learn more about Skyscape, visit www.skyscapecloud.com or follow on twitter @skyscapecloud

Media Contacts
Stacey Nardozzi/Charlotte Martin
Johnson King, a Finn Partners Company
+44 (0)20 7401 7968
SkyscapeTeam@johnsonking.co.uk

Source: RealWire

Context researchers warn of compromises to corporate networks via Windows Updates at Black Hat USA

You have 1 malicious update ready to install…

6 August 2015: Yesterday at Black Hat USA, researchers from UK-based Context Information Security demonstrated how Windows Update can be abused for internal attacks on corporate networks by exploiting insecurely configured enterprise implementations of Windows Server Update Services (WSUS). WSUS allows admins to co-ordinate software updates to servers and desktops throughout their organisations, but the Microsoft default install for WSUS is to use HTTP and not SSL-encrypted HTTPS delivery. By exploiting this weakness, the Context researchers were able to use low-privileged access rights to set up fake updates that installed automatically. These updates could potentially download a Trojan or other malware and be used to set up admin access with a false user name and password. Any Windows computer that fetches updates from a WSUS server using a non-HTTPS URL is vulnerable. “It’s a simple case of a common configuration problem,” says Paul Stone, principal consultant at Context and one of the presenters at Black Hat yesterday. “While Microsoft does not enforce SSL for WSUS, it presents the option and most companies will go through this extra stage to use HTTPS. But for those that don’t it presents an opportunity for an administrator to compromise complete corporate networks in one go.” Organisations can quickly find out if they are vulnerable by checking the WSUS group policy settings, while it is possible to check if an individual machine is incorrectly configured by looking at the appropriate registry keys. If the URL does not start with https, then the computer is vulnerable to the injection attack. 

While following Microsoft’s guidelines to use SSL for WSUS will protect against the described attacks, Context also suggests that there are further ‘defence in depth’ mitigations that could be implemented by Microsoft to provide further protection. “Using a separate signing certificate for Windows Update would increase protection and the update metadata itself could be signed by Microsoft to prevent tampering,” says Alex Chapman, principal consultant at Context and joint presenter at Black Hat. “Signing the tags that contain the main detail of the updates with a Microsoft certificate would avoid the necessity of setting up a trust relationship between the client and WSUS server.” During the Black Hat presentation, the Context researchers also raised concerns about third-party drivers installed via Windows Update. There are over 25,000 potential USB drivers that can be downloaded – although this list includes many duplicates, generic drivers and obsolete versions. “We have started to download and investigate some 2,284 third-party drivers,” said Stone. “Our concern is that when plugging in a USB device, some of these drivers may have vulnerabilities that could be exploited for malicious purposes. Everyone is familiar with the 'searching for Drivers' and ‘Windows Update’ dialog boxes on their desktops – but these seemingly innocuous windows may be hiding some serious threats.”

A detailed paper to accompany the Black Hat presentation entitled ‘Compromising the Windows Enterprise via Windows Update’ can be downloaded at: http://www.contextis.com/news/new-paper-released-compromising-windows-enterprise/
Paul Stone’s biography is available at: https://www.blackhat.com/us-15/speakers/Paul-Stone.html
Alex Chapman’s biography is available at: https://www.blackhat.com/us-15/speakers/Alex-Chapman.html

About Context
Established in 1998, Context’s client base includes some of the world’s most high profile blue chip companies, alongside public sector and government organisations, for technical assurance, incident response and investigation services. An exceptional level of technical expertise underpins all Context services, while a detailed and comprehensive approach helps clients to attain a deeper understanding of security vulnerabilities, threats or incidents. Context is also at the forefront of research and development in security technology. As well as publishing white papers and blogs addressing current and emerging security threats and trends, Context consultants frequently present at open and closed industry events around the world. Context delivers a comprehensive portfolio of advanced technical services and, with offices in the UK, Germany and Australia, is ideally placed to work with clients worldwide. www.contextis.com

For more information for editors, please contact:
Allie Andrews, PRPR, Tel +44 (0)1442 245030, allie@prpr.co.uk

Source: RealWire
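One way to run the per-machine check the release describes, as an added example that is not Context's code: it reads the WSUS client policy values (assumed here to be the standard WUServer, WUStatusServer and AU\UseWUServer registry values) and flags any server URL whose scheme is not https.

```powershell
# Added audit script (not from Context's paper or presentation). Assumes the
# standard WSUS client policy values under HKLM\SOFTWARE\Policies\Microsoft\
# Windows\WindowsUpdate; run it on the Windows client being checked.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

function Get-WsusTransportState {
    # Classify one WSUS URL: only an https scheme protects the update
    # metadata and content against on-path tampering.
    param([string]$Url)
    if ([string]::IsNullOrWhiteSpace($Url)) { return 'NotSet' }
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return 'Malformed'
    }
    if ($uri.Scheme -eq 'https') { return 'Secure' }
    return 'Insecure'
}

$policy  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
$useWsus = (Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue).UseWUServer

if (-not $policy -or $useWsus -ne 1) {
    Write-Output 'No WSUS server is enforced by policy; this client updates from Microsoft directly.'
    exit 0
}

# WUServer serves update metadata and content; WUStatusServer receives client reports.
$findings = foreach ($name in 'WUServer', 'WUStatusServer') {
    $url = $policy.$name
    [pscustomobject]@{
        Setting = $name
        State   = Get-WsusTransportState -Url $url
        Url     = $url
    }
}
$findings | Format-Table -AutoSize

if ($findings.State -contains 'Insecure') {
    Write-Warning 'WSUS is reached over plain HTTP: enable SSL on the WSUS server and change the policy URL to https.'
    exit 1
}
```

The non-zero exit code lets the script be scheduled across a fleet and the failing hosts collected centrally; the same URL check applies to the "Specify intranet Microsoft update service location" group policy setting that populates these values.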

Computop and ACI Worldwide partner to offer eCommerce merchants integrated online payments and fraud solution

London, England - August 06, 2015 - Computop, a leading global payment service provider (PSP), has signed an agreement with global payments specialist ACI Worldwide to provide merchants with an integrated online payments and fraud prevention solution powered by ACI's ReD Shield, a premier card-not-present (CNP) fraud detection and prevention solution for eCommerce merchants. The new service will offer merchants unique insight into their fraud risk and online customer activity, helping them to combat fraud and increase conversion rates.

While 3D Secure* (3DS) authentication is a successful and established fraud prevention scheme in the card-not-present environment, some merchants say it contributes to so-called ‘basket abandonment' (i.e. shoppers abandoning an online purchase before proceeding to pay), and therefore to a reduction in sales. By using Computop Paygate integrated with ReD Shield, merchants will be able to make an informed choice about whether or not to refer a transaction to 3D Secure. All transactions will undergo a thorough risk assessment ahead of any potential call out for 3DS authentication. If the transaction is low risk, the merchant may choose to approve it without calling out to 3DS. If it is high risk, it can be declined automatically, avoiding the need to request a 3DS authentication. If the level of risk is ambiguous, then a request can be made for further validation through 3DS, via ReD Shield. This process will give those merchants that have ‘basket abandonment' concerns the freedom to choose which transactions warrant the added protection of 3DS.

Ralf Gladis, CEO and co-founder, Computop, said, "ReD Shield adds great value to Computop's fraud solutions. Its in-depth statistics and manual review interface will help our customers simultaneously avoid fraud and improve conversion. What we are offering here is a contextual fraud prevention solution to help assess and act on risk factors before merchants are at the point of no return."

Andy McDonald, European sales director, Payments and Fraud, ACI Worldwide, added, "We are delighted to partner with Computop. As eCommerce sales continue to rise globally, a growing number of merchants and PSPs recognise the benefits of a reliable online fraud prevention solution, delivered by expert risk analysts and informed by global fraud intelligence. Our solution not only offers a highly sophisticated level of fraud prevention, but enables eCommerce merchants to exercise choice over authentication processes, offering a better customer experience and increasing online sales."

Note to editors:

*3D Secure authentication is a fraud prevention scheme that is available to all companies using Computop's payment platform. It allows shoppers to assign a password to their card that is then verified whenever a payment is processed through a shop that supports 3D Secure. The addition of password protection allows extra security on transactions that are processed online. The scheme is a collective of Verified by VISA (VBV) and MasterCard SecureCode (MSC). 3D Secure offers companies liability cover for transactions that are verified by checks.

About ACI Worldwide

ACI Worldwide, the Universal Payments company, powers electronic payments and banking for more than 5,600 financial institutions, retailers, billers and processors around the world. ACI software processes $13 trillion each day in payments and securities transactions for more than 300 of the leading global retailers, and 18 of the top 20 banks worldwide. Through our comprehensive suite of software products and hosted services, we deliver a broad range of solutions for payment processing; card and merchant management; online banking; mobile, branch and voice banking; fraud detection; trade finance; and electronic bill presentment and payment. To learn more about ACI, please visit www.aciworldwide.com. You can also find us on Twitter @ACI_Worldwide.

About Computop Paygate

Computop Paygate is a PCI-certified payment platform that provides multichannel service providers and retailers with secure payment solutions and efficient fraud prevention for international markets. With just one interface needed, Computop Paygate allows retailers access to over 150 payment methods and acquiring banks, including all relevant local and international payment options for e-commerce, m-commerce and Point of Sale (POS). Leading e-commerce solutions from the likes of Demandware, Gambio, hybris, Intershop, Magento, Oxid eSales, SAP Business ByDesign and Websale all support Computop Paygate as a preferred payment service solution for global payment processing. In addition, Computop offers Computop Paygate as a white label solution to banks and payment service providers, enabling them to provide their customers with secure and seamless payment processing.

About Computop

Computop is a leading global payment service provider (PSP) that provides compliant and secure solutions in the fields of e-commerce, PoS, m-commerce and Mail Order and Telephone Order (MOTO). The company, founded in 1997, is headquartered in Bamberg, Germany, with additional independent sales offices in China, the UK and the US. Computop processes transactions totalling $13+ billion per year for its client network of over 4,000 large international merchants within industries such as retail, travel and gaming. Global customers include C&A, Fossil, Metro Cash & Carry, Rakuten, Samsung and Swarovski. Following the recent asset deal with the Otto Group, Computop Paygate is now processing payments for all merchants that previously used EOS Payment, including all 100 Otto retail brands. In cooperation with its network of financial and technology partners, which it has expanded over many years, Computop offers a comprehensive multichannel solution that is geared to the needs of today's market and provides merchants with seamlessly integrated payment processes.

Please visit www.computop.com and www.youtube.de/ComputopTV.

For further information please contact:

Charlotte Hanson, Ascendant Communications, for Computop, Tel: +44 (0) 208 334 8041, E-mail: chanson@ascendcomms.net

Katrin Boettger, Senior PR Adviser, ACI Worldwide, Tel: +44 (0) 7776 147 910

Source: RealWire

Windows Update vulnerability puts corporate networks at risk from malicious insiders, warn researchers

Windows Update 'may be hiding some serious threats' claim Context security researchers

Researchers Demo How They Hacked a Jeep Remotely: Black Hat

Two researchers prove hacking a car remotely is possible and detail how they found and exposed flaws, which led Chrysler to recall 1.4 million vehicles.

LAS VEGAS—Every year, there is one marquee session at the Black Hat USA conference that captures the imagination of the public like no other. At this year's conference here, it was the remote car hacking attack, which led Fiat Chrysler Automobiles (FCA) to recall 1.4 million autos.

In front of an overflowing room, Twitter security researcher Charles Miller and IOActive Director of Vehicle Security Research Chris Valasek took great pleasure in a highly entertaining hour-long session detailing the steps and the outcome of their car hacking research.

"Please stop saying that whatever you have is unhackable; you're going to look silly," Valasek said. Many security experts had said remote car hacking was not possible, Valasek said. Yet he and Miller proved otherwise.

Still, it wasn't easy, Valasek said. The two researchers spent a year figuring things out and tried multiple approaches. The first thing they looked at was the optional in-vehicle WiFi, a service for which FCA car owners can pay. FCA uses WPA2 encryption, which is robust, but the company uses a pseudo-random password-generation sequence that potentially could be guessed, though it would be highly impractical to attack in practice, Miller said. "You'd have to drive next to the car you're trying to attack for an hour," Miller quipped.

FCA's Uconnect entertainment system, however, also makes use of cellular connections, which are typically on by default. This represented a better target for Miller and Valasek. Running a simple scan using the open-source Nmap port mapping tool, the researchers found that port 6667 was open. Port 6667 on a normal server is used for Internet Relay Chat (IRC), but on a Jeep it's used for something called D-Bus, an interprocess communications mechanism.

"D-Bus can require authentication, but the Jeep implementation did not," Miller said. Miller then used a program called D-Feet to look at services connected to D-Bus and discovered that D-Bus was running as root, meaning it has full access rights to connected systems. So with just four lines of Python code, a command could potentially be executed on the vehicle to perform operations. Miller and Valasek had to do additional work to enable the controller area network (CAN) message bus on the vehicle, which is connected to steering, brakes and other functions, to receive and properly execute their D-Bus messages.

At multiple points in the research, Miller said he broke the infotainment system and brought the Jeep into his Chrysler dealer. "I gotta say this, Chrysler stands behind its products," Miller said, as he showed a picture of himself and his Jeep at a dealer garage. Each time Miller took the Jeep to the dealer and they asked what happened, all he said was, "I don't know, the screen just went all black."

While the research was done on Miller's own Jeep, which, he was quick to note, he still drives today, the impact is massive because of the remote hacking capability. From a scanning perspective, the two researchers were able to figure out an IP range used by FCA for Uconnect in order to find potentially vulnerable vehicles.

FCA has now patched the cars, and perhaps even more importantly, Sprint, FCA's cellular carrier, is blocking access to port 6667, Valasek said. As a result, it's no longer possible to perform a remote hack on FCA vehicles. Miller and Valasek both said they were proud of the fact that their work was able to have a real-world impact and that the issue has been patched and is no longer exploitable.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

OPM Wins Pwnie for Most Epic Fail at Black Hat Awards Show

LAS VEGAS—The annual Pwnie Awards at the Black Hat USA conference here celebrate the best security vulnerabilities found by researchers and also ridicule the worst security responses. The Pwnies are a somewhat satirical event that doesn't take itself all that seriously, but it does represent a snapshot of the year that was in security. The name "Pwnie" comes from the hacker vernacular "to pwn," which is the process of taking over or owning a target. The actual award given at the Pwnie show is a My Little Pony child's toy with a Black Hat logo emblazoned on its posterior.

One of the many categories at the Pwnie Awards is Most Epic Fail, with this year's nominees including the Ashley Madison and U.S. Office of Personnel Management (OPM) hacks. OPM came away with this year's Most Epic Fail award, as the hack of its systems put 25.7 million Americans at risk. OPM first admitted it was hacked on June 4, and over the course of the following weeks the true extent of the breach, and OPM's mismanagement, became known.

Another popular Pwnie category is the Pwnie for Epic 0wnage, awarded to the company or group that was most completely taken over and embarrassed in an attack. OPM was nominated for this award as well, as was security vendor Kaspersky Lab thanks to the Duqu 2.0 malware, which Kaspersky admitted on June 10 had infiltrated its own network. "Kaspersky sees Duqu wherever they look, even their own network," remarked Pwnie judge Dino Dai Zovi. Beating out both OPM and Kaspersky Lab for the Epic 0wnage award, however, was Italian security firm Hacking Team, which itself was hacked in July, leading to the disclosure of 400GB of data, including multiple zero-day vulnerabilities in Microsoft and Adobe applications.

Security hype is what the Most Overhyped Bug Pwnie award is all about, and this year's award went to the Shellshock bug that impacted Linux systems in September 2014.

The Pwnie Awards also celebrate the best in research, and this year the Pwnie for Most Innovative Research went to the team of researchers from Inria, Microsoft Research, Johns Hopkins University, the University of Michigan and the University of Pennsylvania that disclosed the Logjam SSL/TLS vulnerability in May.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Black Hat Researchers Hack Rifle for Fun


New Techniques Could Prevent Use-After-Free Exploits: Black Hat

The single most pervasive class of zero-day flaw is use-after-free (UAF), but new research from HP detailed at Black Hat could change that and eliminate many UAF bugs.

LAS VEGAS—Use-after-free memory flaws regularly impact Microsoft's Windows operating system and Internet Explorer Web browser, but thanks to new research from Hewlett-Packard, that could soon change. Brian Gorenc, manager of vulnerability research for HP Security Research, detailed his research at a session at the Black Hat USA conference here Aug. 6 that could curb use-after-free (UAF) attacks. The research was also given to Microsoft earlier this year as a submission to the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense Program, which resulted in a $125,000 award for HP's researchers.

UAF is a class of memory flaws in which a program keeps using memory after it has been freed, enabling an attacker to make use of memory that normally should not be accessible to an unauthorized application. With UAF, attackers have the potential to execute arbitrary code and take over a system.

HP looked at how UAF vulnerabilities work and researched how isolated heap memory protection works on Windows and how objects are located on a system, Gorenc told eWEEK. "We started looking at Microsoft's memory protection techniques for weakness, and we found several techniques for bypassing the isolated heap," he said. One of the things that HP discovered was that the isolated heap doesn't properly keep track of different object types, which is one potential path to exploitation using a technique known as type confusion. One mitigation that HP recommends is randomized heap allocations, which diminish the effectiveness of type confusion attacks, Gorenc said.

Going a step further, Gorenc and his team were able to use the isolated heap to bypass Microsoft's address space layout randomization (ASLR) feature. "So we used one memory mitigation against another memory mitigation in order to make exploitation easier," he said.

HP is also suggesting a mitigation to prevent the ASLR bypass technique, with an approach Gorenc calls entropy-dependent loading of software libraries. "With the entropy dependent approach, we're limiting the available memory region where objects can be loaded," he said. "The result is that there is only one location where a module can be loaded, where it can be checked."

HP provided Microsoft with multiple mitigations to help protect against the issues that Gorenc discussed at Black Hat. Some of the mitigations have been implemented, though not all; the ASLR bypass technique is still possible, he said. If Microsoft implemented all the mitigations suggested by HP, UAF exploitation on the isolated heap would be a lot more difficult, if not impossible, he said.

Gorenc helps run HP's Zero Day Initiative (ZDI), which purchases vulnerabilities from researchers. With some mitigations already implemented, he said he has already seen a drop in UAF submissions against Microsoft.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.