Slashdot Mirror

chicksdaddy writes with a post in Threat Post. From the article: "Dillon Beresford used a presentation at the Black Hat Briefings on Wednesday to detail more software vulnerabilities affecting industrial controllers from Siemens, including a serious remotely exploitable denial of service vulnerability, more hard-coded administrative passwords, and even an easter egg program buried in the code that runs industrial machinery around the globe. In an interview Tuesday evening, Beresford said he has reported 18 separate issues to Siemens and to officials at ICS CERT, the Computer Emergency Response Team for the Industrial Control Sector. Siemens said it is readying a patch for some of the holes, including one that would allow a remote attacker to gain administrative control over machinery controlled by certain models of its Step 7 industrial control software."

chicksdaddy writes with a post in Threat Post. From the article: "Dillon Beresford used a presentation at the Black Hat Briefings on Wednesday to detail more software vulnerabilities affecting industrial controllers from Siemens, including a serious remotely exploitable denial of service vulnerability, more hard-coded administrative passwords, and even an easter egg program buried in the code that runs industrial machinery around the globe. In an interview Tuesday evening, Beresford said he has reported 18 separate issues to Siemens and to officials at ICS CERT, the Computer Emergency Response Team for the Industrial Control Sector. Siemens said it is readying a patch for some of the holes, including one that would allow a remote attacker to gain administrative control over machinery controlled by certain models of its Step 7 industrial control software."

Trailrunner7 writes "In the face of mounting external pressure to begin paying bug bounties, Microsoft is instead launching a new program that will pay a $200,000 top prize to a security researcher who develops the most innovative defensive security technology. The program is designed to 'inspire researchers to focus their talents on defensive technologies,' the company said. Known as the Blue Hat Prize, after the company's regular internal research conferences, the program will focus in its first year on getting researchers to design a novel runtime technology to defend against memory safety vulnerabilities. Microsoft security officials said that rather than paying for individual bugs the way that some other companies such as Google, Mozilla and others do, they wanted to encourage researchers to think about ways to defeat entire classes of bugs."

Trailrunner7 writes "Researchers from IBM's ISS X-Force plan to unveil a new system for running an open wireless network in a secure mode at the Black Hat conference here this week. The system mimics the way that Web sites browsers use digital certificates to establish a trusted connection with one another. X-Force researchers have been working on the system for a while now and the company plans to demonstrate the technology on Thursday during the conference. One of the main problems with public wireless networks is that they're susceptible to a number of simple attacks, including passive sniffing and man-in-the-middle. The X-Force system is designed to get around these problems by using a digital certificate to assure users that they are communicating with the wireless hotspot that they think they are."

Trailrunner7 writes "Former HBGary Federal CEO Aaron Barr says he will withdraw from a planned appearance at the DEFCON conference in the face of threatened legal action over his plans to take part in a panel discussion there. Barr notified DEFCON organizers on Wednesday that he was withdrawing from the Aug. 6 panel discussion after attorneys representing HBGary Federal threatened to file an injunction against him if he did not withdraw from the panel immediately. The incident is just the latest in a series of conflicts between Barr and HBGary Federal following attacks by the anarchic hacking group Anonymous on February 5."

Trailrunner7 writes "Reports that Iran had recovered from the infection of the Stuxnet worm may have been overblown, as a new report suggests the country is being forced to replace thousands of expensive centrifuges damaged by the worm. The report from the website DEBKAfile cites 'intelligence sources' in claiming that Stuxnet was not purged from Iran's nuclear sites and that the country was never able to return its uranium enrichment efforts to 'normal operation.' Instead, the country has said in recent days that it is installing newer and faster centrifuges at its nuclear plants and intends to speed up the uranium enrichment process, according to the country's foreign ministry."

Trailrunner7 writes "Security researcher Charlie Miller, widely known for his work on Mac OS X and Apple's iOS, has discovered an interesting method that enables him to completely disable the batteries on Apple laptops, making them permanently unusable, and perform a number of other unintended actions. The method, which involves accessing and sending instructions to the chip housed on smart batteries, could also be used for more malicious purposes down the road. Miller discovered the default passwords set on the battery at the factory to change the battery into unsealed mode and developed a method that let him permanently brick the battery as well as read and modify the entire firmware. 'You can read all the firmware, make changes to the code, do whatever you want. And those code changes will survive a reinstall of the OS, so you could imagine writing malware that could hide on the chip on the battery. You'd need a vulnerability in the OS or something that the battery could then attack, though,' Miller said."

Trailrunner7 writes "As state-level censorship continues to grow in various countries around the globe in response to political dissent and social change, researchers have begun looking for news ways to help Web users get around these restrictions. Now, a group of university researchers has developed an experimental system called Telex that replaces the typical proxy architecture with a scheme that hides the fact that the users are even trying to communicate at all."

Trailrunner7 writes with this news from ThreatPost: "A targeted attack on a defense contractor in March of this year resulted in the theft of 24,000 files by an unknown attacker, according to Defense Department officials. The attack, which officials say was the work of a foreign government, would represent one of the more serious known attacks on the department and its contractors. In a speech Thursday in which he unveiled the Department of Defense Strategy for Operating in Cyberspace, William J. Lynn, deputy defense secretary, said that the attack was just one of thousands such intrusions that the government and its contractors suffer every year."

Trailrunner7 writes "In the face of continued attacks on federal agencies and contractors such as Booz Allen Hamilton and IRC Federal that do highly sensitive security work for the U.S. government, Sen. John McCain has asked Senate leaders to appoint a select committee to look into the attacks and data leaks that have plagued Washington throughout 2011. In a letter to Democrat leader Harry Reid and Senate minority leader Mitch McConnell, McCain (R-Ariz.) said that a temporary Senate committee is necessary in order to get a handle on all of the disparate cybersecurity legislation proposals and to address the threat posed by groups such as Anonymous, LulzSec and Wikileaks."

Trailrunner7 writes "The Android platform seems to have become the playground of choice for attackers and malware authors looking to make a quick buck. The latest example is a premium-rate SMS Trojan that not only automatically sends costly SMS messages, but also prevents users' carriers from notifying them of the new charges. The new piece of malware, which is known as HippoSMS, has been found in unofficial Android app markets in China. This is just the latest in a series of similar incidents in which attackers and scammers have inserted either outright malicious apps or seemingly benign apps containing malware into app markets. Most of the attacks have targeted Android users, and several times Google has had to remove malicious apps from the official Android market."

Trailrunner7 writes "The University of California at Los Angeles Health Services has agreed to pay a $865,000 fine and pledged to tweak their infrastructure after potentially violating the HIPAA regulation when several employees apparently accessed the health records of various celebrity patients at the hospital without valid justification. This is the third major HIPAA fine issued by the Department of Health and Human Services in 2011, following a fine of $4.3 million for Cignet and a penalty of $1 million for Massachusetts General Hospital."

chicksdaddy writes with this excerpt from Threat Post: "A 10 year employee of CME Group in Chicago is alleged to have stolen trade secrets and proprietary source code used to run trading systems for the Chicago Mercantile Exchange and passed them to officials in China, where he hoped to set up a software firm to help create electronic exchanges, according to a criminal complaint filed in U.S. District Court in Illinois. Chunlai Yang, 49, is alleged to have downloaded "thousands of files" containing "source code and proprietary algorithms" used by CME to run its trading systems. The files were downloaded from a company-owned source code repository maintained by CME to Yang's work computer, then copied them to removable "thumb" drives. The complaint also cites personal e-mail correspondence between Yang and an official in China that contained proprietary CME information."

Trailrunner7 writes "Pavel Vrublevsky, the head of a prominent Russian payment-processing company, ChronoPay, was arrested in Russia on suspicion of hiring someone to launch a denial-of-service attack against one of his company's main competitors. The arrest is the latest in a series of high-profile actions against people and groups around the world suspected of being involved in the global cybercrime ecosystem."

Trailrunner7 writes "The FBI has made a major dent in the huge scareware and rogue antivirus problem, arresting two people and seizing dozens of computers, servers and bank accounts as part of a large-scale coordinated operation in twelve countries. The operation, which involved authorities in the United States, Germany, France, Latvia, the UK and several other nations, was designed to disrupt the scareware ecosystem that has been preying on users' security fears in an effort to scam them out of millions of dollars in licensing fees for useless or outright malicious software."

Gunkerty Jeb writes "Spammers, it turns out, aren't like everyone else: they have fewer friends. 'Social Graphs for Online Service Security,' a study done by researchers Yinglian Xie and Fang Yu, uses studies of legitimate and malicious social network usage to spot bogus email accounts that are used to push spam, malware, and otherwise malicious links. The researchers are analyzing natural social connections between users on the Web that are difficult for attackers or botnets to replicate. Spotting a spammer isn't hard, they say, when you look at his or her patterns of communication."

arglebargle_xiv writes "In a sign that many eyes don't really make (security) bugs shallow, a thirteen-year-old password-hashing bug that affects (at least) PHP, some Linux distros (Owl, ALT Linux, SUSE), and a variety of other apps has just been patched. This problem had been present in widely-used code since 1998 without anyone noticing it." Better late than never; reader Trailrunner7 points to this article outlining the dangers of old exploits, given old code for them to toy with.

Trailrunner7 writes "For the third time in the last few months, Google has had to remove a slew of malware-infected apps from the Android Market and suspend some publishers. Ten Android apps in the Official Android Market are known to be infected, but many more could be victims of the Plankton Trojan. Researcher Xuxian Jiang claims that early variants of the Trojan have evaded detection for as long as two months."

Trailrunner7 writes "The team behind the Metasploit Project is launching its own version of a bug bounty program: cash payouts for working exploits. The group is hoping to get exploit code for as many of its top 30 vulnerabilities as possible before the program expires later this summer. The amount of money paid for a working exploit module for Metasploit depends on the value of the vulnerability. A module for one of the vulnerabilities in the top five list — which includes a flaw in Google Chrome and another in the Windows DNS client — is worth $500. Modules for vulnerabilities in the separate top 25 list are worth $100 each under the rules."

chicksdaddy writes with this excerpt from ThreatPost: "The media storm over the Stuxnet worm may have passed, but many of the software holes that were used by the worm remain unpatched and leave Siemens customers open to a wide range of potentially damaging cyber attacks, according to industrial control system expert Ralph Langner. Writing on his personal blog, Langner said that critical vulnerabilities remain in Windows-based management applications and software used to directly manage industrial controllers by Siemens Inc., whose products were targeted by the Stuxnet worm, Threatpost reports."

On Wednesday we discussed news of Google's accusation that sources originating in China were interfering with Gmail using malware and phishing techniques, targeting Chinese political activists, US government officials, military personnel, and others. In response to the accusations, a Chinese official denied government involvement in the attacks, while the US government indicated they would investigate the matter. The attacks were more sophisticated than a typical phishing attempt, they involved Yahoo and Hotmail as well, and they have likely been going on for months. Now, according to a CBS report, "The Chinese military accused the US on Friday of launching a global 'Internet war' to bring down Arab and other governments, redirecting the spotlight away from allegations of major online attacks on Western targets originating in China."

Trailrunner7 writes "Researchers have identified a second large batch of apps in the Android Market that have been infected with the DroidDream malware, estimating that upwards of 30,000 users have downloaded at least one of the more than 30 infected apps. Google has removed the apps from the market. There are at least 34 applications that researchers have found in the Android Market in the last few days that had a version of the DroidDream malware dropped into them. Once a user installs one of the infected applications, the malicious component, which researchers have dubbed DroidDream Light, will kick in once the user receives an incoming call. The malware then gathers some identifying information from the phone, including its IMEI number, IMSI number, packages installed and other data, and then sends it off to a pre-configured remote server."

Trailrunner7 writes "Remote timing attacks have been a problem for cryptosystems for more than 20 years. A new paper shows that such attacks are still practical ... The researchers, Billy Bob Brumley and Nicola Tuveri of Aalto University School of Science, focused their efforts on OpenSSL's implementation of the elliptic curve digital signature algorithm, and they were able to develop an attack that allowed them to steal the private key of an OpenSSL server."

Trailrunner7 writes with an article in threatpost "Apple is planning to release an update specifically designed to protect users against the MacDefender malware that has been circulating for the last couple of weeks. The update for Mac OS X will automatically find and remove the malware on an infected machine and also will warn users if another infection attempt is detected.

Gunkerty Jeb writes "A hacker is claiming that a security hole in a server at NASA's Goddard Space Flight Center has exposed data related to a satellite-based Earth observation system used to aid in disaster relief. The hacker, who uses the handle 'Tinkode,' has published a screen capture from what he claims is an FTP (File Transfer Protocol) server at NASA's Goddard Center. The hack comes exactly a month after the same hacker exposed a similar hole in a server operated by the European Space Agency."

Gunkerty Jeb writes "Barrett Brown, the reporter who became a media-friendly spokesperson for the shadowy hacking group Anonymous, says that he is quitting the group in the wake of a public feud that has broken out between different hacker factions within the loosely organized collective."

Trailrunner7 writes "A new version of the venerable Alureon malware has appeared, and this one includes some odd behavior designed to prevent analysis and detection by antimalware systems. However, this isn't the typical evasion algorithm, as it uses some unusual encryption and decryption routines to make life much more difficult for analysts and users whose machines have been infected. Alureon is a well-known and oft-researched malware family that has some rootkit-like capabilities in some of its variations. The newest version of the malware exhibits some behavior that researchers haven't seen before and which make it more problematic for antimalware software to detect it and for experts to break down its components."

Trailrunner7 writes "The US's Computer Emergency Response Team (CERT) issued a warning (PDF) to critical infrastructure firms on Wednesday about a serious security hole in products from Massachusetts firm Iconics that could leave critical systems vulnerable to remote attacks. US companies in the electricity, oil and gas, manufacturing and water treatment sectors have been warned about a flaw in an ActiveX control used in two products by Iconics. The software, Genesis32 and BizViz, are Human-Machine Interface (HMI) products that provide a graphical user interface to various types of industrial control systems. The software can control industrial systems used for a variety of purposes including manufacturing, building automation, oil and gas, water and waste water treatment, among other applications."

Trailrunner7 writes "The source code to the infamous Zeus crimeware kit, which has been sold on underground forums for years, has been leaked and is now available for anyone to see if they know where to look. Security researchers over the weekend noticed that files appearing to contain the source code for the Zeus crimeware kit were starting to pop up on various forums frequented by attackers and cyber-criminals. The Zeus exploit kit is perhaps the most well-known kit of its kind right now, and has been used by a variety of attackers for numerous malware campaigns and targeted attacks."

Trailrunner7 writes "Researchers at the French security firm VUPEN say they have discovered several new vulnerabilities in Google Chrome that enable them to bypass the browser's sandbox, as well as ASLR and DEP, and run arbitrary code on a vulnerable machine. The company said they are not going to disclose the details of the bugs right now, but they have shared information with some of their government customers. The vulnerabilities are present in the latest version of Chrome running on Windows 7, VUPEN said."

Trailrunner7 writes "The OpenID Foundation is warning users about a weakness in the software that could enable an attacker to change some of the data exchanged between parties that use OpenID. The group is telling sites that implement OpenID to update to a new version in order to fix the problem. The bug in OpenID lies in the system's Attribute Exchange, an extension that gives sites the ability to exchange identity information between endpoints. OpenID, an open source project that enables users to prove their identity to myriad sites without providing their passwords, is used by a slew of popular sites, including Google, Yahoo and Flickr."

Gunkerty Jeb writes "The threats and attacks may have changed in the last decade, but one thing has remained constant: software giant Microsoft doesn't pay for vulnerabilities. Never has. Never will. Even as rivals like Mozilla and Google have introduced bug bounty program, the Redmond giant has stuck doggedly with a position it articulated almost a decade ago, refusing to offer monetary rewards for information on software holes. But security experts say that position may have to change."

Trailrunner7 writes "LastPass, a popular Web based password management firm, advised its customers to change the password they use to access the service following what the company said are signs that its network may have been compromised."

Trailrunner7 writes "The upcoming release of Adobe Flash Player 10.3 will give users of most of the major browsers the ability to delete Flash cookies in much the same way that they're able to erase normal Web cookies, thanks to a better integration with privacy settings in Internet Explorer and Google Chrome. The addition of the ability for users to delete the cookies set by plug-ins and browser add-ons gives them better control of the security and privacy of the content on their machines and is designed to address a serious issue that's been plaguing Flash for some time. Security and privacy experts have warned about the implications of so-called Flash cookies, which are set by Flash and difficult for users to find and delete."

Trailrunner7 writes "Crimeware kits have become a ubiquitous part of the malware scene in the last few years, but they have mainly been confined to the Windows platform. Now, reports are surfacing that the first such kit targeting Apple's Mac OS X operating system has appeared. The kit is being compared to the Zeus kit, which has been one of the more popular and pervasive crimeware kits for several years now. A report by CSIS, a Danish security firm, said that the OS X kit uses a template that's quite similar to the Zeus construction and has the ability to steal forms from Firefox." Mac users are also being targeted by a new piece of scareware called MAC Defender.

Gunkerty Jeb writes "The official line in Washington D.C. is that there's a new Cold War brewing, with an ascendant China in the place of the old Soviet Union, and cyberspace as the new theater of war. But work done by an independent security researcher suggests that the Chinese government is woefully unprepared to fend off cyber attacks on its own infrastructure."

Trailrunner7 writes "The FBI is warning businesses about an ongoing spate of attacks that are stealing millions of dollars from companies through unauthorized bank transfers to Chinese companies. The fraudulent wire transfers are not a new tactic, but the FBI says the current round of attacks is notable in that virtually all of the transfers are going to shell companies based in China and have cost U.S. businesses $11 million. The FBI said that many of the cases it has seen involve well-known pieces of malware, such as Zeus, SpyEye and others. The amount of money the attackers try to transfer varies from $50,000 up to nearly $1 million."

Trailrunner7 writes "A pair of Apple customers has filed a lawsuit against the company, alleging that Apple is invading their privacy by collecting location data about iPhone and iPad users without their knowledge." and theodp noted that the iPhone tracking 'Bug' is actually patent pending... which makes it harder to buy the mistake argument. As if that's not enough fun, South Korea, Italy, Germany and other countries are all looking into it.

Trailrunner7 writes "A group of researchers has developed a new application that can hide sensitive data on a hard drive without encrypting it or leaving any obvious signs that the data is present. The new steganography system relies on the old principle of hiding valuables in plain sight. Developed by a group of academic researchers in the US and Pakistan, the system can be used to embed secret data in existing structures on a given HDD by taking advantage of the way file systems are designed and implemented. The software does this by breaking a file to be hidden into a number of fragments and placing the individual pieces in clusters scattered around the hard drive."

Trailrunner7 writes "Adobe is planning to patch the recently disclosed Flash Player vulnerability on Friday — just four days after it was disclosed — for users on Windows, Mac OS X and Linux. The vulnerability is being used in targeted attacks right now that use malicious Word documents. Adobe said it plans to push out the Flash Player patch for Google Chrome today, as part of the Chrome release channel, but Reader X users will have to wait till June for a fix."

Trailrunner7 writes "What might the criminals who broke into Epsilon do with the email lists they have? The easiest thing to do is to sell these data sets on the black market or, potentially, to competitors of victim firms. According to the latest data from data-breaches.net, totals are up to 57 customers including credit card providers with branded cards — Visa (notices sent for at least 3 cards), the World Financial Network National Bank (12 cards) and Citi (3 cards). The criminals may make some money there and re-invest it into technology or services for other efforts. Once an attacker has gained a foothold on one or more systems used by their mark, they can begin harvesting credentials. The frequency with which average consumers use the same username/password combination across multiple sites is such that such information could lead to accessing other potentially-existing accounts on high-profile social networks."

Trailrunner7 writes "An analysis of the popular free mobile application from online music service Pandora.com that is the subject of a grand jury investigation into loose data privacy practices in the mobile application market confirms that the application silently sends reams of sensitive data to advertisers. The analysis was conducted by application security firm Veracode and found that Pandora's free mobile application for Android phones tracked and submitted a range of data, including the user's gender, geographic location and the unique ID of their phone, according to an entry on Veracode's blog."

Trailrunner7 writes "The recent attack on Comodo and several of its associated registration authorities has spurred quite a bit of re-examination of the way that the Web's certificate authority infrastructure works--or doesn't. One interesting result of this work is that the folks at the Electronic Frontier Foundation have discovered that there are more than 37,000 legitimate certificates issued by CAs for unqualified names such as 'localhost,' or 'Exchange,' a practice that could simplify some forms of man-in-the-middle attacks. 'Although signing "localhost" is humorous, CAs create real risk when they sign other unqualified names. What if an attacker were able to receive a CA-signed certificate for names like "mail" or "webmail?"' Such an attacker would be able to perfectly forge the identity of your organization's webmail server in a "man-in-the-middle" attack!'"

Trailrunner7 writes "RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file."

Trailrunner7 writes "The panic that arose yesterday about Samsung allegedly shipping laptops that contained a pre-installed keylogger turns out to have been a complete mistake after further investigation by security researchers and the company itself. In fact, the controversy was the result of a false positive from one commercial antimalware suite and nothing else. Several outlets reported on Wednesday that Samsung laptops had been found to contain a keylogger known as StarLogger right out of the box from the factory. However, upon closer inspection by security companies, the folder on the laptops that supposedly contained the malware was actually a directory that is part of Windows' multi-language support."

Trailrunner7 writes "Officials at Comodo have acknowledged that an additional two registration authorities affiliated with the company have been compromised in the wake of the high-profile attack on the company that was disclosed last week. Addressing a list of concerns about Comodo's practices raised by customers and browser vendors in the wake of the attack, Alden said that the company is now in the process of rolling out a new two-factor authentication system for its RAs. Comodo also is installing other security measures as a result of the attack."

chicksdaddy writes "A Massachusetts restaurant chain was the first company fined under the state's toughest-in-the-nation data breach law, according to a statement by the Massachusetts Attorney General. The Briar Group, which owns a number of bars and restaurants in Boston, is charged with failing to protect patrons' personal information following an April, 2009 malware infestation. It was ordered to pay $110,000 in penalties and, essentially, get its *&@! together. Among the revelations from the settlement: Briar took six months to detect and remove the data stealing malware, continuing to take credit and debit cards from patrons even after learning of the data breach, said Massachusetts Attorney General Martha Coakley."

chicksdaddy writes "A Massachusetts restaurant chain was the first company fined under the state's toughest-in-the-nation data breach law, according to a statement by the Massachusetts Attorney General. The Briar Group, which owns a number of bars and restaurants in Boston, is charged with failing to protect patrons' personal information following an April, 2009 malware infestation. It was ordered to pay $110,000 in penalties and, essentially, get its *&@! together. Among the revelations from the settlement: Briar took six months to detect and remove the data stealing malware, continuing to take credit and debit cards from patrons even after learning of the data breach, said Massachusetts Attorney General Martha Coakley."

Trailrunner7 writes "In a talk at the USENIX LEET workshop Tuesday, Nick Mathewson of the Tor Project discussed the group's recent challenges in responding to suppression efforts by governments in Egypt, China and elsewhere. What the Tor members have learned in these recent incidents is that while governments are becoming more up front about their willingness to shut off Internet access altogether or censor content, users are also becoming more resourceful. Mathewson said that the group is working on methods for alleviating the problems that national-level restrictions cause for Tor users. One method involves moving to a modular transport method in order to get around some of the throttling that ISPs perform on encrypted traffic in order to make Tor usage more difficult. In a separate talk at LEET, Stevens LeBlond of INRIA in France presented research on methods for tracing Tor users back to their IP address. One of the attacks, which LeBlond and his co-authors titled 'Bad Apple,' used an exit node that the researchers controlled in order to trace the streams of data sent by users of BitTorrent over Tor back to their IP addresses."

Trailrunner7 writes "Just days after news emerged of the attack on a registration authority in Europe tied to Comodo that caused the revocation of a number of fraudulent certificates from the major browsers, Mozilla officials have admitted they made a mistake by not disclosing the details of the incident to its users earlier. 'In hindsight, while it was made in good faith, this was the wrong decision. We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects.'"