Ad-Block, and Why You Should Too...
via the eponymous Darren Pauli, comes this tell-all of poisoned Google Inc. (NasdaqGS: GOOG) and Yahoo! (NasdaqGS: YHOO) advertising.
via DarkMatters at Norse Corporation, and written by Anthony Freed, comes this troubling post detailing the true scope of Industrial Control Systems (ICS) security fails in the previous twelve-month period... Astounding.
"Of the reported attacks, 32% targeted the Energy Sector, with attacks against Critical Manufacturing systems following up at a close second place at 27%, Healthcare with 6%, Water supply systems and Communications each with 6%, and Government Facilities at just over 5%." - via DarkMatters writer Anthony Freed
via Trend Micro's TrendLabs Threat Response Engineer Anthony Joe Melgarejo, cryptographic-extortion-enabled ransomware appears to be enlarging its genre attack footprint, based on first quarter 2015 statistics. Read the bad news here.
"They exposed weaknesses in the armor, illustrating that "we as scientists and engineers think we have a great solution and ha-ha moments, thinking Soldiers will love this" new piece of gear. Then the Red Team would show up and show all the weaknesses, she said, so "we started solving those problems." From that point on, anything deployed to small forward operating outposts of 300 people or less gets a Red Team going over from "the construct of the operational perspective, technology perspective, and how we could integrate it in such a way not to create inherent vulnerabilities. It's been very effective." - via David Vergun writing at the United States Army
News, via Ars Technica's inimitable Dan Goodin, detailing the FireEye discovery of remnant iOS application FREAK HTTPS vulnerabilities, regardless of host device patching.
'Security researchers from FireEye recently examined the most popular apps on Google Play and the Apple App Store and found 1,999 titles that left users wide open to the encryption downgrade attack. Specifically, 1,228 Android apps with one million or more downloads were vulnerable, while 771 out of the top 14,079 iOS apps were susceptible. Vulnerable apps were those that used—or in the case of iOS, could use—an affected crypto library and connected to servers that offered weak, 512-bit encryption keys. The number of vulnerable apps would no doubt mushroom when analyzing slightly less popular titles.' - via Ars Technica's Dan Goodin
News, via iMore's Rene Ritchie, of the latest attack vector on iOS - monikered FREAK (aka "Factoring RSA Export Keys"). Plans to rub it out early next week, in the midst of Apple Inc.'s (NasdaqGS: AAPL) latest iOS update process, have been published. Better late than never, eh?
Thanks for Nothin’ Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Going dark in 2014, the Equation Group's malware command and control servers have reportedly been migrated onto United States soil... This, after a nefariously successful run targeting thousands of victims in at least 40 countries. Focusing on vertical industry segments such as the medical, telecom and aerospace sectors, including diplomatic missions, research institutions, military and governments, the Equation Group's malware is apparently fostering speculation as to connections between and betwixt US agencies.
"In an exhaustive report published Monday at the Kaspersky Security Analyst Summit here, researchers stopped short of saying Equation Group was the handiwork of the NSA—but they provided detailed evidence that strongly implicates the US spy agency." - via ArsTechnica's Dan Goodin
In a typically fascinating post, over at TrendLabs, written by Lambert Sun, Brooks Hong (Mobile Threat Analysts) and Feike Hacquebord (Senior Threat Researcher), we learn of a recently discovered iOS espionage tool. Ladies and Gentlemen, Girls and Boys, behold, the money quote:
"We found two malicious iOS applications in Operation Pawn Storm. One is called XAgent (detected as IOS_XAGENT.A) and the other one uses the name of a legitimate iOS game, MadCap (detected as IOS_XAGENT.B). After analysis, we concluded that both are applications related to SEDNIT. The obvious goal of the SEDNIT-related spyware is to steal personal data, record audio, make screenshots, and send them to a remote command-and-control (C&C) server. As of this publishing, the C&C server contacted by the iOS malware is live." - via TrendMicro's TrendLabs blog authors Lambert Sun, Brooks Hong and Feike Hacquebord.
News, of vulnerabilities discovered within the Bayerische Motoren Werke AG (XETRA: BMW AG) Connected Drive system, now in many BMW cars and SUVs. Specifics revolve around the capability for remote unlock, and the hack thereof.
In an outstanding video piece, the Gentlemen of Securosis contemplate the apparent second childhood of Google, Inc. (NasdaqGS: GOOG) and Microsoft Corporation (NasdaqGS: MSFT).
via Rapid7's HD Moore, comes news of the latest flaw in the Internet of Things realm, this time, focusing on the fueling infrastructure worldwide. Specifically, the gauges that meter and permit the dispensing of liquid and gaseous matériel... Evidently, these automated tank gauges (monikered ATGs) not only possess IP connectivity, but they also have tremendously flawed software componentry to boot. What Could Possibly Go Wrong.
What, really? Apparently, GoDaddy security has failed to measure up, yet again. via Swati Khandelwal writing at HackerNews, comes the sorry tale of failed code (in the form of XSRF vulnerabilities), obvious failed quality control, and on top of all of that, no security checks pre-deployment. Astounding.
Evidence, via George I. Seffers, of indications that the United States Department of Defense has awoken to the realization that, with nearly ubiquitous connectivity, come potentially lethal levels of vulnerability, leading to in extremis scenarios.
Physical Access Not Required
More interesting security slap and tickle at the Chaos Computer Club confab in Germany... This time, apparently, the lack of physical access was not an impediment in the second well-publicized defeat of Apple Inc.'s [NasdaqGS: AAPL] TouchID. Jan Krissler, holding forth at the conference, has detailed the steps taken to overcome the vaunted security of TouchID via a presentation entitled 'Gefahren von Kameras für (biometrische) Authentifizierungsverfahren [31c3]'.
'Krissler said he used commercially available software called VeriFinger to pull off the feat. The main source was a close-up picture of von der Leyen’s thumb, obtained during a news conference in October, along with photographs taken from different angles to get an image of the complete fingerprint.' - via Emil Protalinski writing at VentureBeat
Everything you would want to know about the naming of malware, via Violet Blue for Zero Day. Enjoy.
In not-unsurprising cruft news, additional vulnerability-laden Unix and Unix-like (read: Linux) utilities have been detected, requiring updates. The list, enumerated by HD Moore, the CTO of Rapid7 (and of Metasploit fame), includes wget, tnftp, symlink issues and others. Questions have arisen as to why these utilities have not been scrutinized earlier...
'“wget versions prior to 1.16 are vulnerable to a symlink attack (CVE-2014-4877) when running in recursive mode with a FTP target,” said HD Moore, the chief research officer at Rapid7 who found the vulnerability, in a blog post Tuesday...' - via PCWorld's Lucian Constantin
Not to be outdone by the well-reported Bourne Again Shell vulnerability of two weeks past, now, via Robert Lemos writing at Ars Technica, comes this sordid tale of poor punctuation coupled with input validation issues, in which the vulnerability at hand opens up a logical path within the Microsoft Corporation (NasdaqGS: MSFT) Windows in-built shell, where all the badness is vectored...