http://arstechnica.com/security/2015/01/those-teeth-gnashings-you-hear-are-flash-users-installing-a-new-0day-patch/ By Dan Goodin Ars Technica Jan 26 2015 Adobe Systems is once again rolling out an emergency Flash update that patches a critical vulnerability under active attack to compromise the computers of unsuspecting users. The latest Flash versions fix a remote code-execution bug that, as Ars reported last week, recently came under attack in the Angler exploit kit. Malware purveyors and other types of online crooks use such kits to seed compromised websites with attack code. Once people visit the sites with vulnerable computers, the booby-trapped pages surreptitiously exploit the vulnerabilities and install backdoors that can be used to log keystrokes, steal passwords, and install new pieces of malware at will. An advisory Adobe published late last week warned that the bug resides in versions running on Windows, Macs, and Linux systems. So far, reports suggest that in-the-wild exploits are limited only to Windows systems. The vulnerability stems from a so-called use-after-free bug that allows attackers to corrupt the memory of affected computers. Trend Micro has additional technical details here. “A critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player 220.127.116.117 and earlier versions for Windows and Macintosh,” the Adobe advisory stated. “Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.” […]
http://www.bankinfosecurity.com/shellshock-ddos-attacks-spike-a-7365 By Mathew J. Schwartz Bank Info Security September 29, 2014 Distributed-denial-of-service attacks that target the Bash flaws known as Shellshock have spiked in recent days. “We’re seeing north of 1.5 million #shellshock attacks across the @CloudFlare network daily,” says Matthew Prince, CEO of the content delivery network and DDoS defense firm CloudFlare. Prince says that count is determined by the company’s Web application firewall detecting attempted attacks that use the Shellshock flaw. Shellshock-targeting DDoS attacks and IRC bots were spotted less than 24 hours after news about the Bash bug went public last week. Since then, security software vendor Trend Micro says it’s also seen Shellshock-related IP address probes directed against unnamed institutions in Brazil, as well as at least one financial services firm in China. “Attackers were trying to see if several IPs owned by the institution were vulnerable to a Shellshock vulnerability, specifically CVE-2014-6271. Further analysis revealed that three of the tested IPs were possibly vulnerable, as the attackers tried to use the command … ‘uname’ [to display] system information, including the OS platform, the machine type, and the processor information.” To date, however, the security software vendor hasn’t seen the exploit being used to deliver malware payloads. “At first glance, retrieving system information might seem harmless,” Trend Micro says. But this reconnaissance “could possibly be a sign of preparation for … more damaging attacks.” […]
http://www.bloomberg.com/news/2014-09-05/jpmorgan-had-exodus-of-tech-talent-before-hacker-breach.html By Hugh Son and Michael Riley Bloomberg.com Sep 5, 2014 As hackers pierced JPMorgan Chase & Co.’s (JPM) defenses in June, the bank’s cybersecurity chief was just getting acquainted with his employer and its sprawling technology infrastructure. Greg Rattray, a former U.S. Air Force commander for information warfare, became JPMorgan’s head of information security that month after upheaval at the highest levels of the bank’s tech division. His predecessor, Anthony Belfiore, had resigned early this year to join at least five JPMorgan leaders at First Data Corp. In between, Anish Bhimani was acting security officer while holding at least one other tech role. “It sucks that this happened at the beginning of Greg’s watch, but this is a legacy issue,” said Tom Kellermann, chief cybersecurity officer at anti-virus software firm Trend Micro Inc. “They had an acting person who was juggling way too much, with no one fully dedicated to the role for a bit of time.” JPMorgan, led by Chief Executive Officer Jamie Dimon, 58, has rushed to determine the scope of the assault and restore confidence in security at the biggest U.S. lender. While hackers targeted other banks’ systems, JPMorgan is the only bank said to have had gigabytes of data stolen, including information on customer accounts. […]
http://www.bankinfosecurity.com/treasurys-new-focus-on-cyber-risks-a-7068 By Tracy Kitten Bank Info Security July 17, 2014 Treasury Secretary Jacob Lew this week took the precedent-setting step of publicly addressing what he referred to as the financial system’s cybersecurity shortcomings. Lew’s comments were noteworthy because they apparently mark the first time a member of the Treasury Department has directly addressed cyber-risks. Lew’s remarks about the need for banking institutions, retailers and all other parties involved in financial services to make cybersecurity, and cyberthreat information sharing, a top priority could signal a policy shift for the Treasury, says Tom Kellermann, chief cybersecurity officer at Trend Micro. “This is the first time a Secretary of Treasury has made such a declaration,” Kellermann says. “The regulators and bank examiners will now become much more proactive in their roles.” Point-of-sale attacks against major retailers, including Target Corp., Neiman Marcus and retail crafts store chain Michaels, illustrate why cyberthreat information sharing is needed to adequately protect the country’s critical infrastructure, Lew noted during the Delivering Alpha conference hosted July 17 by cable news station CNBC and global financial magazine Institutional Investor. […]
Forwarded from: security curmudgeon
http://www.techweekeurope.co.uk/news/microsoft-word-vulnerability-used-target-taiwanese-government-145370 By Thomas Brewster Tech Week Europe May 13, 2014 A vulnerability in Microsoft Word has been used to target a range of Taiwanese government bodies and an educational institute, a security company has warned. Whilst a patch was released by Microsoft in its April Patch Tuesday release, attackers continue to use the flaw in the knowledge that organisations would have failed to update their systems. The first attack spotted by researchers at Trend Micro used an email with a malicious attachment, claiming to have been sent by a government employee offering information on a national poll. The second used similar tactics, but focused on free trade issues, with an attachment containing a title about a work project. Both dropped malware onto the targets’ systems, which was capable of stealing files and persistent surveillance. The attacks have been tied to a campaign known as Taidoor, which has used zero-day flaws in Internet Explorer to hit high-profile targets in the past. […]
http://www.eurekalert.org/pub_releases/2013-12/pm-fcs121613.php Contact: Annie Touchette annie.touchette/at/polymtl.ca 514-231-8133 Polytechnique Montréal Montreal, December 16, 2013 – Installing computer security software, updating applications regularly and making sure not to open emails from unknown senders are just a few examples of ways to reduce the risk of infection by malicious software, or “malware”. However, even the most security-conscious users are open to attack through unknown vulnerabilities, and even the best security mechanisms can be circumvented as a result of poor user choices. “The reality is that successful malware attacks depend on both technological and human factors,” says Professor José Fernandez. “Although there has been significant research on the technical aspects, there has been much less on human behaviour and how it affects malware and defence measures. As a result, no one at the present time can really say how important these factors are. For example, are users who are older and less computer-savvy more open to infection?” It is therefore necessary to take a closer look at the impact that both technological and human factors have on the success or failure of protective mechanisms. To answer this type of question, Prof. Fernandez and his team drew inspiration from the clinical trial method to design the first-ever study applied to computer security. In a fashion similar to medical studies that evaluate the effectiveness of a particular treatment, their experiment was aimed at assessing the performance of anti-virus software and the likelihood that participants’ computers would become infected with malware. The four-month study involved 50 subjects who agreed to use laptops that were instrumented to monitor possible infections and gather data on user behaviour. 
“Analyzing the data allowed us not only to identify which users were most at risk, based on their characteristics and behaviour, but also to measure the effectiveness of various protective measures,” says Polytechnique student Fanny Lalonde Lévesque, who is writing her master’s thesis on this project. This pilot study provided some very interesting results on the effectiveness of computer defences and the risk factors for infection. For example, 38% of the users’ computers were exposed to malware and 20% were infected, despite the fact that they were all protected by the same anti-virus product, which was updated regularly. With regard to the users themselves, there did not seem to be any significant difference in exposure rates between men and women. In addition, the most technically sophisticated users turned out to be the group most at risk… This result may seem counter-intuitive, as it contradicts the opinion of some computer experts who argue that people should have a kind of “Internet license” before going online. “The results of this study provide some intriguing insights. Are these ‘expert’ users at higher risk because of a false sense of security, or because they are naturally curious and therefore more risk-tolerant? Further research is needed to understand the causes of this phenomenon, so that we can better educate and raise awareness among users,” says Professor Fernandez. In the future, this type of study will help provide scientific data to support decision-making on security management, education, regulation and even computer security insurance. A second phase, which will involve hundreds of users over a period of several months, is already being prepared. The initial results of this experiment were presented at the ACM Conference on Computer and Communications Security (CCS), which took place in November 2013 in Berlin, Germany.
This research was carried out with the financial support of the Natural Sciences and Engineering Research Council of Canada Internetworked Systems Security Network (NSERC ISSNet), Trend Micro and MITACS.
http://www.darkreading.com/attacks-breaches/researchers-highlight-security-vulnerabi/240162568 By Brian Prince Dark Reading October 11, 2013 When it works normally, the Automatic Identification System (AIS) used by ships can be a captain’s best friend, helping him or her avoid collisions on the high seas. Under the control of a hacker however, AIS could become a captain’s worst enemy. At the upcoming Hack in the Box Security Conference in Malaysia, a team of security researchers are preparing to demonstrate how an attacker could hijack AIS traffic and perform man-in-the-middle attacks that enable them to turn the tracking system into a liability. AIS is an automatic tracking system intended to help identify and locate vessels electronically to help avoid collisions on the water. AIS transponders on the ships include a GPS receiver and VHF transmitter, which transmits information to other vessels or base stations. AIS is required on many vessels, including international voyage ships weighing 300 tons or more and all passenger ships regardless of size. Trend Micro’s Kyle Wilhoit, one of the researchers who worked on the project, says the attacks can be broken up into two categories: those that target the AIS Internet providers that collect and distribute AIS information, and those that target flaws in the actual specification of the AIS protocol used by hardware receivers in all of the vessels. Without getting too deep into the vulnerabilities ahead of the presentation, which is slated for Oct. 16, Wilhoit explains that the upstream providers fail to authenticate AIS sentences coming from ships. […]