Tag Archives: vulnerabilities

[ISN] NASA, Dept of Defense, Commerce etc probed over use of backdoored Juniper kit

www.theregister.co.uk/2016/01/26/juniper_us_government/ By Chris Williams The Register 26 Jan 2016 A bunch of US government departments and agencies – from the military to NASA – are being grilled over their use of backdoored Juniper firewalls. The House of Representatives’ Committee on Oversight and Government Reform fired off letters to top officials over the weekend, demanding to know if any of the dodgy NetScreen devices were used in federal systems. Juniper’s ScreenOS software – the firmware that powers in its firewalls – was tampered with by mystery hackers a few years ago to introduce two vulnerabilities: one was an administrator-level backdoor accessible via Telnet or SSH using a hardcoded password, and the other allowed eavesdroppers to decrypt intercepted VPN traffic. The flaws, which were smuggled into the source code of the firmware, were discovered on December 17 by Juniper, and patches were issued three days later to correct the faults. The backdoor (CVE-2015-7755) affects ScreenOS versions 6.3.0r17 through 6.3.0r20, and the weak VPN encryption (CVE-2015-7756) affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. […]




Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] 6 critical updates for January Patch Tuesday

www.computerworld.com/article/3022060/security/6-critical-updates-for-january-patch-tuesday.html By Greg Lambert Computerworld Jan 13, 2016 Microsoft has started the year with a truly unusual Patch Tuesday. There are nine updates for January, with six rated as critical and the remaining three rated as important (the reverse of the usual distribution in terms of severity). January has a couple of additional surprises. First, it looks like MS16-009 did not make this Patch Tuesday release at all and may only surface later this month. Secondly, we see what has been rated as an important update with MS16-008 may contain the most severe vulnerability and the most risky patch contents. Thanks to Shavlik this month for their very helpful summary infographic detailing this January Patch Tuesday. MS16-001 — Critical The first update rated as critical for the year 2016 is MS16-001, an update for Microsoft Internet Explorer that attempts to resolve two reported vulnerabilities, that at worst could lead to a remote code execution scenario. This update affects all supported versions of Windows and will require a system restart due to the complete re-release of all IE related executables and supporting libraries. Microsoft has offered some advice on how to mitigate the risk of this particular vulnerability. However, this advice requires changing the ownership (and subsequent security settings) of one of IE’s core system libraries (VBScript.dll) which in practice is usually difficult to do and almost impossible to manage in an enterprise scenario. This is a “Patch Now” Microsoft update. MS16-002 — Critical The next critical update for this January Patch Tuesday is MS16-002 which attempts to resolve two reported vulnerabilities in Microsoft’s latest browser


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Hacking Team’s Leak Helped Researchers Hunt Down a Zero-Day

www.wired.com/2016/01/hacking-team-leak-helps-kaspersky-researchers-find-zero-day-exploit/ By Kim Zetter Security Wired.com 01/13/16 ZERO-DAY EXPLOITS ARE a hacker’s best friend. They attack vulnerabilities in software that are unknown to the software maker and are therefore unpatched. Criminal hackers and intelligence agencies use zero day exploits to open a stealth door into your system, and because antivirus companies also don’t know about them, the exploits can remain undetected for years before they’re discovered. Until now, they’ve usually been uncovered only by chance. But researchers at Kaspersky Lab have, for the first time, discovered a valuable zero-day exploit after intentionally going on the hunt for it. And they did so by using only the faintest of clues to find it. The malware they found is a remote-code execution exploit that attacks a vulnerability in Microsoft’s widely used Silverlight software—a browser plug-in Netflix and other providers use to deliver streaming content to users. It’s also used in SCADA and other industrial control systems that are installed in critical infrastructure and industrial facilities. The vulnerability, which Microsoft called “critical” in a patch released to customers on Tuesday, would allow an attacker to infect your system after getting you to visit a malicious website where the exploit resides—usually through a phishing email that tricks you into clicking on a malicious link. The attack works with all of the top browsers except Chrome—but only because Google removed support for the Silverlight plug-in in its Chrome browser in 2014. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] [CFP] Speak About Your Cyberwar at PHDays VI

Forwarded fFrom: Alexander Lashkov Positive Hack Days VI, the international forum on practical information security, opens Call for Papers. Our international program committee consisting of very competent and experienced experts will consider every application, whether from a novice or a recognized expert in information security, and select the best proposals. Now, more than ever before, cybersecurity specialists are being asked to stop sitting on the fence and choose a side — competitive intelligence vs DLP systems; security system developers vs targeted cyberattacks; cryptographers vs reverse engineers; hackers vs security operations centers. A new concept of PHDays VI is designed to show what the current vibe is in information security. We want researchers to speak about the real dangerous threats and possible consequences. We also expect developers and integrators to give real answers to these threats rather than to talk about empowering security technologies. Come and share your experience at PHDays VI in Moscow, May 17 and 18, 2016. Your topic can revolve around any modern infosec field: new targeted attacks against SCADA, new threats to medical equipment, vulnerabilities of online government services, unusual techniques to protect mobile apps, antisocial engineering in social networks, or what psychological constitution SOC experts have. In addition, this year, we are planning to discuss IS software design, development tools, and SSDL principles. Our key criteria is that your research should be unique and offer a fresh perspective on hacking, modern information technologies, and the role they play in our lives. If you have something interesting or surprising to share, but none of the formats are suitable for your participation, please apply anyway and be sure we will consider your work. The first stage of CFP ends on January 31, 2016. Apply now — the number of final reports is limited. In 2015, the forum brought together 3,500 participants. In 2016, it is expected to see 4,000 attendees: information security leaders, CIO and CISO of the world’s largest companies, top managers of giant banks, industrial and oil and gas producing enterprises, telecoms, and IT vendors, representatives from different government departments. Positive Hack Days featured a variety of distinguished participants including Bruce Schneier (the legendary cryptography expert), Whitfield Diffie (one of the inventors of asymmetric cryptography), Mohd Noor Amin (IMPACT, UN), Natalya Kasperskaya (CEO of InfoWatch), Travis Goodspeed (a reverse engineer and wireless enthusiast from the U.S.), Tao Wan (the founder of China Eagle Union), Nick Galbreath (Vice-President of IPONWEB), Mushtaq Ahmed (Emirates Airline), Marc Heuse (the developer of Hydra, Amap, and THC-IPV6), Karsten Nohl (a specialist in GSM engineering), Donato Ferrante and Luigi Auriemma (famous SCADA experts from Italy), and Alexander Peslyak (the creator of the password cracking tool John the Ripper). Find any details about the format, participation rules, and CFP instructions on the PHDays website: www.phdays.com/call_for_papers/


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] “Unauthorized code” in Juniper firewalls decrypts encrypted VPN traffic

arstechnica.com/security/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/ By Dan Goodin Ars Technica Dec 17, 2015 An operating system used to manage firewalls sold by Juniper Networks contains unauthorized code that surreptitiously decrypts traffic sent through virtual private networks, officials from the company warned Thursday. It’s not clear how the code got there or how long it has been there. An advisory published by the company said that NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected and require immediate patching. Release notes published by Juniper suggest the earliest vulnerable versions date back to at least 2012 and possibly earlier. There’s no evidence right now that the backdoor was put in other Juniper OSes or devices. “During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections,” Juniper Chief Information officer Bob Worrall wrote. “Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.” A separate advisory from Juniper says there are two separate vulnerabilities, but stops short of describing either as “unauthorized code.” The first flaw allows unauthorized remote administrative access to an affected device over SSH or telnet. Exploits can lead to complete compromise. “The second issue may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic,” the advisory said. “It is independent of the first issue. There is no way to detect that this vulnerability was exploited.” […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] US Homeland Security wants heavy-duty IoT protection

www.networkworld.com/article/3014438/security/us-homeland-security-wants-heavy-duty-iot-protection.html By Michael Cooney LAYER 8 Network World Dec 11, 2015 The diversity and capabilities as well as a lack of security found in the multitude of devices in the Internet of Things world is making people at the US Department of Homeland Security more than a little concerned. This week it put out a call for “novel ideas and technologies to improve situational awareness and security measures for protecting IoT domains, as well as technologies that will help DHS operational and support components gain comprehensive and near continuous knowledge of IoT components and systems that affect their operations and assets.” By using the Internet and its various connection mediums (e.g., Bluetooth, Wi-Fi, serial interface, wireless), any IoT system can be connected to any other device on the Internet. This level of connectivity opens tremendous opportunities for the capabilities of IoT-based systems, but also allows every node, device, data source, communication link, controller and data repository attached to IoT to serve as a security threat and be exposed to security threats. Therefore, any IoT system’s security is limited to the security level of its least secure component, the DHS stated. IoT security efforts are further complicated by IoT’s convergence of physical components and the virtual information flows and connections of IoT. Therefore, DHS stated, in addition to the typical vulnerabilities of IT systems, IoT enabled systems create additional security concerns because IoT domains are:autonomous and control other autonomous systems; highly mobile and/or widely distributed; and are vulnerable to physical and virtual threats. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Apple fixes 49 security bugs in iOS 9.1; kills jailbreak

www.zdnet.com/article/apple-fixes-security-bugs-in-ios-9-1-kills-jailbreak/ By Zack Whittaker Zero Day ZDNet.com October 21, 2015 Apple has fixed 49 separate security vulnerabilities in iOS 9.1. The company, which released the software on Wednesday for iPhones and iPads, detailed the flaws in its updated security documentation. Two of the fixes were credited to PanguTeam, a well-known jailbreak team based out of China, which earlier this month released the first jailbreak tool for devices running iOS 9. Jailbreaking (similar to “rooting” for Android phones) allows a user to gain access to more features on a iPhone or iPad, but it comes with additional security risks. It’s not illegal but it will void a user’s warranty. Apple said a heap based buffer overflow issue could allow a malicious app “to elevate privileges,” similar to how jailbreaking works.Another flaw allows a malicious app to exploit a memory corruption issue to “execute arbitrary code with kernel privileges,” which Apple said it fixed this flaw with improved memory handling. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] When Security Experts Gather to Talk Consensus, Chaos Ensues

http://www.wired.com/2015/10/security-experts-gather-talk-consensus-chaos-ensues/ By Kim Zetter Security Wired.com 10.01.15 SECURITY RESEARCHERS AND vendors have long been locked in a debate over how to disclose security vulnerabilities, and there’s little on which the two sides agree. Apparently this extends even to the question of whether they should meet to hash out their disagreements. That’s the conclusion after a coalition of security vendors, academics, lawyers, and researchers gathered at UC Berkeley on Tuesday to discuss how to improve the sometimes-hostile system for reporting software vulnerabilities. But the diverse group of participants had a hard time even agreeing on the purpose of the meeting: Was it to draft a charter for best practices in reporting software vulnerabilities? Was it to reform parts of the Digital Millennium Copyright Act and Computer Fraud and Abuse Act to make them less hostile to researchers? Or was it to develop guidelines for companies interested in launching bug bounty programs? The participants hit another sticking point when they tried to determine if they should hold a second meeting. “I spent $2,000 [to come to this meeting],” Dave Aitel, CEO and founder of the Florida-based security firm Immunity, told attendees. Whether or not there’s a second meeting, “should at least be an option” for discussion. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail