Submission Summary: 0 pending, 1004 declined, 417 accepted (1421 total, 29.35% accepted)

Submission + - OpenPGP Keyserver Attack Ongoing

Trailrunner7 writes: There’s an interesting and troubling attack happening to some people involved in the OpenPGP community that makes their certificates unusable and can essentially break the OpenPGP implementation of anyone who tries to import one of the certificates.

The attack is quite simple and doesn’t exploit any technical vulnerabilities in the OpenPGP software, but instead takes advantage of one of the inherent properties of the keyserver network that’s used to distribute certificates. Keyservers are designed to allow people to discover the public certificates of other people with whom they want to communicate over a secure channel. One of the properties of the network is that anyone who has looked at a certificate and verified that it belongs to another specific person can add a signature, or attestation, to the certificate. That signature basically serves as the public stamp of approval from one user to another.

Last week, two people involved in the OpenPGP community discovered that their public certificates had been spammed with tens of thousands of signatures--one has nearly 150,000--in an apparent effort to render them useless. The attack targeted Robert J. Hansen and Daniel Kahn Gillmor, but the root problem may end up affecting many other people, too.

Matthew Green, a cryptographer and associate professor at Johns Hopkins University, said that the attack points out some of the weaknesses in the entire OpenPGP infrastructure.

"PGP is old and kind of falling apart. There's not enough people maintaining it and it's full of legacy code. There are some people doing the lord's work in keeping it up, but it's not enough," Green said. "Think about like an old hospital that's crumbling and all of the doctors have left but there's still some people keeping the emergency room open and helping patients. At some point you have to ask whether it's better just to let it close and let something better come along.

"I think PGP is preventing the development of better stuff and the person who did this is clearly demonstrating this problem."
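
The flooding described above is visible in the certificate itself: the signatures sit as packets after the user ID they certify, so a client can count them before importing. The following is an added example, not code from the original submission or from any OpenPGP project; it frames packets per RFC 4880 (old- and new-format headers, including partial body lengths) but does not parse signature contents, so self-signatures are counted together with third-party certifications, and the sample certificate it builds is constructed from placeholder bodies rather than real key material. The threshold of 1,000 signatures per user ID is an assumption chosen for the demo.

```python
"""Count signature packets per user ID in a binary OpenPGP certificate.

Framing follows RFC 4880 section 4.2. Signature bodies are not parsed, so
self-signatures and third-party certifications are counted together; the
goal is only to spot a flooded certificate before handing it to a client.
"""

TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13
TAG_PUBLIC_SUBKEY = 14


def _new_format_length(data, pos):
    """Decode a new-format length; returns (length, next_pos, is_partial)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True  # partial body length


def _take(data, pos, length):
    if pos + length > len(data):
        raise ValueError("truncated packet at offset %d" % pos)
    return data[pos:pos + length], pos + length


def parse_packets(data):
    """Split a binary (not ASCII-armored) OpenPGP message into (tag, body) pairs."""
    packets = []
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        pos += 1
        if ctb & 0x40:  # new format: tag in the low six bits
            tag = ctb & 0x3F
            body = b""
            while True:
                length, pos, partial = _new_format_length(data, pos)
                chunk, pos = _take(data, pos, length)
                body += chunk
                if not partial:
                    break
        else:  # old format: tag in bits 5..2, length type in bits 1..0
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length packet not supported")
            raw, pos = _take(data, pos, (1, 2, 4)[ltype])
            body, pos = _take(data, pos, int.from_bytes(raw, "big"))
        packets.append((tag, bytes(body)))
    return packets


def signatures_per_user_id(data):
    """Map each user ID to the number of signature packets that follow it."""
    counts = {}
    current = None
    for tag, body in parse_packets(data):
        if tag == TAG_USER_ID:
            current = body.decode("utf-8", "replace")
            counts.setdefault(current, 0)
        elif tag == TAG_SIGNATURE and current is not None:
            counts[current] += 1
        elif tag == TAG_PUBLIC_SUBKEY:
            current = None  # subkey binding signatures are not certifications
    return counts


def is_flooded(data, max_sigs_per_uid=1000):
    """True if any user ID carries more signatures than the assumed threshold."""
    return any(n > max_sigs_per_uid for n in signatures_per_user_id(data).values())


def encode_packet(tag, body):
    """Build a new-format packet (used here only to construct sample input)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def build_sample_certificate(third_party_sigs):
    """Constructed certificate with placeholder bodies, not real key material."""
    cert = encode_packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 16)
    cert += encode_packet(TAG_USER_ID, b"Alice <alice@example.org>")
    cert += encode_packet(TAG_SIGNATURE, b"\x04\x13" + b"\x00" * 32)  # stands in for the self-certification
    for i in range(third_party_sigs):  # 300-byte bodies exercise the two-octet length form
        cert += encode_packet(TAG_SIGNATURE, b"\x04\x10" + i.to_bytes(4, "big") + b"\x00" * 300)
    cert += encode_packet(TAG_PUBLIC_SUBKEY, b"\x04" + b"\x00" * 16)
    cert += encode_packet(TAG_SIGNATURE, b"\x04\x18" + b"\x00" * 32)  # stands in for the subkey binding
    return cert


if __name__ == "__main__":
    for n in (5, 1500):
        cert = build_sample_certificate(n)
        print(n, signatures_per_user_id(cert), "FLOODED" if is_flooded(cert) else "ok")
```

A count like this is a coarse gate, not a cleaner: it tells a client to stop before parsing 150,000 signatures, which is the behaviour the attack exploits. GnuPG 2.2.17 and later filter more precisely with the `self-sigs-only` import option, which drops every certification not made by the key itself.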

Submission + - Docker Bug Allows Root Access to Host Filesystem

Trailrunner7 writes: All of the current versions of Docker have a vulnerability that can allow an attacker to get read-write access to any path on the host server. The weakness is the result of a race condition in the Docker software and while there’s a fix in the works, it has not yet been integrated.

The bug is the result of the way that the Docker software handles some symbolic links, which are files that have paths to other directories or files. Researcher Aleksa Sarai discovered that in some situations, an attacker can insert his own symlink into a path during a short time window between the time that the path has been resolved and the time it is operated on. This is a variant of the time of check to time of use (TOCTOU) problem, specifically with the “docker cp” command, which copies files to and from containers.

“The most likely case for this particular vector would be a managed cloud which let you (for instance) copy configuration files into a running container or read files from within the container (through "docker cp"),” Sarai said via email.

“However it should be noted that while this vulnerability only has exploit code for "docker cp", that's because it's the most obvious endpoint for me to exploit. There is a more fundamental issue here — it's simply not safe to take a path, expand all the symlinks within it, and assume that path is safe to use.”

Submission + - Senator Introduces Do Not Track Bill to Give Consumers Control

Trailrunner7 writes: There’s yet another effort underway in Washington to establish an enforceable Do Not Track system that would provide a one-click mechanism for people to opt out of persistent web tracking by advertisers and social media platforms.

The latest push comes in the form of the Do Not Track Act, a bill unveiled this week by Sen. Josh Hawley (R-Mo.) that emulates the structure of the Do Not Call registry. It would establish a method for consumers to send a signal to online companies that would block them from collecting any information past what is necessary to deliver their services. The bill also would stop companies from building profiles of the people who activate the DNT mechanism or discriminating against them if they use the option.

Hawley’s bill makes the Federal Trade Commission the enforcement authority for the system and any person who violates the measure would be liable for penalties of $50 per user affected by a violation for every day that the violation is ongoing.

Submission + - DNS Hijacking Campaign Targets Intel, Military Organizations

Trailrunner7 writes: A highly capable and resourceful attack team has been targeting national security organizations, telecommunications providers, ISPs, and energy companies in the Middle East and Africa via a DNS-hijacking campaign that stretches back to at least January 2017. The group uses a variety of techniques to manipulate the DNS system and is responsible for the only known DNS registry compromise, as well as a number of other successful intrusions.

The attackers behind this campaign, known as Sea Turtle, have compromised more than 40 separate organizations over the course of the last two years and have shown the ability to use several different tactics to accomplish their goals, including exploiting known vulnerabilities in web applications, routers and switches, stealing SSL certificates to set up man-in-the-middle servers, and spoofing VPN apps to steal credentials. Researchers from the Cisco Talos Intelligence Group have been tracking the attackers and said in a new report the group is distinct from the team behind previous DNS-hijacking operations such as DNSpionage and likely has backing from a nation state.

Submission + - Twitter CEO Says Biometrics May Defeat Bots

Trailrunner7 writes: Twitter, like a lot of platforms and services, is facing something of an identity crisis. Not in the traditional “Why are we all here?” sense, but in the ultra-modern “Who is running the accounts on our platform?” sense.

From the beginning, Twitter’s creators made the decision not to require real names on the service. It’s a policy that’s descended from older chat services, message boards and Usenet newsgroups and was designed to allow users to express themselves freely. Free expression is certainly one of the things that happens on Twitter, but that policy has had a number of unintended consequences, too.

The service is flooded with bots, automated accounts that are deployed by a number of different types of users, some legitimate, others not so much. Many companies and organizations use automation in their Twitter accounts, especially for customer service. But a wide variety of malicious actors use bots, too, for a lot of different purposes. Governments have used bots to spread disinformation for influence campaigns, cybercrime groups employ bots as part of the command-and-control infrastructure for botnets, and bots are an integral part of the cryptocurrency scam ecosystem. This has been a problem for years on Twitter, but only became a national and international issue after the 2016 presidential election.

Twitter CEO Jack Dorsey said this week that he sees potential in biometric authentication as a way to help combat manipulation and increase trust on the platform.

“If we can utilize technologies like Face ID or Touch ID or some of the biometric things that we find on our devices today to verify that this is a real person, then we can start labeling that and give people more context for what they’re interacting with and ideally that adds some more credibility to the equation. It is something we need to fix. We haven’t had strong technology solutions in the past, but that’s definitely changing with these supercomputers we have in our pockets now,” Dorsey said.

Submission + - Mapping the Infinitely Large IPv6 Address Space

Trailrunner7 writes: Like real estate, we’re not making any more IPv4 addresses. But instead of trying to colonize Mars or build cities under the sea, the Internet’s architects developed a separate address scheme with an unfathomably large pool of addresses. IPv6 has an address space of 2^128, compared to IPv4’s 2^32, and as the exhaustion of the IPv4 address space began to approach, registries started allocating IPv6 addresses and there now are billions of those addresses active at any given time. But no one really knows how many or where they are or what’s behind them or how they’re organized.

A pair of researchers decided to tackle the problem, both in the global address space and in smaller, targeted networks. Known as ipv666, the open source tool set can scan for live IPv6 hosts using a statistical model that the researchers built. The researchers, Chris Grayson and Marc Newlin, faced a number of challenges as they went about developing the ipv666 tools, including getting a large IPv6 address list, which they accumulated from several publicly available data sets. They then began the painful process of building the statistical model to predict other IPv6 addresses based on their existing list.

“There are devices out there on the network that are going to prefer IPv6 and your normal network firewall rules don’t apply. It seems bad. There are IPv6 ghost networks out there and we started thinking this might be kind of a perfect storm and all we have to do is find the devices,” Grayson said in an interview.

Submission + - Data Breaches Have Long-Term Impact on Stock Prices

Trailrunner7 writes: Stock prices typically drop after a breach is disclosed, but they tend to bounce back within a few weeks, suggesting that investors don’t punish companies for security mistakes. Analysis by UK-based Comparitech found that breaches can impact—but it's muted—the company's stock performance.

Even though the stock price went back up after the initial breach disclosure, the prices weren’t as high as they would have been if the breach hadn’t happened. Three years after the data breach was disclosed, the stock price for the companies on average had risen 28.71 percent, but was down 15.58 percent compared to the NASDAQ index, which Comparitech used as a proxy for the wider market.

“In the longer term, share prices continue to grow, but not fast enough to keep up with the NASDAQ,” said Comparitech analyst Paul Bischoff.

The analysis focused on the closing share prices on the New York Stock Exchange for 24 companies that reported a data breach with at least a million records lost, including TJ Maxx, Apple, Yahoo, and LinkedIn.

Submission + - Android Bug Allows Geolocation and Tracking of Users

Trailrunner7 writes: Researchers have discovered a weakness in all versions of Android except 9, the most recent release, that can allow an attacker to gather sensitive information such as the MAC address and BSSID name and pinpoint the location of an affected device.

The vulnerability is a result of the way that Android broadcasts device information to apps installed on a device. The operating system uses a mechanism known as an intent to send out information between processes or applications, and some of the information about the device’s WiFi network interface sent via a pair of intents can be used by an attacker to track a device closely.

A malicious app--or just one that is listening for the right broadcasts from Android--would be able to identify any individual Android device and geolocate it. An attacker could use this weakness to track a given device, presumably without the user’s knowledge. Although Android has had MAC address randomization implemented since version 6, released in 2015, Yakov Shafranovich of Nightwatch Cybersecurity said his research showed that an attacker can get around this restriction.

Submission + - Researchers Discover Large Twitter Botnet Pushing Ethereum Scam

Trailrunner7 writes: Twitter has something of a bot problem. Anyone who uses the platform on even an occasional basis likely could point out automated accounts without much trouble. But detecting bots at scale is a much more complex problem, one that a pair of security researchers decided to tackle by building their own classifier and analyzing the characteristics and behavior of 88 million Twitter accounts.

Using a machine learning model with a set of 20 distinct characteristics such as the number of tweets relative to the age of the account and the speed of replies and retweets, the classifier is able to detect bots with about 98 percent accuracy. The tool outputs a probability that a given account is a bot, with anything above 50 percent likely being a bot. During their research, conducted from May through July, Jordan Wright and Olabode Anise of Duo Security discovered an organized network of more than 15,000 bots that was being used to promote a cryptocurrency scam. The botnet, which is still partially active, spoofs many legitimate accounts and even took over some verified accounts as part of a scheme designed to trick victims into sending small amounts of the cryptocurrency Ethereum to a specific address.

Unlike most botnets, the Ethereum network has a hierarchical structure, with a division of labor among the bots. Usually, each bot in a network performs the same task, whether that’s launching a DDoS attack or mining Bitcoin on a compromised machine. But the Ethereum botnet had clusters of bots with a three-tier organization. Some of the bots published the scam tweets, while others amplified those tweets or served as hub accounts for others to follow. Wright and Anise mapped the social media connections between the various accounts and looked at which accounts followed which others to create a better picture of the network.

Anise and Wright will discuss the results of their research during a talk at the Black Hat USA conference on Wednesday and will release their detection tool as an open source project that day, too.

Submission + - Congress Seeks to Outlaw Cyber Intel Sharing With Russia

Trailrunner7 writes: A group of House Democrats has introduced a bill that would formalize a policy of the United States not sharing cyber intelligence with Russia.

The proposed law is a direct response to comments President Donald Trump made earlier this week after he met with Russian President Vladimir Putin. After the meeting, Trump said on Twitter that he and Putin had discussed forming an “impenetrable Cyber Security unit” to prevent future attacks, including election hacking. The idea was roundly criticized by security and foreign policy experts and within a few hours Trump walked it back, saying it was just an idea and couldn’t actually happen.

But some legislators are not taking the idea of information sharing with Russia as a hypothetical. On Wednesday, Rep. Ted Lieu (D-Calif.), Rep. Brendan Boyle (D-Pa.), and Rep. Ruben Gallego (D-Ariz.) introduced the No Cyber Cooperation With Russia Act to ensure that the U.S. doesn’t hand over any cybersecurity intelligence on attacks or vulnerabilities to Moscow. Recent attacks such as the NotPetya malware outbreak have been linked to Russia, as have the various attacks surrounding the 2016 presidential election.

Submission + - Apple to Force Users to 2FA on iOS 11, High Sierra

Trailrunner7 writes: With the upcoming releases of iOS 11 and macOS High Sierra later this year, Apple is planning to force many users to adopt two-factor authentication for their accounts.

The company this week sent an email to customers who have the existing two-step verification enabled for their Apple IDs, informing them that once they install the public betas of the new operating systems they will be migrated to two-factor authentication automatically. Two-step verification is an older method of account security that Apple rolled out before full two-factor authentication was available. Apple is phasing that out and will be upgrading people with eligible devices automatically.

Submission + - Proposed Active-Defense Bill Would Allow Destruction of Data, Use of Beacon Tech

Trailrunner7 writes: A bill that would allow victims of cybercrime to use active defense techniques to stop attacks and identify attackers has been amended to require victims to notify the FBI of their actions and also add an exemption to allow victims to destroy their data once they locate it on an attacker’s machine.

After releasing an initial draft of the bill in March, Rep. Tom Graves held a public event in Georgia to collect feedback on the legislation. Based on that event and other feedback, Graves made several changes to the bill, including the addition of the notification of law enforcement and an exception in the Computer Fraud and Abuse Act for victims who use so-called beaconing technology to identify an attacker.

“The provisions of this section shall not apply with respect to the use of attributional technology in regard to a defender who uses a program, code, or command for attributional purposes that beacons or returns locational or attributional data in response to a cyber intrusion in order to identify the source of the intrusion,” the bill says.

Submission + - Inside the Tech Support Scam Ecosystem

Trailrunner7 writes: A team of three doctoral students, looking for insights into the inner workings of tech support scams, spent eight months collecting data on and studying the tactics and infrastructure of the scammers, using a purpose-built tool. What they uncovered is a complex, technically sophisticated ecosystem supported by malvertising and victimizing people around the world.

The study is the first analysis of its kind on tech support scams, and it’s the work of three PhD candidates at Stony Brook University. The team built a custom tool called RoboVic that performed a “systematic analysis of technical support scam pages: identified their techniques, abused infrastructure, and campaigns”. The tool includes a man-in-the-middle proxy that catalogs requests and responses and also will click on pop-up ads, which are key to many tech-support scams.

In their study, the researchers found that the source for many of these scams was “malvertisements”, advertisements on legitimate websites, particularly using ad-based URL shorteners, that advertised for malicious scams. This gives the scammers an opportunity to strike on what would seem like a relatively safe page. Although victims of these scams can be anywhere, the researchers found that 85.4 percent of the IP addresses in these scams were located across different regions of India, with 9.7 percent located in the United States and 4.9 percent in Costa Rica. Scammers typically asked users for an average of $291, with prices ranging from $70 to $1,000.

Submission + - Congressmen Push DHS For Answers on SS7 Security

Trailrunner7 writes: A year after flaws in SS7, one of the underlying protocols in the cell network, came to the public’s attention, two powerful members of Congress are asking the secretary of Homeland Security how DHS has addressed the threat and whether the department has sufficient resources to detect and defeat SS7-related attacks.

The flaws in SS7, a protocol that’s designed to connect various telecom carriers, can enable anyone with access to the system to carry out discreet surveillance against a victim, knowing only the target’s phone number. Many people at each of the carriers have access to the system, and security researchers have been warning about the problem for years. Last year, researchers demonstrated an attack on the phone of Rep. Ted Lieu (D-Calif.) using this technique, prompting Lieu to call on congressional leaders to address the issue.

Now, a year later, Lieu and Sen. Ron Wyden (D-Ore.) have sent a letter to John F. Kelly, secretary of Homeland Security, to detail what the department has done to address the SS7 problem and whether the federal government understands how this vulnerability could be used for surveillance.

“We are deeply concerned that the security of America’s telecommunications infrastructure is not getting the attention it deserves. Although there have been a few news stories about this topic, we suspect that most Americans simply have no idea how easy it is for a relatively sophisticated adversary to track their movements, tap their calls, and hack their smartphones. We are also concerned that the government has not adequately considered the counterintelligence threat posed by SS7-enabled surveillance,” the letter says.

Submission + - Bill Would Legalize Active Defense Against Hacks

Trailrunner7 writes: A new bill intended to update the Computer Fraud and Abuse Act would allow victims of computer attacks to engage in active defense measures to identify the attacker and disrupt the attack.

Proposed by Rep. Tom Graves (R-Ga.), the bill would grant victims of computer intrusions unprecedented rights. Known as the Active Cyber Defense Certainty Act, the legislation seeks to amend the CFAA, the much-maligned 1986 law that is used in most computer crime prosecutions.

The proposed legislation includes the caveat that victims can’t take any actions that destroy data on another person’s computer, cause physical injury to someone, or create a threat to public safety. The concept of active defense has been a controversial one in the security community for several years, with many experts saying the potential downside outweighs any upside. Not to mention that it’s generally illegal.
