Information Security News
A vulnerability in fully patched versions of Internet Explorer allows attackers to steal login credentials and inject malicious content into users' browsing sessions. Microsoft officials said they're working on a fix for the bug, which works successfully on IE 11 running on both Windows 7 and 8.1.
The vulnerability is known as a universal cross-site scripting (XSS) bug. It allows attackers to bypass the same-origin policy, a crucially important principle in Web application security that prevents script from one site from reading or modifying the browser cookies, DOM or other content belonging to any other site. A proof-of-concept exploit published in the past few days shows how a website can violate this rule when people use supported versions of Internet Explorer running the latest patches to visit maliciously crafted pages.
To demonstrate the attack, the demo injects the words "Hacked by Deusen" into the website of the Daily Mail. But it could just as well have stolen the HTML-based data that the news site, or any other website, stores on visitors' computers. That means it would be trivial for attackers to use it to steal the authentication cookies many websites use to grant access to user accounts once a visitor has entered a user name and password. Once in possession of the cookie, an attacker could access the same restricted areas normally available only to the victim, including those with credit card data, browsing histories, and other confidential data. Phishers could also exploit the bug to trick people into divulging passwords for sensitive sites.
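The rule the bug defeats is easy to state but worth seeing precisely. The following is an added example, not code from the article or from the exploit author: it computes the (scheme, host, port) origin triple a browser compares before letting script on one page touch another, using the Daily Mail's host name from the article and a made-up attacker host as sample URLs.

```python
"""Same-origin check, added example (not from the article or the exploit).

A browser compares the (scheme, host, port) triple of the page running
script against the triple of the resource the script tries to touch.
The universal XSS described above defeats this check inside IE; the
function below only shows what the check is supposed to enforce.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Ports the browser substitutes when the URL omits one.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple[str, str, int]:
    """Return the (scheme, host, port) origin triple for a URL.

    The path, query and fragment never take part in the comparison."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if port is None:
        raise ValueError(f"no default port for scheme {scheme!r}")
    return (scheme, host, port)


def same_origin(a: str, b: str) -> bool:
    """True only when scheme, host and port all match: the rule that keeps a
    page on attacker.example from reading www.dailymail.co.uk's DOM/cookies."""
    return origin(a) == origin(b)


if __name__ == "__main__":
    # Constructed URL pairs; attacker.example is a placeholder host.
    checks = [
        ("https://www.dailymail.co.uk/", "https://www.dailymail.co.uk/news/"),   # same origin
        ("https://www.dailymail.co.uk/", "http://www.dailymail.co.uk/"),         # scheme differs
        ("https://www.dailymail.co.uk:443/", "https://www.dailymail.co.uk/"),    # explicit default port
        ("https://www.dailymail.co.uk/", "https://attacker.example/"),          # host differs
    ]
    for a, b in checks:
        print(f"{a} vs {b}: same_origin={same_origin(a, b)}")
```

Two practical notes: a cookie flagged HttpOnly is withheld from script even on a same-origin page, so it cannot be copied out through document.cookie, but an attacker who can run script inside the target origin can still drive the victim's session from within the browser; and the bypass is universal precisely because the check above is implemented by the browser, so no server-side fix on the victim site can restore it.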
Millions of Android fans downloaded 'adware' game app – infosec biz
Card-game players are being warned about an Android app in Google's Play Store that reportedly slaps adverts all over your handheld. The accused app recreates Durak, a traditional Russian game, and is rather imaginatively called Durak Card Game.
This is a guest diary written by Mr. William Glodek, Chief, Network Security Branch, U.S. Army Research Laboratory.
As a network analysis practitioner, I analyze multiple gigabytes of pcap data across multiple files on a daily basis. I have encountered many challenges where the standard tools (tcpdump, tcpflow, Wireshark/tshark) were either not flexible enough or couldn't be prototyped quickly enough to do specialized analyses in a timely manner. Either the analysis couldn't be done without recompiling the tool itself, or the plugin system was difficult to work with via command line tools.
Dshell, a Python-based network forensic analysis framework developed by the U.S. Army Research Laboratory, can help make that job a little easier. The framework handles stream reassembly of both IPv4 and IPv6 network traffic and also includes geolocation and IP-to-ASN mapping data for each connection. It also enables development of network analysis plug-ins that parse data of interest from multiple levels of the network stack and present the results to the user in a concise, useful manner, from tweaking an existing decoder to extract slightly different information from an existing protocol to writing a new parser for a completely novel protocol. Here are two scenarios where Dshell has decreased the time required to identify and respond to network forensic challenges.
The reservedips module finds all of the DNS request/response pairs for domains that resolve to a non-routable IP address (for example loopback or RFC 1918 private space) and displays each pair on a single line. With each result on one line, I can use other command line utilities like awk or grep to filter the results further. Dshell can also present the output in CSV format, which can be imported into many Security Information and Event Management (SIEM) tools or other analytic platforms.
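The filter the reservedips module applies can be reproduced in a few lines with the standard library. The block below is an added example written for this page, not the Dshell module's own code; the DNS answers it scans are constructed inline (the host names are placeholders), and a real run would feed it records from a pcap decoder instead.

```python
"""Flag DNS answers that resolve to non-routable space.  Added example
modelled on what the diary says the reservedips module reports; it is
not the module's code.  SAMPLE_ANSWERS is constructed test data.
"""
import csv
import io
import ipaddress

# Constructed (client, query name, answer) records; names are placeholders.
SAMPLE_ANSWERS = [
    ("10.1.1.50", "www.example.com", "93.184.216.34"),
    ("10.1.1.50", "cdn.test.example", "127.0.0.1"),
    ("10.1.1.51", "beacon.test.example", "192.168.1.10"),
    ("10.1.1.52", "update.test.example", "0.0.0.0"),
    ("10.1.1.53", "six.test.example", "::1"),
    ("10.1.1.54", "lookup.example.org", "2606:2800:220:1:248:1893:25c8:1946"),
]


def is_non_routable(addr: str) -> bool:
    """True for addresses that cannot be reached over the public Internet:
    RFC 1918 space, loopback, link-local, unspecified, multicast and the
    other IANA special-purpose ranges that ipaddress.is_global excludes.
    Unparseable rdata is not flagged (the caller can handle it separately)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not ip.is_global


def find_reserved(answers):
    """Keep only the (client, qname, answer) records with a non-routable answer."""
    return [rec for rec in answers if is_non_routable(rec[2])]


def as_lines(records):
    """One record per line, so grep/awk can post-filter the way the diary does."""
    return [f"{client} {qname} -> {answer}" for client, qname, answer in records]


def as_csv(records) -> str:
    """CSV with a header row, suitable for import into a SIEM."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["client", "qname", "answer"])
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    hits = find_reserved(SAMPLE_ANSWERS)
    print("\n".join(as_lines(hits)))
    print(as_csv(hits))
```

Using is_global rather than a hand-written list of prefixes means IPv6 answers (::1 above) and less obvious ranges such as 100.64.0.0/10 are caught without extra code; the check is deliberately broader than "RFC 1918", which is what you want when hunting for sinkholed or mis-resolving domains.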
I can then extract the executable from the network traffic by using the rip-http module. The rip-http module will reassemble the IP/TCP/HTTP stream, identify the filename being requested, strip the HTTP headers, and write the data to disk with the appropriate filename.
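The steps rip-http performs after reassembly (take the filename from the request line, drop the response headers, write the body) are easy to get subtly wrong. The following is an added example of that extraction written for this page, not the rip-http module's code; the request and response bytes are constructed inline, and a real run would take them from the reassembled client and server directions of one TCP connection.

```python
"""Pull a downloaded file out of a reassembled HTTP exchange.  Added
example in the spirit of the rip-http module described above, not its
code.  REQUEST and RESPONSE are constructed stand-ins for the two
directions of a reassembled TCP stream.
"""
import os
import posixpath
import re
from urllib.parse import unquote, urlsplit

REQUEST = (
    b"GET /downloads/update%20tool.exe?id=7 HTTP/1.1\r\n"
    b"Host: files.test.example\r\n\r\n"
)
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 6\r\n\r\n"
    b"MZ\x90\x00\x03\x00"
    b"HTTP/1.1 200 OK\r\n"   # start of the next response on the same keep-alive connection
)


def requested_filename(request: bytes) -> str:
    """Filename from the request line: last path segment, percent-decoded,
    with directory components stripped so a crafted path such as
    ..%2F..%2Fetc/passwd cannot escape the output directory."""
    line = request.split(b"\r\n", 1)[0].decode("latin-1")
    m = re.match(r"[A-Z]+ (\S+) HTTP/\d\.\d$", line)
    if not m:
        raise ValueError("not an HTTP request line")
    path = urlsplit(m.group(1)).path
    name = posixpath.basename(unquote(path))
    name = name.replace("/", "").replace("\\", "").lstrip(".")
    return name or "unnamed"


def response_body(response: bytes) -> bytes:
    """Strip the headers and honour Content-Length, so bytes belonging to
    the next response on a keep-alive connection are not written into the
    file.  Chunked or compressed bodies are not handled here."""
    head, sep, rest = response.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response headers")
    length = None
    for header in head.split(b"\r\n")[1:]:
        key, _, value = header.partition(b":")
        if key.strip().lower() == b"content-length":
            length = int(value.strip())
    return rest if length is None else rest[:length]


def rip(request: bytes, response: bytes, outdir: str) -> str:
    """Write the body to outdir under the requested filename; return the path."""
    os.makedirs(outdir, exist_ok=True)
    out = os.path.join(outdir, requested_filename(request))
    with open(out, "wb") as fh:
        fh.write(response_body(response))
    return out


if __name__ == "__main__":
    print(rip(REQUEST, RESPONSE, "ripped"))
```

Two details matter in practice: honouring Content-Length (otherwise a keep-alive connection carrying several responses yields one corrupt file), and sanitising the filename taken from the wire, since it is attacker-controlled input that would otherwise be used to open a path under the analyst's account.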
There are additional modules within the Dshell framework to solve other challenges faced with network forensics. The ability to rapidly develop and share analytical modules is a core strength of Dshell. If you are interested in using or contributing to Dshell, please visit the project at https://github.com/USArmyResearchLab/Dshell.
Security researchers have once again found Google Play offering malicious apps that have been downloaded by millions of Android users. According to a blog post published Tuesday by antivirus provider Avast, the apps include the Durak card game app and at least two other titles. Combined, those apps have been installed as many as 15 million times. Researcher Filip Chytry wrote:
When you install Durak, it seems to be a completely normal and well working gaming app. This was the same for the other apps, which included an IQ test and a history app. This impression remains until you reboot your device and wait for a couple of days. After a week, you might start to feel there is something wrong with your device. Some of the apps wait up to 30 days until they show their true colors. After 30 days, I guess not many people would know which app is causing abnormal behavior on their phone, right?
Each time you unlock your device an ad is presented to you, warning you about a problem, e.g. that your device is infected, out of date or full of porn. This, of course, is a complete lie. You are then asked to take action, however, if you approve you get re-directed to harmful threats on fake pages, like dubious app stores and apps that attempt to send premium SMS behind your back or to apps that simply collect too much of your data for comfort while offering you no additional value.
It's not the first time Google's official Android app bazaar has been found to host malicious apps. In the past, it has offered titles laced with surreptitious remote access trojans, Bitcoin miners, and rogue advertising networks. Three years ago, Google introduced a cloud-based scanner that scours Play for malicious apps, but attackers have been known to bypass it.
Google officials regularly remove apps from Play when they are found to be malicious. At the time this post was being prepared, all three flagged by Avast remained available for download.
Last year with OpenSSL, and this year with the GHOST glibc vulnerability, the question came up of which piece of software is using which specific library. This is a particularly challenging inventory problem. Most software does not document all of its dependencies well. Libraries can be statically compiled into a binary, or they can be loaded dynamically. In addition, updating a library on disk is not sufficient for a process that already has the old version mapped in memory: it keeps running the vulnerable code until it is restarted.
To solve the first problem, there is ldd. ldd will tell you what shared libraries will be loaded by a particular piece of software. It will not see code that was statically linked in, or libraries a program opens at run time with dlopen(), and because it may run the program's dynamic loader it should not be used on untrusted binaries. For example:
$ ldd /bin/bash
        linux-vdso.so.1 => (0x00007fff9677e000)
        libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007fa397b43000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007fa39793f000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fa3975aa000)
The first line (linux-vdso) doesn't point to an actual library but to the virtual dynamic shared object (vDSO), which represents kernel routines mapped into every process. Wherever you see an arrow (=>), the name on the left is the soname the program asks for and the path on the right is the file the loader resolved it to; on most distributions that path is itself a symlink to a versioned file such as libc-2.5.so. Another option that works quite well for shared libraries is readelf, e.g. readelf -d /bin/bash will list
To list libraries currently loaded, and the processes that are using them, you can use lsof (run it as root, or it will only report the processes you own).
One trick with lsof is that it may abbreviate command names to make the output line up. To prevent that, use +c 0:
# lsof +c 0 | grep libc-
init 1 root mem REG 253,0 1726296 131285 /lib64/libc-2.5.so
udevd 836 root mem REG 253,0 131078 /lib64/libc-2.5.so (path inode=131285)
anvil 987 postfix mem REG 253,0 1726296 131285 /lib64/libc-2.5.so
The first column tells you which processes need restarting. The number in front of the library (131285) is the inode of the library file. For udevd the inode of the mapped copy (131078) no longer matches the inode of the file now at that path (131285), which lsof flags with (path inode=131285): the library on disk has been replaced, but the process still has the old copy in memory. Those are the processes that need restarting.
It is always best to reboot the system so you do not have to worry about remnant vulnerable code staying in memory.
In addition, if your system uses RPMs, you can query package dependencies with rpm. But this information is not always complete.
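Doing that inode comparison by eye does not scale to a full host, so here is the check as a script. It is an added example, not something from the diary: it parses lsof +c 0 lines of the form shown above (SAMPLE_LSOF is built from the diary's three lines) and reports every process whose mapped inode differs from the inode of the file on disk, taking the on-disk inode either from lsof's own (path inode=N) annotation or from a {path: inode} map that a real run would fill with os.stat().

```python
"""Which processes still map a replaced library?  Added example, not from
the diary.  It parses `lsof +c 0` output of the kind shown above and
compares each mapped inode with the inode of the file now on disk.

SAMPLE_LSOF is constructed from the diary's three output lines.  The
disk_inode argument stands in for os.stat(path).st_ino on the live host
so the example runs anywhere; inodes_on_disk() builds it for real.
"""
import os
import re

SAMPLE_LSOF = """\
init 1 root mem REG 253,0 1726296 131285 /lib64/libc-2.5.so
udevd 836 root mem REG 253,0 131078 /lib64/libc-2.5.so (path inode=131285)
anvil 987 postfix mem REG 253,0 1726296 131285 /lib64/libc-2.5.so
"""

# lsof columns: COMMAND PID USER FD TYPE DEVICE [SIZE/OFF] NODE NAME.
# The SIZE/OFF column is missing on the udevd line (the file lsof found
# at that path is no longer the one mapped), so SIZE/OFF is optional and
# NODE is the last number before the path.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+mem\s+REG\s+\S+\s+"
    r"(?:\d+\s+)?(?P<inode>\d+)\s+(?P<path>\S+)"
    r"(?:\s+\(path inode=(?P<path_inode>\d+)\))?$"
)


def parse_lsof(text: str):
    """Return (command, pid, mapped_inode, path, path_inode_or_None) per line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((
                m["cmd"], int(m["pid"]), int(m["inode"]), m["path"],
                int(m["path_inode"]) if m["path_inode"] else None,
            ))
    return records


def stale_processes(records, disk_inode):
    """(command, pid) for every process whose mapped inode differs from the
    inode currently on disk.  lsof's '(path inode=N)' annotation wins when
    present; otherwise disk_inode ({path: inode}) is consulted."""
    stale = []
    for cmd, pid, mapped, path, path_inode in records:
        current = path_inode if path_inode is not None else disk_inode.get(path)
        if current is not None and current != mapped:
            stale.append((cmd, pid))
    return stale


def inodes_on_disk(paths):
    """Live inodes via os.stat, for the paths that exist on this host."""
    return {p: os.stat(p).st_ino for p in set(paths) if os.path.exists(p)}


if __name__ == "__main__":
    recs = parse_lsof(SAMPLE_LSOF)
    for cmd, pid in stale_processes(recs, inodes_on_disk(r[3] for r in recs)):
        print(f"restart needed: {cmd} (pid {pid})")
```

Feeding it real data is a matter of piping lsof +c 0 into the script instead of SAMPLE_LSOF; on a host where libc has just been updated the list of (command, pid) pairs is the restart list, and if it includes init or other early processes the reboot advice above applies.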
Posted by InfoSec News on Feb 03: http://www.eweek.com/security/google-launches-new-incentive-program-for-bug-hunters.html
Posted by InfoSec News on Feb 03: Forwarded from: Vic Vandal <vvandal (at) well.com>
Posted by InfoSec News on Feb 03: http://mashable.com/2015/02/03/bmw-connecteddrive-locks/
Posted by InfoSec News on Feb 03: http://www.techworld.com/news/security/dating-site-topface-pays-hacker-who-stole-20-million-credentials-3596333/
Posted by InfoSec News on Feb 03: http://www.nextgov.com/cybersecurity/2015/02/white-house-debuts-dot-gov-cyber-enforcement-squad/104313/