Information Security News
by Sean Gallagher
A report published by the House Committee on Science, Space and Technology today found that hackers purported to be from China had compromised computers at the Federal Deposit Insurance Corporation repeatedly between 2010 and 2013. Backdoor malware was installed on 12 workstations and 10 servers by attackers—including the workstations of the chairman, chief of staff, and general counsel of FDIC. But the incidents were never reported to the US Computer Emergency Response Team (US-CERT) or other authorities, and were only brought to light after an Inspector General investigation into another serious data breach at FDIC in October of 2015.
The FDIC failed at the time of the "advanced persistent threat" attacks to report the incidents. Then-Inspector General at FDIC, Jon Rymer, lambasted FDIC officials for failing to follow their own policies on breach reporting. Further investigation into those breaches led the committee to conclude that former FDIC CIO Russ Pittman misled auditors about the extent of those breaches, and told employees not to talk about the breaches by a foreign government so as not to ruin FDIC Chairman Martin Gruenberg's chances of confirmation.
The cascade of bad news began with an FDIC Office of the Inspector General (OIG) investigation into the October "Florida incident." On October 23, 2015, a member of the Federal Deposit Insurance Corporation's Information Security and Privacy Staff (ISPS) discovered evidence in the FDIC's data loss prevention system of a significant breach of sensitive data—over 1,200 documents, including Social Security numbers from bank data for over 44,000 individuals and 30,715 banks, were copied to a USB drive by a former employee of FDIC's Risk Management Supervision field office in Gainesville, Florida. The employee had copied the files prior to leaving his position at FDIC. Although the employee was intercepted, the actual data was not recovered from him until March 25, 2016. The former employee provided a sworn statement that he had not disseminated the information, and the matter was dropped.
Over a month after a prominent staffer at the Tor Project left the organization amid public accusations of sexual misconduct, the project has shaken up its entire seven-person board of directors, replacing the seven who have left as of Wednesday with six new members.
The Tor Project is the Massachusetts-based nonprofit that maintains Tor, the well-known open-source online anonymity tool.
In June 2016, Jacob Appelbaum, one of Tor's most public-facing developers and a member of the "Core Team," denounced the accusations, saying that a "calculated and targeted attack has been launched to spread vicious and spurious allegations against me."
by Jonathan M. Gitlin
As we have seen in the past couple of years, car hacking is becoming an ever-greater threat. Many of the systems in our vehicles—and the standards to which they were designed—predate the connected car era. And so computerized vehicle systems lack some of the basic kinds of security that we would otherwise expect as default given the ramifications of a hack. The car-hacking problem gained widespread attention in July 2015, when hackers revealed that 1.4 million Chrysler and Dodge vehicles were vulnerable to an exploit—via the car's infotainment system—that could allow a malicious hacker to take over control of the vehicles' throttle, brakes, and even steering.
On Wednesday morning, Fiat Chrysler Automobiles (FCA) announced it has created a bug bounty program, using Bugcrowd's platform to allow the security community to inform it about possible exploits.
"We want to encourage independent security researchers to reach out to us and share what they’ve found so that we can fix potential vulnerabilities before they’re an issue for our consumers," said Titus Melnyk, senior manager of security architecture at FCA. "Exposing or publicizing vulnerabilities for the singular purpose of grabbing headlines or fame does little to protect the consumer. Rather, we want to reward security researchers for the time and effort, which ultimately benefits us all."
For more than two decades, Microsoft Windows has provided the means for clever attackers to surreptitiously install malware of their choice on computers that connect to booby-trapped printers, or other devices masquerading as printers, on a local area network. Microsoft finally addressed the bug on Tuesday during its monthly patch cycle.
The vulnerability resides in the Windows Print Spooler, which manages the process of connecting to available printers and printing documents. A protocol known as Point-and-Print allows people who are connecting to a network-hosted printer for the first time to automatically download the necessary driver immediately before using it. It works by storing a shared driver on the printer or print server and eliminates the hassle of the user having to manually download and install it.
Researchers with security firm Vectra Networks discovered that the Windows Print Spooler doesn't properly authenticate print drivers when installing them from remote locations. The failure makes it possible for attackers to use several different techniques that deliver maliciously modified drivers instead of the legitimate one provided by the printer maker. The exploit effectively turns printers, printer servers, or potentially any network-connected device masquerading as a printer into an internal drive-by exploit kit that infects machines whenever they connect.
by Sean Gallagher
When we reviewed the Blackphone 2 last September, the company behind the privacy-focused smartphone was in transition. Silent Circle had moved to bring the Blackphone joint venture with the Madrid-based Geeksphone back under its umbrella, hired a telecom industry veteran as CEO, and was fine-tuning its marketing to go after an enterprise audience. The phone’s Android-based operating system, rebranded as Silent OS, became simultaneously more user-friendly and more hardened, paving the way for features that would be incorporated into Android for Work.
Less than a year later, Silent Circle has substantially changed. For starters, that new CEO is gone. Bill Conner resigned June 27 after, as he put it, Silent Circle "extended its privacy leadership into the enterprise as a secure communications SAAS [Software as a Service] company." The company’s general counsel is now serving as interim CEO as it seeks new leadership.
Over the course of the last year, many more core security team members—including co-founder and Chief Technology Officer Jon Callas, Chief Architect Mike Kershaw (AKA "dragorn," creator of the Kismet wireless network security tool), and Chief Security Officer Dan Ford—left the company. Callas remains as an investor, but he now works for Apple. There have also been layoffs.
Drupal announced that they will release today (Wed July 13th 2016, 16:00 UTC) a patch that will fix highly critical remote code execution vulnerabilities in contributed modules. Drupal core is not affected.
The vulnerability is a PHP Arbitrary Code Execution and is rated up to 22/25 (based on the risk calculation model used by Drupal - details here). The vulnerable modules are used on between 1,000 and 10,000 instances.
If you maintain one or more Drupal websites, review the list of affected contributed modules and apply the patch as soon as possible if you're affected.
Link to the advisory ID: DRUPAL-PSA-2016-001
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
A few months ago, I wrote a diary called Unity Makes Strength which was illustrated with an example of integration between a malware analysis solution and a next-generation firewall. The goal is to increase the ability to block malicious traffic as soon as possible. Today, I'd like to explain how to improve the detection of malware on Windows computers thanks to the integration of MISP and OSSEC. I already presented the Malware Information Sharing Platform in another diary. About OSSEC, in a few words, it is a host-based IDS with many extra features like log centralisation, real-time alerting, file integrity monitoring and much more.
To achieve the detection of malicious files or registry keys on the Windows host, let's use a very interesting feature of OSSEC called rootcheck that performs rootkit detection. OSSEC comes with a default configuration that contains interesting examples, but with the malware landscape changing daily, this configuration is obsolete. The goal is to search a MISP database for recent IOCs and inject them into the OSSEC configuration. Both solutions are really open to the world and an integration is quite easy. A MISP instance can be fully managed with the available REST API. To simplify the use of this API, there is even a Python library called PyMISP. Here is a very simple example to get the latest events from MISP:

    import json
    from pymisp import PyMISP
    from keys import misp_url, misp_key, misp_verifycert   # connection settings kept in keys.py

    # Connect to the MISP instance (the PyMISP examples wrap this call in a small init() helper)
    misp = PyMISP(misp_url, misp_key, misp_verifycert)
    # Fetch the events published during the last day (recent PyMISP releases use misp.search(last='1d'))
    result = misp.download_last('1d')
    for event in result['response']:
        print(json.dumps(event) + '\n')

[Diagram: MISP -> PyMISP.py (via the REST API) -> IOC list -> OSSEC -> OSSEC agents]
I wrote a small script called MOF which stands for MISP OSSEC Feeder. It extracts the interesting file names from MISP. The following types of attributes are extracted:
To reduce the risk of

    # ./mof.py -h
    usage: misp_ossec_export.py [-h] -t TIME [-o OUTPUT]

    Extract IOCs from MISP and generate an OSSEC rootcheck file.

    optional arguments:
      -h, --help            show this help message and exit
      -t TIME, --time TIME  Time machine (ex: 5d, 12h, 30m).
      -o OUTPUT, --output OUTPUT
                            Output file
    # ./mof.py -o /var/ossec/etc/shared/misp_windows_ioc.txt
The script requires the PyMISP library that can be installed easily via a pip install pymisp.
The generated rootcheck configuration file looks like below. IOC

    #
    # OSSEC RootCheck IOC generated by MOF (MISP OSSEC Feeder)
    # https://github.com/xme/
    #
    # Generated on: Mon Jul 11 22:06:56 2016
    # MISP url: https://misp.home.rootshell.be/
    # Wayback time: 30d
    #
    [MISP_2073] [any] [Packrat: Seven Years of a South American Threat Actor]
    [MISP_2200] [any] [Click-Fraud Ramdo Malware Family Continues to Plague Users]
    [MISP_2210] [any] [Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom]
The next step is to integrate this new file into your OSSEC agent.conf file. Please have a look at the OSSEC documentation for a complete description of this shared agents configuration. Here is mine (stored in /var/ossec/etc/shared/agent.conf):
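As an added illustration of the conversion step described above (this is example code, not the MOF script itself), the following maps the file and registry attributes of a MISP event to OSSEC rootcheck entries and refuses values that would corrupt the generated file. The MISP event is a constructed sample trimmed to the keys used; the `f:path;` / `r:key;` entry syntax and the `to_ids` flag are taken from the OSSEC rootcheck and MISP documentation, and the attribute type names are assumed to match those MISP uses.

```python
# Constructed sample MISP event, trimmed to the keys this example reads.
SAMPLE_EVENT = {"Event": {
    "id": "2073",
    "info": "Packrat: Seven Years of a South American Threat Actor",
    "Attribute": [
        {"type": "filename", "value": r"C:\Users\Public\svchost32.exe", "to_ids": True},
        {"type": "filename|sha256", "value": "dropper.exe|" + "0" * 64, "to_ids": True},
        {"type": "regkey", "value": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\updater", "to_ids": True},
        {"type": "regkey|value", "value": r"HKEY_LOCAL_MACHINE\Software\Evil|install", "to_ids": True},
        {"type": "filename", "value": "bad;name.exe", "to_ids": True},     # would break the file
        {"type": "filename", "value": "not_for_ids.txt", "to_ids": False},  # not flagged for detection
        {"type": "domain", "value": "example.invalid", "to_ids": True},    # rootcheck cannot use it
    ]}}

FILE_TYPES = {"filename", "filename|md5", "filename|sha1", "filename|sha256"}
REG_TYPES = {"regkey", "regkey|value"}

def attribute_to_check(attr):
    """Map one MISP attribute to an OSSEC rootcheck entry, or None if unusable."""
    if not attr.get("to_ids"):            # only indicators flagged for detection
        return None
    kind = attr["type"]
    if kind in FILE_TYPES:
        prefix = "f"
    elif kind in REG_TYPES:
        prefix = "r"
    else:
        return None
    name = attr["value"].split("|", 1)[0]  # drop the hash / value-name half
    # In rootcheck syntax ';' terminates an entry and '->' starts a content
    # pattern; a value containing either would change what the check means.
    if not name or any(bad in name for bad in (";", "->", "\n", "\r")):
        return None
    return "%s:%s;" % (prefix, name)

def event_to_rootcheck(event):
    """Render one MISP event as a rootcheck block in the format shown above."""
    ev = event["Event"]
    info = ev["info"].replace("[", "(").replace("]", ")")  # brackets delimit the header
    lines = ["[MISP_%s] [any] [%s]" % (ev["id"], info)]
    lines += [c for c in map(attribute_to_check, ev.get("Attribute", [])) if c]
    return "\n".join(lines) + "\n" if len(lines) > 1 else ""  # skip events with no usable IOC

if __name__ == "__main__":
    print(event_to_rootcheck(SAMPLE_EVENT))
```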