
Yahoo has sent out another round of notifications to users, warning some that their accounts may have been breached as recently as last year. The accounts were affected by a flaw in Yahoo's mail service that allowed an attacker—most likely a "state actor," according to Yahoo—to use a forged "cookie" created by software stolen from within Yahoo's internal systems to gain access to user accounts without a password.

Yahoo informed some users in e-mails this week that "Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account." The messages are regarding possible breaches using the cookie vulnerability in 2014.

The Associated Press' Raphael Satter reports that a Yahoo spokesperson acknowledged the company was notifying users of the potential breach of their accounts, but would not disclose how many users were affected.



Chairman of the Science, Space, and Technology Committee Lamar Smith, R-Texas, seen here in 2013. (credit: Bill Clark/CQ Roll Call)

Two Republican members of Congress sent a formal letter Tuesday to the Environmental Protection Agency’s Office of the Inspector General, expressing concern that “approximately a dozen career EPA officials” are using the encrypted messaging app Signal to covertly plan strategy and may be running afoul of the Freedom of Information Act.

The open source app has gained renewed interest in the wake of the election of President Donald Trump.

As Ars has reported previously, all Signal messages and voice calls are end-to-end encrypted using the Signal Protocol, which has since been adopted by WhatsApp and other companies. However, unlike other messaging apps, Signal’s maker, Open Whisper Systems, makes a point of not keeping any data, encrypted or otherwise, about its users. (WhatsApp also does not retain chat history but allows for backups using third-party services, like iCloud, which allows for message history to be restored when users set up a new device. Signal does not allow messages to be stored with a third party.)

The letter was written by Rep. Lamar Smith (R-Texas) and Rep. Darin LaHood (R-Ill.), who are the chair of the Committee on Science, Space, and Technology and the chair of the subcommittee on Oversight, respectively.

The congressmen note that the EPA has previously examined employee use of text messages to conduct government business and found that only a minuscule fraction of those messages was retained under FOIA.

“Not only does this demonstrate the vast issues presented with using text messages to conduct official business, but raises additional concerns about using messaging applications to conduct official business, which make it virtually impossible for the EPA to preserve and retain the records created in this manner to abide by federal record-keeping requirements,” they concluded.

The two Republicans gave the agency until February 28 to respond.

The EPA OIG did not immediately respond to Ars’ request for comment.

UPDATE 5:49pm ET: Jennifer Kaplan, Deputy Assistant Inspector General for Congressional and Public Affairs, e-mailed: "In response to your inquiry below, the EPA OIG takes all congressional requests seriously. This request is under review by the Inspector General and his senior leadership team."


Advisory X41-2017-002: Multiple Vulnerabilities in ytnef
Cisco Security Advisory: Cisco UCS Director Privilege Escalation Vulnerability
CVE-2017-5585: SQL injection in OpenText Documentum Content Server 7.3 (PostgreSQL builds only)
CVE-2017-5586: Remote code execution in OpenText Documentum D2

I made the following demo for a customer as part of a security awareness event. When speaking to non-technical people, it's always difficult to demonstrate how easily attackers can abuse their devices and data. While successfully popping up a calc.exe with an exploit drives a room full of security people crazy, that's not the case for users. It is mandatory to demonstrate something that will ring a bell in their minds.

As people want to be constantly online, they (ab)use wireless access points. By default, connected devices keep a history of all used wireless networks and constantly try to find them again. The idea of the demo is simple:

  1. Collect all the SSIDs broadcast by mobile devices present in the audience
  2. Geolocate the SSIDs using the Wigle API
  3. Display them on a map

[Note: For privacy reasons, this demo must be performed with the authorization of people in the audience]

First, collect SSIDs:

    # iwconfig $interface mode monitor
    # ifconfig $interface up
    # tshark -i $interface -n -l subtype probereq | tee -a /tmp/ssids.tmp
    Feb 7 18:37:39 Probe Request from 08:ee:8b:xx:xx:xx for SSID xxxx Airport
    Feb 7 18:36:54 20:a2:e4:xx:xx:xx trying to associate with Free Wireless
    Feb 7 18:36:49 Probe Request from 20:a2:e4:xx:x:xx for SSID Free Wireless
    Feb 7 18:36:25 Probe Request from 58:40:4e:xx:xx:xx for SSID Free Wireless
    Feb 7 18:36:22 Probe Request from 0c:e7:25:xx:xx:xx for SSID Free
    Feb 7 18:36:12 Probe Request from e8:50:8b:xx:xx:xx for SSID xxxxx-wifi
    Feb 7 18:36:04 f0:25:b7:xx:xx:xx trying to associate with Airport_Free_xxxxxx
    Feb 7 18:36:04 Probe Request from f0:25:b7:xx:xx:xx for SSID Airport_Free_WiFi_xxxxxx
    Feb 7 18:35:46 64:9a:be:xx:xx:xx trying to associate with swisscom
    Feb 7 18:35:46 Probe Request from 64:9a:be:xx:xx:xx for SSID swisscom
    Feb 7 18:35:40 Probe Request from 24:77:03:xx:xx:xx for SSID UM
    Feb 7 18:35:38 Probe Request from 24:77:03:xx:xx:xx for SSID UM
    Feb 7 18:35:34 Probe Request from 20:a9:9b:xx:xx:xx for SSID xxxxx
    Feb 7 18:35:31 Probe Request from 20:a2:e4:xx:xx:xx for SSID Free Wireless
    Feb 7 18:35:15 Probe Request from 8c:00:6d:xx:xx:xx for SSID xxxxNET
    Feb 7 18:35:15 Probe Request from 80:ea:96:xx:xx:xx for SSID Airport_Free_WiFi
    Feb 7 18:35:10 38:ca:da:xx:xx:xx trying to associate with xxxxNET

Let tshark collect SSIDs for a few minutes (the list will quickly grow). The next step is to use the Wigle[1] API to get geolocation data.

    # grep SSID /tmp/ssids.tmp | awk -F ' for SSID ' '{ print $NF }' | sort -u

What about the accuracy of those maps? It relies on the Wigle database, which is populated by volunteers. Generic SSIDs like "Free Wifi" or "Guest" won't give good results, but a unique hotel name will work perfectly. It is not possible to put the broadcast SSIDs on a timeline to track past movements, but it's easy to spot two people who met or visited the same place in the past.

Given that people keep their phone's default name ("iPhone of John Doe"), this demo always generates a little stress when you ask the victim: "So, Mr Doe, how was your stay at the hotel La Playa?"
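As an added illustration (not part of the original diary), the sketch below reads a capture log in the format shown above and reports, per device, which probed SSIDs are distinctive enough to point at one place and should be removed from the saved-network list. The sample log, the MAC addresses, the generic-name list and all function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the log format shown above; MACs are made up.
SAMPLE_LOG = """\
Feb 7 18:37:39 Probe Request from 08:ee:8b:00:00:01 for SSID Hotel La Playa
Feb 7 18:36:54 20:a2:e4:00:00:02 trying to associate with Free Wireless
Feb 7 18:36:49 Probe Request from 20:a2:e4:00:00:02 for SSID Free Wireless
Feb 7 18:36:25 Probe Request from 58:40:4e:00:00:03 for SSID Free Wireless
Feb 7 18:36:12 Probe Request from 58:40:4e:00:00:03 for SSID Hotel La Playa
Feb 7 18:35:46 Probe Request from 64:9a:be:00:00:04 for SSID Guest
"""

# Assumed list of generic names; the text cites "Free Wifi" and "Guest".
GENERIC_SSIDS = {"free", "free wifi", "free wireless", "guest"}

PROBE_RE = re.compile(r"Probe Request from (?P<mac>\S+) for SSID (?P<ssid>.+)$")


def parse_probes(log):
    """Map each client MAC to the set of SSIDs it probed for."""
    probes = defaultdict(set)
    for line in log.splitlines():
        m = PROBE_RE.search(line.rstrip())
        if m:  # "trying to associate" lines and noise are skipped
            probes[m["mac"].lower()].add(m["ssid"].strip())
    return dict(probes)


def identifying_ssids(probes, generic=GENERIC_SSIDS):
    """Per device, the probed SSIDs distinctive enough to point at one place."""
    return {
        mac: sorted(s for s in ssids if s.lower() not in generic)
        for mac, ssids in probes.items()
    }


def linking_ssids(probes, generic=GENERIC_SSIDS):
    """Distinctive SSIDs probed by more than one device (shared history)."""
    seen = defaultdict(set)
    for mac, ssids in probes.items():
        for s in ssids:
            if s.lower() not in generic:
                seen[s].add(mac)
    return {s: sorted(macs) for s, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    probes = parse_probes(SAMPLE_LOG)
    for mac, ssids in identifying_ssids(probes).items():
        print(mac, "should forget:", ssids or "nothing distinctive")
    print("shared:", linking_ssids(probes))
```
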


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.



For a decade, every major operating system has relied on a technique known as address space layout randomization to provide a first line of defense against malware attacks. By randomizing the computer memory locations where application code and data are loaded, ASLR makes it hard for attackers to execute malicious payloads when exploiting buffer overflows and similar vulnerabilities. As a result, exploits cause a simple crash rather than a potentially catastrophic system compromise.

Now, researchers have devised an attack that could spell the end of ASLR as the world knows it now. The attack uses simple JavaScript code to identify the memory addresses where system and application components are loaded. When combined with attack code that exploits vulnerabilities in browsers or operating systems, the JavaScript can reliably eliminate virtually all of the protection ASLR provides. The technique, which exploits what's known as a side channel in the memory cache of all widely used modern CPUs, is described in a research paper published on Wednesday. The researchers have dubbed the technique ASLR Cache or AnC for short.

"Fundamentally insecure"

The researchers said the side channel attack is much more damaging than previous ASLR bypasses, because it exploits a micro-architectural property of the CPU that's independent of any operating system or application running on it. Whereas heap spraying and other forms of ASLR bypass can often be mitigated by software tweaks, there isn't much that can stop or lessen the effects of the JavaScript, which targets a CPU's MMU, or memory management unit. That's because CPU caching behavior and strong address space randomization are mutually exclusive. (Apple, however, recently hardened its Safari browser to partially mitigate such attacks. It's also possible to prevent JavaScript from running in a browser, but such blocking often severely degrades a site's usability.)


[security bulletin] HPESBHF03703 rev.1 - HPE Network Products including Comware v7 and VCX using OpenSSL, Remote Unauthorized Disclosure of Information
Cisco Security Response: Cisco Smart Install Protocol Misuse
[security bulletin] HPESBGN03697 rev.1 - HPE Business Service Management (BSM), Remote Disclosure of Information
Internet Storm Center Infocon Status