Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 


VTech, the hacked maker of electronic toys and apps that leaked the data of 4.8 million customers, including hundreds of thousands of children, exposed gigabytes' worth of pictures and chat histories on the same compromised servers, according to an article published on Motherboard, the website that first broke news of the breach.

The news website said a hacker who asked to remain anonymous was able to download almost 200 gigabytes' worth of photos of both parents and children who had registered with the site. The hacker also obtained logs of chats conducted between parents and their kids and in some cases recordings of conversations. VTech encouraged parents to take the headshots and use them with apps that allow them to interact with children. The hacker, who said he didn't intend to publish or sell the data, provided Motherboard with 3,832 image files and at least one audio recording for verification purposes.

It's not clear why VTech stored the data on its servers in the first place. The article reported:


 

In response to a demand for backdoor access to its enterprise messaging products, BlackBerry is completely pulling out of the Pakistan market. The announcement comes as a ban on providing BlackBerry Enterprise Services over mobile networks in Pakistan was due to take effect today.

The Pakistan Telecommunications Authority's ban on BlackBerry Enterprise Services (BES) was issued this summer, and it was planned to become effective on November 30, as Ars reported in July. "Security reasons" were cited as the cause of the ban. But just before the restriction was announced, Privacy International issued a report that warned of the Pakistani Inter-Services Intelligence (ISI) agency's efforts to gain network surveillance capabilities within the country that rival those of the National Security Agency.

While the government has pushed back the effective date of that order to December 30, BlackBerry COO Marty Beard announced today that the company would exit the Pakistani market completely rather than meet government demands for unfettered access to the service's message traffic.


 


An active hacking campaign is forcing Reader's Digest and many other websites to host malicious code that can surreptitiously infect visitors with malware and linger for days or weeks before being cleaned up.

Reader's Digest has been infected since last week with code originating with Angler, an off-the-shelf hack-by-numbers exploit kit that saves professional criminals the hassle of developing their own attack scripts, researchers from antivirus provider Malwarebytes told Ars. People who visit the site with outdated versions of Adobe Flash, Internet Explorer, and other browsing software are silently infected with malware that gains control over their computers. Malwarebytes researchers said they sent Reader's Digest operators e-mails and social media alerts last week warning the site was infected but never got a response. The researchers estimate that thousands of other sites have been similarly attacked in recent weeks and that the number continues to grow.

"This campaign is still ongoing and we see dozens of new websites every day being leveraged to distribute malware via the Angler exploit kit," Malwarebytes Senior Security Researcher Jérôme Segura wrote in an e-mail. "This attack may have been going on for some time but we noticed a dramatic increase in infections via WordPress sites in the past couple of weeks."


 

SHA1 (Secure Hashing Algorithm 1) has been in use for about 20 years. More recently, some weaknesses have been identified in SHA1, and in general, faster computing hardware makes it more and more likely that collisions will be found. As a result, SHA2 is starting to replace SHA1, and you should see this impacting your users next year. Various software will stop trusting SHA1 signatures, and users may receive warnings about invalid signatures or certificates as a result.

First, a very quick primer on digital signatures. The signature verifies who created the document (the signer) and that the document wasn't altered after the fact. To do so, a hash of the document is created. Then the author uses a private key to encrypt the hash. Anybody else may now use the signer's public key to decrypt the hash and verify that the hash is correct. If I can create a second document with the same hash, then I could just copy the signature from the first document and claim the second document is valid. This is the type of collision that a secure hash function is trying to make very difficult. Collisions are always possible, since the hash is shorter than the original document. But for a good hash function, it is very, very hard to create a second document that matches the first one. SHA2, which is going to replace SHA1, is actually a set of different hash functions (SHA-224 through SHA-512).

The most likely area where you will see issues is SSL certificates. SSL certificates are digitally signed by the certificate authority. Until recently, SHA1 was the default hashing algorithm, and there are many certificates still out there that are signed using a SHA1 hash. In addition, some intermediate certificates used by certificate authorities to sign server certificates are still based on SHA1 (and these are more of a problem, as such certificates tend to have a long lifetime). There are a couple of legacy operating systems where you will have issues implementing SHA2, in particular Windows XP SP2 and earlier.

To create SHA2-compliant certificate requests with openssl, you need to add the -sha256 option. For example:

    openssl req -out mydomain.csr -key mydomain.key -new -sha256

Some old versions of openssl may not support this option.

A good overview of which operating systems do or do not support SHA256 can be found here: https://support.globalsign.com/customer/portal/articles/1499561-sha-256-compatibility

Here is a quick table to summarize when SHA1 based certificates are no longer going to work:

Vendor / certificate or signature type          Deadline                     Notes

Microsoft
  Server Authentication (e.g. https)            1/1/2017
  Code Signing                                  1/1/2016                     This is your first deadline. It will not affect web browsers, but make sure software you distribute is signed using SHA2.
  Timestamping Certificates                     1/1/2017                     SHA1 certificates may not be issued after 1/1/2016
  S/MIME Certificates                           N/A                          Recommended to no longer issue SHA1 certificates
  OCSP/CRL Signing Certificates                 N/A                          SHA2 recommended, but no policy enforced
  OCSP Responses                                1/1/2017                     If the certificate is SHA2, then the OCSP signature has to be SHA2 after 1/1/2016
  CRL Signatures                                N/A                          No specific policy enforced
  Code Signature File Hashes                    N/A                          No specific policy enforced
  Timestamp Signature Hashes                    1/1/2017 (some 1/1/2016)

Mozilla
  TLS Server Certificates                       Not valid after 1/1/2017     Not issued after 1/1/2016; existing certificates will be fine unless they expire after 1/1/2017

Google Chrome
  TLS Server Certificates                       1/1/2017                     "Secure, but with minor errors" if valid until 12/31/2016; "affirmatively insecure" if valid beyond 1/1/2017

I was not able to find any announcement from Apple regarding OS X or iOS and how it will deal with SHA1 in the future.

If you are concerned about whether a web server still uses a SHA1-based certificate, then please check ssllabs.com or http://sha1affected.com.
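For an offline check of a certificate you already have, here is an added example (not code from the ISC diary) that reads the signatureAlgorithm OID straight out of a DER-encoded X.509 certificate without any third-party library and applies the Chrome/Mozilla cutoff from the table above; the sample certificate it builds is a constructed skeleton with a real AlgorithmIdentifier, not a real, verifiable certificate.

```python
import datetime

SIG_ALG_OIDS = {  # real signatureAlgorithm OIDs; the hash name is what matters here
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def read_tlv(buf, pos):
    """Decode one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body):
    """OID content octets to dotted form (first octet packs two arcs, base-128 after)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, pos, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, pos)           # skip the whole tbsCertificate
    _, alg_pos, _ = read_tlv(der, tbs_end)       # AlgorithmIdentifier SEQUENCE
    tag, start, end = read_tlv(der, alg_pos)     # its first element is the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(der[start:end])
    return SIG_ALG_OIDS.get(oid, oid)

def browser_verdict(alg_name, not_after_iso):
    """Chrome/Mozilla rule from the table: SHA1 is tolerated (with a warning) only if expiry <= 12/31/2016."""
    if "sha1" not in alg_name.lower():
        return "ok"
    not_after = datetime.date.fromisoformat(not_after_iso)
    return "warning" if not_after < datetime.date(2017, 1, 1) else "insecure"

def sample_cert(oid_body):
    """Constructed skeleton (dummy tbsCertificate/signatureValue, short-form lengths only)."""
    der = lambda tag, body: bytes([tag, len(body)]) + body
    alg = der(0x30, der(0x06, oid_body) + b"\x05\x00")            # OID + NULL parameters
    return der(0x30, der(0x30, der(0x02, b"\x01")) + alg + der(0x03, b"\x00" * 9))

# Real OID content octets for sha1WithRSAEncryption and sha256WithRSAEncryption.
SHA1_RSA, SHA256_RSA = bytes.fromhex("2a864886f70d010105"), bytes.fromhex("2a864886f70d01010b")
```

For a real certificate, feed signature_algorithm() the bytes produced by openssl x509 -in cert.pem -outform DER, and pass the notAfter date to browser_verdict().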

And what about SHA3? It got ratified recently, and should start showing up in standard libraries soon. But at this point, there is no timetable to phase out SHA2.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 
[SE-2014-02] Errata document for Issue 42 (CVE-2015-4871 affecting Java SE 7)
 
LSE Leading Security Experts GmbH - LSE-2015-10-14 - HumHub SQL-Injection
 

Posted by InfoSec News on Nov 30

http://www.theguardian.com/news/2015/nov/27/hsbc-whistleblower-jailed-five-years-herve-falciani

By Juliette Garside
The Guardian
27 November 2015

The whistleblower who exposed wrongdoing at HSBC’s Swiss private bank has
been sentenced to five years in prison by a Swiss court.

Hervé Falciani, a former IT worker, was convicted in his absence for the
biggest leak in banking history. He is currently living in France, where
he sought refuge...
 

Posted by InfoSec News on Nov 30

http://www.reuters.com/article/2015/11/27/us-cymmetria-hire-idUSKBN0TG28W20151127

By Jim Finkle
Reuters.com
Nov 27, 2015

Computer security startup Cymmetria has hired a well-known retired U.S.
government computer-forensics expert, Jim Christy, as vice president of
investigations and digital forensics.

Christy started this week at the provider of technology that targets the
psychology of attackers, tricking them into revealing themselves...
 

Posted by InfoSec News on Nov 30

http://abcnews.go.com/International/fathers-rights-protesters-scale-roof-buckingham-palace-grounds/story?id=35477272

By CAROLYN DURAND
ABC News
Nov 29, 2015

Two men involved in a fathers' rights group scaled a roof of a building on
the Buckingham Palace grounds, remaining there for a few hours before
climbing down and surrendering to police.

The men climbed onto the roof of the Queens Gallery, a public art gallery
on the Buckingham...
 
Proftpd 1.3.5a LATEST 0day Follow-up report (Part 2), Patch released!! 29/11/2015 --- Advanced Information Security Corporation
 
Proftpd 1.3.5a LATEST (0-day) Follow-up report (Part 2), Patch released!! 29/11/2015 --- Advanced Information Security Corporation
 
Belkin N150 Wireless Home Router Multiple Vulnerabilities
 

Posted by InfoSec News on Nov 30

http://www.nextgov.com/cybersecurity/2015/11/secret-dhs-audit-could-prove-governmentwide-network-surveillance-isnt-really-governmentwide/124018/

By Aliya Sternstein
Nextgov.com
November 25, 2015

A secret federal audit substantiates a Senate committee's concerns about
underuse of a governmentwide cyberthreat surveillance tool, the panel's
chairman says.

The intrusion-prevention system, named EINSTEIN 3 Accelerated, garnered
both...
 

Posted by InfoSec News on Nov 30

http://www.scmp.com/news/china/diplomacy-defence/article/1885101/chinese-public-security-chief-heads-us-talks-cybercrime

By Jun Mai
scmp.com
30 November 2015

The first high-level dialogue between the United States and China on
cybercrime is under way this week to flesh out a deal reached in September
by the presidents of the two countries.

State media reported on Sunday that Minister of Public Security Guo
Shengkun would be in the US until...
 

The Register

Connected smart cars are easily trackable, warns infosec bod
Black Hat Europe Upcoming connected cars that communicate with other vehicles or roadside systems might easily be tracked even by snoopers with limited resources unless the technology is tweaked, an expert in automated and connected vehicle ...
 

Posted by InfoSec News on Nov 30

http://www.theregister.co.uk/2015/11/29/hello_barbie_controversy_reignited_with_insecurity_claims/

By Richard Chirgwin
The Register
29 Nov 2015

Back in February, The Register queried the security and privacy
implications of Mattel's “Hello Barbie”, and now the doll has hit the
shelves, a prominent security researcher has turned up the first security
problems with the toy.

After an initial flurry of concern, the issue went quiet,...
 

Posted by InfoSec News on Nov 30

https://www.rt.com/news/323641-modpos-complex-cash-malware/

RT.com
27 Nov, 2015

Security experts have exposed a cash register malware of previously unseen
complexity and secretiveness. It is unknown who created the virus and
profited from it, but it has been stealing personal data for years,
affecting millions of people.

Malware, or ‘malicious software’, is software that is used to disrupt
computer systems or gather secret or sensitive...
 
 