Hackin9

LAS VEGAS—If you have an account on Github, StackExchange, or any one of countless other sites, there's a good chance hackers can identify the e-mail address you used to register it. That's because Gravatar, a behind-the-scenes service that says it works with millions of sites, broadcasts the information using cryptography that in many cases is trivial to crack.

People have been warning about the privacy risk posed by Gravatar, short for Globally recognized avatar, since at least 2009. That's when a blogger showed he was able to crack the cryptographic hashes that the service uses to uniquely identify its users. Gravatar, it turned out, derived the hashes with the user's e-mail address, and the blogger was able to translate about 10 percent of the more than 80,000 user IDs he harvested. Now, a researcher has upped the ante by using a more advanced cracking technique to de-anonymize participants advocating racial hatred and other extreme topics in online forums hosted in France.

Speaking at the PasswordsCon conference in Las Vegas Wednesday, security researcher Dominique Bongard said he identified 45 percent of the e-mail addresses used to post comments in France's most well-known political forum, which he declined to mention by name. His job was made easier by Gravatar's use of the MD5 hash function, which is designed to generate hashes quickly and with a minimum of computing resources. Had Gravatar used bcrypt or another "slow" algorithm, his task would have taken considerably longer. In a country such as France, where there can be severe legal penalties for voicing extreme opinions, extracting the e-mail addresses isn't without its consequences.

 
The Mactans charger uses a BeagleBoard for its computational power.
Billy Lau, Yeongjin Jang, and Chengyu Song

Plugging your phone into a charger should be pretty safe to do. It should fill your phone with electricity, not malware. But researchers from Georgia Institute of Technology have produced fake chargers they've named Mactans that do more than just charge your phone: they install custom, malicious applications onto iPhones.

Their bogus chargers—which do, incidentally, charge the phone—contain small computers instead of mere transformers. The iPhone treats these computers just as it does any other computer, but instead of just charging, it responds to USB commands. It turns out that the iPhone is very trusting of USB-attached computers; as long as the iPhone is unlocked (if only for a split second) while attached to a USB host, then the host has considerable control over the iPhone.

The researchers used their USB host to install an app package onto any iPhone that gets plugged in. iOS guards against installation of arbitrary applications with a strict sandboxing system, a feature that has led to the widespread practice of jailbreaking. This attack doesn't need to jailbreak, however.

 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Members of Judiciary Committee express concern over broad-ranging, secretive authorities under Foreign Intelligence Surveillance Act, push for bill to strengthen oversight, transparency.
 
RETIRED: Google Chrome Prior to 28.0.1500.95 Multiple Security Vulnerabilities
 

General Alexander heckled during Black Hat keynote address (CSO Magazine)
For those sitting near CSO that were willing to talk, the heckling marked a low point in Black Hat's history, but it serves to show just how passionate InfoSec people are at times, and how much of a pressure point the NSA's actions have become. The ...
Heckling and applause for NSA Director at Black Hat infosec conference (Legal Insurrection blog)
In pictures: #BlackHat 2013 (SC Magazine Australia)
 

We got a couple of readers reporting false positive issues with McAfee's GTI and Artemis products. According to a knowledgebase article on McAfee's site, it appears that the file reputation system is producing bad results due to a server issue [1].

From our readers:

I've seen an explosion of detections under Artemis on files I wouldn't expect. One machine is trying to delete the autorun on a U3 USB drive's emulated CD. Community.McAfee.com slowed down and went offline. I've been on hold far longer than I'd expect for support. (Michael)
------------
McAfee VirusScan is eating files again. This time it’s their GTI servers. I managed to shut off heuristics via EPO before it got out of hand. Minor OS and app damage. (John)
------------
Artemis is a file reputation checking service from McAfee included in its Virus Scan Enterprise. Today it went on the fritz for my organization around 1600 EST. It was deleting random files such as our Cisco IP Communicator and all kinds of temp files etc. McAfee sent us a notification and will be sending more info out on its SNS mailing list. Advise all turn off Artemis features for home and business users and in the meantime they shut the cloud servers down. (Travis)


[1] https://kc.mcafee.com/corporate/index?page=content&id=KB78993

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
NSA Director General Keith Alexander.

LAS VEGAS—At the Black Hat security conference today, National Security Agency (NSA) Director Keith Alexander defended the NSA's data collection programs and described at a high level what data is collected and how it's used.

His presentation covered two programs, both revealed by Edward Snowden: telephone metadata collection and a program of collecting from the computer industry data relating to foreign nationals, of which PRISM is a component. According to Alexander, the phone metadata collection, authorized under FISA section 215, was both limited and tightly controlled. The NSA collects only the time and date of a call, the phone numbers involved in a call, the duration of a call, and the service provider that captured the information. Notably, he said that names, address information, and location information were not captured. Nor was any conversation data collected, such as the contents of voice calls or text messages.

While this data was collected, Alexander said that access to the information was tightly restricted. Free-for-all queries weren't permitted. Instead, numbers had to be individually approved by one of 22 people at the NSA, and only 35 analysts within the agency were authorized to run queries on those numbers. In 2012, he said that fewer than 300 numbers were added to the list.

 

General Alexander heckled during Black Hat keynote address (CSO)
For those sitting near CSO that were willing to talk, the heckling marked a low point in Black Hat's history, but it serves to show just how passionate InfoSec people are at times, and how much of a pressure point the NSA's actions have become. The ...
Sabras don their 'black hats' for cyber-warfare (The Times of Israel)
 
The average person could save big money with a 3D printer by printing just 20 products a year instead of buying them at a store, according to a Michigan Tech University study.
 
Congress will begin its summer break this week without any plan for high-skill immigration. Here's what to watch for when lawmakers return in September.
 

Sabras don their 'black hats' for cyber-warfare (The Times of Israel)
“The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world — from the corporate and government sectors to academic and even underground ...
 
Facebook shares hit a high of $38.31 today shortly after the markets opened, but then quickly slid. It was the first time in over a year the stock was about $38.
 
IBM is the subject of a probe by the U.S. Securities and Exchange Commission into how it reports revenue related to its cloud computing business, the vendor revealed Wednesday.
 
Isis will roll out its mobile wallet application nationwide later this year following successful pilots that launched last fall in Austin, Texas, and Salt Lake City, Utah.
 
Microsoft today released a stripped-down version of Office for Android smartphones, continuing its strategy of tying its mobile suite to the Office 365 rent-not-buy subscription plans.
 
A proposed change to U.S. law that would allow state attorneys general to hold websites liable for content posted by users is a "dangerous path," a group of tech trade groups and legal scholars said Wednesday.
 
RSA is warning that a new banking Trojan, 'KINS,' with architectural similarities to previous Trojans, may start hitting PCs soon.
 
In biggest security acquisition since 2011, Cisco has announced it will buy IDS maker Sourcefire for $2.7 billion.
 
Turkish researcher Ibrahim Balic says he found multiple vulnerabilities at Apple's developer website, but did not intend to bring the site down.
 
Jerome Segura of Malwarebytes explains how to get around 'FBI ransomware' computer locking.
 
A study by Bit9 explains just how bad the Java problem really is: The most popular version has 96 severe vulnerabilities.
 
Despite DefCon founder's blog telling Feds to stay home, Black Hat says they're 'welcome' at the show.
 
Advanced persistent threats are on the rise, according to a report by FortiGuard Labs.
 
Video: Kevin Beaver uses real-life experiences with data loss prevention tools to help you with your technology choices, rollout and management.
 
Aveksa acquisition should help RSA compete in burgeoning identity management market.
 
July's Patch Tuesday found Microsoft rolling out seven patches, six of which are rated as critical.
 
Damballa executives say partnerships among security point product vendors are increasingly important, and will ultimately benefit enterprises.
 
Seattle-based application security company IOActive has uncovered significant vulnerabilities in Digital Alert Systems' DASDEC.
 
A Gartner analyst says enterprise BYOD -- specifically iOS and Android devices -- presents many pros and cons for enterprise endpoint security.
 

I’m fairly sure that the folks at Uniqul are serious–they’ve recently announced a product that uses facial recognition to extract your payments when you buy things. You scan your purchases, it scans your face, and then you or somebody whose face is similar to yours pays for your stuff.

From their PR pitch:

Long gone are the days of having to scour the bottom of your wallet for that missing nickel, having to pick out the applicable bonus and payment card or logging in on mobile phone wallets. Payment is handled simultaneously as your wares are scanned – which means that you will be saving that ca. 30 second payment time every time you pay with Uniqul! In other words the transaction becomes almost instant – all that is required is that you press an OK button on our Point-of-Sale tablet! Face recognition is handled automatically by our algorithms to ensure a high level of security and fast recognition.

I’ll concede, it would be pretty cool not to have to bother with things like mobile phone wallets (as if I had one). It would be cool to save the 30 seconds per transaction. But it would not be cool to have to make the awkward expressions people make when using the product, as shown in their promo video.

 

 

 
Feds indict, unmask hackers behind largest known data breach conspiracy targeting worldwide financial institutes, payment processors and retailers.
 
Starbucks has teamed up with Google to offer faster Wi-Fi in U.S. stores and plans to expand its mobile wireless charging to its shops in San Francisco.
 
A skeptical but mostly respectful crowd of Black Hat security attendees Wednesday listened intently as National Security Agency Director Keith Alexander defended controversial U.S. surveillance programs in a keynote address.
 
Several U.S. senators will push for changes in the way the National Security Agency collects the telephone records of millions of U.S. residents, with lawmakers saying they will focus on making the NSA program more transparent to the public.
 
With the Moto X smartphone launching tomorrow and the LG G2 arriving in another week, the pace of smartphone releases has reached a fever pitch. But the pace of big innovations seems to be slowing.
 
Oracle is preparing to roll out the latest member of its family of "engineered systems" that combine software and hardware, with the upcoming product focused on virtualization.
 
After a month delay and a price drop, Nvidia has started shipping the $299 Shield handheld gaming console via its website and online retail stores.
 
Google, looking to expand its Google Glass Explorer program, is asking testers of the technology to invite a friend to buy into using a prototype of the wearable computer.
 

Our reader Pete submitted an interesting set of log entries from his POP3 server:

LOGIN FAILED, user=PlcmSpIp, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=ts, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=bsoft, ip=[::ffff:117.102.119.146]

rt is that the attacker used usernames that are usually associated with Polycom SIP PBXs. I don't have a Polycom server handy, but if anybody has: Do they usually include a POP3 server? Or do they require POP3 accounts for these credentials?

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
 
Dell's board has struck down new shareholder voting guidelines for a buyout proposed by company founder Michael Dell and his associates, Silver Lake Partners, which are in a fight with investor Carl Icahn to take the PC maker private.
 
European researchers using the European Union-funded GEANT network will, from Wednesday, be able to access capacity of up to 2 terabits per second.
 
LinuxSecurity.com: The system could be made to crash or run programs as an administrator.
 
LinuxSecurity.com: An updated haproxy package that fixes one security issue is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: An updated sos package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low [More...]
 
LinuxSecurity.com: Updated 389-ds-base packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: Updated wireshark package fixes security vulnerabilities: The Bluetooth SDP dissector could go into a large loop (CVE-2013-4927). The DIS dissector could go into a large loop (CVE-2013-4929). [More...]
 
LinuxSecurity.com: Multiple vulnerabilities have been discovered and corrected in phpmyadmin: * XSS due to unescaped HTML output when executing a SQL query (CVE-2013-4995). [More...]
 
LinuxSecurity.com: Updated bind97 packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
 
Data management is inherently tricky, but when it involves robots in space, communicating via a low-bandwidth intermittent link, it's trickier. NASA is leveraging Data Distribution Service for Real-Time Systems to help it solve that problem as part of its Human Exploration Telerobotics project.
 
Of the top-selling smartphones in the U.S. in the past year, customers rated two Samsung smartphones higher than the last three Apple iPhone models.
 
Apple's new low-cost iPhone may be called the iPhone 5C, a name that didn't strike analysts as 'C' for 'Comforting.'
 
Moodle CVE-2013-2243 Information Disclosure Vulnerability
 
ASUS RT-AC66U CVE-2013-4659 Multiple Buffer Overflow Vulnerabilities
 
Ruby Phusion Passenger Gem 'Utils.cpp' Insecure Temporary File Creation Vulnerability
 
NEC will introduce no new smartphones, and will make current models only to order, as it struggles to find the economies of scale required to compete in the market.
 
When you're a programmer who also needs word processing abilities, nothing beats a solid text editor. We look at the current versions of five of the best known.
 
China's popular Xiaomi smartphone company is diving into the country's low-end handset market with a new product, taking note of the rumors that Apple is preparing its own budget iPhone.
 
Ride-sharing service warns its drivers to steer clear of San Francisco International Airport after officials there started issuing citations to drivers for picking up and dropping off passengers.
 
Warrants are not required by the U.S. government to access historical cell site information, an appeals court ruled in an order.
 
Sprint says it will have live LTE sites using former Clearwire spectrum across the U.S. next year and expects all its new mobile devices in 2014 to be equipped for those frequencies -- though not necessarily iPhones.
 
Eight months after the launch of Microsoft's Surface line, the company has yet to turn a profit on its first foray into tablet manufacturing and sales, according to a Tuesday regulatory filing.
 
TP-Link TL-SC3171 IP Cameras CVE-2013-2578 Multiple Remote Command Injection Vulnerabilities
 
Oracle Hyperion CVE-2013-3803 Directory Traversal Vulnerability
 