Security News

Yahoo secretly scanned customer emails for U.S. intelligence

Exclusive: Yahoo secretly scanned customer emails for U.S. intelligence: Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.

9% of all https hosts and 6% of all ssh hosts on the web use hardcoded private keys embedded in firmware

9% of all https hosts and 6% of all ssh hosts on the web use hardcoded private keys embedded in firmware: In the course of an internal research project SEC Consult labs have analyzed the firmware images of more than 4000 embedded devices of over 70 vendors. The devices they have looked at include Internet gateways, routers, modems, IP cameras, VoIP phones, etc. They have specifically analyzed cryptographic keys (public keys, private keys, certificates) in firmware images.

https://www.sec-consult.com/download/certificates.html

https://www.sec-consult.com/download/ssh_host_keys.html

The most common use of these static keys is:

  • SSH host keys (keys required for operating an SSH server)
  • X.509 certificates used for HTTPS (default server certificate for web-based management)

As we may read on the SEC Consult blog: In total we have found more than 580 unique private keys distributed over all the analysed devices. Correlation via the modulus allows us to find matching certificates.

We have correlated our data with data from Internet-wide scans (Scans.io and Censys.io) and found that our data set (580 unique keys) contains:

  • the private keys for more than 9% of all HTTPS hosts on the web (~150 server certificates, used by 3.2 million hosts)
  • the private keys for more than 6% of all SSH hosts on the web (~80 SSH host keys used by 0.9 million hosts)

So in total at least 230 out of 580 keys are actively used. Other research has pointed out the extent of this problem (Heninger, Nadia, et al. “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices”; Durumeric, Zakir, et al. “Analysis of the HTTPS certificate ecosystem”). However, using our approach, an attribution at a vendor/product level is now possible. Plus, the private keys have now been obtained.
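The correlation step SEC Consult describes (matching keys recovered from firmware against Internet-wide scan data via the RSA modulus) can be reproduced with nothing but the modulus: the same key shows up as a DER-encoded RSAPublicKey behind an HTTPS certificate and as an ssh-rsa blob in an SSH host key, so reducing both to the modulus integer lets a defender count how many hosts share a vendor's baked-in key. The following is an added example, not SEC Consult's tooling or dataset; the vendor names, IP addresses and "moduli" are constructed stand-ins (the moduli are not real RSA keys, since only the integer value matters for matching), and the encoders exist only to build sample input inline.

```python
"""Constructed demonstration of modulus-based key correlation (added example,
not SEC Consult's tooling or data).  Keys from firmware images and keys seen in
an Internet-wide scan are reduced to their RSA modulus, so the same key can be
matched whether it arrives as a DER RSAPublicKey (HTTPS) or an ssh-rsa line."""
import base64
import hashlib
import struct
from collections import defaultdict

# ---- minimal DER (PKCS#1 RSAPublicKey) encode/decode ------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _int_bytes(value):
    # Positive INTEGER / mpint: prepend 0x00 when the high bit is set.
    return value.to_bytes((value.bit_length() + 8) // 8, "big")

def der_rsa_public_key(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body = b"".join(b"\x02" + _der_len(len(_int_bytes(v))) + _int_bytes(v) for v in (n, e))
    return b"\x30" + _der_len(len(body)) + body

def _der_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: following bytes hold the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def modulus_from_der(der):
    tag, seq, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_bytes, _ = _der_read(seq, 0)    # first INTEGER is the modulus
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big")

# ---- SSH wire format (RFC 4253 string / mpint) ------------------------------
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def ssh_rsa_public_key(n, e):
    """known_hosts style line: 'ssh-rsa <base64(string "ssh-rsa", mpint e, mpint n)>'"""
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_int_bytes(e)) + _ssh_string(_int_bytes(n))
    return "ssh-rsa " + base64.b64encode(blob).decode()

def modulus_from_ssh(line):
    blob, pos, fields = base64.b64decode(line.split()[1]), 0, []
    for _ in range(3):                     # key type, exponent, modulus
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[2], "big")

# ---- correlation ------------------------------------------------------------
def modulus_fingerprint(n):
    """Short SHA-256 of the modulus bytes; the same key gives the same value in any encoding."""
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()[:16]

def correlate(firmware_keys, scan_records):
    """firmware_keys: {fingerprint: (vendor, product)}; scan_records: (host, service, modulus).
    Returns {fingerprint: [(host, service), ...]} for every scanned host using a firmware key."""
    hits = defaultdict(list)
    for host, service, n in scan_records:
        fp = modulus_fingerprint(n)
        if fp in firmware_keys:
            hits[fp].append((host, service))
    return hits

# ---- constructed sample data (hypothetical vendors, documentation-range IPs) --
def _fake_modulus(label):
    """Constructed 2048-bit stand-in for a modulus; not a real RSA key."""
    return int.from_bytes(hashlib.sha256(label.encode()).digest() * 8, "big") | (1 << 2047) | 1

E = 65537
N_ROUTER = _fake_modulus("vendor-a-router-fw-1.2")
N_CAMERA = _fake_modulus("vendor-b-camera-fw-4.0")
N_UNIQUE = _fake_modulus("per-device generated key")
FIRMWARE_KEYS = {modulus_fingerprint(N_ROUTER): ("Vendor A", "Home Router"),
                 modulus_fingerprint(N_CAMERA): ("Vendor B", "IP Camera")}
SCAN_HTTPS = {"198.51.100.10": der_rsa_public_key(N_ROUTER, E),
              "198.51.100.11": der_rsa_public_key(N_ROUTER, E),
              "198.51.100.12": der_rsa_public_key(N_UNIQUE, E)}
SCAN_SSH = {"203.0.113.5": ssh_rsa_public_key(N_CAMERA, E),
            "203.0.113.6": ssh_rsa_public_key(N_ROUTER, E)}      # HTTPS key reused for SSH

def run_correlation():
    records = [(h, "https", modulus_from_der(d)) for h, d in SCAN_HTTPS.items()]
    records += [(h, "ssh", modulus_from_ssh(l)) for h, l in SCAN_SSH.items()]
    return correlate(FIRMWARE_KEYS, records)

if __name__ == "__main__":
    for fp, hosts in run_correlation().items():
        print(FIRMWARE_KEYS[fp], fp, len(hosts), "hosts:", hosts)
```

The host with its own per-device key never appears in the output, while the router key is attributed to three hosts across two services; in an inventory check, any fingerprint from your own firmware that matches hosts outside your estate is a key that must be regenerated on first boot rather than shipped in the image.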

Google’s VirusTotal Now Offers Apple Malware Scanning Sandbox

Google’s VirusTotal Now Offers Apple Malware Scanning Sandbox: Apple has seen more malware incidents this year than many previous years put together. It was only a matter of time before the leading online virus scanner, VirusTotal, opened its doors for Mac users to check for malware among their files.

Google’s VirusTotal is now offering support for malware detection in OS X files, including Mach-O executables and DMG or ZIP files that contain Mac OS X apps.

The free online virus scanner is a favorite among end-users as well as white hats and malware authors, who predictably use the scanner to see if their malware evades detection. The online virus tool routinely scans over a million files every day, a quick look at their most recent statistics reveals.

The service implements a sandbox to check programs for malware through various virus definition engines. Despite the new service, it is possible that seasoned black hats will code their malware with evasive capabilities that often slip away unscathed from basic sandbox environments. The very notion of a sandbox may lead capable malware to lie dormant for lack of a trigger, biding its time, or to shut off its malicious capabilities entirely to throw security researchers off its scent.

Paris Terrorists Used Double ROT-13 Encryption

Paris Terrorists Used Double ROT-13: The reports note that Abdelhamid Abaaoud, the “mastermind” of both the Paris attacks and a thwarted Belgium attack ten months ago, failed to use encryption whatsoever (read: existing capabilities stopped the Belgium attacks and could have stopped the Paris attacks, but didn’t). That’s of course not to say batshit religious cults like ISIS don’t use encryption, and won’t do so going forward. Everybody uses encryption. But the point remains that to use a tragedy to vilify encryption, push for surveillance expansion, and pass backdoor laws that will make everybody less safe — is nearly as gruesome as the attacks themselves.

Hacker Scripts (Fun for geeks)

NARKOZ/hacker: xxx: OK, so, our build engineer has left for another company. The dude was literally living inside the terminal. You know, that type of a guy who loves Vim, creates diagrams in Dot and writes wiki-posts in Markdown… If something – anything – requires more than 90 seconds of his time, he writes a script to automate that.

xxx: So we’re sitting here, looking through his, uhm, “legacy”

xxx: You’re gonna love this

xxx: smack-my-bitch-up.sh – sends a text message “late at work” to his wife (apparently). Automatically picks reasons from an array of strings, randomly. Runs inside a cron-job. The job fires if there are active SSH-sessions on the server after 9pm with his login.

xxx: kumar-asshole.sh – scans the inbox for emails from “Kumar” (a DBA at our clients). Looks for keywords like “help”, “trouble”, “sorry” etc. If keywords are found – the script SSHes into the client’s server and rolls back the staging database to the latest backup. Then sends a reply “no worries mate, be careful next time”.

xxx: hangover.sh – another cron-job that is set to specific dates. Sends automated emails like “not feeling well/gonna work from home” etc. Adds a random “reason” from another predefined array of strings. Fires if there are no interactive sessions on the server at 8:45am.

xxx: (and the oscar goes to) fucking-coffee.sh – this one waits exactly 17 seconds (!), then opens an SSH session to our coffee-machine (we had no frikin idea the coffee machine is on the network, runs linux and has SSHD up and running) and sends some weird gibberish to it. Looks binary. Turns out this thing starts brewing a mid-sized half-caf latte and waits another 24 (!) seconds before pouring it into a cup. The timing is exactly how long it takes to walk to the machine from the dude’s desk.

xxx: holy sh*t I’m keeping those

PHP static code analysis vs ~1000 top wordpress plugins = 103 vulnerable plugins found

PHP static code analysis vs ~1000 top wordpress plugins = 103 vulnerable plugins found: I’ve been making a PHP static code analysis tool for a while, and a few months ago I ran it against ~1000 (more or less) top wordpress plugins.

Scanning results were manually verified in my spare time and delivered to the official plugins@wordpress.org from 04.07.2015 to 31.08.2015. Most of the reported plugins are already patched, some are not. Vulnerable and unpatched plugins have already been removed from the official wordpress plugin repository.

103 plugins are vulnerable, with more than 4.000.000 active installations in total (~30.000.000 downloads).

Anonymous announced #OpParis against the ISIS in response to the Paris attacks (Security Affairs)

Anonymous announced #OpParis against the ISIS in response to the Paris attacks (Security Affairs): Last Friday was a sad day for humanity; 129 innocent people were killed in the Paris attacks carried out by members of the ISIS. Every event has consequences in cyber space and vice-versa, and the popular collective has launched a new operation against the ISIS. After the earlier #OpISIS, the popular collective Anonymous has now launched #OpParis.

Cryptolocker/Cryptowall Ransomware Kit Sold for $3,000

Cryptolocker/Cryptowall Ransomware Kit Sold for $3,000: The Cryptolocker/Cryptowall 3.1 ransomware kit is being sold for $3,000 worth of bitcoins, according to a Pastebin post, which claims to even offer the source code along with the manual and free support.

For those interested in purchasing only a couple of binaries, the malware developers offer a bundle of 8 per customer for $400. However, the developer also seems open to an affiliate program in which both you – the customer – and the developer split the revenue 50/50.

“This is your chance to become a partner and join or buy build individual to you and use and to generate income and to convert and monetization,” reads the post. “If you are interested then contact i need a partnership and also i selling build to you.”

Need for cyber-insurance heats up, but the market remains immature

Need for cyber-insurance heats up, but the market remains immature: According to a survey conducted by Veracode and NYSE, 91 percent of 276 companies said they’d purchased cyber-insurance covering business interruption and data restoration, with 54 percent indicating they had also purchased coverage for expense reimbursement in the case of PCI fines, breach remediation and extortion, for example. Some 52 percent of companies are purchasing coverage in the event of data stolen by employees. And 35 percent are seeking coverage against loss of sensitive data caused by software coding and human errors.

While the need for the insurance may be clear, obtaining coverage can be a frustrating experience. It certainly was for Wiora, who is close to picking a new cyber-insurance policy after several months of shopping. He was surprised by the lack of due diligence some insurers exhibit as they evaluate prospective customers for coverage. Cyber insurers typically require potential clients to complete lengthy questionnaires, often ranging from 150 to 300 questions, designed to determine whether they use encryption, as well as how their firewalls and password authentication are set up.
