Malicious online ads expose millions to possible hack

December 7, 2016 – 5:46 AM

Since October, millions of internet users have been exposed to malicious code served from the pixels in tainted banner ads meant to install Trojans and spyware, according to security firm ESET.

The attack campaign, called Stegano, has been spreading from malicious ads in a “number of reputable news websites,” ESET said in a Tuesday blog post. It’s been preying on Internet Explorer users by scanning for vulnerabilities in Adobe Flash and then exploiting them.

The attack is designed to infect victims with malware that can steal email password credentials through its keylogging and screenshot grabbing features, among others.

The attack is also hard to detect. To infect their victims, the hackers were essentially poisoning the pixels used in the tainted banner ads, ESET said in a separate post.

The hackers concealed their malicious code in the parameters controlling the pixels’ transparency (the alpha channel) in the banner ad. This allowed their attack to go unnoticed by the legitimate advertising networks.

Victims will typically see a banner ad for a product called “Browser Defense” or “Broxu.” In reality, the ad is also designed to run JavaScript that secretly opens a new browser window to a malicious website, which exploits vulnerabilities in Flash to carry out the rest of the attack.

Source:
http://www.computerworld.com.au/article/611235/malicious-online-ads-expose-millions-possible-hack/?
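As an added example (not from the article or from ESET’s analysis), here is a heuristic triage check for a banner whose alpha channel has been nudged to carry data: a plain opaque banner has a single alpha value, an anti-aliased or faded banner spans a wide range, while a carrier image jitters within a narrow band just below full opacity. The pixel lists and thresholds are constructed assumptions; decoding the PNG itself is left to an image library.

```python
# Added example, not code from the article or ESET: heuristic check for an RGBA
# banner whose alpha channel carries hidden data. Input is a flat list of
# (r, g, b, a) tuples; the samples below are constructed, not real ad creatives.
from collections import Counter

NEAR_OPAQUE = range(240, 255)   # alpha values just below full opacity (255)


def alpha_profile(pixels):
    """Summarise the alpha channel: distinct values, fraction just below opaque,
    and the spread between the lowest and highest alpha seen."""
    alphas = [p[3] for p in pixels]
    if not alphas:
        raise ValueError("empty image")
    distinct = len(Counter(alphas))
    near_frac = sum(1 for a in alphas if a in NEAR_OPAQUE) / len(alphas)
    spread = max(alphas) - min(alphas)
    return distinct, near_frac, spread


def looks_like_alpha_stego(pixels, min_distinct=8, min_near_frac=0.2, max_spread=32):
    """Flag an image whose alpha is neither flat (ordinary opaque banner) nor a
    wide gradient (anti-aliasing, fades) but varies within a narrow band under
    255: invisible to a viewer, yet enough bits per pixel to carry a payload.
    Thresholds are assumptions to tune on your own creatives."""
    distinct, near_frac, spread = alpha_profile(pixels)
    return distinct >= min_distinct and near_frac >= min_near_frac and spread <= max_spread


# --- constructed samples ---
def sample_opaque(n=200):
    return [(200, 30, 30, 255) for _ in range(n)]            # fully opaque banner


def sample_gradient(n=256):
    return [(200, 30, 30, i) for i in range(n)]              # smooth fade 0..255


def sample_tainted(n=200):
    # alpha pushed 1..15 below opaque per pixel: a deviation nobody can see
    return [(200, 30, 30, 255 - (i * 7 % 15 + 1)) for i in range(n)]


if __name__ == "__main__":
    samples = [("opaque", sample_opaque()), ("gradient", sample_gradient()),
               ("tainted", sample_tainted())]
    for name, img in samples:
        verdict = "FLAG" if looks_like_alpha_stego(img) else "ok"
        print(name, alpha_profile(img), verdict)
```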

Mozilla and Tor release urgent update for Firefox 0-day under active attack

November 30, 2016 – 9:15 PM

Developers with both Mozilla and Tor have published browser updates that patch a critical Firefox vulnerability being actively exploited to deanonymize people using the privacy service.

“The security flaw responsible for this urgent release is already actively exploited on Windows systems,” a Tor official wrote in an advisory published Wednesday afternoon. “Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately.”

The Tor browser is based on the open-source Firefox browser developed by the Mozilla Foundation. Shortly after this post went live, Mozilla security official Daniel Veditz published a blog post saying that the vulnerability has also been fixed in a just-released version of Firefox for mainstream users. Early on Wednesday, Veditz said, his team received a copy of the attack code, which exploited a previously unknown vulnerability in Firefox.

The attack executed code when targets loaded malicious JavaScript and code based on Scalable Vector Graphics (SVG) animation. The exploit used that capability to send the target’s IP and MAC address to an attacker-controlled server. The code generally resembles the so-called network investigative techniques used by law-enforcement agencies, and specifically one the FBI used in 2013 to identify Tor-protected users who were trading child pornography.

Source:
http://arstechnica.com/security/2016/11/tor-releases-urgent-update-for-firefox-0day-thats-under-active-attack/

Major Linux security hole gapes open

November 16, 2016 – 5:51 AM

Sometimes Linux users can be smug about their system’s security. And sometimes a major hole that’s been hiding in Linux since about version 2.6 opens up and in you fall.

The security hole this time is in how almost all Linux distributions implement the Linux Unified Key Setup-on-disk-format (LUKS). LUKS is the standard mechanism for implementing Linux hard disk encryption, and it is usually put into action with Cryptsetup. It is in Cryptsetup’s default configuration that the problem lies, and it is a nasty one. Known Linux distributions with this bug include Debian, Ubuntu, Fedora, Red Hat Enterprise Linux (RHEL), and SUSE Linux Enterprise Server (SLES).

As described in the security report, CVE-2016-4484, the hole allows attackers “to obtain a root initramfs [initial RAM file system] shell on affected systems. The vulnerability is very reliable because it doesn’t depend on specific systems or configurations. Attackers can copy, modify, or destroy the hard disc as well as set up the network to exfiltrate data. This vulnerability is especially serious in environments like libraries, ATMs, airport machines, labs, etc., where the whole boot process is protected (password in BIOS and GRUB) and we only have a keyboard or/and a mouse.”

Now for the really embarrassing part. Want to know how to activate it? Boot the system and then hold down the enter key. Wait. After about a minute and a half, you’ll find yourself in a BusyBox root shell. You now control the horizontal, you now control the vertical, and whoever owns the system is not going to be happy with you.

Source:
http://www.zdnet.com/article/major-linux-security-hole-gapes-open/
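Added example, not code from the article or from the researchers’ advisory: an audit helper for the workaround that was published alongside CVE-2016-4484, a `panic=N` kernel parameter so that an exhausted initramfs unlock attempt reboots the machine after N seconds instead of leaving a BusyBox shell (that this is the published workaround is stated here as my assumption; the article does not mention it). The sample command lines and GRUB defaults are constructed.

```python
# Added example (not the article's or the advisory's code): audit a host for the
# CVE-2016-4484 workaround, a panic=N kernel parameter that makes an initramfs
# failure reboot after N seconds instead of dropping to a BusyBox shell.
# Sample command lines and GRUB defaults below are constructed.
import re

PANIC_RE = re.compile(r"(?:^|\s)panic=(-?\d+)(?=\s|$)")
GRUB_RE = re.compile(r'^GRUB_CMDLINE_LINUX(?:_DEFAULT)?="?(.*?)"?$')


def panic_seconds(cmdline):
    """Return N from a panic=N kernel parameter, or None if it is absent."""
    m = PANIC_RE.search(cmdline)
    return int(m.group(1)) if m else None


def cmdline_is_hardened(cmdline):
    """True when a panic reboots the box (panic=N with N > 0); panic=0 never reboots."""
    n = panic_seconds(cmdline)
    return n is not None and n > 0


def grub_default_is_hardened(grub_text):
    """Check /etc/default/grub text: does a GRUB_CMDLINE_LINUX* line carry panic=N?"""
    for raw in grub_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = GRUB_RE.match(line)
        if m and cmdline_is_hardened(m.group(1)):
            return True
    return False


def audit(proc_cmdline, grub_text):
    """Findings for the running kernel and for the next boot; an empty list means ok."""
    findings = []
    if not cmdline_is_hardened(proc_cmdline):
        findings.append("running kernel has no panic=N: initramfs failure drops to a shell")
    if not grub_default_is_hardened(grub_text):
        findings.append("/etc/default/grub lacks panic=N: the next boot stays vulnerable")
    return findings


# constructed samples; on a real host read /proc/cmdline and /etc/default/grub
VULN_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/mapper/vg-root ro quiet"
HARD_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/mapper/vg-root ro panic=5 quiet"
VULN_GRUB = 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\nGRUB_CMDLINE_LINUX=""\n'
HARD_GRUB = 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="panic=5 quiet splash"\nGRUB_CMDLINE_LINUX=""\n'

if __name__ == "__main__":
    for name, cmd, grub in [("vulnerable", VULN_CMDLINE, VULN_GRUB), ("hardened", HARD_CMDLINE, HARD_GRUB)]:
        print(name, audit(cmd, grub) or ["ok"])
```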

Web Of Trust (WOT) Browser Add-On Caught Selling Users

November 8, 2016 – 5:44 AM

Browser extensions have become a standard part of the most popular browsers and an essential part of our lives for surfing the Internet.

But not all extensions can be trusted.

One such innocent-looking browser add-on has been caught collecting the browsing history of millions of users and selling it to third parties for money.

An investigation by German television channel NDR (Norddeutscher Rundfunk) has discovered a series of privacy breaches by Web Of Trust (WOT) – one of the top privacy and security browser extensions, used by more than 140 million online users to help keep them safe online.

Web of Trust has been offering a “Safe Web Search & Browsing” service since 2007. The WOT browser extension, which is available for both Firefox and Chrome, uses crowdsourcing to rate websites based on trustworthiness and child safety.

However, it turns out that the Web of Trust service collects extensive data about netizens’ web browsing habits via its browser add-on and then sells it off to various third-party companies.

What’s extremely worrying? Web of Trust did not properly anonymize the data it collects on its users, which means it is easy to expose your real identity and every detail about you.

Source:
http://thehackernews.com/2016/11/web-of-trust-addon.html

Moving Beyond EMET

November 3, 2016 – 6:27 PM

Microsoft’s Trustworthy Computing initiative was 7 years old in 2009 when we first released the Enhanced Mitigation Experience Toolkit (EMET). Despite substantial improvements in Windows OS security during that same period, it was clear that the way we shipped Windows at the time (3-4 years between major releases) was simply too slow to respond quickly to emerging threats. Our commercial customers were particularly exposed since it often took years to deploy new OS versions in large scale environments. And thus, EMET was born as a stop-gap solution to deliver tactical mitigations against certain zero-day software vulnerabilities.

For Microsoft, EMET proved useful for a couple of reasons. First, it allowed us to interrupt and disrupt many of the common exploit kits employed by attackers at the time without waiting for the next Windows release, thus helping to protect our customers. Second, we were able to use EMET as a place to assess new features, which directly led to many security innovations in Windows 7, 8, 8.1, and 10.

But EMET has serious limits as well – precisely because it is not an integrated part of the operating system. First, many of EMET’s features were not developed as robust security solutions. As such, while they blocked techniques that exploits used in the past, they were not designed to offer real durable protection against exploits over time. Not surprisingly, one can find well-publicized, often trivial bypasses, readily available online to circumvent EMET.

Second, to accomplish its tasks, EMET hooks into low-level areas of the operating system in ways they weren’t originally designed for. This has caused serious side effects in both the performance and the reliability of the system and of the applications running on it. And this presents an ongoing problem for customers, since every OS or application update can trigger performance and reliability issues due to incompatibility with EMET.

Finally, while the OS has evolved beneath it, EMET hasn’t kept pace. While EMET 5.5x was verified to run on Windows 10, its effectiveness against modern exploit kits has not been demonstrated, especially in comparison to the many security innovations built into Windows 10.

Source:
https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/