Critical Internet Explorer exploit code released in the wild

October 1, 2013 – 7:42 PM

Attack code that exploits a critical vulnerability in all supported versions of Microsoft’s Internet Explorer browser has been publicly released.

Monday’s release of a module for the Metasploit exploit framework used by security professionals and hackers could broaden the base of attackers who are capable of targeting the flaw. Until now, the bug has been known to be exploited in only a handful of highly targeted attacks aimed mostly at workers in Japanese government agencies and manufacturers. While the attack code has been available to anyone who knows where to find it, its inclusion in the open-source Metasploit could make it easier for some people to use.

Microsoft issued a temporary fix for the browser two weeks ago. The company, which is scheduled to release its next batch of security updates on October 8, hasn’t said when it will issue a permanent patch.

One of the groups carrying out the attacks is the same one that installed malware on computers belonging to security firm Bit9. The group has planted exploits on compromised websites known to be frequented by government and manufacturing employees. The exploits are used to remotely execute code that installs rootkit-style malware that’s used to download sensitive data from the infected machines. While the exploits target versions 8 and 9 of IE running on Windows XP and Windows 7 respectively, the “use after free” vulnerability is present in IE versions 10 and 11 as well, Microsoft has said.

Out of an abundance of caution, Windows users should be sure to install the temporary fix regardless of the browser they regularly use.

Source:
http://arstechnica.com/security/2013/10/critical-internet-explorer-exploit-code-released-in-the-wild/

Security researchers create undetectable hardware trojans

September 17, 2013 – 4:57 PM

A team of security researchers from the U.S. and Europe has released a paper showing how integrated circuits used in computers, military equipment and other critical systems can be maliciously compromised during the manufacturing process through virtually undetectable changes at the transistor level.

As proof of the effectiveness of the approach, the paper describes how the method could be used to modify and weaken the hardware random number generator on Intel’s Ivy Bridge processors and the encryption protections on a smartcard without anyone detecting the changes.

The research paper is important because it is the first to describe how someone can insert a hardware trojan into a microchip without any additional circuitry, transistors or other logic resources, said Christof Paar, chairman for embedded security, Department of Electrical Engineering and Information Technology at Ruhr University in Germany.

Hardware trojans have been the subject of considerable research since at least 2005 when the U.S. Department of Defense publicly expressed concerns over the military’s reliance on integrated circuits manufactured abroad, Paar said.

Often, the individual circuit blocks in a single microchip are designed by different parties, manufactured by an offshore foundry, packaged by a separate company and distributed by yet another vendor. This kind of outsourcing and globalization of chip manufacturing has led to trust and security issues, the paper noted.

Source:
http://www.computerworld.com/s/article/9242472/Security_researchers_create_undetectable_hardware_trojans

LastPass and the NSA Controversy

September 10, 2013 – 6:46 PM

With news that the United States National Security Agency has deliberately inserted weaknesses into security products and attempted to modify NIST standards, questions have been raised about how these actions affect LastPass and our customers. We want to directly address whether LastPass has been or could be weakened, and whether our users’ data remains secure.

In short, we have not weakened our product or introduced a backdoor, and haven’t been asked to do so. If we were forced by law to take these actions, we’d fight it. If we were unable to successfully fight it, we would consider shutting down the service. We will not break our commitment to our customers.

Although we are not currently in the position of having to consider closing the service, it is important to note that if LastPass had to be shut down, our users would be able to export their data or continue using LastPass in “offline” mode, although online login and syncing would no longer be possible.

We have consistently reiterated that LastPass cannot share what we cannot access. Sensitive user data is encrypted and decrypted locally with a key that is never shared with LastPass. As always, we encourage our users to create a strong master password to better protect themselves from brute-force attacks. Given our technology and lack of access to stored user data, it is more efficient for the NSA or others to try to circumnavigate LastPass and find other ways to obtain user information.

Ultimately, when you use an online service you’re trusting the people behind that service to have your best interests at heart and to fight on your behalf. We have built a tradition of being open and honest with our community, and continue to put the security and privacy of our customers first. We will continue to monitor the situation and change course as needed, with updates to our community when necessary.

Source:
http://blog.lastpass.com/2013/09/lastpass-and-nsa-controversy.html

The NSA Is Breaking Most Encryption on the Internet

September 5, 2013 – 6:19 PM

The new Snowden revelations are explosive. Basically, the NSA is able to decrypt most of the Internet. They’re doing it primarily by cheating, not by mathematics.

It’s joint reporting between the Guardian, the New York Times, and ProPublica.

I have been working with Glenn Greenwald on the Snowden documents, and I have seen a lot of them. These are my two essays on today’s revelations.

Remember this: The math is good, but math has no agency. Code has agency, and the code has been subverted.

Source:
https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html

HTTP Nowhere for Firefox blocks all but encrypted traffic

August 28, 2013 – 7:53 PM

Protecting your privacy online is a hot topic right now, with PRISM looming over the heads of all Internet users. But even if you set PRISM aside, there is a drive towards privacy on the Internet.

One of the things that users need to be aware of is the difference between http and https requests on the Internet. While browsers provide that information visually, for instance by adding a lock symbol to requests or changing the color of the protocol, these indicators are not standardized and are easy to ignore, especially with recent changes to how they are displayed in the browser.

Firefox users can improve the visualization by installing extensions such as Safe. That does not take care of situations where unsafe or insecure content is loaded on secure websites. Mozilla has plans to tackle those situations as well.

Sometimes, though, you may want even more assurance than that, to make sure that your browser is protected when you visit important websites that offer https.

An idea that has been expressed recently is to create an encrypted-only mode in web browsers, much like the private browsing mode works today. But instead of making sure that no session data is recorded by the browser that may reveal the sites you have visited in it, it makes sure that only encrypted connections are allowed in it.

That’s where the Firefox extension HTTP Nowhere comes into play. You can use it to block any insecure traffic in Firefox, so that only https connections are permitted.

Source:
http://www.ghacks.net/2013/08/28/http-nowhere-firefox-blocks-encrypted-traffic/