Google+ AllLeakedNews

Thursday, 6 February 2014

Adobe issues Emergency Flash Player update to patch critical zero-day threat


Adobe is recommending that users update their Flash Player immediately. The company published an emergency security bulletin today that addresses vulnerabilities in Flash Player and released a patch for a vulnerability which is currently being exploited in a sophisticated cyber espionage campaign.

"Adobe is aware of reports that an exploit for this vulnerability exists in the wild, and recommends users apply the updates referenced in the security bulletin."

The vulnerability (CVE-2014-0497) allows an attacker to remotely take control of the targeted system running Flash. "These updates address a critical vulnerability that could potentially allow an attacker to remotely take control of the affected system," the advisory said.


The security hole affects Adobe Flash Player 12.0.0.43 and earlier for both Windows and Mac OS, and Adobe Flash Player 11.2.202.335 and earlier for Linux.

The vulnerability was discovered by two researchers at Kaspersky Lab, Alexander Polyakov and Anton Ivanov.

The story started some months ago, when the Kaspersky team discovered a new, sophisticated cyber espionage operation that has been going on since at least 2007. The operation, dubbed "The Mask", hit systems in 27 countries using high-end exploits; the attackers deployed an extremely sophisticated malware toolkit which includes a bootkit and a rootkit.

The malicious code also has versions able to infect Mac and Linux systems, and included a customized attack against Kaspersky products.
"This is putting them above Duqu in terms of sophistication, making it one of the most advanced threats at the moment. Most interesting, the authors appear to be native in yet another language which has been observed very rarely in APT attacks. We will present more details about the "Mask" APT next week at the Kaspersky Security Analyst Summit 2014 (on Twitter, #TheSAS2014)," reports a post on the SecureList blog.
Kaspersky Lab provides a technical analysis of the exploits and payload. They discovered a total of 11 exploits, all using the same vulnerability and all unpacked SWF files targeting the following versions of Adobe Flash Player:
11.3.372.94 11.3.375.10 11.3.376.12 11.3.377.15 11.3.378.5 11.3.379.14 11.6.602.167 11.6.602.180 11.7.700.169 11.7.700.202 11.7.700.224
These exploits only work on Windows XP, Vista, 2003 R2, 2003, Windows 7, Windows 7 x64, Windows 2008 R2, Windows 2008, Windows 8, Windows 8x6 and Mac OS 10.6.8.
The researchers found that these exploits had been detected on three different user machines, one running Mac OS 10.6.8 and the other two running Windows 7. They found that a .docx document carrying the 0-day exploit was distributed via a targeted email mailing.
Kaspersky describe three types of shellcode in the samples. The first is a primitive shellcode that reads an executable named a.exe from the SWF file and drops it to the hard drive; "only one of the 11 exploits in our possession included a payload."
The second type downloads and executes a file from a URL passed in the SWF file's parameters. The third shellcode type, which is only present in some of the files, is the most interesting.
Adobe was informed that an exploit in the wild is being used to hit systems running Flash Player, and it recommends users update their installations to the latest versions:
  1. Users of Adobe Flash Player 12.0.0.43 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 12.0.0.44.
  2. Users of Adobe Flash Player 11.2.202.335 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.336.
  3. Adobe Flash Player 12.0.0.41 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 12.0.0.44 for Windows, Macintosh and Linux.
  4. Adobe Flash Player 12.0.0.38 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 12.0.0.44 for Windows 8.0.
  5. Adobe Flash Player 12.0.0.38 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 12.0.0.44 for Windows 8.1.

  
Source: THN

98% of SSL enabled websites still using SHA-1 based weak Digital Certificates

The National Institute of Standards and Technology (NIST) published a document in January 2011 stating that the SHA-1 algorithm would be risky and should be disallowed after 2013, but Netcraft experts recently noticed that the NIST.gov website itself was using a 2014-dated SSL certificate signed with SHA-1.
"From January 1, 2011 through December 31, 2013, the use of SHA-1 is deprecated for digital signature generation. The user must accept risk when SHA-1 is used, particularly when approaching the December 31, 2013 upper limit. SHA-1 shall not be used for digital signature generation after December 31, 2013," NIST wrote in the document.

Digital signatures facilitate the safe exchange of electronic documents by providing a way to test both the authenticity and the integrity of information exchanged digitally. Authenticity means when you sign data with a digital signature, someone else can verify the signature, and can confirm that the data originated from you and was not altered after you signed it.


A digital certificate is essentially a piece of information that tells a client that the web server is trusted. Digital signatures are usually applied to hash values that represent larger data.

A Cryptographic hash function like MD5 and SHA-1 can transform input of an arbitrary length to an output of a certain number of bits, typically 128 or 160 bits. The output is called the hash value.

SHA-1 is a hashing algorithm that currently enjoys widespread adoption. SHA-1 is a 160-bit hash function whose job is to ensure the integrity of a given piece of data: different data should yield different hash values, and any change to a given piece of data will result in a different hash value. It was designed by the National Security Agency (NSA) to be a part of the Digital Signature Algorithm.

But in 2005, cryptographic weaknesses were discovered in SHA-1. Hashes are designed to minimize the probability that two different pieces of data yield the same hash value, but it is nonetheless possible for two different inputs to share a hash value; such a pair is called a collision.


In February 2005, three female Chinese researchers, Xiaoyun Wang, Yiqun Lisa Yin and Hongbo Yu, reduced the amount of time needed to find two documents with the same signature. Previously, brute force was the best known way to find such collisions, where two messages have the same hash value.
The strength of a digital signature is determined by the size of the underlying hash, i.e. 160 bits for SHA-1. There are 2^160 possible SHA-1 hash values, and the Chinese researchers' analysis puts the work needed to find two different pieces of data computing to the same value at about 2^69, a process about 2,000 times faster than brute force.

At that time, it was predicted that actually doing so would take thousands of years, but today, with modern cloud computing technology, such a crypto attack would cost only about $700,000, an affordable project for a well-funded hacking group or for intelligence agencies like the NSA and GCHQ.

So it is potentially possible to exploit the SHA-1 hash to spoof digital signatures, and this is the reason that SHA-1 is being phased out of most governmental applications and that NIST recommended SHA-1 not be used after 2013.

"An attacker able to find SHA-1 collisions could carefully construct a pair of certificates with colliding SHA-1 hashes: one a conventional certificate to be signed by a trusted CA, the other a sub-CA certificate able to be used to sign arbitrary SSL certificates. By substituting the signature of the CA-signed certificate into the sub-CA certificate, certificate chains containing the attacker-controlled sub-CA certificate will pass browser verification checks. This attack is, however, made more difficult by path constraints and the inclusion of unpredictable data in the certificate before signing it," a Netcraft expert said.
Digital signatures depend on the collision resistance of the hash function. NIST's latest digital certificates now come from VeriSign and use SHA-2 (SHA-256) with RSA.
"In total, more than 98% of all SSL certificates in use on the Web are still using SHA-1 signatures. Netcraft's February 2014 SSL Survey found more than 256,000 of these certificates would otherwise be valid beyond the start of 2017 and, due to the planned deprecation of SHA-1, will need to be replaced before their natural expiry dates."
NIST is not alone: other US government organizations are also using the outdated hashing algorithm, including the Obamacare website healthcare.gov, donogc.navy.mil and several others.
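The check behind Netcraft's survey figure, as an added example that is not part of the article or of Netcraft's own tooling: walk the DER encoding of an X.509 certificate with the standard library only, pull the OID out of the outer signatureAlgorithm field, and flag MD5/SHA-1 signatures for replacement. The sample "certificates" are constructed inline and carry only a stub tbsCertificate; they are not real certificates, and the OID table covers just the common RSA and ECDSA signature identifiers.

```python
# Added example, not from the article: classify an X.509 certificate's signature
# algorithm by parsing its DER encoding with the standard library only.
# Sample certificates below are constructed stand-ins, not real certificates.

# OID -> (name, weak-for-signatures). Standard PKCS#1 / X9.62 identifiers.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}
SEQUENCE, INTEGER, BIT_STRING, NULL, OBJECT_IDENTIFIER = 0x30, 0x02, 0x03, 0x05, 0x06


def read_tlv(buf, off):
    """Read one DER tag-length-value at buf[off]; return (tag, content, next_offset).
    Single-byte tags and definite lengths only, which is all X.509 uses."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                     # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[off:off + length], off + length


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes (base-128 arcs) to dotted notation."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]                       # first byte packs the first two arcs
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def certificate_signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip tbsCertificate and return the dotted OID of the outer AlgorithmIdentifier."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _tag, _tbs, off = read_tlv(cert, 0)   # tbsCertificate, skipped whole
    tag, alg, _ = read_tlv(cert, off)     # signatureAlgorithm
    if tag != SEQUENCE:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg, 0)
    if tag != OBJECT_IDENTIFIER:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def classify_certificate(der):
    """Return (algorithm name, weak): True for MD5/SHA-1 signatures, False for
    the SHA-2 family, None for an OID the table does not know (name is the OID)."""
    oid = certificate_signature_oid(der)
    return SIGNATURE_OIDS.get(oid, (oid, None))


# --- constructed sample data (not real certificates) -------------------------
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append((v & 0x7F) | 0x80)
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_certificate(sig_oid):
    """Stub: a real tbsCertificate holds version, serial, issuer, validity, subject
    and key; here it is a SEQUENCE with only a serial, enough to be skipped over."""
    tbs = der_tlv(SEQUENCE, der_tlv(INTEGER, b"\x01"))
    alg = der_tlv(SEQUENCE, der_tlv(OBJECT_IDENTIFIER, encode_oid(sig_oid)) + der_tlv(NULL, b""))
    sig = der_tlv(BIT_STRING, b"\x00" * 17)   # leading 0x00 = no unused bits; dummy signature
    return der_tlv(SEQUENCE, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        name, weak = classify_certificate(build_sample_certificate(oid))
        print(f"{name}: {'replace before SHA-1 deprecation' if weak else 'ok'}")
```

For a PEM file, strip the `-----BEGIN CERTIFICATE-----` armour and base64-decode before calling `classify_certificate`. A fuller audit would also read the `signature` AlgorithmIdentifier inside tbsCertificate and confirm it matches the outer one, and would walk the whole chain, since a SHA-1-signed intermediate weakens a SHA-256 leaf just as much.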
 


British Intelligence Agency DDoSed Anonymous Chatrooms to disrupt communication

Since 2011, the hacking collectives Anonymous and LulzSec had been targeting both government and law-enforcement websites in the US and UK with DDoS attacks, planning them in chat rooms on IRC. According to newly published documents, the British intelligence agency GCHQ turned their own weapon against them.



According to a recently released Edward Snowden document, a division of Government Communications Headquarters (GCHQ), well known as the British counterpart of the NSA, shut down communications among Anonymous hacktivists by launching "denial of service" (DDoS) attacks, making the British government the first Western government known to have conducted such an attack, NBC News reports.





This is the same DDoS technique the hackers themselves used to take down government, political and industry websites, including those of the Central Intelligence Agency (CIA), the Federal Bureau of Investigation (FBI), the Serious Organised Crime Agency (SOCA), Sony, News International and the Westboro Baptist Church.



A PowerPoint presentation prepared for a 2012 NSA conference called SIGDEV shows that a special GCHQ unit known as the Joint Threat Research Intelligence Group (JTRIG) launched an operation called 'Rolling Thunder' that performed massive DDoS attacks and used other techniques to scare away 80 percent of the users of Anonymous internet chat rooms.



JTRIG also infiltrated Anonymous IRC chat rooms to trace hacktivists' real identities and to help send them to prison for stealing data and attacking several government websites.



The operation allowed JTRIG to identify GZero, whose real name was Edward Pearson, a 25-year-old British hacker from New York, who was prosecuted and sentenced to 26 months in prison for stealing 8 million identities and information from 200,000 PayPal accounts.



Another hacktivist, Jake Davis, nicknamed Topiary, an 18-year-old member of Anonymous and LulzSec spokesman from Scotland, was arrested in July 2011 and sentenced to 24 months in a youth detention center.

Today Jake tweeted: "I plead guilty to two counts of DDoS conspiracy and to my face these GCHQ bastards were doing the exact same thing" and "who are the real criminals?"



Source: THN

Google adds its Chrome apps and extensions to Bug Bounty Program

Google's Vulnerability Reward Program, which started in November 2010, offers a hefty reward to anyone who finds a qualifying vulnerability in its products.



Now Google is getting a little more serious about the security of its Chrome browser and has expanded its Bug Bounty Program to include all Chrome apps and extensions developed and branded "by Google".



The Internet has become a necessary medium for daily tasks like reading news, paying bills, playing games and scheduling meetings, and everything we do on it depends on the various applications maintained by service providers.





"We think developing Chrome extensions securely is relatively easy, but given that extensions like Hangouts and GMail are widely used, we want to make sure efforts to keep them secure are rewarded accordingly." Google said in a blog post.



In addition, to improve the security of open-source projects such as OpenSSL, the Linux kernel or BIND DNS software, which are critical to the health of the Internet, Google encourages bug hunters by increasing the payouts for qualifying code improvements under its Patch Reward Program.


"The rewards for each vulnerability will range from the usual $500 up to $10,000 USD and will depend on the permissions and the data each extension handles. If you find a vulnerability in any Google-developed Chrome Extensions, please contact us at goo.gl/vulnz."



The New Reward structure is:

  • $10,000 for complicated, high-impact improvements that almost certainly prevent major vulnerabilities in the affected code.
  • $5,000 for moderately complex patches that provide convincing security benefits.
  • Between $500 and $1,337 for submissions that are very simple or that offer only fairly speculative gain.

If you are a freelancer or security enthusiast, a bug bounty program is a golden opportunity for you. "We look forward to ongoing collaboration with the broader security community, and we'll continue to invest in these programs to help make the Internet a safer place for everyone."



Though it is good to have an in-house IT security team, a collective and open form of penetration testing is an economically efficient mechanism for finding complex vulnerabilities.



Google has also scheduled its fourth 'Pwnium' hacking contest for March, with $2.7 million up for bug hunters to grab.

Source: THN

Facebook domain hacked by Syrian Electronic Army

On the 10th anniversary of the social networking website Facebook, the hacker group 'Syrian Electronic Army' claimed to have hacked into an administrator account at Facebook's domain registrar, MarkMonitor.


The hacking group changed the Facebook domain's contact information to a Syrian email address on the company's WHOIS domain information page.


"Happy Birthday Mark! http://Facebook.com owned by #SEA" the group tweeted.




The hackers also claimed to have updated the nameserver information in order to hijack the domain, but said the process had to be abandoned because it was "taking too much time..." A Facebook spokesperson did confirm that the domain record's email contact information had been changed.