SECUREDROP >= 0.3 - Possible Backdoor & Privileges Escalation by Unauth User

President Barack Obama has signed a new executive order that imposes new economic sanctions on anyone who perpetrates cyber attacks against American interests, putting into practice an idea that has been floated for at least two years.

That would mean that if the United States can effectively identify a person or group of people conducting such breaches, and who have assets Stateside, then those assets could be frozen or have related financial transactions severely hindered.

"Starting today, we’re giving notice to those who pose significant threats to our security or economy by damaging our critical infrastructure, disrupting or hijacking our computer networks, or stealing the trade secrets of American companies or the personal information of American citizens for profit," the president wrote on Medium.



Developers of the Firefox browser have moved one step closer to an Internet that encrypts all the world's traffic with a new feature that can cryptographically protect connections even when servers don't support the HTTPS protocol.

Opportunistic encryption, as the feature is known, acts as a bridge between plaintext HTTP connections and fully compliant HTTPS connections based on Transport Layer Security or its predecessor, the Secure Sockets Layer protocol. These traditional Web-based encryption measures require site operators to obtain a digital certificate issued by a browser-recognized certificate authority and to implement TLS protection through OpenSSL or a similar code library. Even then, many sites are unable to fully encrypt their pages because they embed ads and other third-party content that is still transmitted in plaintext. As a result, large numbers of sites (including this one) continue to publish some or all of their content over HTTP, which can be readily manipulated by anyone with the ability to monitor the connection.

OE, as opportunistic encryption is often abbreviated, was turned on by default in Firefox 37, which was released this week. The move comes 17 months after an Internet Engineering Task Force working group proposed OE become an official part of the HTTP 2.0 specification. The move garnered critics and supporters alike, with the former arguing it may delay some sites from using the more secure HTTPS protections and the latter saying, in effect, some protection is better than none. The chief shortcoming of OE is its lack of authentication for cryptographically validating that a connected server is operated by the organization claiming ownership.


[security bulletin] HPSBST03298 rev.2 - HP XP Service Processor Software for Windows, Multiple Vulnerabilities
[security bulletin] HPSBGN03307 rev.1 - HP Intelligent Provisioning, Disclosure of Information
[security bulletin] HPSBMU03304 rev.1 - HP Insight Control server deployment on Linux and Windows, Remote Disclosure of Information
[SECURITY] [DSA 3211-1] iceweasel security update
LinuxSecurity.com: **19 Mar 2015, PHP 5.5.23**

Core:
* Fixed bug #69174 (leaks when unused inner class use traits precedence). (Laruence)
* Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize). (Laruence)
* Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build). (dan at syneto dot net)
* Fixed bug #65593 (Segfault when calling ob_start from output buffering callback). (Mike)
* Fixed bug #69017 (Fail to push to the empty array with the constant value defined in class scope). (Laruence)
* Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c). (nayana at ddproperty dot com)
* Fixed bug #68166 (Exception with invalid character causes segv). (Rasmus)
* Fixed bug #69141 (Missing arguments in reflection info for some builtin functions). (kostyantyn dot lysyy at oracle dot com)
* Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (Stas)
* Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski)
* Fixed bug #69207 (move_uploaded_file allows nulls in path). (Stas)

CGI:
* Fixed bug #69015 (php-cgi's getopt does not see $argv). (Laruence)

CLI:
* Fixed bug #67741 (auto_prepend_file messes up __LINE__). (Reeze Xia)

cURL:
* Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL on Win32). (Grant Pannell)
* Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if supported by libcurl. (Linus Unneback)

Ereg:
* Fixed bug #69248 (heap overflow vulnerability in regcomp.c). (Stas)

FPM:
* Fixed bug #68822 (request time is reset too early). (honghu069 at 163 dot com)

ODBC:
* Fixed bug #68964 (Allowed memory size exhausted with odbc_exec). (Anatol)

Opcache:
* Fixed bug #69125 (Array numeric string as key). (Laruence)
* Fixed bug #69038 (switch(SOMECONSTANT) misbehaves). (Laruence)

OpenSSL:
* Fixed bugs #61285, #68329, #68046, #41631 (encrypted streams don't observe socket timeouts). (Brad Broerman)

pgsql:
* Fixed bug #68638 (pg_update() fails to store infinite values). (william dot welter at 4linux dot com dot br, Laruence)

Readline:
* Fixed bug #69054 (Null dereference in readline_(read|write)_history() without parameters). (Laruence)

SOAP:
* Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). (andrea dot palazzo at truel dot it, Laruence)

SPL:
* Fixed bug #69108 ("Segmentation fault" when (de)serializing SplObjectStorage). (Laruence)
* Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after calling getChildren()). (Julien)

ZIP:
* Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap boundary) (CVE-2015-2331). (Stas)
LinuxSecurity.com: Security fix for CVE-2015-2331.

Google is cracking down on ad-injecting extensions for its Chrome browser after finding that almost 200 of them exposed millions of users to deceptive practices or malicious software.

More than a third of Chrome extensions that inject ads were recently classified as malware in a study that Google researchers carried out with colleagues from the University of California at Berkeley. The researchers uncovered 192 deceptive Chrome extensions that affected 14 million users. Google officials have since removed those extensions and incorporated new techniques to catch any new or updated extensions that carry out similar abuses.

The study also found widespread use of ad injectors for multiple browsers on both Windows and OS X computers. More than five percent of people visiting Google sites have at least one ad injector installed. Within that group, half have at least two injectors installed, and nearly one-third have at least four installed. Google officials don't bar such ad injectors outright, but they do place restrictions on them. Terms of service for Chrome extensions, for instance, require that the ad-injecting behavior be clearly disclosed. Customers of DoubleClick and other Google-operated ads services must also comply with policies barring unwanted software.


ESA-2015-056: EMC PowerPath Virtual Appliance Undocumented User Accounts Vulnerability
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Sometime within the past month, Rig exploit kit (EK) changed URL structure.

Notice the PHPSSESID and ?req= patterns in the above example.

Now, we don't see the PHPSSESID and ?req= patterns. Let's take a closer look at the more recent example of Rig EK.

The data is gzip compressed, so you have to extract the file to see what it looks like.

Finally, the exploit kit sends the malware payload. It

A copy of the decrypted malware payload can be found at: https://malwr.com/analysis/NzIwYjgwYTcyODhiNGUwNGIxOTRjMzllNjkwMGViMzc/

The malware payload didn

Keep in mind malware payloads differ among the criminal organizations that rent these exploit kits, and the payload can also change from day-to-day.

I haven't heard too much yet about this recent change in URL patterns for Rig EK, but it's certainly happening.

Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic
