Information Security News
by Cyrus Farivar
President Barack Obama has signed a new executive order that imposes new economic sanctions on anyone who perpetrates cyber attacks against American interests, putting into practice an idea that has been floated for at least two years.
That would mean that if the United States can effectively identify a person or group of people conducting such breaches, and who have assets Stateside, then those assets could be frozen or have related financial transactions severely hindered.
"Starting today, we’re giving notice to those who pose significant threats to our security or economy by damaging our critical infrastructure, disrupting or hijacking our computer networks, or stealing the trade secrets of American companies or the personal information of American citizens for profit," the president wrote on Medium.
Developers of the Firefox browser have moved one step closer to an Internet that encrypts all the world's traffic with a new feature that can cryptographically protect connections even when servers don't support the HTTPS protocol.
Opportunistic encryption, as the feature is known, acts as a bridge between plaintext HTTP connections and fully compliant HTTPS connections based on transport layer security or its predecessor protocol, secure sockets layer. These traditional Web-based encryption measures require site operators to obtain a digital credential issued by a browser-recognized certificate authority and to implement TLS protection through OpenSSL or a similar code library. Even then, many sites are unable to fully encrypt their pages because they embed ads and other third-party content that's still transmitted in plaintext. As a result, large numbers of sites (including this one) continue to publish some or all of their content over HTTP, which can be readily manipulated by anyone with the ability to monitor the connection.
OE, as opportunistic encryption is often abbreviated, was turned on by default in Firefox 37, which was released this week. The move comes 17 months after an Internet Engineering Task Force working group proposed OE become an official part of the HTTP 2.0 specification. The move garnered critics and supporters alike, with the former arguing it may delay some sites from using the more secure HTTPS protections and the latter saying, in effect, some protection is better than none. The chief shortcoming of OE is its lack of authentication for cryptographically validating that a connected server is operated by the organization claiming ownership.
Google is cracking down on ad-injecting extensions for its Chrome browser after finding that almost 200 of them exposed millions of users to deceptive practices or malicious software.
More than a third of Chrome extensions that inject ads were recently classified as malware in a study that Google researchers carried out with colleagues from the University of California at Berkeley. The researchers uncovered 192 deceptive Chrome extensions that affected 14 million users. Google officials have since killed those extensions and incorporated new techniques to catch any new or updated extensions that carry out similar abuses.
The study also found widespread use of ad injectors for multiple browsers on both Windows and OS X computers. More than five percent of people visiting Google sites have at least one ad injector installed. Within that group, half have at least two injectors installed, and nearly one-third have at least four installed. Google officials don't bar such ad injectors outright, but they do place restrictions on them. Terms of service for Chrome extensions, for instance, require that the ad-injecting behavior be clearly disclosed. Customers of DoubleClick and other Google-operated ads services must also comply with policies barring unwanted software.
Sometime within the past month, Rig exploit kit (EK) changed URL structure.
Notice the PHPSSESID and ?req= patterns in the above example.
Now, we don't see the PHPSSESID and ?req= patterns. Let's take a closer look at the more recent example of Rig EK.
The data is gzip compressed, so you have to extract the file to see what it looks like.
Finally, the exploit kit sends the malware payload. It
A copy of the decrypted malware payload can be found at: https://malwr.com/analysis/NzIwYjgwYTcyODhiNGUwNGIxOTRjMzllNjkwMGViMzc/
The malware payload didn
Keep in mind malware payloads differ among the criminal organizations that rent these exploit kits, and the payload can also change from day-to-day.
I haven't heard too much yet about this recent change in URL patterns for Rig EK, but it's certainly happening.
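The following is an added example, not code from the original post or from the author of the Rig EK write-up. It illustrates two points from the write-up above: that a URL-pattern signature built on the older Rig EK markers (PHPSSESID and ?req=) stops matching once the kit changes its URL structure, and that a gzip-compressed response has to be extracted before it can be inspected. The proxy log lines and the response body are constructed for the example; the domain names, timestamps and query values are placeholders and do not come from real Rig EK traffic, and the fourth log line is merely a stand-in for a request that lacks the old markers, not a description of the new URL format.

```python
import gzip
import re

# Constructed proxy log lines (not real traffic). Field layout assumed here:
#   timestamp client method url status
# Lines 1-2 carry the older Rig EK markers the write-up points out
# (?req= and PHPSSESID); line 3 is ordinary browsing; line 4 stands in for a
# request that no longer carries those markers (placeholder, not the real
# new Rig EK URL format).
SAMPLE_LOG = """\
2015-04-02T10:01:02 10.0.0.5 GET http://landing.example.test/index.php?req=swf&num=1&PHPSSESID=abc123 200
2015-04-02T10:01:05 10.0.0.5 GET http://landing.example.test/index.php?req=xap&num=2&PHPSSESID=abc123 200
2015-04-02T10:01:09 10.0.0.5 GET http://www.example.org/news/today.html 200
2015-04-02T10:02:11 10.0.0.5 GET http://landing.example.test/index.php?id=9f3c2a 200
"""

# Signatures for the older Rig EK URL structure described in the write-up.
# Dict order is preserved, so matched names come back in this order.
OLD_RIG_URL_SIGNATURES = {
    "req_param": re.compile(r"\?req=", re.IGNORECASE),
    "phpssesid": re.compile(r"[?&]PHPSSESID=", re.IGNORECASE),
}


def parse_log(log_text: str) -> list[str]:
    """Return the URL field of every well-formed log line."""
    urls = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:  # skip blank or truncated lines
            continue
        urls.append(fields[3])
    return urls


def match_signatures(url: str) -> list[str]:
    """Names of the old-Rig signatures that fire on this URL."""
    return [name for name, rx in OLD_RIG_URL_SIGNATURES.items() if rx.search(url)]


def flag_requests(log_text: str) -> list[tuple[str, list[str]]]:
    """(url, matched signature names) for every request that trips a signature.

    Requests in the newer URL structure produce no match, which is exactly
    the blind spot a signature-only detection has after the kit changes.
    """
    flagged = []
    for url in parse_log(log_text):
        hits = match_signatures(url)
        if hits:
            flagged.append((url, hits))
    return flagged


GZIP_MAGIC = b"\x1f\x8b"


def extract_if_gzip(body: bytes) -> bytes:
    """Decompress a gzip-compressed body; return other bodies unchanged."""
    if body[:2] == GZIP_MAGIC:
        return gzip.decompress(body)
    return body


# Constructed response body standing in for a compressed landing page.
SAMPLE_PLAIN_BODY = b"<html><body>constructed landing page body</body></html>"
SAMPLE_GZIP_BODY = gzip.compress(SAMPLE_PLAIN_BODY)


if __name__ == "__main__":
    for url, hits in flag_requests(SAMPLE_LOG):
        print(f"flagged {url} via {', '.join(hits)}")
    print(f"{len(parse_log(SAMPLE_LOG))} requests parsed, "
          f"{len(flag_requests(SAMPLE_LOG))} flagged by old-structure signatures")
    print(extract_if_gzip(SAMPLE_GZIP_BODY)[:40])
```

Run stand-alone, the script flags only the two requests that still carry the old markers; the fourth request passes untouched, which is why a signature keyed to URL tokens needs to be paired with payload inspection (the gzip extraction step) and with other indicators that survive a change in URL structure.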