Information Security News
Security experts have discovered a potentially catastrophic flaw that for more than a decade has made it possible for attackers to decrypt HTTPS-protected traffic passing between Android or Apple devices and hundreds of thousands or millions of websites, including AmericanExpress.com, Bloomberg.com, NSA.gov, and FBI.gov.
In recent days, a scan of more than 14 million websites that support the secure sockets layer or transport layer security protocols found that more than 36 percent of them were vulnerable to the decryption attacks. The exploit takes about seven hours to carry out and costs as little as $100 per site. The so-called FREAK attack—short for Factoring attack on RSA-EXPORT Keys—is possible when an end user with a vulnerable device—currently known to include Android smartphones, iPhones, and Macs running Apple's OS X operating system—connects to a vulnerable HTTPS-protected website. Vulnerable sites are those configured to use a weak cipher that many had presumed had been retired long ago. At the time this post was being prepared, most Windows and Linux end-user devices were not believed to be affected.
Attackers who are in a position to monitor traffic passing between vulnerable end users and servers can inject malicious packets into the flow that will cause the two parties to use a weak 512-bit encryption key while negotiating encrypted Web sessions. Attackers can then collect some of the resulting exchange and use cloud-based computing from Amazon or other services to factor the website's underlying private key. From that point on, attackers on a coffee-shop hotspot or other unsecured network can masquerade as the official website, a coup that allows them to read or even modify data as it passes between the site and the end user.
Since May of 2014, I've been tracking a particular group that uses the Sweet Orange exploit kit to deliver malware. This group also uses obfuscation to make it harder to detect the infection chain of events.
Either way, the infection chain flows according to the following block diagram:
First is the function that replaces any non-hexadecimal characters with nothing and replaces various symbols with the percent symbol (%). This time, we have Unicode-based hexadecimal obfuscation and some variables thrown in. This does the same basic function as the previous example. It's now a bit harder to find when you
That URL is now obfuscated with unicode-based hexadecimal characters. For example, \u0074 represents the ASCII character t (lower case).
Once again, let
however, the result causes more work for analysts to fully map the chain of events. We can expect continued evolution of these obfuscation techniques used by this and other actors.
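For analysts mapping such a chain, the two schemes described above can be reversed with a small decoder. This is an added example, not code from the original post or from the exploit kit; the stand-in symbols for `%` and both sample strings are constructed assumptions, since the page does not give them.

```python
import re
from urllib.parse import unquote

# Assumption: the page does not say which symbols stand in for "%";
# these three are placeholders for whatever a given sample uses.
PERCENT_STANDINS = "!#$"

_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")
_URL = re.compile(r"https?://[^\s'\"<>]+")


def decode_js_escapes(text):
    """Resolve JavaScript \\uXXXX and \\xXX escapes, e.g. \\u0074 -> t."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def decode_padded_hex(blob, standins=PERCENT_STANDINS):
    """Undo the first scheme: stand-in symbols become %, every remaining
    character that is not a hex digit or % is dropped, then the result is
    percent-decoded."""
    mapped = "".join("%" if ch in standins else ch for ch in blob)
    cleaned = re.sub(r"[^0-9a-fA-F%]", "", mapped)
    return unquote(cleaned)


def hidden_urls(script):
    """Return URLs visible only after decoding escapes, i.e. the ones a
    plain-text search of the page source would miss."""
    visible = set(_URL.findall(script))
    return [u for u in _URL.findall(decode_js_escapes(script)) if u not in visible]


# Constructed samples (not taken from any real Sweet Orange traffic).
SAMPLE_PADDED = "!68z#74q$74k!70w#3ar$2fs!2ft#61u$2ev!65x#78y$61z!6dg#70h$6ci!65j#2f"
SAMPLE_SCRIPT = (
    r'var a = "\u0068\u0074\u0074\u0070://a.example/\u0067\u0061\u0074\u0065";'
    r' var b = "http://static.example/lib.js";'
)

if __name__ == "__main__":
    print(decode_padded_hex(SAMPLE_PADDED))
    print(hidden_urls(SAMPLE_SCRIPT))
```

The stand-in symbols are mapped to `%` before the non-hex characters are stripped; doing it the other way round would delete the symbols along with the padding.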
Posted by InfoSec News on Mar 03 http://www.nextgov.com/cybersecurity/2015/03/6-biggest-blunders-governments-annual-cyber-report-card/106512/
Posted by InfoSec News on Mar 03 http://en.people.cn/n/2015/0303/c90780-8856255.html
Posted by InfoSec News on Mar 03 http://arstechnica.com/security/2015/03/in-major-goof-uber-stored-sensitive-database-key-on-public-github-page/
Posted by InfoSec News on Mar 03 http://www.washingtonpost.com/local/trafficandcommuting/faa-computers-vulnerable-to-hackers-gao-report-says/2015/03/02/388219ac-c119-11e4-9271-610273846239_story.html
On Monday, Open Whisper Systems announced the release of Signal 2.0, the second version of its app for iOS. What makes this latest release special is that it allows users to send end-to-end encrypted messages, for free, to users of Redphone and TextSecure, Android apps supported by Open Whisper Systems that encrypt calling and text messages, respectively.
Previously, this kind of cross-platform secure messaging cost money in the form of a monthly subscription fee, and both the sender and the receiver of the message had to pay. (Or, encrypting messages cost considerable time and effort to implement without a dedicated app.) Signal and its Android counterpart TextSecure are unique in that they use forward encryption, which generates temporary keys for each message while still allowing asynchronous messaging through the use of push notifications and "prekeys." Ars reported on the implementation details in 2013.
Open Whisper Systems has pulled ahead of other privacy apps by making its interface easy for a person who doesn't know too much about encryption to use. It's also open source, so it can be vetted by experts, and its open encryption protocol can be adopted by other messaging apps. In fact, last November, messaging platform WhatsApp deployed Open Whisper Systems' protocol for its 500 million Android users. Still, until now communicating with iOS users from an Android phone has been much more challenging.