Security experts have discovered a potentially catastrophic flaw that for more than a decade has made it possible for attackers to decrypt HTTPS-protected traffic passing between Android or Apple devices and hundreds of thousands or millions of websites, including AmericanExpress.com, Bloomberg.com, NSA.gov, and FBI.gov.

In recent days, a scan of more than 14 million websites that support the secure sockets layer or transport layer security protocols found that more than 36 percent of them were vulnerable to the decryption attacks. The exploit takes about seven hours to carry out and costs as little as $100 per site. The so-called FREAK attack—short for Factoring attack on RSA-EXPORT Keys—is possible when an end user with a vulnerable device—currently known to include Android smartphones, iPhones, and Macs running Apple's OS X operating system—connects to a vulnerable HTTPS-protected website. Vulnerable sites are those configured to use a weak cipher that many had presumed had been retired long ago. At the time this post was being prepared, most Windows and Linux end-user devices were not believed to be affected.

Attackers who are in a position to monitor traffic passing between vulnerable end users and servers can inject malicious packets into the flow that will cause the two parties to use a weak 512-bit encryption key while negotiating encrypted Web sessions. Attackers can then collect some of the resulting exchange and use cloud-based computing from Amazon or other services to factor the website's underlying private key. From that point on, attackers on a coffee-shop hotspot or other unsecured network can masquerade as the official website, a coup that allows them to read or even modify data as it passes between the site and the end user.

Read 10 remaining paragraphs | Comments


Since May of 2014, Ive been tracking a particular group that uses the Sweet Orange exploit kit to deliver malware. This group alsouses obfuscation to make it harder to detectthe infection chain of events.

By 2015, this group included more obfuscation within the initial javascript. It however, the result causes more work to detect the malicious activity.

Either way, the infection chain flows according to following block diagram:

Previous obfuscation

Below are images from an infection chain from July 2014 [1]. Here we find malicious javascript from the compromised website. In this image, Ive highlighted two areas:" />

Here" />

Recent obfuscation

Below are images from an infection chain by the same actor in February 2015 [2]. Again we find malicious javascript from the compromised website. However, in this case, there" />

First is the function that replaces any non-hexadecimal characters with nothing and replaces various symbols with the percent symbol (%). This time, we have unicode-based hexadecimal obfuscation and some variables thrown in. This does the same basic function as the previous example. Its now a bit harder to find when you" />

That URL is now obfuscated with unicode-based hexadecimal characters. For example, \u0074 represents the ASCII character t (lower case).

Once again, let" />

however, the result causes more work for analysts to fully map the chain of events. We can expect continued evolution of these obfuscation used by this and other actors.


Brad Duncan,Security Researcher atRackspace
Blog: www.malware-traffic-analysis.net-Twitter: @malware_traffic


[1] http://malware-traffic-analysis.net/2014/07/08/index.html
[2] http://malware-traffic-analysis.net/2015/02/09/index2.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
LinuxSecurity.com: Several security issues were fixed in Thunderbird.
LinuxSecurity.com: Updated tomcat6 packages fix security vulnerabilities: Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 allows remote [More...]
LinuxSecurity.com: Updated tomcat packages fix security vulnerabilities: Apache Tomcat 7.x before 7.0.47, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect [More...]
LinuxSecurity.com: Updated sympa packages fix security vulnerability: A vulnerability have been discovered in Sympa web interface that allows access to files on the server filesystem. This breach allows to send to a list or a user any file readable by the Sympa user, [More...]
LinuxSecurity.com: Security Report Summary
LinuxSecurity.com: Updated patch package fixes security vulnerabilities: It was reported that a crafted diff file can make patch eat memory and later segfault (CVE-2014-9637). [More...]
[ MDVSA-2015:052 ] tomcat
[ MDVSA-2015:053 ] tomcat6
[ MDVSA-2015:051 ] sympa
[SECURITY] [DSA 3178-1] unace security update

Posted by InfoSec News on Mar 03


By Aliya Sternstein
March 2, 2015

The White House has released its yearly assessment of agency compliance
with the governmentwide cyber law known as the Federal Information
Security Management Act. And given the spate of breaches and hacks that
hit both government and the private sector, the results may not be all

Posted by InfoSec News on Mar 03


By Sun Ding
March 03, 2015

BEIJING, March 3 -- In light of successive revelations in recent years of
spying scandals perpetrated by the United Stateswith its sophisticated
hacking technology, it is justifiable for China to strengthen cyber
security regulation amid growing technology trade between the world's two
leading economies.

Last month, cyber security firm Kaspersky Lab...

Posted by InfoSec News on Mar 03


By Dan Goodin
Ars Techica
March 2, 2015

Uber is trying to force GitHub to disclose the IP address of every person
that accessed a webpage connected to a database intrusion that exposed
sensitive personal data for 50,000 drivers. The court action revealed that
a security key unlocking the database was stored on a publicly accessible...

Posted by InfoSec News on Mar 03


By Ashley Halsey III
The Washington Post
March 2, 2015

The Federal Aviation Administration has fallen short in its efforts to
protect the national air traffic control system from terrorists or others
who might try to hack into the computers used to direct planes in flight,...
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

On Monday, Open Whisper Systems announced the release of Signal 2.0, the second version of its app for iOS. What makes this latest release special is that it allows users to send end-to-end encrypted messages, for free, to users of Redphone and TextSecure, Android apps supported by Open Whisper Systems that encrypt calling and text messages, respectively.

Previously, this kind of cross-platform secure messaging cost money in the form of a monthly subscription fee, and both the sender and the receiver of the message had to pay. (Or, encrypting messages cost considerable time and effort to implement without a dedicated app.) Signal and its Android counterpart TextSecure are unique in that they use forward encryption, which generates temporary keys for each message while still allowing asynchronous messaging through the use of push notifications and "prekeys." Ars reported on the implementation details in 2013.

Open Whisper Systems has pulled ahead of other privacy apps by making its interface easy for a person who doesn't know too much about encryption to use. It's also open source, so it can be vetted by experts, and its open encryption protocol can be adopted by other messaging apps. In fact last November, messaging platform Whatsapp deployed Open Whisper Systems' protocol for its 500 million Android users. Still, until now communicating with iOS users from an Android phone has been much more challenging.

Read 4 remaining paragraphs | Comments

Internet Storm Center Infocon Status