OpenSSL gears up to fix high impact vulnerabilities

OpenSSL project had announced on Thursday (April 28) upcoming security fixes for several vulnerabilities affecting the crypto library.

Every OpenSSL release since the infamous Heartbleed vulnerability1 of April 2014 has been met with nervous anticipation, and that applies as much to the upcoming 1.0.2h, 1.0.1t which will be released on May 3 between 12:00 and 15:00 UTC. These releases will patch several flaws, including ones rated 'high severity'.
Issues that have a high severity rating affect less common configurations or are less likely to be exploitable. The forthcoming releases are due to be out by next Tuesday. They are not accompanied by any logo or a catchy title.

OpenSSL versions 1.0.0 and 0.9.8 are no longer supported and they will not receive any security updates. Support for version 1.0.1 will end on December 31, 2016.

These updates will be the third round in a year. In January, the project released versions 1.0.2f and 1.0.1r to address a high severity flaw that allows attackers to obtain information that can be used to decrypt secure traffic, and a low severity SSLv2 cipher issue.

The last major flare-up on this front coincided with the DROWN vulnerability, which emerged last month in March. DROWN is a serious flaw that can be exploited to crack encrypted communications. DROWN affected a quarter of the top one million HTTPS domains and one-third of all HTTPS websites at the time of disclosure.

FBI paid $1.3 million for hacking a iPhone

Apple's war with the USA over decryption of iPhone came to halt when the director of the F.B.I. revealed that they paid at least $1.3 million to an undisclosed group hackers to hack  the encrypted iPhone used by an attacker in the mass shooting in San Bernardino, Calif.

At a conference on global security in London, James B. Comey Jr., the F.B.I. chief, was asked how much they  had to pay to the group to demonstrate how to bypass the phone’s encryption.

He replied, “A lot,”, as audience members at the Aspen Institute event laughed.

He continued: “Let’s see, more than I will make in the remainder of this job, which is seven years and four months, for sure.”

The F.B.I. had refused to comment anything until Thursday about how much it paid for demonstration of the iPhone hacking.

If this price tag is true then it will be interesting to know how much other giant companies  have offered for identifying iOS vulnerabilities.

'Blackhole' exploit kit creator sentenced for 7 years

Dmitry Fedotov, a Russian national who created the infamous Blackhole exploit kit, was sentenced to 7 years in prison by a Moscow Court. Known as “Paunch” in the cybercrime world, Fedotov, along with his seven accomplices, was arrested in October 2013 for involvement in a criminal organization.

According to a Russian security firm, Paunch had more than 1,000 customers and was earning $50,000 per month from his illegal activity. The Blackhole exploit kit was rented for $500 per month if run on the seller’s server and $700 if customers wanted to run it on their own server.

Coming into existence in 2010, Blackhole exploit kit was responsible for large number of malware infections. It was stitched into malicious sites and exploited a variety of Web-browser vulnerabilities.

(pc-google images)
A few months before his arrest, Paunch teamed up with a fraudster known online as “J.P. Morgan” and announced that they had set aside $100,000 to acquire zero-day exploits. The budget for zero-days later doubled, and “J.P. Morgan” increased it to $450,000 after Fedotov’s arrest.

Russian authorities estimated that Paunch and his accomplices caused damage of 70 million rubles (approx. $2 million) at the time of his arrest.

Adobe Flash vulnerabilities more in focus for exploit kit writers: NTT reports

A study done by  NTT Group reveals that exploit kit writers are more interested in vulnerabilities in Adobe Flash rather than the Java vulnerabilities.

In 2015, the top 10 vulnerabilities targeted by exploit kits belonged to Adobe Flash. However in 2013, the scenario was different, the top 10 vulnerabilities targeted by exploit kits included one Flash and eight Java vulnerabilities.

The reason behind this shift is that the  vulnerabilities in Java have dropped drastically, while vulnerabilities in Flash has jumped by almost 312 per cent (four-fold) over 2014 levels, NTT reports.

In their latest global threat intelligence report that was published on Tuesday, states that spear phishing attacks accounted for approximately 17 per cent of incident response activities, and an 18 per cent rise in malware detected for every industry other than education.

The report consists of analysis of  threats and trends from the 1999, information from 24 security operations centers, seven R&D centers, 3.5 trillion logs, 6.2 billion attacks and nearly 8,000 security clients across six continents.

"NTT clients from the education sector tended to focus less on the more volatile student and guest networks, but malware for almost every other sector increased," a spokesman from NTT Group's Solutionary managed security service business commented.

Europol arrests Romanian group on ATM skimming operation

European Union’s law enforcement agency, Europol along with Italy's military, Carabinieri arrested 16 Romanian nationals who were operating a massive ATM skimming operation in three EU countries.

Authorities seized micro camera bars, card readers, magnetic strip readers and writers, computers, phones, flash drives, and plastic cards ready to be formed into credit card clones from individuals arrested from across Italy.

The group installed ATM skimming devices on cash machines across Italy, Denmark, and the UK. Later, the group collected credit card data from these devices, crafted cloned payment cards and pass them off to partners in Belize and Indonesia who made fraudulent transactions and emptied the victim’s accounts.

The money was later split across group members.

The damaged incurred by this criminal group’s activity is estimated at EUR 1.2 million ($1.35 million) in the past.

Officials started its investigation on the group in 2014 when they first came to know about it.

This isn’t the first time when group of Romanian nationals have been caught operating ATM skimming 
operations. In the past, many such activities have taken place.

However, intelligence agencies and security officials have been trying to make payment transactions safer for 
customers throughout Europe and elsewhere.

Open Sourced Vulnerability Database shuts down

Open Sourced Vulnerability Database (OSVDB), a website that provides unbiased and accurate information about software vulnerabilities, has decided to shut down permanently. 

This announcement came after the lack of industry support for the maintenance of the project. OSVDB was launched in March 2004 as a project whose goal was to provide precise and unbiased information about security vulnerabilities. It was guided by the non-profit organization Open Security Foundation (OSF).

In a brief statement, Brian Martin, one of the leaders of the OSDVB project, pointed out that they won’t be coming back. “As of today, a decision has been made to shut down the Open Sourced Vulnerability Database (OSVDB), and will not return. We are not looking for anyone to offer assistance at this point, and it will not be resurrected in its previous form,” Martin said in a blog post. “This was not an easy decision, and several of us struggled for well over ten years trying to make it work at great personal expense. The industry simply did not want to contribute and support such an effort,” he added.

The OSVDB blog will, however, continue to be a place for providing commentary on all things related to the vulnerability world.

Before the abrupt shut down, the site had managed to collect over 106,000 vulnerabilities in over 83,000 products from over 10,000 vendors.

Personal data of 50 million Turkish citizens including its President leaked online

Database of a massive leak posted online claims to contain details of almost 50 million Turkish citizens including country's president, Recep Tayyip Erdogan, his predecessor Abdullah Gul and Prime Minister Ahmet Davutoglu.

The bulk data, which contains 49,611,709 records, appeared on the website of an Icelandic group on Monday (April 04). The complete archive of 1.5 GB is available for downloading on both Torrent and Magnet URL.

On the download page, the hackers wrote: "Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?"
The hacker also listed a number of 'lessons' aimed at Turkish authorities including "bit shifting isn't encryption" and "putting a hardcoded password on the UI hardly does anything for security". Lastly, the hacker added: "Do something about Erdogan! He is destroying your country beyond recognition. Lessons for the US? We really shouldn't elect Trump, that guy sounds like he knows even less about running a country than Erdogan does."

The unnamed hacktivist have posted data which is usually included in a standard Turkey ID card. It holds the first and last names, national identifier numbers, mother and father's first names, gender, city of birth, date of birth, full address, ID registration cities and districts of citizens.

The Associated Press was able to partially verify the authenticity of the leak by running 10 non-public Turkish ID numbers against names contained in the dump. Eight out of ten were a match.

Turkish officials didn't immediately comment on the leak.

Experts speculate that data have been stolen from a government agency managing data of Turkish citizens.
If the authenticity of all 50 Million records gets verified, this will be one of the biggest public breaches of its kind, effectively putting two-thirds of the Nation's population at risk of identity theft and fraud.

The breach will be the biggest leaks after the one that occurred in U.S. government's Office of Personnel Management (OPM) in April 2015 that compromised the personal information of over 22 Million U.S. federal employees, contractors, retirees and others and exposed millions of sensitive and classified documents.

PowerWare uses Microsoft Word and PowerShell to infect users

US-based security firm, Carbon Black has discovered new ransomware variant known as PowerWare.
The ransomware discovered a week ago targeted a company in the healthcare industry.
As with all ransomware families identified this week, this one has a kink of its own and its mode of operation has never been seen before in other ransomware strains.
PowerWare is different from other crypto-ransomware samples because it is fileless, which is a tactic adopted by other malware families pushed in prolific exploit kits such as Angler.
The PowerWare ransomware is written completely in the Windows PowerShell scripting language. It uses a combination of Word files, macro scripts, and PowerShell scripting language to infect victims with its deadly payload.
PowerShell is a task automation and configuration management framework that's included in Windows and is commonly used by systems administrators. It has its own powerful scripting language that has been used to create sophisticated malware in the past.
In spite of its innovative methods, the ransomware still relies on old-school infection tactics that starts with spam email arriving in the victim's inbox. Emails contain Word documents with malicious macros which is an increasingly common attack technique.
Once enabled, the macro opens cmd.exe, which then calls PowerShell, a native Windows framework that uses a command-line shell to manage tasks, to download a malicious script. The use of PowerShell avoids writing files to the disk and allows the malware to blend in with legitimate activity on the computer.
PowerWare uses PowerShell to ultimately encrypt files stored on the machine once it’s compromised.
Once everything is encrypted, the ransom note is displayed on the victim’s screen asking them for $500 bitcoin in exchange for the encryption key; the ransom, however, goes up to $1,000 two weeks after infection.
The use of macros to push malware, meanwhile, has enjoyed resurgence in the last six months, not only with ransomware, but also banking malware such as Dridex. Macros, however, are disabled by default on Windows machines.
As for PowerSniff, discovered by Palo Alto, it uses macros to initiate a PowerShell instance which then downloads shellcode that writes the Ursnif point-of-sale malware directly into memory.
Both companies have published indicators of compromise for the respective malware families.
Multiple hospitals have recently fallen victim to ransomware attacks.
Attackers are not through testing the limits of what they can do with new features in ransomware samples.

Personal details of 2000 Southern expatriates leaked online

The personal details of more than 2000 foreign nationals living in Southern Thailand were briefly posted online over the weekend in a data breach.

This was uncovered by the users of social media after they spotted the names, addresses, professions and passport numbers of more than 2,000 expatriates, living in Thailand's southern provinces, principally Nakhon Si Thammarat province ,on a database.

According to reports in Bangkok Post, the website carried an immigration police seal but used a private Thai web address. The site was openly available without a password, and some users guessed the website’s less-than-secure administration password: 12345.

It was taken down early Monday, but not before the site’s existence had gone viral, the reports said. The removal of the data was ordered by Thai Deputy Prime Minister Prawit Wongsuwon as some foreigners were worried about their safety.

A digital advocacy group, Thai Netizens, tracked down the website’s owner Akram Aleeming, who in a facebook posted that the site had mistakenly been made public during testing stages.

“We were doing a demo,” Aleeming reportedly told AFP, the Paris-based newswire. “As people were concerned it might affect security, we closed it [the website].”

Security flaw in automatic doors

Automatic doors could also be hacked. I am sure you are pretty amazed by my first line but it is true. Doors used in secure areas likes airports, hospitals, government facilities and other organizations can easily be hacked due to a vulnerability in networked door controllers.

According to Ricky Lawshae, a researcher with Trend Micro's newly acquired DVLabs division, the security flaw exists in the VertX and Edge lines of door controllers from HID Global, manufacturers of smartcards, card readers and access control systems.

The problem lies in the HID's VertX and Edge controller which can be remotely controlled   over the network and have a service called discoveryd (discovery daemon) that listens to UDP probe packets on port 4070.

When it receives a packet, the door controller automatically responds with its physical MAC address, device type, firmware version and other identifying information, like the human readable name that was assigned to it.

"Since the device in this case is a door controller, having complete control includes all of the alarm and locking functionality," Lawshae said in a blog post. "This means that with a few simple UDP packets and no authentication whatsoever, you can permanently unlock any door connected to the controller."

HID have been informed about the flaws, and they are working to release the patch as soon as possible, but probably it will take a long to reach all customers or it might reach everyone ever.