Forum Hijacks, Singapore Hacking, and IE 0day
Happy Friday, everyone! The weekend is hours away, but before running off to finish off the last of your work week tasks, why not sit down with a hot cup of joe and catch up on what happened in security news this week?
In this episode, I talk about security patches for Microsoft, Adobe, and OpenSSH, cover some interesting web site hijacks, warn you of a new APT attack that leverages an IE zero day flaw, and mention an interesting hacking arrest in Singapore. Click the big red YouTube play button to learn more, and don’t forget to peek at the Reference section for links to other InfoSec news from the week.
Have fun this weekend!
(Episode Runtime: 8:52)
Direct YouTube Link: http://www.youtube.com/watch?v=VU_7KkQY1m4
Episode References:
- Software Updates
- Microsoft Patch Day Summary (find more detail in individual posts on the blog) – WGSC
- Adobe Patch Day Summary – WGSC
- OpenSSH update corrects post-authentication vulnerability – OpenSSH
- State-sponsored attackers leveraging IE 0day in watering hole attack – Fireeye
- IE zero day delivers memory-only malware – Fireeye
- Attacker steals 860K credentials from MacRumors site – Ars Technica
- MacRumors attacker says he’s not a terrorist – Ars Technica
- Cracked.com hijacked with Nuclear Pack, and serving up ZeroAccess – Threat Post
- Facebook leverages Adobe breach leak to warn their users – Marketplace.org
- “The Messiah” threatens Singapore government sites due to licensing law – ChannelNewsAsia
- The Messiah’s Anonymous YouTube threat – YouTube
- Authorities arrest The Messiah and others – ZDNet
Extras:
- Tips for recognizing phishing emails (featuring me ^_^) – PC World
- Snowden Leak: GCHQ spoofs Linkedin and Slashdot to infect OPEC Engineers – Computer World
- More D-Link device security vulnerabilities – Threat Post
- Kaspersky claims Stuxnet infected a Russian nuclear facility (but NOT ISS) – Mashable
- Security update for new Blackberry device – Threat Post
- XSS flaw in RunKeeper app – Softpedia
- More Bitcoin exchange services claim hack (disappear with your money) – AP & Help Net
- New HTTP 2.0 standard will require encryption most of the time – PC World
- Mobile flaws found at Japan’s Pwn2Own contest – eWeek
- Google fixes Pwn2Own vulnerabilities with Chrome 31 – Android Authority
- A new variant of OS X spyware discovered – Tech World
- New exploit kit targets SilverLight users (NetFlix folks beware) – PC World
— Corey Nachreiner, CISSP (@SecAdept)
Alexander Kushnarev says
1. Article “IE zero day delivers memory-only malware”. Though such payload will not survive after reboot – the value of “not to leave any artifact on the disk” is much more valuable for attackers. And also here is no need to redirect to other side for download additional bytes. Another one malware added to APT Pandora’s box…
2. OpenSSH vulnerability article: not for the first time I’m reading about the vulnerability of GCM (Galois/Counter Mode), which can be called “authenticated encryption” algorithm. It is used in commercial and open-source solutions, and (as a main benefit) provides high speed communication with authentication and encryption altogether. Agree, that this particular vulnerability is hardly exploitable due to incredible amount of work to reproduce the heap with a useful callback address after the rekey operation. And such callback address potentially can be used once again (to provide forgery data), as it is considered valid. Don’t think, that we will see any exploitation code for such vulnerability.
Anyway – this article reminds me of a previous case with GCM…but in OpenSSL. “The game” played around GHASH computations (GHASH used by GCM for authentication) and the shifting required number of bytes to forge “correct” authentication tag for the auth message. Here is the link for a case. You can even not to read all formulas inside the article – just text and examples. It’s interesting, from my point of view. PDF file.
http://eprint.iacr.org/2013/157.pdf