
Friday, December 1, 2017

#Security



Researchers discover a vulnerability in the DIRTY COW original patch

Posted: 01 Dec 2017 12:37 PM PST

Researchers discovered that the original patch for the Dirty COW vulnerability (CVE-2016-5195) is affected by a security flaw.

The original patch for the Dirty COW vulnerability (CVE-2016-5195) is itself affected by a security flaw: a local attacker who can already run code on the system can abuse a race condition to escalate privileges.

The new flaw was rated "Important" and received a CVSS score of 6.1; the original Dirty COW bug had been patched in October 2016.

The name 'Dirty COW' is due to the fact that it's triggered by a race condition in the way the Linux kernel's memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.

According to the security advisory published by Red Hat, the original vulnerability, tracked as CVE-2016-5195, allows local attackers to modify existing setuid files.


Now the flaw in the original patch, tracked as CVE-2017-1000405, was identified by researchers at the security firm Bindecy.

"In the "Dirty COW" vulnerability patch (CVE-2016-5195), can_follow_write_pmd() was changed to take into account the new FOLL_COW flag (8310d48b125d "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp"). We noticed a problematic use of pmd_mkdirty() in the touch_pmd() function. touch_pmd() can be reached by get_user_pages()." reads the advisory published by Bindecy.

“In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()’s logic – pmd can become dirty without going through a COW cycle – which makes writing on read-only transparent huge pages possible.”

The new bug is not as severe as the original Dirty COW vulnerability, which affected far more Linux distributions as well as the Android operating system.

The current bug does not affect Android or Red Hat Enterprise Linux, but millions of machines running other distributions remain vulnerable.

According to Red Hat, the vulnerability does not affect the Linux kernel packages shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2.

The patch released in October 2016 was meant to address Dirty COW for both regular pages and transparent huge pages; the newly found flaw shows that the transparent huge page path was left incomplete.

Eylon Ben Yaakov published a technical report on the flaw in the DIRTY COW patch.

The researchers reported the flaw to the Linux Kernel Organization on November 22; the fix was committed to the mainline kernel on November 27, and the flaw was publicly disclosed on December 1.

Bindecy experts published PoC code that overwrites the system's huge zero page. Because the zero page is shared read-only by every process that reads an untouched anonymous mapping, writing to it changes what all of those processes see.

The advisory published by Red Hat suggests two mitigations: preventing the zero page from being mapped as a huge page, or disabling transparent huge pages altogether.

"It is possible to prevent the zero page from being mapped as a huge page, by modifying a configuration tunable in the /sys directory… This prevents the flaw from being exercised in this method.

    # echo 0 > /sys/kernel/mm/transparent_hugepage/use_zero_page

Disabling huge pages: It is possible to mitigate this flaw by disabling hugepages on a system," according to Red Hat.

Pierluigi Paganini

(Security Affairs – Dirty Cow flaw, hacking)

The post Researchers discover a vulnerability in the DIRTY COW original patch appeared first on Security Affairs.

Russian cybercriminal Roman Seleznev gets another prison sentence

Posted: 01 Dec 2017 07:11 AM PST

Seleznev gets another prison sentence: a 14-year sentence for the charge in Nevada and another 14 years for the charge in Georgia.

In April, the Russian hacker Roman Seleznev, aka Track2, Bulba and Ncux, was sentenced to 27 years in prison, he was convicted of causing $170 million in damage by hacking into point-of-sale systems.

The 33-year-old was previously sentenced by a U.S. court to 27 years in prison for 38 counts of wire fraud, hacking, identity theft, and payment card fraud.

Seleznev pleaded guilty to racketeering and conspiracy to commit bank fraud charges on September 7; he has now received a further 14-year prison sentence for the Nevada charge and another 14 years for the Georgia charge.

Seleznev must pay roughly $51 million in the Nevada case and more than $2.1 million in the Georgia case.

The overall sentence is added to the previous 27-year sentence.

Seleznev was a member of the criminal ring known as Carder.su, which focused on identity theft and credit card fraud. He advertised his own website on Carder.su, offering stolen payment card data.

According to the US prosecutors, activities conducted by members of Carder.su caused $50,893,166.35 losses, roughly the same amount that Seleznev has been ordered to pay.


Authorities conducted a massive operation against members of the Carder.su community, they charged 55 individuals and 33 of them have already been convicted.

In the Georgia case, Seleznev admitted being a "casher", withdrawing cash using stolen bank account information. The case concerned a fraud against an Atlanta-based firm that processed credit and debit card transactions for financial institutions.

The crooks stole more than 45 million payment card records from the firm and used them to withdraw over $9.4 million from 2,100 ATMs in 280 cities worldwide in less than 12 hours.

Pierluigi Paganini

(Security Affairs – carding, cybercrime)

 

The post Russian cybercriminal Roman Seleznev gets another prison sentence appeared first on Security Affairs.

Google Chrome will block code injection from third-party software within 14 months

Posted: 01 Dec 2017 05:27 AM PST

Google announced that it will block third-party applications from injecting code into the Chrome browser. Developers have 14 months to update their code.

Google continues to improve the security of its products and services; the company has announced a plan to block third-party applications from injecting code into the Chrome browser.

The decision will have a significant impact on many third-party applications, including antivirus and other security software that inject code into the browser process to intercept threats.

“Roughly two-thirds of Windows Chrome users have other applications on their machines that interact with Chrome, such as accessibility or antivirus software.” states the blog post published on Google Chromium.

"In the past, this software needed to inject code in Chrome in order to function properly; unfortunately, users with software that injects code into Windows Chrome are 15% more likely to experience crashes."

The tech giant will introduce the change in three phases over a 14-month plan.

The plan:

Phase 1:

Starting with Chrome 66 in April 2018, Chrome will show users a warning after a crash, alerting them that third-party software attempted to inject code into the browser and suggesting possible fixes or instructions to remove that software.


Phase 2:

Starting from July 2018, Chrome 68 will begin blocking third-party software from injecting into Chrome processes.

If blocking prevents Chrome from starting, the browser will restart and allow the injection, but in that case it will show a warning that guides the user to remove the software.

Phase 3:

In January 2019, Chrome 72 will remove the warning and will block code injection by default.

 

Google will allow some exceptions for Microsoft-signed code, accessibility software, and IME (Input Method Editor) type-assist software.

"While most software that injects code into Chrome will be affected by these changes, there are some exceptions. Microsoft-signed code, accessibility software, and IME software will not be affected. As with all Chrome changes, developers are encouraged to use Chrome Beta for early testing." continues Google.

According to the search giant, fewer crashes mean happier users, and the company is committed to giving users a better experience.

Developers of Windows software that works with Chrome are encouraged to test their code on the Beta channel, which receives upcoming versions of the browser ahead of the stable release.

Instead of code injection, developers should move to supported mechanisms such as Chrome extensions or the Native Messaging API, which lets an extension talk to a separate native process over stdin/stdout without touching the browser's address space.

Pierluigi Paganini

(Security Affairs – Chrome, code injection)

The post Google Chrome will block code injection from third-party software within 14 months appeared first on Security Affairs.

Reading the NTT 2017 Global Threat Intelligence Center (GTIC) Quarterly Threat Intelligence Report

Posted: 01 Dec 2017 03:24 AM PST

NTT Security, a company of the tech giant NTT Group focused on cyber security, has released its 2017 Global Threat Intelligence Center (GTIC) Quarterly Threat Intelligence Report.

The research includes data collected over the last three months from NTT Security's global managed security service (MSS) platforms and from a variety of open-source intelligence tools and honeypots.

The report contains a great deal of useful information and is organized in the following sections:

  • Global Threat Visibility.
  • China's Cybersecurity Position is More Complicated Than You Realize.
  • The Face of the Insider Threat

Let's analyze each section in detail:

Global Threat Visibility

NTT Security's Global Threat Intelligence Center observed a significant increase (+24 percent from Q2 '17) in the number of security events during Q3 '17. Finance was the favourite target of threat actors, accounting for 25 percent of the detections of malicious activity in Q3 '17.


The experts observed a worrisome increase in the number of phishing campaigns and malware infections, up more than 40 percent since Q2 '17.

“Attack techniques have shifted from formal reconnaissance and exploitation to an increased dependency on botnet infrastructure, phishing campaigns, malicious attachments and links.” states the report.

The data on attack sources is interesting: the United States leads the top ten chart, followed by China, while the novelty is India, which jumped from outside the top ten to number three.


China's Cybersecurity Position is More Complicated Than You Realize

Attacks from China moved up from the number three spot in Q2 ’17 to number two in Q3 ’17.

The presence of China no longer surprises anyone, but it is worth highlighting that during Q3 '17 finance and manufacturing were the industries most heavily targeted from Chinese sources, at 40 percent and 31 percent respectively.

NTT Security confirms that for the past five years IP addresses in China have ranked within the top three source countries (IP addresses within the United States have always been the number one source of attacks).

“It is important to note that the term "Chinese sources" does not imply attribution, necessarily, to any entity associated with China. Threat actors often route through several nodes, making it difficult to determine the true source of malicious activity” continues the report.

The Face of the Insider Threat

The report highlights the danger of insider threats: it says 30 percent of them put an organization at risk, while in most cases organizations ignore the risk entirely.

The report distinguishes accidental insider threats, such as accidental disclosure (e.g., unsecured databases, internet-facing logins with default usernames and passwords), improper or accidental disposal of physical records (e.g., paper discarded without shredding) and accidental damage (e.g., a misconfiguration or command that results in loss of data or connectivity), from the malicious insider threat.

According to the experts, insider threats have cost organizations more than $30 million.

“In 2016, large organizations with more than 75,000 employees spent an average of $7.8 million to address and resolve a single insider threat incident, while small organizations of between 1,000 and 5,000 employees and contractors spent an average of $2 million per incident.” states the report.

Other key findings in the Q3 Global Threat Intelligence Center Quarterly Threat Intelligence Report include:

  • A notable increase in the number of security events during Q3 ’17 – up 24 percent from Q2 ’17
  • The finance industry had the most detections for malicious activity in Q3 ’17 – representing 25% of all cybersecurity attacks
  • Rounding out the top five targeted industries were: manufacturing at 21%, business services at 16%, health care at 13% and technology at 12%
  • Phishing campaigns and malware infections both increased by more than 40% over Q2 ’17
  • Attacks from China moved up from the number three spot in Q2 ’17 to number two in Q3 ’17
  • As an attack source, India also made a huge jump from outside the top 10 up to number three, most likely due to outside actors leveraging vulnerable and/or compromised infrastructure.

The NTT Security Q3 Threat Report can be downloaded for free at www.nttsecurity.com/en-us/gtic-2017-q3-threat-intelligence-report.

Pierluigi Paganini

(Security Affairs – Quarterly Threat Intelligence Report, Global Threat Intelligence Center)

The post Reading the NTT 2017 Global Threat Intelligence Center (GTIC) Quarterly Threat Intelligence Report appeared first on Security Affairs.

Cryptocurrency Miners hidden in websites now run even after users close the browser

Posted: 01 Dec 2017 12:04 AM PST

Some websites use a simple trick to keep their cryptocurrency miners scripts running in the background even when the user has closed the browser window.

Website administrators and crooks alike are taking an increasing interest in JavaScript-based cryptocurrency miners because of the rapid rise in cryptocurrency prices.

These scripts use the CPU of the visitor's PC to mine cryptocurrency. Some websites use a simple technique to keep their mining JavaScript under the radar and secretly running in the background even after the user closes the web browser.

In many cases the scripts are used as an alternative monetization model to banner ads. Recently, the Pirate Bay was spotted using the Coinhive browser-based cryptocurrency miner service.

Ordinarily such a script can mine only as long as the visitor is on the site; it loses access to the processor and associated resources as soon as the window is closed.

Experts from security firm Malwarebytes have discovered that some websites use a simple trick to keep their cryptocurrency mining scripts running in the background even when the user has closed the browser window.

The technique relies on a hidden pop-under browser window, opened by the mining page, that is sized to fit behind the taskbar and hidden behind the clock on Windows.

This hidden window runs the mining code, consuming the visitor's CPU cycles and power until the user spots the window and closes it.

"The trick is that although the visible browser windows are closed, there is a hidden one that remains opened. This is due to a pop-under which is sized to fit right under the taskbar and hides behind the clock." reads the blog post published by Malwarebytes.

“The hidden window's coordinates will vary based on each user's screen resolution, but follow this rule:

  • Horizontal position = ( current screen x resolution ) – 100
  • Vertical position = ( current screen y resolution ) – 40

If your Windows theme allows for taskbar transparency, you can catch a glimpse of the rogue window. Otherwise, to expose it you can simply resize the taskbar and it will magically pop it back up:”


The technique is as simple as it is effective: it is hard to notice and bypasses most ad blockers. The experts observed that the miners load their crypto-mining engine from a server hosted on Amazon Web Services.

“This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the "X" is no longer sufficient.” continues the post.

“The more technical users will want to run Task Manager to ensure there is no remnant running browser processes and terminate them. Alternatively, the taskbar will still show the browser's icon with slight highlighting, indicating that it is still running.”

To stay under the radar, the miner code running in the hidden window keeps CPU usage at a medium level rather than pegging the processor, which would make the fan noise and sluggishness obvious.

These scripts work on the latest version of Google's Chrome browser running on up-to-date versions of Microsoft's Windows 7 and Windows 10.


Users can spot a miner window by looking for browser windows still shown in the taskbar, or by running Task Manager to check for browser processes that are still alive and consuming CPU after the browser was supposedly closed.

Some antivirus products block cryptocurrency miners; an alternative is a browser extension such as No Coin, which automatically blocks in-browser miners.

Unfortunately, No Coin does not yet support Microsoft Edge, Apple Safari or Internet Explorer.

Pierluigi Paganini

(Security Affairs – cryptocurrency miners, hacking)

The post Cryptocurrency Miners hidden in websites now run even after users close the browser appeared first on Security Affairs.