Symantec Has Some Flaws With SEP
Symantec has warned of three serious vulnerabilities in its Endpoint Protection (SEP) software, and is advising users to update their systems.
The bugs affect all builds of the 12.1 version of the SEP software, with the first two flaws allowing authorised but low privilege users of the software to gain elevated and administrative access to the management console, which can be accessed either locally or through a web-based portal.
The third bug is in the sysplant driver and enables users to bypass the SEP’s security controls and run malware and other malicious code on a targeted client machines.
“Exploitation attempts of this type generally use known methods of trust exploitation requiring enticing a currently authenticated user to access a malicious link or open a malicious document in a context such as a website or in an email,” said the security firm.
There have been no recorded exploits of the flaws, so it would appear that Symantec has squashed the bugs before they became a real-world problem for its customers.
The first two bugs were discovered by security researcher Anatoly Katyushin from rival firm Kaspersky Labs, which is a little embarrassing. Discovery of the third bug was credited to the enSilo Research Team.
Symantec advises SEP users to update their software to the 12.1 RU6 MP4 version. It also recommends that users should take precautions and restrict remote access to the management console in order to prevent hackers from attacking client systems through the web portal.
While hackers can direct sophisticated malware at even the most robustly secured systems, exploiting flaws in software offers an easier route into machines and networks, providing hackers get in before the bugs are discovered and patched.
Recent examples can be seen with the discovery of iOS malware which threatens iPhones through an Apple DRM flaw, and an error on Code.org’s website which saw the emails of its volunteers exposed.
Courtesy-TheInq
Malware Turns Computers Into Cellular Antenna
Comments Off on Malware Turns Computers Into Cellular Antenna
A team of Israeli researchers have improved on a way to steal data from air-gapped computers, thought to be safer from attack due to their isolation from the Internet.
They’ve figured out how to turn the computer into a cellular transmitter, leaking bits of data that can be picked up by a nearby low-end mobile phone.
While other research has shown it possible to steal data this way, some of those methods required some hardware modifications to the computer. This attack uses ordinary computer hardware to send out the cellular signals.
Their research, which will be featured next week at the 24th USENIX Security Symposium in Washington, D.C., is the first to show it’s possible to steal data using just specialized malware on the computer and the mobile phone.
“If somebody wanted to get access to somebody’s computer at home — let’s say the computer at home wasn’t per se connected to the Internet — you could possibly receive the signal from outside the person’s house,” said Yisroel Mirsky, a doctoral student at Ben-Gurion University and study co-author.
The air-gapped computer that is targeted does need to have a malware program developed by the researchers installed. That could be accomplished by creating a type of worm that infects a machine when a removable drive is connected. It’s believed this method was used to deliver Stuxnet, the malware that sabotaged Iran’s uranium centrifuges.
The malware, called GSMem, acts as a transmitter on an infected computer. It creates specific, memory-related instructions that are transmitted between a computer’s CPU and memory, generating radio waves at GSM, UMTS and LTE frequencies that can be picked up by a nearby mobile device.
The GSMem component that runs on a computer is tiny. “Because our malware has such a small footprint in the memory, it would be very difficult and can easily evade detection,” said Mordechai Guri, also a doctoral student at Ben-Gurion.
Symantec Uncovers Advanced Spying Malware
Comments Off on Symantec Uncovers Advanced Spying Malware
An advanced malicious software application has been discovered that since 2008 was used to spy on private companies, governments, research institutes and individuals in 10 countries, anti virus software maker Symantec Corp said in a report on Sunday.
The Mountain View, California-based maker of Norton anti virus products said its research showed that a “nation state” was likely the developer of the malware called Regin, or Backdoor. Regin, but Symantec did not identify any countries or victims.
Symantec said Regin’s design “makes it highly suited for persistent, long-term surveillance operations against targets,” and was withdrawn in 2011 but resurfaced from 2013 onward.
The malware uses several “stealth” features “and even when its presence is detected, it is very difficult to ascertain what it is doing,” according to Symantec. It said “many components of Regin remain undiscovered and additional functionality and versions may exist.”
Almost half of all infections occurred at addresses of Internet service providers, the report said. It said the targets were customers of the companies rather than the companies themselves. About 28 percent of targets were in telecoms while other victims were in the energy, airline, hospitality and research sectors, Symantec said.
Symantec described the malware as having five stages, each “hidden and encrypted, with the exception of the first stage.” It said “each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.”
Regin also uses what is called a modular approach that allows it to load custom features tailored to targets, the same method applied in other malware, such as Flamer and Weevil (The Mask), the anti virus company said. Some of its features were also similar to Duqu malware, uncovered in September 2011 and related to a computer worm called Stuxnet, discovered the previous year.
Symantec said Russia and Saudi Arabia accounted for about half of the confirmed infections of the Regin malware and the other countries were Mexico, Ireland, India, Iran,Afghanistan, Belgium, Austria and Pakistan.
Did Stuxnet Infect A Russian Nuclear Plant?
Comments Off on Did Stuxnet Infect A Russian Nuclear Plant?
Kaspersky has claimed that the infamous Stuxnet computer worm “badly infected” the internal network of an unnamed Russian nuclear plant after it caused chaos in Iran’s nuclear facilities.
Speaking at a keynote presentation given at the Canberra Press Club 2013, Kaspersky CEO Eugene Kaspersky said a staffer at the unnamed nuclear plant informed him of the infection.
“[The staffer said] their nuclear plant network which was disconnected from the internet was badly infected by Stuxnet,” Kaspersky said.
“So unfortunately these people who were responsible for offensive technologies, they recognise cyber weapons as an opportunity.”
Stuxnet was discovered to have spread throughout industrial software and equipment in 2010 and is believed to have been created by the United States and Israel to attack Iran’s nuclear facilities. According to Kaspersky’s source, the malware was carried into the Russian nuclear plant and installed on a physically separated “air-gapped” network.
Kaspersky also made a rather outlandish joke during his speech, saying that all data is subject to theft. “All the data is stolen,” Kaspersky said. “At least twice.”
“If the claim of the Russian nuclear plant infection is true, then it’s easy to imagine how this “collateral damage” could have turned into a very serious incident indeed, with obvious diplomatic repercussions,” said security expert Graham Cluley.
“There is no way to independently verify the claim, of course. But it is a fact that Stuxnet managed to infect many computer systems outside of its intended target in Iran,” Cluley added. “Indeed, the very fact that it spread out of control, was what lead to its discovery by security firms.”
Earlier this year, Symantec claimed that the Stuxnet computer worm could date back further than 2010 and was more widespread than originally believed.
Symantec’s report called “The Missing Link” found a build of the Stuxnet attack tool, dubbed Stuxnet 0.5, which it said dated back to 2005 and used different techniques to sabotage industrial facilities.
Collaborating Viruses Showing Up
Two computer viruses are collaborating to defeat clean-up operations. Microsoft researcher Hyun Choi has found that the pair of viruses foil removal by regularly downloading updated versions of their malware partner.
It is the first time that such a defense plan has been noticed before. Choi said that the Vobfus and Beebone viruses, were regularly found together. Vobfus was the first to arrive on a machine, he said, and used different tactics to infect victims. Vobfus could be installed via booby-trapped links on websites, travel via network links to other machines or lurk on USB drives and infect machines they are plugged into.
Once installed, Vobfus downloaded Beebone which enrolled the machine into a botnet. After this the two start to work together to regularly download new versions of each other. If Vobfus was detected and remediated, it could have downloaded an undetected Beebone which can in turn download an undetected variant of Vobfus.
Vobfus become a persistent problem since 2009 when it first appeared.
Anonymous Goes After North Korea
Anonymous has restarted its attack against North Korea and once again is using a North Korean Twitter account to announce website scalps.
The Twitter account @uriminzok was the scene of announcements about the hacked websites during the last stage of Op North Korea, and reports have tipped up there again.
The first wave of attacks saw a stream of websites defaced or altered with messages or images that were very much not in favour of the latest North Korean hereditary leader, Kim Jong-un.
They were supported by a Pastebin message signed by Anonymous that called for some calming of relations between North Korea and the US, and warned of cyber attacks in retaliation.
“Citizens of North Korea, South Korea, USA, and the world. Don’t allow your governments to separate you. We are all one. We are the people. Our enemies are the dictators and regimes, our goals are freedom and peace and democracy,” read the statement. “United as one, divided by zero, we can never be defeated!”
Before the attacks restarted, the last Twitter message promised that more was to come. It said, “OpNorthKorea is still to come. Another round of attack on N.Korea will begin soon.” Anonymous began delivering on that threat in the early hours this morning.
More of North Korean websites are in our hand. They will be brought down.
— uriminzokkiri (@uriminzok) April 15, 2013
We’ve counted nine websites downed, defacements and hacks, and judging by the stream of confirmations they happened over a two hour period. No new statement has been released other than the above.
jajusasang.com twitter.com/uriminzok/stat…
— uriminzokkiri (@uriminzok) April 15, 2013
Downed websites include the glorious uriminzokkiri.com, a North Korean news destination. However, when we tried it we had intermittent access.
Last time around the Anonymous hackers had taken control of North Korea’s Flickr account. This week we found the message, “This member is no longer active on Flickr.”
Anonymous Attacks MIT
January 23, 2013 by admin
Filed under Around The Net
Comments Off on Anonymous Attacks MIT
Anonymous goes after the Massachusetts Institute of Technology (MIT) website after its president called for an internal investigation into what role it played in the prosecution of web activist Aaron Swartz.
MIT president Rafael Reif revealed the investigation in an email to staff that he sent out after hearing the news about Swartz’s death.
“I want to express very clearly that I and all of us at MIT are extremely saddened by the death of this promising young man who touched the lives of so many. It pains me to think that MIT played any role in a series of events that have ended in tragedy,” he wrote.
“I have asked Professor Hal Abelson to lead a thorough analysis of MIT’s involvement from the time that we first perceived unusual activity on our network in fall 2010 up to the present. I have asked that this analysis describe the options MIT had and the decisions MIT made, in order to understand and to learn from the actions MIT took. I will share the report with the MIT community when I receive it.”
Hacktivists from Anonymous defaced two MIT webpages in the wake of the announcement and turned them into memorials for Swartz.
Powerful “Flame” Virus Found In Iran
Security experts have uncovered a highly sophisticated computer virus in Iran and other Middle Eastern states that they believe was deployed at least five years ago to engage in state-sponsored cyber espionage.
Evidence suggest that the virus, dubbed Flame, may have been built on behalf of the same nation or nations that commissioned the Stuxnet worm that attacked Iran’s nuclear program in 2010, according to Kaspersky Lab, the Russian cyber security software maker that claimed responsibility for discovering the virus.
Kaspersky researchers said on Monday they have yet to determine whether Flame had a specific mission like Stuxnet, and declined to say who they think built it.
Iran has accused the United States and Israel of deploying Stuxnet.
Cyber security experts said the discovery publicly demonstrates what experts privy to classified information have long known: that nations have been using pieces of malicious computer code as weapons to promote their security interests for several years.
A cyber security agency in Iran said on its English website that Flame bore a “close relation” to Stuxnet, the notorious computer worm that attacked that country’s nuclear program in 2010 and is the first publicly known example of a cyber weapon.
Iran’s National Computer Emergency Response Team also said Flame might be linked to recent cyber attacks that officials in Tehran have said were responsible for massive data losses on some Iranian computer systems.
Hackers Plan To Go After Fox
Anonymous plans to take out the Fox news network because of its coverage of the Wall Street Protests.
Dubbed “Operation Fox Hunt”, Anonymous announced the plans on YouTube to attack the Fox News website on the anniversary of Guy Fawkes Day. Anonymous is also planning to target former Fox News personality Glenn Beck as well as current Fox News representative Sean Hannity and Bill O’Reilly during “Operation Fox Hunt”.
Anonymous said that it has had a gutsful of “right wing conservative propaganda” and “belittling the occupiers” of the Occupy Wall Street demonstrations. Anonymous recently a distributed denial-of-service attack against the Oakland police department’s website after a 24-year-old wounded Marine home from serving two tours in Iraq was critically injured in the Occupy Oakland protest. Police allegedly threw an object that fractured the marine’s skull landing him in the hospital.
The Linux Kernel Got Hacked
Servers that are part of the Linux kernel.org infrastructure were affected during a recent intrusion where attackers managed to gain root access and plant Trojan scripts.
According to an email sent out to the community by kernel.org chief administrator John Hawley, known as warthog9, the incident started with the compromise of a server referred to as Hera. The personal colocated machine of Linux developer H Peter Anvin (HPA) and additional kernel.org systems were also affected.
“Upon some investigation there are a couple of kernel.org boxes, specifically hera and odin1, with potential pre-cursors on demeter2, zeus1 and zeus2, that have been hit by this,” Hawley wrote.
The intrusion was discovered on 28 August and according to preliminary findings attackers gained access by using a set of compromised credentials. They then elevated their privileges to root by exploiting a zero-day vulnerability that the kernel.org administrators have yet to identify.
Fortunately, logs and parts of the exploit code were retained and will help the investigation. A Trojan was added to the startup scripts of affected systems, but gave itself away through Xnest /dev/mem error messages.
According to the kernel.org admins, these error messages have been seen on other systems as well, but it’s not clear if those machines are vulnerable or compromised. “If developers see this, and you don’t have Xnest installed, please investigate,” the administrators advised.
The good news is that the exploit failed on systems running the latest Linux kernel version, 3.1-rc2, which was released two weeks ago. This is possibly the fortunate consequence of one of the bugfixes it contains.