Josh Wieder wrote in to Cryptome describing that, while examining documents contained in WikiLeaks' full Stratfor email dump, he has so far identified 18 pieces of malware embedded in documents, and that WikiLeaks has taken no action to warn potential viewers of the hazards these documents might present. Wieder notes in particular that Adobe PDF, Microsoft Word, and Microsoft Excel documents with embedded malware have been found in the dump. These are, of course, all file formats which should be quarantined any time they are encountered in the wild and not opened in their intended runtimes without thorough examination. One particularly interesting tidbit is that, according to Wieder's initial analysis, the first infected files appear to have been introduced to Stratfor's email system through their Chief Executive's wife as early as 2003.
Kentucky Man Defends Home From Drone, Faces Charges
William Merideth of Hillview, Kentucky faces charges of first-degree criminal mischief and wanton endangerment for shooting down a nuisance drone (archived) which was loitering within the bounds of his yard's privacy fence. His neighbors had complained to Merideth about the drone before it breached the boundaries of Merideth's yard. The neighbors' complaints allowed Merideth the time to retrieve a shotgun, which he used to responsibly ground the drone, consciously avoiding discharge of his weapon over roads and neighboring properties.
Phuctor Factors 100th RSA Modulus
The Phuctor, operated by No Such lAbs, has factored its hundredth modulus by using Euclid's greatest common divisor algorithm. The Phuctor began digesting a dump of public keys from SKS keyservers back in May. Less than two weeks later Phuctor had managed to factor a key attached to a key in the PGP strong set. Considering the way the news of Phuctor's first key factoring was handled, all interested parties should examine the set of factored public keys for their own betterment.
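To show why a GCD is enough to factor such keys, here is an added example (not Phuctor's code, and not from the original post) that audits a key inventory for RSA moduli sharing a prime. The function names and the sample moduli, built from Mersenne primes, are constructed for illustration.

```python
from itertools import combinations

def euclid_gcd(a, b):
    """Euclid's algorithm: replace (a, b) with (b, a mod b) until b is 0."""
    while b:
        a, b = b, a % b
    return a

def audit_moduli(moduli):
    """Pairwise GCD over a list of RSA moduli.

    Returns (factored, duplicates). factored maps index -> (p, q) for each
    modulus that shares exactly one prime with another modulus. duplicates
    lists index pairs whose moduli are identical, which means a reused key
    rather than a factorisation.
    """
    factored, duplicates = {}, []
    for (i, n_i), (j, n_j) in combinations(enumerate(moduli), 2):
        g = euclid_gcd(n_i, n_j)
        if g == 1:
            continue  # coprime pair: nothing learned
        if n_i == n_j:
            duplicates.append((i, j))  # gcd equals n itself, no split
            continue
        for idx, n in ((i, n_i), (j, n_j)):
            if g != n:
                # g is the shared prime; one division yields the other
                factored[idx] = tuple(sorted((g, n // g)))
    return factored, duplicates

# Constructed sample: Mersenne primes stand in for RSA primes.
M31, M61, M89, M107, M127 = (2**k - 1 for k in (31, 61, 89, 107, 127))
SAMPLE = [
    M61 * M89,    # 0: shares M89 with key 1
    M89 * M107,   # 1: shares M89 with keys 0 and 3
    M31 * M127,   # 2: shares nothing, stays unfactored
    M61 * M89,    # 3: same modulus as key 0
]

if __name__ == "__main__":
    factored, duplicates = audit_moduli(SAMPLE)
    for idx in sorted(factored):
        print(f"key {idx}: modulus factored via a shared prime")
    print("identical moduli:", duplicates)
```

Pairwise comparison is quadratic in the number of keys, so it suits a private inventory rather than a full keyserver dump.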
Universal Shares Own Film With Pirates
On the 15th of this month Universal Pictures France filed a takedown request with Google (archived) demanding they remove from results sites hosting or linking pirated copies of Jurassic World. Among the addresses Universal demanded Google sanction was 127.0.0.1, which is the IP address a computer reserves for communicating with itself. This means that not only was Universal seeding its own film to pirates, it was likely doing so from the same machine used to detect and prepare a report on infringement for Universal.
Brute Force for keyboard-interactive OpenSSH Logins Discovered
A proof of concept has been published which allows an attacker to brute force OpenSSH servers that have keyboard-interactive logins enabled. FreeBSD users are especially affected, as FreeBSD allows keyboard-interactive OpenSSH logins by default. This brute force allows attempting up to 10,000 password entries at a time. It has been known for quite some time that all forms of password authentication over SSH are by necessity weaker than key-based authentication, which should be the only login method allowed on any machine over SSH. This is a rather minor enhancement to an existing protocol-level vulnerability, but the incident should serve as a reminder that a well-configured SSH server will by necessity only allow key-based logins. A patch which corrects this issue has already been committed to the source tree and will be included with OpenSSH 7.0, which is due for release in a few weeks.
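One way to check that a server really allows only key-based logins, as an added example rather than anything from the original post: the sketch below reads sshd_config text and reports which password-style methods remain enabled. It assumes sshd's first-value-wins rule and upstream defaults of yes, treats ChallengeResponseAuthentication as the older spelling of KbdInteractiveAuthentication, and does not evaluate Match blocks or Include files; the function names and sample configs are constructed.

```python
import re

# Effective value when a keyword is absent (assumed upstream defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Older spelling of the keyboard-interactive switch.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_auth(config_text):
    """Return the effective global authentication settings."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # global section ends here; Match blocks not evaluated
        key = ALIASES.get(key, key)
        if key in DEFAULTS and len(parts) == 2:
            # sshd uses the first value it obtains for each keyword
            seen.setdefault(key, parts[1].strip().lower())
    return {**DEFAULTS, **seen}

def findings(config_text):
    """List the keywords that keep the server from being key-only."""
    eff = effective_auth(config_text)
    bad = [k for k in ("passwordauthentication",
                       "kbdinteractiveauthentication") if eff[k] != "no"]
    if eff["pubkeyauthentication"] != "yes":
        bad.append("pubkeyauthentication")
    return bad

# Constructed samples. WEAK disables passwords but leaves the
# keyboard-interactive line commented out, so the default applies.
WEAK = """Port 22
PasswordAuthentication no
#ChallengeResponseAuthentication no
"""
HARDENED = """Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    print("WEAK:", findings(WEAK))
    print("HARDENED:", findings(HARDENED))
```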
"Entertainment System" Vulnerability Turns Vehicles Into Hot Death
Reports (video) are in that cybersecurity researchers Charlie Miller and Chris Valasek have demonstrated a potentially life-threatening[1] security vulnerability in a raft of new cars and trucks with "connected" entertainment systems.
[1] Michael Hastings, anyone?
Microsoft Product Critical Vulnerability Week After Update End of Life
Microsoft has now announced a vulnerability in all of its Windows products, a week after their Windows Server 2003 product reached end of life for continued support. For what little it is worth, Microsoft has issued an emergency patch to address this vulnerability in supported versions of their Windows family of products. The vulnerability exists in the way Microsoft products handle Microsoft's own "OpenType" format for fonts. This exploit via fonts affecting Windows desktops and servers follows an April exploit which rooted Windows servers using their flawed JPEG handling mechanisms. Microsoft stands to profit from users of Windows Server 2003 either upgrading to a supported version or opting for premium beyond-end-of-life support contracts.
ALM CEO Cries 'Terrorism' after Ashley Madison Hack
Billing itself as a dating site specifically for people in relationships who wish to have an affair, Ashley Madison was recently breached by an entity calling itself The Impact Team. A Gitlab user of the same name reportedly released a partial database dump containing members' personal information, including email and physical addresses and real names, though the dump was no longer accessible as of July 21st. In a message left on the site and since removed, the breacher claims to have "taken over all systems in [Avid Life Media (Ashley Madison's parent company)'s] entire office and production domains, all customer information databases, source code repositories, financial records, emails." The message lambasted ALM for charging its users a $19 fee to delete their account data while keeping their credit card purchase details including names and addresses on file, and threatened to release a complete database dump unless the company "shuts down" Ashley Madison and Established Men, another site it "owns".
Ashley Madison Hacked
Extramarital dating site Ashley Madison has been hacked, according to a report by Brian Krebs. The hack also affects other niche social networking properties operated by Ashley Madison's corporate parent, Avid Life Media. The actors behind the attack call themselves "The Impact Group", and along with releasing corporate data on Avid Life Media they have claimed that one of Ashley Madison's more profitable services, a $19 charge for fully deleting one's account, is a complete lie, as the company retains user information. According to the Impact Group, in 2014 "Full Delete" netted Ashley Madison 1.7 million US dollars in revenue while the company was still retaining users' real names, addresses, and full billing information. The Impact Team demands Avid Life take Ashley Madison and another site, "Established Men", offline permanently in order to prevent the release of all information taken from Avid Life's servers.
This incident is just another blow to the world consumers have come to expect. In a world with strong and readily accessible cryptography there is no longer any compelling reason for users to depend so entirely on a service like Ashley Madison and leave their interests in, and activities oriented towards, extramarital dating exposed.
US Can't Retain Drone Pilots
This week the United States Air Force (archived) unveiled a new program attempting to address what they describe as a "critical shortage" of pilots for their unmanned aircraft. In their desperation the Air Force is offering up-front retention bonuses of up to seventy thousand United States dollars, with an equal amount of bonus pay spread out over the duration of a retained pilot's nine-year contract. The Air Force is also increasingly directing graduates of its undergraduate pilot training programs to roles involving unmanned aircraft. The atypical nine-year contracts, along with the substantial monetary incentives being offered to retain drone pilots, suggest that the United States Air Force could be facing problems supplying manpower to operate their drone fleet well into the future.