FBI Admits Use of Zero-Day Exploits and Stingrays

In a profile of Amy Hess, the FBI’s executive assistant director for science and technology and overseer of the bureau’s Operational Technology Division, conducted by the Washington Post in the wake of the San Bernardino shootings, the FBI executive openly admitted to the use of a number of techniques the FBI use in order to track down criminals. Amongst the methods brought to light by reporter Ellen Nakashima are Zero-Day Exploits, Stingrays and the OTD’s Remote Operations Unit of hacking technicians.

For those unaware, a Stingray is a type of “cell-site simulator” that imitate cellular towers, in order to collect communications data from mobile telephones within range, both suspect and bystander alike. The tool has been a long-kept secret by the FBI, with them requiring local law enforcement members involved in their use to sign nondisclosure agreements. While Hess insisted that the FBI never enacted a gag on the police, they wanted to keep the details of the device’s functionality shielded.

A zero-day exploit is a flaw in a piece of software that can be manipulated in order to exploit it in some way, that are unknown to the software’s vendor and thus unpatched. Usage of these can allow for easier hacks into suspects PCs or mobile devices, however favoring such techniques is unreliable, and thus not a preferred method to use.

The real worry with these types of attacks are the privacy implications on the common person. A stingray’s data would have to be checked in order to identify the suspect’s data, meaning that the privacy of everyone within proximity of the device potentially has their privacy violated. Holding on to known exploits instead of reporting them to the software developers for patching opens any user of the software open to attack from a hacker were the exploit discovered by another unsavory party. As a result of these implications, both are seen as controversial by privacy advocates and as a result, governments have often tried to distance themselves from discussion of their use. Now, in an unusual moment of transparency, the FBI has potentially put itself a little closer to the disc

Fully Patched Adobe Flash Hit by New Zero-Day Update

Just as day follows night, and just as UbiSoft thinks up new and amazing game elements to strip away and charge microtransactions for, another zero-day exploit has been discovered for Adobe Flash. But this isn’t any old zero-day exploit, it’s an exploit found in the fully patched version of Flash.

The vulnerability, discovered by Trend Micro yesterday, allows attackers to secretly install malware on computers that carry Flash versions 19.0.0.185 and 19.0.0.207, and possibly earlier versions, too. Attacks exploiting the vulnerability have so far only targeted government agencies, undertaken as part of cyber-espionage initiative Operation Pawn Storm. The researchers from Trend Micro wrote:

In this most recent campaign of Pawn Storm, several Ministries of Foreign Affairs received spear phishing e-mails. These contain links to sites that supposedly contain information about current events, but in reality, these URLs hosted the exploit. In this wave of attacks, the emails were about the following topics:

“Suicide car bomb targets NATO troop convoy Kabul”

“Syrian troops make gains as Putin defends air strikes”

“Israel launches airstrikes on targets in Gaza”

“Russia warns of response to reported US nuke buildup in Turkey, Europe”

“US military reports 75 US-trained rebels return Syria”

It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.

Operation Pawn Storm has hit a number of foreign agencies over the last few months, including politicians and journalists in Russia and iOS devices used by Western governments and news outlets.

Oh, and don’t use Flash.

Thank you Ars Technica for providing us with this information.

Image courtesy of Wikimedia.

Chrome to Block Flash Ads from 1st September

Google has confirmed that from 1st September onwards, its Chrome internet browser will “begin pausing many Flash ads by default”. Though the announcement, made through the AdWord Google+ page, claims that the measure is being taken “to improve performance for users”, but it coincides with a raft of security concerns and zero-day vulnerabilities regularly reported within Adobe Flash.

The most recent Flash exploit, discovered in July, allowed hackers remote access to computers to execute malicious code. Soon after, Flash was blocked by Mozilla’s Firefox browser and by the beta version of Chrome. Google’s Tommi Li announced that the move was initiated to save laptop battery life, which seems farfetched.

YouTube has already transitioned from Flash to HTML5 to display its videos, with game streaming site Twitch following suit, while Amazon is also banning Flash ads on its domains from the start of next month. Apple has never allowed Flash on its mobile devices, citing its security holes as a rick to users, while Android removed Flash support three years ago for similar reasons.

Though the more advanced and secure HTML5 is slowly taking over – Google has even converted a number of its AdWords Flash ads into HTML5 – Flash ads still dominate the market. A report from Sizmek shows that advertisers delivered over 5.35 billion Flash ads during the first quarter of 2015, versus 4.25 billion HTML5 ads.

Thank you Ars Technica for providing us with this information.

Four New Bugs Have Been Found in Internet Explorer

I know most of you don’t even use Internet Explorer and we all know how it was humiliated throughout the years. However, since the new Microsoft Edge might be using some IE code, it’s worth pointing this out anyway.

It looks like security experts have encountered and disclosed four new vulnerabilities in Microsoft’s browser. The researchers have noted the issues through Hewlett-Packard’s Zero Day Initiative, a program which creates detection signatures and also reports them to their respective vendors.

Microsoft has already been notified, however, ZDI gives 120 days to the vendor to fix them. So, since Microsoft is more focused on Windows 10, the issues were not resolved and limited information about them have been released to the public. By limited information, it means that the actual code affected has not been released for the wise guys to figure out an actual working exploit.

However, one of the four exploits seems to have been disclosed in more detail. This is because at one of ZDI’s contest back in November, a hacker used the exploit and provided ZDI with the necessary information on how to take advantage of the vulnerability. If you’re curious, the exploit can be found here.

The remaining vulnerabilities are just theoretical at this point, but Microsoft should look into patching them as soon as possible before someone else manages to find a way to exploit them further.

Thank you PCWorld for providing us with this information

How a Hacker Made $45,000 Selling 0Day Exploits to Hacking Team

We previously reported that Italian spyware company, Hacking Team, has been hacked and had 400 GB of data publicly released via torrent websites. Well, Arstechnica reportedly found how easy it was doing business with the latter company by digging through their emails.

It seems that a Russian hacker approached the Hacking Team in 2013 with a few 0day bugs he found on Windows, OS X and iOS operating systems, with price ranges of $30,000 to $45,000. The company apparently was not interested in the latter, but it did show interest in another exploit offered by the hacker, namely the “Adobe Flash Player 9.x/10.x/11.x with the RCE exploit for the current Flash Player 11.9.x for Windows 32/64-bit and OS X 64-bit”.

The correspondence even revealed how the money was transferred to the hacker. According to the findings, the hacker received the money via bank wire transfer in three instalments, one of $20,000 in October 2013, the other of $15,000 in November 2013 and the last one of $10,000 in December 2013. There has not been any evidence of the hacker and the company doing any business up until 2015, when the Russian hacker received another $35,000 in his bank account in Moscow.

Arstechnica also approached the hacker and surprisingly, he explained that such transactions are very common between companies such as Hacking Team and freelance hackers. He stated that such transactions are “routine sales like with ZDI, VCP, pentesters and other legal 0day buyers”. I don’t know about you, but this information is as exciting as it is scary. So what are your thoughts on this?

Thank you arstechnica for providing us with this information

Swedish Hacker Finds Serious Security Flaw in OS X Yosemite

The white-hat hacker Emil Kvarmhammer from the Swedish security firm Truesec has found a serious security hole in Apple’s new OS X Yosemite. He dubbed the new vulnerability “rootpipe” and explains that it is a so-called privilege escalation vulnerability. This means that an attacker could get full root access without the need for any password and thereby take over the entire system.

Kvarnhammer didn’t disclose any details about the flaw and this is of course to give Apple time to come up with a fix before it becomes widely abused on unsuspecting users. While the bad news is that there isn’t a fix yet, nor is there any real time frame for it. The good news is that you can limit the damage a potential attacker can cause you to almost zero with just a few easy steps.

Most Apple machines are set up with just one user that has full admin privileges and there is no limit to the damage that can be done when the admin user is infected. So the first step would be to set up a user for everyday tasks next to the admin account.

The easiest way to do this without having to redo all your configurations is to create a new user and give him admin rights. Then log into that new admin user and remove the admin rights from your day-to-day user. Done. You’ll have to provide the admin password when you want to make changes to the systems such as install software, but that’s a tiny hassle in return for the huge security improvement. This is also good advice for any user of Windows or Linux.

The second step you can take to protect your data in case of an infection is to use the Apple’s FileVault tool. This will encrypt the hard drive without a too big hit on the system performance. You might not even notice it, depending on which Mac you own.

“Normally there are ‘sudo’ password requirements, which work as a barrier, so the admin can’t gain root access without entering the correct password. However, rootpipe circumvents this,” said Emil Kvarnhammer.

Kvarnhammer said he found the bug while researching new flaws in Mac OS X for two presentation he had to do. By studying the code and trying to follow the same lines of thought the original programmer had, he discovered this new flaw. Truesec works with responsible disclosure and they have received a time-frame from Apple when they are allowed to tell us more about this flaw and how it works. This date wasn’t revealed either, but there is talk about a full-disclosure from Apple about the issue in January 2015. So the fix might not be an easy one, either that or they feel confident enough that no one else will find it before then.

Thanks to Macworld for providing us with this information 

Images courtesy of Macworld