close
  • Sc chevron_right

    Hacking Digitally Signed PDF Files

    news.movim.eu / Schneier · 3 days ago - 21:13 · 1 minute

Interesting paper: “ Shadow Attacks: Hiding and Replacing Content in Signed PDFs “:

Abstract: Digitally signed PDFs are used in contracts and invoices to guarantee the authenticity and integrity of their content. A user opening a signed PDF expects to see a warning in case of any modification. In 2019, Mladenov et al. revealed various parsing vulnerabilities in PDF viewer implementations.They showed attacks that could modify PDF documents without invalidating the signature. As a consequence, affected vendors of PDF viewers implemented countermeasures preventing all attacks.

This paper introduces a novel class of attacks, which we call shadow attacks. The shadow attacks circumvent all existing countermeasures and break the integrity protection of digitally signed PDFs. Compared to previous attacks, the shadow attacks do not abuse implementation issues in a PDF viewer. In contrast, shadow attacks use the enormous flexibility provided by the PDF specification so that shadow documents remain standard-compliant. Since shadow attacks abuse only legitimate features,they are hard to mitigate.

Our results reveal that 16 (including Adobe Acrobat and Foxit Reader) of the 29 PDF viewers tested were vulnerable to shadow attacks. We introduce our tool PDF-Attacker which can automatically generate shadow attacks. In addition, we implemented PDF-Detector to prevent shadow documents from being signed or forensically detect exploits after being applied to signed PDFs.

  • Ar chevron_right

    Gab, the far-right website, has been hacked and 70GB of data leaked

    news.movim.eu / ArsTechnica · 7 days ago - 23:14

Gab, the far-right website, has been hacked and 70GB of data leaked

Enlarge (credit: Gab.com)

The founder of the far-right social media platform Gab said that the private account of former President Donald Trump was among the data stolen and publicly released by hackers who recently breached the site.

In a statement on Sunday, founder Andrew Torba used a transphobic slur to refer to Emma Best, the co-founder of Distributed Denial of Secrets. The statement confirmed claims the WikiLeaks-style group made on Monday that it obtained 70GB of passwords, private posts, and more from Gab and was making them available to select researchers and journalists. The data, Best said, was provided by an unidentified hacker who breached Gab by exploiting a SQL-injection vulnerability in its code.

"My account and Trump's account were compromised, of course as Trump is about to go on stage and speak," Torba wrote on Sunday as Trump was about to speak at the CPAC conference in Florida. "The entire company is all hands investigating what happened and working to trace and patch the problem."

Read 10 remaining paragraphs | Comments

index?i=-9cQisZRe1I:_g_YJUBkEW4:V_sGLiPBpWUindex?i=-9cQisZRe1I:_g_YJUBkEW4:F7zBnMyn0Loindex?d=qj6IDK7rITsindex?d=yIl2AUoC8zA
  • Ar chevron_right

    Hackers tied to Russia’s GRU targeted the US grid for years

    news.movim.eu / ArsTechnica · Saturday, 27 February - 11:50 · 1 minute

Hackers tied to Russia’s GRU targeted the US grid for years

Enlarge (credit: Yuri Smityuk | Getty Images)

For all the nation-state hacker groups that have targeted the United States power grid —and even successfully breached American electric utilities —only the Russian military intelligence group known as Sandworm has been brazen enough to trigger actual blackouts, shutting the lights off in Ukraine in 2015 and 2016 . Now one grid-focused security firm is warning that a group with ties to Sandworm’s uniquely dangerous hackers has also been actively targeting the US energy system for years.

On Wednesday, industrial cybersecurity firm Dragos published its annual report on the state of industrial control systems security, which names four new foreign hacker groups focused on those critical infrastructure systems. Three of those newly named groups have targeted industrial control systems in the US, according to Dragos. But most noteworthy, perhaps, is a group that Dragos calls Kamacite, which the security firm describes as having worked in cooperation with the GRU's Sandworm. Kamacite has in the past served as Sandworm's "access" team, the Dragos researchers write, focused on gaining a foothold in a target network before handing off that access to a different group of Sandworm hackers, who have then sometimes carried out disruptive effects. Dragos says Kamacite has repeatedly targeted US electric utilities, oil and gas, and other industrial firms since as early as 2017.

Read 11 remaining paragraphs | Comments

index?i=464CCh06nmQ:Ygk3ti-Mb6Y:V_sGLiPBpWUindex?i=464CCh06nmQ:Ygk3ti-Mb6Y:F7zBnMyn0Loindex?d=qj6IDK7rITsindex?d=yIl2AUoC8zA
  • Sc chevron_right

    National Security Risks of Late-Stage Capitalism

    news.movim.eu / Schneier · Thursday, 25 February - 20:23 · 4 minutes

Early in 2020, cyberspace attackers apparently working for the Russian government compromised a piece of widely used network management software made by a company called SolarWinds. The hack gave the attackers access to the computer networks of some 18,000 of SolarWinds’s customers, including US government agencies such as the Homeland Security Department and State Department, American nuclear research labs, government contractors, IT companies and nongovernmental agencies around the world.

It was a huge attack, with major implications for US national security. The Senate Intelligence Committee is scheduled to hold a hearing on the breach on Tuesday. Who is at fault?

The US government deserves considerable blame, of course, for its inadequate cyberdefense. But to see the problem only as a technical shortcoming is to miss the bigger picture. The modern market economy, which aggressively rewards corporations for short-term profits and aggressive cost-cutting, is also part of the problem: Its incentive structure all but ensures that successful tech companies will end up selling insecure products and services.

Like all for-profit corporations, SolarWinds aims to increase shareholder value by minimizing costs and maximizing profit. The company is owned in large part by Silver Lake and Thoma Bravo, private-equity firms known for extreme cost-cutting.

SolarWinds certainly seems to have underspent on security. The company outsourced much of its software engineering to cheaper programmers overseas, even though that typically increases the risk of security vulnerabilities. For a while, in 2019, the update server’s password for SolarWinds’s network management software was reported to be “solarwinds123.” Russian hackers were able to breach SolarWinds’s own email system and lurk there for months. Chinese hackers appear to have exploited a separate vulnerability in the company’s products to break into US government computers. A cybersecurity adviser for the company said that he quit after his recommendations to strengthen security were ignored.

There is no good reason to underspend on security other than to save money — especially when your clients include government agencies around the world and when the technology experts that you pay to advise you are telling you to do more.

As the economics writer Matt Stoller has suggested , cybersecurity is a natural area for a technology company to cut costs because its customers won’t notice unless they are hacked ­– and if they are, they will have already paid for the product. In other words, the risk of a cyberattack can be transferred to the customers. Doesn’t this strategy jeopardize the possibility of long-term, repeat customers? Sure, there’s a danger there –­ but investors are so focused on short-term gains that they’re too often willing to take that risk.

The market loves to reward corporations for risk-taking when those risks are largely borne by other parties, like taxpayers. This is known as “privatizing profits and socializing losses.” Standard examples include companies that are deemed “too big to fail,” which means that society as a whole pays for their bad luck or poor business decisions. When national security is compromised by high-flying technology companies that fob off cybersecurity risks onto their customers, something similar is at work.

Similar misaligned incentives affect your everyday cybersecurity, too. Your smartphone is vulnerable to something called SIM-swap fraud because phone companies want to make it easy for you to frequently get a new phone — and they know that the cost of fraud is largely borne by customers. Data brokers and credit bureaus that collect, use, and sell your personal data don’t spend a lot of money securing it because it’s your problem if someone hacks them and steals it. Social media companies too easily let hate speech and misinformation flourish on their platforms because it’s expensive and complicated to remove it, and they don’t suffer the immediate costs ­– indeed, they tend to profit from user engagement regardless of its nature.

There are two problems to solve. The first is information asymmetry: buyers can’t adequately judge the security of software products or company practices. The second is a perverse incentive structure: the market encourages companies to make decisions in their private interest, even if that imperils the broader interests of society. Together these two problems result in companies that save money by taking on greater risk and then pass off that risk to the rest of us, as individuals and as a nation.

The only way to force companies to provide safety and security features for customers and users is with government intervention. Companies need to pay the true costs of their insecurities, through a combination of laws, regulations, and legal liability. Governments routinely legislate safety — pollution standards, automobile seat belts, lead-free gasoline, food service regulations. We need to do the same with cybersecurity: the federal government should set minimum security standards for software and software development.

In today’s underregulated markets, it’s just too easy for software companies like SolarWinds to save money by skimping on security and to hope for the best. That’s a rational decision in today’s free-market world, and the only way to change that is to change the economic incentives.

This essay previously appeared in the New York Times .

  • Ar chevron_right

    France ties Russia’s Sandworm to a multiyear hacking spree

    news.movim.eu / ArsTechnica · Wednesday, 17 February - 01:26

The logo of the French national cybersecurity agency Agence Nationale de la securite des systemes d

Enlarge / The logo of the French national cybersecurity agency Agence Nationale de la securite des systemes d'information(ANSSI) taken at ANSSI headquarters in Paris. (credit: Eric Piermont | AFP | Getty Images)

The Russian military hackers known as Sandworm , responsible for everything from blackouts in Ukraine to NotPetya, the most destructive malware in history , don't have a reputation for discretion. But a French security agency now warns that hackers with tools and techniques it links to Sandworm have stealthily hacked targets in that country by exploiting an IT monitoring tool called Centreon—and appear to have gotten away with it undetected for as long as three years.

On Monday, the French information security agency ANSSI published an advisory warning that hackers with links to Sandworm, a group within Russia's GRU military intelligence agency, had breached several French organizations. The agency describes those victims as "mostly" IT firms and particularly web hosting companies. Remarkably, ANSSI says the intrusion campaign dates back to late 2017 and continued until 2020. In those breaches, the hackers appear to have compromised servers running Centreon, sold by the firm of the same name based in Paris.

Read 8 remaining paragraphs | Comments

index?i=Qh_QT7je9XQ:FeCiswh-Jl4:V_sGLiPBpWUindex?i=Qh_QT7je9XQ:FeCiswh-Jl4:F7zBnMyn0Loindex?d=qj6IDK7rITsindex?d=yIl2AUoC8zA
  • Sc chevron_right

    SonicWall Zero-Day

    news.movim.eu / Schneier · Sunday, 14 February - 05:32 · 1 minute

Hackers are exploiting a zero-day in SonicWall:

In an email, an NCC Group spokeswoman wrote: “Our team has observed signs of an attempted exploitation of a vulnerabilitythat affects the SonicWall SMA 100 series devices. We are working closely with SonicWall to investigate this in more depth.”

In Monday’s update, SonicWall representatives said the company’s engineering team confirmed that the submission by NCC Group included a “critical zero-day” in the SMA 100 series 10.x code. SonicWall is tracking it as SNWLID-2021-0001 . The SMA 100 series is a line of secure remote access appliances.

The disclosure makes SonicWall at least the fifth large company to report in recent weeks that it was targeted by sophisticated hackers. Other companies include network management tool provider SolarWinds, Microsoft, FireEye, and Malwarebytes. CrowdStrike also reported being targeted but said the attack wasn’t successful.

Neither SonicWall nor NCC Group said that the hack involving the SonicWall zero-day was linked to the larger hack campaign involving SolarWinds. Based on the timing of the disclosure and some of the details in it, however, there is widespread speculation that the two are connected.

The speculation is just that — speculation. I have no opinion in the matter. This could easily be part of the SolarWinds campaign, which targeted other security companies. But there are a lot of “highly sophisticated threat actors” — that’s how NCC Group described them — out there, and this could easily be a coincidence.

Were I working for a national intelligence organization, I would try to disguise my operations as being part of the SolarWinds attack.

EDITED TO ADD (2/9): SonicWall has patched the vulnerability.

  • Ar chevron_right

    A Windows Defender vulnerability lurked undetected for 12 years

    news.movim.eu / ArsTechnica · Saturday, 13 February - 12:10

A Windows Defender vulnerability lurked undetected for 12 years

Enlarge (credit: Drew Angerer | Getty Images)

Just because a vulnerability is old doesn't mean it's not useful. Whether it's Adobe Flash hacking or the EternalBlue exploit for Windows , some methods are just too good for attackers to abandon, even if they're years past their prime. But a critical 12-year-old bug in Microsoft's ubiquitous Windows Defender antivirus was seemingly overlooked by attackers and defenders alike until recently. Now that Microsoft has finally patched it, the key is to make sure hackers don't try to make up for lost time.

The flaw, discovered by researchers at the security firm SentinelOne, showed up in a driver that Windows Defender—renamed Microsoft Defender last year—uses to delete the invasive files and infrastructure that malware can create. When the driver removes a malicious file, it replaces it with a new, benign one as a sort of placeholder during remediation. But the researchers discovered that the system doesn't specifically verify that new file. As a result, an attacker could insert strategic system links that direct the driver to overwrite the wrong file or even run malicious code.

Read 8 remaining paragraphs | Comments

index?i=XP6R2T2YOe0:9kJf17INqo4:V_sGLiPBpWUindex?i=XP6R2T2YOe0:9kJf17INqo4:F7zBnMyn0Loindex?d=qj6IDK7rITsindex?d=yIl2AUoC8zA