Mozilla has given the widely-used cURL file transfer library a thumbs up in a security audit report that uncovered nine vulnerabilities.

Of those found in the free security review were four high severity vulnerabilities leading to potential remote code execution, and the same number of medium risk bugs. One low risk man-in-the-middle TLS flaw was also uncovered.

A medium case insensitivity credential flaw in ConnectionExists() comparing passwords with strequal() was not fixed given the obscurity and difficulty of the attack.

The remaining bugs were shuttered in seven patches after two vulnerabilities were combined in the largest cURL fix to date.

More fixes are on the way, cURL lead developer and Mozilla engineer Daniel Stenberg says.

"While working on the issues one-by-one to have them fixed we also ended up getting an additional four security issues to add to the set [from] three independent individuals," Stenberg says.

"All these issues [made for] a really busy period and … I could get a short period of relief until the next tsunami hits."

Five Mozilla engineers from the Berlin-based Cure53 team which conducted the 20-day source code audit.

"Sources covering authentication, various protocols, and, partly, SSL/TLS, were analysed in considerable detail. A rationale behind this type of scoping pointed to these parts of the cURL tool that were most likely to be prone and exposed to real-life attack scenarios," the team wrote in the [PDF].

"At the same time, the overall impression of the state of security and robustness of the cURL library was positive."

Stenberg says he applied for the audit fearing a recent run of security vulnerability reports may have pointed to undiscovered underlying problems.

The report was finished 23 September and fixes produced over the ensuing months.

The developer says fewer checks and possible borked patches may result from the decision to audit in secret.

"One of the primary [downsides] is that we get much fewer eyes on the fixes and there aren’t that many people involved when discussing solutions or approaches to the issues at hand," Stenberg says.

"Another is that our test infrastructure is made for and runs only public code [which] can’t really be fully tested until it is merged into the public git repository." ®

Audit vulnerabilities:

  • CRL -01-021 UAF via insufficient locking for shared cookies ( High)
  • CRL -01-005 OOB write via unchecked multiplication in base 64_ encode () ( High)
  • CRL -01-009 Double - free in krb 5 read _ data () due to missing realloc () check ( High)
  • CRL -01-014 Negative array index via integer overflow in unescape _ word () ( High)
  • CRL -01-001 Malicious server can inject cookies for other servers ( Medium)
  • CRL -01-007 Double - free in aprintf () via unsafe size _t multiplication ( Medium)
  • CRL -01-013 Heap overflow via integer truncation ( Medium)
  • CRL -01-002 ConnectionExists () compares passwords with strequal () ( Medium)
  • CRL -01-011 FTPS TLS session reuse ( Low)

Sponsored: The state of mobile security maturity

The Register - Security

Great if you want to hear someone chew or breathe. Pic: The Lives of Others

Experimental malware has highlighted the possibility that hackers might be able to turn headphones into microphones in order to snoop on computer users.

Research by computer scientists at Ben-Gurion University, Israel, has revealed that both headphones and loudspeakers present a potential bugging risk. The boffins put together proof-of-concept malware, dubbed SPEAKE(a)R, in order to validate the risk.

"Malware can use a computer as an eavesdropping device, even when a microphone is not present, muted, taped or turned off," the researchers warn. In a paper, SPEAKE(a)R: Turn Speakers to Microphones for Fun and Profit (PDF), the researchers survey the scope of the risk and access potential countermeasures. Possible hardware-based defences include using only active one-way speakers or deploying either white noise emitters or an audio jammer.

Youtube Video

A speaker converts an electric signal into a sound wave. A microphone converts sound to an electrical signal. "The difference between these two pieces of equipment is that they have been optimised for the direction of conversion," according to Paul Farrington, manager of EMEA solution architects at application security firm Veracode. "However, there is little to prevent the conversion happening in the reverse direction."

This feature of consumer tech coupled with the possibility of hacking an audio port's role in the PC from output to input creates a bugging risk.

"The RealTek codec chip vulnerability is apparently allowing malware running on the device to take advantage of the physical properties of the connected equipment to use the ports to accept input when they should be restricted to output only," Farrington continued.

RealTek or operating system developers might be able to deliver a software patch to mitigate this chip vulnerability and help secure IO ports, according to Farrington. ®

Sponsored: The state of mobile security maturity

The Register - Security

A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has been active since June 2016, and their latest attacks happened in July and August.

Cobalt hackers are behind synchronized ATM heists

Setup and execution of the attacks

The group sent out spear-phishing emails – purportedly sent by the European Central Bank, the ATM maker Wincor Nixdorf, or other banks – to the target banks’ employees. The emails delivered attachments containing an exploit for an MS Office vulnerability.

“If the vulnerability is successfully exploited, the malicious module will inject a payload named Beacon into memory. Beacon is a part of Cobalt Strike, which is a multifunctional framework designed to perform penetration testing. The tool enables perpetrators to deliver the payload to the attacked machine and control it,” the researchers explained in a recently released paper.

Additional methods and exploits were used to assure persistence in the targeted machines, to gain domain administrator privileges, and ultimately to obtain access to the domain controller. From that vantage point, they were able to obtain Windows credentials for all client sessions by using the open source Mimikatz tool.

The attackers would ultimately gain control over a number of computers inside the bank’s local network. Some of them are connected to the Internet, and others not, but the latter would receive instructions from the central Cobalt Strike console through the former.

“After the local network and domain are successfully compromised, the attackers can use legitimate channels to remotely access the bank, for example, by connecting to terminal servers or via VPN acting as an administrator or a standard user,” the researchers noted. The attacker have also installed a modified version of the TeamViewer remote access tool on the compromised devices, just in case.

Once constant access was assured, the criminals searched for workstations from which they could control ATMs. They would load the ATMs with software that allows them to control cash dispensers.

The final strikes happened in a few hours on the same day, when money mules would go to the targeted ATMs, send an SMS with the code identifying the ATM to a specific phone number, the criminals would make it spit out all the cash, and the mules would leave with it.

Some interesting things about the gang’s capabilities

The Cobalt gang uses a number of legitimate, open and closed source tools – Cobalt Strike (a tool for penetration testing), Mimikatz, SDelete (a free tool available on the Microsoft website that deletes files beyond recovery), and TeamViewer.

“Once an ATM is emptied, the operator launches the SDelete program, which removes les used with a special algorithm, which prevents information from being recovered. Thereafter, the ATM restarts,” the researchers explained. “In addition, operators disable the bank’s internal servers involved in the attack using the MBRkiller malware that removes MBR (master boot record). Such a careful approach significantly complicates further investigation.”

The ATM manipulation software also contains code that allows it to record a log containing information about the banknotes dispensed – the gang obviously does not trust the money mules to correctly report the amount that was stolen from each ATM.

Which banks were hit?

IB Group did not name them, but only noted that they are based in Armenia, Belarus, Bulgaria, Estonia, Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia, Spain, the UK and Malaysia.

According to Reuters, Diebold Nixdorf and NCR, the world’s two largest ATM makers, have provided banks with information on how to prevent or at least minimize the impact of these attacks.

It is unknown how much money the group was able to steal.

Help Net Security

Kiwicon Not every demo at security cons goes off without a hitch: Badass hackers Ryan and Jeremy electrocuted themselves when building what could have been the first device capable of wirelessly exploiting door-opening push buttons.

The pair demonstrated the trial and terror process of building the box at the Kiwicon hacking event in New Zealand last Friday.

Before its insides dissolved due to extreme heat, the device it was capable of activating the push buttons that open doors to allow egress from secure buildings - but from the outside of that building.

Ryan and Jeremy's beefed-up electromagnet is the latest in a niche line of research which would allow attackers to enter buildings by using the devices to unlock the push-button door controls.

"I guess they really are touch-to-enter buttons," Jeremy told the 2,000 laughing hackers at the Michael Fowler centre, Wellington.

"Should you be worried about this? Ehh probably not."

Ryan (left) and Jeremy. Image: Darren Pauli, The Register.

The pair chalked their work up as a failed-but-fun experiment, but in reality it was something more akin to success. Others interested in the field could leverage their work, as Ryan and Jeremy did others, to build a more stable device.

If that were to happen, scores of buildings would be at risk of break and entry.

Right now, penetration testers on red teaming assignments rely on extendable sticks to shove between automatic doors. Such rigs allow them to physically depress the buttons in a much more obvious attack.

Ryan explained one beefed-up prototype that used ignition coils bought from car parts chain Supercheap Auto: "Instead of driving that small coil, it drives this massive coil, which goes into an even bigger coil which generates a large voltage which then jumps the spark gap and, instead of igniting fuel, it hits the touch-to-exit button," he says.

"The air is literally conducting electricity, it's scary stuff."


'It was just a tickle'.

During the testing process his mobile phone stopped working.

The pair, who again requested photographic anonmity, then increased the amount of electrons running through their prototype.

The current hopped across the helping hands and through Jeremy; "it was just a tickle" he says, asking delegates to please not inform his wife.

Several pieces of equipment melted including a high current motor driver which blew up instantly in a puff of blue smoke. Another piece of kit became so heated its solder melted.

A prototype

A prototype.

They reworked some existing research which failed to open the push-to-exit buttons building an electromagnetic interference fuzzer which used a scripting language and a VLSI interface into testing equipment, plus a microphone used to detect if the contraption worked.

Lab gear.

Lab gear.

The lab gear helped the pair better understand the right frequencies required to interfere with the push-to-exit button. They found that lots of noise forces the exit buttons to reduce sensitivity, and that suddenly removing that noise causes buttons to unlock.

"Some of these devices implement frequency-shifting so they are trying to evade interference like that," Ryan says.

The final prototype: A microcontroller taped to a battery, taped to a resonance circuit, taped to more batteries. RIP.

A final balled-up and taped device proved able to unlock the devices through a glass door, meaning attackers could use it to enter locked buildings, but it soon melted.

"Forunately for us the frequency intereference doesn't have to come from directly in front of the reader, and can come from the sides," Ryan says. "The range wasn't great though, and then we realised we were only using a fourth of the power, so we increased it."

"The hole in the middle?" he says, pointing to a burnt-out integrated circuit; "not meant to be there."

"We're good at prototypes." ®

Sponsored: The state of mobile security maturity

The Register - Security

Here’s an overview of some of last week’s most interesting news, podcasts, reviews and articles:

Researchers reveal WiFi-based mobile password discovery attack
A group of researchers has come up with WindTalker, a new attack method for discovering users’ passwords and PINs as they enter them into their smartphones.

New users flock to ProtonMail in wake of Trump’s victory
ProtonMail is a Swiss-based secure email service launched by a group of CERN and MIT scientists in 2013.

Ransoc browser locker/ransomware blackmails victims
An unusual combination of browser locker and ransomware, dubbed Ransoc by researchers, is targeting users who visit adult sites.

Review: iStorage diskAshur Pro SSD
The iStorage diskAshur Pro SSD is the hard drive for users with security on their mind.

Traveling on business? Beware of targeted spying on mobile
Corporate spying is a real threat in the world of cyber war. Employees traveling on behalf of their company could create opportunities for sophisticated adversaries to take sensitive corporate data. This is especially true if they are not careful with their mobile devices.

Low-cost PoisonTap tool can compromise locked computers
Dubbed PoisonTap, the tool consists of a Raspberry Pi Zero controller with a USB or Thunderbolt plug, loaded with open source software. All in all, this setup can be achieved by anyone who has $ 5 to spare.

Fraudsters accessed Three UK customer database with authorised credentials
Three UK, a telecom and ISP operating in the United Kingdom, has suffered a data breach.

8 million GitHub profiles scraped, data found leaking online
Technology recruitment site GeekedIn has scraped 8 million GitHub profiles and left the information exposed in an unsecured MongoDB database. The backup of the database was downloaded by at least one third party, and it’s likely being traded online.

Encryption ransomware hits record levels
PhishMe’s Q3 2016 Malware Review identified three major trends previously recorded throughout 2016, but have come to full fruition in the last few months

How hackers will exploit the Internet of Things in 2017
Here are three IoT threats likely to emerge in 2017 and what organizations can do to protect themselves.

Why Unidirectional Security Gateways can replace firewalls in industrial network environments
In this podcast recorded at IoT Solutions World Congress Barcelona 2016, Andrew Ginter, VP of Industrial Security at Waterfall Security, talks about Unidirectional Security Gateways. They can replace firewalls in industrial network environments, providing absolute protection to control systems and operations networks from attacks originating on external networks.

Final warning: Popular browsers will soon stop accepting SHA-1 certificates
Starting with Chrome 56, planned to be released to the wider public at the end of January 2017, Google will remove support for SHA-1 certificates. Other browser makers plan to do the same.

Researchers identify domain-level service credential exploit
The exploit could allow cyber attackers to harvest encrypted service credentials from the registry and inject them into a new malicious service to achieve lateral movement and full domain compromise.

Dangerous Android threat points to Italian spyware maker
A piece of Android spyware recently analyzed by researchers with the RedNaga Security team seemed to be yet another Hacking Team spying tool but, according to more recent revelations, another Italian company is its likely source.

Compromised: 339 million AdultFriendFinder users
Friend Finder Networks, the company that operates sites like Adultfriendfinder.com (“World’s largest sex & swinger community”), and Cams.com (“Where adults meet models for sex chat live through webcams”) has been breached – again!

Weave a web of deception to secure data
How can organizations leverage deception-based network security to keep sensitive data safe? Here are three basic steps what to look for.

Analyzing the latest wave of mega attacks
A new report, using data gathered from the Akamai Intelligent Platform, provides analysis of the current cloud security and threat landscape, including insight into two record‑setting DDoS attacks caused by the Mirai botnet.

Cloud adoption hits all-time high, Microsoft and Google dominate
Fifty-nine percent of organizations worldwide now use Office 365 or G Suite, up from 48 percent in 2015.

Critical Linux bug opens systems to compromise
Researchers from the Polytechnic University of Valencia have discovered a critical flaw that can allow attackers – both local and remote – to obtain root shell on affected Linux systems.

Facebook, Google ban fake news sources from their ad networks
Despite Mark Zuckerberg’s dismissive attitude regarding the claim that Facebook had an inappropriate impact on the US elections, the company has moved to bar sources of fake news from its Facebook Audience Network ads.

The new age of quantum computing
Quantum encryption is the holy grail of truly secure communications. If and when quantum computing becomes a widespread reality, many public-key algorithms will become obsolete.

Consumer and business perspectives on IoT, augmented reality risks
As every business becomes a digital business, the spread of technology such as augmented reality (AR) and Internet of Things (IoT) devices can add significant business value and personal convenience. Yet a new study from ISACA shows that consumers and IT professionals disagree on the risks and rewards.

Waterfall BlackBox: Restoring trust in network information
Waterfall Security Solutions announced the launch of the Waterfall BlackBox, developed to maintain the integrity of log repositories in the event of a cyber attack. Based on Waterfall’s patented unidirectional technology, the Waterfall BlackBox creates a physical barrier between networks and logged data, so that stored logs become inaccessible to attackers who are trying to cover their tracks.

Cyber risk in advanced manufacturing: How to be secure and resilient
Study results indicate nearly 40 percent of surveyed manufacturing companies were affected by cyber incidents in the past 12 months, and 38 percent of those impacted indicated cyber breaches resulted in damages in excess of $ 1 million.

New infosec products of the week​: November 18, 2016
A rundown of infosec products released last week.

Help Net Security

Which country has the best hackers: Russia or China? Credit: Pixabay

For many years I worked for Foundstone teaching hacking classes and doing penetration testing. It was the most enjoyable job I ever had.

As part of that job, I traveled the world, including China, and got to determine firsthand which country had the best hackers. Although I didn't travel to Russia during that time, lots of Russian-born hackers showed up in my classes.

[ Watch out for 11 signs you've been hacked -- and learn how to fight back, in InfoWorld's PDF special report. | Discover how to secure your systems with InfoWorld's Security newsletter. ]

Rumblings of cyberwar

Foreign hacking is top of mind right now, thanks to Russia's attempts to shake up the U.S. presidential election. With a high degree of confidence, U.S. intelligence agencies say the highest levels of Russia's government are behind the Democratic National Committee email leaks intended to embarrass Hillary Clinton. According to the reports I've read, most of these Russian hacks seems to be based on simple password phishing.

China has been involved in hacking American (and other) companies for decades. Most computer security experts believe that China already has every intellectual property secret it wants. I didn't believe the Chinese hacking rumors for years because accusers failed to provide public evidence. I've since changed my tune because many companies have released that evidence, and it appears quite convincing. Also, the Chinese government's tight control over its domestic internet makes it unlikely that Chinese hackers could have hacked U.S. targets without either direct orders -- or at least tacit acceptance.

Regardless, recent evidence suggests that Chinese hacking against American companies has decreased since President Obama and Chinese leaders signed an antihacking agreement last year. I've been involved in dealing with advanced persistent threat (APT) attacks for more than a decade, and I'm personally hearing less complaints about Chinese intrusions.

Which hackers cause the most damage?

If by "damage" you mean frequency and severity of attacks, Chinese hackers take the No. 1 spot. Very likely tens of thousands of them, funded by the government, have broken into any company they like. I'm convinced they've stolen more secrets and intellectual property than any other country, with a single breach potentially incurring many millions of dollars in damage. 

I've seen American companies work on a secret new product, only to have a Chinese company release a very similar, if not identical product first. Sometimes even the wording in the documentation is identical. I've seen entire American company divisions shut down as a result. 

Russia's hackers are more focused on direct financial crime and probably incur hundreds of millions of dollars in damage each year. Who knows -- it could be billions of dollars. But if I compare the direct financial costs of Russia versus China, China probably wins that battle due to its theft of high-value intellectual property.

What about Russia's impact on the American elections, especially if that hacking results in a presidency friendly to the Russian government? Luckily, despite Russia's best efforts, the American voting system is probably too much of a hodgepodge systems to be affected in a material way.

Best hacking skills

In my personal experience, the best hackers have always come from the United States or one of its friendly allies. I know that sounds biased, but when I taught hacking classes, the U.S. hackers always completed the hacking tests the fastest.

In the Foundstone classes we ran little tests during the day that allowed our students to practice some skill we had taught them. Most students, regardless of country, tended to perform roughly the same. At the end of the class, we had a major capture-the-flag test, which required that students put together everything we had taught them, but in slightly different ways. It required thinking outside the box. U.S. students were always able to complete the major test and were always fastest.

Unfortunately, my Foundstone experiences ended 10 years ago. Since then, several other countries have risen to become part of the elite club of hackers. Israel, for such a small country, has an enormous number of incredible hackers, and they enjoy a well-earned reputation as the best-thinking defenders.

Who's the best?

Sorry to disappoint you, but the real answer is that we don't know who's best. To be a "good" hacker you have to be invisible. The best hackers are the ones we don't see and don't know about.

But the real irony is that breaking into most organizations requires little in the way of advanced techniques anyway. Even the elite hacking units don't use their best stuff unless they have to. Why hack smart and give away your best stuff when you can hack like any script kiddie and get into the same results without being discovered?

To comment on this article and other InfoWorld content, visit InfoWorld's LinkedIn page, Facebook page and
InfoWorld Security Adviser

Computer hackers have broken into a database of Three Mobile customers and accessed their personal details in order to steal smartphones, the UK network said on Thursday.

A spokesman for the company said there had been an uptick in attempted phone fraud over the past four weeks, both through burglaries of Three retail stores and intercepting customer phone upgrades.

"In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three's upgrade system.

"This upgrade system does not include any customer payment, card information or bank account information," the spokesman said.

Three Mobile Cyber Attack and Data BreachPersonal details including names and addresses were accessed and are believed to have been used by fraudsters to order the phone upgrades, which were sent to eight customers and intercepted.

A probe is currently underway to determine how many more of the company's nine million customers have had their data breached, while the eight known clients have been contacted by Three.

A source close to the matter was quoted by The Telegraph as saying the private information of two thirds of Three customers could be at risk.

"The investigation is ongoing and we have taken a number of steps to further strengthen our controls," said the company spokesman.

Three people were arrested on Wednesday in connection to the fraud and have since been bailed.

A 48-year-old man from Kent, south-east England, and a 39-year-old man from Manchester, north-west England, were arrested on suspicions of computer misuse offences.

A 35-year-old man also from Manchester was arrested on suspicion of attempting to pervert the course of justice.

Related: TalkTalk Handed Record Fine for Data Breach

Related: Information Commissioner Talks Privacy Laws in Post-Brexit UK

view counter

© AFP 2016


SecurityWeek RSS Feed

Dan Tentler. Image: Darren Pauli / The Register.

Dan Tentler at Kiwicon. Image: Darren Pauli / The Register.

Kiwicon When Dan Tentler hacked writer Kevin Roose's Mac, his chief problem wasn't trying to pop the shell; it was trying to reign in the hundreds of shells he spawned.

Tentler had been tasked with breaching Roose's computer for a documentary showcasing penetration testers' ability to compromise users.

Tentler, also known as "Viss", told the Kiwicon hacking conference in Wellington today how he manually wrote exploits to gain access to Roo's laptop after discovering it was a Mac, but soon had access to his webcam, email, and Nest CCTV cameras.

"Shells were spawning everywhere, hundreds, so I had to write some scripts to shut them down," Tentler told the conference.

"You can do a lot of damage, but a lot of it is manual [hacking]."

With Roose's laptop boned, Tentler set about pushing limits. He set the Mac's text to speech tool to utter various sentences to mess with the writer. In one instance he made the computer say "wouldn't it be funny if I started talking to you" while Roose was in a cafe, frightening the life out of the unsuspecting writer.

In another, he made the computer remark "you look bored" after spying on him through his open webcam.

Tentler continued the absurdity getting one of his friends to drive to Roose's house and stand in front of the writer's now compromised webcams with a sign reading "Viss was here". ®

Sponsored: 10 Reasons LinuxONE is the best choice for Linux workloads

The Register - Security

Two teenagers suspected of being members of the Lizard Squad and PoodleCorp hacking groups were arrested last month by law enforcement authorities in the United States and the Netherlands.

Zachary Buchta, of Fallston, Maryland, and Bradley Jan Willem van Rooy, of Leiden, the Netherlands, have been charged with conspiracy to cause damage to protected computers, which carries a maximum sentence of ten years in prison.

The suspects, both aged 19, have been accused by U.S. authorities of operating a service that allowed users to launch distributed denial-of-service (DDoS) attacks. They are also suspected of trafficking payment card information stolen from thousands of individuals.

The Lizard Squad and PoodleCorp are best known for massive DDoS attacks that disrupted the servers of several gaming companies, including the PlayStation Network, Xbox Live, EA and Blizzard. The Lizard Squad is also known for hacking the websites of companies such as Lenovo, Malaysia Airlines and Cox.

According to the Department of Justice, Buchta used the online monikers [email protected],” “pein,” “xotehpoodle” and “lizard,” while van Rooy used the nicknames “Uchiha,” [email protected],” “dragon” and “fox.”

The FBI’s complaint also mentions two other individuals associated with Lizard Squad and PoodleCorp. They have not been named, but they use the online monikers “Chippyshell” and “AppleJ4ck.”

The complaint also shows that Buchta was linked by investigators to the @fbiarelosers account, which had discussed the DDoS attacks in private conversations with other members of LizardSquad, based on messages sent via Twitter. Records obtained by investigators from Twitter, AT&T and Sprint linked the Twitter account to a phone number associated with Buchta’s residence.

Records from Comcast showed that his IP often connected to an overseas VPN service that had been used to access the @fbiarelosers account and the websites operated by Lizard Squad and PoodleCorp. The FBI determined that Buchta’s Comcast account had accessed the @fbiarelosers account at the exact time when it had been used to discuss DDoS attacks.

Van Rooy, who is currently in custody in the Netherlands, did not even bother to hide his real IP address, which he used to access @UchihaLS and other Twitter accounts associated with the Lizard Squad. Subscriber records allowed law enforcement to link the IP to a residence in Leiden.

In private conversations with other Twitter users, @UchihaLS said he lived above a police station and claimed that even if they could trace him, they would simply “think it as a hoax.” These messages and a photograph shared by @UchihaLS linked van Rooy to the account.

Last year, police in the UK questioned at least two individuals suspected of being involved with the Lizard Squad, but so far there is no news of a conviction. A teen in Finland, also suspected of being a member of the group, was convicted last year on fraud and harassment charges, but he only received a suspended sentence.

Authorities in the UK also arrested six individuals accused of using the Lizard Squad’s LizardStresser DDoS service.

Related: UK Crime Agency Website Downed by Hackers as Revenge

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed