Language Selection

English French German Italian Portuguese Spanish

Security/Integrity/Proprietary: Microsoft, SWIFT, SymTCP, Emotet and CIA Leaks

Filed under
Security
  • Microsoft Patch Tuesday, February 2020 Edition

    A dozen of the vulnerabilities Microsoft patched today are rated “critical,” meaning malware or miscreants could exploit them remotely to gain complete control over an affected system with little to no help from the user.

    Last month, Microsoft released an advisory warning that attackers were exploiting a previously unknown flaw in IE. That vulnerability, assigned as CVE-2020-0674, has been patched with this month’s release. It could be used to install malware just by getting a user to browse to a malicious or hacked Web site.

    Microsoft once again fixed a critical flaw in the way Windows handles shortcut (.lnk) files (CVE-2020-0729) that affects Windows 8 and 10 systems, as well as Windows Server 2008-2012. Allan Liska, intelligence analyst at Recorded Future, says Microsoft considers exploitation of the vulnerability unlikely, but that a similar vulnerability discovered last year, CVE-2019-1280, was being actively exploited by the Astaroth trojan as recently as September.

  • Forging SWIFT MT Payment Messages for fun and pr... research!

    TLDR: With a bit of research and support we were able to demonstrate a proof of concept for introducing a fraudulent payment message to move £0.5M from one account to another, by manually forging a raw SWIFT MT103 message, and leveraging specific system trust relationships to do the hard work for us!

  • SymTCP – a new tool for circumventing deep packet inspections

    In a paper (PDF) entitled ‘SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery’, academics from the University of California’s Department of Computer Science and Engineering demonstrate how to bypass DPI mechanisms, regardless of their application.

    According to the team, DPI systems often use simplified machine states of network stacks that are not exact implementation copies of end hosts. Discrepancies can then be exploited through packet fragmentation or manipulation.

    SymTCP first runs ‘symbolic execution’ on a server’s TCP implementation, and the resulting scan collects execution paths labeled as either ‘accept’ or ‘drop’ for packet inspection.

    The DPI system is then checked with generated packet sequences to ascertain which, if any, are processed in the same way by the DPI and the server.

    If discrepancies in handling are detected, the open source tool is able to create packets that can reach core elements in the code responsible for accepting or dropping requests, thereby potentially avoiding DPI middlebox checks.

  •                    

  • Emotet can spread to poorly secured Wi-Fi networks and computers on them

                         

                           

    After the malware infects a computer that has Wi-Fi capability, it uses the wlanAPI interface to discover any Wi-Fi networks in the area: a neighbor’s Wi-Fi network, a free Wi-Fi network at a café, or a Wi-Fi network of a nearby business.

  •                    

  • Emotet can now hack Wi-Fi networks

                         

                           

    This new strain utilizes wlanAPI.dll calls to discover wireless networks around a computer that is already infected with Emotet. By using the compromised machine's Wi-Fi connection, the malware tries to brute-force its way in to other password protected networks nearby.

                           

    After the compromised device has been successfully connected to another wireless network, the Emotet Trojan begins looking for other Windows devices with non-hidden shares. The malware then scans for all accounts on these devices and once again brute-forces the password for the Administrator account and all other users on the system.

  •                    

  • “What is the Root User?” Joshua Schulte Set Up the Shared “root” Password He’ll Use in his Defense

                         

                           

    In a full day of testimony yesterday, one of Joshua Schulte’s former colleagues, testifying under the name Jeremy Weber (which may be a pseudonym of a pseudonym under the protective order imposed for the trial) introduced a ton of detail about how the engineering group he and Schulte worked in was set up bureaucratically, how the servers were set up, and how relations between Schulte and the rest of the group started to go south in the months and weeks leading up to the date when, the government alleges, he stole CIA’s [cracking] tools. He also described how devastating the leak was for the CIA.

                           

    In that testimony, the government began to lay out their theory of the case: When Schulte lost SysAdmin access to the servers hosting the malware they were working on — and the same day the unit announced they’d soon be moving the last server to which Schulte had administrator privileges under the official SysAdmin group — Schulte went back to the back-up file of the server from the day the fight started blowing up, March 3, 2016, and made a copy of it.

                           

    But the government also started previewing what will likely be Schulte’s defense: that some of these servers were available via a shared root password accessible to anyone in their group.

  •                    

  • State officials press Congress for more resources to fight cyberattacks [iophk: Windows TCO]

                         

                           

    Tuesday's hearing follows months of escalating attacks against government entities across the nation, with most involving ransomware, which attackers use to lock down a system and demand payment to give the user access again.

  •        

  • Trump administration wants private sector to do more to counter foreign intelligence efforts

                                 

                                   

    The Trump administration’s counterintelligence strategy, released Monday, aims for stronger collaboration between the intelligence community and the private sector on detecting and stopping foreign intelligence threats to U.S. entities.

                                   

    The plan, which President Donald Trump approved in early January, emphasizes a longstanding government argument that the private sector must do more to prevent foreign espionage. As state-sponsored hackers target more U.S. companies, corporate America should prioritize preparations to stifle similar attacks in the future, the director of the National Counterintelligence and Security Center, Bill Evanina, told reporters at a briefing Monday.

  •                            

More in Tux Machines

Noise With Blanket

Videos/Audiocasts/Shows: Linux Journal Expats, Linux Experiment, and Krita Artwork

  • You Should Open Source Now, Ask Me How!

    Katherine Druckman chats with Petros Koutoupis and Kyle Rankin about FOSS (Free and Open Source Software), the benefits of contributing to the projects you use, and why you should be a FOSS fan as well.

  • System76 starts their own desktop environment, Arch goes the easy route - Linux & Open Source news

    This time, we have System76 working on their own desktop environment based on GNOME, Arch Linux adding a guided installer, Google winning its court case against Oracle on the use of Java in Android, and Facebook is leaking data online, again. Become a channel member to get access to a weekly patroncast and vote on the next topics I'll cover

  • Timelapse: inking a comic page in Krita (uncommented)

    An uncommented timelapse while inking this page 6 of episode 34 of my webcomic Pepper&Carrot ( https://www.peppercarrot.com/ ). During the process, I thought about activating the recorder and I even put a webcam so you can see what I'm doing on the tablet too. I'm not doing it for everypages; because you can imagine the weight on disk about saving around 10h of videos like this; and also how it is not multi-tasking: when I record, you don't see me open the door to get the mail of the postman, you don't see me cleaning temporary accident of a cat bringing back a mouse at home, you don't see me typing to solve a merge request issue to merge a translation of Pepper&Carrot.

Kernel Leftovers

  • [Intel-gfx] [RFC 00/28] Old platform/gen kconfig options series
  • Patches Resubmitted For Linux With Selectable Intel Graphics Platform Support

    Back in early 2018 were patches proposed for selectable platform support when building Intel's kernel graphics driver so users/distributions if desired could disable extremely old hardware support and/or cater kernel builds for specific Intel graphics generations. Three years later those patches have been re-proposed. The patches then and now are about allowing selectable Intel graphics "Gen" support at kernel configure/build time so that say the i8xx support could be removed or other specific generations of Intel graphics handled by the i915 kernel driver. This disabling could be done if phasing out older hardware support, seeking smaller kernel images, or other similar purposes. The patches don't change any default support levels but leaves things as-is and simply provides the knobs for disabling select generations of hardware.

  • Linux Kernel Runtime Guard 0.9.0 Is Released

    Linux Kernel Runtime Guard (LKRG) is a security module for the Linux kernel developed by Openwall. The latest release adds compatibility with Linux kernels up to soon to be released 5.12, support for building LKRG into kernel images, support for old 32-bit x86 machines and more. Loading the LKRG 0.9.0 module will cause a kernel panic and a complete halt if SELinux is enabled.

  • Hans de Goede: Logitech G15 and Z-10 LCD-screen support under Linux

    A while ago I worked on improving Logitech G15 LCD-screen support under Linux. I recently got an email from someone who wanted to add support for the LCD panel in the Logitech Z-10 speakers to lcdproc, asking me to describe the process I went through to improve G15 support in lcdproc and how I made it work without requiring the unmaintained g15daemon code.

Devuan 4.0 Alpha Builds Begin For Debian 11 Without Systemd

Debian 11 continues inching closer towards release and it looks like the developers maintaining the "Devuan" fork won't be far behind with their re-base of the distribution focused on init system freedom. The Devuan fork of Debian remains focused on providing Debian GNU/Linux without systemd. Devuan Beowulf 3.1 is their latest release based on Debian 10 while Devuan Chimaera is in the works as their re-base for Debian 11. Read more