Adobe Flash exploit grabs video and audio, long after “fix”

A security flaw in Adobe Flash thought to have been repaired in October 2011 has resurfaced in a new proof-of-concept hack that can grab video and audio from a user's computer without the user's consent. The page hosts a transparent Flash object placed over something the visitor wants to click; the click lands on the hidden object and activates it, after which the object can take control of the camera and microphone regardless of the permissions the user has set.

The exploit was demonstrated by developer Egor Homakov and was based on code by Russian security researcher Oleg Filippov. (Note that the demonstration uses images of scantily clad women and may not be considered safe for work.)

“This is not a stable exploit (tested on Mac and Chrome. I do use Mac and Chrome so this is a big deal anyway),” Homakov wrote. "Your photo can be saved on our servers but we don't do this in the PoC. (Well, we had an idea to charge $1 for deleting a photo but it would not be fun for you). Donations are welcome though.”


NSA gets early access to zero-day data from Microsoft, others

The National Security Agency (NSA) has used sensitive data on network threats and other classified information as a carrot to gain unprecedented access to information from thousands of companies in technology, telecommunications, finance, and manufacturing, according to a report by Michael Riley of Bloomberg. That data includes information on "zero-day" security threats from Microsoft and other software companies, according to anonymous sources familiar with the data-swapping program.

The NSA isn’t alone in the business of swapping secrets with the corporate world. The FBI, CIA, and Department of Defense (DOD) also have programs enabling them to exchange sensitive government information with corporate “partners” in exchange for access to things like information on cyberattacks, traffic patterns, and other information that relate to network security.

The NSA’s dual role as the security arbiter for many government networks and as point organization for the US government’s offensive cyberwarfare capabilities means that the information it gains from these special relationships could be used to craft exploits to gain access to the computer systems and networks of foreign governments, businesses, and individuals. But it remains unclear just how much of a head start information about bugs actually gives NSA or whether companies actually delay posting fixes on the NSA's behalf.


Malware Using Fake Certificate to Evade Detection

Contributor: Hiroshi Shinotsuka

Malware authors are always seeking new ways to hone their craft. As cybercriminals are facing a multitude of preventative technologies from Symantec and users are becoming more security conscious, it is becoming increasingly difficult for the bad guys to win.

Recently, during research, we came across an oddly named sample, Word13.exe. At first glance it appears to be a digitally signed file from Adobe.

Figure 1. Word13.exe file signed by Adobe

Figure 2. Fake digital signature properties

But upon closer inspection we found something very interesting.

Figure 3. Fake signature and certificate

It's fake: the "Issued By" field reads "Adobe Systems Incorporated", the same name as the subject, which means the certificate was issued by itself rather than by a certificate authority. Adobe is a VeriSign customer, so a genuine Adobe code-signing certificate is issued by VeriSign (compare Figure 4). The certificate details also show that the root CA certificate is not trusted, another dead giveaway.

Figure 4. Legitimate Adobe signature and certificate
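The two checks above (is the certificate issued by itself, and does its chain end in a root the machine trusts) can be scripted instead of read off the certificate dialog. The PowerShell function below is an added example and is not code from the Symantec post; it uses only the built-in Get-AuthenticodeSignature cmdlet and the .NET X509Chain class, and the file path in the usage line is a hypothetical one.

```powershell
# Added example, not from the original post: triage an Authenticode signature
# the way the analysis above does by hand, and report anything suspicious.
function Test-SuspiciousSignature {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $findings = @()

    # 1. Windows' own verdict. Anything other than 'Valid' (NotSigned,
    #    HashMismatch, NotTrusted, UnknownError) is worth recording.
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status: $($sig.Status) - $($sig.StatusMessage)"
    }

    $cert = $sig.SignerCertificate
    if ($cert) {
        # 2. Issuer equal to Subject means the certificate issued itself, as in
        #    Word13.exe, where 'Issued By' reads 'Adobe Systems Incorporated'.
        #    A genuine Adobe code-signing certificate is issued by a public CA.
        if ($cert.Issuer -eq $cert.Subject) {
            $findings += "self-issued certificate: $($cert.Subject)"
        }

        # 3. Build the chain and see whether it terminates in a root present in
        #    this machine's trusted root store. Revocation is skipped here so the
        #    check works offline; run it separately when network access is fine.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $null = $chain.Build($cert)
        foreach ($s in $chain.ChainStatus) {
            if ($s.Status -eq 'UntrustedRoot') {
                $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
                $findings += "untrusted root CA: $($root.Subject)"
            }
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Subject  = if ($cert) { $cert.Subject } else { $null }
        Issuer   = if ($cert) { $cert.Issuer } else { $null }
        Status   = $sig.Status
        Findings = $findings
    }
}

# Usage (the path is hypothetical):
# Test-SuspiciousSignature -Path 'C:\Users\victim\Downloads\Word13.exe' | Format-List
```

A legitimately signed Adobe binary returns Status Valid, an Issuer naming VeriSign, and an empty Findings list; the sample described here would return at least the self-issued and untrusted-root findings. Note that a self-issued certificate can also be legitimate for internal tooling, so treat the findings as triage signals rather than a verdict.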

Symantec has protection in place and detects this file as Backdoor.Trojan.

Backdoor.Trojan will execute and inject itself into iexplore.exe or notepad.exe and start a back door function.

It may create the following files:

  • %UserProfile%\Application Data\aobecaps\cap.dll
  • %UserProfile%\Application Data\aobecaps\mps.dll
  • %UserProfile%\Application Data\aobecaps\db.dat

It connects to the following command-and-control (C&C) server on port 3337:

  • Icet**** 

This back door may then perform the following actions:

  • Steal user and computer information
  • Create folders
  • Create, download, delete, move, search for, and execute files
  • Capture screenshots
  • Emulate mouse function
  • Steal Skype information

To avoid becoming a victim of this threat, keep your antivirus definitions and your software packages up to date. Always double-check the URL of a download being offered and, where applicable, inspect the file's certificate and signature before running it.

Encrypted e-mail: How much annoyance will you tolerate to keep the NSA away?

Aurich Lawson

In an age of smartphones and social networking, e-mail may strike many as quaint. But it remains the vehicle that millions of people use every day to send racy love letters, confidential business plans, and other communications both sender and receiver want to keep private. Following last week's revelations of a secret program that gives the National Security Agency (NSA) access to some e-mails sent over Gmail, Hotmail, and other services—and years after it emerged that the NSA had gained access to full fiber-optic taps of raw Internet traffic—you may be wondering what you can do to keep your messages under wraps.

The answer is public key encryption, and we'll show you how to use it.

The uses of asymmetry

The full extent of the cooperation between the NSA and various technology companies is unclear, and it will probably remain that way for the foreseeable future. For the time being, however, it seems likely that the standard cryptographic tools used to secure data "in flight" (that is, the SSL that protects data traveling between machines on the Internet) remain secure as long as certain best practices are followed.
