“Unauthorized code” in Juniper firewalls decrypts encrypted VPN traffic

An operating system used to manage firewalls sold by Juniper Networks contains unauthorized code that surreptitiously decrypts traffic sent through virtual private networks, officials from the company warned Thursday.

It's not clear how the code got there or how long it has been there. An advisory published by the company said that NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected and require immediate patching. Release notes published by Juniper suggest the earliest vulnerable versions date back to at least 2012 and possibly earlier. There's no evidence right now that the backdoor was put in other Juniper OSes or devices.

"During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections," Juniper Chief Information Officer Bob Worrall wrote. "Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS."

IRS Releases Fourth Tax Security Tip

Original release date: December 17, 2015

The Internal Revenue Service (IRS) has released the fourth in a series of tips intended to help the public protect personal and financial data online and at home. This tip focuses on protecting your passwords. Recommendations include creating longer and more complex passwords, not using the same passwords for multiple accounts, and changing your passwords on a regular basis.

US-CERT encourages users and administrators to review the IRS Security Awareness Tax Tip Number 4 and the US-CERT Tip Choosing and Protecting Passwords for additional information.

Outlook “letterbomb” exploit could auto-open attacks in e-mail

One of a heaping collection of critical bug fixes pushed out by Microsoft on December 8 as part of the company's monthly "Patch Tuesday" was an update to the Microsoft Office suite designed to close a vulnerability that would allow an attacker to sneak past Outlook's security features. While the patch addressed multiple vulnerabilities in the way Office manages objects in memory, the most severe of them allows for remote code execution through a "specially crafted Microsoft Office file," Microsoft reported.

Now more details of just how bad that vulnerability is have been provided by security researcher Haifei Li in a paper entitled "BadWinmail: The 'Enterprise Killer' Attack Vector in Microsoft Outlook." The vulnerability allows a crafted attachment to an e-mail to bypass Outlook's layers of security by exploiting Office's Object Linking and Embedding (OLE) capabilities and Outlook's Transport Neutral Encapsulation Format (TNEF)—the e-mail attachment method associated with Outlook messages' winmail.dat attachments.

The winmail.dat file includes instructions on how to handle attachments embedded within it. "When the value of the 'PidTagAttachMethod' [within winmail.dat] is set to ATTACH_OLE (6)," Haifei wrote, "the 'attachment file' (which is another file contained in the winmail.dat file) will be rendered as an OLE object."

Behold, the catalog of cellphone spying gear the feds don’t want you to see

A secret catalog of cellphone spying gear has been leaked to The Intercept, reportedly by a person inside the intelligence community who is concerned about the growing militarization of domestic law enforcement.

Among the 53 items are the now-familiar Stingray I/II surveillance boxes. They're billed as the "dragnet surveillance workhorse [that] has been deployed for years by numerous local law enforcement agencies across the United States." It has a range of 200 meters and sells for $134,000. A chief selling point is the "ready-made non-disclosure agreements from the FBI and Harris Corp. [that] will provide a pretext for concealing these features from the public." The listing also touts Harris' "next-generation Hailstorm, a must-have for cracking the 4G LTE network."

Besides manufacturing the Stingray brand of surveillance gear, Harris once employed a spokesman named Marc Raimondi. According to an Intercept article accompanying the leaked catalog, Raimondi is now a Department of Justice spokesman who says the agency's use of stingray equipment is legal.
