Meaner POODLE bug that bypasses TLS crypto bites 10 percent of websites

Some of the world's leading websites—including those owned or operated by Bank of America, VMware, the US Department of Veteran's Affairs, and business consultancy Accenture—are vulnerable to simple attacks that bypass the transport layer security encryption designed to thwart eavesdroppers and spoofers.

The attacks are a variation on the so-called POODLE exploits disclosed two months ago against secure sockets layer (SSL), an encryption protocol similar to transport layer security (TLS). Short for "Padding Oracle On Downgraded Legacy Encryption," POODLE allowed attackers monitoring Wi-Fi hotspots and other unsecured Internet connections to decrypt HTTPS traffic encrypted by the ancient SSL version 3. Browser makers quickly responded by limiting or eliminating use of SSLv3, a move that appears to have averted widespread exploitation of the bug.

On Monday, word emerged that there's a variation on the POODLE attack that works against widely used implementations of TLS. At the time this post was being prepared, SSL Server Test, a free service provided by security firm Qualys, showed that some of the Internet's top websites—again, a list including Bank of America, VMware, the US Department of Veteran's Affairs, and Accenture—are susceptible. The vulnerability was serious enough to earn all sites found to be affected a failing grade by the Qualys service.

Read 5 remaining paragraphs | Comments

Sony Pictures attackers demand: “Stop the terrorist film!”

A new statement from the Sony Pictures cyber-attackers “Guardians of Peace” was posted on GitHub today, claiming that the GOP was not involved in threats to Sony employees over the weekend. Ars learned of the message through an e-mail sent from an account previously associated with the GOP, and the post included a message to Sony as well as a collection of links to download the private data of two Sony executives.

“We know nothing about the threatening e-mail received by Sony staffers, but you should wisely judge by yourself why such things are happening and who is responsible for it,” the message read.

While GOP claims to be “working all over the world,” the tone of the message from the group tilted toward implying at least some alignment with North Korea. The new message made demands regarding the distribution of the controversial comedy film The Interview—which has been the target of the North Korean regime’s ire since it was first announced earlier this year. A spokesperson for North Korea’s National Defense Commission said that The Interview was “a film abetting a terrorist act while hurting the dignity of the supreme leadership of the DPRK by taking advantage of the hostile policy of the US administration towards the DPRK.”

Read 5 remaining paragraphs | Comments

Powerful, highly stealthy Linux trojan may have infected victims for years

Researchers have uncovered an extremely stealthy trojan for Linux systems that attackers have been using to siphon sensitive data from governments and pharmaceutical companies around the world.

The previously undiscovered malware represents a missing puzzle piece tied to "Turla," a so-called advanced persistent threat (APT) disclosed in August by Kaspersky Lab and Symantec. For at least four years, the campaign targeted government institutions, embassies, military, education, research, and pharmaceutical companies in more than 45 countries. The unknown attackers—who are probably backed by a nation-state, according to Symantec—were known to have infected several hundred Windows-based computers by exploiting a variety of vulnerabilities, at least two of which were zero-day bugs. The malware was notable for its use of a rootkit that made it extremely hard to detect.

Now researchers from Moscow-based Kaspersky Lab have detected Linux-based malware used in the same campaign. Turla was already ranked as one of the top-tier APTs, in the same league as the recently disclosed Regin for instance. The discovery of the Linux component suggests it is bigger than previously thought and may presage the discovery of still more infected systems.

Read 8 remaining paragraphs | Comments

Tor privacy service used in a majority of online bank heists, report says

The majority of bank account hijackings over the past decade used the Tor privacy service to hide thieves' locations, according to a US Treasury Department report obtained by KrebsOnSecurity reporter Brian Krebs.

The non-public report said the heists could have been prevented had financial institutions noticed that the accounts were being accessed over Tor IP addresses, according to an article Krebs published Friday. The report, which was produced by the Financial Crimes Enforcement Network, was based on a review of so-called suspicious activity reports (SARs) filed by banks. Krebs wrote:

"Analysis of these documents found that few filers were aware of the connection to Tor, that the bulk of these filings were related to cybercrime, and that Tor related filings were rapidly rising," the report concluded. "Our BSA [Bank Secrecy Act] analysis of 6,048 IP addresses associated with the Tor darknet [link added] found that in the majority of the SAR filings, the underlying suspicious activity—most frequently account takeovers—might have been prevented if the filing institution had been aware that their network was being accessed via Tor IP addresses."

At first blush, the data appears to make a strong case that banks should block connections made over Tor, or at least to subject them to extra scrutiny. Krebs said it's not that simple. For one thing, the approach wouldn't be likely to provide a lasting benefit, since criminals have other resources besides Tor for covering their tracks. Additionally, banking restrictions on Tor could harm the privacy service. Current restrictions in place against Tor already pose an existential threat to its users and threaten to put them into a silo that's separate from non-private IP addresses. Tor users, for instance, are prevented from editing Wikipedia articles, and Google often subjects them to additional CAPTCHAs when performing searches.

Read 1 remaining paragraphs | Comments