Tuesday, November 25, 2014

Adobe Releases Security Updates for Flash Player



Adobe has released security updates to address a vulnerability in Flash Player which could potentially allow a remote attacker to take control of an affected system.

Users and administrators are encouraged to review Adobe Security Bulletin APSB14-26 and apply the necessary updates.

NC Attorney General warns of scammers posing as Duke Energy


RALEIGH, N.C. — North Carolina’s attorney general is warning Duke Energy customers to watch for a new phone scam in which the caller claims the customer’s power bill is overdue, according to a recent press release.




Attorney General Roy Cooper said the scammers are calling Duke Energy customers saying their power will be cut off if they don’t pay their bill immediately.

“Scammers continue to make calls threatening consumers and small businesses to pay up or lose power, and we’re concerned that the cold weather will give their threats extra force,” Cooper said.

Cooper says “Duke Energy” shows up on the caller ID and the victims are told to pay their bill by putting money onto a prepaid card.



Docker has released a critical security advisory



Docker has released a critical security advisory to address vulnerabilities in Docker versions prior to version 1.3.2, one of which could allow an attacker to escalate privileges and execute remote code on an affected system.


US-CERT encourages users and administrators to review Docker's Security Advisory and apply the necessary updates.




Wednesday, November 19, 2014

Microsoft Releases Out-of-Band Security Bulletin for Windows Kerberos Vulnerability



Microsoft has released security updates to address a remote elevation of privilege vulnerability which exists in implementations of Kerberos KDC in Microsoft Windows. Exploitation of this vulnerability could allow a remote attacker to take control of an affected system.




US-CERT encourages users and administrators to review Microsoft Security Bulletin MS14-068, Vulnerability Note VU#213119, and Alert TA14-323A for additional details, and apply the necessary updates.

Microsoft Windows Kerberos KDC Remote Privilege Escalation Vulnerability



Systems Affected

Microsoft Windows Vista, 7, 8, and 8.1
Microsoft Server 2003, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2
Overview


A remote escalation of privilege vulnerability exists in implementations of Kerberos Key Distribution Center (KDC) in Microsoft Windows which could allow a remote attacker to take control of a vulnerable system. [1]
Description


The Microsoft Windows Kerberos KDC fails to properly validate the signatures on Kerberos tickets, which allows the Privilege Attribute Certificate (PAC) carried in a ticket, the part that lists the account's group memberships, to be forged. An attacker who holds any valid domain user account can therefore present a ticket that claims domain administrator group membership and have the KDC accept it, which renders the entire domain vulnerable to compromise.

At the time this release was issued, Microsoft was aware of limited, targeted attacks attempting to exploit this vulnerability.
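The signature check at issue, shown as an added example that is not code from the alert, from Microsoft or from any exploit: a cut-down model in which a "PAC" is a JSON blob listing a user's group RIDs, the krbtgt key is a made-up constant, and two verifier functions contrast the pre-fix behaviour (trusting whichever checksum type the ticket names, including unkeyed ones such as CRC32, which anyone can recompute after editing the group list) with the fixed behaviour (accepting only a keyed checksum under the KDC key). The real PAC is an NDR-encoded structure and Windows uses different checksum algorithms; the format, names and key here are assumptions made for the demonstration.

```python
import hashlib
import hmac
import json
import zlib
from typing import Dict, List, Tuple

# Constructed stand-in for the krbtgt key (the real key never leaves the domain controllers).
KDC_KEY = b"constructed-krbtgt-key-not-real"

# Well-known RIDs; the stand-in PAC carries group RIDs as plain integers.
DOMAIN_ADMINS_RID = 512
DOMAIN_USERS_RID = 513


def encode_pac(user: str, group_rids: List[int]) -> bytes:
    """Serialize a simplified PAC (user name plus group RIDs). Hypothetical format, not Windows'."""
    return json.dumps({"user": user, "groups": sorted(group_rids)}, sort_keys=True).encode()


def sign_keyed(pac: bytes, key: bytes) -> Tuple[str, bytes]:
    """What a correct KDC emits: a keyed checksum only a holder of the KDC key can produce."""
    return ("HMAC-SHA256", hmac.new(key, pac, hashlib.sha256).digest())


def sign_unkeyed(pac: bytes) -> Tuple[str, bytes]:
    """What an attacker can emit: an unkeyed checksum that requires no secret at all."""
    return ("CRC32", zlib.crc32(pac).to_bytes(4, "big"))


def verify_vulnerable(pac: bytes, signature: Tuple[str, bytes], key: bytes) -> bool:
    """Pre-fix behaviour in miniature: honour whichever checksum type the ticket names."""
    algo, value = signature
    if algo == "HMAC-SHA256":
        return hmac.compare_digest(hmac.new(key, pac, hashlib.sha256).digest(), value)
    if algo == "CRC32":
        # Accepting an unkeyed checksum means the "signature" proves nothing about who wrote the PAC.
        return zlib.crc32(pac).to_bytes(4, "big") == value
    return False


def verify_hardened(pac: bytes, signature: Tuple[str, bytes], key: bytes) -> bool:
    """Fixed behaviour: only a keyed checksum under the KDC key counts as a valid signature."""
    algo, value = signature
    if algo != "HMAC-SHA256":
        return False
    return hmac.compare_digest(hmac.new(key, pac, hashlib.sha256).digest(), value)


def forge_domain_admin(pac: bytes) -> Tuple[bytes, Tuple[str, bytes]]:
    """Take a legitimate low-privilege PAC, add Domain Admins, and re-checksum it without any key."""
    fields = json.loads(pac)
    forged = encode_pac(fields["user"], fields["groups"] + [DOMAIN_ADMINS_RID])
    return forged, sign_unkeyed(forged)


def demo() -> Dict[str, bool]:
    """Run a legitimate ticket and a forged one through both verifiers."""
    legit_pac = encode_pac("alice", [DOMAIN_USERS_RID])
    legit_sig = sign_keyed(legit_pac, KDC_KEY)
    forged_pac, forged_sig = forge_domain_admin(legit_pac)
    return {
        "legit_vulnerable": verify_vulnerable(legit_pac, legit_sig, KDC_KEY),
        "legit_hardened": verify_hardened(legit_pac, legit_sig, KDC_KEY),
        "forged_vulnerable": verify_vulnerable(forged_pac, forged_sig, KDC_KEY),
        "forged_hardened": verify_hardened(forged_pac, forged_sig, KDC_KEY),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```

The point of the contrast is that a signature check is only as strong as the weakest checksum type the verifier is willing to honour: the vulnerable verifier never compares the forged PAC against anything the attacker lacks, so the edited group list passes.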
Impact


A valid domain user can present a forged ticket carrying domain administrator privileges, gain access and compromise any system on the domain, including the domain controller. [2]
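The Microsoft Security Research and Defense post listed under References describes the one log artifact a forged ticket leaves behind: a logon event (Event ID 4624) on a domain controller in which the Security ID and the Account Name describe different accounts. The following is an added example, not from the alert or from Microsoft, that applies that check to a handful of constructed 4624 records flattened to key=value form; the account-name-to-SID directory is made up for the demonstration, and in practice it would be resolved against Active Directory.

```python
import re
from typing import Dict, Iterable, List

# Constructed account-name -> SID directory; in practice this lookup goes to Active Directory.
DIRECTORY: Dict[str, str] = {
    "nonadmin": "S-1-5-21-1000000000-2000000000-3000000000-1107",
    "administrator": "S-1-5-21-1000000000-2000000000-3000000000-500",
    "svc-backup": "S-1-5-21-1000000000-2000000000-3000000000-1150",
}

# Constructed domain-controller logon events, flattened to key=value pairs for the example.
SAMPLE_EVENTS: List[str] = [
    # Ordinary logon: the SID belongs to the named account.
    "EventID=4624 LogonType=3 SecurityID=S-1-5-21-1000000000-2000000000-3000000000-1107 AccountName=nonadmin AccountDomain=CORP",
    # Forged-PAC pattern: the SID is the built-in Administrator's, the name is the low-privilege user.
    "EventID=4624 LogonType=3 SecurityID=S-1-5-21-1000000000-2000000000-3000000000-500 AccountName=nonadmin AccountDomain=CORP",
    # A logoff event is not a logon and is ignored.
    "EventID=4634 SecurityID=S-1-5-21-1000000000-2000000000-3000000000-1150 AccountName=svc-backup AccountDomain=CORP",
    # An account the directory cannot resolve is reported rather than silently passed.
    "EventID=4624 LogonType=3 SecurityID=S-1-5-21-1000000000-2000000000-3000000000-9999 AccountName=ghost AccountDomain=CORP",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened event line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def rid_of(sid: str) -> str:
    """Relative identifier (last component) of a SID, e.g. '500' for the built-in Administrator."""
    return sid.rsplit("-", 1)[-1]


def find_sid_mismatches(lines: Iterable[str], directory: Dict[str, str]) -> List[Dict[str, str]]:
    """Flag 4624 events whose Security ID does not belong to the Account Name."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        name = ev.get("AccountName", "").lower()
        sid = ev.get("SecurityID", "")
        expected = directory.get(name)
        if expected is None:
            findings.append({"account": name, "sid": sid, "reason": "unresolved_account"})
        elif expected != sid:
            findings.append({
                "account": name,
                "sid": sid,
                "expected_sid": expected,
                "rid": rid_of(sid),
                "reason": "sid_mismatch",
            })
    return findings


if __name__ == "__main__":
    for hit in find_sid_mismatches(SAMPLE_EVENTS, DIRECTORY):
        print(hit)
```

A mismatch where the unexpected SID ends in a well-known privileged RID (500 for Administrator, 512 for Domain Admins, 519 for Enterprise Admins) is the case to escalate first; an unresolved account is usually a stale directory snapshot, but it should not be dropped on the floor.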
Solution


An update is available from Microsoft. The fix takes effect on domain controllers, which should be updated first; the updates for client operating systems are defense in depth. Please see Microsoft Security Bulletin MS14-068 and the Microsoft Security Research and Defense Blog for more details, and apply the necessary updates. [1, 3]
References

Microsoft Security Bulletin MS14-068
Vulnerability Note VU#213119
Microsoft Security Research and Defense Blog
Revisions



November 19, 2014: Initial Draft

Friday, November 14, 2014

Microsoft Secure Channel (Schannel) Vulnerability (CVE-2014-6321)



11/14/2014 10:32 AM EST






Original release date: November 14, 2014

Systems Affected
Microsoft Windows Server 2003 SP2
Microsoft Windows Vista SP2
Microsoft Windows Server 2008 SP2
Microsoft Windows Server 2008 R2 SP1
Microsoft Windows 7 SP1
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows RT
Microsoft Windows RT 8.1

Microsoft Windows XP and 2000 may also be affected.
Overview

A critical vulnerability in Microsoft Windows systems could allow a remote attacker to execute arbitrary code via specially crafted network traffic.[1]
Description

Microsoft Secure Channel (Schannel) is a security package that provides SSL and TLS on Microsoft Windows platforms.[2, 3] Due to a flaw in Schannel, a remote attacker could execute arbitrary code on both client and server applications.[1]

It may be possible for exploitation to occur without authentication and via unsolicited network traffic. According to Microsoft Security Bulletin MS14-066, there are no known mitigations or workarounds.[2]

Microsoft patches are typically reverse-engineered and exploits developed in a matter of days or weeks.[4] An anonymous Pastebin user has threatened to publish an exploit on Friday, November 14, 2014.[5]
Impact

This flaw allows a remote attacker to execute arbitrary code and fully compromise vulnerable systems.[6]
Solution

Microsoft has released Security Bulletin MS14-066 to address this vulnerability in supported operating systems.[2]
References
[1] NIST Vulnerability Summary for CVE-2014-6321
[2] Microsoft Security Bulletin MS14-066 - Critical
[3] Microsoft, Secure Channel
[4] Reddit, Microsoft Security Bulletin MS14-066
[5] Pastebin, SChannelShenanigans
[6] Winshock.txt
Revision History
November 14, 2014: Initial Release

Monday, November 10, 2014

Microsoft Ending Support for Windows Server 2003 Operating System



Systems Affected

Microsoft Windows Server 2003 operating system
Overview


Microsoft is ending support for the Windows Server 2003 operating system on July 14, 2015.[1] After this date, this product will no longer receive:
Security patches that help protect PCs from harmful viruses, spyware, and other malicious software
Assisted technical support from Microsoft
Software and content updates
Description


All software products have a lifecycle. End of support refers to the date when Microsoft will no longer provide automatic fixes, updates, or online technical assistance.[2] As of July 2014, there were 12 million physical servers worldwide still running Windows Server 2003.[3]
Impact


Computer systems running unsupported software are exposed to an elevated risk to cybersecurity dangers, such as malicious attacks or electronic data loss.

Users may also encounter problems with software and hardware compatibility since new software applications and hardware devices may not be built for Windows Server 2003.

Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003.
Solution


Computers running the Windows Server 2003 operating system will continue to work after support ends. However, using unsupported software may increase the risks of viruses and other security threats. Negative consequences could include loss of confidentiality, integrity, and/or availability of data, system resources and business assets.

The Microsoft "Microsoft Support Lifecycle Policy FAQ" page offers additional details.[2]

Users have the option to upgrade to a currently supported operating system or other cloud-based services. There are software vendors and service providers in the marketplace who offer assistance in migrating from Windows Server 2003 to a currently supported operating system or SaaS (software as a service) / IaaS (infrastructure as a service) products and services.[4, 5] US-CERT does not endorse or support any particular product or vendor.
References

[1] Microsoft Product Lifecycle Listing
[2] Microsoft Support Lifecycle Policy FAQ
[3] Redmond Magazine, Prepare for Windows Server 2003's End of Support
[4] Windows Server 2003 Migration Support
[5] TechTarget, Weighing next steps following Windows Server 2003 end-of-life
Revisions



November 10, 2014: Initial Release

Thursday, November 6, 2014

FBI arrests Blake “Defcon” Benthall, alleged operator of Silk Road 2.0



The FBI announced that yesterday it arrested Blake Benthall, aka "Defcon," the alleged owner and operator of Silk Road 2.0. Benthall was apprehended in San Francisco and will be presented today in a federal court in SF before Magistrate Judge Jaqueline Scott Corley.

“As alleged, Blake Benthall attempted to resurrect Silk Road, a secret website that law enforcement seized last year, by running Silk Road 2.0, a nearly identical criminal enterprise," Manhattan US Attorney Preet Bharara said in a statement. "Let’s be clear—this Silk Road, in whatever form, is the road to prison. Those looking to follow in the footsteps of alleged cybercriminals should understand that we will return as many times as necessary to shut down noxious online criminal bazaars. We don’t get tired.”

Wednesday, November 5, 2014

Google Releases Tool For Finding TLS/SSL Vulnerabilities and Misconfigurations



Google has released a new network traffic security testing tool that can be used to check if devices and applications are impacted by Transport Layer Security/Secure Sockets Layer (TLS/SSL) vulnerabilities and if the cryptographic protocols are configured correctly.

The tool, dubbed Nogotofail, has been used internally by the Android Security Team for some time. However, on Tuesday, it was released as an open source project to allow anyone to test their applications and contribute to making the tool better.

"Nogotofail works for Android, iOS, Linux, Windows, Chrome OS, OSX, in fact any device you use to connect to the Internet. There’s an easy-to-use client to configure the settings and get notifications on Android and Linux, as well as the attack engine itself which can be deployed as a router, VPN server, or proxy," Android Security Engineer Chad Brubaker, one of the tool's developers, wrote in a post on the Google Online Security blog.
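Nogotofail finds these problems on the wire, by sitting in the network path and presenting clients with certificates and protocol options they ought to reject. The following added example, which is not part of Nogotofail or of Google's code, shows the same class of misconfiguration from the other side: an audit of a Python `ssl.SSLContext` that reports the settings which would let such an attack engine succeed against the client, alongside the weak and the hardened ways of building that context. The function names are the example's own; the `ssl` calls are standard library.

```python
import ssl
from typing import List


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """List the settings that would let an active network attacker intercept this client's TLS."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate, including an attacker's, is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for some other host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows negotiation below TLS 1.2")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The pattern a Nogotofail run exposes: verification switched off to 'make it work'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE  # accepts the interceptor's certificate without complaint
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verification on, hostname checked, system trust store loaded, TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        issues = audit_client_context(ctx)
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

A client built with `weak_client_context()` completes a handshake with whatever certificate an interceptor presents, which is exactly the finding Nogotofail reports; the audit catches it before the traffic ever leaves the machine, but it cannot replace the on-the-wire test, because it only sees the context the code constructs, not the library or pinning logic wrapped around it.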

Tuesday, November 4, 2014

Undercover Video Allegedly Shows How Easy It Is to Commit Voter Fraud in North Carolina



Controversial, undercover filmmaker James O’Keefe has released a new video alleging he was offered ballots in North Carolina “some 20 times” by giving election officials the names of inactive voters.

In the video (originally released to the Daily Mail), O’Keefe says there are over 700,000 such voters in the state, “which creates a recipe for voter fraud on a massive scale.” He set out to show just what that fraud might look like by visiting numerous early voting places.

Smart offers mobile-based protection against ATM, credit card fraud



MANILA – A unit of Smart Communications Inc has launched an anti-fraud security service aimed at minimizing ATM and credit card scams.

A service of Smart e-Money Inc, “LockByMobile” allows mobile subscribers to lock and unlock accounts at different levels—by account, by channel, or by transaction settings.

Using the company's proprietary, patented and Payment Card Industry Data Security Standard (PCI DSS) certified platform, this mobile application can be downloaded via Google Play or the Apple App Store. It will be made available to card issuers worldwide, on smartphones provided by any mobile network operator.

Its patented features include enabling the cardholder to lock or unlock the account by transaction or by channel. Through locking by transaction, a cardholder can set an amount threshold; limit the types of merchants where the card can be used; and limit transactions to certain countries and currencies. This will come in handy when the cardholder travels overseas.

LockByMobile also has built-in fraud alert mechanisms that are preventive rather than reactive, ensuring that a transaction will not push through unless it is within the security setting set by the cardholder.

"It's an innovative mobile financial solution that we've developed to address a common pain point of any cardholder—that of having the power to protect one's card accounts in a simple but powerful and convenient way. Having that additional layer of security can give the customer peace of mind," Orlando B. Vea, Smart e-Money president, said in a statement.
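The controls described above amount to a default-deny authorization rule evaluated before a transaction is approved. The following is an added example of that rule, not Smart e-Money's implementation or anything derived from it: a constructed cardholder profile, a transaction type, an `authorize` function that approves only when every cardholder setting permits the transaction, and a `with_travel` helper that opens the country and currency locks for a trip without touching the other controls. Channel names, the merchant category codes and the sample amounts are made up for the demonstration.

```python
from dataclasses import dataclass, replace
from decimal import Decimal
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class CardLock:
    """Cardholder-chosen controls. An empty allow-list leaves that dimension unrestricted. Constructed model."""
    account_locked: bool = False
    locked_channels: FrozenSet[str] = frozenset()             # channels the holder has switched off
    max_amount: Optional[Decimal] = None                       # per-transaction threshold
    allowed_merchant_categories: FrozenSet[str] = frozenset()  # merchant category codes
    allowed_countries: FrozenSet[str] = frozenset()            # ISO 3166 alpha-2 codes
    allowed_currencies: FrozenSet[str] = frozenset()           # ISO 4217 codes


@dataclass(frozen=True)
class Transaction:
    channel: str            # "atm", "pos" or "ecommerce" in this model
    amount: Decimal
    currency: str
    country: str
    merchant_category: str


def authorize(txn: Transaction, lock: CardLock) -> Tuple[bool, str]:
    """Preventive rule: approve only if every cardholder setting permits the transaction."""
    if lock.account_locked:
        return False, "account locked by cardholder"
    if txn.channel in lock.locked_channels:
        return False, f"channel {txn.channel!r} locked by cardholder"
    if lock.max_amount is not None and txn.amount > lock.max_amount:
        return False, f"amount {txn.amount} exceeds threshold {lock.max_amount}"
    if lock.allowed_merchant_categories and txn.merchant_category not in lock.allowed_merchant_categories:
        return False, f"merchant category {txn.merchant_category!r} not allowed"
    if lock.allowed_countries and txn.country not in lock.allowed_countries:
        return False, f"country {txn.country!r} not allowed"
    if lock.allowed_currencies and txn.currency not in lock.allowed_currencies:
        return False, f"currency {txn.currency!r} not allowed"
    return True, "within cardholder settings"


def with_travel(lock: CardLock, countries: FrozenSet[str], currencies: FrozenSet[str]) -> CardLock:
    """Open the geographic and currency locks for a trip, leaving every other control as it was."""
    return replace(
        lock,
        allowed_countries=lock.allowed_countries | countries,
        allowed_currencies=lock.allowed_currencies | currencies,
    )


# Constructed profile: home-country card, ATM and POS on, e-commerce off, 5,000 PHP ceiling.
HOME_LOCK = CardLock(
    locked_channels=frozenset({"ecommerce"}),
    max_amount=Decimal("5000"),
    allowed_countries=frozenset({"PH"}),
    allowed_currencies=frozenset({"PHP"}),
)

if __name__ == "__main__":
    samples = [
        Transaction("atm", Decimal("2000"), "PHP", "PH", "6011"),
        Transaction("pos", Decimal("7500"), "PHP", "PH", "5411"),
        Transaction("ecommerce", Decimal("100"), "PHP", "PH", "5732"),
        Transaction("pos", Decimal("120"), "SGD", "SG", "5812"),
    ]
    for txn in samples:
        print(txn.channel, txn.amount, txn.currency, txn.country, "->", authorize(txn, HOME_LOCK))
    print("with travel:", authorize(samples[3], with_travel(HOME_LOCK, frozenset({"SG"}), frozenset({"SGD"}))))
```

Two design choices matter here: amounts are `Decimal`, not floats, so a threshold comparison cannot be undermined by rounding, and the profile is immutable, so a temporary travel setting is a new object rather than a mutation that might be forgotten.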

Saturday, November 1, 2014

Facebook just created a new Tor link for users who wish to remain anonymous



Facebook just took the surprising step of adding a way for users of the free anonymizing software Tor to access the social network directly. Tor is an open source project that launched in 2002 to provide a way for people to access the internet without sharing identifying information such as their IP address and physical location with websites and their service providers. People who download the free Tor software can visit websites while keeping the actual location of their computer and its make and model secret. While Tor users could previously access Facebook before today, it often loaded irregularly with incorrectly displayed fonts and sometimes didn't load at all, because Facebook's security features treated Tor as a botnet — a collection of computers designed to attack it.

Don't Fall for This Walmart Mystery Shopper Scam



When Janelle Martin and her husband, James, recently received a check for $1,991.62 that appeared to be from Walmart, her jaw dropped. “That’s an awful lot of money to receive in the mail,” she says. But her excitement quickly faded to skepticism when she read the letter that accompanied the check.

The letter asked them to register the check they received online, then deposit it in their bank account and use some of the money to complete a mystery shopping assignment. Although there are legitimate mystery shopping opportunities, the Martins were seeing red flags. The check supposedly was issued by Wachovia, which was bought by Wells Fargo in 2008 and no longer offers accounts under the Wachovia name. And a little searching on the Internet by the Martins turned up complaints about similar checks and letters.


What seemed like a windfall actually was a scam.
