Heartbleed-like OpenSSL bug active for more than 16 years

Number: IRCNE2014062212
Date: 2014-06-08

According to “itpro”, Japanese researchers have uncovered another vital flaw in OpenSSL that has been active and available to criminals for more than 16 years.

In a blog entry, Masashi Kikuchi, one of the security researchers at Lepidum, outlined how the flaw, named the CCS Injection Vulnerability, has been present since before 1998. The exploit affects a protocol named ChangeCipherSpec, used at the end of an SSL communication.

Hackers with knowledge of the bug have been able to intercept and then decrypt data travelling between OpenSSL servers and clients, conducting so-called “man-in-the-middle” attacks.

“The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation,” wrote Kikuchi.

“If the reviewers had enough experience, they should have verified the OpenSSL code in the same way they do their own code. They could have detected the problem [earlier].”

The team behind OpenSSL have acknowledged the security flaw and published an advisory asking users to upgrade their software to avoid the bug.

“The good news is that these attacks need a man-in-the-middle position against the victim and that non-OpenSSL clients (Internet Explorer, Firefox, Chrome and Safari) aren't affected,” wrote Google software engineer Adam Langley in a post on the exploit. “Nonetheless, all OpenSSL users should be updating.”

Ransomware advertisements on popular websites

Number: IRCNE2014062211
Date: 17/3/93

Cisco has reported malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and several other companies that lead users to malware which encrypts the files on their computer and does not release them until the user pays.
Cisco's investigation has uncovered a complex and effective method for infecting large numbers of computers with ransomware.
Cisco has a product called Cloud Web Security (CWS) that monitors customers as they browse the web and reports when they try to reach suspicious domains. CWS monitors billions of web page requests every day.
The company noted that it had blocked requests to 90 domains, many of them WordPress sites, for more than 17% of CWS users.
Further investigation showed that many CWS users ended up on those domains after viewing advertisements on high-traffic domains such as apps.facebook.com, awkwardfamilyphotos.com, theguardian.co.uk and go.com.
Certain advertisements seen on these domains were examined; if clicked, they take victims to one of the 90 domains mentioned.
This style of attack, known as malvertising, has long been a problem. Advertising networks have taken steps to detect and identify malicious advertisements placed on their networks, but the security checks are not flawless.
Malicious advertisements typically appear on websites that are unaware of their presence. Users expect a reputable site to be trustworthy when they visit it, but because of the many links to other sites, in practice this is not the case.
The 90 domains to which these malicious advertisements direct traffic had themselves been hacked. In the case of the WordPress sites, the attackers appear to have used brute-force attacks to gain access to the sites' control panels. An exploit kit called Rig was then added, which attacks the victim's system.
The Rig exploit kit, first discovered in April by Kahu Security, checks whether the user is running a vulnerable version of Flash. If so, the system is immediately exploited.
In the next stage of the attack, a ransomware program called Cryptowall is installed. It encrypts the user's files and demands payment. The operation's sophistication extends to the website through which the user can pay: it is a hidden website that uses The Onion Router, or the TOR network.
To reach this website the user must install TOR, and Cryptowall provides guidance on doing so. Those who delay paying face an increase in the amount.
Given the use of TOR and the complex attack chain, Cisco has not yet been able to identify the attackers behind the campaign.

Fixes for OpenSSL vulnerabilities

Number: IRCNE2014062210
Date: 17/03/93
According to reports, several vulnerabilities in OpenSSL have been fixed. The most notable is the MitM vulnerability in SSL/TLS.

All client versions of OpenSSL are vulnerable. Among OpenSSL servers, only versions 1.0.1 and 1.0.2-beta1 are vulnerable.

Users are advised to do the following:

  • OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za.
  • OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
  • OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

Google has released a new version of Chrome for Android whose OpenSSL version is 1.0.1h.

Other issues fixed in OpenSSL include:

  • DTLS invalid fragment vulnerability: a buffer overrun that could potentially be exploited to run arbitrary code on the system.
  • DTLS recursion flaw: leads to denial of service.
  • NULL pointer dereference in SSL_MODE_RELEASE_BUFFERS: leads to denial of service.
  • SSL_MODE_RELEASE_BUFFERS session injection or denial of service: leads to cross-section data injection or denial of service.
  • Anonymous ECDH denial of service: leads to denial of service.

Microsoft will release seven security updates

Number: IRCNE2014062208
Date: 17/03/93

Microsoft has released its advance notification for the June Patch Tuesday. The company will release seven bulletins and security updates. Two of the updates address at least one critical vulnerability.

Bulletin one is a critical code-execution issue in IE that affects all versions of IE, including IE 11 on Windows 8.1. Server Core versions of Windows Server are not affected by this vulnerability.

Bulletin two is unusual because it affects a range of Office and Windows products. It is a remote code execution vulnerability and is rated critical for all versions of Windows. It is also rated critical for the Microsoft Live Meeting 2007 Console and all versions of Microsoft Lync except Lync Server. For Office 2007 and 2010 the issue is rated Important. Office 2013 is not affected.

The remaining vulnerabilities are rated Important. Bulletin three affects only Office 2007 and Microsoft Office Compatibility Pack Service Pack 3.

Bulletins four and five cover information disclosure issues in Windows and Lync Server. Bulletin six is a denial-of-service issue in all versions of Windows, and bulletin seven is a "spying" issue that affects Windows 7, 8.x and Server 2012.

Malicious major website ads lead to ransomware

ID: IRCNE2014062211
Date: 2014-06-07

According to “ComputerWorld”, malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and others are leading people to malware that encrypts a computer's files until a ransom is paid, Cisco Systems has found.
The finding comes shortly after technology companies and U.S. law enforcement banded together in a large operation to shut down a botnet that distributed online banking malware and so-called "ransomware," a highly profitable scam that has surged over the last year.
Cisco's investigation unraveled a technically complex and highly effective way of infecting large numbers of computers with ransomware, which it described in detail on its blog.
"It really is insidious," said Levi Gundert, a former Secret Service agent and now a technical lead for threat research and analysis at Cisco, in a phone interview Friday.
Cisco has a product called Cloud Web Security (CWS) which monitors its customers' web surfing and reports if they are browsing to suspected malicious domains. CWS monitors billions of web page requests a day, Gundert said.
The company noticed that it was blocking requests to 90 domains, many of those WordPress sites, for more than 17 percent of its CWS customers, he said.
Further investigation showed that many of the CWS users were ending up on those domains after viewing advertisements on high-traffic domains such as "apps.facebook.com," "awkwardfamilyphotos.com," "theguardian.co.uk" and "go.com," a Disney property, among many others.
Certain advertisements that appeared on those domains, however, had been tampered with. If clicked, they redirected victims to one of the 90 domains.
The style of attack, known as "malvertising," has long been a problem. Advertising networks have taken steps to try and detect malicious advertisements placed on their network, but the security checks aren't foolproof.
Occasionally, bad advertisements slip in, which are shown on a vast array of websites that have signed up with the network or its affiliates. The websites where the ads appear are often unaware they're being abused.
"It goes to show that malvertising is a real problem," Gundert said. "People expect when they go to a Tier 1 website that it is a trustworthy place to visit, but because there are so many third-party external links, that's not really true."
The 90 domains the malicious advertisements pushed traffic to had also been hacked, Gundert said. In the case of the WordPress sites, it appears the attackers used brute-force attacks -- which involve guessing login credentials -- to access the sites' control panels. Then, an exploit kit called Rig was inserted, which attacked the victim's computer, Gundert said.
The Rig exploit kit, first spotted in April by Kahu Security, checks if users are running an unpatched version of Flash, Java or the Silverlight multimedia program. If someone's computer isn't patched, "you're instantly exploited," Gundert said.
In the next stage of the attack, a ransomware program called "Cryptowall," a relative of the infamous Cryptolocker malware, is installed. It encrypts the user's files, demanding a ransom. In another sign of the operation's sophistication, the website where users can pay the ransom is a hidden website that uses The Onion Router, or the TOR network.
To navigate to a TOR hidden website, a user must have TOR installed, which Cryptowall helpfully provides instructions for how to install. Those who delay paying the ransom find it increases as time passes.
Because of the use of TOR and the technically complex attack chain, Cisco hasn't yet been able to identify a group behind the attacks.
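The chain Cisco describes (a tampered ad on a high-traffic site, a redirect to one of the 90 compromised landing domains, then the exploit kit) leaves a recognisable pattern in web-proxy logs: a request to a blocked landing domain shortly after a page load from one of the publishers. The following script is an added example, not Cisco's code or CWS logic; it reconstructs that pattern per user from a constructed log format and reports what share of users hit a landing domain, the figure the article quotes as "more than 17 percent". The landing domains, the log format and the 30-second window are assumptions for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed stand-ins for the 90 compromised WordPress landing domains in the article.
BLOCKED_LANDING = {"wp-site-1.invalid", "wp-site-2.invalid", "wp-site-3.invalid"}
# Publishers named in the article on whose pages the tampered ads were shown.
PUBLISHERS = {"apps.facebook.com", "awkwardfamilyphotos.com", "theguardian.co.uk", "go.com"}
# Assumed: how far back to look for the page that served the ad (ad redirects are fast).
WINDOW = timedelta(seconds=30)


def parse_line(line):
    """Constructed proxy log format: '<ISO8601 ts> <user> <host> <ALLOW|BLOCK>'."""
    ts, user, host, action = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, host.lower(), action


def analyse(lines):
    """Return (Counter of (publisher, landing) chains, share of users who hit a landing domain)."""
    by_user = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, user, host, action = parse_line(line)
            by_user[user].append((ts, host, action))

    chains = Counter()
    affected = set()
    for user, events in by_user.items():
        events.sort()  # chronological order per user
        for i, (ts, host, _) in enumerate(events):
            if host not in BLOCKED_LANDING:
                continue
            affected.add(user)
            # Walk back to the most recent publisher page inside WINDOW: that is the
            # page whose ad slot redirected this user. Intermediate ad-server hops are skipped.
            for prev_ts, prev_host, _ in reversed(events[:i]):
                if ts - prev_ts > WINDOW:
                    break
                if prev_host in PUBLISHERS:
                    chains[(prev_host, host)] += 1
                    break
    share = len(affected) / len(by_user) if by_user else 0.0
    return chains, share


# Constructed sample log: three users redirected, three browsing normally.
SAMPLE_LOG = [
    "2014-06-05T10:00:01Z u1 apps.facebook.com ALLOW",
    "2014-06-05T10:00:03Z u1 ads.adnet.invalid ALLOW",
    "2014-06-05T10:00:04Z u1 wp-site-1.invalid BLOCK",
    "2014-06-05T10:05:10Z u2 theguardian.co.uk ALLOW",
    "2014-06-05T10:05:12Z u2 wp-site-2.invalid BLOCK",
    "2014-06-05T10:00:00Z u3 go.com ALLOW",
    "2014-06-05T10:01:00Z u3 wp-site-1.invalid BLOCK",  # publisher visit too old to attribute
    "2014-06-05T10:02:00Z u4 go.com ALLOW",
    "2014-06-05T10:03:00Z u5 theguardian.co.uk ALLOW",
    "2014-06-05T10:04:00Z u6 apps.facebook.com ALLOW",
]

if __name__ == "__main__":
    chains, share = analyse(SAMPLE_LOG)
    print(f"{share:.0%} of users reached a landing domain")
    for (publisher, landing), n in chains.most_common():
        print(f"{n}x {publisher} -> {landing}")
```

The publisher-to-landing pairs are the evidence that would let a defender raise the problem with the ad network rather than with the publisher, which, as Gundert notes, is usually unaware of the abuse.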

OpenSSL fixes another severe vulnerability

Number: IRCNE2014062210
Date: 2014-06-07

According to “zdnet”, the OpenSSL project has reported fixes for several vulnerabilities, at least one of them serious. The most significant vulnerability is the SSL/TLS MITM vulnerability (CVE-2014-0224).

All client versions of OpenSSL are vulnerable. OpenSSL servers are only known to be vulnerable in versions 1.0.1 and 1.0.2-beta1.

OpenSSL provides this advice:

  • OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za
  • OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m
  • OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h
  • Google has released a new version of Chrome for Android, incrementing the OpenSSL version used in it to 1.0.1h.

The same updates fix several less-serious issues:

  • DTLS invalid fragment vulnerability (CVE-2014-0195) — A buffer overrun, potentially exploitable to run arbitrary code on the system.
  • DTLS recursion flaw (CVE-2014-0221) — Denial of service
  • SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198) — Denial of service
  • SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298) — Cross-section data injection or denial of service
  • Anonymous ECDH denial of service (CVE-2014-3470) — Denial of service
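The upgrade advice above (and the same advisory in the Persian item and the CCS Injection item earlier on this page) is easy to get wrong in an inventory because OpenSSL letter suffixes do not sort lexically: 0.9.8za is newer than 0.9.8y, and 1.0.2-beta1 is older than 1.0.2. The script below is an added example, not code from the OpenSSL project; it parses `openssl version` banners, orders versions the way OpenSSL releases are ordered, and classifies each host against CVE-2014-0224 using only what the advisory states (all clients affected; servers only on 1.0.1 and 1.0.2-beta1). Host names and banners are constructed, and for the 1.0.2 branch it reports only what the page says.

```python
import re

# Lowest fixed release per branch, as given in the advisory text above.
FIXED_RELEASE = {"0.9.8": "0.9.8za", "1.0.0": "1.0.0m", "1.0.1": "1.0.1h"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|pre\d+))?$")
_BANNER_RE = re.compile(r"OpenSSL\s+(\S+)")


def parse_version(text):
    """Turn '1.0.1h' or '0.9.8za' into a tuple that sorts like OpenSSL releases.
    Letter suffixes run a..z, za, zb, ..., so they compare by (length, text);
    a pre-release such as '1.0.2-beta1' sorts below the final '1.0.2'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, fix, letters, pre = m.groups()
    return (int(major), int(minor), int(fix), (len(letters), letters), pre is None, pre or "")


def branch_of(text):
    v = parse_version(text)
    return f"{v[0]}.{v[1]}.{v[2]}"


def version_from_banner(banner):
    """Extract the version from 'openssl version' output, e.g. 'OpenSSL 1.0.1g 7 Apr 2014'."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSL version in banner: {banner!r}")
    return m.group(1)


def ccs_status(version, role):
    """Classify a build against CVE-2014-0224. role is 'client' or 'server'.
    Returns 'vulnerable', 'fixed', 'not affected', or 'unknown' for a branch
    the advisory gives no fixed release for."""
    v = parse_version(version)
    branch = branch_of(version)
    if branch in FIXED_RELEASE:
        if v >= parse_version(FIXED_RELEASE[branch]):
            return "fixed"
        # Unpatched: every client is affected; servers only on the 1.0.1 branch.
        if role == "client" or branch == "1.0.1":
            return "vulnerable"
        return "not affected"
    if version.strip() == "1.0.2-beta1":
        return "vulnerable"  # named explicitly in the advisory for servers and clients
    return "unknown"


def audit(inventory):
    """inventory: list of (host, role, banner). Returns (host, version, target) for hosts to upgrade."""
    findings = []
    for host, role, banner in inventory:
        ver = version_from_banner(banner)
        if ccs_status(ver, role) == "vulnerable":
            findings.append((host, ver, FIXED_RELEASE.get(branch_of(ver), "see advisory")))
    return findings


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = [
    ("web-1", "server", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("web-2", "server", "OpenSSL 1.0.1h 5 Jun 2014"),
    ("lb-1", "server", "OpenSSL 1.0.0l 6 Jan 2014"),
    ("app-1", "client", "OpenSSL 1.0.0l 6 Jan 2014"),
    ("legacy", "client", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("build", "server", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
]

if __name__ == "__main__":
    for host, ver, target in audit(SAMPLE_INVENTORY):
        print(f"{host}: OpenSSL {ver} -> upgrade to {target}")
```

Note that a server on 1.0.0l is reported as not affected in its server role but the same build used as a client is vulnerable, which is why the role must be recorded alongside the version when taking inventory.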

Trojan app encrypts files on Android devices and asks for ransom

Number: IRCNE2014062209
Date: 2014-06-07

According to “computerworld”, the ransomware model is increasingly being adopted by cybercriminals who target mobile users, one of their latest creations being able to encrypt files stored on the SD memory cards of Android devices.

A new threat dubbed Android/Simplocker.A was identified by researchers from antivirus firm ESET over the weekend and, while it's not the first ransomware program for Android, it is the first one seen by the company that holds files hostage by encrypting them.

"Android/Simplocker.A will scan the SD card for files with any of the following image, document or video extensions: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4 and encrypt them using AES [the Advanced Encryption Standard]," the ESET researchers said Wednesday in a blog post.

The malware will then display a ransom message in Russian asking for a payment of $21.40 to be made through a service called MoneXy, suggesting that, at least for now, this threat targets users in Russian-speaking countries.

Using encryption to hold files hostage is a technique made popular among malware writers by Cryptolocker, a Windows ransomware program that infected more than 250,000 computers during the last three months of 2013.

The new threat masquerades as an application called "Sex xionix," but it wasn't found on Google Play and its distribution so far is most likely low.

Another interesting aspect of Simplocker.A is that it uses a .onion command-and-control (C&C) domain address. The .onion pseudo-top-level domain is only used inside the Tor anonymity network for accessing so-called hidden services.

Microsoft to release seven security updates next week

Number: IRCNE2014062208
Date: 2014-06-07

According to “zdnet”, Microsoft has released its advance notification for this month's Patch Tuesday updates. The company will release seven security bulletins and updates. Two of the updates will address at least one critical vulnerability.

Bulletin one (which will likely be released as MS14-030) is a critical remote code execution Internet Explorer bug, affecting all versions of Internet Explorer, including IE11 in Windows 8.1. Server Core versions of Windows Server do not include IE and are not affected.

Bulletin two is unusual in that it affects a broad selection of both Windows and Office products. It is a remote code execution vulnerability and rated critical on all versions of Windows, Server Core included. It is also critical on Microsoft Live Meeting 2007 Console and all versions of Microsoft Lync, but not Lync Server. It is also rated Important for Office 2007 and Office 2010. Office 2013 appears not to be affected.

All the remaining vulnerabilities have a maximum rating of Important. Bulletin three affects only Office 2007 and Microsoft Office Compatibility Pack Service Pack 3.

Bulletins four and five describe information disclosure bugs in Windows and Lync Server respectively. Bulletin six is a denial of service bug in all Windows versions since Vista, and bulletin seven is a "tampering" bug, a type not often described. Windows 7, 8.x and Server 2012 are affected.

Wireless routers and Android phones targeted by the “Cupid” attack

Number: IRCNE2014052207
Date: 10/03/93

Android phones and wireless routers accessible over Wi-Fi may be at risk from a new variant of the Heartbleed vulnerability.
Luis Grangeia, a security expert and security services manager at SysValue, has discovered a vector through which wireless devices and Android phones can be attacked.
The new attack line, “Cupid”, can operate in the same way as the original Heartbleed vulnerability, with the difference that this attack is carried out over wireless connections.
According to Grangeia's findings, it is not yet clear how many devices may be affected by this vulnerability, but this attack spreads faster than the original Heartbleed vulnerability. EAP-based routers are the devices most vulnerable to the “Cupid” attack.
Grangeia stated that the attack occurs before login, at the authentication stage, so no credentials are needed to carry it out.
Android phones currently running version 4.1.1 of Jelly Bean are vulnerable through their wireless connections. An attacker could open a connection to the victim's device over an infected network and take whatever information they want from the victim's phone.
Millions of Android devices still use Jelly Bean version 4.1.1, even though an updated version was released at the time the original Heartbleed vulnerability was discovered and users were advised to update their operating systems. iOS and Mac OSX may also be affected by the Cupid attack.

Heartbleed bug could target Android phones and wireless routers

Number: IRCNE2014052207
Date: 2014-05-31

According to “itpro”, Android phones and wireless routers accessible via Wi-Fi might be at risk from attackers utilising a new form of the Heartbleed bug, it has been revealed.

Security expert Luis Grangeia, a partner and security services manager at SysValue, has apparently found a vector through which the bug can attack wireless devices and Android phones.

Dubbed “Cupid”, the new attack line would perform the same procedure as the original Heartbleed bug except over wireless connections instead of the open web.

It’s unclear how many devices may be vulnerable but the spread will probably be more contained than the original, according to Grangeia. EAP-based routers are the most vulnerable to Cupid as they need both an individual login and password, which an attacker would be able to pull from the router or server.

“The attack occurs before login, specifically on the authentication stage, so no credentials are needed to perform it," said Grangeia.

Android devices that are still running the 4.1.1 version of Jelly Bean are also particularly vulnerable through their wireless connectivity. An attacker could open up a connection to the device via the infected network and lift as much information as they want from the victim’s phone.

Millions of Android devices still use the 4.1.1 version of Jelly Bean, despite an update being released in the wake of the original Heartbleed discovery. Mac OSX and iOS might also be at risk from Cupid, added Grangeia, who urged administrators to “test everything”.
