More SSL encryption issues

Researchers have recently uncovered a major security flaw in software created by companies like Google and Apple, leaving many devices vulnerable to hacking attempts, reports The Washington Post (http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/). Called "FREAK" (Factoring Attack on RSA-EXPORT Keys), the vulnerability stems from a U.S. government policy that once prevented companies from exporting strong encryption, requiring them instead to ship weak "export-grade" products to customers outside the United States.

These restrictions were lifted more than a decade ago, but support for the weaker export-grade cipher suites lingered in software as a legacy of the old policy, and was even built into software sold in the U.S. The lingering "export-grade" support went unnoticed until this year, when researchers found that a man-in-the-middle could force a vulnerable browser and a willing server to fall back to a 512-bit RSA export key, which is small enough to factor.

Hackers could employ the same tactic, factoring the weak key and then reading or tampering with the supposedly encrypted session to steal passwords and other information. Researchers also believe the vulnerability could be used to launch attacks on and infiltrate major websites. In testing, a 512-bit export-grade key was factored in about seven hours using rented cloud computing, and more than a quarter of encrypted sites were found to still accept export-grade cipher suites.
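The downgrade described above has a server-side precondition that is easy to test: does the server still negotiate an RSA_EXPORT cipher suite when a client offers nothing else? The Python below is an added example, not code from MacRumors, The Washington Post or the FREAK researchers. It builds a minimal TLS 1.0 ClientHello offering only the RFC 2246 RSA export suites and classifies the reply as either a ServerHello that selected one of them (downgradable) or a handshake_failure alert (not downgradable this way). The probe() function, the sample ServerHello bytes and the alert record are constructed for illustration; whether a given client would then accept the 512-bit key is the other half of FREAK and is not tested here.

```python
import os
import socket
import struct

# RSA export-grade cipher suites from RFC 2246. A server willing to select one of
# these when offered nothing else is the server half of a FREAK downgrade.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
HANDSHAKE, ALERT = 0x16, 0x15          # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types
TLS10 = b"\x03\x01"


def build_client_hello(suites, version=TLS10):
    """TLS record carrying a ClientHello that offers only `suites` (no extensions)."""
    body = version + os.urandom(32) + b"\x00"        # client_version, random, empty session id
    cs = b"".join(struct.pack(">H", s) for s in suites)
    body += struct.pack(">H", len(cs)) + cs            # cipher_suites vector
    body += b"\x01\x00"                                # compression_methods: null only
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack(">H", len(hs)) + hs


def parse_server_response(data):
    """('suite', id) from a ServerHello, or ('alert', description) from an alert record."""
    ctype, length = data[0], struct.unpack(">H", data[3:5])[0]
    payload = data[5:5 + length]
    if ctype == ALERT:
        return ("alert", payload[1])                    # payload is (level, description)
    if ctype != HANDSHAKE or payload[0] != SERVER_HELLO:
        raise ValueError("unexpected record type %#x" % ctype)
    hs_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hs_len]
    sid_len = body[34]                                  # follows server_version(2) + random(32)
    off = 35 + sid_len
    return ("suite", struct.unpack(">H", body[off:off + 2])[0])


def accepts_rsa_export(response):
    """True if the server picked an RSA_EXPORT suite, i.e. it is downgradable."""
    kind, value = parse_server_response(response)
    return kind == "suite" and value in RSA_EXPORT_SUITES


def probe(host, port=443, timeout=5):
    """Live check (constructed helper): offer only export suites and see what comes back.
    A production tool would read the 5-byte record header first and then exactly `length` bytes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(list(RSA_EXPORT_SUITES)))
        return accepts_rsa_export(s.recv(4096))


# Constructed responses for offline use: a willing server and a refusing server.
def make_server_hello(suite, version=TLS10):
    body = version + b"\x42" * 32 + b"\x00" + struct.pack(">H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack(">H", len(hs)) + hs


HANDSHAKE_FAILURE = bytes([ALERT]) + TLS10 + b"\x00\x02" + b"\x02\x28"  # fatal(2), handshake_failure(40)
```

A server that answers the export-only ClientHello with a ServerHello selecting one of those suites needs its cipher list fixed (no EXPORT suites at all; in OpenSSL cipher-string terms, `!EXPORT`). One that replies with a fatal handshake_failure alert cannot be downgraded this way. With an OpenSSL build that still includes the export suites, `openssl s_client -cipher EXPORT -connect host:443` asks the same question from the command line.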

“We thought of course people stopped using it,” said Karthikeyan Bhargavan, a researcher at the French computer science lab INRIA whose team initially found the problem during testing of encryption systems.

Nadia Heninger, a University of Pennsylvania cryptographer, said, “This is basically a zombie from the ’90s… I don’t think anybody really realized anybody was still supporting these export suites.”

As The Washington Post points out, the FREAK vulnerability is an example of the problems that can arise when governments get involved in device security. Government officials have recently expressed concern (http://www.macrumors.com/2014/09/25/rbi-concerned-with-apple-encryption/) over the privacy features that Apple and Google have been building into their smartphones in response to outrage over secretive government surveillance programs like PRISM (http://www.macrumors.com/2013/06/06/intelligence-program-gives-us-government-direct-access-to-customer-data-on-apple-servers/).

FBI Director James Comey has made remarks suggesting Apple and Google should scale back encryption, as government access to electronic devices is necessary in some cases. He has said that it may matter a “great, great deal” that the government be able to infiltrate the device of a kidnapper, criminal, or terrorist.

The researchers who discovered the flaw notified government sites and major technology companies so they could fix the issue before it was widely publicized. FBI.gov and Whitehouse.gov have been fixed, and according to Apple spokeswoman Trudy Miller, Apple is preparing a security patch that will be "in place next week for both its computers and its mobile devices."

 

Article courtesy of MacRumors

 

Posted in Security Alerts | 2 Comments

Blue Shell Limited Joins MICTA

Blue Shell is pleased to announce it is now a member of MICTA, the Manx ICT Association, and looks forward to helping progress the organisation's aims in both the corporate and educational worlds.

Posted in Blue Shell News | Comments Off on Blue Shell Limited Joins MICTA

Blue Shell Becomes Official Oracle Gold Partner

Nigel Bazley, Technical Director, said: "This is a massive boost for us and the distance we have travelled since April 2014. It enhances our ability to give full and extensive support to customers."

 

Blue Shell Limited

Membership Level: Gold

Posted in Blue Shell News | Comments Off on Blue Shell Becomes Official Oracle Gold Partner

Microsoft Announces Windows 10 will be free to certain users

Microsoft announced today that its next operating system, Windows 10, will be a free upgrade for the first year after its release. The upgrade will initially be available to Windows 8.1 users, followed by Windows 7. Terry Myerson, Microsoft's executive vice president of operating systems, said the free upgrade will also apply to Windows 7 and Windows Phone 8.1 devices. This follows a recent trend, with Apple offering its last two iterations for free.

Posted in Technology | 3 Comments

This Week is hour of code week

The Hour of Code is a global movement reaching tens of millions of students in 180+ countries. Anyone, anywhere can organise an Hour of Code event. One-hour tutorials are available in over 30 languages. No experience needed. Ages 4 to 104.
For more information on Hour of Code week here in the UK, see http://hourofcode.com/uk

Apple is also participating. If you live near an Apple Store and fancy taking part, follow this link for further information: https://www.apple.com/uk/retail/code/

On the Isle of Man, why not try the Manx ICT Association? Open to all ages and skill levels, they meet every Saturday in Douglas. For more information follow this link: http://www.micta.im/

Spread the word, let's get the next generation coding and show how much fun it can be.

Posted in News | Comments Off on This Week is hour of code week

A lesson here for those who believe it will never happen to me

Below is a lesson that, no matter how big you are, it could happen to you. The article is courtesy of The Register.
Sony Pictures is investigating a breach that has seen hackers supposedly steal reams of internal data and splash defacements across staff computers. The company is now in lock-down as it wrestles with the problem.
The beleaguered company, writes Variety (http://variety.com/2014/biz/news/sony-targeted-by-apparent-hack-attack-to-corporate-systems-1201363734/), has requested staff disconnect their computers and personal devices from the Sony network and shut down virtual private networks.
Cracking group Guardians of Peace claimed responsibility for a defacement (http://imgur.com/qXNgFVz) appearing on staff machines and claimed it had stolen internal corporate data. The group says it will leak more details to the public web depending on what Sony "decided", in what appeared to be a reference to demands quietly sent to the company earlier.
Users have overloaded the servers hosting the alleged 200MB-plus breach caches, grinding many to a crawl.
[Image: the alleged Guardians of Peace message, http://regmedia.co.uk/2014/11/24/gop.jpg]
The group also hacked dozens of Twitter accounts linked to movies such as Stomp The Yard, Soul Surfer, and Starship Troopers.
News broke after a user claiming to be a former Sony staffer posted allegations of the breach on Reddit (http://www.reddit.com/r/hacking/comments/2n9zhv/i_used_to_work_for_sony_pictures_my_friend_still/), including the defacement picture. The account was linked a year ago to posts claiming to be from a Sony employee and has since been deleted.
Sony spokeswoman Jean Guerin said it was "investigating an IT matter" but could not confirm the hack. The defacement read:
"Hacked By #GOP Warning: We've already warned you, and this is just a beginning. We continue till our request be met. We've obtained all your internal data, including your secrets and top secrets. If you don't obey us, we'll release data shown below to the world. Determine what will you do till November the 24th, 11:00 PM (GMT)."
Users have searched the alleged Sony data caches dumped online and reportedly found private PuTTY keys, passwords for Oracle and SQL databases, source code, production schedules and hardware inventory lists.
Included files were named 'Jana's passwords.xls', 'Extranet Oracle & SQL passwords 4.3.06.txt', and 'ACCOUNTS WITHOUT PASSWORDS.xls'.
At least 20 alleged PuTTY keys were discovered by inquisitive users downloading the released data, one of them named AkamaiPrivateKey.ppk.
An alleged list of document file names was published online (http://imgur.com/a/0imAQby) by a user who downloaded some of the data caches.
The Reg will update this story as more details become available and once the trove downloads.
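The files named above (plaintext password spreadsheets and .ppk private keys sitting on ordinary file shares) are exactly the kind of material a defender can find before an attacker does. The Python below is an added example and is not part of The Register's article or this post. It walks a directory tree and flags credential-like filenames, PuTTY keys (distinguishing "Encryption: none" keys, whose private half is stored in plaintext, from passphrase-protected ones) and PEM private keys. build_sample_tree() writes a constructed set of files into a temporary directory purely so the scan can run offline; the filenames are modelled on the ones reported in the article.

```python
import os
import re
import tempfile

# Filenames that suggest stored credentials (case-insensitive).
NAME_PATTERN = re.compile(r"passw(or)?d|credential|secret", re.I)
# PuTTY .ppk files start with this magic; the "Encryption:" header says whether
# the private half is protected by a passphrase ("none" means it is not).
PPK_MAGIC = b"PuTTY-User-Key-File-"
PPK_ENCRYPTION = re.compile(rb"^Encryption: (\S+)", re.M)
# OpenSSL / OpenSSH PEM private keys.
PEM_KEY = re.compile(rb"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----")


def classify(path):
    """Return a list of reasons this file is worth a second look (empty if none)."""
    findings = []
    if NAME_PATTERN.search(os.path.basename(path)):
        findings.append("credential-like filename")
    try:
        with open(path, "rb") as f:
            head = f.read(4096)          # headers live at the start; no need to read the rest
    except OSError:
        return findings
    if head.startswith(PPK_MAGIC):
        enc = PPK_ENCRYPTION.search(head)
        if enc and enc.group(1) == b"none":
            findings.append("unencrypted PuTTY private key")
        else:
            findings.append("PuTTY private key (passphrase-protected)")
    elif PEM_KEY.search(head):
        # Encrypted PEM keys carry "Proc-Type: 4,ENCRYPTED" (or an ENCRYPTED PRIVATE KEY block).
        if b"ENCRYPTED" in head:
            findings.append("PEM private key (passphrase-protected)")
        else:
            findings.append("unencrypted PEM private key")
    return findings


def scan_tree(root):
    """Map relative path (with '/' separators) -> findings, for every flagged file under root."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            found = classify(full)
            if found:
                results[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return results


def build_sample_tree():
    """Constructed sample share, written to a temp dir so the example runs offline."""
    root = tempfile.mkdtemp(prefix="share-")
    samples = {
        "Jana's passwords.xls": b"\xd0\xcf\x11\xe0 fake spreadsheet content",
        "keys/AkamaiPrivateKey.ppk": b"PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\nComment: akamai\n",
        "keys/deploy.ppk": b"PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\nComment: deploy\n",
        "scripts/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
        "scripts/id_rsa_enc": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n",
        "README.txt": b"nothing to see here\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for path, reasons in sorted(scan_tree(build_sample_tree()).items()):
        print(path, "->", "; ".join(reasons))
```

Run it against a mounted share or a backup of one; anything reported as "unencrypted" is a credential that is usable by whoever copies the file, and the fix is rotation, not just deletion.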

Posted in Technology | 64 Comments

TA14-329A: Regin Malware

Original release date: November 25, 2014

Systems Affected

Microsoft Windows NT, 2000, XP, Vista, and 7

Overview

On November 24, 2014, Symantec released a report on Regin, a sophisticated backdoor Trojan used to conduct intelligence-gathering campaigns. At this time, the Regin campaign has not been identified targeting any organizations within the United States.

Description

Regin is a multi-staged, modular threat—meaning it has a number of components, each dependent on others to perform an attack. Each of the five stages is hidden and encrypted, with the exception of the first stage. The modular design poses difficulties to analysis, as all components must be available in order to fully understand the Trojan.

Impact

Regin is a remote access Trojan (RAT), able to take control of input devices, capture credentials, monitor network traffic, and gather information on processes and memory utilization. The complex design provides flexibility to actors, as they can load custom features tailored to individual targets. [1]

Solution

Users and administrators are advised to take the following preventive measures to protect their computer networks:

  • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information). [2]
  • Keep your operating system and application software up-to-date – Install software patches so that attackers can’t take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).

The following is a list of the Indicators of Compromise (IOCs) that can be added to network security solutions to determine whether they are present on a network.

MD5s: [1]

Stage 1 files, 32 bit:

06665b96e293b23acc80451abb413e50

187044596bc1328efa0ed636d8aa4a5c

1c024e599ac055312a4ab75b3950040a

2c8b9d2885543d7ade3cae98225e263b

4b6b86c7fec1c574706cecedf44abded

6662c390b2bbbd291ec7987388fc75d7

b269894f434657db2b15949641a67532

b29ca4f22ae7b7b25f79c1d4a421139d

b505d65721bb2453d5039a389113b566

26297dc3cd0b688de3b846983c5385e5

ba7bb65634ce1e30c1e5415be3d1db1d

bfbe8c3ee78750c3a520480700e440f8

d240f06e98c8d3e647cbf4d442d79475

ffb0b9b5b610191051a7bdf0806e1e47

Unusual stage 1 files apparently compiled from various public source codes merged with malicious code:

01c2f321b6bfdb9473c079b0797567ba

47d0e8f9d7a6429920329207a32ecc2e

744c07e886497f7b68f6f7fe57b7ab54

db405ad775ac887a337b02ea8b07fddc

Stage 1, 64-bit system infection:

bddf5afbea2d0eed77f2ad4e9a4f044d

c053a0a3f1edcbbfc9b51bc640e808ce

e63422e458afdfe111bd0b87c1e9772c

Stage 2, 32 bit:

18d4898d82fcb290dfed2a9f70d66833

b9e4f9d32ce59e7c4daf6b237c330e25

Stage 2, 64 bit:

d446b1ed24dad48311f287f3c65aeb80

Stage 3, 32 bit:

8486ec3112e322f9f468bdea3005d7b5

da03648948475b2d0e3e2345d7a9bbbb

Stage 4, 32 bit:

1e4076caa08e41a5befc52efd74819ea

68297fde98e9c0c29cecc0ebf38bde95

6cf5dc32e1f6959e7354e85101ec219a

885dcd517faf9fac655b8da66315462d

a1d727340158ec0af81a845abd3963c1

Stage 4, 64 bit:

de3547375fbf5f4cb4b14d53f413c503

Note: Stages 2, 3, and 4 do not appear on infected systems as real files on disk. Hashes are provided for research purposes only.

Registry branches used to store malware stages 2 and 3:

\REGISTRY\Machine\System\CurrentControlSet\Control\RestoreList

\REGISTRY\Machine\System\CurrentControlSet\Control\Class\{39399744-44FC-AD65-474B-E4DDF-8C7FB97}

\REGISTRY\Machine\System\CurrentControlSet\Control\Class\{3F90B1B4-58E2-251E-6FFE-4D38C5631A04}

\REGISTRY\Machine\System\CurrentControlSet\Control\Class\{4F20E605-9452-4787-B793-D0204917CA58}

\REGISTRY\Machine\System\CurrentControlSet\Control\Class\{9B9A8ADB-8864-4BC4-8AD5-B17DFDBB9F58}

IP IOCs [3]:

61.67.114.73

202.71.144.113

203.199.89.80

194.183.237.145
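The IOCs above are only useful once they are matched against something. The Python below is an added example and is not part of the US-CERT alert: it takes the hashes, registry paths and addresses listed above (the hash set is trimmed here; paste in the full stage-1 list when using it) and matches them against three kinds of input: a directory tree (MD5 of every file), lines from a registry export in `reg query` form, and proxy log lines. It also reflects the advisory's own caveat: stages 2, 3 and 4 are not on disk as files, so file hashing only ever finds stage 1, and the registry paths are the on-host indicator for the later stages. build_sample_dir() and the sample registry and proxy lines are constructed for the example.

```python
import hashlib
import os
import re
import tempfile

# Stage-1 MD5s from the advisory (trimmed; extend with the full list above).
REGIN_STAGE1_MD5 = {
    "06665b96e293b23acc80451abb413e50",
    "187044596bc1328efa0ed636d8aa4a5c",
    "bddf5afbea2d0eed77f2ad4e9a4f044d",   # 64-bit stage 1
    "01c2f321b6bfdb9473c079b0797567ba",   # "unusual" stage 1
}
# Registry branches the advisory lists for stages 2 and 3 (not present as files).
REGIN_REG_KEYS = {
    r"\REGISTRY\Machine\System\CurrentControlSet\Control\RestoreList",
    r"\REGISTRY\Machine\System\CurrentControlSet\Control\Class\{39399744-44FC-AD65-474B-E4DDF-8C7FB97}",
    r"\REGISTRY\Machine\System\CurrentControlSet\Control\Class\{3F90B1B4-58E2-251E-6FFE-4D38C5631A04}",
    r"\REGISTRY\Machine\System\CurrentControlSet\Control\Class\{4F20E605-9452-4787-B793-D0204917CA58}",
    r"\REGISTRY\Machine\System\CurrentControlSet\Control\Class\{9B9A8ADB-8864-4BC4-8AD5-B17DFDBB9F58}",
}
REGIN_IPS = {"61.67.114.73", "202.71.144.113", "203.199.89.80", "194.183.237.145"}


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(root, iocs=REGIN_STAGE1_MD5):
    """[(relative path, md5)] for every file under root whose MD5 is in iocs."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            digest = md5_file(full)
            if digest in iocs:
                hits.append((os.path.relpath(full, root).replace(os.sep, "/"), digest))
    return hits


def normalise_reg_path(path):
    """Map HKLM\\..., HKEY_LOCAL_MACHINE\\... and \\REGISTRY\\Machine\\... onto one lowercase form."""
    p = path.strip().lstrip("\\").lower()
    for prefix in ("hkey_local_machine\\", "hklm\\"):
        if p.startswith(prefix):
            p = "registry\\machine\\" + p[len(prefix):]
    return p


def match_registry(lines, iocs=REGIN_REG_KEYS):
    """[(line number, line)] for export lines that contain one of the IOC key paths."""
    wanted = [normalise_reg_path(k) for k in iocs]
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalise_reg_path(line)
        if any(k in norm for k in wanted):
            hits.append((n, line.strip()))
    return hits


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def match_ips(lines, iocs=REGIN_IPS):
    """[(line number, ip)] for every IOC address that appears in a log line."""
    return [(n, ip) for n, line in enumerate(lines, 1)
            for ip in IP_RE.findall(line) if ip in iocs]


def build_sample_dir():
    """Constructed file tree; returns (root, md5 of the 'suspect' file) for offline use."""
    root = tempfile.mkdtemp(prefix="regin-scan-")
    os.makedirs(os.path.join(root, "drivers"))
    with open(os.path.join(root, "drivers", "suspect.sys"), "wb") as f:
        f.write(b"constructed stand-in for a stage-1 driver\n")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"benign\n")
    return root, md5_file(os.path.join(root, "drivers", "suspect.sys"))


SAMPLE_REG_EXPORT = [   # constructed, in the style of `reg query` output
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}",
    r"HKLM\SYSTEM\CurrentControlSet\Control\RestoreList",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{3F90B1B4-58E2-251E-6FFE-4D38C5631A04}",
]
SAMPLE_PROXY_LOG = [    # constructed
    "2014-11-25T09:12:01Z 10.1.2.30 CONNECT 93.184.216.34:443 200",
    "2014-11-25T09:12:07Z 10.1.2.30 CONNECT 203.199.89.80:443 200",
    "2014-11-25T09:13:44Z 10.1.2.31 CONNECT 194.183.237.145:80 200",
]
```

A hash hit is a strong indicator but an absent hit proves little, since the later stages never touch disk as files; a registry or network hit without a file hit is the expected picture for a host where stage 1 has already been cleaned up.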

References

Revision History

  • November 25, 2014: Initial Release
Posted in Security Alerts | 2 Comments

Alert (TA14-323A) Microsoft Windows Kerberos KDC Remote Privilege Escalation Vulnerability

Latest alert from

 

NCCIC / US-CERT

Systems Affected

  • Microsoft Windows Vista, 7, 8, and 8.1
  • Microsoft Server 2003, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2

Overview

A remote escalation of privilege vulnerability exists in implementations of Kerberos Key Distribution Center (KDC) in Microsoft Windows which could allow a remote attacker to take control of a vulnerable system. [1]

Description

The Microsoft Windows Kerberos KDC fails to properly check service tickets for valid signatures, which can allow aspects of the service ticket to be forged. The improper check allows an attacker to escalate valid domain user account privileges to those of a domain administrator account, which renders the entire domain vulnerable to compromise.

At the time this release was issued, Microsoft was aware of limited, targeted attacks attempting to exploit this vulnerability.

Impact

A valid domain user can present a forged service ticket that claims domain administrator privileges, gain access to and compromise any system on the domain, including the domain controller. [2]

Solution

An update is available from Microsoft. Please see Microsoft Security Bulletin MS14-068 and the Microsoft Security Research and Defense Blog for more details, and apply the necessary updates. [1, 3]
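Once the MS14-068 update (KB3011780) is on every domain controller, the KDC rejects a forged PAC rather than accepting it, and the Security Research and Defense blog post the alert cites describes how that rejection shows up: a Kerberos service ticket event (ID 4769) with Failure Code 0xF (KDC_ERR_SUMTYPE_NOSUPP, the checksum type in the forged PAC is not accepted). The Python below is an added example, not part of the US-CERT alert, that pulls those events out of a Security log exported as XML and groups them by client address. The sample log is constructed; real exports have more fields per event, and the element names used here (TargetUserName, ServiceName, IpAddress, Status) are the standard 4769 EventData names.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Failure Code a patched KDC logs in event 4769 when it rejects a forged PAC.
KDC_ERR_SUMTYPE_NOSUPP = 0xF


def kerberos_ticket_events(xml_text):
    """Yield the EventData of every 4769 (service ticket request) in an exported log."""
    root = ET.fromstring(xml_text)
    for ev in root.iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4769":
            continue
        yield {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}


def forged_pac_rejections(xml_text):
    """[(account, client address, service)] for 4769 events whose Failure Code is 0xF."""
    hits = []
    for d in kerberos_ticket_events(xml_text):
        if int(d.get("Status", "0x0"), 16) == KDC_ERR_SUMTYPE_NOSUPP:
            hits.append((d.get("TargetUserName"), d.get("IpAddress"), d.get("ServiceName")))
    return hits


def rejections_by_source(xml_text):
    """Count rejections per client address; one workstation hammering the KDC stands out."""
    return Counter(ip for _, ip, _ in forged_pac_rejections(xml_text))


# Constructed sample: three 4769s and one unrelated 4768, wrapped in an <Events> root
# the way `wevtutil qe Security /f:xml` output is usually collected for offline analysis.
SAMPLE_SECURITY_LOG = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4769</EventID><Computer>DC01.corp.example</Computer></System>
<EventData><Data Name="TargetUserName">alice@CORP.EXAMPLE</Data><Data Name="ServiceName">cifs/fs01</Data>
<Data Name="IpAddress">::ffff:10.1.2.30</Data><Data Name="Status">0x0</Data></EventData></Event>
<Event><System><EventID>4769</EventID><Computer>DC01.corp.example</Computer></System>
<EventData><Data Name="TargetUserName">bob@CORP.EXAMPLE</Data><Data Name="ServiceName">krbtgt</Data>
<Data Name="IpAddress">::ffff:10.1.2.77</Data><Data Name="Status">0xf</Data></EventData></Event>
<Event><System><EventID>4768</EventID><Computer>DC01.corp.example</Computer></System>
<EventData><Data Name="TargetUserName">bob</Data><Data Name="Status">0x0</Data></EventData></Event>
<Event><System><EventID>4769</EventID><Computer>DC01.corp.example</Computer></System>
<EventData><Data Name="TargetUserName">bob@CORP.EXAMPLE</Data><Data Name="ServiceName">ldap/DC01</Data>
<Data Name="IpAddress">::ffff:10.1.2.77</Data><Data Name="Status">0xf</Data></EventData></Event>
</Events>"""

if __name__ == "__main__":
    for account, ip, service in forged_pac_rejections(SAMPLE_SECURITY_LOG):
        print("forged PAC rejected:", account, "from", ip, "for", service)
    print(rejections_by_source(SAMPLE_SECURITY_LOG).most_common())
```

Two caveats: this only detects attempts against patched DCs, so it says nothing about what happened before the update was installed, and a 0xF can in principle come from a broken non-Windows Kerberos client, so treat a hit as a lead to investigate the source host rather than as proof.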

References

Revisions

  • November 19, 2014: Initial Draft

 

Posted in Security Alerts | 3 Comments

TA14-318A: Microsoft Secure Channel (Schannel) Vulnerability (CVE-2014-6321)

NCCIC / US-CERT

National Cyber Awareness System:

11/14/2014 10:32 AM EST

 

Original release date: November 14, 2014

Systems Affected

  • Microsoft Windows Server 2003 SP2
  • Microsoft Windows Vista SP2
  • Microsoft Windows Server 2008 SP2
  • Microsoft Windows Server 2008 R2 SP1
  • Microsoft Windows 7 SP1
  • Microsoft Windows 8
  • Microsoft Windows 8.1
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows RT
  • Microsoft Windows RT 8.1

Microsoft Windows XP and 2000 may also be affected.

Overview

A critical vulnerability in Microsoft Windows systems could allow a remote attacker to execute arbitrary code via specially crafted network traffic.[1]

Description

Microsoft Secure Channel (Schannel) is a security package that provides SSL and TLS on Microsoft Windows platforms.[2, 3] Due to a flaw in Schannel, a remote attacker could execute arbitrary code on both client and server applications.[1]

It may be possible for exploitation to occur without authentication and via unsolicited network traffic. According to Microsoft MS14-066, there are no known mitigations or workarounds.[2]

Microsoft patches are typically reverse-engineered and exploits developed in a matter of days or weeks.[4] An anonymous Pastebin user has threatened to publish an exploit on Friday, November 14, 2014.[5]

Impact

This flaw allows a remote attacker to execute arbitrary code and fully compromise vulnerable systems.[6]

Solution

Microsoft has released Security Bulletin MS14-066 to address this vulnerability in supported operating systems.[2]

References

Revision History

  • November 14, 2014: Initial Release
Posted in Security Alerts | 3 Comments

TA14-318B: Microsoft Windows OLE Automation Array Remote Code Execution Vulnerability

NCCIC / US-CERT

National Cyber Awareness System:

11/14/2014 05:42 PM EST


Original release date: November 14, 2014

Systems Affected

  • Microsoft Windows Vista, 7, 8, 8.1, RT, and RT 8.1
  • Microsoft Server 2003, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2

Overview

A vulnerability in Microsoft Windows Object Linking and Embedding (OLE) could allow remote code execution if a user views a specially-crafted web page in Internet Explorer.[1]

Description

The Microsoft Windows OLE OleAut32.dll library provides the SafeArrayRedim function that allows resizing of SAFEARRAY objects in memory.[2] In certain circumstances, this library does not properly check sizes of arrays when an error occurs. The improper size allows an attacker to manipulate memory in a way that can bypass the Internet Explorer Enhanced Protected Mode (EPM) sandbox as well as the Enhanced Mitigation Experience Toolkit (EMET).

This vulnerability can be exploited using a specially-crafted web page that uses VBScript in Internet Explorer. However, it may also affect other software that makes use of OleAut32.dll and VBScript.

Exploit code is publicly available for this vulnerability. Additional details may be found in CERT/CC Vulnerability Note VU#158647.

Impact

Arbitrary code can be run on the computer with user privileges. If the user is an administrator, the attacker may run arbitrary code as an administrator, fully compromising the system.

Solution

An update is available from Microsoft.[3] Please see Microsoft Security Bulletin MS14-064 for more details and mitigation guidance, and apply the necessary updates.

References

Revision History

  • November 14, 2014: Initial Release
Posted in Security Alerts | 1 Comment