On Monday, December 28, Adobe released an emergency security update that closes 19 vulnerabilities in Flash Player. The vulnerabilities can be exploited by attackers to execute malicious code on the victim's computer and take full control of it. Users of Flash Player on every supported OS are at risk.
The growing number of threats forces developers of security analysis tools to improve their products constantly. The information security market now offers a wide choice of security scanners from different vendors, and they differ in effectiveness. This makes it impossible to release a new version of a scanner without a competitive analysis against similar products.
Positive Technologies has developed its own competitive analysis methodology for testing and comparing scanners by objective criteria, such as the types and number of vulnerabilities found and the completeness of scanning for different targets. In addition, a Database of Competitive Analysis (DBCA) was created. It collects the unique vulnerabilities found by manual checks and by automated scanning of synthetic targets, real websites, CMS, web applications and other information systems with security scanners (WebEngine, built into PT AF and PT AI; Acunetix; AppScan; and others). DBCA is used to compare the scanning results of new versions of the Positive Technologies scanners with the results of third-party scanners, and to eliminate false positives.
However, filling DBCA requires months of manual work by highly skilled test engineers. Setting up environments and scanning takes a lot of time, sometimes weeks, and validating the found vulnerabilities takes even longer. Three engineers of the QA department spent a year filling the current database. Hence the need to speed up and automate the work.
Formally, the task was to convert DBCA into a knowledge base using a neural network (as the decision rule) and fuzzy scales (for a linguistic assessment of the classification results in a form a person can understand). In practice, DBCA was extended with rules and mechanisms for eliminating false positives, which are sorted in advance by the degree of confidence that they really exist, estimated on a fuzzy scale. This sped up the test engineers' work on analyzing scan results and eliminating false positives.
Security researchers Hector Marco and Ismael Ripoll published information about a 0-day vulnerability they found in the popular Grub2 bootloader, which is used in most Linux systems. Exploiting the vulnerability gives access to the Grub2 rescue console while bypassing the password. This, in turn, lets an attacker escalate privileges on the system and gain access to all of its data.
On Tuesday, December 14, the Joomla development team released an urgent security update that closes a 0-day vulnerability allowing attackers to execute code remotely. Hackers are already actively trying to attack vulnerable websites.
In the summer of 2015, Internet users widely discussed the security problems of antivirus tools. Recall that serious vulnerabilities were then found in ESET products, and later in BitDefender and Symantec. This week, further problems with the protection of antivirus software became known: a user of the Google Code resource published descriptions and test cases for exploiting four serious vulnerabilities in Avast antivirus, two of them critical.
On December 3, the Call for Papers opens for the sixth international forum on practical security, Positive Hack Days, which will take place in Moscow on May 17 and 18, 2016. The program committee considers talk proposals both from recognized experts in information security and from beginning researchers.
Cyberthreat specialists increasingly find themselves on opposite sides of the barricades: competitive intelligence against DLP, developers of protective systems against targeted cyberattacks, cryptographers against reverse engineers, SOC against advanced hackers. In line with the new PHDays concept, we would like to reflect the real state of the security industry in the Standoff format.
From vulnerability researchers we expect talks about real threats and their possible consequences. From developers and integrators of security tools we want to hear not just stories about "innovative protection technologies", but responses to those specific threats. Perhaps you have faced little-studied cyberattacks and managed to cope with them by nontrivial methods? Tell us about your experience from the PHDays stage.
The talk is a logical continuation of the "#root via SMS" research completed in 2014 by the SCADA Strangelove team. That research covered modem vulnerabilities only partially, within a broader description of vulnerabilities in telecom operators' equipment. Here we describe all the vulnerabilities found and exploited in eight popular models of 3G and 4G modems available in Russia and worldwide. The vulnerabilities allow remote code execution in web scripts (RCE), arbitrary firmware modification, cross-site request forgery (CSRF) and cross-site scripting (XSS).
The research also describes the most complete set of attack vectors against telecom clients who use these modems: device identification, code injection, infecting the user's computer to which the modem is connected, SIM card forgery and data interception, locating the subscriber and accessing their personal account on the operator's portal, as well as targeted attacks (APT). The slides of this research as presented at ZeroNights 2015 are available here.
On November 22, 2015 (see also the mention of it on Habr), the programmer Joe Nord was the first to notice the error and described it in his blog. He reported that he had bought a Dell Inspiron 5000 notebook on which a root security certificate named eDellRoot was preinstalled.
The problem is that the private key of this root certificate is stored on the computer, which gives attackers ample opportunities to carry out man-in-the-middle attacks.
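A check a defender can run on an affected Windows machine, added here as an example and not taken from the original post or from Dell: it searches the trusted root stores for a certificate named eDellRoot and reports whether the private key is present locally, which is the condition that makes the man-in-the-middle scenario possible. It assumes a Windows host with PowerShell 3 or later and the built-in Cert: drive.

```powershell
# Added example: find the eDellRoot certificate in the trusted root stores
# and report whether its private key is on this machine.
# Assumes PowerShell 3+ with the Cert: provider (standard on Windows).
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*eDellRoot*' -or $_.FriendlyName -like '*eDellRoot*' } |
        Select-Object @{ n = 'Store'; e = { $store } },
                      Subject, Thumbprint, NotAfter, HasPrivateKey
}

if (-not $found) {
    Write-Output 'eDellRoot is not present in the trusted root stores.'
} else {
    # Show every match, then flag the dangerous case: a trusted root whose
    # private key lives on the same machine can sign certificates for any site.
    $found | Format-Table -AutoSize
    $found | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        Write-Warning ("Private key for '{0}' (thumbprint {1}) is present in {2}; " +
                       "remove the certificate and its key.") -f $_.Subject, $_.Thumbprint, $_.Store
    }
    # To remove a match together with its key (run as administrator), use
    # the certificate's path in the Cert: drive, for example:
    # Remove-Item -Path "Cert:\LocalMachine\Root\<THUMBPRINT-FROM-OUTPUT>" -DeleteKey
}
```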
Last year attackers carried out 30% more attacks on Russian banks than the year before, and attempted to withdraw about 6 billion rubles. Attacks often succeed because of the insufficient security of financial applications.
According to our statistics, more than half of remote banking systems (54%) contained XSS vulnerabilities that allow a MitM attack and interception of access to Internet banking. The situation with mobile banking applications looks no better: in 2014, 70% of "wallets" for Android and 50% for iOS contained vulnerabilities sufficient to gain access to the account.
It is much cheaper to uncover vulnerabilities at an early stage than to untangle the consequences of their exploitation later. In mid-October, Positive Technologies experts Timur Yunusov and Vladimir Kochetkov held a two-day master class on secure development of banking applications. Today we present a short retelling.
A conversation about security problems and their possible solutions should begin with the typical security problems of banking applications.
Recently, Habr and Geektimes have seen many articles (1, 2, 3, 4, 5, 6, 7) about a SIM card endowed with unseen and unheard-of capabilities, which caused concern and interest in various circles. There was plenty of skepticism and argument, and then various theories, at times staggering in their unreality. Let's try to lift the veil of secrecy a little from the technical side. Naturally, these tests would not have been possible without the SIM card itself, which was kindly provided to us by MagisterLudi.
For those who do not want to read a lot of text, I summarize: there is no forced encryption, there is no protection against interception systems, there is no connection to the base station that is second by signal level, number substitution is there, voice substitution is there, billing is there, there is no hiding of the IMSI, there is no hiding of location.