New ASLR-busting JavaScript is about to make drive-by exploits much nastier

February 18, 2017 – 7:01 AM

For a decade, every major operating system has relied on a technique known as address space layout randomization to provide a first line of defense against malware attacks. By randomizing the computer memory locations where application code and data are loaded, ASLR makes it hard for attackers to execute malicious payloads when exploiting buffer overflows and similar vulnerabilities. As a result, exploits cause a simple crash rather than a potentially catastrophic system compromise.

Now, researchers have devised an attack that could spell the end of ASLR as the world knows it now. The attack uses simple JavaScript code to identify the memory addresses where system and application components are loaded. When combined with attack code that exploits vulnerabilities in browsers or operating systems, the JavaScript can reliably eliminate virtually all of the protection ASLR provides. The technique, which exploits what’s known as a side channel in the memory cache of all widely used modern CPUs, is described in a research paper published on Wednesday. The researchers have dubbed the technique ASLR Cache or AnC for short.
“Fundamentally insecure”

The researchers said the side channel attack is much more damaging than previous ASLR bypasses, because it exploits a micro-architectural property of the CPU that is independent of any operating system or application running on it. Whereas heap spraying and other forms of ASLR bypass can often be mitigated by software tweaks, there isn’t much that can stop or lessen the effects of the JavaScript, which targets a CPU’s MMU, or memory management unit. That’s because CPU caching behavior and strong address space randomization are mutually exclusive. (Apple, however, recently hardened its Safari browser to partially mitigate such attacks. It’s also possible to prevent JavaScript from running in a browser, but such blocking often severely degrades a site’s usability.)


This ‘invisible’ memory-based malware is infiltrating organisations across the globe

February 9, 2017 – 4:53 AM

Cybercriminals are launching ‘invisible’ attacks to infiltrate the networks of organisations to steal login credentials and financial data — and the only tool they’re using is legitimate software.

It’s thought that over 140 organisations including banks, telecommunications companies, and government organisations across the globe have fallen victim to these hidden malware attacks.

Discovered by cybersecurity researchers at Kaspersky Lab, the attacks use widely-available tools, including penetration-testing and administration software as well as the PowerShell framework for task automation in Windows, to hide malware in victims’ computer memory, instead of the more traditional tactic of dropping it onto the hard drive.

This form of attack leaves investigators with almost no evidence that an attack took place, and any indication of an incident is removed when the system is rebooted.

The discovery came after Kaspersky Lab was contacted by banks which had found Meterpreter penetration-testing software in the memory of their servers when it wasn’t supposed to be in that location.

Meterpreter had its code combined with legitimate PowerShell scripts and other utilities, with the aim of stealing administrator passwords and remotely controlling machines and systems. All of these factors indicate the attackers are attempting to make off with credentials about financial processes.

This ‘invisible’ method of attack makes it difficult to uncover details about incidents because a lack of traces of hacker activity mean the normal processes of incident response don’t apply.


A Study on Private Browsing: Consumer Usage, Knowledge, and Thoughts

February 3, 2017 – 11:53 AM

At DuckDuckGo, our vision is to raise the standard of trust online. To that end, we strive to understand what people know about online privacy and how they use the privacy features available to them. This report focuses on the feature in web browsers commonly referred to as “Private Browsing.”

“Private Browsing,” “Privacy Mode,” “Secret Mode,” or “Incognito Mode” is a system of web browsing that clears browsing history and file cache after use. Despite Private Browsing being one of the most commonly known and used privacy features, we find that most people misunderstand the privacy protections it provides.

Our findings are based on a survey conducted with a random sampling of 5,710 Americans who were asked to share their experiences with Private Browsing.

Source (pdf download):

Look before you paste from a website to terminal

February 1, 2017 – 4:04 PM

Most of the time, when we see a code snippet online that does something we want, we blindly copy-paste it into the terminal. Even the tech-savvy just glance at it on the website before copy-pasting. Here is why you shouldn’t do this.
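A simple pre-paste check, added here as an example and not code from the original post: it inspects a snippet for the things a page can hide in "copy this command" text that the rendered page does not show (an embedded newline or carriage return that makes the terminal run the line the instant it is pasted, ESC/control bytes, and zero-width or bidi-override Unicode). The `xclip -o` usage in the comment is an assumption about the clipboard tool.

```shell
#!/bin/sh
# Added example (not from the original post). paste_check returns 0 when the
# snippet looks clean and 1 when it contains characters that would make the
# pasted text behave differently from what the page displayed.
# Suggested use (assumes xclip is installed): paste_check "$(xclip -o)"

paste_check() {
    # $1: the snippet text.
    _s=$1
    _bad=0
    # Build newline and CR in variables: "$(printf '\n')" would be empty,
    # because command substitution strips trailing newlines.
    _nl=$(printf '\nx'); _nl=${_nl%x}
    _cr=$(printf '\rx'); _cr=${_cr%x}
    # 1. Embedded newline/CR: the terminal executes the line on paste.
    case "$_s" in
        *"$_nl"*|*"$_cr"*)
            echo "WARN: embedded newline/CR - would execute on paste" >&2
            _bad=1 ;;
    esac
    # 2. Any other C0 control byte (ESC, BS, DEL, ...) once the harmless
    #    tab/newline/CR bytes are dropped; ESC sequences can clear or
    #    overwrite what you see on screen.
    if printf '%s' "$_s" | LC_ALL=C tr -d '\n\r\t' | LC_ALL=C grep -q '[[:cntrl:]]'; then
        echo "WARN: control/escape bytes present" >&2
        _bad=1
    fi
    # 3. UTF-8 byte sequences of U+200B (zero width space) and U+202E
    #    (right-to-left override): invisible or visually reordered text.
    if printf '%s' "$_s" | LC_ALL=C grep -q \
        -e "$(printf '\342\200\213')" -e "$(printf '\342\200\256')"; then
        echo "WARN: zero-width or bidi-override characters" >&2
        _bad=1
    fi
    return $_bad
}

# Constructed demo: a snippet with a hidden second line.
_demo=$(printf 'echo hello\necho this line would run immediately')
if paste_check "$_demo"; then echo "clean"; else echo "suspicious"; fi
```

Pasting into an editor first, or using a shell with bracketed-paste support, is the complementary habit; this check only tells you what the clipboard really holds.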


Easy-to-exploit authentication bypass flaw puts Netgear routers at risk

February 1, 2017 – 4:02 PM

For the past half year Netgear has been working on fixing a serious and easy-to-exploit vulnerability in many of its routers. And it’s still not done.

While Netgear has worked to fix the issue, the list of affected router models increased to 30, of which only 20 have firmware fixes available to date. A manual workaround is available for the rest.

The vulnerability was discovered by Simon Kenin, a security researcher at Trustwave, and stems from a faulty password recovery implementation in the firmware of many Netgear routers. It is a variation of an older vulnerability that has been publicly known since 2014, but this new version is actually easier to exploit.

In January 2014, a researcher found that he could trick the web-based management interface of Netgear WNR1000v3 routers to disclose the admin’s password. The exploit involved passing a numerical token obtained from one script called unauth.cgi to another called passwordrecovered.cgi. Neither of them required authentication to access.

Last year, Kenin came across this old exploit when he wanted to break into his own router — a different Netgear model — and realized that it worked. The researcher decided to write a script to automate the exploit so that other people could test their own router models, but due to a programming error the script didn’t pass the correct token to passwordrecovered.cgi. Yet the exploit still worked.