Hackers beat Firefox and Safari to earn $105K at Pwn2Own

Zero-day exploits earned hackers $105,000 in total on Thursday during the second day of the Pwn2Own contest in Vancouver, British Columbia. Packed into a small basement room, a rapt crowd watched as Richard Zhu successfully hacked Firefox and gained control of the target computer to win $50,000 and clinch the overall victory for the competition. That was in addition to his win on Wednesday, when he earned $70,000 by successfully targeting Microsoft Edge with an exploit that took him almost a week of work to develop. Zhu, a veteran of the world-class Carnegie Mellon University capture-the-flag (CTF) team as well as of previous Pwn2Own competitions, had a particularly memorable run against Microsoft Edge: he debugged his exploit on the fly and on the clock, succeeding on his third and final attempt. It followed a three-strike failure when Zhu opened the contest with an unsuccessful attempt to hack Safari, Apple’s default browser. “I put a lot of work into […]

The post Hackers beat Firefox and Safari to earn $105K at Pwn2Own appeared first on Cyberscoop.

Safari, Microsoft Edge exploits earn hackers $135k at Pwn2Own

Zero-day exploits netted hackers $135,000 in total on Wednesday during the Pwn2Own contest in Vancouver, British Columbia. Exploits targeting the Apple Safari and Microsoft Edge web browsers were the highlight of the first day of Pwn2Own, a zero-day vulnerability hacking contest organized by Trend Micro’s Zero Day Initiative. Some of the best hackers in the world attended this year to compete for a share of $2 million in prizes. One of the biggest wins of the day belonged to Samuel Groß (saelo), who successfully targeted Apple Safari with a macOS kernel escalation of privilege. He capped off his $65,000 payday with a bit of showmanship by signing the touchbar on a MacBook Pro:

Success! Samuel Groß (@5aelo) manages to pop calc and brings back his trademark touchbar finesse. Now off to the disclosure room for confirmation and vendor notification. pic.twitter.com/REQh1kHBjB — Zero Day Initiative (@thezdi) March 14, 2018

Richard Zhu, a veteran of Pwn2Own, competed twice on Wednesday. […]

The post Safari, Microsoft Edge exploits earn hackers $135k at Pwn2Own appeared first on Cyberscoop.

China’s national vulnerability database is merely a tool for their intelligence agencies

China’s National Vulnerability Database is being manipulated so that vulnerabilities used by Chinese-linked hacking groups can be taken advantage of, according to new research from Boston-based cybersecurity firm Recorded Future. The Chinese database (CNNVD) is on average twice as fast and significantly more comprehensive than its U.S. counterpart, but researchers showed in November that Beijing’s intelligence community effectively runs the database. The Ministry of State Security (MSS), where the CNNVD is housed, evaluates vulnerabilities to see if they can be used in intelligence operations before the vulnerabilities are published. Now Chinese officials are doctoring initial vulnerability publication dates in what appears to be a sloppy cover-up. Recorded Future’s research looks at 267 high-threat vulnerabilities that the Chinese database published up to 156 days later than lower-threat vulnerabilities. Many of the vulnerabilities have been used in Chinese intelligence operations. “CNNVD had gone back and backdated the publication days for 99 percent of the vulnerabilities we identified,” […]

The post China’s national vulnerability database is merely a tool for their intelligence agencies appeared first on Cyberscoop.

Code for massive ‘Memcrashed’ DDoS attack made public

You, too, can now attempt a record-setting denial-of-service attack, as the tools used to launch the attacks were publicly posted to GitHub this week. Proof-of-concept code by Twitter user @037, combined with a list of 17,000 IP addresses of vulnerable Memcached servers obtained from the Shodan.io computer search engine, allows anyone to send forged UDP packets to those servers. It’s been just over a week since the first massive Memcached-fueled denial-of-service attack. The authors say the new tool is being released “to bring more attention to the flaw and force others into updating their devices.” The era of terabit DDoS attacks was ushered in this month, when giant denial-of-service attacks last week set records at 1.35 terabits per second and 1.7 terabits per second. They used unsecured Memcached servers to launch the attacks, one of which targeted GitHub itself. The latter attack targeted an unnamed U.S. service provider, according to Arbor Networks. A second tool was released on […]

The post Code for massive ‘Memcrashed’ DDoS attack made public appeared first on Cyberscoop.

Senators ask voting machine manufacturers if Russia reviews source code

Two Democratic senators sent a letter to U.S. voting machine manufacturers asking the companies whether they allow Russian entities to review the source code of their products. Senators Amy Klobuchar, D-Minn., and Jeanne Shaheen, D-N.H., sent the letters to the three largest election equipment vendors in the United States: Election Systems & Software, Dominion Voting Systems and Hart Intercivic. The senators said Russian source code review could help that country hack American election technology. Numerous American companies, including Cisco, IBM and SAP, allow the Russian government to review their source code to comply with the country’s regulations and gain entry into the country’s markets. “Foreign access to critical source code information and sensitive data continues to be an often overlooked vulnerability. Further, if such vulnerabilities are not quickly examined and mitigated, future elections will also remain vulnerable to attack,” the senators wrote. “The 2018 election season is upon us. Primaries have already begun, […]

The post Senators ask voting machine manufacturers if Russia reviews source code appeared first on Cyberscoop.

Equifax says 2.4 million more Americans impacted by 2017 mega-breach

What’s another couple million? The credit firm Equifax added 2.4 million Americans to the list of individuals impacted by the giant July 2017 breach. This is the second time the company has added millions of names to the tally. The total now comes to around 148 million people. “Equifax will notify these newly identified U.S. consumers directly, and will offer identity theft protection and credit file monitoring services at no cost to them,” the company said in a statement. Equifax lost a handful of executives following the breach, but the company itself is doing fine. Equifax’s stock price is up, profits are climbing and Congress looks like it’ll take no legislative action to curb mega-breaches despite a handful of hearings on the topic. Last month, Equifax named Home Depot Chief Information Security Officer Jamil Farshchi as its new CISO. His first job is not just cleaning up last year’s historic data breach but, maybe just […]

The post Equifax says 2.4 million more Americans impacted by 2017 mega-breach appeared first on Cyberscoop.

Big banks want to weaken the internet’s underlying security protocol

The tech and financial industries are butting heads over the latter’s push to intentionally weaken a security protocol that underlies how the public securely accesses the vast majority of the internet. Critics charge that the financial industry is pushing for a weakness in the new version of the Transport Layer Security (TLS) protocol, all for the sake of avoiding the time, effort and resources needed to adapt to the new standard. TLS is a bedrock internet security protocol used to secure everything from web browsing and email to instant messaging, voice, video and the internet of things. A new version, known as TLS 1.3, will usher in the largest changes in the protocol’s history. Contributors are hammering out the details before the update is likely to be finalized at the March meeting of the Internet Engineering Task Force (IETF), an independent group that designs internet standards. Heading into the meeting, the financial […]

The post Big banks want to weaken the internet’s underlying security protocol appeared first on Cyberscoop.

GitHub hit with record 1.35-Tbps denial of service attack, more attacks expected

GitHub suffered and survived a record 1.35-terabit-per-second denial of service attack on Wednesday, an unprecedented deluge of traffic that’s spotlighting just how powerful “amplification attacks” can be — and a new attack vector experts predict is about to become a lot more common. The top comment on the Hacker News discussion says it all: “Wow, 1.35Tbps? That’s a lot for a DoS attack, right?” It’s still early in 2018, but that could be the understatement of the year so far. Wednesday’s attack counts as the most powerful denial of service barrage against a single site in history. It’s significantly larger than the 2016 Mirai botnet attacks that brought down a host of the internet’s biggest websites through an attack on Dyn that rippled out to other sites dependent on the company’s infrastructure and DNS services. GitHub went down a number of times during this week’s attack until traffic was moved to […]

The post GitHub hit with record 1.35-Tbps denial of service attack, more attacks expected appeared first on Cyberscoop.

Trustico revokes 23,000 SSL certificates due to compromise

Strap in for this one: A bizarre mess in the world of security certificates has resulted in over 23,000 SSL certificates being revoked in one fell swoop, accusations of malpractice and legal threats. As to why the conflict started in the first place, we don’t exactly know. Early Wednesday, thousands of customers began receiving emails from the security firm DigiCert saying their SSL certificates were being revoked because of a security compromise at Trustico. Trustico, an SSL reseller, quickly and emphatically denied that any compromise took place. In response, DigiCert began posting numerous private keys — after the impacted certificates were changed — as proof of compromise. Here’s the Wednesday morning email that started everything:

@digicert can you please explain the email I received from rapidssl/digicert blaming @MrTrustico for the revocation of my certs in 24hrs due to them reporting a compromise of the private keys? Where’s the proof of the report/breach? Why are […]

The post Trustico revokes 23,000 SSL certificates due to compromise appeared first on Cyberscoop.
