<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>VR World &#187; Exploit</title>
	<atom:link href="http://www.vrworld.com/tag/exploit/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.vrworld.com</link>
	<description></description>
	<lastBuildDate>Fri, 10 Apr 2015 07:54:22 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=4.1.1</generator>
	<item>
		<title>Yahoo Hacked via Shellshock Vulnerability</title>
		<link>http://www.vrworld.com/2014/10/06/yahoo-hacked-via-shellshock-vulnerability/</link>
		<comments>http://www.vrworld.com/2014/10/06/yahoo-hacked-via-shellshock-vulnerability/#comments</comments>
		<pubDate>Tue, 07 Oct 2014 01:40:08 +0000</pubDate>
		<dc:creator><![CDATA[Anshel Sag]]></dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Bash Bug]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[Exploit]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Shellshock]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[Yahoo]]></category>
		<category><![CDATA[Yahoo email]]></category>
		<category><![CDATA[Yahoo mail]]></category>

		<guid isPermaLink="false">http://www.brightsideofnews.com/?p=39694</guid>
		<description><![CDATA[<p>The Shellshock bug, also known as the bash bug, appears to already be taking some major tech companies as its first victims.</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2014/10/06/yahoo-hacked-via-shellshock-vulnerability/">Yahoo Hacked via Shellshock Vulnerability</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="980" height="600" src="http://cdn.vrworld.com/wp-content/uploads/2014/10/YahooLogo1.jpg" class="attachment-post-thumbnail wp-post-image" alt="Yahoo Logo" /></p><p>A <a href="http://www.futuresouth.us/yahoo_hacked.html" target="_blank">security researcher has discovered</a> that Yahoo has become a victim of the newly discovered <a title="No, Kevin Mitnick is not Selling Zero Day Exploits to Hackers" href="http://www.brightsideofnews.com/2014/09/25/kevin-mitnick-selling-zero-day-exploits-hackers/">Shellshock vulnerability</a> (also known as bash bug), with Romanian hackers gaining access to Yahoo&#8217;s systems. <a href="http://www.futuresouth.us/yahoo_response.jpg" target="_blank" rel="lightbox-0">An email from Yahoo&#8217;s security team</a> already confirms that Yahoo has been hacked. This was originally submitted to Yahoo, but isn&#8217;t eligible for their bug bounty program, which for some reason doesn&#8217;t reward people for finding chinks in Yahoo&#8217;s armor for them before hackers do. This appears to be a significant flaw in Yahoo&#8217;s security policies and must be addressed by Marissa Mayer herself.</p>
<blockquote><p>He states:<br />
Disclosure and disclaimer: This document is being released due to several high profile companies being infiltrated using the recent Shellshock vulnerability, and what I have deemed as an improper response, or lack thereof, to resolving the issue from certain key companies contacted, as well as the FBI. Amongst the affected companies are Yahoo! and Lycos, major players and names in the technology world. This breach affects ALL of us in one way or another, and it’s crucial that this problem be resolved with haste. The FBI took the information down and went on their way. Yahoo! has not responded at all. I’ve attempted to email them, call them, and resorted to contacting Marissa Mayer directly via both email and Twitter, neither to which I have received a response as of yet. The ignoring of this issue is grossly negligent and even almost criminal. As such, I felt that for the safety of anyone using these services, it would be best to publicly disclose as much information as needed to get them moving and working towards resolving the issue before things get worse. All research and testing discussed in this paper was performed by Jonathan D. Hall of Future South Technologies.</p></blockquote>
<p>Yahoo has been struggling to gain back trust from users after their <a href="http://www.forbes.com/sites/jameslyne/2014/01/31/yahoo-hacked-and-how-to-protect-your-passwords/" target="_blank">email data breaches</a> and the overall meltdown of the company as an internet destination for most users. Under Marissa Mayer&#8217;s rule, the company has tried to become more of a content provider rather than a search or news destination. Their most popular applications like Flickr have struggled to really retain their audiences and regain the losses to other services like 500px due to simply being too unwilling to listen to the community and simply give them what they want. Flickr was once the default destination for professional and amateur photographers and since the service&#8217;s decline tons of viable competitors have cropped up to give people what they want.</p>
<p>The problem here for Yahoo is that they simply are not taking security risks seriously and continually find themselves the targets of hackers. Why? Because they appear not to take security as seriously as they say they do. And Yahoo still has a fairly large user base, especially Yahoo mail, which means that they become a big juicy target for hackers that know that Yahoo is slow to adapt and secure. The security game is an ever evolving one and if your security team is not constantly working to address new threats and actively working to prevent them, then you are going to end up like Yahoo, a sitting duck and popular target.</p>
<p>Yahoo <a href="http://www.businessweek.com/news/2014-10-06/yahoo-says-no-data-stolen-in-shellshock-hack" target="_blank">has said to Bloomberg</a> that three of their servers were compromised but that no data was taken, which may still need to be evaluated if only three servers were accessed.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2014/10/06/yahoo-hacked-via-shellshock-vulnerability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>No, Kevin Mitnick is not Selling Zero Day Exploits to Hackers</title>
		<link>http://www.vrworld.com/2014/09/25/kevin-mitnick-selling-zero-day-exploits-hackers/</link>
		<comments>http://www.vrworld.com/2014/09/25/kevin-mitnick-selling-zero-day-exploits-hackers/#comments</comments>
		<pubDate>Fri, 26 Sep 2014 00:43:12 +0000</pubDate>
		<dc:creator><![CDATA[Anshel Sag]]></dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Rumors]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Exploit]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[Kevin Mitnick]]></category>
		<category><![CDATA[Malicious]]></category>
		<category><![CDATA[Researchers]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Wired]]></category>
		<category><![CDATA[Zero Day]]></category>
		<category><![CDATA[Zero Day Exploit]]></category>

		<guid isPermaLink="false">http://www.brightsideofnews.com/?p=39287</guid>
		<description><![CDATA[<p>There&#8217;s a very good chance that today&#8217;s Wired piece about Kevin Mitnick&#8217;s newest venture has a lot to do with the discovery of the Bash ...</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2014/09/25/kevin-mitnick-selling-zero-day-exploits-hackers/">No, Kevin Mitnick is not Selling Zero Day Exploits to Hackers</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="980" height="600" src="http://cdn.vrworld.com/wp-content/uploads/2014/09/GhostInTheWires.jpg" class="attachment-post-thumbnail wp-post-image" alt="Zero Day Kevin Mitnick" /></p><p>There&#8217;s a very good chance that today&#8217;s <em>Wired</em> piece about Kevin Mitnick&#8217;s newest venture has a lot to do with the discovery of the <a href="https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/" target="_blank">Bash Bug</a> within various Linux and Unix operating systems. This bug could be considered a Zero Day exploit because it is a security vulnerability within an application that can be exploited while the software vendor has no knowledge of it yet or has not patched it yet.</p>
<p>Either way, it is a vulnerability that someone can take advantage of. Now, <em>Wired</em> ran a piece about <a href="https://www.mitnicksecurity.com/" target="_blank">Kevin Mitnick and his security company</a>, which offers a whole host of internet and non-net consulting, all pertaining to security. The <a href="http://www.wired.com/2014/09/kevin-mitnick-selling-zero-day-exploits/" target="_blank"><em>Wired</em> piece</a> in question talks about one of Mitnick&#8217;s latest ventures and claims that his company is finding security researchers&#8217; and hackers&#8217; zero day exploits and selling them to the highest bidder.</p>
<p>&#8220;With his latest business venture, Mitnick has switched hats again: This time to an ambiguous shade of gray,&#8221; <em>Wired </em>wrote.</p>
<p>Late last week, Mitnick revealed a new branch of his security consultancy business he calls Mitnick’s Absolute Zero Day Exploit Exchange. Since its quiet inception six months ago, he says the service has offered to sell corporate and government clients high-end “zero-day” exploits, hacking tools that take advantage of secret bugs in software for which no patch yet exists. Mitnick says he’s offering exploits developed both by his own in-house researchers and by outside hackers, guaranteed to be exclusive and priced at no less than $100,000 each, including his own fee.</p>
<p>And what will his clients do with those exploits? “When we have a client that wants a zero-day vulnerability for whatever reason, we don’t ask, and in fact they wouldn’t tell us,” Mitnick tells <em>Wired</em> in an interview. “Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between.”</p>
<p>Mitnick declined to name any of his customers, and wouldn’t say how many, if any, exploits his exchange has brokered so far. But the <a href="https://www.mitnicksecurity.com/shopping/absolute-zero-day-exploit-exchange">website he launched to reveal the project last week</a> offers to use his company’s “unique positioning among security researchers and the hacker community” to connect exploit developers with “discerning government and corporate buyers.&#8221;</p>
<p>In fact, they interviewed Mitnick and appear to have taken many of his quotes out of context in order to sell their own agenda that he is selling these Zero Day exploits to whoever will pay him. It also seems odd that they would include commentary from people on Twitter as part of their article when it&#8217;s merely an opinion and doesn&#8217;t actually add anything to the piece, other than mentioning that Mitnick responded to his tweet.</p>
<p>The reality of the situation is that for people that discover vulnerabilities in government and corporate infrastructure, there is a very difficult balance to strike. Many ethical hackers looking to notify companies of their security holes eventually become the targets of investigations and are attacked for what they do. Sure, there are plenty of unethical hackers out there that might try to hold a company ransom for a fee to give them the Zero Day that they&#8217;ve found, but that has nothing to do with what Mitnick is doing. Mitnick&#8217;s company is offering researchers and security-minded people an intermediary to help those companies find and close Zero Day exploits, to reward the researchers for their work, and at the same time to protect them from frivolous lawsuits if they try to approach the company directly.</p>
<p>Mitnick&#8217;s company vigorously vets all of their potential clients and makes sure that no bad actors are being involved in the process. They are not selling Zero Day exploits to competitors of the companies that have the security holes and they aren&#8217;t selling Zero Day exploits to the government that might make a company vulnerable. The goal is to help companies see their problems and give them the opportunity to fix them before they become public.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2014/09/25/kevin-mitnick-selling-zero-day-exploits-hackers/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Time to Run and Hide from Internet Explorer, For Now</title>
		<link>http://www.vrworld.com/2014/04/29/time-run-hide-internet-explorer-now/</link>
		<comments>http://www.vrworld.com/2014/04/29/time-run-hide-internet-explorer-now/#comments</comments>
		<pubDate>Tue, 29 Apr 2014 19:19:02 +0000</pubDate>
		<dc:creator><![CDATA[Anshel Sag]]></dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Browser]]></category>
		<category><![CDATA[Chrome]]></category>
		<category><![CDATA[Exploit]]></category>
		<category><![CDATA[Firefox]]></category>
		<category><![CDATA[IE11]]></category>
		<category><![CDATA[IE6]]></category>
		<category><![CDATA[IE9]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Operation Clandestine Fox]]></category>
		<category><![CDATA[Remote Code Execution]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[Zero Day]]></category>

		<guid isPermaLink="false">http://www.brightsideofnews.com/?p=34780</guid>
		<description><![CDATA[<p>Internet Explorer has had a pretty bad reputation over the years as a pretty awful browser, and from the IE6 through the IE9 days, that ...</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2014/04/29/time-run-hide-internet-explorer-now/">Time to Run and Hide from Internet Explorer, For Now</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="1920" height="1200" src="http://cdn.vrworld.com/wp-content/uploads/2014/04/IE9V2_31.jpg" class="attachment-post-thumbnail wp-post-image" alt="Internet Explorer" /></p><p>Internet Explorer has had a pretty bad reputation over the years as a pretty awful browser, and from the IE6 through the IE9 days, that was a pretty accurate statement. However, nowadays Internet Explorer is fairly good and the only browser on Windows worth anything for touch. The guys and gals over at <a href="http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html" target="_blank">FireEye managed to discover this Zero Day Exploit</a> and dubbed the entire operation, &#8220;Operation Clandestine Fox.&#8221; They claim that this zero day exploit targets IE9 through IE11 browsers, which make up about 26% of all browser users around the world which is pretty significant. Microsoft has <a href="https://technet.microsoft.com/en-US/library/security/2963983" target="_blank">also put out a security bulletin</a> on the issue stating that users using IE6 through IE11 could be affected, which would broaden the scope of this issue by millions more users.</p>
<p>While Microsoft claims this issue is occurring in &#8220;limited attacks,&#8221; the potential for this attack to grow is exponentially greater now that the issue has been discovered but not yet fixed. We don&#8217;t know the details of how long FireEye waited to let Microsoft resolve this issue before they announced it, but I have a feeling they didn&#8217;t just post about it and expect Microsoft to deal with the repercussions. Microsoft is a much more serious company when it comes to security, which is what makes this IE zero day vulnerability all the more puzzling. The fact that such a zero day has managed to exist through potentially all versions of IE and only get caught now is also a bit suspicious (now that we live in the post-Snowden era where anything could be deliberate).</p>
<p>As described by the FireEye team, the exploit leverages a previously unknown use-after-free vulnerability as well as a well-known Flash exploit to achieve arbitrary memory access and bypass Windows&#8217; ASLR and DEP protections. What this ultimately means for users is that if you&#8217;re using Internet Explorer right now, you should probably stop doing so and switch to Chrome or Firefox until this issue gets resolved. Personally, I use four different browsers simultaneously, but I don&#8217;t really recommend that to anyone, especially in this case. If you absolutely must use Internet Explorer, then you should disable Flash (or uninstall it) and use your browser with a proper anti-virus application, even though it would just be easier to use Chrome or Firefox in the meantime.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2014/04/29/time-run-hide-internet-explorer-now/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
