Posts Tagged: White House

Jul 15

Third Hacking Team Flash Zero-Day Found

For the third time in a week, researchers have discovered a zero-day vulnerability in Adobe’s Flash Player browser plugin. Like the previous two discoveries, this one came to light only after hackers dumped online huge troves of documents stolen from Hacking Team — an Italian security firm that sells software exploits to governments around the world.

News of the latest Flash flaw comes from Trend Micro, which said it reported the bug (CVE-2015-5123) to Adobe’s Security Team. Adobe confirmed that it is working on a patch for the two outstanding zero-day vulnerabilities exposed in the Hacking Team breach.

We are likely to continue to see additional Flash zero day bugs surface as a result of this breach. Instead of waiting for Adobe to fix yet another flaw in Flash, please consider removing or at least hobbling this program.


Continue reading →

Oct 14

Google Accounts Now Support Security Keys

People who use Gmail and other Google services now have an extra layer of security available when logging into Google accounts. The company today incorporated into these services the open Universal 2nd Factor (U2F) standard, a physical USB-based second factor sign-in component that only works after verifying the login site is truly a Google site.

A $17 U2F device made by Yubikey.

A $17 U2F device made by Yubico.

The U2F standard (PDF) is a product of the FIDO (Fast IDentity Online) Alliance, an industry consortium that’s been working to come up with specifications that support a range of more robust authentication technologies, including biometric identifiers and USB security tokens.

The approach announced by Google today essentially offers a more secure way of using the company’s 2-step authentication process. For several years, Google has offered an approach that it calls “2-step verification,” which sends a one-time pass code to the user’s mobile or land line phone.

2-step verification makes it so that even if thieves manage to steal your password, they still need access to your mobile or land line phone if they’re trying to log in with your credentials from a device that Google has not previously seen associated with your account. As Google notes in a support document, security key “offers better protection against this kind of attack, because it uses cryptography instead of verification codes and automatically works only with the website it’s supposed to work with.”

Unlike a one-time token approach, the security key does not rely on mobile phones (so no batteries needed), but the downside is that it doesn’t work for mobile-only users because it requires a USB port. Also, the security key doesn’t work for Google properties on anything other than Chrome. Continue reading →

Jan 11

‘White House’ eCard Dupes Dot-Gov Geeks

A malware-laced e-mail that spoofed seasons greetings from The White House siphoned gigabytes of sensitive documents from dozens of victims over the holidays, including a number of government employees and contractors who work on cybersecurity matters.

The attack appears to be the latest salvo from ZeuS malware gangs whose activities over the past year have blurred the boundaries between online financial crime and espionage, by stealing both financial data and documents from victim machines. This activity is unusual because most criminals using ZeuS are interested in money-making activities – such as swiping passwords and creating botnets – whereas the hoovering up of sensitive government documents is activity typically associated with so-called advanced persistent threat attacks, or those deployed to gather industrial and military intelligence.

On Dec. 23, the following message was sent to an unknown number of recipients;

“As you and your families gather to celebrate the holidays, we wanted to take
a moment to send you our greetings. Be sure that we’re profoundly grateful
for your dedication to duty and wish you inspiration and success in
fulfillment of our core mission.

Greeting card:


Merry Christmas!
Executive Office of the President of the United States
The White House
1600 Pennsylvania Avenue NW
Washington, DC 20500

Recipients who clicked either of the above links and opened the file offered were infected with a ZeuS Trojan variant that steals passwords and documents and uploads them to a server in Belarus.  I was able to analyze the documents taken in that attack, which hoovered up more than 2 gigabytes of PDFs, Microsoft Word and Excel documents from dozens of victims.  I feel reasonably confident I have identified several victims,  all of whom appear to be employees of some government or another. Among those who fell for the scam e-mail were:

-An employee at the National Science Foundation’s Office of Cyber Infrastructure. The documents collected from this victim include hundreds of NSF grant applications for new technologies and scientific approaches.

-An intelligence analyst in Massachusetts State Police gave up dozens of documents that appear to be records of court-ordered cell phone intercepts. Several documents included in the cache indicate the victim may have recently received top-secret clearance. Among this person’s cache of documents is a Department of Homeland Security tip sheet called “Safeguarding National Security Information.”

-An unidentified employee at the Financial Action Task Force, an intergovernmental body dedicated to the development and promotion of national and international policies to combat money laundering and terrorist financing.

-An official with the Moroccan government’s Ministry of Industry, Commerce and New Technologies.

-An employee at the Millennium Challenge Corporation, a federal agency set up to provide foreign aid for development projects in 15 countries in Africa, Central America and other regions.

The most interesting component of this attack was not the ZeuS variant, which by most accounts was an older, well-understood version of the banking Trojan. Rather, researchers are focusing on the component responsible for stealing documents, which suggests the handiwork of a novice who was quite active in 2010.

Continue reading →