Monthly Archives: September 2014

Shellshock Linux & Mac OS Vulnerability Information and Tester


A new vulnerability has been found that potentially affects most versions of the Linux and Unix operating systems, in addition to Mac OS X (which is based around Unix). Known as the “Bash Bug” or “ShellShock,” the GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271) could allow an attacker to gain control over a targeted computer if exploited successfully.

The vulnerability affects Bash, a common component known as a shell that appears in many versions of Linux and Unix. Bash acts as a command language interpreter. In other words, it allows the user to type commands into a simple text-based window, which the operating system will then run.

Bash can also be used to run commands passed to it by applications, and it is this feature that the vulnerability affects. One type of input that can be passed to Bash sets environment variables. Environment variables are dynamic, named values that affect the way processes run on a computer. The vulnerability lies in the fact that an attacker can tack malicious code onto the end of an environment variable holding a function definition, and Bash will run that code as soon as it imports the variable.

Symantec regards this vulnerability as critical, since Bash is widely used in Linux and Unix operating systems running on Internet-connected computers, such as Web servers. Although specific conditions need to be in place for the bug to be exploited, successful exploitation could enable remote code execution. This could not only allow an attacker to steal data from a compromised computer, but enable the attacker to gain control over the computer and potentially provide them with access to other computers on the affected network.

The following video provides an explanation of the Bash Bug vulnerability and demonstrates how a likely attack scenario through the CGI interface may work:


Has it been exploited yet?
There are limited reports of the vulnerability being used by attackers in the wild. Proof-of-concept scripts have already been developed by security researchers. In addition to this, a module has been created for the Metasploit Framework, which is used for penetration testing.

Now that the vulnerability has been made public, it is only a matter of time before attackers attempt to find and exploit unpatched computers.

How can it be exploited?
While the vulnerability potentially affects any computer running Bash, it can only be exploited by a remote attacker in certain circumstances. For a successful attack to occur, an attacker needs to force an application to send a malicious environment variable to Bash.

The most likely route of attack is through Web servers utilizing CGI (Common Gateway Interface), the widely used system for generating dynamic Web content. CGI copies request headers into environment variables before starting a script, so an attacker can potentially use CGI to deliver a malformed environment variable to a vulnerable Web server. Because the server uses Bash to interpret the variable, it will also run any malicious command tacked onto it.

Figure 1. How a malicious command can be tacked onto the end of a legitimate environment variable. Bash will run the malicious command first.

The consequences of an attacker successfully exploiting this vulnerability on a Web server are serious. For example, attackers may be able to dump password files or download malware onto compromised computers. Once inside the victim’s firewall, the attackers could then compromise and infect other computers on the network.

Aside from Web servers, other vulnerable devices include Linux-based routers that have a Web interface that uses CGI. In the same manner as an attack against a Web server, it may be possible to use CGI to exploit the vulnerability and send a malicious command to the router.

Computers running Mac OS X are also potentially vulnerable until Apple releases a patch for the vulnerability. Again, attackers would need to find a way to pass malformed commands to Bash on the targeted Mac. The most likely avenue of attack against OS X would probably be through Secure Shell (SSH), a secure communications protocol. However, it appears that the attacker would need to have valid SSH credentials to perform the attack. In other words, they would already have to be logged in to an SSH session.

Internet of Things (IoT) and embedded devices such as routers may be vulnerable if they’re running Bash. However, many newer devices run a set of tools called BusyBox which offers an alternative to Bash. Devices running BusyBox are not vulnerable to the Bash Bug.

For website owners and businesses
Businesses, in particular website owners, are most at risk from this bug and should be aware that its exploitation may allow access to their data and provide attackers with a foothold on their network. Accordingly, it is of critical importance to apply any available patches immediately.

Linux vendors have issued security advisories for the newly discovered vulnerability including patching information.

*Red Hat has updated its advisory to include fixes for a number of remaining issues.

If a patch is unavailable for a specific distribution of Linux or Unix, it is recommended that users switch to an alternative shell until one becomes available.

For consumers
Consumers are advised to apply patches to routers and any other web-enabled devices as and when they become available from vendors. Users of Apple’s Mac OS X should be aware that the operating system currently ships with a vulnerable version of Bash. Mac users should apply any patches for OS X when they become available.


In the interim, there is a simple way to check whether Linux-based sites and servers are vulnerable to the Bash/Shellshock bug. By using a Web-based tool and entering the appropriate information, you can quickly find out whether you are at risk. You can also check whether your servers are vulnerable to the flaw by using another Web-based testing tool, simply dubbed “ShellShock Tester.”
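For administrators who would rather test a host locally than hand its details to a Web tool, the following script is an added example (not part of the original post or Symantec's material). It runs the widely published harmless check for CVE-2014-6271 against the local bash, and, for the CGI route described above, counts request lines whose headers carry the `() {` function-definition prefix in a constructed sample of access-log lines.

```shell
#!/bin/sh
# Added example: local Shellshock check plus a log-scan helper for the CGI
# attack path. Sample log lines below are constructed, not real traffic.

# Return 0 if OUT shows the text after the function body was executed
# (vulnerable bash), 1 otherwise.
classify_output() {
    case "$1" in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the check against the given bash binary (default: bash in PATH).
# Prints a verdict; returns 1 if vulnerable, 0 if patched, 2 if bash is missing.
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no bash found: $bash_bin"; return 2; }
    # Export a function definition with a harmless echo appended after the
    # closing brace. A patched bash imports only the function body and ignores
    # the trailing text, so the marker never appears in the output.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo done' 2>/dev/null)
    if classify_output "$out"; then
        echo "VULNERABLE: $bash_bin executed the text after the function body"
        return 1
    fi
    echo "patched: $bash_bin ignored the text after the function body"
    return 0
}

# Count lines on stdin containing the "() {" prefix that Shellshock probes
# place in HTTP headers such as User-Agent or Referer. Prints the count.
count_shellshock_probes() {
    grep -c -F '() {' || true
}

# Constructed access-log sample: lines 1 and 3 carry the probe prefix.
SAMPLE_LOG='10.0.0.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
10.0.0.6 - - [25/Sep/2014:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2014:10:01:04 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo probe" "curl/7.30"'

# Usage when run directly: check the local bash, then scan the sample log.
shellshock_check || true
printf 'probe lines in sample log: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_probes)"
```

To scan a real log, pipe it in (`count_shellshock_probes < /var/log/apache2/access.log`); a non-zero count shows probing, not that the host was compromised.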


Intel RealSense Brings PC Interaction to the Real World

Crafting Your Digital Double in 3D Just Got Easier

The ability to make realistic animated avatars is a whole lot of fun with Faceshift and Intel’s RealSense Technology.

Ever wonder what you’d look like as a monster? A little boy? A wicked witch? A cat or a dog? Now you can with cool, new 3D-tracking technology from Faceshift.

The small start-up based in Zurich, Switzerland, has a knack for facial movement tracking used in video games and films.

It’s something technologists attending the Intel Developer Forum in San Francisco next week will get to try. Sitting down in front of a computing device, they will have their face replicated then quickly animated across 16 tablet screens. These developers will also get to share their animation online right on the spot.

“We’re giving people a glimpse of the future,” said Doug Griffin, Faceshift’s vice president of North America.

“You can truly be any character you want.”



Until recently, facial-movement software like this has been limited to big entertainment companies like SEGA, Nickelodeon, Disney and DreamWorks.

“Our goal is to democratize facial-tracking technology,” said Griffin. “We want to make it available to a wide variety of games and animation studios — ultimately to consumers as well.”

Griffin wants to help people focus on storytelling and interactivity, rather than technology.

For most consumers, facial recognition software is a tool they use to log in to their personal computer hands-free. But the technology is becoming more ubiquitous, and its potential is huge.

Later this year, Intel RealSense technology will be embedded into All-in-Ones, Ultrabooks and 2 in 1 computers on the market, allowing your computer to understand you on a deeper level, specifically in 3D.

For software developers like Faceshift, these new technologies are key for bringing more natural, human interaction with our computers. It’s giving people the ability to use face and hand gestures plus voice controls to command their PC.

This set of technologies can also unlock new creativity for learning and communication.

“We use RealSense to understand the appearance and shape of someone’s face across different expressions,” explained Griffin.

“RealSense provides both video and depth at 60 frames per second.”

According to Griffin, this is the first time there’s been a sensor of this quality embedded in a consumer product.

Faceshift is an easy-to-use application. First, the camera scans your expressions. That data is used to train a personal avatar to move like you. Once your avatar moves to your liking, you export the animation to 3D software so it can be used for gaming or sharing on social sites.

People may say you work like a dog, but Faceshift can make you look like one, too.

Free iPhone 6 Facebook Scam

A free iPhone 6 from Apple? Of course not! It is only a hoax, but scammers have been announcing the just-released iPhone 6 for free.
Another Facebook scam is circulating across the popular social networking website just days after Apple unveiled its upcoming iPhone 6 and iPhone 6 Plus, as scammers take advantage of all the hype and use it to lure Facebook users.
As usual, this new scam promises a chance to win a free iPhone 6 to users who complete a series of steps, as reported by Hoax-Slayer. You just need to go through “three easy steps” to get a chance to win the device:
  • Like the Facebook page created to propagate the scam
  • Share the page with your Facebook friends
  • Download a “Participation Application”
But before you proceed to the last step, a pop-up window directs you to complete a survey before you can download the application. The survey asks you to share your name, address, phone number and email address, all of which is collected by the third party operating the survey page and likely sold on to marketers.
Meanwhile, the scammer earns money for every completed survey through an affiliate marketing scheme. Even after completing the survey, the pop-up informs you that your survey was not completed properly due to a ‘minor error’ and urges you to take yet another survey. No matter how many surveys you fill in, most of the time you will never get to download the ‘application’.
Even if you are directed to a download link, there is no guarantee that it is legitimate; it may well deliver malicious code. It could lead you to malicious software that steals sensitive or financial information from the infected system. The only thing you can be guaranteed not to get is an iPhone 6!
This particular Facebook scam page has been removed by the social networking giant, but not before gathering nearly 18,000 “likes”. Remember that surveys are always a pain, but scam pages or websites serving up random redirects are potentially far more troublesome, because you simply never know where you are going to end up.
We have seen various suspicious posts on Facebook, like “See your Friend’s naked video”, an app offering you a chance to see who has viewed your Facebook profile, and many more. Sometimes these scams are very obvious and easily avoidable, but often they are tempting and easy to fall for, just like this Win iPhone 6 scam.
With more technical skill, modern scammers have the ability to reach billions of potential victims with a single message or post, and their scams are getting more dangerous day by day.
Despite Facebook’s security measures, safe social networking rests in your own hands, and if you are not paying attention to such scams, you could fall for one without ever realizing it. So if you are served a suspicious link or post, do not click on it, even if it comes from your closest friend.