Today In Security: Mitro Joins Twitter, Microsoft Launches EMET 5.0, Tor Hacked
Security is paramount in today's connected world, and there is a constant flow of new measures being implemented while breaches and hacks seem to proliferate at an alarming pace. Case in point: the security-related news from the last day or so.
Password security startup Mitro announced on Friday that it was acquired by Twitter for an undisclosed amount. The Mitro team will be joining Twitter's location team in New York to focus on geo-related projects, the company said.
Founded in 2012, Mitro developed a password manager that works in an Internet browser so that web surfers can store and share information such as passwords, 2-factor backup codes, credit cards and more. The information is stored and encrypted on the local hard drive so that Mitro doesn't have access to your personal information. Users merely install an extension to get started.
The company said that it has uploaded its server and client code to GitHub, released under the GPL license.
"We've been working hard to build a secure, easy-to-use password manager for individuals and groups," the Mitro team said. "We've made great progress and we believe that the community can help us accomplish even more. With that in mind, we're excited to be receiving advice and assistance from the Electronic Frontier Foundation (EFF) in transitioning Mitro to a sustainable, community-run project. The service will continue to operate as-is for the foreseeable future."
In other security news, Microsoft updated its blog with news that the Enhanced Mitigation Experience Toolkit (EMET) 5.0 is now available to download and use. This free tool helps detect and block techniques that are typically used to exploit memory corruption vulnerabilities. The updated toolkit includes two new mitigations and a number of new configuration options.
The first new mitigation is Attack Surface Reduction (ASR). Microsoft defines this as a "mechanism to block the usage of specific modules or plug-ins within an application." The company provides an example, saying that EMET 5.0 can prevent Microsoft Word from loading the Adobe Flash Player plugin. This tool can also prevent Internet Explorer from loading the Java plug-in.
"By default, EMET 5.0 is configured to block some modules and plug-ins from being loaded by Internet Explorer while navigating to websites belonging to the Internet Zone, and to also block the Adobe Flash plug-in from being loaded by Microsoft Word, Excel, and PowerPoint," the blog stated. "We have chosen modules that are commonly used in certain exploitation scenarios, but like all EMET features and mitigations, the ASR is completely configurable to satisfy everybody's needs and to be tailored to specific systems' requirements."
The second mitigation introduced by EMET 5.0 is Export Address Table Filtering Plus (EAF+). Integrity checks on stack registers and stack limits are performed when export tables are read from certain lower-level modules. EAF+ also prevents "memory read operations on the PE header, sections, import/export table pointers of selected modules when they originate from suspicious code that may reveal memory corruption bugs used as 'read primitives' for memory probing."
In addition to the two mitigations, EMET 5.0 also includes 64-bit Return Oriented Programming (ROP) mitigations, strict checks for Certificate Trust rules, a new EMET service, hardening, and better application compatibility.
"We also refactored many components of the EMET 5.0 engine, in order to maximize application compatibility, also with some popular anti-malware products, and reduce potential false-positives," the blog said.
Finally, the Tor Project has confirmed that a group of relays was attempting to de-anonymize users who were accessing the network's hidden sites and services. The attacking relays joined the Tor network on January 30 and were discovered and removed on July 4. The attackers modified Tor protocol headers to carry out traffic confirmation attacks, the Tor Project's blog said on Thursday.
"Unfortunately, it's still unclear what 'affected' includes," the blog said. "We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic. The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service."
The blog added that the Tor Project does not know how much data the attackers managed to keep. There is also a possibility that the attackers' protocol header modifications may have helped other attackers de-anonymize users. Relay operators are encouraged to update Tor to close the protocol vulnerability used by the attackers.
The Tor Project is hoping that the attacks were conducted by two university researchers who had planned to reveal the "relay early" attack at the Black Hat USA 2014 conference but canceled their presentation.
"We spent several months trying to extract information from the researchers who were going to give the Black Hat talk, and eventually we did get some hints from them about how 'relay early' cells could be used for traffic confirmation attacks, which is how we started looking for the attacks in the wild," the Tor Project said.