Category: Security

Today sees Dropbox release a security update that plugs up a serious security vulnerability in the client software.

Prior to this update, all a third party needed to do to gain access to someone’s Dropbox account was to copy the Dropbox configuration files from one PC to another. These configuration files could be copied directly from the PC or extracted from a system backup. Once in possession of these files, the third party had total access to the Dropbox account even if the user changed their password. The only way to revoke access was to unlink the rogue system from the account using the account settings page on the Dropbox website.
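The failure described above is a device token that works as a standalone bearer credential, so a password change does nothing to it. The following is an added illustration (not Dropbox's code; the class, method names and the "password generation" counter are assumptions) contrasting that behaviour with a store that binds each device token to the password generation it was issued under, so a password change revokes tokens issued earlier while unlinking still works in both modes.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def _hash(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()


class LinkedDeviceStore:
    """Server-side registry of linked devices (constructed example).

    bind_to_password=False: a device token alone grants access until the
    device is unlinked, which is the pre-update behaviour the article describes.
    bind_to_password=True: each token records the password generation it was
    issued under, and a password change bumps that generation.
    """

    def __init__(self, bind_to_password: bool):
        self.bind_to_password = bind_to_password
        # user -> {"pw": hash, "gen": int, "devices": {device_id: (token_hash, gen)}}
        self.accounts: Dict[str, dict] = {}

    def register(self, user: str, password: str) -> None:
        self.accounts[user] = {"pw": _hash(password), "gen": 0, "devices": {}}

    def _check_password(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        return acct is not None and hmac.compare_digest(acct["pw"], _hash(password))

    def link_device(self, user: str, password: str) -> Tuple[str, str]:
        """Password-authenticated enrolment; the client persists (device_id, token)."""
        if not self._check_password(user, password):
            raise PermissionError("bad password")
        acct = self.accounts[user]
        device_id, token = secrets.token_hex(8), secrets.token_urlsafe(32)
        acct["devices"][device_id] = (_hash(token), acct["gen"])
        return device_id, token

    def authenticate(self, user: str, device_id: str, token: str) -> bool:
        """Token-only login, as performed by a client on start-up."""
        acct = self.accounts.get(user)
        if acct is None or device_id not in acct["devices"]:
            return False
        token_hash, issued_gen = acct["devices"][device_id]
        if not hmac.compare_digest(token_hash, _hash(token)):
            return False
        if self.bind_to_password and issued_gen != acct["gen"]:
            return False  # issued under an earlier password: treated as revoked
        return True

    def change_password(self, user: str, old: str, new: str) -> None:
        if not self._check_password(user, old):
            raise PermissionError("bad password")
        acct = self.accounts[user]
        acct["pw"] = _hash(new)
        acct["gen"] += 1  # only matters when bind_to_password is on

    def unlink_device(self, user: str, device_id: str) -> None:
        """The single revocation path available before the fix."""
        self.accounts[user]["devices"].pop(device_id, None)


def simulate_copied_config(bind_to_password: bool) -> Dict[str, bool]:
    """Replays the article's scenario: a copied config file, then a password
    change, then an unlink. Returns whether the copied token is accepted at
    each step (constructed scenario)."""
    srv = LinkedDeviceStore(bind_to_password)
    srv.register("alice", "hunter2")
    dev, tok = srv.link_device("alice", "hunter2")
    copied = (dev, tok)  # the token as it sits in the copied config file
    result = {"before_change": srv.authenticate("alice", *copied)}
    srv.change_password("alice", "hunter2", "correct horse battery staple")
    result["after_change"] = srv.authenticate("alice", *copied)
    srv.unlink_device("alice", dev)
    result["after_unlink"] = srv.authenticate("alice", *copied)
    return result
```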

Dropbox version 1.2.48 fixes this serious vulnerability. However, because the client software can take several weeks to auto-update, you have to install the update manually.

If you’re a Dropbox user I strongly urge you to install this update immediately!

Source: ZDNet

Latest Update: Adobe confirmed it will cease Flash development on mobile devices in a press release published Wednesday morning.

In an abrupt about-face in its mobile software strategy, Adobe will soon cease developing its Flash Player plug-in for mobile browsers, according to an e-mail sent to Adobe partners on Tuesday evening.

And with that e-mail flash, Adobe has signaled that it knows, as Steve Jobs predicted, the end of the Flash era on the web is coming soon.

The e-mail, obtained and first reported on by ZDNet, says that Adobe will no longer continue to “adapt Flash Player for mobile devices to new browser, OS version or device configurations,” instead focusing on alternative application packaging programs and the HTML5 protocol.

“Our future work with Flash on mobile devices will be focused on enabling Flash developers to package native apps with Adobe AIR for all the major app stores,” the quoted e-mail says.

In the past, Adobe has released software tools for mobile developers that create a single platform programmers can use to make applications that work across three major mobile platforms: Android, iOS and the BlackBerry OS. While it’s seemingly easier than learning all of the native languages for each operating system, some developers have claimed a loss in app performance when coding in a non-native language that then gets translated into other languages.

The move indicates a massive backpedaling on Adobe’s part, a company who championed its Flash platform in the face of years of naysaying about its use on mobile devices. Despite Flash’s near ubiquity across desktop PCs, many in the greater computing industry, including, famously, Apple Computer, have denounced the platform as fundamentally unstable on mobile browsers, and an intense battery drain. In effect, Flash’s drawbacks outweigh the benefits on mobile devices.

Flash became a dominant desktop platform by allowing developers to code interactive games, create animated advertisements and deliver video to any browser that had the plugin installed, without having to take into account the particulars of any given browser. However, with the development of Javascript, CSS, and HTML5, which has native support for video, many web developers are turning away from Flash, which can be a resource hog even on the most advanced browsers.

Apple made its biggest waves in the case against Flash in April of last year, when Steve Jobs penned a 1,500-word screed against the controversial platform, describing it as a technology of the past. Jobs and Apple disliked the platform so intensely, it has since been barred from use on all iOS devices.

Despite attempts to breathe life into Flash on other mobile devices — namely, Android and BlackBerry OS — Adobe has failed to deliver a consistently stable version of the platform on a smartphone or tablet. In WIRED’s testing of the BlackBerry PlayBook in April, Flash use caused the browser to crash on a consistent basis. And when Flash was supposed to come to tablets with Motorola’s Xoom, Adobe was only able to provide a highly unstable beta version of Flash to ship with the flagship Android device.

“Adobe has lost so much credibility with the community that I’m hoping they are bought by someone else that can bring some stability and eventually some credibility back to the Flash Platform,” wrote software developer Dan Florio in a blog post on Wednesday morning.

The drastic reversal in Adobe’s mobile plans comes in the wake of the company cutting 750 jobs on Tuesday, a move prompted by what Adobe labeled “corporate restructuring.”

An Adobe representative did not immediately respond to a request for comment.

Source: Wired

Researchers at Microsoft have been quietly finding — and helping to fix — security defects in products made by third-party vendors, including Apple and Google.

This month alone, the MSVR (Microsoft Security Vulnerability Research) team released advisories to document vulnerabilities in WordPress and Apple’s Safari browser and in July, software flaws were found and fixed in Google Picasa and Facebook.

The MSVR program, launched two years ago, gives Microsoft researchers freedom to audit the code of third-party software and work in a collaborative way with the affected vendor to get those issues fixed before they are publicly compromised.

The team’s work gained prominence in 2009 when a dangerous security hole in Google Chrome Frame was found and fixed but it’s not very well known that the team has spent the last year disclosing hundreds of security defects in third-party software.

Since July 2010, Microsoft said the MSVR team identified and responsibly disclosed 109 different software vulnerabilities affecting a total of 38 vendors.

More than 93 percent of the third-party vulnerabilities found through MSVR since July 2010 were rated as Critical or Important, the company explained.

“Vendors have responded and have coordinated on 97 percent of all reported vulnerabilities; 29 percent of third-party vulnerabilities found since July 2010 have already been resolved, and none of the vulnerabilities without updates have been observed in any attacks,” Microsoft said.

This week’s discoveries:

  • A vulnerability exists in the way Safari handles certain content types. An attacker could exploit this vulnerability to cause Safari to execute script content and disclose potentially sensitive information. An attacker who successfully exploited this vulnerability would gain sensitive information that could be used in further attacks.
  • A vulnerability exists in the way that WordPress previously implemented protection against cross site scripting and content-type validation. An attacker could exploit this vulnerability to achieve script execution.

Source: ZDNet

Mozilla has shipped a critical Firefox update to fix at least 10 security vulnerabilities, some serious enough to expose web surfers to drive-by download attacks.

According to an advisory from the open-source group, 8 of the 10 vulnerabilities are rated “critical,” meaning that they can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.

Here’s a glimpse of the critical issues:

Mozilla identified and fixed several memory safety bugs in the browser engine used in Firefox 4, Firefox 5 and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

These include a WebGL crash, a JavaScript crash, a crash in the Ogg reader, memory safety issues and unsigned scripts. These all affected Firefox 4 and 5.

Mozilla also credited researcher Michael Jordon of Context IS with reporting a pair of critical issues — that an overly long shader program could cause a buffer overrun and crash in a string class used to store the shader source code; and a potentially exploitable heap overflow in the ANGLE library used by Mozilla’s WebGL implementation.

Some additional security problems fixed:

  • Security researcher regenrecht reported via TippingPoint’s Zero Day Initiative that a SVG text manipulation routine contained a dangling pointer vulnerability.
  • Mike Cardwell reported that Content Security Policy violation reports failed to strip out proxy authorization credentials from the list of request headers. Daniel Veditz reported that redirecting to a website with Content Security Policy resulted in the incorrect resolution of hosts in the constructed policy.
  • nasalislarvatus3000 reported that when using Windows D2D hardware acceleration, image data from one domain could be inserted into a canvas and read by a different domain.

Firefox 6 is being distributed via the browser’s automatic update mechanism.

Source: ZDNet

A mobile security expert says he has found new ways for hackers to attack phones running Google Inc’s Android operating system.

Riley Hassell, who caused a stir when he called off an appearance at a hackers’ conference last week, told Reuters he and colleague Shane Macaulay decided not to lay out their research at the gathering for fear criminals would use it to attack Android phones.

He said in an interview he identified more than a dozen widely used Android applications that make the phones vulnerable to attack.

“App developers frequently fail to follow security guidelines and write applications properly,” he said.

“Some apps expose themselves to outside contact. If these apps are vulnerable, then an attacker can remotely compromise that app and potentially the phone using something as simple as a text message.”

He declined to identify those apps, saying he fears hackers might exploit the vulnerabilities.

“When you release a threat and there’s no patch ready, then there is mayhem,” said Hassell, founder of boutique security firm Privateer Labs.

Hassell said he and Macaulay alerted Google to the software shortcomings they unearthed.

Google spokesman Jay Nancarrow said Android security experts discussed the research with Hassell and did not believe he had uncovered problems with Android.

“The identified bugs are not present in Android,” he said, declining to elaborate.

It was the first public explanation for the failure of Hassell and Macaulay to make a scheduled presentation at the annual Black Hat hacking conference in Las Vegas, the hacking community’s largest annual gathering.

They had been scheduled to talk about “Hacking Androids for Profit.” Hundreds of people waited for them to show up at a crowded conference room.

Hassell said in an interview late on Thursday the pair also learned — at the last minute — that some of their work may have replicated previously published research and they wanted to make sure they properly acknowledged that work.

“This was a choice we made, to prevent an unacceptable window of risk to consumers worldwide and to guarantee credit where it was due,” he said.

A mobile security researcher familiar with the work of Hassell and Macaulay said he understood why the pair decided not to disclose their findings.

“When something can be used for exploitation and there is no way to fix it, it is very dangerous to go out publicly with that information,” the researcher said. “When there is not a lot that people can do to protect themselves, disclosure is sometimes not the best policy.”

Hassell said he plans to give his talk at the Hack in The Box security conference in Kuala Lumpur in October.

Ryan: If you are running an Android phone, two must-have apps for your phone are: Lookout Mobile Security for Android & Advanced Task Killer.

Source: Reuters

The discovery of a way to eavesdrop on so-called General Packet Radio Service (GPRS) technology allows a user to read emails and observe the Internet use of a person whose phone is hacked, said Karsten Nohl, head of Security Research Labs.

“With our technology we can capture GPRS data communications in a radius of 5 km,” he told the paper before heading to a meeting of the Chaos Computer Club, a group that describes itself as Europe’s largest hacker coalition.

Phones using the newer UMTS standard are safer, Nohl said, but the crack affects industrial equipment, toll systems and anything using GPRS — including newer devices like Apple Inc’s iPhone or iPad, which switch to the older GPRS in remote areas.

Source: Reuters

A high-profile Google researcher has accused Adobe of hiding the fact that it patched a whopping 400 unique vulnerabilities in yesterday’s critical Flash Player update.

According to Tavis Ormandy, an information security engineer at Google who has a history of controversial vulnerability disclosures, the 400 unique Flash Player vulnerabilities were sent to Adobe as part of an ongoing security audit but there’s no documentation on these fixes in the new update.

“Apparently that number was embarrassingly high, and they’re trying to bury the results, so I’ll publish my own advisory later today,” Ormandy said on his Twitter feed.

Adobe’s advisory that accompanies the Flash Player update does in fact acknowledge Ormandy’s work:

Adobe would also like to thank Tavis Ormandy and the Google Chrome team for their great work on several improvements to this Flash Player release.

However, only 13 unique vulnerabilities are documented in the release and this prompted a series of snippy back-and-forth Twitter messages between Ormandy and Adobe spokeswoman Wiebke Lips.

“Tavis, please do not confuse sample files with unique vulnerabilities. What is Google’s agenda here?” Lips said. (This Twitter message has since been deleted).

Ormandy’s response:

“I don’t know what Google’s agenda is, but my agenda is getting credit for my work and getting vulnerabilities documented.”

Almost lost in the public spat is the fact that Adobe’s ubiquitous Flash Player contains vulnerabilities that could lead to remote code execution attacks. The security flaws, described as “critical,” affect Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.25 and earlier versions for Android.

“These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe warned.

Adobe also shipped separate advisories to warn about security holes in Shockwave, Flash Media Server, Photoshop and RoboHelp.

Source: ZDNet

Dangerous hacks come in small packages.

Or they will, perhaps, when an app called Anti, or Android Network Toolkit, hits the Android market next week. The program, which Israeli security firm Zimperium revealed at the Defcon hacker conference in Las Vegas Friday and plans to make available to Android users in coming days, is designed for penetration testing–in theory, searching out and demonstrating vulnerabilities in computer systems so that they can be patched. Anti aims to bring all the hacking tools available to penetration testers on PCs to smartphones, with an automated interface intended to make sniffing local networks and owning remote servers as simple as pushing a few buttons.

“We wanted to create a penetration testing tool for the masses,” says Itzhak “Zuk” Avraham, founder of Tel-Aviv-based Zimperium. “It’s about being able to do what advanced hackers do with a really good implementation. In your pocket.”

Anti, a free app with a $10 corporate upgrade, will offer a wi-fi-scanning tool for finding open networks and showing all potential target devices on those networks, as well as traceroute software that can reveal the IP addresses of faraway servers. When a target is identified, the app offers up a simple menu with commands like “Man-In-The-Middle” to eavesdrop on local devices, or even “Attack.” The app is designed to run exploits collected in platforms like Metasploit or ExploitDB, using vulnerabilities in out-of-date software to compromise targets.

A screenshot from Anti displaying target machines on the local network.

For now, the demonstration app Avraham showed me was equipped with only a few exploits: One aimed at a bug in Windows–the same flaw exploited by the Conficker worm in 2009–another targeting default SSH passwords in jailbroken iPhones, and a third exploiting a vulnerable, older version of Android. Zimperium has also built a Windows trojan that allows Anti to perform automated commands on hijacked machines like taking a screenshot, ejecting a CD, or opening the calculator, a common penetration-testing demonstration.

Even in its current form, the app raises the possibility of dangerous, stealthy attacks. A hacker could, for instance, walk into a coffee shop or a corporate office with his phone and start sussing out machines for data theft or malware infection. But Avraham says Zimperium will ask users in its terms of service to limit their hacking to “white hat” penetration testing.

Another screenshot showing command options on a target machine, including “man-in-the-middle” and “attack.”

“Hacking is not for the chosen few,” reads one description in the app’s documentation, formatted in Star Wars-style scrolling text. “Anti is your perfect mobile companion, doing it all for you. Please remember, with great power comes great responsibility. Use it wisely.”

Penetration testers who saw the app at Defcon were impressed. “It’s just sick,” says Don Bailey, a researcher with security firm iSec Partners. “The way it populates the screen with vulnerable targets…it’s really elegant.”

Another professional penetration tester for a defense contractor firm who asked that his name not be used called the app a “quick and dirty Swiss army knife for mobile pen testing.” “It’s so polished it’s almost like playing a video game,” he says, comparing it to penetration testing suites that cost thousands of dollars.

With its sheer simplicity, Anti’s impact could be comparable to that of Firesheep, a proof-of-concept tool released in October of last year that allowed anyone to easily snoop on devices on unsecured wi-fi networks that connected to unencrypted web pages. That tool was downloaded more than 1.7 million times, and no doubt used in some instances to spy on web users unawares. But it also helped inspire both Twitter and Facebook to encrypt traffic to their site and prevent such eavesdropping.

“People might use it in dangerous ways,” Avraham says with a shrug. “I really hope not. But I know this might be the risk to help people increase their security, and that’s our goal.”

Ryan: Great, now every kid that owns an Android phone can play wannabe hacker. Just what this world needs.

Source: Forbes

Your laptop’s battery is smarter than it looks. And if a hacker like security researcher Charlie Miller gets his digital hands on it, it could become more evil than it appears, too.

At the Black Hat security conference in August, Miller plans to expose and provide a fix for a new breed of attack on Apple laptops that takes advantage of a little-studied weak point in their security: the chips that control their batteries.

Modern laptop batteries contain a microcontroller that monitors the power level of the unit, allowing the operating system and the charger to check on the battery’s charge and respond accordingly. That embedded chip means the lithium ion batteries can know when to stop charging even when the computer is powered off, and can regulate their own heat for safety purposes.

When Miller examined those batteries in several Macbooks, Macbook Pros and Macbook Airs, however, he found a disturbing vulnerability. The batteries’ chips are shipped with default passwords, such that anyone who discovers that password and learns to control the chips’ firmware can potentially hijack them to do anything the hacker wants. That includes permanently ruining batteries at will, and may enable nastier tricks like implanting them with hidden malware that infects the computer no matter how many times software is reinstalled or even potentially causing the batteries to heat up, catch fire or explode. “These batteries just aren’t designed with the idea that people will mess with them,” Miller says. “What I’m showing is that it’s possible to use them to do something really bad.”

Miller discovered the two passwords used to access and alter Apple batteries by pulling apart and analyzing a 2009 software update that Apple instituted to fix a problem with Macbook batteries. Using those keys, he was soon able to reverse engineer the chip’s firmware and cause it to give whatever readings he wanted to the operating system and charger, or even rewrite the firmware completely to do his bidding.

From there, zapping the battery such that it’s no longer recognized by the computer becomes trivial: In fact, Miller permanently “bricked” seven batteries just in the course of his tinkering. (They cost about $130 to replace.) More interesting from a criminal perspective, he suggests, might be installing persistent malware on the chip that infects the rest of the computer to steal data, control its functions, or cause it to crash. Few IT administrators would think to check a battery’s firmware for the source of that infection, and if undiscovered the chip could re-infect the computer again and again.

“You could put a whole hard drive in, reinstall the software, flash the BIOS, and every time it would reattack and screw you over. There would be no way to eradicate or detect it other than removing the battery.” says Miller.

That attack would require finding another vulnerability in the interface between the chip and the operating system. But Miller says that’s not much of a barrier. “Presumably Apple has never considered that as an attack vector, so it’s very possible it’s vulnerable.”

And the truly disturbing prospect of a hacker remotely blowing up a battery on command? Miller didn’t attempt that violent trick, but believes it might be possible. “I work out of my home, so I wasn’t super inclined to cause an explosion there,” he says.

In fact, the batteries he examined have other safeguards against explosions: fuses that contain an alloy that melts at high temperatures to break the circuit and prevent further charging. But Miller, who has worked for the National Security Agency and subsequently hacked everything from the iPhone to virtual worlds, believes it might still be possible. “You read stories about batteries in electronic devices that blow up without any interference,” he says. “If you have all this control, you can probably do it.”

Miller, currently a researcher with the consultancy Accuvant, isn’t the first to explore the danger of explosive batteries triggered by hackers. Barnaby Jack, a researcher with antivirus giant McAfee, says he worked on the problem in 2009, but he says he “benched the research when I didn’t succeed in causing any lithium ion fires. Charlie has taken it a lot further and surpassed where I was at the time.”

Miller says he’s received messages from several other researchers asking him not to proceed with the battery work because it could be too dangerous. But Miller has worked to fix the problems he’s exposing. At Black Hat he plans to release a tool for Apple users called “Caulkgun” that changes their battery firmware’s passwords to a random string, preventing the default-password attack he used. Miller also sent Apple and Texas Instruments his research to make them aware of the vulnerability. I contacted Apple for comment but haven’t yet heard back from the company.

Implementing Miller’s “Caulkgun” prevents any other hacker from using the vulnerabilities he’s found. But it would also prevent Apple from using the battery’s default passwords to implement their own upgrades and fixes. Those who fear the possibilities of a hijacked chunk of charged chemicals in their laps might want to consider the tradeoff.

“No one has ever thought of this as a security boundary,” says Miller. “It’s hard to know for sure everything someone could do with this.”

Source: Forbes

Research in Motion (RIM) has shipped a patch to cover a serious security vulnerability that could allow attackers to read files that contain only printable characters on the BlackBerry Enterprise Server, including unencrypted text files.

The flaw, which may also allow denial-of-service attacks, is limited to the user permissions granted to the BlackBerry Administration API component, RIM said in an advisory.

“Successful exploitation of this issue could allow information disclosure. Successful exploitation may also result in resource exhaustion and therefore could be leveraged as a partial denial of service (DoS).”

RIM said the issue affects the BlackBerry Administration Application Programming Interface (API) component within the BlackBerry Administration Service component of the following software versions:

  • BlackBerry Enterprise Server version 5.0.0 for Microsoft Exchange, IBM Lotus Domino and Novell GroupWise (with the BlackBerry Administration API component installed as an option only)
  • BlackBerry Enterprise Server Express 5.0.0 for Microsoft Exchange and IBM Lotus Domino (with the BlackBerry Administration API component installed as an option only)
  • BlackBerry Enterprise Server Express versions 5.0.1, 5.0.2 and 5.0.3 for Microsoft Exchange
  • BlackBerry Enterprise Server Express versions 5.0.2 and 5.0.3 for IBM Lotus Domino
  • BlackBerry Enterprise Server versions 5.0.1, 5.0.2 and 5.0.3 for Microsoft Exchange and IBM Lotus Domino
  • BlackBerry Enterprise Server version 5.0.1 for Novell GroupWise

The BlackBerry Device Software, Desktop Software and Internet Service are not affected by this vulnerability. Patch information can be found in the RIM advisory.

Source: BlackBerry Knowledge Base