Category: Vulnerability


The Heartbleed bug: Am I at risk and do I really have to change my password?

The discovery of Heartbleed, a flaw in one of the most widespread encryption standards used online, has panicked webmasters and users alike.

The bug has gone unnoticed for more than two years and could have potentially given hackers access to an unlimited array of secure data — everything from passwords and login details to credit card numbers and addresses.

Although it’s difficult to say exactly how many websites have been exposed, the lower estimates are around 500 million with a large number of major web companies (Google, Facebook, Yahoo, etc) all forced to update their software to protect against the bug.

However, there have been quite a lot of mixed messages as to whether or not users should change their passwords, with some outlets urging that you should create new ones immediately while others are advising that you wait.

To add to the confusion there’s also been reports of hackers sending out phishing emails related to Heartbleed — in order to trick users into giving up passwords that have yet to be compromised. Be on the look out for these and don’t follow any links in suspicious looking emails – if you want to change a password go to the site directly.

Which sites are affected?
Most Google sites and services (including Gmail and YouTube – but not Chrome) were affected, as were sites maintained by Yahoo (including Tumblr and Flickr). Facebook was also hit by the bug although Twitter and LinkedIn were not.

Other big sites that have confirmed that they weren’t affected include Amazon, Hotmail and Outlook, eBay, PayPal and all of Apple’s properties — including iCloud and iTunes. If you want to check whether or not a site you use is still affected then you can do so here — just enter the URL.

Another big worry is for online banking, but thankfully we have some good news in that department. Lloyds, HSBC, RBS, Natwest, Santander and the Co-Op have all confirmed that they were not affected by the bug (they were using different encryption standards). Barclays has yet to issue a statement.

However, this does not mean that your credit card details are completely safe — as they could have been compromised via your Gmail or another third-party site. The security of mobile banking apps is still a developing situation as well.

So do I need to change my passwords?
In a word: Yes. For the sites we’ve listed above as being affected (including Gmail, Yahoo, Tumblr, Flickr, Facebook) it definitely won’t hurt to change your password some time in the next couple of weeks.

Although security experts have warned that you shouldn’t be too quick to change passwords, this is because not all website have patched their servers and changing your password before this happens could make matters worse. The sites we’ve listed above have patched their servers and if you want to check one we’ve not mentioned — click here and enter the URL.

Unfortunately, some sites (including Google) have specifically said that users don’t need to change their passwords. While it’s true that some sites are confident that they fixed the bug a while back, as most of us are guilty of changing our passwords less frequently than we should do (aka never) we think that this is as good an opportunity as ever to be a bit more security-conscious.

What should my new password be?
In lists of the most frequently used passwords online there’s some obvious clangers that we know you’re too smart to use (these include old standbys such as ‘123456’ and ‘password’ itself) but just because a password doesn’t look obvious to you that doesn’t make it safe.

This means that you shouldn’t really use any single words that are found in the dictionary, any words connected to you (place of birth or pets’ names), nor should you use any obvious ‘substitutions’ (eg pa55w0rd — more complicated variations are required) or patterns derived from your keyboard layout (eg ‘1qaz2wsx’ or ‘zxcvbnm’).

It’s wise to use a variety of characters in your password (including upper and lower case as well as numbers) but an easy way to get more secure is to start thinking of your password as a passphrase.

The easiest way of increasing the difficulty of a password is by simply making it longer — so try combining multiple words together and then adding in numbers between them.

You could pick a number of some significance to you (for example a loved one’s birthday, ie 12/08/1970) and then splicing this with a nonsensical phrase (‘shoesplittingwatchwizard’) to get a suitably difficulty password: Shoe12Splitting08Watch1970Wizard.

Other suggested methods for making a strong and memorable password include taking a sentence or a favourite line from a song as a starting point. So you might take the line “When you call my name it’s like a little prayer” and turn it into wuCmNilaLP. Madonna is optional of course, but we think this a fun method — especially if you can work in numbers somewhere.

You should also use different passwords for your different accounts (perhaps the most difficult piece of advice to follow of all) and if you want to be really secure you should also set up two-step authentication where available.

Ryan says: I recommend everyone on any of the sites mentioned in this article to change their passwords ASAP.

New Microsoft Word Zero-Day Used in Targeted Attacks

Microsoft warned on Monday of a remote code execution vulnerability (CVE-2014-1761) in Microsoft Word that is being actively exploited in targeted attacks directed at Microsoft Word 2010.

“The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer,” Microsoft explained in the advisory.

If successfully exploited, an attacker could gain the same user rights as the current user, Microsoft said, noting that users whose accounts are configured to have fewer user rights on the system could be less impacted than accounts with administrative privileges.

Applying the Microsoft Fix it solution, “Disable opening RTF content in Microsoft Word,” prevents the exploitation of this issue through Microsoft Word, Microsoft said.

Specifically, the issue is caused when Microsoft Word parses specially crafted RTF-formatted data causing system memory to become corrupted, giving a potential attacker the ability execute arbitrary code on the affected system.

“In a web-based attack scenario, an attacker could host a website that contains a webpage that contains a specially crafted RTF file that is used to attempt to exploit this vulnerability, Microsoft explained. “In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.”

The vulnerability could be exploited through Microsoft Outlook only when using Microsoft Word as the email viewer, Microsoft warned. By default, Word is the email reader in Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013.

Microsoft did not share any details on the attacks that leveraged the vulnerability, but did credit Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team for reporting it to Microsoft.

 Source: Security Week

Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.

The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn’t be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers.

The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical “goto fail” flaw that for months put users of Apple’s iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug.

“It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification,” an advisory issued by Red Hat warned. “An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.”

GnuTLS developers published this bare-bones advisory that urges all users to upgrade to version 3.2.12. The flaw, formally indexed as CVE-2014-0092, is described by a GnuTLS developer as “an important (and at the same time embarrassing) bug discovered during an audit for Red Hat.” Debian’s advisory is here.

As was the case with last week’s critical encryption bug from Apple, the GnuTLS vulnerability is the result of someone making mistakes in source code that controls critical functions of the program. This time, instead of a single misplaced “goto fail” command, the mistakes involve errors with several “goto cleanup” calls. The GnuTLS program, in turn, prematurely terminates code sections that are supposed to establish secure TLS connections only after the other side presents a valid X509 certificate signed by a trusted source. Attackers can exploit the error by presenting vulnerable systems with a fraudulent certificate that is never rejected, despite its failure to pass routine security checks. The failure may allow attackers using a self-signed certificate to pose as the cryptographically authenticated operator of a vulnerable website and to decrypt protected communications. It’s significant that no one managed to notice such glaring errors, particularly since they were contained in code that anyone can review.

Security researchers are still studying the vulnerability and assessing its effect on the wide array of OSes and applications that depend on GnuTLS. For the moment, readers should assume that the severity is critical given the dizzying amount of downstream code that may be affected. One example: the apt-get installer some distributions of Linux use to distribute and update applications relies on GnuTLS, although exploits against the package can probably be caught by cryptographic code-signing of the downloaded program (thanks to readers for pointing out this secondary level of protection). Version 3 of lib-curl, which is distributed in Debian and Ubuntu, also depends on GnuTLS. Some Debian- and Ubuntu-based virtual private networking applications that work with Cisco Systems hardware are also affected. This list goes on and on.

Source: ArsTechnica

Bitcoins, other digital currencies stolen in massive ‘Pony’ botnet attack

Cybercriminals have infected the computers of digital currency holders, using a virus known as “Pony” to make off with account credentials, bitcoins and other digital currencies in one of the largest attacks on the technology, security services firm Trustwave said.

The attack was carried out using the “Pony” botnet, a group of infected computers that take orders from a central command-and-control server to steal private data. A small group of cybercriminals were likely behind the attack, Trustwave said.

Over 700,000 credentials, including website, email and FTP account log-ins, were stolen in the breach. The computers belonging to between 100,000 and 200,000 people were infected with the malware, Trustwave said.

The Pony botnet has been identified as the source of some other recent attacks, including the theft of some 2 million log-ins for sites like Facebook, Google and Twitter. But the latest exploit is unique due to its size and because it also targeted virtual wallets storing bitcoins and other digital currencies like Litecoins and Primecoins.

Eighty-five wallets storing the equivalent of $220,000, as of Monday, were broken into, Trustwave said. That figure is low because of the small number of people using Bitcoin now, the company said, though instances of Pony attacks against Bitcoin are likely to increase as adoption of the technology grows. The attackers behind the Pony botnet were active between last September and mid-January.

“As more people use digital currencies over time, and use digital wallets to store them, it’s likely we’ll see more attacks to capture the wallets,” said Ziv Mador, director of security research at Chicago-based Trustwave.

Most of the wallets that were broken into were unencrypted, he said.

“The motivation for stealing wallets is obviously high—they contain money,” Trustwave said in a blog post describing the attack. Stealing bitcoins might be appealing to criminals because exchanging them for another currency is easier than stealing money from a bank, Trustwave said.

There have been numerous cyberattacks directed at Bitcoin over the last year or so as its popularity grew. Last year, a piece of malware circulating over Skype was identified as running a Bitcoin mining application. Bitcoin mining is a process by which computers monitor the Bitcoin network to validate transactions.

“Like with many new technologies, malware can be an issue,” said a spokesman for the Bitcoin Foundation, a trade group that promotes the use of Bitcoin, via email. Wallet security should improve, the spokesman said, as more security features are introduced, like multisignature transactions, he said.

Digital currency users can go to this Trustwave site to see if their wallets and credentials have been stolen.

Source: PC World

Apple Fixes “Fundamental” SSL Bug in iOS 7

Apple quietly released iOS 7.06 late Friday afternoon, fixing a problem in how iOS 7 validates SSL certificates. Attackers can exploit this issue to launch a man-in-the-middle attack and eavesdrop on all user activity, experts warned.

“An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS,” Apple said in its advisory.

Users should update immediately.

Watch Out for Eavesdroppers
As usual, Apple didn’t provide a lot of information about the issue, but security experts familiar with the vulnerability warned that attackers on the same network as the victim would be able to read secure communications. In this case, the attacker could intercept, and even modify, the messages as they pass from the user’s iOS 7 device to secured sites, such as Gmail or Facebook, or even for online banking sessions. The issue is a “fundamental bug in Apple’s SSL implementation,” said Dmitri Alperovich, CTO of CrowdStrike.

The software update is available for the current version of iOS for iPhone 4 and later, 5th generation iPod Touch, and iPad 2 and later. iOS 7.06 and iOS 6.1.6. The same flaw exists in the latest version of Mac OS X but has not yet been patched, Adam Langley, a senior engineer at Google, wrote on his ImperialViolet blog. Langley confirmed the flaw was also in iOS 7.0.4 and OS X 10.9.1

Certificate validation is critical in establishing secure sessions, as this is how a site (or a device) verifies that the information is coming from a trusted source. By validating the certificate, the bank website knows that the request is coming from the user, and is not a spoofed request by an attacker. The user’s browser also relies on the certificate to verify the response came from the bank’s servers and not from an attacker sitting in the middle and intercepting sensitive communications.

Update Devices
It appears Chrome and Firefox, which uses NSS instead of SecureTransport, aren’t affected by the vulnerability even if the underlying OS is vulnerable, Langley said. He created a test site at https://www.imperialviolet.org:1266. “If you can load an HTTPS site on port 1266 then you have this bug,” Langley said

Users should update their Apple devices as soon as possible, and when the OS X update is available, to apply that patch as well. The updates should be applied while on a trusted network, and users should really avoid accessing secure sites while on untrusted networks (especially Wi-Fi) while traveling/

“On unpatched mobile and laptop devices, set ‘Ask to Join Networks’ setting to OFF, which will prevent them from showing prompts to connect to untrusted networks,” wrote Alex Radocea, a researcher from CrowdStrike.

Considering recent concerns about the possibility of government snooping, the fact that iPhones and iPads were not validating certificates correctly can be alarming for some. “I’m not going to talk details about the Apple bug except to say the following. It is seriously exploitable and not yet under control,” Matthew Green, a cryptography professor at Johns Hopkins University, posted on Twitter.

Check out this video from News Loop:

 

Source: PC World Security Watch

iPhones, iPads vulnerable to hacking: Apple

A major flaw in Apple software for mobile devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company said Friday.

If attackers have access to a user’s network, such as by sharing the same unsecured wireless service offered by a restaurant, they could see or alter exchanges between the user and protected sites such as Gmail and Facebook, experts said.

“It’s as bad as you could imagine, that’s all I can say,” said Johns Hopkins University cryptography professor Matthew Green.

Apple did not say when or how it learned about the flaw in the way iOS handles sessions in what are known as secure sockets layer or transport layer security, nor did it say whether the flaw was being exploited. But a statement on its support website was blunt: The software “failed to validate the authenticity of the connection.”

Apple released software patches and an update for the current version of iOS for iPhone 4 and later, 5th-generation iPod touches, and iPad 2 and later.

Without the fix, a hacker could impersonate a protected site and sit in the middle as email or financial data goes between the user and the real site, Green said.

Apple did not reply to requests for comment.

The flaw appears to be in the way that well-understood protocols were implemented, an embarrassing lapse for a company of Apple’s stature and technical prowess. The company was recently stung by leaked intelligence documents claiming that authorities had 100 percent success rate in breaking into iPhones.

Friday’s announcement suggests that enterprising hackers could have had great success as well if they knew of the flaw.

Ryan:  Kinda told you Apple lovers that this gear is very insecure.. did ya listen to me?

Here Is How Hackers Can Spy On Your MacBook Camera

Just a few months ago, a story broke about how Samsung smart TVs were susceptible to remote spying by users that hack into the built-in camera. Now, new research demonstrates that MacBook webcams are just as susceptible to being hacked and spied-on as televisions.

Researchers at John Hopkins University discovered exactly how the hacking process is possible without signaling for the light adjacent to the camera to turn on, which is usually an indication that the camera is on.

The primary researcher, computer science professor Stephen Checkoway, published a paper in conjunction with graduate student Matthew Brocker entitled “iSeeYou: Disabling the MacBook Webcam Indicator LED” that contains the detailed process of remotely spying on others’ laptops. Although the researchers could only prove their methods worked with MacBooks created before 2008, they suggest that the process could be successfully repeated with newer computers.

The Washington Post recently ran an article detailing the story of Miss Teen USA Cassidy Wolf, who received nude photographs of herself via email. After an FBI investigation, the authorities discovered that Wolf’s former high school classmate Jared Abrahams had hacked into her computer, as well as the computers of several other women, and had been spying on them via their webcam.

The case of Wolf as well as the new research from John Hopkins raises several issues about privacy and security in the modern world. While Apple’s light was intended as a security feature to alert users when their camera was on, it appears that hackers have found an easily solution to disable that feature. According to The Washington Post, the FBI has been using similar hacking technology for years.

Source: PRPick.com

‘Critical’ security warning for BlackBerry Z10

A vulnerability in the BlackBerry Protect software built into Z10 smart phones could allow hackers to gain access to the passwords of some devices, according to a security advisory issued by BlackBerry

By taking advantage of “weak permissions” malicious applications will be able to:

  • Gain the device password if a remote password reset command had been issued through the BlackBerry Web site
  • Intercept and prevent the phone from acting on BlackBerry Protect commands, such as remote wipe
BlackBerry said the issue is with the BlackBerry Protect software and not the Z10’s operating system.

“The most severe potential impact of this vulnerability requires a BlackBerry Z10 smart phone user to install a specially crafted malicious app, enable BlackBerry Protect and reset the device password through BlackBerry Protect,” the advisory said.

With the device password and physical access to the phone, an attacker can:

• Access the functionality of the smartphone (including the BlackBerry Hub, apps, data, and the phone) by unlocking the smartphone.
• Unlock the work perimeter on a BlackBerry Z10 smartphone that has BlackBerry Balance technology enabled if the work perimeter password is the same as the device password.
• Access the smartphone over a USB tether with either BlackBerry Link or the computer’s file viewer, allowing access to the smartphone’s personal files, contacts, PIM data, and so on. The attacker could also access work perimeter content on BlackBerry Balance smartphones if the work perimeter is unlocked and access over a USB tether is allowed by a policy that the IT administrator sets.
• Enable development mode after accessing the smartphone over a USB tether, allowing remote access as a low privilege development user.
• Change the current device password, allowing the attacker to deny access to the legitimate user of the smartphone.
• Access any other local and enterprise services for which the legitimate user has used the same password as the smartphone’s password.

An attacker can also gain Wi-Fi access to the phone if the owner enables Wi-Fi storage access on the Z10 and sets a storage access password that is the same as the device password.

Researchers describe hacking iOS devices with malicious charger

Researchers from the Georgia Institute of Technology will be demonstrating a proof-of-concept method of hacking an iPhone using a malicious USB charger. Billy Lau, Yeongjin Jang, Chengyu Song announced the demonstration for Black Hat USA 2013, an annual conference for hackers and security researchers that begins on July 27th in Las Vegas.

The short version is the three researchers found a way to use USB protocols to bypass some of Apple’s security features in iOS that prevent unauthorized software from being installed on your iOS device. The three built a charger based on a BeagleBoard (see below)—a US$125 computer-on-a-circuit-board—that was able to successfully insert malware onto an iPhone plugged into it.

Worse, they can do so in under a minute.

“Despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software,” the researchers wrote on their BlackHat presentation description. “All users are affected, as our approach requires neither a jailbroken device nor user interaction.”

In the demonstration, they said will discuss Apple’s existing security mechanisms that protect against “arbitrary software installation,” which in layman’s terms essentially means malware. They will then describe how standard USB capabilities can be, “leveraged to bypass these defense mechanisms.” To finish it off, they will demonstrate how this same process can be used to then hide the resulting malware from the user the same way Apple hides its own built in software.

The three researchers named their malicious charger “Mactans.”

The BeagleBoard it is based on is an off-the-shelf circuit board that can be used to create all manner of tiny computing devices running Angstrom (Open Embedded), Debian, Ubuntu, and Gentoo. There are other BeagleBoard products as well, including a slightly larger model with a 1GHz Sitara ARM Cortex-A8 processors that can run Android.

The point the researchers are making is that their method can be accomplished with readily available technology.

“While Mactans was built with limited amount of time and a small budget,” they wrote, “we also briefly consider what more motivated, well-funded adversaries could accomplish.”

The researchers will offer methods for protecting yourself against such an attack—we’ll throw out that you should probably be choosy about using a charger whose provenance you can’t verify—and what Apple can do to make this attack, “substantially more difficult to pull off.”

Source: UPI

Apple finally fixes App Store flaw by turning on encryption

Apple has finally fixed a security flaw in its application store that for years has allowed attackers to steal passwords and install unwanted or extremely expensive applications.

The flaw arose because Apple neglected to use encryption when an iPhone or other mobile device tries to connect to the App Store, meaning an attacker can hijack the connection. In addition to a security flaw, the unencrypted connections also created a privacy vulnerability because the complete list of applications installed on the device are disclosed over Wi-Fi.

It also allows the installation of apps, including extremely expensive ones that top out at $999.99, without the user’s consent, which can create serious consequences because Apple doesn’t give refunds. To do this, an attacker needs to be on the same private or public Wi-Fi network, including, for example, a coffeeshop, hotel, or airport network.

Security researcher Elie Bursztein discovered the vulnerability and reported it to Apple last July. Apple fixed the problem in a recent update that said “content is now served over HTTPS by default.” Apple also thanked Bernhard Brehm of Recurity Labs and Rahul Iyer of Bejoi.

Bursztein, who works at Google, in Mountain View, Calif., but emphasized this was work done at home in his spare time, published a personal blog post today that described details about the App Store vulnerability and included videos of how an attacker was able to steal passwords or install unwanted apps.

Publicizing this flaw, Bursztein said, highlighted how necessary encrypted HTTPS connections were. “Many companies don’t realize that HTTPS is important for mobile apps,” he said. But if they rely on Web connections or Webviews, he added, they are vulnerable to attacks: “Providing a concrete example seems a good way to attract developer attention to the issue.”

As a postdoctoral researcher at Stanford University, Bursztein published research that included demonstrating flaws in Captchas and the Web interfaces of embedded devices. At the Defcon conference in Las Vegas two years ago, he demonstrated how to bypass Windows’ built-in encryption that Web browsers, instant messaging clients, and other programs used to store user passwords.

Bursztein’s blog post comes a day after Apple’s marketing chief, Phil Schiller, took a security-related swipe at Google on Twitter by pointing to a report on the rise of Android malware.

 

Source: CNET

Lock Screen Security Bug Found: Samsung Galaxy S3

Following closely on the heels of a Samsung Galaxy Note 2 security vulnerability, another Samsung user has found that the bug affects other models.

Unlike the Samsung Galaxy Note 2 flaw, the bug allows for full access to the Samsung Galaxy S3. The method is similar in that it requires a fleet-fingered user to hop through a number of screens.

As discovered by Sean McMillian, the smartphone can be manipulated by tapping through the emergency call, emergency contacts, home screen, and then the power button twice. McMillian admits that the bug isn’t consistent — sometimes, he said, it works right away, while other times it takes 20 attempts.

Indeed, we weren’t able to replicate the bug after many tries (Engadget was able to do it, but it took a long time). That suggests that would-be snoopers must act quickly and deftly, but the lesson here (and always) is to keep a watchful eye on that $500 smartphone.

As McMillian indicates, the bug seems to be related to Samsung’s software and not an Android-wide issue. Judging by the similarities in the two flaws, we might expect Samsung to issue software updates to address the concerns.

Source: CNET