iOS Lock Screen Bypass Vulnerability Fixed By Apple

Apple has reportedly fixed a security flaw in the iOS operating system that would allow attackers to bypass the passcode lock screen on iPhone 6S and 6S Plus devices running iOS 9.3.1. The bypass would have allowed malicious parties to access the address book and photos of a targeted device, which could expose a lot of private data.

German security firm Evolution Security discovered the bypass, which takes advantage of the integration of Siri with apps such as Twitter or Facebook, as well as the 3D Touch feature that is included only in the iPhone 6S and 6S Plus. Even while the device is locked, an attacker can ask Siri for information on @ tags from Twitter, Facebook, and Yahoo. From there, a 3D Touch hard press can be used to bring up the context menu for a string such as an email address. This menu offers the option to add the data to a contact in the phone’s address book, and from there, by choosing to change the contact’s picture, the photo gallery can be launched.

According to the Washington Post, the vulnerability was patched by Apple on Tuesday without users needing to install a software update. Considering the high level of security on the iPhone that led to Apple’s protracted battle with the FBI, it is surprising that so much user data can be exposed by a flaw in the lock screen, which is often the first and last line of defense for the security of the data on the device.

39 Android Flaws Fixed in Major Security Patch

Google’s latest patch for the Android operating system is one of the biggest security patches ever released for the OS. This monthly security update covers 39 vulnerabilities, of which 15 carry the highest rating, critical, which means they could be used to completely compromise a device. The patch is part of the latest firmware image for Android devices, rolled out to Nexus devices starting on Monday, with the update to be added to the Android Open Source Project within the next 24 hours.

One of the vulnerabilities included in this patch is one that Google was alerted to just two weeks ago and that has already been employed by a publicly available rooting application. Tracked as CVE-2015-1805, this flaw existed in the Linux kernel until April 2014, but until recently it wasn’t known that Android was also affected.

As many as nine critical remote code execution flaws were patched in Android’s media codec, media server, and Stagefright library. Of these, five were rated as high impact, including one privilege escalation vulnerability and four information disclosure issues. Critical flaws were also patched in the Android kernel, the Dynamic Host Configuration Protocol client, Qualcomm Performance module and the Qualcomm RF modules.

Aside from CVE-2015-1805’s use in a rooting application, there is no known exploitation of the other vulnerabilities fixed in this patch according to a security advisory from Google. As a result of the large number of high-impact and critical flaws fixed in this patch, it is highly recommended that any updates to Android 6 offered by manufacturers are installed before attacks that make use of them are released into the wild.

iOS Mobile Device Management Protocol Can be Abused to Load Malware


Apple has worked hard to make it difficult for users to unwittingly install unauthorized and malicious apps onto their devices. Despite this, there is still one way in that attackers are able to exploit: the mobile device management (MDM) protocol. Researchers from Check Point Software Technologies will be demonstrating the hack as part of a presentation at the Black Hat Asia security conference on Friday.

The technique for injecting malware onto iOS devices takes advantage of the fact that the communication between MDM products and iOS devices is vulnerable to man-in-the-middle attacks, and it can be performed with minimal user interaction. MDM products are used by companies to configure, control and secure employees’ devices remotely, as well as providing access to private app stores for easy internal app deployment. Of course, this attack relies on the target device being registered to an MDM server in order for there to be a connection to hijack.

Initially, a user would have to be tricked into installing a malicious configuration profile on their device, which could be easy to slip in with a number of the profiles that corporate users are used to installing such as VPN, Wi-Fi, email and other important settings. The malicious profile would then install a root certificate to route the device’s internet connection through a proxy. This can be used to route all traffic through a server under the attacker’s control and engage the man-in-the-middle attack. From there, the attacker is free to push malicious apps to the device using a stolen enterprise certificate or a malware app could be disguised as an app the user expects. A user must still accept the choice to install the app, but even if it is refused, the attacker is free to push the request repeatedly, essentially locking the device up until the install is accepted.

Check Point have named this vulnerability Sidestepper, due to the fact that it effectively side-steps the new restrictions for enterprise app deployments in iOS9. Misuse of enterprise certificates is nothing new either, with Check Point finding that in one Fortune 100 company, over 300 sideloaded apps signed with over 150 enterprise certificates existed. So while MDM technologies may be great for businesses, users must be just as much on their guard against attacks targeting those deployments as any other app or profile they may install.

Stagefright Vulnerability Now a Serious Threat to Android Devices


The Stagefright vulnerability in Android is nothing new; however, for a long time it was (mostly) harmless due to the difficulty of reliably using the flaw for malicious purposes. Unfortunately for Google and Android users, researchers at Israeli cyber-security firm NorthBit have developed a proof-of-concept exploit based on Stagefright, named Metaphor, that is able to reliably compromise Android devices.

The Metaphor exploit uses a set of back-and-forth communications that allow attackers to probe the defenses of a target device before attempting the compromise. When a victim visits a website with a malicious MPEG-4 file embedded in it, the file causes Android’s built-in media server to crash and send data on the device’s hardware to the attacker; the site then sends another video file, captures additional data and finally delivers a video file that is able to compromise the device. The procedure may seem long and complicated, but in reality, Metaphor was found to be able to break into most devices within 20 seconds. Unfortunately for fans of stock Android, the attack was found to be most effective on Nexus 5 devices running stock firmware, but the customized versions of Android found on phones from HTC, LG and Samsung are not safe either.

While this attack may pose a threat to the 275 million Android phones running versions 2.2 all the way to 5.1, devices running the most up-to-date version, 6.0 Marshmallow, are safe. Additionally, the attack needs to be tailored to a specific set of Android hardware, so it is likely that only those running the most popular devices would be targeted, and many of those have already received patches specifically to defend against Stagefright. As a result, those with older Android devices may want to be careful or think about a new handset, lest they remain vulnerable to this exploit if it enters the wild.

Bounty for Chromebook Hack Doubled to $100,000

Many companies seek to outsource the finding of vulnerabilities in their products to external hackers, offering monetary rewards in exchange for details on successful hacks that they can fix. In a show that should both display their faith in the security of the Chromebook as well as entice more hackers and security experts to probe the laptops for vulnerabilities, Google has doubled the previous bounty offered for a Chromebook hack to $100,000.

This new and larger reward sets a high bar for anyone wishing to challenge the Chromebook’s security. In order to qualify for the full $100,000 bounty, a hack must be demonstrated that is delivered through a web page accessed in guest mode and have the compromise persist in guest mode, even between boots of the device. The reason this hack is challenging is that while in guest mode, a Chromebook is employing its highest levels of security. A guest user can download files, but is forbidden from installing apps, even those officially released from Google’s store, which removes one of the major angles of attack used by hackers. Chromebooks are also set to automatically install updates, run all of their software in sandboxed environments and even have a “verified boot” function, which can detect if the OS has been compromised by malware on boot and roll it back to a clean version.

“Since we introduced the $50,000 reward, we haven’t had a successful submission,” Google wrote on their security blog. “That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool.” Whether that means that no-one can hack the Chromebook or simply that not enough people have tried remains to be seen, but we will have to see whether anyone will be able to claim this bounty in the near future.

Two Year Old Java Vulnerability Reappeared Thanks to Broken Patch

Back in 2013, Oracle released a patch for a critical security flaw in Java. Now it has been found that this patch was ineffectual and easily bypassed, once again making PCs and servers running even the latest version of Java vulnerable to it.

The tracking code for this flaw in the Common Vulnerabilities and Exposures (CVE) database is CVE-2013-5838, and Oracle rated it 9.3 out of 10 under the Common Vulnerability Scoring System (CVSS). The vulnerability allows attackers to escape from the Java security sandbox that usually limits the code that can be run in a Java virtual machine using the Java Runtime Environment. Because it can be exploited remotely without authentication, it allows attackers to totally compromise a target system.

Now, researchers at Security Explorations have discovered that the patch used to fix the vulnerability was seriously flawed, with the proof-of-concept code from 2013 requiring a change of only 4 characters in order to bypass it. The full details of the patch bypass were documented in a technical report released by Security Explorations.

The versions of Java affected by this flaw include all of the latest versions: Java SE 7 Update 97, Java SE 8 Update 74 and Java SE 9 Early Access Build 108. Additionally, Oracle’s original advisory stated that CVE-2013-5838 only affected client deployments of Java and is exploited through “sandboxed Java Web Start applications and sandboxed Java applets.” Security Explorations CEO Adam Gowdiak explained that this was incorrect, stating that “We verified that it could be successfully exploited in a server environment as well as in Google App Engine for Java.”

While attackers would still require an additional vulnerability in order to bypass the security prompts that feature in newer versions of Java, it is easily possible that victims could be convinced to allow the malicious applet to run.

Unlike many firms, Security Explorations did not report the issue to Oracle prior to releasing it publicly. Gowdiak stated that “We do not tolerate broken fixes any more,” and that there would be full public releases whenever broken vulnerability fixes are found. Oracle are yet to respond to the report, with it currently unknown if an emergency update will occur to patch the issue, or whether it will remain in place until the next quarterly Critical Patch Update, on April 19.

Adobe Issues Patch For Code-Execution Bug

Flash has long been at the heart of a debate over usability and security. The media player has long been used for everything from YouTube to online games, but it has often been plagued by problems, with even the fixes containing problems. As a result, people are being told to avoid the tool and use HTML5 instead, and it seems we have yet another reason to listen, given the latest patch to fix a code-execution bug.

By code-execution bug, we mean that it would be possible to execute code remotely, meaning an attacker could quickly perform actions on your system without your knowledge or consent. This is a rather broad exploit, enabling a whole host of problems from the get-go, unlike others with a narrower purpose.

The zero-day vulnerability was found by Anton Ivanov, a member of Kaspersky Lab, and was credited as such. Kaspersky Lab researchers have been observing the vulnerability and had seen it used in “a very limited number of targeted attacks”.

With so many vulnerabilities, it comes as no surprise that people are trying to steer away from using Flash. We recommend that if you don’t actively use the tool you remove it from your system, something that could only improve your security given Flash’s checkered past. If you do use Flash, then we recommend that you update it now and make sure that you keep checking for security patches.

Researcher Finds New Way to Hijack Drones Mid-Flight

It is often easy to forget that while the majority of drones making the news are operated by hobbyists and amateurs, the US government is rolling out a number of more expensive UAVs for use by first responders and the police. Now, IBM security researcher Nils Rodday has potentially thrown a spanner in the works by demonstrating that at least one model of these government-standard drones has security vulnerabilities that allow it to be hacked from as far away as a mile, allowing an attacker to seize control of the craft for their own ends or simply cause it to drop from the sky.

The full extent of the vulnerability will be demonstrated by Rodday at the RSA conference this week, where he will show how a $30,000 to $35,000 drone can be taken over or knocked out of the sky through a security flaw in its radio connection, using just a laptop and a cheap radio chip connected via USB. Because the connection between the operator and the drone is left unencrypted to allow commands to be processed more quickly, an attacker who can send the correct sequence of signals to the drone’s telemetry box can impersonate the true operator, locking them out of control of the drone. “You can inject packets and alter waypoints, change data on the flight computer, set a different coming home position,” Rodday says. “Everything the original operator can do, you can do as well.”

With the ongoing fear of irresponsible drone use by hobbyists, it is even more concerning that the expensive drones operated by official bodies are so vulnerable to attack. Should an attacker wish to cause serious harm, it would appear it could be done using a hacked police drone with surprising ease. “If you think as an attacker, someone could do this only for fun, or also to cause harm or to make a mess out of a daily surveillance procedure,” says Rodday.

One in Three Servers Affected by New TLS Decryption Hack

A new vulnerability has been discovered by security researchers that could allow eavesdroppers to spy on the traffic between users and as many as one in three HTTPS servers. The problem arises because many HTTPS servers still support the outdated and now-insecure Secure Sockets Layer (SSL) version 2 protocol. SSLv3 succeeded SSLv2 back in 1996; however, SSLv2 was only officially deprecated in 2011, which has resulted in its continued presence on servers. Even SSLv3 has since been replaced with newer, more secure Transport Layer Security (TLS) versions 1.0, 1.1 and 1.2.

While SSLv2 is totally unsuitable for encrypted communications, until now security researchers did not think that its continued support on servers posed a security threat, since most modern clients, such as web browsers and other software capable of TLS communications, no longer support it. A newly released paper has shown this assumption to be false: a server supporting SSLv2 can be exploited by attackers to decrypt traffic from its clients, even those using the most up-to-date TLS protocols.

The attack, which has come to be known as DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), has a number of prerequisites, but unlike some vulnerabilities, they remain practical to meet. Firstly, the server must either support SSLv2 or share its private key with another server that does, which is common in many organizations that share a key across both web and email servers. With this satisfied, the attacker must then monitor several hundred encrypted connections between the victim and the server, whether by simply observing over a long period or by using malicious code to force numerous connections to be repeatedly made with the server. Even the requirement that the handshake must use the RSA key exchange algorithm is simple, as it is the most commonly used key exchange in TLS implementations.

Armed with this information, the attacker then connects to the server via SSLv2 multiple times using specially crafted handshake messages that contain modifications of the RSA ciphertext captured during the victim’s TLS connections. Although these connections fail, they cause the server to leak further information about the secret keys used during the TLS connections. It was calculated that even in a worst-case scenario, an attacker would need to perform roughly 40,000 probe connections and 2^50 computations to decrypt one out of 900 observed TLS connections. The researchers estimated that running the calculations for the attack on Amazon’s EC2 cloud computing platform would cost around $440. The attack is significantly easier still if the server is running a version of the OpenSSL library that contains two known flaws.

As many as 17% of all HTTPS servers are directly vulnerable to the attack, with 25% of SMTP with STARTTLS servers, 20% of POP3S and IMAPS servers and 8% of SMTPS servers also vulnerable. Even among HTTPS servers that did not directly support SSLv2, those that shared their private keys with other servers supporting SSLv2 raised the overall percentage of vulnerable servers to 33%. Thankfully, while DROWN attacks may expose critical information such as login or banking credentials, the attack would have to be executed from scratch for every user, and the server’s long-term private keys are not exposed, only the keys negotiated for specific sessions.

Server administrators have been urged to ensure that SSLv2 is disabled on their servers, including any servers sharing the same private keys. Instructions on how to do so have been provided by the researchers for the most common web servers and TLS libraries. For those unsure whether their server is vulnerable, even with SSLv2 disabled, a tool has been released to determine whether a server is vulnerable and affected by key reuse.
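The first DROWN prerequisite is simply whether a server still answers an SSLv2 CLIENT-HELLO at all. The script below, an added example and not the researchers’ own checking tool, builds that legacy hello, sends it to a host you administer and parses the reply: an SSLv2 SERVER-HELLO means the protocol is still enabled, while a TLS alert or a closed socket means it is not. It does not check the key-sharing condition, so a clean result here is necessary but not sufficient. The `probe` helper and the constructed reply in the comments are assumptions for illustration.

```python
"""Check whether a TLS endpoint still answers an SSLv2 CLIENT-HELLO.

Added example; not a tool from the DROWN researchers. It speaks just enough
of the legacy SSLv2 handshake to learn whether a server is willing to
negotiate SSLv2, which is the first DROWN prerequisite. Point it only at
hosts you are responsible for.
"""
import os
import socket
import struct
from typing import Optional, Tuple, List

# The seven SSLv2 cipher kinds, 3 bytes each, as defined in the SSL 2.0 spec.
SSLV2_CIPHERS = bytes.fromhex(
    "010080"  # SSL_CK_RC4_128_WITH_MD5
    "020080"  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    "030080"  # SSL_CK_RC2_128_CBC_WITH_MD5
    "040080"  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    "050080"  # SSL_CK_IDEA_128_CBC_WITH_MD5
    "060040"  # SSL_CK_DES_64_CBC_WITH_MD5
    "0700c0"  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
)
MSG_CLIENT_HELLO = 1
MSG_SERVER_HELLO = 4


def build_client_hello(challenge: Optional[bytes] = None) -> bytes:
    """Build a 2-byte-header SSLv2 record carrying a CLIENT-HELLO."""
    challenge = challenge or os.urandom(16)
    body = struct.pack(
        ">BHHHH", MSG_CLIENT_HELLO, 0x0002,      # msg type, version SSL 2.0
        len(SSLV2_CIPHERS), 0, len(challenge),   # cipher-spec, session-id, challenge lengths
    ) + SSLV2_CIPHERS + challenge
    # Record header: high bit set means a 2-byte header with no padding byte.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(record: bytes) -> Optional[Tuple[List[str], int]]:
    """Return (accepted cipher kinds, certificate length) for an SSLv2 SERVER-HELLO.

    Returns None for anything else: a modern server rejects SSLv2 by closing the
    socket (empty reply) or by sending a TLS alert record (first byte 0x15).
    """
    if len(record) < 2 or not record[0] & 0x80:
        return None
    length = ((record[0] & 0x7F) << 8) | record[1]
    body = record[2:2 + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    _hit, _cert_type, version, cert_len, ciphers_len, _conn_id_len = struct.unpack(
        ">BBHHHH", body[1:11]
    )
    if version != 0x0002:
        return None
    ciphers = body[11 + cert_len: 11 + cert_len + ciphers_len]
    accepted = [ciphers[i:i + 3].hex() for i in range(0, len(ciphers) - len(ciphers) % 3, 3)]
    return accepted, cert_len


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a TCP connection, send the CLIENT-HELLO and report the verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    result = parse_server_hello(reply)
    if result is None:
        return "no SSLv2 (good)"
    accepted, _ = result
    return "SSLv2 accepted, ciphers: " + ",".join(accepted)


if __name__ == "__main__":
    import sys
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(sys.argv[1], target_port))
```

Run it as `python sslv2_check.py mail.example.org 465` against each service that shares a certificate with the web server, since the key-sharing clause means an SSLv2-enabled SMTPS or IMAPS port undermines an otherwise clean HTTPS deployment.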

It is scary to think that some of the websites vulnerable to this issue include big names used in the everyday lives of many such as yahoo.com, weibo.com, buzzfeed.com, weather.com, flickr.com, and dailymotion.com.

Video Surveillance DVRs Exposed by Hard Coded Password

The security of internet-accessible devices has become more and more critical in recent years. Recently, cheap unsecured webcams came under fire after many such devices were exposed by the Shodan search engine. Now as many as 46,000 users of digital video recorders (DVRs) manufactured by Zhuhai RaySharp Technology may actually be making their property less secure, with it coming to light that the Chinese manufacturer has been using hard-coded, unchangeable passwords for the highest user privileges in their software.

The vulnerability was discovered by security researchers from vulnerability intelligence firm Risk Based Security (RBS), who examined the software that the DVRs’ interface runs on. RaySharp’s DVR products have a web interface through which a user can view the camera feeds, manage settings and recordings and operate any pan or zoom features on the cameras. These web interfaces all run on Linux-based firmware, and on examining the CGI scripts that handle the web interface’s user authentication, the researchers found a routine that checks whether the user-supplied username is “root” and the password is “519070”. Logging into the web interface with these credentials provides full system access.

Using hard-coded passwords for small-scale systems used to be an accepted practice, where physical access to the system would generally be required regardless. Such things are now considered to be unacceptable by most, with many vendors developing secure systems and working to ensure vulnerabilities that do pop up are patched. That RaySharp still use hard-coded root passwords would be bad enough, but the Chinese firm also manufacture DVR products and provide firmware for a number of other companies worldwide with RBS researchers finding that at least some of the DVR products from König, Swann Communications, COP-USA, KGUARD Security, Defender and LOREX Technology, contain the same hard-coded root password. Another CGI script found in RaySharp firmware listed 55 vendors that apparently use the same firmware, so the impact could be much greater.

RBS researchers chose to release information on the vulnerability so that those in possession of a DVR system from RaySharp or one of the other affected firms can check for themselves whether their system has the issue. They recommend that any DVR that accepts the username and password combination of root and 519070 should not be accessible on the internet, and if remote access is required, it should be done by first logging into a VPN.
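To make the RBS finding concrete, here is the hard-coded check as the article describes it, beside the per-device alternative a vendor should ship. This is an added example written for this page, not RaySharp’s CGI code; the function names, the PBKDF2 record layout and the idea of provisioning a random per-unit password at first boot are assumptions for illustration.

```python
"""Hard-coded root login, as described for the RaySharp firmware, beside a
per-device replacement. Added example, not RaySharp's CGI code; the helper
names and the stored credential format are assumptions for illustration.
"""
import hashlib
import hmac
import os
import secrets
import string


def vulnerable_login(username: str, password: str) -> bool:
    """The pattern RBS found: one fixed credential pair compiled into the
    firmware. It cannot be rotated, and every unit of every rebranded model
    shares it, so one leaked string opens all of them."""
    return username == "root" and password == "519070"


# --- hardened form --------------------------------------------------------

_ALPHABET = string.ascii_letters + string.digits
ITERATIONS = 100_000
_DUMMY_SALT = b"\0" * 16


def generate_initial_password(length: int = 12) -> str:
    """Per-unit random password, printed on the device label or shown once at
    first boot, instead of a constant baked into the firmware image."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def make_record(password: str) -> dict:
    """Salted PBKDF2 record that would be written to the device's config flash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def build_device_users(initial_password: str) -> dict:
    """What first-boot provisioning stores: one admin with a unique password."""
    return {"root": make_record(initial_password)}


def hardened_login(username: str, password: str, users: dict) -> bool:
    """Look up the per-device record and compare digests in constant time."""
    record = users.get(username)
    if record is None:
        # Burn a hash anyway so an unknown username is not cheaper to probe.
        hashlib.pbkdf2_hmac("sha256", password.encode(), _DUMMY_SALT, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed walk-through: provision a unit, then try the known constant.
    first_boot_password = generate_initial_password()
    users = build_device_users(first_boot_password)
    print("hard-coded check accepts root/519070:", vulnerable_login("root", "519070"))
    print("hardened check accepts root/519070:", hardened_login("root", "519070", users))
    print("hardened check accepts provisioned password:",
          hardened_login("root", first_boot_password, users))
```

The important property is not the hashing but that the secret is per unit and replaceable: a device whose admin password lives in a writable record can be rotated after a disclosure like this one, whereas a constant in the CGI binary cannot be fixed without a firmware update that many of the 55 rebranding vendors may never ship.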

With the recent revelation that many webcams had been unwittingly exposed publicly online, it is likely that the same may occur for these DVRs. Hopefully, those with vulnerable DVR systems will discover the issue and take precautionary steps to avoid unwittingly sabotaging their own efforts to make their property or possessions safer.

eBay Vulnerability Exposes Users to Data Theft and Phishing Attacks

The eBay site is used by millions of people and, as a result, enjoys a high level of trust among the users buying and selling countless items each day. Imagine, then, how lucrative a target this massive user base could be for an attacker. Check Point’s security researchers have found just such a vulnerability in eBay that allows malicious users to bypass the code validation that is in place and remotely control the vulnerable page to execute malicious JavaScript code in the browsers of targeted users.

Check Point warn that leaving the flaw unpatched will expose the online marketplace’s huge userbase to the risk of data theft and phishing attacks while eBay believes that the actual risk of a malicious attack is very low. eBay was made aware of the vulnerability on December 15th, but they are yet to issue a complete patch for the weakness, instead claiming to have implemented additional security filters based on the report to reduce the risk.

eBay told Security Week “eBay is committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure. We have not found any fraudulent activity stemming from this incident.”

One of the ways that an attacker could target eBay users is by first sending them to a legitimate page which contains the malicious code. By setting up an eBay store and adding malicious code to the description section of items, attackers can trick users into visiting pages containing harmful code. This code could do a number of things once opened, from phishing for data to downloading binaries to the computer or device. eBay reports that as few as two in a million items listed on their site use active content, making the chance of being targeted by malicious content low. Despite this, Check Point stated that they have demonstrated a proof-of-concept for the attack to the eBay security team, in which they were able to bypass the restrictions and deploy malicious code to their seller page without any difficulty.

The finding was made public by Check Point on Tuesday, in the hope that it may push the e-commerce site to patch the vulnerability quickly. This is a good example of how even the sites that seem the most trustworthy can hide potential danger. Until a patch is released, taking care when using eBay may just be the best bet.

OpenSSL Bug Allowed Attackers to Decrypt HTTPS Traffic

The OpenSSL cryptographic library was recently updated in response to a high-severity vulnerability found in its code. The vulnerability made it possible for attackers to get hold of the decryption key used for traffic secured by HTTPS and other transport layer security methods.

Thankfully, while the consequences of the vulnerability were high, the flaw can only be exploited when a very specific set of conditions are met. For starters, only version 1.0.2 even contains the vulnerability. The application relying on it must then use groups based on the digital signature algorithm (DSA) to generate ephemeral keys for the Diffie-Hellman key exchange. By default, server applications re-use the same private Diffie-Hellman exponent for the lifetime of the server process. The result is that the server’s encrypted traffic becomes vulnerable to a key-recovery attack, which is also the case in configurations that rely on a static Diffie-Hellman cipher suite.

When the requirements are met, an attacker can make a barrage of handshake requests to the vulnerable endpoint system. With enough requests, partial secret values can be obtained and combined using the Chinese Remainder Theorem to calculate the encryption key. More extensive information on the attack and vulnerability can be found on Antonio Sanso’s blog and as part of an OpenSSL security advisory.

Thankfully, the majority of mainstream applications relying on OpenSSL and DSA-based Diffie-Hellman don’t seem to meet these requirements. For example, the common Apache Web Server enables the SSL_OP_SINGLE_DH_USE option, which causes a different private exponent to be used for each handshake across the process’ lifespan. Meanwhile, the two main forks of OpenSSL do not have the vulnerability present in them: Google’s BoringSSL removed the SSL_OP_SINGLE_DH_USE option some months earlier, while in LibreSSL it was deprecated less than a week ago. Anything that uses a static cipher suite risks continuing to be vulnerable, however.
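The paragraphs above describe the attack in the abstract: a barrage of handshakes, partial secrets, the Chinese Remainder Theorem, and a single-use exponent as the fix. The toy below, an added example and not code from Sanso’s write-up or from OpenSSL, carries that reasoning through on numbers small enough to read. A simulated server answers each handshake with success or failure, which is all a real server reveals through its Finished message; the `DHServer`, `recover_exponent` and `smooth_prime` names, and the choice of a 16-bit prime whose group order is a product of small primes (standing in for a DSA-style group with small subgroups), are assumptions made for the demonstration. The same code run with `reuse=False` models SSL_OP_SINGLE_DH_USE: each residue then belongs to a different exponent and the CRT combination is meaningless.

```python
"""Why reusing a Diffie-Hellman private exponent in a group with small
subgroups leaks the exponent, and why a fresh exponent per handshake
(OpenSSL's SSL_OP_SINGLE_DH_USE) stops it.

Added example, not code from Sanso's write-up or OpenSSL. Numbers are tiny
on purpose; the server 'oracle' stands in for handshake success/failure.
"""
import random
from typing import List, Tuple


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def smooth_prime(bits: int = 16, seed: int = 1) -> int:
    """Prime p where p-1 is a product of small primes, the toy analogue of a
    DSA-style group whose cofactor has many small subgroups."""
    rng = random.Random(seed)
    while True:
        m = 2
        while m.bit_length() < bits:
            m *= rng.choice([2, 3, 5, 7, 11, 13])
        if is_prime(m + 1):
            return m + 1


def prime_power_factors(n: int) -> List[Tuple[int, int]]:
    """[(q, q**e), ...] for each prime q dividing n, by trial division."""
    out, q = [], 2
    while q * q <= n:
        if n % q == 0:
            pe = 1
            while n % q == 0:
                n //= q
                pe *= q
            out.append((q, pe))
        q += 1
    if n > 1:
        out.append((n, n))
    return out


class DHServer:
    """Server side of the exchange. reuse=True keeps one private exponent for
    the process lifetime (the default the advisory warns about)."""

    def __init__(self, p: int, reuse: bool, seed: int = 7):
        self.p, self.reuse = p, reuse
        self.rng = random.Random(seed)
        self.x = self._fresh()

    def _fresh(self) -> int:
        return self.rng.randrange(2, self.p - 1)

    def handshake(self, peer_public: int, guessed_secret: int) -> bool:
        """True if the client's guess of the shared secret verifies (what a real
        Finished check leaks). Rotates the exponent afterwards unless reusing."""
        ok = pow(peer_public, self.x, self.p) == guessed_secret
        if not self.reuse:
            self.x = self._fresh()
        return ok


def element_of_order(p: int, order: int, rng: random.Random) -> int:
    """Pick h whose multiplicative order modulo p is exactly `order` (a prime power)."""
    q = prime_power_factors(order)[0][0]
    cofactor = (p - 1) // order
    while True:
        h = pow(rng.randrange(2, p - 1), cofactor, p)
        if h != 1 and pow(h, order // q, p) != 1:
            return h


def crt(residues: List[int], moduli: List[int]) -> int:
    """Combine x = r_i (mod n_i) for pairwise coprime n_i into x mod prod(n_i)."""
    x, m = 0, 1
    for r, n in zip(residues, moduli):
        x += m * (((r - x) * pow(m, -1, n)) % n)
        m *= n
    return x % m


def recover_exponent(server: DHServer, seed: int = 3) -> Tuple[int, int]:
    """For each prime power q^e dividing p-1, offer an element of that order,
    brute-force the q^e possible shared secrets through the oracle, then glue
    the residues with the CRT. Returns (recovered exponent, handshakes used)."""
    rng = random.Random(seed)
    residues, moduli, queries = [], [], 0
    for _, pe in prime_power_factors(server.p - 1):
        h = element_of_order(server.p, pe, rng)
        for j in range(pe):
            queries += 1
            if server.handshake(h, pow(h, j, server.p)):
                residues.append(j)   # learned: x == j (mod pe)
                moduli.append(pe)
                break
    return crt(residues, moduli), queries


if __name__ == "__main__":
    p = smooth_prime()
    reusing = DHServer(p, reuse=True)
    x, n = recover_exponent(reusing)
    print(f"p={p}: reused exponent {reusing.x} recovered as {x} after {n} handshakes")
    rotating = DHServer(p, reuse=False)
    x, n = recover_exponent(rotating)
    print(f"single-use exponents: CRT gives {x}, current exponent is {rotating.x}")
```

Note how cheap the oracle is in the reuse case: the number of handshakes is the sum of the prime powers dividing p-1, not their product, which is exactly why the advisory talks about a "barrage" of connections rather than a brute force of the whole exponent.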

Sanso reported the bug privately to the OpenSSL project maintainers on the 12th of January, meaning it took only two weeks for them to identify, test and roll out a fix. Curiously, at the time the bug was reported, a fix relating to the re-use of Diffie-Hellman exponents had already been committed to the OpenSSL code base but was yet to be part of a release. For obvious security reasons, details of the vulnerability were not publicly released until a patch was already available, so that would-be attackers would not be aware of the attack vector until it was already removed. While it may only affect edge cases, if you’re running a server that relies on OpenSSL 1.0.2 you should be sure to update to 1.0.2f, and those on 1.0.1 should install 1.0.1r, although support for 1.0.1 is finishing at the end of this year.

Microsoft Edge Browser is Storing Private Browsing Data

With the jump to Windows 10, Microsoft also hoped to say goodbye to their old Internet Explorer browser, one often berated by the tech savvy. In Edge, they included many features that were already staples among rival browsers, one such feature being the InPrivate browsing mode. It has come to light, however, that InPrivate may not be as private as it seems.

Researcher Ashish Singh found that the history of websites visited while using the InPrivate mode can be found by examining the WebCache file on the user’s hard drive. In fact, the browsing history of InPrivate can be found in the same “Container_n” table that stores browsing history from conventional tabs. As a result, if an attacker were able to access the table, they would be able to access the entire browsing history of a user, whether their browsing was done InPrivate or not. Singh wrote in Forensic Focus that “The not-so-private browsing featured by Edge makes its very purpose seem to fail.” The fact remains that this process would be difficult to perform by a regular user or attacker, and anyone wishing to uncover this ‘private’ browsing history would likely need to be skilled in the field and have local access to the target’s hard drive.

Edge is far from the first browser to employ a private browsing mode that is not fully secure, and private browsing often does not ensure security. Private browsing modes are a privacy feature first and foremost, and that one cannot fully protect against the most dedicated of attacks is perhaps unsurprising. The Verge has reported that Microsoft is investigating the results of Singh’s research into Edge “and we are committed to resolving this as quickly as possible.”

Shodan Makes Snooping on Vulnerable Webcams Easy

Shodan is a search engine designed to allow users to search through information on devices that are connected to the internet. The site, named after the AI from the System Shock series of games has been around since 2009, making news ever since as it has allowed access to potentially unsafe systems that have been exposed to the public internet, such as power stations and oddities including gym equipment. The newest feature to be added to Shodan has now put it back under the spotlight with a newly added section of the site allowing users to browse and view vulnerable webcams.

These feeds capture all manner of activities, from people’s offices and kitchens to far more worrying things including banks, schools, laboratories, drug plantations and even sleeping babies. Security researcher Dan Tentler told Ars Technica “It’s all over the place, practically everything you can think of.” He went on to explain that the prevalence of vulnerable Internet of Things (IoT) devices is the result of a race to the bottom by webcam manufacturers. Typical users tend not to value security and privacy to the point that they’d pay more for a product, allowing manufacturers to slash the costs of their devices to maximize profit. The end result of this race is a slew of cheap insecure devices being on the market and filling more and more homes as times go by.

The vulnerability of the devices is rooted in their use of the Real Time Streaming Protocol (RTSP) on port 554 to share their video, often with no authentication in place to protect it from access. Many of the devices have surfaced on Shodan as the site crawls the internet searching for IP addresses with ports open to connections. If the port provides a video feed and lacks any authentication, Shodan captures an image from the feed, records the IP address and port and moves on. While Shodan may take flak for publicly exposing so much private footage, it is hardly the one to blame and, in fact, sheds light on the poor state of security often applied to consumer IoT products. Tentler estimates that millions of insecure webcams are connected and easily discoverable through Shodan.

Shodan’s image feed is available to its paid users at images.shodan.io, while users with free accounts can find an array of video devices by using the search filter “port:554 has_screenshot:true”. It is truly frightening how much is haplessly made available to anyone online, with users expecting manufacturers to handle security for them, but manufacturers being unwilling to raise the cost for the sake of security. Hopefully, the images made public by this new feature of Shodan will convince both users and manufacturers to value cybersecurity more in this increasingly connected world.

D-Link Wi-Fi Webcam Turned into a Network Backdoor

Vectra Networks researchers today released an article demonstrating how they turned a $30 D-Link Wi-Fi webcam into a backdoor onto its owner’s network. Installing a device like a networked webcam may seem like a riskless action, but when the device can allow hackers to access the same network it becomes far more worrying.

Typically, attacks on Internet of Things devices are considered a waste of time due to their lack of valuable onboard data and lack of resources to manipulate. Vectra showed that should hackers focus on and be able to compromise a device’s flash ROM, they could replace the running code with their own tools such as those to create a backdoor. It doesn’t have to be a remote hack either, with the report stating “Once we have such a flash image, putting it in place could involve ‘updating’ an already deployed device or installing the backdoor onto the device somewhere in the delivery chain – i.e. before it is received and installed by the end customer.”

The first step of the attack on the webcam was to dump the flash memory from the device for analysis. From the dump it could be determined that the ROM contains a u-boot bootloader and a Linux kernel and image, including the software used to update the firmware. With this, the steps used to verify firmware updates could be reverse engineered so that the device would accept a rogue update containing a Linux proxy service, while also disabling the ability to reflash in future so the backdoor could not be removed. With all this in place, the hacker would be able to inject their own attacks into the rest of the network and use the device as a pipeline to extract stolen data.

Such a compromise would be incredibly hard for the user to detect as long as the backdoor code did not interfere with the device’s normal operations. Even if it were detected, there would be no way to recover the device; it would instead have to be disposed of and replaced with a clean one. D-Link is yet to issue a patch for this vulnerability, and it is not expected that they will, as a true fix would require specialist chips to verify updates or a Trusted Platform Module.
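The reason a flash dump was enough to defeat the update check, and the reason the article says a real fix needs dedicated hardware, is that an integrity check whose every ingredient sits in the dumped image can be recomputed by whoever holds the image. The Go program below is an added illustration, not Vectra’s code and not D-Link’s actual update logic (which the article does not describe in detail): it places a digest-only check beside an Ed25519 signature check and shows that a rogue payload sails through the first but is rejected by the second. The assumption behind the second scheme is that only the vendor’s public key lives on the device, in storage the update path cannot overwrite; the firmware strings are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed stand-in for an update file: the payload plus
// the field the device consults before flashing it.
type FirmwareImage struct {
	Payload []byte
	Check   []byte // a digest (weak scheme) or a signature (strong scheme)
}

// weakVerify models the kind of check a flash dump lets an attacker defeat:
// accept the image if its embedded SHA-256 digest matches the payload. The
// algorithm is readable from the dumped ROM, so anyone can recompute it.
func weakVerify(img FirmwareImage) bool {
	sum := sha256.Sum256(img.Payload)
	return bytes.Equal(sum[:], img.Check)
}

// forgeForWeakCheck is what "reverse engineering the update check" buys: a
// rogue payload with a freshly computed digest that weakVerify accepts.
func forgeForWeakCheck(rogue []byte) FirmwareImage {
	sum := sha256.Sum256(rogue)
	return FirmwareImage{Payload: rogue, Check: sum[:]}
}

// newVendorKeys is the vendor-side key generation; the private key never
// leaves the vendor, only the public key is burned into the device.
func newVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signFirmware is the vendor-side release step.
func signFirmware(priv ed25519.PrivateKey, payload []byte) FirmwareImage {
	return FirmwareImage{Payload: payload, Check: ed25519.Sign(priv, payload)}
}

// strongVerify is the on-device check: accept only if Check is a valid
// Ed25519 signature over Payload under the vendor's public key. Dumping the
// flash yields the public key, which is useless for producing signatures.
func strongVerify(pub ed25519.PublicKey, img FirmwareImage) error {
	if len(img.Check) != ed25519.SignatureSize {
		return errors.New("malformed signature: image rejected")
	}
	if !ed25519.Verify(pub, img.Payload, img.Check) {
		return errors.New("signature check failed: image rejected")
	}
	return nil
}

func main() {
	pub, priv := newVendorKeys()
	genuine := signFirmware(priv, []byte("constructed genuine firmware"))
	rogue := forgeForWeakCheck([]byte("constructed rogue firmware carrying a proxy"))

	fmt.Println("digest-only check accepts rogue image:", weakVerify(rogue))
	fmt.Println("signature check, genuine image:", strongVerify(pub, genuine))
	fmt.Println("signature check, rogue image:", strongVerify(pub, rogue))
}
```

Note that the signature alone does not cover the second half of the attack described above: if the verifier and the public key sit in the same rewritable flash as everything else, a rogue image that gets in once (for instance somewhere in the delivery chain) can replace them. That is why the article points to dedicated verification chips or a TPM, which keep the root of trust out of reach of the code being verified.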

It is worrying that as we bring so many more tiny networked computers into our homes, they are far more of a risk than they seem. Vulnerabilities in even the smallest network device can compromise the security of an entire network and should not be overlooked.

ARRIS Cable Modems Have “Backdoor in the Backdoor”

Up to 600,000 ARRIS cable modems could be vulnerable to hacks via a “backdoor in the backdoor”, according to security researcher Bernardo Rodrigues. Rodrigues, who works as a vulnerability tester for the Globo TV network in Brazil, revealed on his blog that he had “found a previously undisclosed backdoor on ARRIS cable modems, affecting many of their devices including [the] TG862A, TG862G, [and] DG860A [models].” After extending his search, Rodrigues found that up to 600,000 ARRIS modems could be affected by the vulnerability.

Using the default username and password of “root” and “arris”, respectively, Rodrigues was able to SSH through a hidden HTTP admin interface, where he found a system-spawned ‘mini_cli’ shell which, given the right password, would allow him into a restricted technician shell. Rodrigues cracked the ARRIS password of the day, which was generated via the last five digits of the modem’s serial number.

Rodrigues even built a Puma5 Toolchain ARMEB to help demonstrate how the backdoor operates, which he has kindly hosted on GitHub. He reported how he accessed the “backdoor in the backdoor” to the vendor, which asked that he not reveal the algorithm he used to generate the password of the day. He waited until the issue had been fixed before posting his exposé. It took 65 days for the vulnerability to be corrected.

Fully Patched Adobe Flash Hit by New Zero-Day Update

Just as day follows night, and just as UbiSoft thinks up new and amazing game elements to strip away and charge microtransactions for, another zero-day exploit has been discovered for Adobe Flash. But this isn’t any old zero-day exploit, it’s an exploit found in the fully patched version of Flash.

The vulnerability, discovered by Trend Micro yesterday, allows attackers to secretly install malware on computers that carry Flash versions 19.0.0.185 and 19.0.0.207, and possibly earlier versions, too. Attacks exploiting the vulnerability have so far only targeted government agencies, undertaken as part of cyber-espionage initiative Operation Pawn Storm. The researchers from Trend Micro wrote:

In this most recent campaign of Pawn Storm, several Ministries of Foreign Affairs received spear phishing e-mails. These contain links to sites that supposedly contain information about current events, but in reality, these URLs hosted the exploit. In this wave of attacks, the emails were about the following topics:

“Suicide car bomb targets NATO troop convoy Kabul”

“Syrian troops make gains as Putin defends air strikes”

“Israel launches airstrikes on targets in Gaza”

“Russia warns of response to reported US nuke buildup in Turkey, Europe”

“US military reports 75 US-trained rebels return Syria”

It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.

Operation Pawn Storm has hit a number of foreign agencies over the last few months, including politicians and journalists in Russia and iOS devices used by Western governments and news outlets.

Oh, and don’t use Flash.

Thank you Ars Technica for providing us with this information.

Image courtesy of Wikimedia.

Exploit Found In Netgear Routers

So we’ve all had those periods where we come home and think our stuff has been moved around, you know when you think you’ve put your keys down beside the door and you find them on the sitting room table. Now imagine that you came home and found that some of your technology has had its settings changed, and most worryingly the technology in question is your router, the central point for all your devices to enter the world wide web. Turns out this happened to Joe Giron when he found out that his router had its settings changed on the 28th September.

Joe Giron told the BBC that he had discovered that some settings, not any settings, but the admin settings on his personal router had been changed. After the device was changed it began to send web browsing data to an internet address, clearly for a malicious reason.

The router in question is one of Netgear’s, a known brand all around the world. Netgear has accepted that the vulnerability that Giron was affected by is “serious” but will affect less than 5,000 devices.

The problem is that the data that was changed was the domain name server setting, normally set to your internet provider’s servers or, in this case, Google’s. The DNS transforms web addresses into formats which computers can understand, most commonly a form of IP address. With control over these settings it’s not only possible to track visited sites but also to redirect the user to whichever site you want.

Updated:

It has been confirmed by Netgear that an update to deal with this issue will be released on the 14th October. Affected users will be prompted to update their firmware if they log into their admin settings or have the Netgear genie app installed on any connected device.

Thank you BBC for the information.

Wifatch: The Vigilante Malware

Malware. That one word which seems to inspire fear and dread in everybody who hears it, even more so when you’ve experienced it first hand on one of your many devices. Malicious software, or malware for short, is often written to spread itself over the internet or even WiFi in the hope of creating openings for other malicious software, from a program that redirects you when you go on the internet to one that encrypts your hard drive until you pay hundreds of pounds so that (if they are true to their word) they will release your files. The world has changed since those dark days; there is a new piece of software in the world: Wifatch is here.

Wifatch was found in late 2015 by Symantec and focuses on the bugs and security issues normally involved in routers (a piece of hardware we all use but rarely update). This malware doesn’t just infect your router and use it to spread to others, it closes off potentially dangerous loopholes and bugs on your router. That’s right, this malware, a piece of software that by its very nature breaches your security and trust, is trying to help stop you from being affected by … malware?

Not only does it block common points of danger for routers but it also tries to disinfect infected systems, even going so far as to reboot systems in the hopes of stopping any malware that is currently running.

The developer even left a funny message in its source code for those brave enough to browse it.

Is this the kind of software that we need? What do you think about this vigilante malware?

Thank you Symantec and the BBC for the information.

Images courtesy of Symantec.

WinRAR at Risk of Huge New Zero Day Vulnerability

WinRAR has a base of some 500 million users worldwide, and those same users might want to take a look at a new Zero Day Vulnerability which has been detected within the newest version of the software. According to Mohammad Reza Espargham, who is a security researcher at Vulnerability-Lab, the stable version of WinRAR 5.21 for Windows computers is vulnerable to a “remote code execution (RCE) flaw”. Let’s digest this flaw by breaking it down and having a closer look.

The vulnerability is exploited by an attacker inserting malicious HTML code into the “Text to display in SFX window” section when creating a new SFX file. Below is a video which conveys a test that proves the existence of this flaw, albeit in a controlled environment.

The annoying flaw with SFX files is that they execute automatically the moment a user clicks on them, so consumers cannot identify or verify whether the compressed .exe file is a genuine WinRAR module or a malicious one. As of writing, there is yet to be a patch released for this flaw and Windows users are advised to refrain from clicking on any files from unknown sources. If you wish to protect yourself further, then by all means use an alternative archiving product or use strict authentication methods to secure your system.

The knock-on effect of any exploit can be harmful to users, especially when a product has a consumer base which is substantial in size.

Thank you thehackernews for providing us with this information.

Image courtesy of tecnoandroid.

Android Lollipop Lock Screen Can be Bypassed Using Really Long Password

Any Android Lollipop device that is not using the latest build of the mobile operating system is vulnerable to having its lock screen bypassed by inputting a long string of characters as password. The bypass was discovered by researchers from the University of Texas this week and can be applied to any Android 5 device that does not have the latest security updates, released last week.

“A vulnerability exists in Android 5.x <= 5.1.1 (before build LMY48M) that allows an attacker to crash the lockscreen and gain full access to a locked device, even if encryption is enabled on the device,” the researchers wrote on the University of Texas blog. “By manipulating a sufficiently large string in the password field when the camera app is active, an attacker is able to destabilize the lockscreen, causing it to crash to the home screen.”

The Texas researchers also included a proof-of-concept video, tested using a Nexus 4 with an Android 5.1.1 factory image:

Google has patched the flaw, but in the meantime it is advised that Android Lollipop users who do not have the latest updates use either a PIN or pattern lock, since neither is vulnerable to the above exploit.

Thank you The Register for providing us with this information.

Chrome to Block Flash Ads from 1st September

Google has confirmed that from 1st September onwards, its Chrome internet browser will “begin pausing many Flash ads by default”. Though the announcement, made through the AdWords Google+ page, claims that the measure is being taken “to improve performance for users”, it coincides with a raft of security concerns and zero-day vulnerabilities regularly reported within Adobe Flash.

The most recent Flash exploit, discovered in July, allowed hackers remote access to computers to execute malicious code. Soon after, Flash was blocked by Mozilla’s Firefox browser and by the beta version of Chrome. Google’s Tommi Li announced that the move was initiated to save laptop battery life, which seems far-fetched.

YouTube has already transitioned from Flash to HTML5 to display its videos, with game streaming site Twitch following suit, while Amazon is also banning Flash ads on its domains from the start of next month. Apple has never allowed Flash on its mobile devices, citing its security holes as a risk to users, while Android removed Flash support three years ago for similar reasons.

Though the more advanced and secure HTML5 is slowly taking over – Google has even converted a number of its AdWords Flash ads into HTML5 – Flash ads still dominate the market. A report from Sizmek shows that advertisers delivered over 5.35 billion Flash ads during the first quarter of 2015, versus 4.25 billion HTML5 ads.

Thank you Ars Technica for providing us with this information.

New Android Vulnerability Affects Everything on the Device

Following Stagefright, another worrying Android vulnerability has been uncovered by researchers. The security flaw can be exploited by taking advantage of the operating system’s multitasking functionality, giving hackers access to every part of the device. “The enabled attacks can affect all latest Android versions and all apps (including the most privileged system apps) installed on the system,” Chuangang Ren, security researcher from Penn State University, warned.

The researchers from Penn State who discovered the Android Vulnerability presented a paper on it at the USENIX Security 15 conference in Washington DC last week. It explained:

Android multitasking provides rich features to enhance user experience and offers great flexibility for app developers to promote app personalization. However, the security implications of Android multitasking remain under-investigated.

With a systematic study of the complex task dynamics, we find design flaws of Android multitasking which make all recent versions of Android vulnerable to task hijacking attacks. We demonstrate proof-of-concept examples utilising the task hijacking attack surface to implement UI spoofing, denial-of-service and user-monitoring attacks. Attackers may steal login credentials, implement ransomware and spy on user’s activities.

We have collected and analyzed over 6.8 million apps from various Android markets. Our analysis shows that the task hijacking risk is prevalent. Since many apps depend on the current multitasking design, defeating task hijacking is not easy.

The research team has notified Android about the vulnerability. Neither it nor Google – or Alphabet, as the parent company is now known – has commented on the findings of the paper.

UPDATE – 24th September, 2015:

Matt Penny from Google’s press office has issued the following statement:

“We appreciate this theoretical research as it makes Android’s security stronger. Android users are protected from attempts at phishing or hijacking like this (including manipulation of the user interface) with Verify Apps and Safety Net security features. Based on our research, fewer than 1% of Android devices had a Potentially Harmful App (PHA) installed in 2014, and fewer than 0.15% of devices that only install from Google Play had a PHA installed.”

Thank you The Register for providing us with this information.

Image courtesy of Hacoder.

Intel Processors Vulnerable to Rootkit Exploit Since 1997

A researcher from the Battelle Memorial Institute has revealed that every Intel x86-based processor – and possibly some AMD processors – since 1997 is vulnerable to a rootkit exploit that could grant hackers access to the low-level firmware of a PC. Christopher Domas revealed the concern at the Black Hat 2015 conference in Las Vegas this week.

The vulnerable component of the chip is the System Management Mode, which is the part responsible for subsystem controls, such as power distribution. The exploit does require full system privileges, but a successful attack allows a hacker to delete a computer’s Extensible Firmware Interface, or even replace it with a rootkit. Such an attack would be completely undetectable by security scanners, and a rootkit would remain in place regardless of what is done to the board’s software or drives.

Since becoming aware of the bug, Intel has been working on a patch, but since the vulnerability has existed for nearly 20 years, it seems a little late. There’s no telling just how many PCs have fallen victim to this exploit, and it remains unlikely that any patch would reach every endangered processor. Thankfully, the difficulty of launching such an attack, both with the level of system privilege and coding skill required to abuse an exposed processor, means there should be few casualties.

Thank you HotHardware for providing us with this information.

Hackers Find Serious 0day Vulnerability in Mozilla Firefox

Mozilla got word this Wednesday that a severe Firefox 0day vulnerability was being exploited by an ad on a Russian website. Although the company was swift in delivering a fix, they are now urging users to check that they are running version 39.0.3 or later to prevent hackers from gaining access to their sensitive data.

It looks like the vulnerability affected a non-privileged part of Firefox’s built-in PDF viewer, where hackers were able to inject JavaScript. Because the injected script ran in the same origin as the browser’s local context, hackers could then have it search for data and upload it to a server located in Ukraine, as sources indicate.

Security specialists found that the exploit mainly targeted developer-focused content, though it was served to the general audience. That is what makes the attack well aimed: the ad reached the website’s large audience, yet data was only taken from the browsers of particular interest. Those looking into the hack found that it left no traces behind, which means that even experienced users may be unaware whether or not they have been the victim of a hack.

Though the hack affected only Windows and Linux systems, Mac users should also be on guard, since the hack could also be modified to target Apple’s Macintosh OS.

Thank you Sci-Tech Today for providing us with this information.

Image courtesy of Wikimedia.

New Android Vulnerability That Kills Devices Discovered

Following the discovery of the Stagefright vulnerability, another potentially dangerous Android hack has been found. The bug, uncovered by Trend Micro, can leave an Android device effectively dead, killing the screen and all communication functions, including calls, and can be found in Android 4.3 (Jelly Bean) up to the current Android 5.1.1 (Lollipop). Though it was first reported in late May of this year, no fix has been released through the Android Open Source Project (AOSP) code by the Android Engineering Team.

The fault can be exploited by either a malicious app or a phishing site, using a malicious MKV video file – much like Stagefright, which also used media files to compromise Android operating systems – designed to auto-start whenever the device boots.

As for the technical details, I’ll leave that to Trend Micro:

The vulnerability lies in the mediaserver service, which is used by Android to index media files that are located on the Android device. This service cannot correctly process a malformed video file using the Matroska container (usually with the .mkv extension). When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system).

The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data.

This will cause the device to become totally silent and non-responsive. This means that:

  • No ring tone, text tone, or notification sounds can be heard. The user will have no idea of an incoming call/message, and cannot even accept a call. Neither party will hear each other.

  • The UI may become very slow to respond, or completely non-responsive. If the phone is locked, it cannot be unlocked.

Short of being careful and vigilant when downloading apps or visiting websites, the vulnerability will remain a potential threat until patched by Google.
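Trend Micro’s description above, an integer overflow in the parser that leads to out-of-bounds reads or writes to a NULL address, is a textbook bounds-check failure. The Go program below is an added illustration, not Trend Micro’s analysis and not Android’s mediaserver code: it parses a deliberately simplified, constructed element layout (one id byte, a four-byte big-endian size, then the payload; real Matroska/EBML framing is more involved) with two versions of the length check. The flawed one adds offset and size in a fixed-width integer, so an attacker-chosen size near 2^32 wraps the sum below the buffer length and the check passes; the hardened one compares the size against the space actually left, which cannot wrap. In Go the flawed path shows up as a slice-bounds panic, the same outcome the article reports for the service: a crash. The sample elements are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed element layout for the example (not real EBML/Matroska framing):
//   [1-byte id][4-byte big-endian payload size][payload ...]
const headerLen = 5

// unsafePayload reproduces the flawed bounds test. start+size is computed in
// uint32, so a size close to 2^32 wraps to a small number, "end > len" is
// false, and the slice expression then fails. The buffer is assumed < 4 GiB.
func unsafePayload(buf []byte, off uint32) ([]byte, error) {
	if off+headerLen > uint32(len(buf)) {
		return nil, errors.New("truncated header")
	}
	size := binary.BigEndian.Uint32(buf[off+1:])
	start := off + headerLen
	end := start + size // wraps around when size is near 2^32
	if end > uint32(len(buf)) {
		return nil, errors.New("payload out of range")
	}
	return buf[start:end], nil // panics when end wrapped below start
}

// safePayload checks the claimed size against the bytes that remain after the
// header. Because start <= len(buf) is established first, len-start cannot
// underflow and size <= len-start guarantees start+size <= len without wrapping.
func safePayload(buf []byte, off uint32) ([]byte, error) {
	n := uint32(len(buf))
	if off > n || n-off < headerLen {
		return nil, errors.New("truncated header")
	}
	size := binary.BigEndian.Uint32(buf[off+1:])
	start := off + headerLen
	if size > n-start {
		return nil, errors.New("payload out of range")
	}
	return buf[start : start+size], nil
}

// tryUnsafe runs the flawed parser and reports whether it crashed instead of
// rejecting the input, mirroring the service crash described in the article.
func tryUnsafe(buf []byte) (crashed bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			crashed = true
			err = fmt.Errorf("parser crashed: %v", r)
		}
	}()
	_, err = unsafePayload(buf, 0)
	return
}

// benignSample: id 0xA3, size 4, payload "abcd" (constructed).
func benignSample() []byte {
	return []byte{0xA3, 0x00, 0x00, 0x00, 0x04, 'a', 'b', 'c', 'd'}
}

// maliciousSample: same bytes but the size field claims 0xFFFFFFFC, so
// start(5)+size wraps to 1 in uint32 arithmetic (constructed).
func maliciousSample() []byte {
	return []byte{0xA3, 0xFF, 0xFF, 0xFF, 0xFC, 'a', 'b', 'c', 'd'}
}

func main() {
	for name, sample := range map[string][]byte{"benign": benignSample(), "malicious": maliciousSample()} {
		crashed, err := tryUnsafe(sample)
		fmt.Printf("%-9s flawed check: crashed=%v err=%v\n", name, crashed, err)
		p, err := safePayload(sample, 0)
		fmt.Printf("%-9s hardened check: payload=%q err=%v\n", name, p, err)
	}
}
```

The general rule the hardened version follows applies to any length field read from untrusted input: never test `offset + length <= total` in fixed-width arithmetic; test `offset <= total` and then `length <= total - offset`, or use a checked-add helper, so the comparison cannot be defeated by wraparound.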

Thank you Trend Micro for providing us with this information.

Image courtesy of Ausdroid.

Four New Bugs Have Been Found in Internet Explorer

I know most of you don’t even use Internet Explorer and we all know how it was humiliated throughout the years. However, since the new Microsoft Edge might be using some IE code, it’s worth pointing this out anyway.

It looks like security experts have encountered and disclosed four new vulnerabilities in Microsoft’s browser. The researchers have noted the issues through Hewlett-Packard’s Zero Day Initiative, a program which creates detection signatures and also reports them to their respective vendors.

Microsoft has already been notified; however, ZDI gives the vendor 120 days to fix the issues. So, since Microsoft is more focused on Windows 10, the issues were not resolved and only limited information about them has been released to the public. By limited information, it means that the actual code affected has not been released for the wise guys to figure out an actual working exploit.

However, one of the four exploits seems to have been disclosed in more detail. This is because at one of ZDI’s contests back in November, a hacker used the exploit and provided ZDI with the necessary information on how to take advantage of the vulnerability. If you’re curious, the exploit can be found here.

The remaining vulnerabilities are just theoretical at this point, but Microsoft should look into patching them as soon as possible before someone else manages to find a way to exploit them further.

Thank you PCWorld for providing us with this information.