Tag Archives: apple

Broken Apple SSL – WSWiR Text Edition

RSA 2014, EMET Bypass, and Broken SSL

This week I attended the 2014 RSA Security Conference, one of the biggest information security (and cryptography) conferences of the year. This was the busiest RSA Conference in the show’s history, which suggests that more and more businesses, governments, and organizations are becoming increasingly concerned about cyber security. As a side effect, the show also kept me too busy to produce my normal infosec news video. Instead, I offer a written summary of this week’s major security news and RSA stories below.

  • Apple fixes serious SSL vulnerability in their OSs – This week, Apple released security updates for iOS 6.x and 7.x, OS X, Quicktime, Safari, and Apple TV. Though these updates fix a wide swath of vulnerabilities in those forenamed products, the most astonishing fix corrects a very serious SSL/TLS vulnerability that affects the iOS and OS X operating systems (OS). SSL/TLS is designed to protect and encrypt your network communications, but this flaw allows anyone on the same network as you to intercept and read your communications in a Man-in-the-Middle attack. In short, if you use Apple products, you SSL communications have been open to interception for the last few months, making it especially scary if you joined any open Wifi networks. Apple’s updates fix the issue, and many more, so be sure to go get them. See Apple’s security update summary page for more details.
  • EMET suffers from a bypass vulnerability – EMET—short for Enhanced Mitigation Experience Toolkit—is a free Microsoft tool designed to make it harder for cyber attackers to actually exploit memory corruption type vulnerabilities. I doesn’t prevent a product from having a memory corruption flaw, rather it adds various memory protection mechanisms (like stronger Address Space Layout Randomization or ASLR) to make it harder for attackers to injection their malicious shell code into certain memory locations. It’s a tool I often recommend users install to help mitigate the risk of many vulnerabilities. Well this week, researchers at Bromium Labs proved that EMET is not bulletproof. They released a paper [PDF] showing how attackers could bypass some of EMET’s protections. Microsoft has acknowledged the flaws, and also has a new version in beta (EMET v5.0) that plugs some of the holes.
  • Academic researchers disclose the first AP virus – Researchers from a number of universities in Europe released a paper describing the first ever wireless access point (WAP) virus, which they dub Chameleon. Chameleon first tries to find unsecured wireless APs (for instance, ones using weak WEP encryption, or no encryption). Once it can access the victim AP’s wireless network, it then leverages flaws in the AP firmware to try and infect the AP with its virus. Then it continues scanning for new victim APs. As a research project, this attack was only done in a lab environment, and has never been seen in the wild. However, now that it’s out I suspect criminal hackers might copy this technique in the real world one day.
  • RSA Security Conference Summary – Here are a few of the big themes and news from this year’s RSA Conference.
    • Government and the NSA have broken our trust – In general, the buzz on the show floor was how governments around the world, especially the U.S. and the NSA, have broken our trust with their spying campaigns. While many agree that some sort of international spy agency should exist, most think the NSA has crossed the line with the amount of data they are collecting; which includes data from normal private citizens. The lack of transparency in these government cyber espionage operations has poisoned the industry’s confidence in all online security and communications, making it difficult to know what to trust. Many speakers at the conference criticized these government operations, especially when the governments in question designed malware which they released into the wild.
    • Destructive attacks get more real – In one session, researchers from CrowdStrike demonstrated a vulnerability in Apple computers that they could exploit to actually cause your device to overheat, potentially catching on fire. One of my predictions this year was to expect more destructive malware, and this example may unfortunately help that prediction come true. As an aside, other researchers at the show also demonstrated an attack against Apple iOS devices that allows malicious programs to log touch input—kind of like a keylogger for finger swipes.
    • Lots of vulnerabilities in RSA mobile app – A few weeks before the show, researchers at IOActive checked out the RSA mobile app for the 2014 conference. Turns out it suffered from six vulnerabilities that attackers could leverage to do many things, including disclose the personal information of some of the attendees, or to inject additional code into the app to phish credentials, and other bad things. Check out IOActive’s blog for more details, but it’s ironic that a security conference’s app suffers from the flaws the conference is supposed to educate against.

Well that’s all I have time for this week. However, if you’d like links to other security stories from the week, check out the extra below. I’ll return with my normal video updates next Friday.

Extras Stories:

— Corey Nachreiner, CISSP (@SecAdept)

Hackers Lose Rights – WSWiR Episode 82

PHP.Net Hijack, Rooted ReadyNAS, and Harassed “Hacker”

This week you get two Infosec videos for the price of one! Of course, free plus free is still… well, free.

Last week, I had a busy travel schedule in the Middle East and Holland, and I did not find the time to produce my weekly security news summary on Friday. And yet, there was still plenty of security news to cover, so I didn’t want to leave you hanging. Hopefully, you can still learning something interesting, even if it comes a few days late.

Last week’s much belated episode includes, news of Cheney’s cardiac defibrillator hacking scare, a PHP.net watering hole attack, yet another rooted consumer router, and a story about how just calling yourself a hacker may cost you some Constitutional rights. Watch the video below, and check the Reference section for more details.

Thanks for watching and I’ll see you again in two days, when I post this week’s video!

(Episode Runtime: 7:07)

Direct YouTube Link: http://www.youtube.com/watch?v=rqD01VqkYmI

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

IceFog APT – WSWiR Episode 79

Fake Fingerprints, IOS DoS Flaws, and IceFog APT

Are you Ready for the latest InfoSec news?

This week, I’m traveling in the windy city of Chicago, speaking at ISC²’s Security Congress Conference. As a result, I did not have time to create a full length video; but fear not. My short video quickly summarizes the five big security stories, and I’ll share a few more written details and links below:

(Episode Runtime: 2:25)

Direct YouTube Link: http://www.youtube.com/watch?v=wYkOtYFci38

  • iPhone 5s’s TouchID hacked in a few days [video] – Shortly before the iPhone 5s’ release, hackers around the world were discussing how easy it would be to hack the device’s new TouchID fingerprint scanner. In fact, some even setup a fund to reward the first to do it. Well they did not disappoint. Just a day or two after its release, researchers from the Computer Chaos Club (CCC) in Germany were successful, using old, well-known technique they have demonstrated before. Check out the video to see how easy it is.
  • Cisco releases many IOS updates, mostly to fix DoS vulnerabilities – On Wednesday, Cisco posted eight security advisories, describing many vulnerabilities in the IOS firmware used on their routing devices. Most of the vulnerabilities are denial of service (DoS) flaws. If you manage Cisco IOS devices, you should install these updates as soon as you can.
  • 200% increase in nasty extortion ransomware – ESET, an anti-virus company, reported seeing a 200% increase in a particular ransomware variant called FileCoder (or CryptoLocker by other AV companies). This nasty malware find many types of documents and images on your computer, and encrypts them using fairly strong public/private key crypto. It then asks you to pay around $300 to get your files back. So far the good guys haven’t cracked it’s encryption, and they are unlikely to do so without actually obtaining the attacker’s private key. If you do pay the ransom, the malware does seem to stick to its word, and decrypt your files. However, I don’t recommend capitulating with criminals. The malware mostly spreads via phishing emails. So if you warn your user about this, you may be able to avoid it. As an aside, a twitter follower anecdotally shared that he’s seen a Cryptolocker infection at his client’s site, which seems to confirm the potential increase in this malware campaign.
  • Kaspersky uncovers IceFog APT campaign [video] – During the week, one of our partners, Kaspersky, released details about a new APT campaign that’s targeting organizations in South Korea and Japan. The attackers seem to be a small group of very skilled hackers, who are targeting government institutes, military contractors, and telecom or satellite operators. Like most APTs of late, the attack starts with a spear-phishing email containing a documents. For more interesting details about this advanced attack campaign, see Kaspersky’s report or watch their video.
  • Criminals steal data from data brokers, and resell on the underground - A well-known security journalist, Brian Krebs, posted an in-depth story about an attack campaign against various data broker organizations. Essentially, attackers gained access to the networks of data brokers like LexisNexus and Dun & Bradstreet, and then leverage this access to loot the personal customer information these brokers collect. The criminals then resell this information on their malicious identity theft service sites. Be sure to read Krebs’ article for the full scoop.

Extra References:

— Corey Nachreiner, CISSP (@SecAdept)

Hidden Lynx – WSWiR Episode 78

NASDAQ Vulnerabilities, NASA Defacement, and Hidden Lynx

It’s that time again; when I summarize the biggest information security (Infosec) news into a short video. If you’d like to get a quick take of what’s going on in the computer security industry, this is the show for you.

This week’s episode includes a quick note on the latest software updates, a story about NASDAQ’s delayed reaction to vulnerabilities on their site, news about Brazilian hackers potentially mistaking NASA for the NSA, and the uncovering of an advanced cyber criminal gang responsible for some of the most concerning attacks over the last few years. Check out the video for the full skinny, and don’t forget to take a peek at the Reference section for links to other stories.

Have a fun weekend and a fantastic day.

(Episode Runtime: 8:37)

Direct YouTube Link: http://www.youtube.com/watch?v=V23GxAovB-w

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Blackhat 2013 – WSWiR Episode 72

Details on Femtocell hacking, Mactans, and SCADA Honeypots

This is the week of the Blackhat and Defcon security conferences; two of the biggest security research conferences of the year. So rather than quickly summarize InfoSec newslike I do most weeksI’ll share details about three of my favorite talks from this year’s Blackhat show (Defcon is going on now).

Two of my favorite presentations fill in details about stories from past episodes. Both the researchers that hacked a Verizon femtocell, and the ones that created a malicious iOS charger, shared the technical details around these attacks. Want to learn how it’s done? Watch below.

The third interesting talk centers around using honeypots to learn who are attacking our SCADA systems. While the attacker profile data shared in the presentation was interesting, I was more concerned with how the researcher profiled his attackers. Essentially, he hacked them back. His hack back technique was at best legally grey area, and at worst totally illegal. And this researcher’s actions were not the exception. I attended a few talks this year where researchers used hacking techniques to out their attacks. Perhaps the industry is adopting “strike back” after all.

In any case, if you’d like a quick glimpse of some of my favorite presentations from the show, be sure to click play below. I will also post some written summaries about the talks I attended in the next few days. Finally, though I didn’t have time to cover the regular Infosec news this week, be sure to check the Reference section for links to a few fairly important industry stories.

(Episode Runtime: 15:15)

Direct YouTube Link: https://www.youtube.com/watch?v=-xBHxQUVJnU

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Car Hacking Exposed – WSWiR Episode 71

Tor Botnets, SIM Hacking, and Pwned Prius

Blackhat and Defcon are only a few days away, so this week’s InfoSec news summary covers previews of some of the research experts plan on disclosing during next week’s security bonanza.

During this week’s episode, learn about the latest Tor-based botnets, hear how hackers can force malware through your phone’s SIM card, and see a couple researchers totally take over a Prius car with a laptop. Watch below, and check the Reference section for other interested security stories.

Show Notes: I had unexpected microphone cable problems during my recording, which I didn’t learn about until after my shoot. It caused some hum and clicks in this week’s video. I apologize for the bad audio, and will be sure to check it next week.

Also, I will be attending Blackhat next week. I still plan to post at least one video, but it may not appear at its regular time.

(Episode Runtime: 10:09)

Direct YouTube Link: https://www.youtube.com/watch?v=Pa3QsIS-TK8

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Rogue Femtocell Sniffs Cellular Data – WSWiR Episode 70

Google Glass Hijack, Steganography Backdoor, and Femtocell Hack

After a week missing-in-action due to vacation, I’m back with another news-packed InfoSec summary video for the week. If you’d like to quickly hear the highlights about the latest updates, breaches, and malware, give our weekly video a go.

In this week’s episode I cover some interesting new Mac malware, a Google Glass hijacking vulnerability, how to hide web backdoors in images, and a rogue femtocell. For all that and more, click play below; and don’t forget to check the Reference section for extras.

Have a great weekend, and stay safe online!

(Episode Runtime: 15:18)

Direct YouTube Link: https://www.youtube.com/watch?v=pjWEkd2htzQ

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Major Android Flaw Means More Trojans – WSWiR Episode 69

Snowden’s Hacker CV, Uplay Breach, and Serious Android Vulnerability

Last Thursday, US citizens celebrated our 4th of July, Independence Day holiday, which traditionally means that few workers came into the office on Friday. For that reason, I decided to hold onto last week’s InfoSec summary video until today. What better way to start the week than learning about the latest security news with a hot cup of joe.

In last week’s episode, I cover news of Snowden’s hacking credentials, the latest OS X update, a Ubisoft network breach, and a critical security vulnerability that affects 99% of Android users. For the details on those stories and more, watch our video below.

As an aside, I am taking a bit of time off at the end of the week, so I will either skip this Friday’s video, or post a short one on Monday.

(Episode Runtime: 7:21)

Direct YouTube Link: https://www.youtube.com/watch?v=DTjkmKKy-Gg

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Latest Java Update Fixes 40 Vulnerabilities (For Apple Too)

Severity: High

Summary:

  • These vulnerabilities affect: Oracle Java Runtime Environment (JRE) and Java Development Kit (JDK) 7 Update 21 and earlier, on all platforms
  • How an attacker exploits them: Typically by luring your users to a malicious web page containing specially crafted Java
  • Impact: In the worst case, an attacker can gain complete control of your computer
  • What to do: Install JRE and JDK 7 Update 25 (or Apple’s OS X update)

Exposure:

Java is a programming language (first implemented by Sun Microsystems) used most often to enhance web pages. Oracle’s Java Runtime Environment (JRE) is one of the most popular Java interpreters currently used.

Today, Oracle released a Java update to fix 40 vulnerabilities in the popular web plugin. Oracle doesn’t describe these flaws in much technical detail, but they do share a Risk Matrix, which describes the severity and impact of each flaw. In a nutshell, most of the flaws are remote code execution issues. Furthermore, Oracle assigns a dozen of them with the maxium CVSS score of ten. By enticing you to a web site with malicious content, attackers can leverage many of these flaws to execute code on your computer, with your privileges. If you are an administrator, it’s game over.

Java is very dangerous right now. Attackers are currently leveraging many Java vulnerabilities in the wild. Cyber criminals are even selling Java exploit kits on the underground market. In short, we highly recommend you apply Oracle’s Java update immediately. In fact, if you can do without Java, I suggest you remove it from your computer.

In related news, Apple has also released a Java update for OS X. Mac users should update Java as well.

Solution Path:

Oracle has released JRE and JDK Update 25 to correct these issues (as well as some legacy version updates). If you use Java, download and deploy the appropriate update immediately, or let Java’s automatic update do it for you. You’ll find more information on where to get the  updates in the Patch Table section of Oracle’s alert.

Remember, attackers have heavily targeted Java lately. If you do not need Java in your organization, I suggest you remove it.

For All WatchGuard Users:

WatchGuard XTM appliances can often help protect you from these sorts of Java vulnerability in a number of ways:

  • If you like, you can leverage our proxy policies to block Java applets. Keep in mind, this will block legitimate Java applets as well.
  • WatchGuard constantly develops AV signatures to catch wild Java exploits. If you use our Gateway AntiViris (GAV) service, it can protect you from some of these attacks.
  • WatchGuard’s IPS signature writers also develop generic Java signatures, which can block some variants of this attack.
  • WebBlocker and WatchGuard’s Reputation Enabled Defense (RED) service both can prevent you from visiting the malicious drive-by download sites that leverage this sort of vulnerability.

Despite the XTM appliance’s many protections, we still recommend you download and install the Java update to completely protect yourself from these flaws. Better yet, don’t install Java if you don’t need it.

Status:

Oracle has issued updates to correct these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)


What did you think of this alert? Let us know at lsseditor@watchguard.com.

Need help with the jargon? Try the LiveSecurity Online Glossary.

Time to Polish Your Apple: OS X & Safari Updates

Severity: High

Summary:

  • These vulnerabilities affect: Apple OS X 10.6.x-10.8.x and Safari 6.0.4 and below
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users into opening specially crafted files (often multimedia files), or visiting malicious websites
  • Impact: Various results; in the worst case, an attacker can execute code with your privileges
  • What to do: Install the appropriate OS X and Safari, or let Apple’s Software updater do it for you.

Exposure:

Yesterday, Apple released two security updates to fix many vulnerabilities in OS X and Safari (Mac version only). If you use Mac computers, you should apply these significant updates quickly. I summarize Apple’s alerts below:

Apple released an update to fix vulnerabilities in all current versions of OS X. The update patches about 33 (number based on CVE-IDs) security issues in 11 of the components that ship as part of OS X, including QuickTime, OpenSSL, and Ruby. The flaws differ in scope and impact, but the worst allow attackers to execute code with your privileges simply by enticing you into viewing a malicious file. Most of these file handling issue involve multimedia files, such as movies and pictures. If you use a Mac, you should install the update as quickly as you can. See Apple’s alert for more detail on each flaw.

WatchGuard rating: Critical

Apple also released an update to fix about 26 security flaws in Safari for Mac (Apple seems to have discontinued supporting Safari for Windows). The majority of these are memory corruption issues that attackers could exploit to run arbitrary code on your Mac, with your privileges. Of course, they’d have to lure you to a web site with malicious code in order to trigger the attack. Many of these vulnerabilities are ideal for drive-by download attacks. Again, if you have a Mac, I recommend you patch Safari, even if you don’t use it as your primary browser. See Apple’s alert for more detail.

WatchGuard rating: Critical

Solution Path:

Apple has released update for all these products. If you use Mac computers, you should download and install the updates as soon as you can, or let Apple’s Software Updater do it for you. That said, the OS X update is rather large, and will require a reboot, so plan that update accordingly.

Personally, I have not had any problems with Apple’s automatic updates, so I recommend you use the Automatic Updater to download and remind you of patches regularly, at least on your client machines (you may need to plan your OS X server updates more carefully).

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured UTM appliance can help mitigate the risk of some of these issues. That said, it cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Apple’s updates are your best solution.

Status:

Apple has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.
More alerts and articles: Log into the LiveSecurity Archive.

Follow

Get every new post delivered to your Inbox.

Join 7,376 other followers

%d bloggers like this: