HTC Security Flaw Lets Malicious Apps Steal Wi-Fi Passwords

HTC recently acknowledged a security flaw in its handsets that allowed malicious apps to steal Wi-Fi passwords.  On the affected builds, any app holding the android.permission.ACCESS_WIFI_STATE permission could read the stored Wi-Fi credentials, including 802.1X/EAP usernames and passwords, and an app that also held the INTERNET permission could send them off the device.  A flaw like this could allow targeted exploitation of a company or residential network.  Luckily, HTC and Google were responsive, and a fix has already been developed and deployed.  The bug was actually discovered in September 2011 but was kept out of the public eye until Google and HTC had time to address it and provide the appropriate fixes.

According to the U.S. Computer Emergency Readiness Team (US-CERT), the devices affected by the security flaw include the Desire HD, Glacier, Droid Incredible, Thunderbolt 4G, Sensation Z710e, Sensation 4G, Desire S, EVO 3D and EVO 4G.

This is a prime example of why Apple has such a strict acceptance policy for the apps allowed into the iTunes App Store.  Apple reviews the code and tests the apps before releasing them to the public to avoid problems.  That said, there have been apps that mistakenly made their way into the store.

http://www.gadgetbox.msnbc.msn.com/technology/technolog/htc-security-flaw-lets-malicious-apps-steal-wi-fi-passwords-24096

http://blog.mywarwithentropy.com/2012/02/8021x-password-exploit-on-many-htc.html

Fake Documents

After the Wikileaks scandal, the Department of Defense is using new software that generates fake documents that send an alert when they are opened. This would allow the DoD to provide misinformation and also to potentially see who opened the file and where they are.

Unfortunately, there seem to be a few ways around this technology. A reader could disconnect the computer from the Internet before opening files; the vendor could counter that by requiring the document to authenticate and send its alert before the contents become visible. But once the contents are on screen, the reader can simply take screenshots of the information and delete the original, and the copies carry no beacon.

For more info, see: http://www.schneier.com/blog/archives/2011/11/fake_documents.html

New WordPress security vulnerability through Timthumb

WordPress is a very popular blogging tool that's used by 14.7% of Alexa's top 1 million web pages, and it's of course the same tool we use to write these posts. Because of its widespread use and popularity, it comes under attack pretty frequently.

One of the more recent attacks exploits the PHP script TimThumb, a tool for image cropping and resizing that fetches and caches remote images. The attack works by mimicking a GIF image with fake header data: the file starts with a GIF signature, so intrusion detection and prevention systems (and naive file-type checks) treat it as an image and ignore it. In reality it is a zip carrying malicious code. The attackers obfuscate it further by encoding and compressing it multiple times, so that it only works when decoded and uncompressed in the correct order.

The payload is usually code that opens a backdoor on the server hosting the site. From there attackers can do what they want with the server, which usually means making it part of a botnet.

This attack goes beyond WordPress, because TimThumb is a common PHP script that's used in many other applications too.

For protection against this attack, site owners can disable remote images in TimThumb or get further coverage from something like Timthumb Vulnerability Scanner.
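The weak point above is a file-type check that trusts the first few bytes of a fetched file. The Go program below is an added example written for this post, not TimThumb's own PHP: it contrasts that magic-byte check with a sanitizer that fully decodes the fetched data as an image and re-encodes it from the pixels, so anything that is not image data either fails the decode or is dropped. The two samples (a GIF header followed by PHP, and a real image with PHP appended after the trailer) are constructed for the example; the PHP in them is illustrative, not the payload from the real attacks.

```go
package main

import (
	"bytes"
	"fmt"
	"image"
	"image/color"
	"image/gif"
)

// fakeGIF is a constructed stand-in for what the attackers' server returned:
// a real GIF signature plus screen descriptor (13 bytes), then PHP instead of
// image blocks. A signature-only check accepts it.
var fakeGIF = []byte("GIF89a\x01\x00\x01\x00<?php system($_GET['c']); ?>")

// looksLikeGIF is the weak check an IDS rule or naive fetcher applies:
// it trusts the six-byte signature and nothing else.
func looksLikeGIF(data []byte) bool {
	return bytes.HasPrefix(data, []byte("GIF87a")) || bytes.HasPrefix(data, []byte("GIF89a"))
}

// sanitizeGIF decodes the data as an image and re-encodes it from the pixels.
// PHP in place of image blocks makes the decode fail; data appended after the
// GIF trailer is never read and so never reaches the re-encoded output.
func sanitizeGIF(data []byte) ([]byte, error) {
	img, err := gif.Decode(bytes.NewReader(data))
	if err != nil {
		return nil, fmt.Errorf("not a decodable GIF: %w", err)
	}
	var out bytes.Buffer
	if err := gif.Encode(&out, img, nil); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// realGIF builds a small legitimate 2x2 image so the happy path runs offline.
func realGIF() []byte {
	img := image.NewPaletted(image.Rect(0, 0, 2, 2), color.Palette{color.Black, color.White})
	img.SetColorIndex(1, 1, 1)
	var buf bytes.Buffer
	if err := gif.Encode(&buf, img, nil); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// polyglotGIF is a second constructed sample: a valid image with PHP appended
// after the trailer, the shape a file takes when it must also pass a decoder.
func polyglotGIF() []byte {
	return append(realGIF(), []byte("<?php system($_GET['c']); ?>")...)
}

func main() {
	fmt.Println("fake passes magic-byte check:", looksLikeGIF(fakeGIF))
	_, err := sanitizeGIF(fakeGIF)
	fmt.Println("fake survives decode+re-encode:", err == nil)
	out, err := sanitizeGIF(polyglotGIF())
	fmt.Println("polyglot decodes:", err == nil,
		"| PHP still present after re-encode:", bytes.Contains(out, []byte("<?php")))
}
```

Re-encoding is what makes the difference: a check that only decodes would still let the polyglot through to disk intact, and a later path that serves cached files as PHP would execute the tail. Writing out only the re-encoded pixels removes the attacker's bytes regardless of how they were obfuscated.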

http://blog.spiderlabs.com/2011/11/wordpress-timthumb-attacks-rising.html

Facial recognition on Android 4.0 has some bugs

Android 4.0, a.k.a. Ice Cream Sandwich, adds a feature that lets you unlock the phone with facial recognition. If you prefer security over convenience, though, you should not use it.

As shown in a video made by a mobile blog, the face unlock feature can be fooled by showing it an image of the face used to set up the lock.  You can do this by taking a picture with one phone and holding it up to the other to fool the unlock feature.

A Google representative has stated that it is considered a low-security, experimental way of locking your phone; the interface itself warns users that face unlock is less secure than a pattern, PIN, or password and that someone who looks similar to you could unlock your phone.

So this poses the question: do I use this new feature for its ease of use and convenience even though it has been shown to have weaknesses and vulnerabilities? Google has said that they have started looking into the problem and that, because Android 4.0 has not been released yet, they are still working on the experimental system.

New Payment Method in Wal-Mart Stores

I’m sure everyone has gone to a supermarket to buy one item and had to stand in line for a long time just to pay for it. To solve this, Wal-Mart may have a solution that lets customers buy items directly in the aisle and skip waiting in line at the cash register.

Using Apple’s EasyPay feature on the iPhone 4 and 4S, customers could simply scan the bar code, enter their Apple ID, and walk out with the item. Wal-Mart is also interested in Near Field Communication (NFC), a short-range wireless technology that enables communication between nearby devices, to further enhance its payment feature.

I think the implementation of a payment system like this would be a neat change, rather than waiting in line to pay for an item. Despite its convenience, every new type of technology carries new vulnerabilities and exploits. I think it would take some time to work out the bugs with a system like that, not only for customers but for staff, who would need to recognize that a customer had actually paid for an item before leaving without going to the cash registers.

Source:
http://www.computerworld.com/s/article/9221758/Walmart_tries_new_tech_with_eye_on_consumers?taxonomyId=133&pageNumber=2

http://www.computerworld.com/s/article/9221758/Walmart_tries_new_tech_with_eye_on_consumers?taxonomyId=133&pageNumber=2

Android facial recognition unlock

Android 4.0, also named Ice Cream Sandwich, came out with a new phone unlock feature. Rather than unlocking the phone via a PIN or password, the front-facing camera uses facial recognition software to unlock the phone when it ‘sees’ the correct face.

However, it has been pointed out that by holding another phone with a picture of the correct person up to the camera, the phone can be unlocked.

It seems like a cool feature, although it can be easily bypassed. I think a PIN or password is still the better route to go. It would be a nicer feature once the software is smart enough to detect when a picture is being held up.

The full article can be found here: http://news.cnet.com/8301-1009_3-57323508-83/digital-image-can-dupe-android-face-based-lock/?tag=txt;title


CAPTCHA Defeated!

Have you ever tried to post a comment on your favorite blog or create an entry on Wikipedia and had to type in strange, distorted letters? These are called CAPTCHAs; the name stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”.

It’s an annoying system that most of us have come to hate but have had to use to block spam bots that automate tasks like account registration and comment posting.

A team of researchers defeated the system with a process called segmentation: they separate the individual letters, clean up the image through a special process, and automate reading them.

The only system that was not defeated was Google’s. Are we going to look for alternative solutions? Are the new solutions going to be even more annoying? What do you think?

Bypassing an iPad 2’s Passcode Lock

Only a few weeks ago, someone posted on this blog about the top devices that pose serious security risks to companies.  On that list was Apple’s iPad, and at first I cried bloody murder.  Apple’s application store provides a unique level of security in the device’s market that the Android market has yet to provide.

I thought it was ridiculous that some security blog would consider the iPad to be a major security risk (unrooted) just because of the number of corporations that used such devices. Of course, I was wrong.

Above is a video of how to bypass the passcode lock of an iPad 2 using a very simple ‘hack’. You only need to bring up the screen asking for the passcode, hold the lock button down until the power-off screen appears, close the Smart Cover over the screen, reopen it, and hit Cancel.

Granted, this method only gives you access to the application that was open when the device was ‘locked’.  So it could do no damage if the user had the home screen open, or horrendous damage to the user and company if the email client was open.

Apple will certainly get around to patching this security risk, but how many users won’t install the update?  How many devices could be bricked by the update?  How many other security flaws aren’t we seeing?

Vulnerabilities Found in German ‘Spying’ Trojan

A German hacker group called the Chaos Computer Club, or CCC for short, recently found vulnerabilities in a program used by German authorities to lawfully monitor the computer activity of suspected criminals.

The program was built to spy on IM activity, monitor VoIP calls, take screenshots, and log keystrokes. While analyzing it for a client, the CCC found that the control traffic between the infected computer and the authorities’ control software was sent unencrypted and unauthenticated. The group therefore concluded that a hacker with mediocre skills could take over the infected computer and upload fake data to the German authorities. It is also believed that the law enforcement IT infrastructure itself could be compromised through the control software.

What do you guys think? Should law enforcement agencies be allowed to lawfully install software on suspected criminals’ computers? It is my belief that they should be able to; however, that also makes them responsible for any back doors that may be opened. It seems like the software was just poorly written. I’m not sure if law enforcement in the States goes to the extreme of installing trojan software on suspected criminals’ computers. I would suspect that it is done in the same manner, but it is my hope that the traffic between the suspect’s computer and law enforcement’s computers is encrypted and in general better implemented. Thoughts?

Original article found here: http://news.cnet.com/8301-1009_3-20118194-83/hackers-say-german-officials-used-backdoor/?tag=txt;title

Evilgrade: Exploiting Automatic Updating

Evilgrade is a framework from Infobyte Security Research (infobytesec) that you can download and use to exploit programs whose online automatic updating is insecure. When a program you are attacking checks for an update, you intercept the request (Evilgrade relies on being in the middle of the connection, typically via DNS spoofing) and serve your own update instead. This can obviously be used to push malicious updates; Evilgrade provides the framework for crafting fake updates for various programs.

There are over 60 different modules that you can play around with including:

- Safari
- iTunes
- Quicktime
- APT
- Java
- Mirc
- Adium
- Notepadplus
- Opera
- Bsplayer
- Winamp
- Trillian
- Teamviewer
- Virtualbox
- Vmware
- Winscp
- Winupdate

For each module, there is the proper framework needed to imitate an update from that program.

The reason this works is that many programs fetch updates over plain HTTP and never check that the update was cryptographically signed by the vendor, so whoever answers the update request is believed. Preventing it requires proper authentication and validation in the update system: the client must verify a signature against a key it already trusts, not merely confirm that the download came from the expected hostname. Because these programs do none of that, they are prime targets for exploitation.

The best guidelines I found for creating a secure updater are from security researcher Dan Kaminsky. According to him, before an update is accepted, the update package must be:

- Signed.
- Signed by you.
- Signed by you, using the right EKU (Extended Key Usage)
- Signed from an unrevoked signature
- Be the same product
- Be a new version

An updater that follows all of those guidelines would be much more secure. Unfortunately, there are still many security gaps in the programs we use all the time. So next time your computer asks if you want to update a program, check whether the application’s updates require some authentication and verification. If they don’t, be careful.
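To make the checklist concrete, here is an added Go example written for this post; it is not Evilgrade’s code, Kaminsky’s code, or any real updater’s format. The client ships with a pinned set of vendor keys (the `Keys` map, standing in for a certificate store), each tagged with a usage string that plays the role of the EKU and a revocation flag. An update manifest names the key that signed it, and `Verify` walks the six steps in order, refusing at the first failure. The manifest fields, key IDs, product name and version numbers are all assumptions invented for the example; Ed25519 from Go’s standard library stands in for whatever signature scheme a real vendor uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the signed description of one update package.
// Field names are this example's own, not any real updater's format.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"`
	KeyID   string `json:"key_id"` // which pinned vendor key signed this
}

// TrustedKey is one vendor key shipped with the client. Usage stands in for
// the certificate EKU: only "code-signing" keys may sign updates.
type TrustedKey struct {
	Pub     ed25519.PublicKey
	Usage   string
	Revoked bool
}

// Verifier holds the client's pinned trust anchors and installed state.
type Verifier struct {
	Keys           map[string]TrustedKey
	Product        string
	CurrentVersion int
}

var (
	ErrUnknownKey   = errors.New("manifest names a key we do not trust")
	ErrBadSignature = errors.New("signature does not verify")
	ErrWrongUsage   = errors.New("signing key is not authorized for code signing")
	ErrRevoked      = errors.New("signing key has been revoked")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrNotNewer     = errors.New("version is not newer than the installed one")
)

// Verify applies Kaminsky's checklist in order: signed, signed by you, right
// usage, unrevoked, same product, newer version. Only a manifest that passes
// every step is returned; an Evilgrade-style forged update fails at step two.
func (v Verifier) Verify(manifestJSON, sig []byte) (*Manifest, error) {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	// Signed by you: the key must come from our pinned set, never from the
	// update itself (an attacker can always ship a key that matches their sig).
	k, ok := v.Keys[m.KeyID]
	if !ok {
		return nil, ErrUnknownKey
	}
	// Signed: check over the exact bytes received before trusting any field.
	if !ed25519.Verify(k.Pub, manifestJSON, sig) {
		return nil, ErrBadSignature
	}
	if k.Usage != "code-signing" {
		return nil, ErrWrongUsage
	}
	if k.Revoked {
		return nil, ErrRevoked
	}
	if m.Product != v.Product {
		return nil, ErrWrongProduct
	}
	if m.Version <= v.CurrentVersion {
		return nil, ErrNotNewer // also blocks replaying an old, vulnerable build
	}
	return &m, nil
}

// SignManifest is the vendor side: serialize the manifest and sign the bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	v := Verifier{
		Keys:           map[string]TrustedKey{"vendor-2011": {Pub: vendorPub, Usage: "code-signing"}},
		Product:        "notepadplus", // assumed product name, taken from the module list above
		CurrentVersion: 5,
	}
	mj, sig, _ := SignManifest(vendorPriv, Manifest{Product: "notepadplus", Version: 6, KeyID: "vendor-2011"})
	_, err := v.Verify(mj, sig)
	fmt.Println("genuine update error:", err) // nil
	// Evilgrade-style forgery: attacker's own key, but claiming our key ID.
	mj, sig, _ = SignManifest(attackerPriv, Manifest{Product: "notepadplus", Version: 7, KeyID: "vendor-2011"})
	_, err = v.Verify(mj, sig)
	fmt.Println("forged update error:", err) // signature does not verify
}
```

Note what the attacker in the middle still controls: they can refuse to answer, or replay an old genuine manifest. The signature check defeats the first Evilgrade scenario (a fabricated update), and the version comparison defeats the replay; neither check depends on where the bytes came from, which is the property a DNS spoofer cannot break.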

A video showing exactly how Evilgrade works can be found here.