HTC Security Flaw Lets Malicious Apps Steal Wi-Fi Passwords

HTC recently acknowledged a security flaw in its handsets that allowed malicious apps to steal Wi-Fi passwords.  This type of flaw could potentially allow for targeted exploitation of a company or residential network.  Luckily, HTC and Google were very responsive, and a fix has already been developed and deployed.  The flaw was actually discovered in September 2011 but was kept out of the public eye until Google and HTC had time to address it and provide the appropriate fixes.

According to the U.S. Computer Emergency Readiness Team (US-CERT), the devices affected by the security flaw include the Desire HD, Glacier, Droid Incredible, Thunderbolt 4G, Sensation Z710e, Sensation 4G, Desire S, EVO 3D and EVO 4G.

This is a prime example of why Apple has such a strict acceptance policy for the apps that are allowed in the iTunes App Store.  They monitor the code and test the apps before releasing them to the public to avoid problems.  That said, there have been apps that mistakenly made their way into the store.

http://www.gadgetbox.msnbc.msn.com/technology/technolog/htc-security-flaw-lets-malicious-apps-steal-wi-fi-passwords-24096

http://blog.mywarwithentropy.com/2012/02/8021x-password-exploit-on-many-htc.html

Clickjacking

Clickjacking seems to be going on a lot lately; you may have heard of it with the whole Facebook attack going on right now. Many people are victims of Clickjacking attacks, and it is a hard attack to detect. Many times it happens in the background without the user ever knowing. So what is Clickjacking? Wikipedia has a good enough description: http://en.wikipedia.org/wiki/Clickjacking

Simply put by wired.com:

Clickjacking, put simply, is when a button, image, video, or some form of embedded content on a website is overlaid by an invisible layer that sits on top of the site underneath it.

Wired.com also had a fairly good example explanation:

For instance, you may see a page with a movie embedded on it. You want to watch the movie, so you click on the play button. You don’t think twice about it — you’ve done it a million times. Meanwhile, a hacker has superimposed an invisible web page over the movie. It just so happens that a button allowing access to your camera and microphone has been placed over the movie’s play button. Now, when you think you’re playing the movie, you’re actually permitting the hacker to access your video camera and microphone.

So your click on something that isn't what it seems to be causes bad things to happen, usually without you knowing. So how do you prevent it?

Keeping your browser and Flash player up to date is the first step. Instead of repeating the rest of the information that's already on the internet, here's a link that will give you some tips:
http://howto.wired.com/wiki/Prevent_Clickjacking_Attacks#Upgrade_Flash_Player


Hopefully this information will help people who haven't heard about Clickjacking yet. For those who have, hopefully all of you, this is just a reminder to make sure you're secure.
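The wired.com example above works because the video site's page can be loaded inside an invisible frame on the attacker's page. The site-side fix is a response header that tells the browser not to allow framing. The script below is an added example (not code from the original post or from wired.com) that classifies a set of captured response headers by whether they block framing; the header names and directive semantics are the real X-Frame-Options and CSP frame-ancestors ones, and the sample header sets are constructed.

```python
"""Classify HTTP responses by the anti-framing (anti-clickjacking) protection they carry.

Added example; not code from the original post or from wired.com. The header
names and directive semantics are the real X-Frame-Options and CSP
frame-ancestors ones; the sample header sets below are constructed.
"""


def frame_ancestors(csp: str):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_protection(headers: dict) -> tuple:
    """Return (protected, mechanism, detail) for one response's header set.

    Header names are matched case-insensitively. If the CSP carries a
    frame-ancestors directive, browsers that support it ignore
    X-Frame-Options, so the CSP verdict is taken first.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors == ["'none'"]:
            return (True, "csp", "frame-ancestors 'none': nobody may frame the page")
        # A wildcard or bare scheme source lets any origin frame the page.
        if any(src in ("*", "http:", "https:") for src in ancestors):
            return (False, "csp", "frame-ancestors allows any origin: " + " ".join(ancestors))
        return (True, "csp", "frame-ancestors restricted to: " + " ".join(ancestors))
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return (True, "xfo", "X-Frame-Options " + xfo)
    if xfo.startswith("ALLOW-FROM"):
        # ALLOW-FROM is obsolete and ignored by most browsers, so it cannot be relied on.
        return (False, "xfo", "X-Frame-Options ALLOW-FROM is not honoured by most browsers")
    return (False, "none", "no X-Frame-Options or CSP frame-ancestors header")


def audit(responses: dict) -> dict:
    """Map each named response to True/False depending on whether framing is blocked."""
    return {name: framing_protection(hdrs)[0] for name, hdrs in responses.items()}


# Headers a site would send to stop its pages being framed (both, for older browsers).
RECOMMENDED_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

# Constructed sample responses, as if captured from the video page in the example above.
SAMPLE_RESPONSES = {
    "video_page_no_headers": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "xfo_sameorigin_lowercase": {"x-frame-options": "sameorigin"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "csp_wildcard_overrides_xfo": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors *",
    },
    "recommended": RECOMMENDED_HEADERS,
}

if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        protected, mechanism, detail = framing_protection(headers)
        print(f"{name:28} {'OK  ' if protected else 'WEAK'} [{mechanism}] {detail}")
```

The `csp_wildcard_overrides_xfo` sample is the case worth remembering: a permissive `frame-ancestors` silently cancels a `DENY` in browsers that implement CSP, so the two headers have to agree.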

Duqu – Stuxnet part 2?

Duqu malware is making waves in the security world at the moment. It is an attack that uses a zero-day to exploit a vulnerability in the Windows kernel; more specifically, it targets the Win32k TrueType font parsing engine. It is big news because it is a highly sophisticated attack on specific organisations that steals digital certificates, keystrokes, and other system information. While the specific organisations that have been targeted haven't been made public, they all dealt with highly sensitive things such as industrial control systems. The infection usually began with a .doc dropper file that was emailed and socially engineered to be something that the targeted user would open.

So security experts have begun to conjecture that Duqu was developed and executed by the same people responsible for Stuxnet, the reason being that the two share a lot in common. They both exploited zero-days relating to the Windows kernel, both are signed using stolen certificates, and both have been highly sophisticated attacks directed at specific organisations. Not only does the profile of the attack match Stuxnet, but so does the source code. Where Stuxnet and Duqu start to differ is that Stuxnet was created to act autonomously while Duqu relies on command and control servers. Stuxnet targeted industrial machines while Duqu is attacking computer systems.

There are many features that add to Duqu's sophisticated nature and raise it above the level of ordinary malware. One is that it is able to communicate through server message blocks (SMB), the protocol that allows networked resources to interact. This allowed Duqu to infect systems that weren't connected to the internet but were on a network with devices that were. On top of that, it was able to receive and transmit messages from the C&C server by relaying the data through a computer connected to the internet and then over SMB to the device on the network that didn't have internet access. Even the C&C servers themselves show a high level of dedication, because a unique C&C server was used for each individual attack. So far only two have been discovered, one in India and one in Belgium. To avoid detection on infected systems it uses 54×54 JPEG files as containers to store stolen data. This way the network traffic wouldn't show important data moving around, just JPEG files. After 30 days of running on the system, Duqu deletes itself, hiding any way of detecting it had been there.

So what I think most likely is that Duqu was created and used by the same people who did Stuxnet, and due to the level of sophistication and scale it was most likely a state actor, probably a collaboration between the USA and Israel. As of right now Microsoft still hasn't fixed the vulnerability that allows it. For most users this isn't that big of a deal because the exact method of the zero-day isn't known, so Duqu's the only one using it. So unless you happen to be part of a large organization, the threat and danger from Duqu is minimal.

Further reading:
http://www.informationweek.com/news/security/vulnerabilities/231902121
http://www.theregister.co.uk/2011/11/11/duqu_analysis/
http://en.wikipedia.org/wiki/Duqu

New WordPress security vulnerability through Timthumb

WordPress is a very popular blogging tool that is used by 14.7% of Alexa's top 1 million web pages, and it is of course the same tool we use to write these posts on. Because of its widespread use and popularity, it finds itself coming under attack pretty frequently.

One of the more recent attacks on it exploits the PHP script for Timthumb, a tool for image cropping and resizing. The attack works by mimicking a GIF image using fake header data. This confuses intrusion detection and prevention systems by making them think it is an image file and thus ignore it. In reality it is a zip carrying malicious code. The attackers then obfuscate it further by encoding it and compressing it multiple times so that it only works when decoded and uncompressed in the correct order.

The payload of this attack is usually some sort of code that opens a backdoor on the server hosting the site. From there attackers can do what they want with the server, and that usually means making it part of a botnet.
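The Timthumb attack described here (a GIF header glued onto a zip) and Duqu's use of small JPEG files as containers for stolen data (earlier post) both depend on something accepting a file as an image because its header says so. The script below is an added example, not code from the original page, from Timthumb, or from any Duqu analysis, and it does not reproduce either family's exact encoding. It applies cheap structural checks to a blob that claims to be an image: does the leading magic match the claimed type, is there a ZIP local-file header or a PHP open tag inside the bytes, and is there data after the format's end marker. Every sample file in it is constructed.

```python
"""Sanity-check files that claim to be images before trusting them.

Added example; not code from the original page, Timthumb, or any Duqu analysis.
It does not decode images; it only applies structural checks. All samples are
constructed.
"""

GIF_MAGICS = (b"GIF87a", b"GIF89a")
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"          # ZIP local file header signature
PHP_TAGS = (b"<?php", b"<?=")      # PHP open tags that have no business in an image
CONTENT_TYPES = {"image/gif": "gif", "image/jpeg": "jpeg", "image/png": "png"}


def sniff_type(data: bytes) -> str:
    """Identify the container from its leading bytes, ignoring any header claim."""
    if data.startswith(GIF_MAGICS):
        return "gif"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def trailing_bytes(data: bytes, kind: str) -> int:
    """Bytes after the last end marker (GIF trailer 0x3B, JPEG EOI FF D9).

    Heuristic: the marker bytes can also occur inside appended data, so this
    under-counts rather than over-counts. Returns -1 if no marker is present.
    """
    marker = {"gif": b"\x3b", "jpeg": b"\xff\xd9"}.get(kind)
    if marker is None:
        return 0
    pos = data.rfind(marker)
    return -1 if pos < 0 else len(data) - pos - len(marker)


def inspect_image(data: bytes, claimed: str) -> list:
    """Return sorted finding codes for a blob that claims to be `claimed` (gif/jpeg/png)."""
    findings = set()
    actual = sniff_type(data)
    if actual != claimed:
        findings.add("magic_mismatch")
    if ZIP_MAGIC in data:
        findings.add("embedded_zip")
    if any(tag in data for tag in PHP_TAGS):
        findings.add("embedded_php")
    if actual in ("gif", "jpeg"):
        tail = trailing_bytes(data, actual)
        if tail < 0:
            findings.add("missing_end_marker")
        elif tail > 0:
            findings.add("trailing_data")
    return sorted(findings)


def inspect_response(content_type: str, body: bytes) -> list:
    """Check a fetched remote image against the type its Content-Type header claims."""
    claimed = CONTENT_TYPES.get(content_type.split(";")[0].strip().lower(), "unknown")
    return inspect_image(body, claimed)


# Constructed samples (not real captures).
_JPEG_HEAD = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SAMPLES = {
    # minimal 1x1 GIF that ends with the 0x3B trailer
    "clean_gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
                 b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;",
    # GIF magic glued onto a zip header and a PHP tag, the shape of the Timthumb attack
    "fake_gif_with_zip_and_php": b"GIF89a\x01\x00\x01\x00" + ZIP_MAGIC + b"\x14\x00"
                                 + b"<?php echo 'placeholder'; ?>",
    # plain zip served with an image/gif content type: the magic does not even match
    "zip_claiming_gif": ZIP_MAGIC + b"\x14\x00\x00\x00placeholder",
    # JPEG that ends at its EOI marker
    "clean_jpeg": _JPEG_HEAD + b"\xff\xd9",
    # JPEG used as a container: bytes appended after EOI
    "jpeg_with_appended_data": _JPEG_HEAD + b"\xff\xd9" + b"constructed-appended-data",
}


def scan_samples() -> dict:
    """Run every constructed sample with the type its name claims."""
    return {name: inspect_image(blob, "jpeg" if "jpeg" in name else "gif")
            for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:28} {findings or 'clean'}")
```

The `fake_gif_with_zip_and_php` sample is the instructive one: its magic bytes pass the claimed-type check, so a filter that only looks at the header (or the Content-Type) lets it through, while the embedded-signature and end-marker checks flag it three ways.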

This attack also goes beyond just WordPress, because Timthumb is a common PHP script that's used in many other applications too.

For protection against this attack, users can disable remote images or get further protection through something like Timthumb Vulnerability Scanner.

http://blog.spiderlabs.com/2011/11/wordpress-timthumb-attacks-rising.html

Is the App store really safe?

Most people who lifted their shiny iPhones and pressed the upgrade to iOS 5 button were looking for better battery life that could get them more rounds of Angry Birds. The reality is that Apple's latest update was dealing with something a lot more important.

A week ago Accuvant LABS computer security researcher Charlie Miller uncovered a major security flaw that gives hackers a way to build apps that look and act legit but then download unapproved code to your phone. Apple has always been known for having a tight grip on its app store, and such an incident shows that no system is fully secure from hacker attacks.

Miller even demonstrated this by creating his own app that does just that, getting it fully approved by Apple, and then making a video of what the app can do. His app has now been removed and his license revoked.

Anti-anti virus malware

The FBI has arrested six eastern European hackers for infecting numerous computers across the world with a sophisticated form of malware. The group, known as the Rove Group, was actually hired and paid by advertising companies to increase traffic to specific sites. They did this by using a class of malware called DNSChanger, which redirected traffic from legitimate sites to bogus sites instead. Some of the websites were iTunes, Netflix and even NASA and the IRS. The malware worked by redirecting a user who clicked on a legitimate link to a site like iTunes to a site that pretended to sell Apple software or music.  Much like an online phishing attack, except they would not steal your identity; rather, the customer would pay them directly. Sometimes the customer would receive black-market goods or pirated software, and often they would get nothing at all. The scheme was discovered and brought down by an FBI investigation known as Operation Ghost, but not before making 14 million dollars over four years. The rest of the story is here…

http://www.fbi.gov/news/stories/2011/november/malware

Android facial recognition unlock

Android 4.0, also named Ice Cream Sandwich, came out with a new phone unlock feature. Rather than unlocking the phone via a PIN or password, the front-facing camera uses facial recognition software to unlock the phone when it ‘sees’ the correct face.

However, it has been pointed out that by holding up another phone with a picture of the correct person to the camera, the phone can be unlocked.

Seems like a cool feature, although it can apparently be easily bypassed. I think a PIN or password is still the better route to go. It would be a nicer feature, better implemented, when the software is smart enough to detect when a picture is being held up.

The full article can be found here: http://news.cnet.com/8301-1009_3-57323508-83/digital-image-can-dupe-android-face-based-lock/?tag=txt;title

A reason to keep Windows Updated

Microsoft released a security update yesterday fixing a flaw in Windows’ handling of TCP/IP that would allow malicious code to be executed remotely through closed ports using specially crafted UDP packets.

Affected OSs include Vista, 7, and Server 2008. XP and Server 2003 were not affected by the flaw.

Source: https://technet.microsoft.com/en-us/security/bulletin/ms11-083

The hacktivist group Anonymous

The hacktivist group Anonymous is described by Wikipedia as “an international hacking group, spread through the Internet, initiating active civil disobedience, while attempting to maintain anonymity”.

Recently, they have been identified as the source of denial of service attacks against the Oregon Tea Party, Sony, and the Irish political party Fine Gael.  They have also carried out attacks against the governments of Australia, Egypt, and Libya.

The group has also provided websites and support for social-political efforts like Occupy Wall Street, the Green Party movement in Iran, and the Arab Spring efforts in Egypt and Syria.  Additionally, Anonymous recently took down 40 child porn websites and published the names of 1500 people who often visited the illegal websites.

In October, parts of Anonymous took on the Los Zetas drug cartel in Mexico.  The drug cartel had kidnapped a member of Anonymous.  In response, Anonymous threatened to release the names of police and political officials who are illegally collaborating with the Los Zetas drug cartel.  We will see how Anonymous fares in this battle, since more is at stake than just lawsuits and prison time.  Los Zetas has been known to kill whistle-blowers and hacktivists in the past.

So what role do you see hacktivists playing in society?  Do they act as modern-day Robin Hoods to correct social injustices, or are they disruptive elements like Tyler Durden in “Fight Club”?

In my readings about them, it looks to me like Anonymous is more of a brand that can be placed on a hacking attack.  There does not appear to be any hierarchy or centralized managing authority, which makes it easy for nearly anyone to say that they are part of the group.  If a hacker attack is popular and successful, then the event is publicized.  Case in point is the fact that parts of Anonymous were active both for and against the war in Libya.  Anonymous members were also divided over the Westboro Baptist Church and its claim to free speech while protesting at military funerals.

Thoughts?

http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous

America will not provoke war!

This article ( http://www.wfaa.com/news/politics/Cyber-weaknesses-should-deter-US-from-waging-war–133493833.html ) explains that America is so weak against cyber attack that it would be too risky to initiate war. Many countries could hit us over the internet, a new tool of war, and have devastating effects. Even a battlefield can be harmed! If equipment just stops working, then things would turn out pretty badly. It is simply too risky for us to go to war, and we are at huge risk of being attacked. Until we can fix our internet problem, we will be at a severe disadvantage to any opposing forces.

The good news is that the network is now becoming more secure. If we manage to make our internet infrastructure more secure, then we might actually transition into a position of advantage over other, weaker networks. But for now, we are in a non-attacking position, and if we weren’t at such risk of being attacked (like an unfair cold war) then I would feel pretty happy about our forced pacifism.