HTC Security Flaw Lets Malicious Apps Steal Wi-Fi Passwords

HTC recently acknowledged a security flaw in its handsets that allowed malicious apps to steal Wi-Fi passwords. This type of flaw could potentially allow for targeted exploitation of a company or residential network. Luckily, HTC and Google were very responsive, and a fix has already been developed and deployed. The flaw was actually discovered in September 2011, but was kept secret publicly until Google and HTC had time to address it and provide the appropriate fixes.

According to the U.S. Computer Emergency Readiness Team (US-CERT), the devices affected by the security flaw include the Desire HD, Glacier, Droid Incredible, Thunderbolt 4G, Sensation Z710e, Sensation 4G, Desire S, EVO 3D and EVO 4G.

This is a prime example of why Apple has such a strict acceptance policy for the apps that are allowed in the iTunes App Store. They monitor the code and test the apps before releasing them to the public to avoid problems. That said, there have been apps that mistakenly made their way into the store.

http://www.gadgetbox.msnbc.msn.com/technology/technolog/htc-security-flaw-lets-malicious-apps-steal-wi-fi-passwords-24096

http://blog.mywarwithentropy.com/2012/02/8021x-password-exploit-on-many-htc.html

Advanced Persistent Threats

Advanced Persistent Threat refers to a type of long-term attack that is carried out via the internet and that consistently assails the same target. These attacks are usually covert in nature and require high-level funding and resources, a characteristic consistent with that of a nation or state-sponsored group. Attacks are typically complex and detailed and target specific systems or information. The vector of attack may include any combination of previously identified vulnerabilities and new zero-day exploits and may be conveyed over many types of media.

The victims of recent APTs include the U.S. Departments of Defense and Energy, RSA Corp., Google, the Iranian Government, and Lockheed Martin. These attacks successfully compromised systems and information and went undiscovered or unhindered for some time. While there are a handful of actors, China has been responsible, directly or indirectly, for a large number of attacks that have sought data on a wide spectrum including Google source code and user data; military and defense plans and designs; intelligence data; and economic and financial information. The issue is a sensitive one because, although a significant amount of industrial and military data is being compromised, the United States can do little diplomatically with China as it lacks comprehensive proof and a means to force China to halt the attacks. Furthermore, China contends that it is also a victim and that any attacks that originate from the country are from criminals. The U.S. Government has, in cooperation with industry, investigated and tracked down the attacks and has found traces and footprints that consistently tie them to China.

The United States and its allies are not just victims of APTs, however. While they do not have the same motives and targets as China, Western powers have created and executed attacks such as Stuxnet, the intricate computer worm that destroyed centrifuges in Iranian nuclear enrichment facilities. It was for this type of operation that the U.S. Government established Cyber Command to conduct the offensive and defensive functions of the nation’s cyberspace. The threat landscape has changed so drastically that cyberspace is now classified as a battlefield, and as such we must be prepared to fight in it.

Advanced Persistent Threats will continue to be an issue in the cyber domain. Due to their nature they are hard to completely defend against, and new vulnerabilities and techniques will allow for more attacks. Preventing these types of attacks requires a system of passive and active defenses that are constantly updated and reviewed for flaws and errors.

Source: http://www.washingtontimes.com/news/2011/dec/14/cyberthefts-of-vital-data-by-china-based-teams-ris/

Duqu – Stuxnet part 2?

Duqu malware is making waves in the security world at the moment. It is an attack that uses a zero-day to exploit a vulnerability in the Windows kernel; more specifically, it targets the Win32k TrueType font parsing engine. It is big news because it is a highly sophisticated attack on specific organisations that steals digital certificates, keystrokes, and other system information. While the specific organisations that have been targeted haven’t been made public, they all dealt with highly sensitive things such as industrial control systems. The infection usually began with a .doc dropper file that was emailed and socially engineered to be something that the targeted user would open.

So security experts have begun to conjecture that Duqu was developed and executed by the same people responsible for Stuxnet, the reason being that the two share a lot in common. They both exploited zero-days relating to the Windows kernel, both are signed using stolen certificates, and both have been highly sophisticated attacks directed at specific organisations. Not only does the profile of the attack match Stuxnet, but so does the source code. Where Stuxnet and Duqu start to differ is that Stuxnet was created to act autonomously while Duqu is reliant on command and control servers. Stuxnet targeted industrial machines while Duqu is attacking computer systems.

There are many features that add to Duqu’s sophisticated nature and raise it above the level of ordinary malware. One is that it is able to communicate through Server Message Block (SMB), the protocol that allows networked resources to interact. This allowed Duqu to infect systems that weren’t connected to the internet but were on a network with devices that were. On top of that, it was able to receive and transmit messages from the C&C server by transmitting the data to a computer connected to the internet and then through SMB to the device on the network that didn’t have internet access. Even the C&C servers themselves show a high level of dedication, because a unique C&C server was used for each individual attack. So far only two have been discovered, one in India and one in Belgium. To avoid detection on infected systems it uses 54×54 JPEG files as containers to store stolen data; this way the network traffic wouldn’t show important data moving around, just JPEG files. After 30 days of running on the system, Duqu deletes itself, removing any way of detecting it had been there.

So what I most likely think is that Duqu was created and used by the same people who did Stuxnet, and due to the level of sophistication and scale it was most likely a state actor, the state actor probably being a collaboration between the USA and Israel. As of right now Microsoft still hasn’t fixed the vulnerability that allows it. For most users this isn’t that big of a deal because the exact method of the zero-day isn’t known, so Duqu is the only one using it. So unless you happen to be part of a large organization, the threat and danger from Duqu is minimal.

Further reading:
http://www.informationweek.com/news/security/vulnerabilities/231902121
http://www.theregister.co.uk/2011/11/11/duqu_analysis/
http://en.wikipedia.org/wiki/Duqu


New WordPress security vulnerability through Timthumb

WordPress is a very popular blogging tool that’s used by 14.7% of Alexa’s top 1 million web pages, and it’s of course the same tool we use to write these posts on. Because of its widespread use and popularity, it finds itself coming under attack pretty frequently.

One of the more recent attacks on it exploits the PHP script for Timthumb, a tool for image cropping and resizing. The attack works by mimicking a GIF image using fake header data. This confuses intrusion detection and prevention systems by making them think it is an image file and thus ignore it. In reality, though, it is a zip carrying malicious code. The attackers then obfuscate it further by encoding it and compressing it multiple times so that it only works when decoded and uncompressed in the correct order.

The payload of this attack is usually some sort of code that opens a backdoor on the server hosting the site. From there attackers can do what they want with the server, and that usually means making it part of a botnet.

This attack also goes beyond just WordPress, because Timthumb is a common PHP script that’s used in many other applications too.

For protection against this attack, users can disable remote images or get further protection through something like Timthumb Vulnerability Scanner.
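The two posts above describe the same trick from opposite ends: the Timthumb attack wraps a zip in a fake GIF header so filters wave it through, and Duqu hides stolen data inside small JPEG files. A defender’s counter-check is to stop trusting the first few magic bytes and instead walk the file’s real structure to find where the image actually ends. The script below is an added example (not code from either post, from Timthumb, or from any Duqu analysis): it parses the GIF block structure and the JPEG segment structure, reports any bytes trailing the image, and flags zip or PHP signatures anywhere in the file. All sample inputs are constructed here; they are not real attack samples.

```python
# Added example: structural validation of a fetched image. Walks the GIF block
# structure (or JPEG segment structure) to the true end of the image, then reports
# trailing bytes and archive/script signatures. Sample inputs are constructed.
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_SIG = b"PK\x03\x04"          # local file header that starts a zip archive
PHP_TAG = b"<?php"


def _skip_sub_blocks(data, pos):
    """GIF data sub-blocks: <len><bytes>... ended by a zero-length block."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_image_end(data):
    """Walk the GIF block structure; return the offset just past the 0x3B trailer."""
    if data[:6] not in GIF_MAGICS or len(data) < 13:
        raise ValueError("not a GIF header")
    flags = data[10]
    pos = 13
    if flags & 0x80:                          # global colour table present
        pos += 3 * (2 << (flags & 0x07))      # 3 bytes per entry, 2^(N+1) entries
    while True:
        if pos >= len(data):
            raise ValueError("no trailer before end of data")
        block = data[pos]
        pos += 1
        if block == 0x3B:                     # trailer: the image really ends here
            return pos
        if block == 0x21:                     # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:                   # image descriptor (9 bytes)
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            lflags = data[pos + 8]
            pos += 9
            if lflags & 0x80:                 # local colour table present
                pos += 3 * (2 << (lflags & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)   # +1 skips LZW minimum code size
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (block, pos - 1))


def jpeg_image_end(data):
    """Walk JPEG segments through the entropy-coded data; return offset past EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG header")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                    # EOI: the image really ends here
            return pos + 2
        if marker == 0xFF:                    # fill byte
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                    # SOS: skip entropy data to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def check_image(data):
    """Report declared type, where the image really ends, and suspicious content."""
    if data[:6] in GIF_MAGICS:
        kind, end = "gif", gif_image_end(data)
    elif data[:2] == b"\xff\xd8":
        kind, end = "jpeg", jpeg_image_end(data)
    else:
        return {"kind": "unknown", "image_end": 0, "ok": False,
                "findings": ["no GIF or JPEG signature"]}
    findings = []
    if end < len(data):
        findings.append("%d trailing bytes after image end" % (len(data) - end))
    for name, sig in (("zip", ZIP_SIG), ("php", PHP_TAG)):
        off = data.find(sig)
        if off != -1:
            findings.append("%s signature at offset %d" % (name, off))
    return {"kind": kind, "image_end": end, "ok": not findings, "findings": findings}


# Constructed samples: a minimal 1x1 GIF and a skeletal JPEG, each clean and each
# with a zip local-file header (and, for the GIF, a PHP tag) appended after the trailer.
CLEAN_GIF = (b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00"
             + b"\x00\x00\x00\xff\xff\xff"                         # 2-entry colour table
             + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"
             + b"\x02" + b"\x02\x44\x01" + b"\x00" + b"\x3b")
POLYGLOT_GIF = CLEAN_GIF + ZIP_SIG + b"\x14\x00\x00\x00" + PHP_TAG + b" /* payload */ ?>"
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10" + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08" + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
POLYGLOT_JPEG = CLEAN_JPEG + ZIP_SIG + b"\x14\x00\x00\x00"

if __name__ == "__main__":
    for name, blob in (("clean gif", CLEAN_GIF), ("polyglot gif", POLYGLOT_GIF),
                       ("clean jpeg", CLEAN_JPEG), ("polyglot jpeg", POLYGLOT_JPEG)):
        print(name, check_image(blob))
```

The design point is that both parsers return an offset, not a verdict: a file whose structure ends before its last byte is the signal, regardless of what the header claims. Running it on a real image library’s output is a useful sanity check, since legitimate files from some tools do carry a few trailing bytes, which is why the report lists findings rather than silently rejecting.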

http://blog.spiderlabs.com/2011/11/wordpress-timthumb-attacks-rising.html

Facial recognition on Android 4.0 has some bugs

Android 4.0, a.k.a. Ice Cream Sandwich, has a new feature that allows you to unlock the phone using facial recognition. If you prefer security over convenience, though, you should avoid using this new feature.

As seen in a video created by a mobile blog, the face unlock feature can be fooled by showing it an image of the face used to set up the locking mechanism. You can do this by taking a picture with one phone and holding it up to another to try to fool the unlock feature.

A Google representative has stated that it is considered a low-security, experimental way of locking your phone, and the interface warns users that face unlock is less secure than a pattern, PIN, or password and that someone who looks similar to you could unlock your phone.

So this poses the question: do I use this new feature for its ease of use and convenience even though it has been shown to have weaknesses and vulnerabilities? Google has said that they have started looking into the problem and that, because Android 4.0 has not been released yet, they are still working out the experimental system.

Android facial recognition unlock

Android 4.0, also named Ice Cream Sandwich, came out with a new phone unlock feature. Rather than unlocking the phone via a PIN or password, the front-facing camera uses facial recognition software to unlock the phone when it ‘sees’ the correct face.

However, it has been pointed out that by holding up another phone with a picture of the correct person to the camera, the phone can be unlocked.

It seems like a cool feature, although it seems like it can be easily bypassed. I think a PIN or password is still the better route to go. It would be a nice feature, better implemented once the software is smart enough to detect when a picture is being held up.

The full article can be found here: http://news.cnet.com/8301-1009_3-57323508-83/digital-image-can-dupe-android-face-based-lock/?tag=txt;title


USB Hardware Keylogger with Wi-Fi

I’ve always known about hardware-based keyloggers, but until recently I had not realized how advanced they have become. To my surprise, I recently came across a Wi-Fi Premium USB Hardware Keylogger being sold online. It has a somewhat hefty price tag at $169, but it’s amazing what it can do.

Features:

  •    2 gigabytes of internal memory
  •    Automatic e-mail reports with recorded keyboard data
  •    Background connection to the Internet over a local access point
  •    Built-in time-stamping module
  •    Internal clock and battery with over 7 years lifetime guaranteed!
  •    No software or drivers required; Windows, Linux, and Mac compatible
  •    On-demand access at any time through TCP/IP over Wi-Fi
  •    Support for WEP, WPA, and WPA2 encryption
  •    Ultra compact and discreet, less than 2 inches (5 cm) long
  •    Works with any USB keyboard

Link to the Google product page

Just having 2 gigabytes of memory allows for a ton of text to be stored, probably about 1000 Word documents. The scariest thing about this keylogger is its Wi-Fi connectivity. Once deployed, the attacker wouldn’t have to worry about collecting it and has the information they need as soon as they want it. I do wonder, though, if the claim of it working with any USB keyboard is in fact true.

What do you guys think about this new breed of hardware keyloggers?

A reason to keep Windows Updated

Microsoft released a security update yesterday fixing a flaw in Windows’ handling of TCP/IP that would allow malicious code to be executed remotely through closed ports using specially crafted UDP packets.

Affected OSs include Vista, 7, and Server 2008. XP and Server 2003 were not affected by the flaw.

Source: https://technet.microsoft.com/en-us/security/bulletin/ms11-083

Someone shut off the Internet!

Someone shut off the Internet! No, I’m not kidding.

Yesterday, November 7th, 2011, the internet briefly ‘died’ for about 30 seconds. This event was witnessed by users and servers all around the U.S., in places ranging from highly populated areas such as Washington D.C., Los Angeles, San Francisco, Raleigh, N.C., Dallas, and NYC to some lesser-known locations in the Midwest.

Obviously this affected individuals worldwide. Servers and services hosted in the U.S. could no longer be reached by any client, regardless of their location.

Time Warner took responsibility for the massive outage with only a brief statement on their Twitter account.

@TWCableHelp: We appear to be recovering from a large but brief internet outage affecting most of our service areas. Please attempt to connect again.

This raises the question of how easy it would be to actually ‘turn off’ the internet if access could be gained to the systems Time Warner controls. Or, put the other way, how easy would it be to disable the systems that keep Time Warner’s customers from going offline?

Security is a huge issue here, because if Time Warner has the power to disable the internet and adjacent services, at least for the portion it controls (which is massive: it had over 36 million subscribers as of 2009), then other ISPs might potentially have the same incredible power. Could we be facing a state where a complete shutdown of the internet, à la Egypt or China, is feasible and a real threat to our freedoms as citizens?

What if an unscrupulous individual manages to take control of these systems and has an entire country’s internet at their fingertips? If a merchant like Amazon goes offline for even a few seconds, they potentially lose millions of dollars. Thirty seconds of downtime is a massive outage in any network administrator’s eyes. It is certainly unacceptable for such a large service provider conglomerate.

Sources:

  • http://www.businessinsider.com/weird-the-internet-just-died-for-about-30-seconds-around-the-country-2011-11
  • http://twitter.com/#!/TWCableHelp/status/133551519311216640
  • http://en.wikipedia.org/wiki/Time_Warner_Cable

Ethical Hackers

For those people out there who enjoy hacking but don’t want to worry about the consequences of doing something unlawful, there’s a job in it for you. An ethical hacker is someone who, rather than hacking to steal, for example, hacks when hired to find weaknesses in a company’s security.

Hacking becomes a job, and a job means making money. As an ethical hacker one has a decent pay grade. Depending on the jobs you take on as well as your experience, a person can make between $60,000 and $100,000, if not more.

In the end, being an ethical hacker is a complete win-win situation. Hacking to your heart’s content is now a possibility, plus you earn a steady income and the chances of serving time have been eliminated. If you want to hack, being an ethical hacker seems to be the way to go.

Info obtained from: http://www.nypost.com/p/news/business/jobs/what_up_with_that_job_73bcepcf42NSN1m1fRsr2I?CMP=OTC-rss&FEEDNAME=