Vulnerabilities in JSON Web Token Libraries

A vulnerability has been found in numerous JSON web token libraries across multiple languages. The vulnerability allows malicious users to bypass the token’s verification step by manipulating the algorithm and payload fields within the token. By manipulating the algorithm field a user can choose how the server will verify the token. By obtaining the server’s public key and abusing the ability to choose which algorithm is employed to verify a token, a user can ensure that the token they supply will be verified.

The author of the article suggests that libraries should implement an algorithm field in their verification functions. The server knows which algorithm it is using and should only accept tokens using a matching algorithm since there is no reason the user should be supplying which algorithm to use.

-Ryan Bega

Sources:

https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/

Puush Comes to Shove

On March 29, 2015 between 2:51 and 5:41 PM EST, a counterfeit update for the application Puush was used as a medium for installing malware. Puush, a small-scale service for sharing screenshots, quickly reacted to the issue by shutting down their servers and urging users to halt the program. Within a few hours they had restored service, along with a patch to detect and remove malware from affected machines. They also published a stand-alone cleaner for those who did not wish to reinstall the application.

The investigation is ongoing, but so far it appears that Puush’s main web server was compromised, allowing the attacker to supply the corrupted version to the application’s auto-update service. To the best of their knowledge, the attacker did not disturb any databases or files used by the application. Passwords on the Puush server were stored salted and hashed and should be secure. Analysis of the malware itself shows that it may be able to collect passwords from the local machine, but sandbox testing had not shown any attempts to write to an outside destination. Nonetheless, Puush urges all users to update vital passwords immediately, and are posting more information as it becomes available.

– Jacob Ryder

Sources:

https://twitter.com/puushme

http://puushstatus.tumblr.com/

http://www.zdnet.com/article/puush-calls-for-password-change-after-malware-hit/

Car Manufacturers need to beef up their security

Cars have been improved drastically in a short period of time to assist drivers in dozens of areas as well as add conveniences. As more functions were added electronic systems were developed to control these systems as well as run diagnostics. The system adopted by most manufactures is called CAN (Controller Area Network). Just about every car post 2008 has this installed, some cars having upward of 30+ controllers controlling everything from anti-lock braking systems to windows. The reason it was developed is that is very cheap, but has features of more advanced protocols such as ethernet. Of course with new technology comes new dangers. This network created in cars is a trusted network, meaning if you can get connected to it, you have complete access to all the CAN traffic.

CAN is operated on packets like any other network protocol, the packet is setup as such: 11 or 29 bit identifier, 4 bit data length info, max 8 bytes of data. This simple format can be decoded using CAN databases to intercept and decipher packets information, which can be helpful as it is used to diagnose car’s systems, but can also be used to send messages of your own. This is where the problem arises, being able to send your own message could be extremely dangerous. In the video above the annoyances are demonstrated, such as making the car believe it is in a crash and tightening seatbelts, honking the horn, making the fuel seem empty/full, changing the odometer speed, or making the “service soon” light turn on. It could also be used more dangerously such as making the car believe it is still, and turning on automatic parallel parking which will suddenly jerk the car at high speeds, or disabling the breaks.

The video with the speaker above was published in 2014, but just recently he has developed an open source 60$ piece of equipment that can be plugged into the CAN network and send messages.

As of right now, the risk is low as the network is strictly wired, meaning the attacker would have to be inside your car, but we should take caution with security now as the future may hold more open networks. Insurance companies currently want to implement dongles on cars to see how safe or unsafe their customers are driving, and adjusting their rates accordingly. This dongle could possibly communicate via satellite or other wireless means to tell the insurance companies of the driver’s driving style.

Another note is autonomous cars are in the near future as tesla is about to release a new car on the market capable of driving on inner state highways by itself. This raises a huge concern in security, will these cars talk to other cars? Will the CAN systems now have wireless components, if so will they be secured? The speaker has worked for Tesla and mentioned all Tesla’s firmware was created in house under surveillance by a security team, but will that be enough.

-Steven Masley

Sources: Includes a presentation on CAN, a demo of the attacks, as well as the cheap device created by the speaker.

http://www.forbes.com/sites/thomasbrewster/2015/03/25/hack-a-car-for-60-dollars/

Presentation: https://www.youtube.com/watch?v=qPIscmaIt8U

Demo: https://www.youtube.com/watch?v=oqe6S6m73Zw

http://www.huffingtonpost.com/2015/03/28/tesla-self-driving-cars_n_6961922.html

China Attacks GitHub

The Chinese government has long used a set of Internet filters known as the Great Firewall as a barrier to prevent its citizens from accessing foreign websites that it deems threatening. Though, in recent attacks, it appears as though China is using the Great Firewall as a weapon, diverting the torrents of Internet traffic flow to overload targeted websites.

China is taking advantage of its largest search company, Baidu, by hijacking their ads and analytic traffic and sending that traffic to targeted websites in a distributed denial of service attack (DDOS).

The target of the recent barrage is GitHub, the popular website that acts as a repository of code for programmers alike. While GitHub is a great resource for tech companies in China, it also hosts several libraries that enable users to view sites blocked in China. Because GitHub is fully encrypted, China’s filters can’t distinguish between what GitHub pages they deem useful to programmers and code that violates their strict censorship laws. Their solution; DDOS GitHub until they remove the pages they see as a threat. In this case, two pages, one with code from GreatFire.org – a nonprofit that runs mirrors of blocked sites like Google – and another that hosts links to mirror sites of the Chinese version of The New York Times.

The DDOS attack began last Thursday and it forced GitHub staff to rally and attempt to ease access problems. GitHub said that the attack is the largest they’ve ever seen, and that it featured “sophisticated new techniques that use the web browsers of unsuspecting, uninvolved people to flood GitHub with high levels of traffic.” In particular, because the traffic comes from real users scattered across the globe, it is hard to sort the real traffic from the fake.

The United States has reacted strongly to DDOS attacks by Iran in the past. It will be interesting to see if the Obama administration will increase pressure and enact stricter penalties on China if these acts continue.

David Durst

http://www.cnet.com/news/hackers-hit-hard-at-popular-coding-site-github/

Hackers Use an Android App for Sex Extortion

Trend Micro, a cybersecurity firm based in Texas, has discovered an Android app that hackers are using to extort victims.

The app would essentially turn a victim’s device into a recorder, and intercept all messages and phone calls that went through. First, the hackers would attempt to lure their victims through the use of chatting tools like Skype. They would then fake audio and messaging issues to try and fool a potential victim into downloading a malicious Android app, which has the ability to steal phone numbers, as well as passwords and address books.

plan

Many of the hackers have used the stolen information in an attempt to extort and blackmail victims. Trend Micro traced the email, social media, and bank accounts of the Android app developers to China, and discovered that multiple bank accounts were opened for several extortion campaigns. It is believed that hackers are mostly preying on victims in China and Korea.

maliciouspackage1

maliciouspackage2

Benny Tan


Sources:

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-sextortion-in-the-far-east.pdf

http://bits.blogs.nytimes.com/2015/03/24/hackers-use-an-android-app-for-sex-extortion/?_r=0

http://timesofindia.indiatimes.com/tech/tech-news/Hackers-use-an-Android-app-for-sex-extortion/articleshow/46681750.cms