April 23, 2014

Apple updates OS X, iOS, Apple TV and AirPort

Apple-logoApple has released a slew of updates for several of its key platforms to fix a range of security issues including some related to the OpenSSL HeartBleed bug. According to the release notes for AirPort Base Station Firmware Update 7.7.3, the new software contains a fix for an out-of-bounds memory issue in the OpenSSL library when handling TLS heartbeat extension packets (i.e. the HeartBleed bug). Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected.

For iOS, Apple TV and OS X, Apple also released a set of patches one of which also applies to sessions protected by SSL. Known as a “triple handshake” attack, it was possible for an attacker to create two connections using the same keys and handshake. As a result an attacker could insert data into one connection and renegotiate so that the connections are forwarded to each other. To work around this scenario Apple has changed the SSL renegotiation code so that  the same server certificate needs to be presented as in the original connection.

The update to OS X is called Security Update 2014-002 and has various changes for  OS X 10.7 Lion, OS X 10.8 Mountain Lion and OS X 10.9 Mavericks. The changes are as follows:

  • Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie.
  • A format string issue existed in the CoreServicesUIAgent’s handling of URLs.
  • A buffer underflow existed in the handling of fonts in PDF files.
  • A reachable abort existed in the Heimdal Kerberos’ handling of ASN.1 data. This meant that a remote attacker could cause a denial of service.
  • A buffer overflow issue existed in ImageIO’s handling of JPEG images.
  • A validation issue existed in the Intel Graphics Driver’s handling of a pointer from userspace. As a result a malicious application could take control of the system.
  • A set of kernel pointers stored in an IOKit object could be retrieved from userland.
  • A kernel pointer stored in a XNU object could be retrieved from userland.
  • If a key was pressed or the trackpad touched just after the lid was closed, the system might have tried to wake up while going to sleep, which would have caused the screen to be unlocked. This issue was addressed by ignoring keypresses while going to sleep.
  • An integer overflow issue existed in LibYAML’s handling of YAML tags as used by Ruby.
  • A heap-based buffer overflow issue existed in Ruby when converting a string to a floating point value.
  • WindowServer sessions could be created by sandboxed applications.

Apple has also updated iOS 7 with the release of iOS 7.1.1. It patches the same Set-Cookie HTTP headers bug as found in OS X plus it updates WebKit (the HTML rendering engine used by mobile Safari) to fix a number of issues, many of which were found by Google (for its Chrome browser). The new Apple TV 6.1.1 firmware has the same changes as iOS 7.1.1 and addresses the Set-Cookie HTTP headers bug and also patches WebKit.

You can get more information on Apple’s security updates here: http://support.apple.com/kb/HT1222

NSA denies it knew about Heartbleed, says it is in the national interest for it to disclose vulnerabilities

odniIt looks like the ramifications of the Heartbleed bug in OpenSSL will be felt for quite a while to come. While security analysts are asking if the NSA had prior knowledge of the bug, cyber criminals are at work stealing data from sites which haven’t patched their servers and changed their SSL certificates. The Canadian Revenue Agency has said that the Heartbleed bug was the reason why an attacker was able to steal 900 social insurance numbers, and British parenting website Mumsnet said that username and password data used to authenticate users during log in was accessed before the site was able to patch its servers.

As for the NSA, the Director of National Intelligence has issued a statement saying that the NSA was not aware of the Heartbleed vulnerability until it was made public. The statement went on to say that the Federal government relies on OpenSSL the same as everyone else to protect the privacy of users of government websites and other online services.

However, what is even more important is that the statement categorically says that had the NSA, or any other of the agencies and organizations which make up the U.S. intelligence community, found the bug they would have reported it to the OpenSSL project.

“If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,” said the statement issued by the ODNI Public Affairs Office. The statement also said that when Federal agencies discover a new vulnerability “it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.”

The Office of the Director of National Intelligence also said that in response to the President’s Review Group on Intelligence and Communications Technologies report that it had reinvigorated an interagency process for deciding when to share vulnerabilities.  According to the report, “The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of  encryption technology for data in transit, at rest, in the cloud, and in storage.” Such a statement is important following the accusations that the NSA tried (and succeeded) in weakening certain encryption standards.

The report also says that, “US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks. In  rare instances, US policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments.”

This “rare” use of zero-day vulnerabilities was reiterated by the ODIN statement. “Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.”

Heartbleed bug exposes OpenSSL’s secrets, patches available

heartbleedA serious security bug has been found in the ubiquitous OpenSSL encryption library that allows data to be stolen in its unencrypted form. According to the heartbleed.com website, which was set up expressly to inform system admins about the potential dangers, the Heartbleed bug can be exploited from the Internet and it allows an attacker to read up to 64k of the server’s memory at one time. By reading the memory an attacker can gain access to “the secret keys used to identify the service providers and to encrypt the traffic” along with “the names and passwords of the users and the actual content.” It means that attackers can eavesdrop communications that should have been otherwise encrypted.

A patched version of OpenSSL has already been published. According to the release notes, “a missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory” on a connected client or server. The OpenSSL project publicly thanked Neel Mehta of Google Security for discovering this bug and Adam Langley with Bodo Moeller for preparing the fix. It is recommended that all OpenSSL 1.0.1 users should upgrade to OpenSSL 1.0.1g. Those unable to immediately upgrade should recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. OpenSSL 1.0.0 and OpenSSL 0.9.8 are not vulnerable.

Heartbleed isn’t a design flaw in the SSL/TLS protocol specification but rather a bug in OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520).

Because the bug can expose the keys used for encrypting the connection, attackers are able to decrypt any past and future traffic to the encrypted connection since the primary keys have been exposed. Unfortunately to remedy the problem, not only does the server require patching but all the compromised keys need to be revoked and new keys reissued. It also means that users who have used an encrypted service (say a web mail service, online shopping or cloud service) will need to change their passwords as potentially the connection used to log in was not secure.

One very worrying aspect of this bug is not only the widespread use of OpenSSL, but also that the first vulnerable version was published two years ago. If this bug has been previously found (but not disclosed) by cyber criminals or government run security agencies then the last two years worth of encrypted traffic should be deemed as exposed. Even if it wasn’t found but the traffic was recorded then there are probably lots of state level agencies working right now to siphon off keys from around the net before things are revoked and changed.

Another NSA backdoor found in RSA’s products

rsa-squareAccording to research performed by a group of professors from Johns Hopkins, the University of Wisconsin and the University of Illinois, the security company RSA used a second security tool developed by the NSA which reduced the time needed to crack secure Internet communications.

At the end of last year is was revealed that the NSA paid RSA $10 million to use the Dual Elliptic Curve random number generator in its products. It has since come to light that the Dual Elliptic Curve algorithm had a built-in flaw which made it easier for the NSA to decrypt data that was encrypted with a random number generated by the Dual Elliptic Curve generator.

According to research seen by Reuters, the team of academic researchers have discovered that a second NSA tool, known as the “Extended Random” extension for secure websites, could reduce the time needed to crack a version of RSA’s Dual Elliptic Curve software by tens of thousands of times.

The company is reported to have told Reuters that it had not intentionally weakened security on any product and noted that Extended Random was not widely adopted. RSA also said that the Extended Random functionality has been removed from its software.

“We could have been more skeptical of NSA’s intentions,” said RSA Chief Technologist Sam Curry. “We trusted them because they are charged with security for the U.S. government and U.S. critical infrastructure.”

The researchers were able to demonstrate the weakness of the Dual Elliptic Curve random number generator by decrypting TLS connections made using the RSA Share library in several seconds.

Following the release of documents by former NSA contractor Edward Snowden, a presidential advisory group reported that the NSA’s practice of subverting cryptography standards should stop.

The possibility of a back door in the Dual Elliptic Curve random number generator was first mooted back in 2007. Recent research shows that when the NSA’s default parameters are replaced with new values, the current popular cryptography libraries are still vulnerable. According to the report’s authors, “The RSA BSAFE implementations of TLS make the Dual EC back door particularly easy to exploit compared to the other libraries we analyzed. ”

The research concludes that the Extended Random extension allows a client to request longer TLS random numbers from the server, a feature that, if it enabled, would speed up the Dual EC attack by a factor of up to 65,000.

Microsoft releases details of zero-day vulnerability in Word

Microsoft has published information about a new zero-day vulnerability in its Word product. There is a real-world exploit for the vulnerability and it is currently being exploited in the wild. Microsoft says it is “aware of limited, targeted attacks directed at Microsoft Word 2010.”

According to Microsoft’s Dustin Childs, the vulnerability can be exploited by an attacker and allow “remote code execution if someone was convinced to open a specially crafted Rich Text Format (RTF) file or a specially crafted mail in Microsoft Outlook while using Microsoft Word as the email viewer.”

Microsoft-Word-LogoMicrosoft’s immediate response has been to publish a one-click Fix it  which basically disables support for RTF in Microsoft Word. Although Microsoft wants to “encourage all customers using Microsoft Word” to apply the Fix it, disabling RTF support could be troublesome for those who rely on this document format.

The vulnerability, which was reported to Microsoft by members of the Google Security Team, can be exploited via email or via the web. In the email scenario, the attacker sends a specially crafted RTF document as the contents of the message. The vulnerability is exploited when the message is previewed or opened in Outlook where Microsoft Word is the email viewer. An attacker could also exploit the vulnerability by sending a specially crafted RTF document as an attachment. In the web scenario, the attacker would need to trick the user into downloading the document and then opening it.

This remote code execution vulnerability exists because of bugs in the way that Word parses maliciously crafted RTF documents. The bugs cause a memory corruption and give the attacker a way to execute arbitrary code. The vulnerability can also be exploited through Microsoft Outlook if Word is used as the email viewer, which it is by default in Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013.

Microsoft is working on a full fix but it isn’t known if the Redmond company will be able to develop and test the fix by April 8th, the date of the company’s next Patch Tuesday. Patch Tuesday is the name given to Microsoft’s monthly security updates which patch Microsoft’s products to fix security issues.

Interestingly, support for Office 2003 ends April 8th and Microsoft has included Word 2003 Service Pack 3 in its list of affected products. If Microsoft doesn’t manage to release a full patch by April 8th then Office 2003 could remain vulnerable without any hope of a solution. Even if Microsoft does release a patch now, this incident highlights the dangers of using Microsoft products which have reached their end-of-life.

IBM says no NSA backdoors in its products

SP-robert_weber-230x300In an open letter written published on the web, IBM has confirmed that it does not include any NSA “backdoors” in its products. The letter written by Robert C. Weber, an IBM Senior Vice President, is IBM’s latest assurance to its clients following the months of revelations about the US government’s spying activities. As a result of the documents leaked by Edward Snowden, various US technology companies have come under pressure to reveal if they have been working with the NSA.

The IBM letter states that the technology giant has not provided client data to the NSA or any other government agency. Specifically it states that:

  • IBM has not provided client data to the National Security Agency (NSA) or any other government agency under the program known as PRISM.
  • IBM has not provided client data to the NSA or any other government agency under any surveillance program involving the bulk collection of content or metadata.
  • IBM has not provided client data stored outside the United States to the U.S. government under a national security order, such as a FISA order or a National Security Letter.
  • IBM does not put “backdoors” in its products for the NSA or any other government agency, nor does IBM provide software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data.
  • IBM has and will continue to comply with the local laws, including data privacy laws, in all countries in which it operates.

“Given the global discussion about data security and privacy, we wanted to communicate our view on these issues,” wrote Weber. “It has long been our (and our clients’) expectation that if a government did have an interest in our clients’ data, the government would approach that client, not IBM.”

In reiterating its commitment to its customers, the letter states several times that IBM would challenge the any orders served on it by the NSA for data, stored inside or outside the USA, through judicial action or other means.

The letter also calls for the U.S. government to enter into a robust debate on surveillance reforms, including new transparency provisions that would allow the public to better understand the scope of intelligence programs and the data collected. It also goes on to say that no government should subvert commercial technologies, such as encryption, that are intended to protect business data.

Apple fixes security vulnerabilities with release of iOS 7.1 and Apple TV 6.1

iosApple has released a new version of its popular iOS platform for the iPhone 4 and later, the iPod touch (5th generation) and later, and iPad 2 and later. It has also released a new version of the Apple TV platform for Apple TV 2nd generation units and later.

iOS 7.1 adds a range of new features  but crucially it also fixes a wide variety of security issues including fixes to the WebKit HTML rendering engine used by Safari. In a ironic twist Apple has credited four of the fixes to the evad3rs jailbreak team. According to Apple the following fixes were made to tackle the jailbreakers techniques:

  • A symbolic link in a backup would be restored, allowing subsequent operations during the restore to write to the rest of the filesystem. This issue was addressed by checking for symbolic links during the restore process. CVE-2013-5133 : evad3rs
  • CrashHouseKeeping followed symbolic links while changing permissions on files. This issue was addressed by not following symbolic links when changing permissions on files. CVE-2014-1272 : evad3rs
  • Text relocation instructions in dynamic libraries may be loaded by dyld without code signature validation. This issue was addressed by ignoring text relocation instructions. CVE-2014-1273 : evad3rs
  • An out of bounds memory access issue existed in the ARM ptmx_get_ioctl function. This issue was addressed through improved bounds checking. CVE-2014-1278 : evad3rs

The oldest bug fixed was CVE-2012-2088 which was fixed in OS X in March 2013. Because of a buffer overflow in libtiff’s handling of TIFF images, viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution. This issue was fix through additional validation of TIFF images. Other fixed bugs which could lead to arbitrary code execution include: a buffer overflow that existed in the handling of JPEG2000 images in PDF files, CVE-2014-1275 : Felix Groebert of the Google Security Team; a double free issue that existed in the handling of Microsoft Word documents, CVE-2014-1252 : Felix Groebert of the Google Security Team; and a memory corruption issue that existed in the handling of USB messages, CVE-2014-1287 : Andy Davis of NCC Group.

Apple has posted a document online describing the full security content of iOS 7.1.

Apple TV

Simultaneously with the iOS 7.1 release, Apple also released Apple TV 6.1. Many of the same bugs are addressed including three by the evad3rs jailbreak team along with the other arbitrary code execution vulnerabilities. One specific Apple TV vulnerability allowed an attacker with access to an Apple TV to access sensitive user information from the log files. The problem was that this sensitive user information was being logged by the system. This issue was fixed by altering the logging output.

Apple’s website contains more information about the security content of Apple TV 6.1.

300,000 home routers and modems hacked

network leds on routerNew research by Team Cymru’s Threat Intelligence Group has discovered that attackers have been changing the DNS settings on thousands of consumer level small office and home routers. By changing the DNS settings the attackers are able to redirect the victims DNS requests to any desired site and effectively conduct a Man-in-the-Middle attack.

The biggest risk is for those accessing financial sites. In this situation the compromised routers can redirect traffic to a fake websites and captures user’s login credentials. It would also be possible for the attackers to  inject their own adverts into web pages people visit or change  search results .

The team started its  investigation in January 2014 and to date it has  identified over 300,000 devices, mostly in Asia and Europe, that have been compromised. Once a device has been hacked the DNS settings are changed to and It seems that the majority of the affected routers are in Vietnam, however other affected countries include  India, Italy and Thailand.

“Many cyber crime participants have become used to purchasing bots, exploit servers, and other infrastructure as managed services from other criminals,” wrote the report authors. “We expect that these market forces will drive advances in the exploitation of embedded systems as they have done for the exploitation of PCs.”

Unfortunately more than one manufacturer’s router seem to be vulnerable to the attacks and the hackers are using multiple exploit techniques.  The research has not uncovered any new, or previously unknown vulnerabilities. Instead the report shows that the techniques and vulnerabilities observed have been in the public domain for well over a year.

The two DNS servers listed belong to a hosting company in south London. The BBC has contacted the company but has yet to receive a response. Team Cymru has contacted the relevant law enforcement agencies about the attack and informed the ISPs which have the bulk of the compromised customers.


Researchers reckon that there could be as many as three major security breaches per month

Processed by: Helicon Filter;As part of the B-Sides San Francisco security conference, Verizon Risk researchers Kevin Thompson and Suzanne Widup have presented findings about the number of major data breaches that could be occurring each month. By “major” the two researchers mean any security breach where more than 1,000,000 records are stolen. If their findings are accurate that means that up to 3 million records are stolen each and every month!

The findings were presented as part of the pair’s “Ripped from the headlines, what the news tells us about information security incidents” talk.  As part of their research Thompson and Widup have been investigating the data breach numbers since May of last year. Using a combination of  Verizon’s Data Breach Investigations Report and the open-source Veris Community Database the pair compiled over 3,000 data sets from sources including news articles, the Attorney General’s website, government breach tools and Freedom of Information Act requests.

Although the data set isn’t perfect and the research is continuing, one thing is clear, the number of major data breaches is much higher than previously thought. The number of three major data breaches per month was reached using data from 2011 to 2013 coupled with Poisson Distribution theory – a mathematical tool which expresses the probability of a given number of events occurring in a fixed interval of time.

At the end of last year Trend Micro predicted that “we will see one major data breach incident each month in 2014.” However the new number is triple that amount. “When I saw Trend Micro’s prediction I thought it was pretty high,” said Thompson. “But the estimate is actually pretty low right now.”

Thompson told SCMagazineUK.com that the actual figure was 3.07 and that 2010 was not included as data breaches were not as widely reported at the time. Verizon’s data is available on Github and the researchers are actively seeking for data to help with the research.

Forbes and Kickstarter breached in separate attacks

forbesHackers have recently breached two high profile sites and user credentials have been stolen. Forbes announced on its Facebook page that it was “targeted in a digital attack” and that the site was “compromised.” The result was that the hackers stole over 1 million account records. At around the same time Kickstarter also posted a blog entry reporting “that hackers had sought and gained unauthorized access” to some of its customers’ data.

The attack on Forbes.com seems to have been carried out by the Syrian Electronic Army (SEA). The hacktivists subsequently published a database of email addresses and passwords for 1,071,963 accounts. Forbes says that the passwords were encrypted, however the site “strongly encourage Forbes.com readers to change their passwords.” The disclosure notification went on to say, “The email address for anyone registered with Forbes.com has been exposed. Please be wary of emails that purport to come from Forbes, as the list of email addresses may be used in phishing attacks.”

Kickstarter found out about the breach to its systems when law enforcement officials contacted it and pointed out what the hackers had been doing. According to Kickstarter, “No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.”

However user account information including usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords were accessed. Kickstarter doesn’t actually say if it used a salt for its password encryption, however it does state that users should change their password as it is possible that “a malicious person with enough computing power” could guess and crack an encrypted password, particularly a weak or obvious one.

It looks as Forbes.com may have used the Portable PHP password hashing framework (phpass) and according to Sophos that means the passwords where hashed using a 6 byte random salt and 8192 iterations of the MD5 hash. The repeated use of the MD5 hash is there intentionally to stretch out the computation time needed for a brute force attack.

As is the norm, both sites are sorry and apologize for what happened and everyone is promising to tighten up security.