December 18, 2014

Microsoft fixes 24 security vulnerabilities in December’s Patch Tuesday

Windows-Vista-command-prompt(LiveHacking.Com) – As part of December’s Patch Tuesday, Microsoft has released seven security updates, three of which Microsoft has rated Critical, while the other four are rated Important in severity. These seven patches to address 24 security vulnerabilities in Microsoft Windows, Internet Explorer (IE), Office and Exchange.

The first of the Critical patches is a cumulative update for IE. The patch resolves fourteen privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. The update applies to IE 6 to IE 11, on Windows Server 2003 to Windows 81, depending on the version of IE.

The second Critical patch applies to Microsoft Word and Microsoft Office Web Apps, to fix two privately reported vulnerabilities. The vulnerabilities could allow remote code execution if a user opens or previews a specially crafted Microsoft Word file in an affected version of Microsoft Office software.

The Critical patch resolves a privately reported vulnerability in the VBScript scripting engine in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a specially crafted website.

Microsoft has also re-released and updated two security bulletins related to Internet Explorer. The first, MS14-065, is a cumulative security update for Microsoft’s default browser, while the second relates to the browser’s built-in version of Flash. Adobe also released  a security update for Adobe Flash Player for Windows.

Sony hack shows that the company kept passwords stored in a folder called “Password”

SONY PICTURES LOGO(LiveHacking.Com) – Sony Pictures Entertainment has been hacked and it has been hacked hard. Over 40GB of data has been released on the Internet. The trove of data includes scripts and documents about salaries and film budgets. It is being described as “probably the worst corporate hack in history.” A group called Guardians of Peace, which may be affiliated with North Korea, has claimed responsibility for the cyber attack. It is thought that North Korea is upset at Sony Pictures’ new movie The Interview, which satirizes the country’s dictator Kim Jong Un.

As experts and journalists are continuing to pour over the data, one bizarre item has been found. According to Buzzfeed, the latest data dump included a folder called “Password.” In it there were 139 Word documents, Excel spreadsheets, zip files, and PDFs containing thousands of login credentials for Sony Pictures’ internal computers, social media accounts, and web services accounts. The files used very convenient naming conventions like “password list.xls” or “YouTube login passwords.xlsx.”

Among the passwords were details of SPE’s social media accounts including Facebook, YouTube, and Twitter. One thing is for sure, SPE is going to need to change a lot of passwords, and it needs to do it fast! There are also documents which contain passwords for a variety of other services including Amazon, FedEx, Lexis/Nexis, and Bloomberg.

The situation could get worse for Sony over the next few days. The hackers have indicated that this latest dump is only the start of a series of planned data dumps to the Internet. The hackers claim to have taken over 100TB of data from SPE, of which we have only seen a fraction so far.

The seriously troubling thing about this latest hack is that it isn’t the first time that Sony has been targeted. Sony Pictures Entertainment websites were breached in 2011 by a group known as LulzSec. As a result of the breach LulzSec published the names, birth dates, addresses, emails, phone numbers and passwords of thousands of people who had entered contests promoted by Sony. That breach occurred only a few weeks after Sony confirmed a breach to its PlayStation Network that exposed millions of personal user records. Then last, but not least, in 2012 hackers claimed to have accessed Sony’s servers and downloaded Michael Jackson’s entire back catalog, worth some $253 million.

Apple patches security flaws in iOS 8, OS X 10.10 and Apple TV 7

Apple-logo(LiveHacking.Com) – Apple has released new versions of three of its major software products. The new versions of iOS, OS X and Apple TV address multiple security vulnerabilities. iOS 8.1.1, which is available for the iPhone 4s and later; the iPod touch (5th generation) and later; and the iPad 2 and later; addresses nine separate vulnerabilities. Apple TV 7.0.2, which is available for Apple TV 3rd generation and later, addresses four vulnerabilities, all of which are common with the iOS release. OS X 10.10.1 patches four flaws, two of which are common with the iOS release and two which are specific to OS X.

The common fixes are as follows:

  • iOS and OS X: A privacy issue existed where browsing data could remain in the cache after leaving private browsing. (CVE-2014-4460)
  • iOS and OS X: The initial connection made by Spotlight or Safari to the Spotlight Suggestions servers included a user’s approximate location before a user entered a query. (CVE-2014-4453)
  • iOS and Apple TV: A state management issue existed in the handling of Mach-O executable files with overlapping segments. (CVE-2014-4455)
  • iOS and Apple TV: A malicious application may be able to execute arbitrary code with system privileges due to a validation issue that existed in the handling of certain metadata fields in IOSharedDataQueue objects. (CVE-2014-4461)
  • iOS and Apple TV: Due to multiple memory corruption issues in WebKit, visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. (CVE-2014-4452 and CVE-2014-4462)

The iOS specific fixes are:

  • In some circumstances, the failed passcode attempt limit was not enforced. (CVE-2014-4451)
  • The Leave a Message option in FaceTime may have allowed viewing and sending photos from the device. (CVE-2014-4463)
  • A permissions issue existed with the debugging functionality for iOS that allowed the spawning of applications on trusted devices that were not being debugged. (CVE-2014-4457)

The OS X only patches are:

  • The request made by About This Mac to determine the model of the system and direct users to the correct help resources included unnecessary cookies. (CVE-2014-4458)
  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution due to a use after free issue existed in the handling of page objects. (CVE-2014-4459)

More information about all these patches can be found on Apple’s Security Updates web site: http://support.apple.com/kb/HT1222

Email addresses stolen from CurrentC

currentc-logo(LiveHacking.Com) – CurrentC has notified its users about a security breach which enabled hackers to steal the email addresses of some of its pilot program participants. According to a statement released by the company, “many of these email addresses are dummy accounts used for testing purposes only.” It went on to say that, “the CurrentC app itself was not affected.”

CurrentC is a mobile wallet rival to Apple’s new mobile payment system. It is a free downloadable app that lets customers securely save, earn participating merchant loyalty rewards and pay across a growing network of merchants which includes Target, Walmart, Old Navy, Shell, and Best Buy.

The Merchant Customer Exchange (MCX), the alliance of retailers behind CurrentC, said it had notified its merchant partners about the incident and directly communicated with each of the individuals whose email addresses were involved. It then went on to offer the normal platitudes, “we take the security of our users’ information extremely seriously. MCX is continuing to investigate this situation and will provide updates as necessary.”

The problem is that such a incident can severely damage the reputation of a company which is supposed to be offering a secure payment system. The thinking of many consumers will be, “if CurrentC can’t look after my email address, how can I trust it with my bank details!”

According to iTnews, some experts are trying to play down the incident. “The service was hacked and emails were lost. That distinction is important as a breach contains access to financial data and this hack contains mostly just personal information,” Chris Morales, practice manager of architecture and infrastructure at NSS Labs, said in a statement.

Time will tell if consumers agree with Morales or not.

Apple release iOS 8.1 and Apple TV 7.0.1 with new security patches

Apple-logo(LiveHacking.Com) – Apple has released iOS 8.1, primarily to activate Apple Pay, but also to patch five CVE-listed vulnerabilities including fixes for a Bluetooth flaw and  a fix for the infamous SSL 3.0 POODLE security vulnerability.

POODLE (Padding Oracle On Downgraded Legacy Encryption) is the moniker given to a flaw in the SSL 3.0 protocol. SSL 3.0 is considered old and obsolete. It has been replaced by its successors TLS 1.0, TLS 1.1, and TLS 1.2. However many system still support SSL 3.0 for compatibility reasons. Many systems retry failed secure connections with older protocol versions, including SSL 3.0. This means that a hacker can trigger the use of SSL 3.0 and try to exploit POODLE.

The vulnerability only exists when the SSL 3.0 cipher suite uses a block cipher in CBC mode. As a result, Apple has disabled CBC cipher suites when TLS connection attempts fail in iOS 8.1.

Apple also fixed a flaw would could allow a malicious Bluetooth device to bypass pairing. According to Apple, “unencrypted connections were permitted from Human Interface Device-class Bluetooth Low Energy accessories. If an iOS device had paired with such an accessory, an attacker could spoof the legitimate accessory to establish a connection. The issue was addressed by denying unencrypted HID connections.”

With the recent spate of leaked celebrity photos, Apple’s iCloud service has remained under the spotlight. According to Apple a flaw has been fixed which could allow an attacker in a privileged network position to force iCloud data access clients to leak sensitive information. The problem is connected with a TLS certificate validation vulnerability that existed in the iCloud data access clients on previous versions of iOS.

Apple TV 7.0.1

The update to Apple TV is smaller than the changes to iOS, however just as significant. Like the iOS 8.1 release, Apple TV 7.0.1 denies unencrypted HID connections to block malicious Bluetooth input devices that try to bypass pairing. iOS 8.1 also disables CBC cipher suites when TLS connection attempts fail, this is needed to stop hackers trying to exploit the POODLE flaw in SSL 3.0.

Apple TV will periodically check for software updates and will install the update on the next check. However if you want to manually check for software updates go to “Settings -> General -> Update Software”.

Alleged Dropbox hack underlines danger of reusing passwords

Dropbox(LiveHacking.Com) – News broke yesterday of an alleged hack on Dropbox that could have potentially leaked the passwords of millions of users. An anonymous hacker posted a few hundred usernames and passwords on Pastebin and claimed that they were for Dropbox accounts. The leaked list is for accounts with email addresses starting with the letter “b”. The opening text stated that Dropbox had been hacked and that the hacker had access to some 6,937,081 credentials. The hacker then asked for Bitcoin donations in exchange for more leaked passwords.

Dropbox was swift to reply to the allegations and said that recent news articles claiming that it was hacked weren’t true. “The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox,” wrote Anton Mityagin from Dropbox.

In a further update Dropbox said it had also checked a subsequent list of usernames and passwords that had been posted online, and that the second list was also not associated with Dropbox accounts.

If Dropbox is telling the whole truth, then it seems likely that the hackers have generated a list of user names and passwords from previous security breaches on non-Dropbox related sites and have tried their luck to see which users are using the same password on multiple sites. “Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services,” added Mityagin.

Dropbox users who have used the same password on their Dropbox account and on another websites should change their Dropbox password immediately. For an added layer of security, Dropbox users can also enable 2 step verification.

Source code for BadUSB vulnerability posted on GitHub

usb-flash-drive(LiveHacking.Com) – Back in August, security researchers  Karsten Nohl and Jakob Lell demonstrated how a USB device can be reprogrammed and used to infect a computer without the user’s knowledge. Dubbed BadUSB, the pair published their findings during the Black Hat conference, however they did not publish the source code or the reversed engineered firmware needed to perform the attack. Nohl and Lell said they did not release code in order to give firms making USB-controller firmware time to work out how to combat the problem.

Now two other researchers, Adam Caudill and Brandon Wilson have done their own research on BadUSB and produced code that can be used to exploit it. The source-code can be found on Github. Unlike Nohl and Lell, Caudill and Wilson think it is in the public’s interest to release the source code for public consumption.

“We’re releasing everything we’ve done here, nothing is being held back,” said Mr Wilson during his presentation at DerbyCon. “We believe that this information should not be limited to a select few as others have treated it. It needs to be available to the public.”

The BBC contacted Karsten Nohl about the new release, he said that “full disclosure” can motivate USB device makers to improve the security on their devices. However he also noted that the problem with BadUSB is not one particular device but rather, “the standard itself is what enables the attack and no single vendor is in a position to change that.” He added that, “it is unclear who would feel pressured to improve their products by the recent release.”

According to the GitHub page for the new source-code the following devices can be reprogrammed and used as attack vectors:

  • Patriot 8GB Supersonic Xpress
  • Kingston DataTraveler 3.0 T111 8GB
  • Silicon power marvel M60 64GB
  • Toshiba TransMemory-MX™ Black 16 GB
  • Patriot Stellar 64 Gb Phison

Shellshock: Code injection vulnerability found in Bash

bash-man-page(LiveHacking.Com) – A code injection vulnerability in the Bourne again shell (Bash) has been disclosed on the internet. If exploited then arbitrary commands can be executed, and where Bash is used in relation to a network service, for example in CGI scripts on a web server, then the vulnerability will allow remote code execution.

The problem resolves about the way that Bash processes environment variables used to export shell functions to other bash instances. Bash uses environment variables named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the process environment. The problem is that Bash does not stop after processing the function definition; it continues to parse and execute any shell commands following the function definition.

This means that shell commands can be tagged onto the end of environment variables and they will be executed by the shell. The vulnerability is deemed as critical because Bash is used widely on many types of UNIX-like operating systems including Linux, BSD, and Mac OS X.

The most prominent attack vector is via HTTP requests sent to CGI scripts executed by Bash. Also, if SSH has been configured to allow remote users to run a set of restricted commands, like rsync or git, this bug means that an attacker can use SSH to execute any command and not just the restricted command.

The initial bug was designated as CVE-2014-6271, and a patch was subsequently issued. However it was later discovered that the patch had an issue in the parser and did not fully address the problem. As a result a second CVE was assigned, CVE-2014-7169, to cover the remaining problems after the application of the first patch.

To test your system to see if your version of bash is vulnerable, run these two commands:

env X="() { :;} ; echo vulnerable" /bin/sh -c "echo completed"
env X="() { :;} ; echo vulnerable" `which bash` -c "echo completed"

In either case, if the word “vulnerable” is displayed then your shell needs patching.

The United States Computer Emergency Readiness Team (US-CERT) has issued a statement: Bourne Again Shell (Bash) Remote Code Execution Vulnerability, along with the following alert: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169).

Red Hat has posted a special report on its security blog: Bash specially-crafted environment variables code injection attack. Akamai, a provider of cloud services, has also posted a blog post called Environment Bashing.

 

Apple releases iOS 8 with 56 security patches

ios8-logo(LiveHacking.Com) – Along side the release of the iPhone 6 and iPhone 6 Plus Apple has also released a new version of its mobile operating system. iOS 8 includes improvements to Siri and the ability for third parties to add widgets to the notification area. Apple are calling it “huge for developers,  massive for everyone else.” iOS 8 also includes some important security fixes. Overall Apple addressed 56 unique CVEs in this release.

Among the changes are fixes for bugs which could allow an attacker with access to an iOS device to access sensitive user information from logs, allow a local attacker to escalate privileges and install unverified applications, and fixes for bugs that allow some kernel hardening measures may be bypassed.

Other fixes include a patch to stop maliciously crafted PDF files that can allow an attacker to run arbitrary code, and a patch to stop malicious applications executing arbitrary code with system privileges. Most of these issues revolve around NULL pointer dereferencing and bounds checking. For example an out-of-bounds read issue existed in the handling of an IOHIDFamily function. As a result, a malicious application may be able to read kernel pointers and then bypass kernel address space layout randomization. According to Apple’s release notes, “this issue was addressed through improved bounds checking.” A phrase that is found several times in Apple’s document that describes the security content of iOS 8.

Webkit, the open source HTML rendering engine used by Apple, also received a lot of patches (12 in total). According to Apple visiting a maliciously crafted website in previous versions of iOS may lead to an unexpected application termination or arbitrary code execution. This was because of multiple memory corruption issues in WebKit. These issues were addressed through improved memory handling.

As well as releasing iOS 8, Apple also released new versions of OS X, OS X Server, Safari, and Apple TV. These are all maintenance releases which fix bug and patch security vulnerabilities. The full list of updates including links to the relevant security information follows:

LinkedIn can be tricked into revealing personal email addresses

linkedin(LiveHacking.Com) – Benjamin Caudill and Bryan Seely, founders of Rhino Security, have discovered an unintentional side effect of LinkedIn’s obsession with making sure you are “linked” with just about everyone you have had contact with. According to the new research, which was published in part by Brian Krebs, it is possible to troll LinkedIn and discover the email addresses of public figures including leading CEOs, celebrities and company executives.

On a normal day LinkedIn will only let you connect with users that you claim to know professionally or personally. If you don’t know some you can get an introduction via a common third party. To ensure that you are linked to everyone you know LinkedIn will optionally trawl through your Google/Yahoo/Hotmail address book to see if anyone in your address book is already using LinkedIn. Sounds great, very helpful.

The problem is that if you start to create fake email addresses in your list of contacts then LinkedIn will helpfully show you the profiles of users with addresses that match your address book. This is because LinkedIn assumes that if you have their email address then you must know the person.

Now all you need to do is populate your address book with hundreds of combinations of email addresses based on people’s names, and then add @gmail.com or @yahoo.com etc on to the end.

When you import the list of names then LinkedIn will not only show you the profiles which match the addresses, it will also tell you which addresses don’t match any known profiles. If you got lucky and found the address of a high profile user then you just need to use a process of elimination to whittle down the list of emails that didn’t match a profile and you can discover the private email address of the target LinkedIn user.

To prove their point Cludill and Seely discovered the email address of Mark Cuban, the owner of the Dallas Mavericks. Seely said they found success in locating the email addresses of other celebrities using the same method about nine times out of ten.

“We created several hundred possible addresses for Cuban in a few seconds, using a Microsoft Excel macro,” Seely said. “It’s just a brute-force guessing game, but 90 percent of people are going to use an email address that includes components of their real name.”

According to LinkedIn the company will be implementing a couple of changes over the next few weeks to alter the way the service handles email addresses.