October 22, 2014

Apple release iOS 8.1 and Apple TV 7.0.1 with new security patches

Apple-logo(LiveHacking.Com) – Apple has released iOS 8.1, primarily to activate Apple Pay, but also to patch five CVE-listed vulnerabilities including fixes for a Bluetooth flaw and  a fix for the infamous SSL 3.0 POODLE security vulnerability.

POODLE (Padding Oracle On Downgraded Legacy Encryption) is the moniker given to a flaw in the SSL 3.0 protocol. SSL 3.0 is considered old and obsolete. It has been replaced by its successors TLS 1.0, TLS 1.1, and TLS 1.2. However many system still support SSL 3.0 for compatibility reasons. Many systems retry failed secure connections with older protocol versions, including SSL 3.0. This means that a hacker can trigger the use of SSL 3.0 and try to exploit POODLE.

The vulnerability only exists when the SSL 3.0 cipher suite uses a block cipher in CBC mode. As a result, Apple has disabled CBC cipher suites when TLS connection attempts fail in iOS 8.1.

Apple also fixed a flaw would could allow a malicious Bluetooth device to bypass pairing. According to Apple, “unencrypted connections were permitted from Human Interface Device-class Bluetooth Low Energy accessories. If an iOS device had paired with such an accessory, an attacker could spoof the legitimate accessory to establish a connection. The issue was addressed by denying unencrypted HID connections.”

With the recent spate of leaked celebrity photos, Apple’s iCloud service has remained under the spotlight. According to Apple a flaw has been fixed which could allow an attacker in a privileged network position to force iCloud data access clients to leak sensitive information. The problem is connected with a TLS certificate validation vulnerability that existed in the iCloud data access clients on previous versions of iOS.

Apple TV 7.0.1

The update to Apple TV is smaller than the changes to iOS, however just as significant. Like the iOS 8.1 release, Apple TV 7.0.1 denies unencrypted HID connections to block malicious Bluetooth input devices that try to bypass pairing. iOS 8.1 also disables CBC cipher suites when TLS connection attempts fail, this is needed to stop hackers trying to exploit the POODLE flaw in SSL 3.0.

Apple TV will periodically check for software updates and will install the update on the next check. However if you want to manually check for software updates go to “Settings -> General -> Update Software”.

Alleged Dropbox hack underlines danger of reusing passwords

Dropbox(LiveHacking.Com) – News broke yesterday of an alleged hack on Dropbox that could have potentially leaked the passwords of millions of users. An anonymous hacker posted a few hundred usernames and passwords on Pastebin and claimed that they were for Dropbox accounts. The leaked list is for accounts with email addresses starting with the letter “b”. The opening text stated that Dropbox had been hacked and that the hacker had access to some 6,937,081 credentials. The hacker then asked for Bitcoin donations in exchange for more leaked passwords.

Dropbox was swift to reply to the allegations and said that recent news articles claiming that it was hacked weren’t true. “The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox,” wrote Anton Mityagin from Dropbox.

In a further update Dropbox said it had also checked a subsequent list of usernames and passwords that had been posted online, and that the second list was also not associated with Dropbox accounts.

If Dropbox is telling the whole truth, then it seems likely that the hackers have generated a list of user names and passwords from previous security breaches on non-Dropbox related sites and have tried their luck to see which users are using the same password on multiple sites. “Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services,” added Mityagin.

Dropbox users who have used the same password on their Dropbox account and on another websites should change their Dropbox password immediately. For an added layer of security, Dropbox users can also enable 2 step verification.

Source code for BadUSB vulnerability posted on GitHub

usb-flash-drive(LiveHacking.Com) – Back in August, security researchers  Karsten Nohl and Jakob Lell demonstrated how a USB device can be reprogrammed and used to infect a computer without the user’s knowledge. Dubbed BadUSB, the pair published their findings during the Black Hat conference, however they did not publish the source code or the reversed engineered firmware needed to perform the attack. Nohl and Lell said they did not release code in order to give firms making USB-controller firmware time to work out how to combat the problem.

Now two other researchers, Adam Caudill and Brandon Wilson have done their own research on BadUSB and produced code that can be used to exploit it. The source-code can be found on Github. Unlike Nohl and Lell, Caudill and Wilson think it is in the public’s interest to release the source code for public consumption.

“We’re releasing everything we’ve done here, nothing is being held back,” said Mr Wilson during his presentation at DerbyCon. “We believe that this information should not be limited to a select few as others have treated it. It needs to be available to the public.”

The BBC contacted Karsten Nohl about the new release, he said that “full disclosure” can motivate USB device makers to improve the security on their devices. However he also noted that the problem with BadUSB is not one particular device but rather, “the standard itself is what enables the attack and no single vendor is in a position to change that.” He added that, “it is unclear who would feel pressured to improve their products by the recent release.”

According to the GitHub page for the new source-code the following devices can be reprogrammed and used as attack vectors:

  • Patriot 8GB Supersonic Xpress
  • Kingston DataTraveler 3.0 T111 8GB
  • Silicon power marvel M60 64GB
  • Toshiba TransMemory-MX™ Black 16 GB
  • Patriot Stellar 64 Gb Phison

Shellshock: Code injection vulnerability found in Bash

bash-man-page(LiveHacking.Com) – A code injection vulnerability in the Bourne again shell (Bash) has been disclosed on the internet. If exploited then arbitrary commands can be executed, and where Bash is used in relation to a network service, for example in CGI scripts on a web server, then the vulnerability will allow remote code execution.

The problem resolves about the way that Bash processes environment variables used to export shell functions to other bash instances. Bash uses environment variables named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the process environment. The problem is that Bash does not stop after processing the function definition; it continues to parse and execute any shell commands following the function definition.

This means that shell commands can be tagged onto the end of environment variables and they will be executed by the shell. The vulnerability is deemed as critical because Bash is used widely on many types of UNIX-like operating systems including Linux, BSD, and Mac OS X.

The most prominent attack vector is via HTTP requests sent to CGI scripts executed by Bash. Also, if SSH has been configured to allow remote users to run a set of restricted commands, like rsync or git, this bug means that an attacker can use SSH to execute any command and not just the restricted command.

The initial bug was designated as CVE-2014-6271, and a patch was subsequently issued. However it was later discovered that the patch had an issue in the parser and did not fully address the problem. As a result a second CVE was assigned, CVE-2014-7169, to cover the remaining problems after the application of the first patch.

To test your system to see if your version of bash is vulnerable, run these two commands:

env X="() { :;} ; echo vulnerable" /bin/sh -c "echo completed"
env X="() { :;} ; echo vulnerable" `which bash` -c "echo completed"

In either case, if the word “vulnerable” is displayed then your shell needs patching.

The United States Computer Emergency Readiness Team (US-CERT) has issued a statement: Bourne Again Shell (Bash) Remote Code Execution Vulnerability, along with the following alert: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169).

Red Hat has posted a special report on its security blog: Bash specially-crafted environment variables code injection attack. Akamai, a provider of cloud services, has also posted a blog post called Environment Bashing.

 

Apple releases iOS 8 with 56 security patches

ios8-logo(LiveHacking.Com) – Along side the release of the iPhone 6 and iPhone 6 Plus Apple has also released a new version of its mobile operating system. iOS 8 includes improvements to Siri and the ability for third parties to add widgets to the notification area. Apple are calling it “huge for developers,  massive for everyone else.” iOS 8 also includes some important security fixes. Overall Apple addressed 56 unique CVEs in this release.

Among the changes are fixes for bugs which could allow an attacker with access to an iOS device to access sensitive user information from logs, allow a local attacker to escalate privileges and install unverified applications, and fixes for bugs that allow some kernel hardening measures may be bypassed.

Other fixes include a patch to stop maliciously crafted PDF files that can allow an attacker to run arbitrary code, and a patch to stop malicious applications executing arbitrary code with system privileges. Most of these issues revolve around NULL pointer dereferencing and bounds checking. For example an out-of-bounds read issue existed in the handling of an IOHIDFamily function. As a result, a malicious application may be able to read kernel pointers and then bypass kernel address space layout randomization. According to Apple’s release notes, “this issue was addressed through improved bounds checking.” A phrase that is found several times in Apple’s document that describes the security content of iOS 8.

Webkit, the open source HTML rendering engine used by Apple, also received a lot of patches (12 in total). According to Apple visiting a maliciously crafted website in previous versions of iOS may lead to an unexpected application termination or arbitrary code execution. This was because of multiple memory corruption issues in WebKit. These issues were addressed through improved memory handling.

As well as releasing iOS 8, Apple also released new versions of OS X, OS X Server, Safari, and Apple TV. These are all maintenance releases which fix bug and patch security vulnerabilities. The full list of updates including links to the relevant security information follows:

LinkedIn can be tricked into revealing personal email addresses

linkedin(LiveHacking.Com) – Benjamin Caudill and Bryan Seely, founders of Rhino Security, have discovered an unintentional side effect of LinkedIn’s obsession with making sure you are “linked” with just about everyone you have had contact with. According to the new research, which was published in part by Brian Krebs, it is possible to troll LinkedIn and discover the email addresses of public figures including leading CEOs, celebrities and company executives.

On a normal day LinkedIn will only let you connect with users that you claim to know professionally or personally. If you don’t know some you can get an introduction via a common third party. To ensure that you are linked to everyone you know LinkedIn will optionally trawl through your Google/Yahoo/Hotmail address book to see if anyone in your address book is already using LinkedIn. Sounds great, very helpful.

The problem is that if you start to create fake email addresses in your list of contacts then LinkedIn will helpfully show you the profiles of users with addresses that match your address book. This is because LinkedIn assumes that if you have their email address then you must know the person.

Now all you need to do is populate your address book with hundreds of combinations of email addresses based on people’s names, and then add @gmail.com or @yahoo.com etc on to the end.

When you import the list of names then LinkedIn will not only show you the profiles which match the addresses, it will also tell you which addresses don’t match any known profiles. If you got lucky and found the address of a high profile user then you just need to use a process of elimination to whittle down the list of emails that didn’t match a profile and you can discover the private email address of the target LinkedIn user.

To prove their point Cludill and Seely discovered the email address of Mark Cuban, the owner of the Dallas Mavericks. Seely said they found success in locating the email addresses of other celebrities using the same method about nine times out of ten.

“We created several hundred possible addresses for Cuban in a few seconds, using a Microsoft Excel macro,” Seely said. “It’s just a brute-force guessing game, but 90 percent of people are going to use an email address that includes components of their real name.”

According to LinkedIn the company will be implementing a couple of changes over the next few weeks to alter the way the service handles email addresses.

Apple patches ‘Find My iPhone’ vulnerability that could have responsible for celeb photo leaks

apple-icloud(LiveHacking.Com) – Reports are starting to emerge that Apple has patched a weakness in its ‘Find My iPhone’ service that could have been used by hackers to steal private photos of nearly 100 Hollywood celebrities. Over the weekend an anonymous hacker posted revealing pictures of nearly 100 celebrities including Oscar-winning Hunger Games actress Jennifer Lawrence, as well as personal photos belonging to Kim Kardashian, Kate Upton, Kirsten Dunst and many others. It is thought that the hacker stole the photos from Apple’s iCloud storage system.

The breach is being linked with a new hacking tool which was recently uploaded to GitHub called “ibrute.” The tool relied on the fact that Apple did not use any brute force protection in its ‘Find My iPhone’ service API. This meant that a script (like ibrute) could be used to try and crack Apple passwords by brute force (i.e. by trying thousands of passwords in rapid succession). The ibrute tool used the top 500 passwords from the RockYou leaked passwords. The RockYou list includes passwords which satisfy Apple’s password policy.

Apple requires its users to create passwords with a minimum of 8 characters that do not contain more than 3 consecutive identical letters, and include a number, an uppercase letter, and a lowercase letter. The top passwords from the RockYou list which satisfies these conditions are: Password1, Princess1, P@ssw0rd, Passw0rd and Michael1.

iCloud is part of Apple’s ecosystem that automatically uploads photos taken with an iPhone to the cloud. From here the photos can be seen on other Apple devices owned by the account holder. iCloud also acts as a form of backup so if a device is lost or broken the photos are still available. The problem is that some people don’t realize that their photos are being sent automatically to Apple’s servers and the only thing stopping others from viewing those photos is their password, which isn’t much protection at all if the user has set a password like Password1 and so on.

Google Safe Browsing to be expanded to detect even more suspicious downloads

Chrome-logo-2011-03-16(LiveHacking.Com) – One of the important security features that Google provides for users of its Chrome browser, as well as users of other software that call the related APIs, is its Safe Browsing service. Since Google are constantly trawling the Internet for its search engine, the company also looks at the pages it reads and checks to see if the website is serving malware or running any kind of suspicious JavaScript that can cause harm to a PC. If a user visits one of these sites and starts a download (either manually or via some malicious script) then Chrome will warn the user that the download is potentially harmful.

According to a recent blog post, Google is currently showing over three million download warnings per week! In total Chrome, along with the other browsers which use this service, are protecting over 1.1 billion people from mistakenly downloading malware on their computers.

Google has now announced that it will be expanding the Safe Browsing service to include protection against other kinds of deceptive software including programs disguised as helpful downloads that actually make unexpected and unwanted changes to your computer. As an example, Google cites applications which switch your homepage or default search engine to ones you don’t want.

“You should be able to use the web safely, without fear that malware could take control of your computer, or that you could be tricked into giving up personal information in a phishing scam,” wrote Moheeb Abu Rajab, Staff Engineer, Google Security.

When a users attempts to download these malicious software installers, Chrome will display a warning and halt the download. For those users who insist on downloading the package, it can still be accessed from the Downloads list.

It is always important to be watchful when downloading software from the Internet. Make sure you trust the source of the download and make sure your malware protection is current. Google has published a set of tips to help you stay safe on the web.

Presentation on how to break Tor removed from Black Hat schedule

Tor project logo(LiveHacking.Com) – A highly anticipated briefing about a low-cost technique for de-anonymising Tor users has been removed from the Black Hat 2014 talk schedule for as-yet unknown reasons. The talk, which would have presented a method on how to identify Tor users, was cancelled at the request of attorneys for Carnegie Mellon University in Pittsburgh, where the speakers work as researchers.

The spokesperson for the conference, which is running in Las Vegas on August 6-7, said that a Carnegie Mellon attorney informed Black Hat that one of the speakers could not give the Tor talk because the material he would reveal has not been approved for public release by the university or by the Software Engineering Institute (SEI).

The Onion Router (TOR) Project network was originally developed with the US Naval Research Laboratory as part of an investigation into privacy and cryptography on the Internet. Tor re-directs Internet traffic through a set of encrypted relays to conceal a user’s location or usage from anyone monitoring their network traffic. Using Tor makes it more difficult for online activity to be traced including “visits to Web sites, online posts, instant messages, and other communication forms.”

According to Roger Dingledine, one of the original Tor developers, the project did not “ask Black Hat or CERT to cancel the talk. We did (and still
do) have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made.” He went on to say that the project encourages research on the Tor network along with responsible disclosure of all new and interesting attacks. “Researchers who have told us about bugs in the past have found us pretty helpful in fixing issues, and generally positive to work with,” he added.

Security researcher Alexander Volynkin was scheduled to give the talk titled ‘You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget’ at the Black Hat conference. It would have outlined ways that individuals can try to find the original source of Tor traffic without the need for large amounts of computing power.

Oracle fixes 113 security vulnerabilities, 20 just in Java

Oracle_ai(LiveHacking.Com) – Oracle has released a mammoth set of patches to address 113 security related problems across a wide range of its products. The patch release, which Oracle refers to as a Critical Patch Update (CPU), contains 113 new security fixes for a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, Oracle Java SE, Oracle Linux and Virtualization, Oracle MySQL, and Oracle and Sun Systems Products Suite.

Although all of the patches from Oracle should be considered important, the set that will get the most attention are the latest patches for Java. Oracle patched 20 vulnerabilities in Java. Eight of the 20 vulnerabilities could allow a hacker to completely compromise a target client. These vulnerabilities are described as being remote exploits which don’t require authentication. In total the CPU provides fixes for 17 Java SE client vulnerabilities, 1 for a JSSE vulnerability affecting client and server, and 2 vulnerabilities affecting Java client and server.

Oracle also points out that Windows XP users should upgrade to a new operating system. The security advisory says that “running unsupported operating systems, particularly one as prevalent as Windows XP, create a very significant risk to users of these systems as vulnerabilities are widely known, exploit kits routinely available, and security patches no longer provided by the OS provider.”

This CPU also includes 5 fixes for the Oracle Database, 29 new security fixes for Oracle Fusion Middleware, 5 fixes for Oracle E-Business Suite, and 3 for the Oracle Sun Systems Products Suite. According to the United States Computer Emergency Readiness Team (US-CERT), the update also include 15 patches for Oracle Virtualization products, and 10 fixes for MySQL.

“Critical Patch Update fixes are intended to address significant security vulnerabilities in Oracle products and also include code fixes that are prerequisites for the security fixes. As a result, Oracle recommends that this Critical Patch Update be applied as soon as possible by customers using the affected products,” wrote Eric Maurice on Oracle’s security blog.

Oracle releases Critical Patch Updates the Tuesday closest to the 17th day of January, April, July and October. The next CPU is due on 14 October 2014.