September 1, 2014

Google Safe Browsing to be expanded to detect even more suspicious downloads

(LiveHacking.Com) – One of the important security features that Google provides for users of its Chrome browser, as well as for users of other software that calls the related APIs, is its Safe Browsing service. Since Google is constantly trawling the Internet for its search engine, the company also inspects the pages it reads and checks whether a website is serving malware or running any kind of suspicious JavaScript that could harm a PC. If a user visits one of these sites and starts a download (either manually or via some malicious script), Chrome will warn the user that the download is potentially harmful.

According to a recent blog post, Google is currently showing over three million download warnings per week! In total, Chrome, along with the other browsers which use this service, is protecting over 1.1 billion people from mistakenly downloading malware onto their computers.

Google has now announced that it will be expanding the Safe Browsing service to include protection against other kinds of deceptive software including programs disguised as helpful downloads that actually make unexpected and unwanted changes to your computer. As an example, Google cites applications which switch your homepage or default search engine to ones you don’t want.

“You should be able to use the web safely, without fear that malware could take control of your computer, or that you could be tricked into giving up personal information in a phishing scam,” wrote Moheeb Abu Rajab, Staff Engineer, Google Security.

When a user attempts to download one of these malicious software installers, Chrome will display a warning and halt the download. Users who insist on downloading the package can still access it from the Downloads list.

It is always important to be watchful when downloading software from the Internet. Make sure you trust the source of the download and make sure your malware protection is current. Google has published a set of tips to help you stay safe on the web.

Presentation on how to break Tor removed from Black Hat schedule

(LiveHacking.Com) – A highly anticipated briefing about a low-cost technique for de-anonymising Tor users has been removed from the Black Hat 2014 talk schedule, for reasons that have not yet been fully explained. The talk, which would have presented a method for identifying Tor users, was cancelled at the request of attorneys for Carnegie Mellon University in Pittsburgh, where the speakers work as researchers.

The spokesperson for the conference, which is running in Las Vegas on August 6-7, said that a Carnegie Mellon attorney informed Black Hat that one of the speakers could not give the Tor talk because the material he would reveal has not been approved for public release by the university or by the Software Engineering Institute (SEI).

The Onion Router (TOR) Project network was originally developed with the US Naval Research Laboratory as part of an investigation into privacy and cryptography on the Internet. Tor re-directs Internet traffic through a set of encrypted relays to conceal a user’s location or usage from anyone monitoring their network traffic. Using Tor makes it more difficult for online activity to be traced including “visits to Web sites, online posts, instant messages, and other communication forms.”

According to Roger Dingledine, one of the original Tor developers, the project did not “ask Black Hat or CERT to cancel the talk. We did (and still do) have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made.” He went on to say that the project encourages research on the Tor network along with responsible disclosure of all new and interesting attacks. “Researchers who have told us about bugs in the past have found us pretty helpful in fixing issues, and generally positive to work with,” he added.

Security researcher Alexander Volynkin was scheduled to give the talk titled ‘You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget’ at the Black Hat conference. It would have outlined ways that individuals can try to find the original source of Tor traffic without the need for large amounts of computing power.

Oracle fixes 113 security vulnerabilities, 20 just in Java

(LiveHacking.Com) – Oracle has released a mammoth set of patches to address 113 security-related problems across a wide range of its products. The release, which Oracle refers to as a Critical Patch Update (CPU), contains 113 new security fixes for product families including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, Oracle Java SE, Oracle Linux and Virtualization, Oracle MySQL, and Oracle and Sun Systems Products Suite.

Although all of the patches from Oracle should be considered important, the set that will get the most attention are the latest patches for Java. Oracle patched 20 vulnerabilities in Java. Eight of the 20 vulnerabilities could allow a hacker to completely compromise a target client. These vulnerabilities are described as being remote exploits which don’t require authentication. In total the CPU provides fixes for 17 Java SE client vulnerabilities, 1 for a JSSE vulnerability affecting client and server, and 2 vulnerabilities affecting Java client and server.

Oracle also points out that Windows XP users should upgrade to a new operating system. The security advisory says that “running unsupported operating systems, particularly one as prevalent as Windows XP, create a very significant risk to users of these systems as vulnerabilities are widely known, exploit kits routinely available, and security patches no longer provided by the OS provider.”

This CPU also includes 5 fixes for the Oracle Database, 29 new security fixes for Oracle Fusion Middleware, 5 fixes for Oracle E-Business Suite, and 3 for the Oracle Sun Systems Products Suite. According to the United States Computer Emergency Readiness Team (US-CERT), the update also includes 15 patches for Oracle Virtualization products, and 10 fixes for MySQL.

“Critical Patch Update fixes are intended to address significant security vulnerabilities in Oracle products and also include code fixes that are prerequisites for the security fixes. As a result, Oracle recommends that this Critical Patch Update be applied as soon as possible by customers using the affected products,” wrote Eric Maurice on Oracle’s security blog.

Oracle releases Critical Patch Updates the Tuesday closest to the 17th day of January, April, July and October. The next CPU is due on 14 October 2014.

Microsoft, Adobe release security patches plus high profile domains rush to fix XSS vulnerability

(LiveHacking.Com) – The last few days have seen lots of security related activity from some of the world’s leading software vendors. Both Microsoft and Adobe have released patches for some of their key software while almost simultaneously a Google engineer has released details of an obscure cross-scripting request forgery bug that left several high profile domains scrambling to protect themselves over the weekend.

Microsoft

Microsoft has released six new security bulletins to tackle 29 different vulnerabilities in Microsoft Windows and Internet Explorer. Two of these security bulletins are rated Critical, while the rest are rated either Important or Moderate.

The first of the two Critical level bulletins (MS14-037) is a cumulative security update for Internet Explorer. The update fixes one publicly disclosed vulnerability and twenty-three privately reported vulnerabilities in Microsoft’s web browser. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using IE. This security update is rated Critical for IE 6 through to IE 11 on Microsoft Windows desktop operating systems. For the server versions of Windows the update is rated as Moderate.

The other Critical level update (MS14-038) fixes a remote code execution vulnerability that exists because of the way that Windows Journal parses specially crafted files. The vulnerability could be exploited if a user opens a specially crafted Journal file. The fix is rated Critical for all supported editions of Windows Vista, Windows Server 2008 (excluding Itanium), Windows 7, Windows Server 2008 R2 (excluding Itanium), Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

The other bulletins released by Microsoft are:

  • MS14-039 - Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege. The vulnerability could allow elevation of privilege if an attacker uses a vulnerability in a low integrity process to execute the On-Screen Keyboard (OSK) and upload a specially crafted program to the target system.
  • MS14-040 - Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege. The vulnerability could allow elevation of privilege if an attacker logs onto a system and runs a specially crafted application.
  • MS14-041 - Vulnerability in DirectShow Could Allow Elevation of Privilege. The vulnerability could allow elevation of privilege if an attacker first exploits another vulnerability in a low integrity process and then uses this vulnerability to execute specially crafted code in the context of the logged on user.
  • MS14-042 - Vulnerability in Microsoft Service Bus Could Allow Denial of Service. The vulnerability could allow denial of service if a remote authenticated attacker creates and runs a program that sends a sequence of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system.

Adobe

Adobe has released security updates for Adobe Flash Player on Windows, OS X and Linux. The updates patch vulnerabilities that could potentially allow a remote attacker to take control of the affected system. The affected software versions are:

  • Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.378 and earlier versions for Linux
  • Adobe AIR 14.0.0.110 SDK and earlier versions
  • Adobe AIR 14.0.0.110 SDK & Compiler and earlier versions
  • Adobe AIR 14.0.0.110 and earlier versions for Android

As well as fixing two, as yet undisclosed, security bypass vulnerabilities (CVE-2014-0537, CVE-2014-0539), the update also includes additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs (CVE-2014-4671).

XSS

As mentioned above, the update to Adobe Flash Player includes additional validation checks for an obscure cross-scripting request forgery bug that was disclosed by Google’s information security engineer Michele Spagnuolo over the weekend. In his blog post “Abusing JSONP with Rosetta Flash,” Michele details how his tool Rosetta Flash can convert Adobe SWF files from binary to text. Attackers can then upload the “weaponised” SWF file to a domain where it will be loaded by a victim’s browser and executed by Adobe Flash Player.
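The server-side hardening that the affected JSONP endpoints needed, as an added example that is not code from the blog post or from Google: a callback name reflected at byte 0 of a response is what let Flash Player treat the reply as an SWF (SWF files start with the signatures FWS, CWS or ZWS), so the endpoint whitelists the callback characters and prefixes the body with a harmless JavaScript comment. The endpoint function names and the sample payload are constructed for the example.

```python
import json
import re

# Every SWF begins with one of these three-byte signatures
# (uncompressed, zlib-compressed, LZMA-compressed).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Accept only a plain dotted JavaScript identifier, bounded in length.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64


def naive_jsonp(callback: str, data: dict) -> bytes:
    """The pattern that was exploitable: the callback parameter is echoed
    verbatim as the first bytes of the response body."""
    return f"{callback}({json.dumps(data)})".encode("ascii")


def hardened_jsonp(callback: str, data: dict) -> bytes:
    """Validate the callback and make sure byte 0 can never be an SWF
    signature.  The leading /**/ is a no-op for a script consumer."""
    if len(callback) > MAX_CALLBACK_LEN or not CALLBACK_RE.fullmatch(callback):
        raise ValueError("invalid JSONP callback name")
    return b"/**/" + f"{callback}({json.dumps(data)})".encode("ascii")


def looks_like_swf(body: bytes) -> bool:
    """Check a response body the way a Flash loader would: by its signature."""
    return body[:3] in SWF_SIGNATURES


def is_safe_response(body: bytes) -> bool:
    return not looks_like_swf(body)


if __name__ == "__main__":
    # Constructed payload; a callback that merely *begins* with an SWF
    # signature is enough for the naive endpoint to produce an SWF-shaped reply.
    sample = {"user": "alice", "ok": True}
    print(naive_jsonp("CWSdemo", sample)[:16], looks_like_swf(naive_jsonp("CWSdemo", sample)))
    print(hardened_jsonp("CWSdemo", sample)[:16], looks_like_swf(hardened_jsonp("CWSdemo", sample)))
```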

Several high-profile websites were vulnerable, including most Google domains, Instagram, Tumblr and eBay. Many of these sites have worked over the weekend to protect themselves against the vulnerability.

Because of the sensitivity of this vulnerability, Spagnuolo first disclosed it internally to Google, and then privately to Adobe. He also told Twitter, eBay, Tumblr and Instagram before going public with his findings.

Apple fixes 44 security bugs in iOS

(LiveHacking.Com) – Apple has released a new point release of iOS 7 to address 44 different security issues with Apple’s mobile operating system. Among the patches are bug fixes for vulnerabilities in the iOS kernel, and fixes for errors in “launchd,” which could allow a malicious application to execute arbitrary code with system privileges. There are also lots of fixes for WebKit, the HTML rendering engine used by Safari.

The kernel vulnerability, which could cause an iOS device to unexpectedly restart, exists because of a null pointer dereference in the handling of IOKit API arguments. This problem was addressed through additional validation of IOKit API arguments.

launchd has been patched quite extensively in this release. The program is responsible for starting, stopping and managing background processes and apps on iOS. According to Apple’s security notice for iOS 7.1.2, launchd has several different vulnerabilities including a heap buffer overflow in the handling of IPC messages, a heap buffer overflow in the handling of log messages, and some unspecified integer overflow/underflow issues. All of these could possibly allow a malicious application to execute arbitrary code with system privileges.

The WebKit HTML rendering engine was also heavily patched with 28 unique bugs being squashed. Many of the bugs were discovered either by Google’s Chrome Security Team or by renowned security researchers like “miaubiz” who were participating in Google’s Vulnerability Rewards Program for Chromium. However Apple did find several bugs on its own. In total, the discovery of 12 of the 28 vulnerabilities is attributed (or co-attributed) to Apple. The result of the “multiple memory corruption issues” in WebKit was that a user visiting a maliciously crafted website could lead to an unexpected application termination or arbitrary code execution.

Two other WebKit vulnerabilities were also found by Erling Ellingsen of Facebook. The first was an encoding issue that existed in the handling of unicode characters in URLs. The result was that a malicious site could send messages to a connected frame or window in a way that might circumvent the receiver’s origin check. The other problem was a spoofing issue that existed in the handling of URLs.

Another interesting issue fixed in this version of iOS was a problem with Siri and lock codes. If a Siri request referred to one of several possible contacts, Siri displayed a list of choices and the option ‘More…’ for a complete contact list. When used at the lock screen, Siri did not require the passcode before viewing the complete contact list.

iOS 7.1.2 is available now for the iPhone 4 and later, the iPod touch (5th generation) and later, and the iPad 2 and later.

Microsoft Malware Protection Engine can be disabled via a specially crafted file

(LiveHacking.Com) – Microsoft has released a security advisory about a denial of service vulnerability in its Malware Protection Engine. According to Microsoft, if the Malware Protection Engine scans a specially crafted file then it can cause a denial of service condition. This means that an attacker who manages to exploit the vulnerability could stop the Microsoft Malware Protection Engine from monitoring the filesystem until the specially crafted file is manually deleted and the service is restarted. During this time the PC is susceptible to infection by other malware.

To exploit the vulnerability an attacker would need to place a specially crafted file on the target PC. This could be achieved in one of several different ways including via a website, via email message, or in an Instant Messenger message. If the affected anti-malware software has real-time protection turned on (which is the default), then the Microsoft Malware Protection Engine will scan the file automatically, leading to exploitation of the vulnerability.

The Malware Protection Engine is used by a variety of Microsoft products including Windows Security Essentials and Windows Defender. Microsoft has rated the vulnerability as “Important,” but not “Critical.”

Microsoft has fixed the vulnerability and the engine will be updated automatically when your PC next updates its malware definitions. Because the fix is part of the “normal” malware updates then Microsoft won’t be issuing a Security Bulletin about the problem, nor will it feature in a future Patch Tuesday. Microsoft estimates that the built-in update mechanisms will apply the fix within 48 hours of the release, however the exact time frame depends on the software used, Internet connection, and infrastructure configuration.

Phishing and cyber-attacks likely to rise during the World Cup

(LiveHacking.Com) – As is often the case with large, well-known events, cyber-criminals and spammers will be using the World Cup as a chance to steal more personal information and disrupt services in “cyber protests.”

According to TrendLabs, phishing campaigns have intensified and are even targeting Brazilian nationals in an attempt to steal from them during the fervor of the World Cup. Typical campaigns try to solicit information like credit card numbers or personally identifiable information (including name, date of birth and even national identity numbers) from unsuspecting victims. This data is later sold on the black market.

The example given by TrendLabs was for a $2.2 million lottery. As with legitimate lotteries, you need to pay to enter. Since the lottery is a scam, the credit card details entered are harvested for sale. TrendLabs has identified more than 80,000 people whose credentials have been stolen. Of those, 83% had email addresses from providers with domain names in the .br top-level domain.

But it isn’t only phishing that will be increasing during the World Cup. According to reports by Reuters, the hacker group Anonymous is preparing cyber-attacks on the corporate sponsors of the World Cup.

“We have already conducted late-night tests to see which of the sites are more vulnerable,” said the hacker who operates under the alias of Che Commodore. “We have a plan of attack.”

The threats by Anonymous and the increased amount of phishing are just another problem for the Brazilian government. The event has been marred by delays in the building of the stadiums and widespread discontent among Brazilians over the excessive cost of hosting the event.

Recently Anonymous attacked Brazil’s Foreign Ministry computer networks and leaked dozens of confidential emails. In what is a massive security breach, Anonymous posted 333 Foreign Ministry documents, including briefing documents on talks between Brazilian officials and U.S. Vice President Joe Biden, and a list of sport ministers who plan to attend the World Cup.

The World Cup 2014 kicks off on 12 June with a game between hosts Brazil and Croatia. The event continues until Sunday 13 July when the final will be held in Rio de Janeiro.

GameOver Zeus botnet disrupted by FBI, Microsoft and multi-national agencies

(LiveHacking.Com) – A multi-national team of security experts and law enforcement agencies including the U.S. Department of Justice, the FBI, Europol, and the UK’s National Cyber Crime Unit have successfully disrupted the GameOver Zeus botnet. The malware, which is a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing trojans, is thought to be responsible for the theft of millions of dollars from businesses and consumers all around the world.

Also known as P2P Zeus or GO Zeus, the malware uses a decentralized network system of compromised PCs and web servers to execute command-and-control. Its peer-to-peer nature meant that command instructions could come from any of the infected computers, and made the take down of the botnet more difficult.

The FBI took down portions of the command-and-control infrastructure by seizing domain names used by the malware. Microsoft helped the FBI by providing an analysis of the P2P network and by developing a cleaning solution. According to Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit, “Based upon these actions, it is anticipated that the cybercriminals’ business model will be disrupted, and they will be forced to rebuild their criminal infrastructure. More importantly, victims of GameOver Zeus have been, and will continue to be, notified and their infected computers cleaned to prevent future harm.”

GameOver Zeus is primarily used by cybercriminals to harvest banking information including login credentials. Once a PC is infected it can be used by the cybercriminals to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks. The malware has also been linked to the CryptoLocker ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files.

Andy Archibald, a Deputy Director at the UK’s National Crime Agency (NCA), said: “Nobody wants their personal financial details, business information or photographs of loved ones to be stolen or held to ransom by criminals. By making use of this two-week window, huge numbers of people in the UK can stop that from happening to them.” Mr Archibald continues: “Those committing cybercrime impacting the UK are often highly-skilled and operating from abroad. The NCA and its partners are alive to the threat, and pursuing new and collaborative ways to tackle and disrupt the perpetrators.”

At the same time as the botnet was being disrupted, a federal grand jury in Pittsburgh unsealed a 14-count indictment against the GameOver Zeus ringleader. Evgeniy Mikhailovich Bogachev, of Anapa, Russian Federation, is charged with conspiracy, computer hacking, wire fraud, bank fraud and money laundering. In a separate civil injunction, Bogachev was identified as the ringleader of the gang responsible for the development and operation of the Cryptolocker scheme.

LulzSec Hacker Sabu helps stop over 300 cyber attacks

(LiveHacking.Com) – Hector Xavier Monsegur, a.k.a. the hacker “Sabu,” the former “leader” of the hacking group LulzSec, has been helping the FBI prevent cyber attacks since his 2011 arrest. As a result, the court has been petitioned to have his sentence greatly reduced.

According to court documents filed by prosecutors in the Southern District of New York, the work of Hector Xavier Monsegur has helped to prevent losses of millions of dollars. Under current sentencing guidelines Sabu could face prison time of up to 26 years for hacking companies like Fox Television, PBS, Sony, and Nintendo.

In addition to Sabu’s direct involvement in criminal hacking activities, he also had knowledge of other major criminal hacking activities, including hacks into the computer servers of the Irish political party Fine Gael and the Sony PlayStation Network.

Sabu was arrested in June 2011 and pleaded guilty, as part of a co-operation agreement with the US government. As part of that co-operation Sabu “proactively cooperated with ongoing Government investigations” and sometimes worked “literally around the clock.” The court documents also say that Sabu’s “cooperation was complex and sophisticated, and the investigations in which he participated required close and precise coordination with law enforcement officers in several locations.”

The FBI estimates that with Sabu’s help it was able to disrupt or prevent at least 300 separate computer hacks. The victims included divisions of the United States Government such as the United States Armed Forces, the United States Congress, the United States Courts, and NASA. Although difficult to quantify, it is likely that Sabu’s help prevented at least millions of dollars in loss to these victims.

Because of the extent of his help Sabu has received threats which meant the FBI needed to relocate the hacker and some members of his family, presumably under some form of witness protection scheme.

The court filings note that Sabu was repeatedly “approached on the street and threatened or menaced about his cooperation once it became publicly known. Monsegur was also harassed by individuals who incorrectly concluded that he participated in the Government’s prosecution of the operators of the Silk Road website.”

He is due to be sentenced on Tuesday.

Chip and PIN bank cards have serious vulnerabilities

(LiveHacking.Com) – A new research paper [PDF], by a group of security experts from the University of Cambridge, has proven that current implementations of the EMV protocol (named after its original developers, Europay, MasterCard and Visa), which is more commonly known as “Chip and PIN”, have serious vulnerabilities. These weaknesses might leave customers at risk of fraud. The most devastating aspect of the new research is that it reveals vulnerabilities which make it possible to create clone chip cards which look like the real thing to the bank.

“Our new paper shows that it is possible to create clone chip cards which normal bank procedures will not be able to distinguish from the real card,” wrote Steven J. Murdoch.

If the terminal, which is processing a Chip and PIN transaction, has a bad random number generator or the communications back to the bank can be modified, then an attacker can use a cloned card rather than the original. Both of these weaknesses (bad random numbers and modified communications) have been seen in the wild.

As part of the research, the team identified a weak random number generator in an ATM: the upper 17 bits of the number were a fixed value, and the lower 15 bits were simply a counter that is incremented every few milliseconds, cycling every three minutes. This was back in 2012. The team followed a responsible disclosure policy and informed bank industry organisations so that the ATM software could be patched. Only now are they able to reveal the results of their research.

According to the paper, “The first flaw is that some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this nonce. This exposes them to a “pre-play” attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically. Card cloning is the very type of fraud that EMV was supposed to prevent.”

The good news is that because of the research the banks have started working on a certification program for random number generators in Chip and PIN terminals. However the bad news is that attacks that tamper with the random number generators or communications are harder to prevent and have yet to be addressed.
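The kind of sanity check a certification program for terminal random number generators would run, as an added example that is not from the Cambridge paper or the page: it models the weak ATM generator described above (upper 17 bits fixed, lower 15 bits a counter) next to a generator that draws from the OS CSPRNG, and flags a sample of unpredictable numbers whose bits never change or that step like a counter. The fixed value 0x1A2B4 and the 5 ms tick used to relate the cycle length to the three-minute period are assumptions.

```python
import os
import struct
from typing import Dict, List

UN_MASK = 0xFFFFFFFF  # the EMV unpredictable number (UN) is a 4-byte field


def weak_un_sequence(n: int, fixed_high: int = 0x1A2B4, start: int = 0) -> List[int]:
    """Constructed model of the flawed ATM generator: the upper 17 bits
    never change and the lower 15 bits are a wrapping counter."""
    if not 0 <= fixed_high < (1 << 17):
        raise ValueError("fixed_high must fit in 17 bits")
    return [(fixed_high << 15) | ((start + i) & 0x7FFF) for i in range(n)]


def strong_un_sequence(n: int) -> List[int]:
    """What a terminal should do: draw each UN from the OS CSPRNG."""
    return [struct.unpack(">I", os.urandom(4))[0] for _ in range(n)]


def constant_bit_mask(uns: List[int]) -> int:
    """Bits that are identical in every sampled UN (always 0 or always 1)."""
    all_and, all_or = UN_MASK, 0
    for u in uns:
        all_and &= u
        all_or |= u
    return (all_and | (~all_or & UN_MASK)) & UN_MASK


def counter_fraction(uns: List[int], varying_mask: int, max_step: int = 16) -> float:
    """Share of consecutive pairs whose difference over the varying bits is a
    small positive step.  Exact when the varying bits are the low bits, as in
    the weak generator; for a true CSPRNG the share is essentially zero."""
    if len(uns) < 2 or varying_mask == 0:
        return 0.0
    hits = sum(1 for a, b in zip(uns, uns[1:]) if 1 <= ((b - a) & varying_mask) <= max_step)
    return hits / (len(uns) - 1)


def assess_un_quality(uns: List[int]) -> Dict[str, object]:
    """Summarise a captured UN sample for a certifier: how many bits are dead,
    whether the live bits behave like a counter, and the implied repeat period."""
    const = constant_bit_mask(uns)
    varying = ~const & UN_MASK
    fixed_bits = bin(const).count("1")
    frac = counter_fraction(uns, varying)
    # A counter over k live bits repeats after 2**k draws: 2**15 = 32768 here,
    # which at one increment every ~5 ms (assumed) is about three minutes.
    cycle = (1 << bin(varying).count("1")) if frac > 0.5 else None
    predictable = fixed_bits >= 8 or frac > 0.5
    return {
        "fixed_bits": fixed_bits,
        "counter_fraction": frac,
        "cycle_length": cycle,
        "verdict": "predictable" if predictable else "no obvious structure",
    }


if __name__ == "__main__":
    # Sample that straddles the counter wrap so every low bit is exercised.
    print(assess_un_quality(weak_un_sequence(2000, start=32000)))
    print(assess_un_quality(strong_un_sequence(2000)))
```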