April 23, 2014

Apple updates OS X, iOS, Apple TV and AirPort

Apple has released a slew of updates for several of its key platforms to fix a range of security issues, including some related to the OpenSSL Heartbleed bug. According to the release notes for AirPort Base Station Firmware Update 7.7.3, the new software contains a fix for an out-of-bounds memory issue in the OpenSSL library when handling TLS heartbeat extension packets (i.e. the Heartbleed bug). Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected.

For iOS, Apple TV and OS X, Apple also released a set of patches, one of which applies to sessions protected by SSL. In what is known as a “triple handshake” attack, an attacker could create two connections that used the same keys and handshake. The attacker could then insert data into one connection and renegotiate so that the connections were forwarded to each other. To close off this scenario Apple has changed the SSL renegotiation code so that the same server certificate must be presented as in the original connection.

The update to OS X is called Security Update 2014-002 and has various changes for OS X 10.7 Lion, OS X 10.8 Mountain Lion and OS X 10.9 Mavericks. The changes are as follows:

  • Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie.
  • A format string issue existed in the CoreServicesUIAgent’s handling of URLs.
  • A buffer underflow existed in the handling of fonts in PDF files.
  • A reachable abort existed in the Heimdal Kerberos’ handling of ASN.1 data. This meant that a remote attacker could cause a denial of service.
  • A buffer overflow issue existed in ImageIO’s handling of JPEG images.
  • A validation issue existed in the Intel Graphics Driver’s handling of a pointer from userspace. As a result a malicious application could take control of the system.
  • A set of kernel pointers stored in an IOKit object could be retrieved from userland.
  • A kernel pointer stored in an XNU object could be retrieved from userland.
  • If a key was pressed or the trackpad touched just after the lid was closed, the system might have tried to wake up while going to sleep, which would have caused the screen to be unlocked. This issue was addressed by ignoring keypresses while going to sleep.
  • An integer overflow issue existed in LibYAML’s handling of YAML tags as used by Ruby.
  • A heap-based buffer overflow issue existed in Ruby when converting a string to a floating point value.
  • WindowServer sessions could be created by sandboxed applications.
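One way to see the Set-Cookie issue from the first item above, as an added example that is not Apple's code: a small header reader that, in strict mode, acts on a Set-Cookie line only once its CRLF terminator has arrived, beside the pre-patch behaviour of accepting whatever fragment remained when the connection closed. FULL_RESPONSE and CUT_RESPONSE are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Apple's code) modelling the Set-Cookie issue above:
 * a header line is only complete once its CRLF terminator has arrived. */

struct cookie { char name_value[128]; int secure; int httponly; };

/* Offset of the first CRLF in s[0..n), or -1 if none. */
static long find_crlf(const char *s, size_t n) {
    for (size_t i = 0; i + 1 < n; i++)
        if (s[i] == '\r' && s[i + 1] == '\n') return (long)i;
    return -1;
}

/* Parse one header line (no CRLF). Real parsers match the header name
 * case-insensitively and know more attributes; Secure/HttpOnly suffice here. */
static int parse_set_cookie(const char *line, size_t n, struct cookie *c) {
    if (n < 11 || strncmp(line, "Set-Cookie:", 11) != 0) return 0;
    memset(c, 0, sizeof *c);
    const char *p = line + 11, *end = line + n, *semi;
    while (p < end && *p == ' ') p++;
    semi = memchr(p, ';', (size_t)(end - p));
    size_t nv = (size_t)((semi ? semi : end) - p);
    if (nv >= sizeof c->name_value) nv = sizeof c->name_value - 1;
    memcpy(c->name_value, p, nv);
    c->name_value[nv] = '\0';
    while (semi) {                          /* walk the attribute list */
        p = semi + 1;
        while (p < end && *p == ' ') p++;
        semi = memchr(p, ';', (size_t)(end - p));
        size_t alen = (size_t)((semi ? semi : end) - p);
        if (alen == 6 && strncmp(p, "Secure", 6) == 0) c->secure = 1;
        if (alen == 8 && strncmp(p, "HttpOnly", 8) == 0) c->httponly = 1;
    }
    return 1;
}

/* Scan received response bytes. strict=1 processes only CRLF-terminated lines
 * and drops a trailing fragment left by a connection close. strict=0 mirrors
 * the pre-patch behaviour: the fragment is treated as a complete header, so
 * attributes that never arrived are simply absent. Returns cookies stored. */
size_t read_set_cookies(const char *buf, size_t len, int strict,
                        struct cookie *out, size_t max_out) {
    size_t count = 0, start = 0;
    while (start < len && count < max_out) {
        long rel = find_crlf(buf + start, len - start);
        size_t line_len;
        if (rel == 0) break;                /* blank line ends the header block */
        if (rel < 0) {
            if (strict) break;              /* unterminated line: discard it */
            line_len = len - start;
        } else {
            line_len = (size_t)rel;
        }
        if (parse_set_cookie(buf + start, line_len, &out[count])) count++;
        start += line_len + 2;              /* step past the CRLF */
    }
    return count;
}

/* Constructed sample: the response as the server sent it, and the same bytes
 * as a client sees them if the connection closes before the attributes. */
const char FULL_RESPONSE[] =
    "HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123; Secure; HttpOnly\r\n\r\n";
const char CUT_RESPONSE[] = "HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123";

/* -1 if no cookie was accepted, otherwise the Secure flag of the first one. */
int first_cookie_secure(const char *buf, size_t len, int strict) {
    struct cookie c[4];
    size_t n = read_set_cookies(buf, len, strict, c, 4);
    return n == 0 ? -1 : c[0].secure;
}

int main(void) {
    printf("hardened, truncated: %d\n", first_cookie_secure(CUT_RESPONSE, sizeof CUT_RESPONSE - 1, 1));
    printf("pre-patch, truncated: %d\n", first_cookie_secure(CUT_RESPONSE, sizeof CUT_RESPONSE - 1, 0));
    return 0;
}
```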

Apple has also updated iOS 7 with the release of iOS 7.1.1. It patches the same Set-Cookie HTTP headers bug as found in OS X plus it updates WebKit (the HTML rendering engine used by mobile Safari) to fix a number of issues, many of which were found by Google (for its Chrome browser). The new Apple TV 6.1.1 firmware has the same changes as iOS 7.1.1 and addresses the Set-Cookie HTTP headers bug and also patches WebKit.

You can get more information on Apple’s security updates here: http://support.apple.com/kb/HT1222

NSA denies it knew about Heartbleed, says it is in the national interest for it to disclose vulnerabilities

It looks like the ramifications of the Heartbleed bug in OpenSSL will be felt for quite a while to come. While security analysts are asking if the NSA had prior knowledge of the bug, cyber criminals are at work stealing data from sites which haven’t patched their servers and changed their SSL certificates. The Canadian Revenue Agency has said that the Heartbleed bug was the reason why an attacker was able to steal 900 social insurance numbers, and British parenting website Mumsnet said that username and password data used to authenticate users during log in was accessed before the site was able to patch its servers.

As for the NSA, the Director of National Intelligence has issued a statement saying that the NSA was not aware of the Heartbleed vulnerability until it was made public. The statement went on to say that the Federal government relies on OpenSSL the same as everyone else to protect the privacy of users of government websites and other online services.

However, what is even more important is that the statement categorically says that had the NSA, or any other of the agencies and organizations which make up the U.S. intelligence community, found the bug they would have reported it to the OpenSSL project.

“If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,” said the statement issued by the ODNI Public Affairs Office. The statement also said that when Federal agencies discover a new vulnerability “it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.”

The Office of the Director of National Intelligence also said that in response to the President’s Review Group on Intelligence and Communications Technologies report that it had reinvigorated an interagency process for deciding when to share vulnerabilities. According to the report, “The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage.” Such a statement is important following the accusations that the NSA tried (and succeeded) in weakening certain encryption standards.

The report also says that, “US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks. In  rare instances, US policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments.”

This “rare” use of zero-day vulnerabilities was reiterated by the ODNI statement. “Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.”

Heartbleed bug exposes OpenSSL’s secrets, patches available

A serious security bug has been found in the ubiquitous OpenSSL encryption library that allows data to be stolen in its unencrypted form. According to the heartbleed.com website, which was set up expressly to inform system admins about the potential dangers, the Heartbleed bug can be exploited from the Internet and it allows an attacker to read up to 64k of the server’s memory at one time. By reading the memory an attacker can gain access to “the secret keys used to identify the service providers and to encrypt the traffic” along with “the names and passwords of the users and the actual content.” It means that attackers can eavesdrop communications that should have been otherwise encrypted.

A patched version of OpenSSL has already been published. According to the release notes, “a missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory” on a connected client or server. The OpenSSL project publicly thanked Neel Mehta of Google Security for discovering this bug and Adam Langley with Bodo Moeller for preparing the fix. It is recommended that all OpenSSL 1.0.1 users should upgrade to OpenSSL 1.0.1g. Those unable to immediately upgrade should recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. OpenSSL 1.0.0 and OpenSSL 0.9.8 are not vulnerable.

Heartbleed isn’t a design flaw in the SSL/TLS protocol specification but rather a bug in OpenSSL’s implementation of the heartbeat extension (RFC 6520) for TLS and DTLS, the transport layer security protocols.
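As an added illustration of the missing bounds check described above (example code, not OpenSSL’s source), here is a simplified heartbeat handler that compares the peer-supplied payload length against the record actually received before echoing the payload, exercised with a constructed record whose length field lies:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not OpenSSL's code) of the bounds check the advisory says
 * was missing. Layout follows RFC 6520: type (1 byte), payload_length
 * (2 bytes), payload, then at least 16 bytes of padding. */

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_PADDING_MIN 16

/* Build the response to a heartbeat record of rec_len bytes. Returns the
 * response length written to out (capacity out_cap), or -1 when the record
 * must be silently discarded as RFC 6520 requires. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* The check the unpatched code skipped: payload_len comes from the peer.
     * Without it the memcpy below reads payload_len bytes from rec + 3 even
     * when the record holds only a few, returning adjacent heap memory. */
    if (3 + payload_len + HB_PADDING_MIN > rec_len) return -1;

    size_t resp_len = 3 + payload_len + HB_PADDING_MIN;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);            /* echo, now in bounds */
    memset(out + 3 + payload_len, 0, HB_PADDING_MIN); /* real code: random padding */
    return (int)resp_len;
}

/* Constructed input: a request whose length field may disagree with the
 * payload bytes actually present. Returns the record size. */
size_t build_heartbeat(uint8_t *buf, uint16_t declared_len,
                       const char *payload, size_t actual_len) {
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared_len >> 8);
    buf[2] = (uint8_t)(declared_len & 0xff);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0, HB_PADDING_MIN);
    return 3 + actual_len + HB_PADDING_MIN;
}

/* Honest record: 5 payload bytes, length field says 5. Returns 1 on success. */
int demo_honest_record(void) {
    uint8_t rec[64], out[64];
    size_t n = build_heartbeat(rec, 5, "hello", 5);
    int r = heartbeat_respond(rec, n, out, sizeof out);
    return r == 24 && out[0] == HB_RESPONSE && memcmp(out + 3, "hello", 5) == 0;
}

/* Same 5 bytes, but the length field claims 65535: must be discarded. */
int demo_lying_length(void) {
    uint8_t rec[64], out[64];
    size_t n = build_heartbeat(rec, 65535, "hello", 5);
    return heartbeat_respond(rec, n, out, sizeof out) == -1;
}

int main(void) {
    printf("honest record answered: %d\n", demo_honest_record());
    printf("oversized claim discarded: %d\n", demo_lying_length());
    return 0;
}
```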

Because the bug can expose the keys used for encrypting the connection, attackers are able to decrypt any past and future traffic to the encrypted connection since the primary keys have been exposed. Unfortunately to remedy the problem, not only does the server require patching but all the compromised keys need to be revoked and new keys reissued. It also means that users who have used an encrypted service (say a web mail service, online shopping or cloud service) will need to change their passwords as potentially the connection used to log in was not secure.

One very worrying aspect of this bug is not only the widespread use of OpenSSL, but also that the first vulnerable version was published two years ago. If this bug had previously been found (but not disclosed) by cyber criminals or government-run security agencies, then the last two years’ worth of encrypted traffic should be deemed exposed. Even if it wasn’t found but the traffic was recorded, there are probably many state-level agencies working right now to siphon off keys from around the net before things are revoked and changed.

IBM says no NSA backdoors in its products

In an open letter published on the web, IBM has confirmed that it does not include any NSA “backdoors” in its products. The letter, written by Robert C. Weber, an IBM Senior Vice President, is IBM’s latest assurance to its clients following the months of revelations about the US government’s spying activities. As a result of the documents leaked by Edward Snowden, various US technology companies have come under pressure to reveal if they have been working with the NSA.

The IBM letter states that the technology giant has not provided client data to the NSA or any other government agency. Specifically it states that:

  • IBM has not provided client data to the National Security Agency (NSA) or any other government agency under the program known as PRISM.
  • IBM has not provided client data to the NSA or any other government agency under any surveillance program involving the bulk collection of content or metadata.
  • IBM has not provided client data stored outside the United States to the U.S. government under a national security order, such as a FISA order or a National Security Letter.
  • IBM does not put “backdoors” in its products for the NSA or any other government agency, nor does IBM provide software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data.
  • IBM has and will continue to comply with the local laws, including data privacy laws, in all countries in which it operates.

“Given the global discussion about data security and privacy, we wanted to communicate our view on these issues,” wrote Weber. “It has long been our (and our clients’) expectation that if a government did have an interest in our clients’ data, the government would approach that client, not IBM.”

In reiterating its commitment to its customers, the letter states several times that IBM would challenge any orders served on it by the NSA for data, stored inside or outside the USA, through judicial action or other means.

The letter also calls for the U.S. government to enter into a robust debate on surveillance reforms, including new transparency provisions that would allow the public to better understand the scope of intelligence programs and the data collected. It also goes on to say that no government should subvert commercial technologies, such as encryption, that are intended to protect business data.

Snapchat hack results in 4.6 million accounts being posted online

Snapchat, the popular photo messaging mobile service, has been hacked and as a result the details of 4.6 million user accounts have been posted online.

A website called SnapchatDB released the data with the intention of raising the public awareness about Snapchat’s vulnerabilities. SnapchatDB said it “censored the last two digits of the phone numbers” in order to “minimize spam and abuse,” however it is still possible that the full data could be released including millions of phone numbers. Although the website is now down, the data has been downloaded and is probably available if you look in the right places.

The story starts with a set of disclosures made by Gibson Security (GibsonSec) which were largely ignored by Snapchat. According to a blog post made by Snapchat a few days ago the disclosure by GibsonSec contains “allegation regarding a possible attack by which one could compile a database of Snapchat usernames and phone numbers.” The post went on to say that the disclosure was theoretical but the company did agree that “if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.”

Those allegations and theories seem to have become very real. According to comments made to TechCrunch by the founders of SnapchatDB, the hackers used a modified version of GibsonSec’s exploit/method. The hackers added that “Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t.”

SnapchatDB added that the motivation behind the exposure was to raise the awareness of security issues as “you wouldn’t want to eat at a restaurant that spends millions on decoration, but barely anything on cleanliness.”

Gibson Security tweeted that it knows “nothing about SnapchatDB” but added that “it was a matter of time till something like that happened.” According to the hackers, Snapchat did make some changes once the scraping started, but it “is still possible to scrape this data on a large scale” as the changes are not hard to circumvent. GibsonSec, which is run by students, also said that the exploit still works with minor fixes.

Huawei still banned from bidding on Australia’s National Broadband Network

Australia’s recently formed government has maintained the existing ban which stops the Chinese telecoms giant Huawei from bidding on contracts to build Australia’s National Broadband Network (NBN). The new government, which took power on 18 September 2013, has listened to advice from its security agencies and upheld the ban placed by its predecessors.

Huawei is currently considered a security risk by several different nations including the USA. Its bad image stems from the fact that the company was founded by Ren Zhengfei, a former officer of the People’s Liberation Army and its perceived links to the Chinese State. The USA, like Australia, has banned Huawei and a government committee reported last year that “the risks associated with Huawei and ZTE’s provision of equipment to US critical infrastructure could undermine core US national-security interests.”

The Australian Attorney-General George Brandis said the government had no plans to relax its stance on Huawei adding that “the decision of the previous government not to permit Huawei to tender for the NBN was made on advice from the national security agencies.”

“Since the election the new government has had further briefings from the national security agencies. No decision has been made by the new government to change the existing policy,” Brandis told the AFP.

Huawei had previously run an intense lobbying campaign in Canberra for the ban to be removed. According to the Australian Financial Review, the Attorney-General overruled a move by some within the new government to relax the ban on Huawei. However some members of the cabinet were reportedly against changing the previous government’s policy and had expressed concerns that allowing Huawei to bid on the NBN could be seen as a problem by the USA.

Huawei has denied having close connections to the Chinese government and has stressed that the company is 98.6% owned by its employees.

Belgium’s largest telecommunications company victim to a nation-state sponsored spying campaign

The Belgian government has revealed that a foreign state has been spying on its largest telecommunications company Belgacom. The company, which is a top tier carrier for voice traffic in Africa and the Middle East, was hacked by an intruder with significant financial and logistic means.

According to the Belgian daily newspaper De Standaard, the NSA is responsible for the attack and the agency has been monitoring international telephone traffic through Belgacom for two years. It is thought that the NSA was primarily interested in Belgacom’s subsidiary BICS, which provides international phone lines for Africa and the Middle East.

“This fact, combined with the technical complexity of the hacking and the scale on which it occurred, points towards international state-sponsored cyber espionage,” Federal prosecutors said in a statement.

The government of Belgium, which has a majority stake in Belgacom, condemned the intrusion but did not actually accuse the USA directly. The hack was performed using malware with advanced encryption techniques. Belgacom has now removed the unknown malware from its internal systems.

These latest accusations come in the midst of further revelations about the NSA’s activities thanks to documents released by Edward Snowden. According to the Brazilian television network Globo, the NSA has been spying using the computer systems of companies including Google Inc. and the Brazilian state oil firm Petroleo Brasileiro. It is also alleged that the NSA hacked into France’s Foreign Ministry and has been snooping through international financial transactions made via the Belgian-based international banking cooperative SWIFT.

Third time’s a charm for Microsoft’s recent security patches

(LiveHacking.Com) – Just under two weeks ago Microsoft released its regular set of patches for Windows and other Microsoft products to fix the current security vulnerabilities. Some of these patches were deemed as Critical because the vulnerabilities could allow a hacker to execute arbitrary code on an affected PC and gain remote access to the machine.

Among the original updates was MS13-066, a patch rated as Important which fixed a vulnerability in the Active Directory Federation Services. The original vulnerability could allow information disclosure. Unfortunately after its release, Microsoft discovered that the patch could cause the AD FS to stop working. As a result Microsoft removed the update. Then last week Microsoft re-released the bulletin with a fix for the fix. It turns out that systems without the RU3 rollup QFE installed experienced the problems. The new patch should work with or without RU3.

That was strike one.

August’s Patch Tuesday also contained MS13-061, a Critical patch to fix vulnerabilities in Microsoft’s Exchange Server. If exploited, these vulnerabilities could allow remote code execution. As with MS13-066, after the release of the patch Microsoft discovered some problems: specifically, that after the update Exchange Server 2013 Cumulative Update 1 and Microsoft Exchange Server 2013 Cumulative Update 2 would stop indexing mail. Today Microsoft re-released MS13-061 to fix the bug that stopped the indexing of messages.

That was strike two.

The next (and last?) patch that caused trouble for Microsoft was MS13-057, a Critical patch from July which addressed a vulnerability in the Windows Media Format Runtime. The vulnerability could allow remote code execution if a user opens a specially crafted media file. Just before August’s Patch Tuesday Microsoft re-released it to address an application compatibility issue in which WMV encoded video could fail to properly render during playback. Originally this only affected Windows 7 and Windows Server 2008 R2. Today Microsoft released the patch (third time’s a charm – we hope) for Windows XP, Windows Server 2003 and Windows Vista to address the same WMV playback error.

And that was strike three? Any more swings at the ball Microsoft???

UK government to investigate Huawei’s involvement in the Cyber Security Evaluations Centre

The Intelligence and Security Committee, a group established by the British government to examine the extent of foreign involvement in the UK’s Critical National Infrastructure and its implication for national security, has raised questions about the independence of staff employed at the Cyber Security Evaluations Centre, or the Cell as it is commonly called.

Part of the work at the cell is to test equipment from Huawei for security vulnerabilities and ensure that the equipment doesn’t have any back-doors or easily exploitable weaknesses.

According to the report the Cell was formed due to a big contract win for Huawei from British Telecom (BT). The UK government engaged directly with Huawei UK and suggested the establishment of the evaluation center to increase confidence in the security of Huawei products.

Although staffed by security cleared UK personnel, the Cell is funded entirely by Huawei and remains under Huawei’s control. The report questions whether the staff, 34 who are paid and employed by Huawei, are sufficiently independent of Huawei to provide the necessary level of assurance about the company’s activities.

The Cell tests all updates to Huawei’s hardware and software for high-risk components before they are deployed on UK networks. However, the center was only due to become fully operational at the end of 2011 (six years after Huawei won the BT contract), and now, in 2013, it is working at a reduced capacity, both in terms of staffing and remit; witnesses have conceded that it is too soon to tell how effective it is.

Huawei’s troubles stem from the fact that the company was founded by Ren Zhengfei, a former officer of the People’s Liberation Army. Most of the concerns surrounding Huawei relate to its perceived links to the Chinese State. Due to these concerns a government committee in the US published a harsh assessment of Huawei’s reliability. The report concluded that “the risks associated with Huawei and ZTE’s provision of equipment to US critical infrastructure could undermine core US national-security interests”. In Australia the Government decided to exclude Huawei from any involvement in their National Broadband Network on national security grounds.

Huawei has denied having close connections to the Chinese government and has stressed that the company is 98.6% owned by its employees.

Sky hacked by the Syrian Electronic Army

(LiveHacking.Com) – Several apps belonging to British Sky Broadcasting (Sky) have been removed from Google’s official Android app store following an attack on Sky by the Syrian Electronic Army. The SEA also hacked into one of Sky’s Twitter accounts where it urged readers to download the new defaced apps. The SEA aligns itself with Syrian President Bashar al-Assad, but denies they operate under the orders of his government.

As part of the hack six of Sky’s Android apps were defaced by having their logos replaced with the SEA logo. Also the descriptions of the apps, which included the company’s Sky News, Sky Sports News, Sky Sports Football, Sky WiFi, Sky+ and Sky Go apps, were altered to read: “Syrian Electronic Army Was Here”. The screenshots for the apps were also replaced.

The attack of a Google Play account is something new for the SEA which until now focused on breaching social media accounts of various media companies and western politicians. Normally once an account was hacked the SEA would publish false information. Last month the SEA launched an attack on AP’s twitter account and published a false tweet about the White House being bombed and President Barack Obama being injured. The tweet led to a multi-million dollar drop in the Dow.

According to another Sky account: “Due to a security breach Twitter has locked down @skyhelpteam & we are currently unable to tweet from it.” A Sky spokesman told the BBC it was working to reinstate its apps now that they have been taken offline.

Over the weekend, it was also reported by the Israeli press that the SEA had mounted a failed attempt to disrupt the water supply in the port city of Haifa. The Jerusalem Post said that the chairman of the Science Ministry’s National Council for Research and Development, Prof Yitzhak Ben Yisrael, revealed that earlier this month the hackers tried to damage the computers controlling the city’s infrastructure.