A take on the security news, week 09 2015
Monday
Lenovo apologizes for Superfish
Lenovo apologizes for preloading its products with the malware-like product
called Superfish.
Superfish serves unwanted ads to the customers using the machine, but worse,
it performs a man-in-the-middle (MITM) attack. Superfish uses a third-party library
from a company named Komodia to modify the Windows networking stack and install a new
root Certificate Authority (CA), allowing Superfish to impersonate any SSL-enabled
site.
http://uk.businessinsider.com/lenovo-were-sorry-about-superfish-2015-2?r=US
https://www.facebook.com/notes/protect-the-graph/windows-ssl-interception-gone-wild/1570074729899339
RC4 removed from TLS
A new RFC was recently published by the IETF, removing RC4 as an acceptable cipher for TLS. RC4 has been considered weak for a while now.
https://tools.ietf.org/html/rfc7465
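The RFC boils down to one rule: a compliant TLS peer never offers or accepts an RC4 suite. As an added example (not from the post or the RFC), the Python below checks a cipher list against that rule and builds a client context whose cipher policy spells the exclusion out. The sample cipher names are a constructed snapshot in OpenSSL naming, not data from any real server.

```python
import ssl

# Constructed sample: cipher suites as a TLS scanner or a server config might list them.
# Two of them use RC4 and would be rejected under RFC 7465.
SAMPLE_SERVER_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-RC4-SHA",
    "RC4-MD5",
    "AES256-SHA",
    "DHE-RSA-AES256-GCM-SHA384",
]


def rc4_suites(cipher_names):
    """Return the suites that use RC4; RFC 7465 forbids negotiating any of them."""
    return [name for name in cipher_names if "RC4" in name.upper()]


def rfc7465_compliant(cipher_names):
    """True when no configured suite uses RC4."""
    return not rc4_suites(cipher_names)


def hardened_client_context():
    """Client context whose cipher string excludes RC4 explicitly.

    Current OpenSSL builds already leave RC4 out of the defaults; writing '!RC4'
    into the policy makes the intent visible to whoever audits the configuration.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers("HIGH:!RC4:!aNULL:!eNULL:!MD5")
    return ctx


def context_cipher_names(ctx):
    """Names of the suites the context would actually offer (what a scanner would see)."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print("RC4 suites offered:", rc4_suites(SAMPLE_SERVER_CIPHERS))
    print("Sample list RFC 7465 compliant:", rfc7465_compliant(SAMPLE_SERVER_CIPHERS))
    ctx = hardened_client_context()
    print("Hardened context RFC 7465 compliant:",
          rfc7465_compliant(context_cipher_names(ctx)))
```

Running `rc4_suites` over the output of your own TLS scanner (or over a server's configured cipher string) is a quick way to confirm RC4 is gone on the server side as well as in the client.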
Your car wash is online
In the never-ending series of hackable devices, this week I present you with
a car wash. In the Internet of Things hype, every manufacturer is in a hurry to get
their stuff online.
The car wash mentioned in the article below is online, can be accessed through
Telnet, and is secured by a default, 5-character-long username / password combo.
http://threatpost.com/yes-your-car-wash-is-on-facebook/111148
Tuesday
Using battery usage to track phones
Two researchers have found that they can track a mobile phone's movement by
measuring the voltage and current status of the phone. If an attacker maps an
attack area beforehand, he can position the victim inside the target area based
on battery usage.
This is an interesting side-channel attack, and over a hundred applications on the
Play Store can access the needed data.
http://arxiv.org/pdf/1502.03182v1.pdf
Tracing users with fonts
The WordPress community just refreshed their backend with a new look and
new fonts. Among those shiny new fonts is the "Open Sans" family,
which is served from the Google Web Fonts API.
This raises some privacy concerns, and the remedy is a plugin called "Disable
Google Fonts", which does what it says on the tin.
http://fontfeed.com/archives/google-webfonts-the-spy-inside/
Wednesday
Samba vulnerability
A vulnerability has been found in the smbd file server daemon. It can be exploited by
a malicious Samba client sending specially crafted packets to the Samba
server. No authentication is required to exploit this flaw, and it can result in
remote execution of arbitrary code as root.
Apply the patches if you have Samba servers running.
https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/
Another MITM adware product fails
Just a week after Lenovo's SSL-intercepting Superfish "malware", we have a new
product that leaves its customers more vulnerable. This time it's PrivDog, a
part of Comodo's network security suite.
PrivDog acts as a proxy intercepting all the traffic (so it can inspect it).
To do this it installs its own CA certificate and terminates all your SSL
connections. The big problem is that the PrivDog software does not check that the
SSL connections it makes have valid certificates, meaning that any site can spoof its
identity with a bad certificate, and PrivDog will happily accept it. The user never
sees this, because the browser only sees PrivDog's own certificate.
Comodo has issued a patch, but if you don't use PrivDog, you should just uninstall
it.
http://www.kb.cert.org/vuls/id/366544
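Both Superfish and PrivDog fail on the same leg of the connection: the one from the interception proxy out to the real server, where the proxy has taken over the browser's job of validating the certificate. The following is an added example, not code from Superfish, PrivDog or Comodo; it puts the accept-anything behaviour the post describes next to what a terminating proxy's upstream connection has to do, using only Python's standard `ssl` module. The function names are mine.

```python
import socket
import ssl


def accept_anything_context():
    """The failure mode described for PrivDog: no chain validation, no hostname check.

    Any certificate, self-signed or issued for a different name, is accepted,
    and the browser behind the proxy has no way to notice.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile=None):
    """What the upstream leg of a TLS-inspecting proxy must use instead.

    Full chain validation against the system store (or the cafile given) plus
    hostname verification; create_default_context() already sets these, they are
    restated so the policy is explicit for anyone auditing the code.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_safe(ctx):
    """Policy check a reviewer can run over any SSLContext: both properties must hold."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_upstream_certificate(hostname, port, ctx, timeout=5.0):
    """Connect with SNI and return the peer certificate as a dict.

    With verifying_context() a forged or self-signed certificate raises
    ssl.SSLCertVerificationError before any application data is exchanged.
    With accept_anything_context() the handshake succeeds silently and
    getpeercert() returns {} because no validation took place.
    """
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, ctx in (("accept-anything", accept_anything_context()),
                       ("verifying", verifying_context())):
        print(f"{label}: safe={context_is_safe(ctx)}")
```

The useful takeaway for anyone deploying interception for legitimate reasons (corporate egress inspection, for instance) is `context_is_safe`: if the upstream context does not pass it, every client behind the proxy has lost certificate validation entirely, exactly the situation CERT describes for PrivDog.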
Thursday
Lenovo domain taken down by hackers
In response to the latest Superfish news, attackers hijacked lenovo.com, pointing
it to another website controlled by the attackers. It seems that no malicious
content was served from the attackers' website, so this was a good old defacement.
The attackers gained access to the lenovo.com domain through Lenovo's registrar,
webnic.cc.
http://www.theregister.co.uk/2015/02/25/lenovo_hacked_lizard_squad/
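A takeover at the registrar does not touch the victim's own servers, so it shows up first as a change in the domain's delegation (NS) or address (A) records. The Python below is an added example, not from the post or from Lenovo or webnic.cc: it keeps a baseline of the expected records and flags drift, treating an NS change as the most serious signal. All record values are constructed placeholders using reserved example names and addresses.

```python
import socket

# Constructed baseline for a hypothetical domain: the records the owner expects to see.
BASELINE = {
    "NS": {"ns1.example-dns.invalid.", "ns2.example-dns.invalid."},
    "A": {"192.0.2.10", "192.0.2.11"},
}

# Constructed snapshot of what a registrar-level hijack would look like:
# delegation moved to nameservers the owner does not control, address changed.
OBSERVED_HIJACKED = {
    "NS": {"ns1.attacker-controlled.invalid", "ns2.attacker-controlled.invalid"},
    "A": {"198.51.100.7"},
}

# Constructed benign snapshot: same data, different case and trailing-dot style.
OBSERVED_CLEAN = {
    "NS": {"NS2.example-dns.invalid", "Ns1.Example-DNS.invalid."},
    "A": {"192.0.2.11", "192.0.2.10"},
}

NAME_TYPES = {"NS", "CNAME", "MX"}   # record types whose values are DNS names


def normalize(rtype, values):
    """Make records comparable: DNS names are case-insensitive and may carry a trailing dot."""
    if rtype in NAME_TYPES:
        return {v.lower().rstrip(".") for v in values}
    return set(values)


def diff_records(baseline, observed):
    """Return {rtype: (added, removed)} for every record type where observed differs."""
    drift = {}
    for rtype in sorted(set(baseline) | set(observed)):
        expected = normalize(rtype, baseline.get(rtype, set()))
        seen = normalize(rtype, observed.get(rtype, set()))
        added, removed = seen - expected, expected - seen
        if added or removed:
            drift[rtype] = (added, removed)
    return drift


def severity(drift):
    """NS drift means the delegation itself moved (registrar or DNS-account level event)."""
    if "NS" in drift:
        return "critical"
    if drift:
        return "high"
    return "none"


def live_a_records(domain):
    """Current A records via the stdlib resolver, for feeding diff_records() on a schedule.
    NS records need a real DNS client (dig, or a library such as dnspython); out of scope here."""
    return {info[4][0] for info in socket.getaddrinfo(domain, None, socket.AF_INET)}


if __name__ == "__main__":
    for label, snapshot in (("hijacked", OBSERVED_HIJACKED), ("clean", OBSERVED_CLEAN)):
        drift = diff_records(BASELINE, snapshot)
        print(f"{label}: severity={severity(drift)} drift={drift}")
```

Run on a schedule from a host outside your own network, this catches the case where nothing on your servers changed but the world is being sent elsewhere. Registrar-side controls (registry lock, transfer lock, MFA on the registrar account) prevent it; the check above is how you notice if they failed.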
Ramnit botnet taken down by Europol
Europol has taken down the Ramnit botnet. Command & control servers were shut down, and the domain names used for control were redirected to sinkholes. There were about 300 domain names involved in this particular case, with servers spread across multiple countries.
Gemalto claims SIM-card encryption keys not leaked
Gemalto presents the results of its investigation after the claim that the NSA and GCHQ
compromised its network and stole SIM card encryption keys.
The short version is that they detected abnormalities in the given period, but
only office networks were attacked. The encryption keys were stored on a
separate network.
Tracking hacked websites with Shodan
By searching Shodan for the string "hacked by", John Matherly gained quite interesting statistics about hacked websites. It should not be a surprise that most of the hacked websites were running HTTP (port 80). What came as a surprise was that 25% of the "hacked by" websites were hosted at the same hosting provider.
https://blog.shodan.io/tracking-hacked-websites/
Friday
Firefox 36 with full support for HTTP/2
The new release of Firefox now supports HTTP/2, fixes bugs and abandons 1024-bit certificates. HTTP/2 is a bit of a change, so maybe I will write a separate post on it soon.
https://www.mozilla.org/en-US/firefox/36.0/releasenotes/
https://tools.ietf.org/html/draft-ietf-httpbis-http2-17
2014 vulnerabilities compared by operating system
GFI has looked at the National Vulnerability Database and compiled statistics for
certain key parameters such as operating system, severity, impact and so on.
OS X and iOS were rated first and second in number of vulnerabilities patched
in 2014, which came as a surprise to many. But if you look at application
vulnerabilities, Internet Explorer outranks all competition when it comes
to the number of patched vulnerabilities.
http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/