A take on the security news, week 09 2015

Fri 27 February 2015

A take on the security news, week 09 / 2015. I summarize the information security news I considered noteworthy this week.
More Superfish news, RC4 removed from TLS, a Samba vulnerability, the Lenovo domain hijacked, and Firefox 36 with full support for HTTP/2.


Lenovo apologizes for Superfish

Lenovo has apologized for preloading their products with the malware-like product called Superfish.

Superfish serves unwanted ads to customers using the machine, but worse, it performs a man-in-the-middle (MITM) attack. Superfish uses a third-party library from a company named Komodia to modify the Windows networking stack and install a new root Certificate Authority (CA), allowing Superfish to impersonate any SSL-enabled site.



RC4 removed from TLS

A new RFC recently published by the IETF removes RC4 as an acceptable cipher for TLS. RC4 has been considered weak for a while now.


Your car wash is online

In the never-ending series of hackable devices, this week I present you with a car wash. In the Internet of Things hype, every manufacturer is eager to get their stuff online.

The car wash mentioned in the article below is online, can be accessed through Telnet, and is secured by a default five-character username/password combination.



Using battery usage to track phones

Two researchers have found that they can track a mobile phone's movements by measuring the voltage and current status of the phone. If an attacker maps an area beforehand, he can position the victim inside that area based on battery usage.
This is an interesting side-channel attack, and over a hundred applications on the Play store can access the needed data.


Tracking users with fonts

The WordPress community just refreshed their backend with a new look and new fonts. Among those new shiny fonts is the "Open Sans" family, which is served from the Google Web Fonts API.

This raises some privacy concerns, and the remedy is a plugin called "Disable Google Fonts", which does what it says on the tin.



Samba vulnerability

A vulnerability has been found in the smbd file server daemon. It can be exploited by a malicious Samba client sending specially crafted packets to the Samba server. No authentication is required to exploit this flaw, and it can result in remote execution of arbitrary code as root.

Apply patches if you have Samba servers running.


Another MITM adware product fails

Just a week after Lenovo's Superfish SSL-intercepting "malware", we have a new product that leaves customers more vulnerable. This time it's PrivDog, part of Comodo's network security suite.
PrivDog acts as a proxy intercepting all traffic (so it can inspect it). To do this it installs its own CA certificate and terminates all your SSL connections. The big problem is that PrivDog does not check the upstream SSL connections it makes for valid certificates, meaning any site can spoof its identity with a bad certificate and PrivDog will happily accept it. The user never sees this, because the browser only sees PrivDog's own certificate.

Comodo has issued a patch, but if you don't use PrivDog, you should just uninstall it.
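A defender-side check for the two TLS failure modes in this post (RC4 still enabled, as covered by the RC4 item above, and an intercepting client like PrivDog that terminates TLS without validating the upstream certificate). This is an added example using only the Python standard library, not code from the post or from Comodo; the "PrivDog-like" context is a constructed stand-in for that behaviour, not PrivDog's actual code.

```python
import re
import ssl

# Cipher families ruled out by the RC4 RFC and general TLS hardening guidance.
BANNED = (r"\bRC4\b", r"\bDES\b", r"\bNULL\b", r"\bEXPORT\b", r"\bMD5\b")


def weak_suites(names):
    """Return the cipher suite names that belong to a banned family."""
    return [n for n in names if any(re.search(p, n) for p in BANNED)]


def audit_context(ctx, is_client):
    """Return a list of finding codes for an ssl.SSLContext; empty means it passed."""
    findings = []
    if weak_suites(c["name"] for c in ctx.get_ciphers()):
        findings.append("weak-ciphers")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("old-protocol")
    if is_client:
        # The PrivDog failure: terminate TLS, but accept any upstream certificate.
        if ctx.verify_mode == ssl.CERT_NONE:
            findings.append("no-cert-verify")
        if not ctx.check_hostname:
            findings.append("no-hostname-check")
    return findings


def privdog_like_client():
    """Constructed stand-in for a proxy's upstream client that skips validation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client():
    """Client context that validates the peer and excludes RC4 and similar suites."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!RC4:!MD5:!3DES")
    return ctx


if __name__ == "__main__":
    print("PrivDog-like client:", audit_context(privdog_like_client(), is_client=True))
    print("hardened client:    ", audit_context(hardened_client(), is_client=True))
```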



Lenovo domain taken over by hackers

In response to the latest Superfish news, attackers hijacked lenovo.com, pointing it to another website controlled by the attackers. It seems that no malicious content was served from the attackers' website, so this was a good old defacement.

The attackers gained access to the lenovo.com domain through its registrar, webnic.cc.


Ramnit botnet taken down by Europol

Europol has taken down the Ramnit botnet. Command & control servers were shut down, and the domain names used for control were redirected to sinkholes. About 300 domain names were involved in this particular case, with servers spread across multiple countries.


Gemalto claims SIM card encryption keys were not leaked

Gemalto has presented the results of its investigation into the claim that the NSA and GCHQ compromised its network and stole SIM card encryption keys.

The short version is that they detected abnormalities in the given period, but only office networks were attacked. The encryption keys were stored in a separate network.


Tracking hacked websites with Shodan

By searching Shodan for the string "hacked by", John Matherly gained some interesting statistics about hacked websites. It should not be a surprise that most of the hacked websites were running HTTP (port 80). What came as a surprise was that 25% of the "hacked by" websites were hosted at the same hosting provider.



Firefox 36 with full support for HTTP/2

The new release of Firefox now supports HTTP/2, fixes bugs and abandons 1024-bit certificates. HTTP/2 is a bit of a change, so maybe I will write a separate post on it soon.



2014 vulnerabilities compared by operating system

GFI has looked at the National Vulnerability Database and gathered statistics for certain key parameters such as operating system, severity, impact and so on.

OS X and iOS were rated first and second in number of vulnerabilities patched in 2014, which came as a surprise to many. But if you look at application vulnerabilities, Internet Explorer outranks all competition when it comes to the number of patched vulnerabilities.


Tagged as: security