A take on the security news, week 12 2015

Wed 18 March 2015

A take on the security news, week 12 / 2015. I summarize some of the news that I considered noteworthy related to information security this week.
Yahoo end-to-end email encryption and one-time passwords, The risks of SSL interception, Fake SSL for live.fi domain and Hardware assisted iOS screenlock cracking.


Yahoo end-to-end email encryption plugin

Yahoo has now released a plugin that encrypt the email on the client, thus giving end-to-end encryption capabilites. It seems that the plugin is not 100% done yet because the source code is available on Github and Yahoo is asking for feedback through a bugbounty program. The plugin use PGP so it should be solid, and hopefully easy to use for customers.


Google private whois disclosure

It is discovered that hundred of thousands private whois records have been disclosed when renewed. The information is now private again, but due to the number of whois databases the information will never disappear afrom the Internet. All the domains were registered through Google App using eNom as registrar. The information disclosed included full names, addresses, phone numbers, and email addresses for each domain.



Yahoo experimenting with “On Demand Passwords”

This new service let you leave your phonenumber with yahoo, and instead of entering your password when you want to login, yahoo is sending you a one-time password. Many users know this scheme from different two-factor authentication solutions, but this is without the first factor.

The system makes it convenient in the way that you dont have to remember your password, but since it still will accept your password it is not more secure than it used to be.


The risks of SSL interception

A consise, comprehensive breakdown of the risks of SSL interception is published by cert.org. There is a number of reasons to inspect SSL traffic:

  • corporation have proxies that inspect the traffic to prevent dataleakage
  • web application firewalls (WAF) might want to see if there is any malicious traffic going on
  • loadbalancers wants to inspect traffic to ensure QOS / do traffic shaping
  • … and more

The problem is when the SSL interception is not implemented correctly. The article lists 58 implementations that have done it wrong, along with some common mistakes that you can check to see if your own implementations is good.



Fake SSL certificate for live.fi

An attacker managed to get a certificate for the live.fi (Microsofts finnish version of live.com) domain. Microsoft forgot to block the list of email that could be used for verification, so the attacker created an “admin”@live.fi address and used it to get an SSL certificate issued for the domain live.fi.


Apple update Safari

Version patched are 6, 7 and 8. If you have 8, the new version number is now 8.0.4. The path fix 16 different memory corruption issues that could be used for code execution. It also fix 1 user interface issue.


TLS server scan results

As a consequence of the newly published FREAK vulnerability, researchers did an Internet wide scan for export-grade RSA keys. The scan was carried out rought a week after the FREAK vulnerability was announced.

About 10 % of servers still support export-grade RSA keys. However, they found that some keys were present many times, with one particular key present over 28k times.



Update on live.fi SSL certificate

It seems that the “attack” was carried out by a security researcher that discovered that it was possible to register the email address “hostmaster@live.fi”. He tried to warn Microsoft about this, but got no response. To prove that there was a problem he ordered a live.fi certficate, and noticed Microsoft again. So in this case the certificate was never used to impersonate the live.fi site.

Invisible software on iOS

Software that is not visible to the user through the GUI can pose a security risk. iOS8 get rid of a couple of ways to hide software on non-rooted devices, but apparently there is still ways around it.

If you suspect hidden malware running on your phone, you can hook it up to xcode and look in the device organizer.



Hardware assisted iOS screenlock bruteforcing

A device called IP-box can be used to bruteforce the lockscreen password of an iOS device. The box is hooked to the phoens powercord and will cut the power after each guessing attempts to avoid that the attempt get registered by the phone. This will defeat the “wipe my phone after X failed login attempts” feature.

The box costs about 200GBP and use about 111 hours to bruteforce a 4-digit pin. Lesson to be learned? Go for alphanumeric lockscreen password, and dont loose your phone.


Yosemite update 2015-003

A new OSX 10.10.2 Yosemite security update is now available, only 10 days after the last one (2015-002). This update include iCloud keychan and IOSurface patches. The IOSurface was patched 10 days ago, but only on Mountain Lion and Mavericks, probably someone forgot to include Yosemite back then.