A take on the security news, week 15 2015
Monday
Google report on Android security
Google's final report on the security state of Android in 2014. About 0.5% of
Android devices are infected with some kind of malware, except in China, where
about 3% of devices are infected.
To stay safe, do not install applications from untrusted third-party sources.
Rooting your device also exposes it to threats, since rooting bypasses some of
the security mechanisms Google has put in place.
The report also covers how Google responded to the threats that emerged on the
Android platform in 2014.
SKIP-TLS and FREAK attacks explained
SKIP-TLS is a vulnerability an attacker can use to bypass important parts of the TLS handshake. Several TLS implementations are affected, and it has been shown that an attacker can trick a server using the Java implementation shipped with the JDK into skipping TLS altogether.
Tuesday
Deaddrop USB treasure hunt
Deaddrop is an electronic equivalent of geocaching where you leave files on a
USB stick instead of treasures in a little box. The USB sticks are located all
around the world, and you might find them fastened into brick walls or padlocks.
This might be a fun and interesting game, but from a security standpoint? You
should never connect a device you care about to a deaddrop.
http://boredomtherapy.com/hidden-usb-treasure-hunt/
Free malware analysis
This free service lets you upload an infected file, which is then analyzed for
suspicious API calls, outbound traffic, and so on.
The website also lets you search through what others have already uploaded, so
you can find malware similar to the sample you are interested in, e.g. other
malware that contacts the same C&C address as yours.
The tool supports PE files (.exe, .scr, .pif, .dll, .com, etc.), Office files
(.doc, .docx, .ppt, .pptx, .xls, .xlsx, .rtf), PDF and RTF files.
https://www.hybrid-analysis.com
Wednesday
Firefox update disables opportunistic encryption
A flaw was discovered in the HTTP Alternative Services implementation that an attacker could use to bypass SSL certificate verification for the specified alternate server. The 37.0.1 update is rated critical, so update if you have not already done so.
https://www.mozilla.org/en-US/security/advisories/mfsa2015-44/
Three out of four still vulnerable to Heartbleed
A scan of the public-facing websites of the 2000 largest corporations revealed that three out of four still have servers vulnerable to Heartbleed.
https://www.venafi.com/assets/pdf/wp/Hearts-Continue-to-Bleed-Research-Report.pdf
Thursday
Apple security updates
Apple released security updates for Xcode, Apple TV, iOS, Safari and OS X today. On OS X, the export-grade ciphers are removed in response to the FREAK vulnerability. On iOS, a vulnerability that allowed an attacker to brute-force the lock-screen passcode is patched.
The unofficial SHA-1 deprecation FAQ
Wondering why SSL-protected sites have started showing a broken padlock in Chrome?
Google wants to deprecate all certificates that use SHA-1 and has started
penalizing them visually in Chrome.
If your certificate expires after December 2015 and uses SHA-1 (or one of the
intermediates uses SHA-1), you should get your certificate reissued or obtain a
SHA-256 version of the intermediate certificate.
https://blog.filippo.io/the-unofficial-chrome-sha1-faq/
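One way to check your own chain against that rule, as an added example that is not from the FAQ or this post: a minimal DER walker that pulls the signature algorithm and notAfter out of a DER-encoded certificate and flags SHA-1 signatures that outlive December 2015 (it also recognises ecdsa-with-SHA1, which the summary above does not mention). The skeleton certificate it is exercised on is constructed for the test and is not a real signed certificate.

```python
from datetime import datetime
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",   # signatureAlgorithm OIDs
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1"}            # that mean "signed with SHA-1"
CUTOFF = datetime(2015, 12, 31, 23, 59, 59)                          # "expires after Dec 2015"

def _tlv_at(buf, pos):            # read one DER tag/length/value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:             # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(body):              # split a SEQUENCE body into its (tag, value) elements
    pos, items = 0, []
    while pos < len(body):
        tag, val, pos = _tlv_at(body, pos)
        items.append((tag, val))
    return items
def _oid(val):                    # OBJECT IDENTIFIER contents -> dotted string
    arcs, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n); n = 0
    return ".".join(map(str, arcs))
def _time(tag, val):              # UTCTime (0x17) is YYMMDD..., GeneralizedTime (0x18) is YYYYMMDD...
    return datetime.strptime(val.decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ")

def inspect_cert(der):            # -> (signature OID, notAfter) of one DER-encoded X.509 certificate
    _, cert, _ = _tlv_at(der, 0)
    tbs, sig_alg, _ = _children(cert)         # tbsCertificate, signatureAlgorithm, signatureValue
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                  # skip the optional [0] version field
        fields = fields[1:]
    not_after = _children(fields[3][1])[1]    # serial, signature, issuer, validity{notBefore, notAfter}
    return _oid(_children(sig_alg[1])[0][1]), _time(*not_after)

def needs_reissue(der, cutoff=CUTOFF):        # SHA-1 signed AND still valid after the cutoff?
    oid, not_after = inspect_cert(der)
    return oid in SHA1_SIG_OIDS and not_after > cutoff
# Constructed input: a skeleton certificate carrying only the fields read above, not a real signed one.
def _tlv(tag, body):              # short-form length only; the skeleton's bodies stay under 128 bytes
    return bytes([tag, len(body)]) + body
def skeleton_cert(sig_oid_der, not_after_utc):
    alg = _tlv(0x30, sig_oid_der + b"\x05\x00")                      # AlgorithmIdentifier {oid, NULL}
    validity = _tlv(0x30, _tlv(0x17, b"150101000000Z") + _tlv(0x17, not_after_utc))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _tlv(0x30, b"") + validity + _tlv(0x30, b"") + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))
SHA1_RSA_OID = bytes.fromhex("06092a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

Run needs_reissue over every certificate in the chain, the leaf and each intermediate, since the FAQ's rule applies to both. For a PEM file, strip the BEGIN/END lines and base64-decode the rest before passing it to inspect_cert.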
Friday
Hidden backdoor API in OS X
By using the Admin framework in OS X, a local attacker can gain root privileges. The problem is patched in 10.10.3, but Apple has stated that the patch will not be backported to 10.8 or 10.9, leaving those versions with a known vulnerability that is not going to be patched.
https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/
Backup drives indexed by Google
XSS discovered that millions of personal backup devices have been exposed to
the Internet and indexed by search engines.
Some of the archives date back to 2004, while the most recent ones are from
2015.
The cause seems to be misconfigured backup devices and/or routers: a router
with its FTP server enabled and a personal backup device attached to it will
leak information.