A take on the security news, week 15 2015

Wed 08 April 2015

A take on the security news, week 15 / 2015. I summarize some of the information security news that I considered noteworthy this week.
Android security report, Skip TLS and FREAK, Apple security updates, and 3 out of 4 still vulnerable to Heartbleed.

Monday

Google report on Android security

The final report on the security state of Android in 2014. It seems that 0.5% of Android devices are infected with some kind of malware, except in China, where about 3% of the devices are infected.

To stay safe you should not install applications from untrusted third-party locations. If you root your device you will also open it up to threats, since rooting bypasses some of the security mechanisms put there by Google.

The report also covers how Google reacted to the threats that emerged on the Android platform in 2014.

https://static.googleusercontent.com/media/source.android.com/en/us/devices/tech/security/reports/Google_Android_Security_2014_Report_Final.pdf

Skip TLS and FREAK attacks explained

Skip TLS is a vulnerability that an attacker can use to bypass important parts of the TLS setup. Several TLS implementations are vulnerable to this problem, and it has been shown that an attacker can trick the server into skipping TLS altogether if it is a server using the Java implementation shipped with the JDK.

https://www.smacktls.com

Tuesday

Deaddrop USB treasure hunt

Deaddrop is an electronic equivalent of geocaching where you leave files on a USB stick instead of treasures in a little box. The USB sticks are located all around the world, and you might find them cemented into brick walls or embedded in padlocks.

This might be a fun and interesting game, but from a security standpoint? You should never connect to a deaddrop with a device that you care about.

https://deaddrops.com/

http://boredomtherapy.com/hidden-usb-treasure-hunt/

Free malware analysis

This free service lets you upload a suspicious file, which gets analyzed for suspicious API calls, outbound traffic, etc. The website also lets you search through what has already been uploaded by others, so that you can find malware similar to the one you are interested in, i.e. what other malware contacts the same C&C address that your malware is using.

The tool supports PE files (.exe, .scr, .pif, .dll, .com, etc.), Office files (.doc, .docx, .ppt, .pptx, .xls, .xlsx, .rtf), and PDF and RTF files.

https://www.hybrid-analysis.com

Wednesday

Firefox update disables opportunistic encryption

A flaw was discovered in the HTTP Alternative Services implementation that an attacker could use to bypass SSL verification for the specified alternate server. Update 37.0.1 is rated critical, so update if you have not already done so.

https://www.mozilla.org/en-US/security/advisories/mfsa2015-44/

Three out of four still vulnerable to Heartbleed

A scan of the public-facing websites of the 2000 largest corporations revealed that 3 / 4 still have servers that are vulnerable to Heartbleed.

https://www.venafi.com/assets/pdf/wp/Hearts-Continue-to-Bleed-Research-Report.pdf

Thursday

Apple security updates

Apple released security updates for Xcode, Apple TV, iOS, Safari and OSX today. For OSX the export-grade ciphers are removed as a result of the FREAK vulnerability. In iOS, a vulnerability that allowed an attacker to brute-force the lock screen passcode is patched.

The unofficial SHA-1 deprecation FAQ

Wondering why SSL-protected sites have started showing a broken padlock in Chrome? Google wants to deprecate all certificates that use SHA-1 and has started penalizing them visually in Chrome.

If your certificate expires after Dec 2015 and uses SHA-1 (or one of the intermediates uses SHA-1), you should get your certificate reissued or get a SHA-256 version of the intermediate certificate.

https://blog.filippo.io/the-unofficial-chrome-sha1-faq/

https://shaaaaaaaaaaaaa.com
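To make the check above concrete, here is an added example (my own code, not from the FAQ or from Google) that walks the DER of a certificate chain with only the Python standard library and applies the rule: leaf expires after Dec 2015 and either the leaf or an intermediate is SHA-1 signed. It assumes well-formed DER input, the root is left out of the chain (Chrome trusts roots by key, so their signature algorithm does not matter), and the sample certificates it builds are constructed, unsigned stand-ins whose only meaningful fields are the ones the check reads.

```python
import datetime

# Raw DER encodings of the signature-algorithm OIDs the check compares (RFC 3279 / 4055).
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # sha1WithRSAEncryption
SHA1_ECDSA_OID = bytes.fromhex("2a864886ce3d0401")    # ecdsa-with-SHA1
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
SHA1_SIG_OIDS = {SHA1_RSA_OID, SHA1_ECDSA_OID}
CUTOFF = datetime.datetime(2015, 12, 31, 23, 59, 59)  # "expires after Dec 2015"

def der_children(buf):
    """Split the contents of a constructed DER value into (tag, value) children."""
    out, i = [], 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                  # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
        out.append((tag, buf[i:i + ln]))
        i += ln
    return out

def sig_oid_and_not_after(der):
    """Return (raw signature OID, notAfter) from one DER-encoded X.509 certificate."""
    tbs, sig_alg, _sig = der_children(der_children(der)[0][1])
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                           # optional explicit [0] version
        fields = fields[1:]
    tag, raw = der_children(fields[3][1])[1]           # validity is fields[3]; notAfter is its 2nd child
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime or GeneralizedTime
    return der_children(sig_alg[1])[0][1], datetime.datetime.strptime(raw.decode(), fmt)

def needs_reissue(chain):
    """chain: DER certs, leaf first then intermediates (root omitted); True when the leaf outlives Dec 2015 and any cert in it is SHA-1 signed."""
    if sig_oid_and_not_after(chain[0])[1] <= CUTOFF:
        return False
    return any(sig_oid_and_not_after(c)[0] in SHA1_SIG_OIDS for c in chain)

def tlv(tag, value):
    """Encode a short-form DER TLV; only used to build the constructed sample certificates."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def sample_cert(sig_oid, not_after_utctime):
    """Constructed, unsigned stand-in: only the fields the check reads carry real content."""
    alg = tlv(0x30, tlv(0x06, sig_oid) + b"\x05\x00")
    validity = tlv(0x30, tlv(0x17, b"150101000000Z") + tlv(0x17, not_after_utctime))
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, b"\x01") + alg
              + tlv(0x30, b"") + validity + tlv(0x30, b"") + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
```

For a real site, feed needs_reissue the DER bytes of the served chain (for example what openssl s_client -showcerts prints, base64-decoded) rather than the constructed samples.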

Friday

Hidden backdoor in API in OSX

By using the Admin framework in OSX, an attacker can gain local root privileges. The problem is patched in 10.10.3, but Apple has stated that the patch will not be ported to 10.8 or 10.9, leaving them with a known, not-going-to-be-patched vulnerability.

https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/

Backup drives indexed by Google

XSS discovered that millions of personal backup devices have been exposed to the Internet and indexed by search engines. Some of the archives date back to 2004, while the most recent ones are from 2015.

The reason for this seems to be misconfigured backup devices and / or routers. A router with its FTP server enabled and a personal backup device attached to it will leak information.

http://www.csoonline.com/article/2906137/cloud-security/lost-in-the-clouds-your-private-data-has-been-indexed-by-google.html