A take on the security news, week 39


Sat 27 September 2014

A take on the security news, week 39 / 2014. I summarize some of the information security news from this week that I considered noteworthy.

Monday

OS X Keychain Extraction Tool

A new tool for analysing the OS X keychain. One of the issues it exploits is that the master password is kept in memory (so that users do not have to enter their password every time). If you have root access to the OS X machine, the tool dumps the memory, scans for memory used by the keychain and tries to find interesting data.

There are lots of details on how the OS X keychain works in this paper:

http://forensic.n0fate.com/wp-content/uploads/2012/12/Keychain-Analysis-with-Mac-OS-X-Memory-Forensics.pdf

Internet of things security, Heatmiser WiFi thermostat vulnerabilities

As more and more devices in our home are connected to the Internet, I want to focus on Internet of things security.

The appliance in this article has vulnerabilities that can be exploited remotely, but there is no way to update the appliance over the network. So exploiting is easy, patching is hard: you have to connect a programmer to the appliance to upload the patched firmware. If you see scans on port 8068, it might be someone looking for a vulnerable thermostat.

The article lists a lot of issues with this appliance, such as being open to CSRF attacks, default web credentials, in-browser sanitising of inputs and more.

http://cybergibbons.com/security-2/heatmiser-wifi-thermostat-vulnerabilities/

Tuesday

October is the 2014 Cybersecurity month

For this October, the community has put the following weekly NIS topics on the agenda:

1st week: Training employees, targeting public and private organizations;
2nd week: PC and mobile security protection and updates, targeting all digital users;
3rd week: Coding, targeting students;
4th week: Cyber security exercises, targeting technical expertise;
5th week: ePrivacy, targeting all digital users.

http://cybersecuritymonth.eu

iOS 7 Exploit released

The exploit comes in the form of a malformed PDF, which would usually be delivered as an image inside an HTML page. The exploit triggers a memory corruption which can lead to remote code execution. Upgrade to iOS 8 if you have the possibility to do so.

https://isc.sans.edu/forums/diary/iOS+7+1+x+Exploit+Released+CVE-2014-4377+/18693

Wednesday

jQuery.com Malware attack

Credential-stealing malware was detected as a drive-by download from jquery.com. This is problematic because many enterprise web administrators and developers visit jquery.com. These are people who often have privileged access to servers and services. Lesson to be learned: Keep your normal account separated from your privileged administrator account.

Another aspect of this attack is that many sites rely on jQuery by linking to the library that is hosted on jquery.com (instead of downloading it and linking to it locally). This makes sites vulnerable to an attack on the jquery.com-hosted version of the libraries (which is not proven to be the case in this attack). Lesson to be learned: Don't rely on remotely hosted code, but create a copy and host the bits & pieces yourself.

http://www.riskiq.com/resources/blog/jquerycom-malware-attack-puts-privileged-enterprise-it-accounts-risk#.VChkoitRWcg

Microsoft Expanding Bug Bounty

A lot of online services are now subject to bug bounty submissions.

http://technet.microsoft.com/en-US/security/dn800983

iPhone 6 Fingerprint Sensor as (in)secure as the previous one

https://blog.lookout.com/blog/2014/09/23/iphone-6-touchid-hack/

Thursday

Critical update for bash

If an attacker can set an environment variable, he can use this to execute code. For the exploit to work you need access to the server, so it's not a big deal for most normal bash users. The biggest problem here is all the web servers that run cgi-bin scripts.

This bug affects bash on most platforms (Linux, OS X, FreeBSD and more).

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6271
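To see whether the cgi-bin exposure described above is being probed, a web server's access log can be searched for the function-definition marker in logged request fields. This is an added example, not code from the linked advisory; it assumes the Apache/nginx "combined" log format, and the sample lines are constructed (documentation IP ranges, a placeholder where a command would be).

```python
import re

# Unpatched bash parses an environment value that begins with "() {" as a
# function definition. CGI copies request headers into environment variables,
# so the marker appears in logged header fields. Whitespace-tolerant on purpose.
FUNC_MARKER = re.compile(r"\(\)\s*\{")

QUOTED = r'"((?:[^"\\]|\\.)*)"'  # quoted field, allowing backslash-escaped quotes
# Combined format: ip ident user [time] "request" status size "referer" "agent"
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED
)

def find_shellshock_probes(lines):
    """Return one finding per logged field that carries the function marker."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            # Unparseable line: fall back to a raw search so nothing is skipped.
            if FUNC_MARKER.search(line):
                findings.append({"line": lineno, "ip": None, "field": "raw",
                                 "path": None, "status": None, "cgi": False})
            continue
        ip, _time, request, status, referer, agent = m.groups()
        parts = request.split()
        path = parts[1] if len(parts) >= 2 else ""
        cgi = "/cgi-bin/" in path or path.endswith(".cgi")  # prioritise CGI targets
        for field, value in (("request", request), ("referer", referer), ("agent", agent)):
            if FUNC_MARKER.search(value):
                findings.append({"line": lineno, "ip": ip, "field": field,
                                 "path": path, "status": int(status), "cgi": cgi})
    return findings

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; [constructed-placeholder]"',
    '203.0.113.9 - - [25/Sep/2014:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:03:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() {  :;}; [constructed-placeholder]" "curl/7.30.0"',
    '192.0.2.44 - - [25/Sep/2014:10:05:01 +0000] "GET /docs/func() HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_shellshock_probes(SAMPLE_LOG):
        print(finding)
```

Only fields the server actually logs can be checked this way; a marker sent in a header that is not part of the log format will not show up.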

jQuery 2nd compromise

A new attack was launched against jQuery's site today. This attack seems to be unrelated to the first one, and was trying to deface the website. Lesson learned: It's now time to start hosting your jQuery libraries instead of downloading them from their content delivery network.

http://blog.jquery.com/2014/09/24/update-on-jquery-com-compromises/
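Both jQuery items this week end with the same lesson: host the library yourself. The added example below (not code from jQuery or RiskIQ) lists the `<script>` tags on a page that still load from another host; the page URL, file names and sample HTML are constructed, and any host other than the page's own, including sibling subdomains, is counted as remote.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class RemoteScriptFinder(HTMLParser):
    """Collects <script src=...> references that resolve to a foreign host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.own_host = urlsplit(page_url).hostname
        self.base = page_url          # may be changed by a <base href> tag
        self.remote = []              # (host, resolved_url) tuples

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base> silently redirects every relative src on the page.
            self.base = urljoin(self.page_url, attrs["href"].strip())
            return
        if tag != "script" or not attrs.get("src"):
            return                    # not a script, or an inline script
        # urljoin resolves relative, root-relative and protocol-relative (//host) refs.
        url = urljoin(self.base, attrs["src"].strip())
        host = urlsplit(url).hostname  # hostname is lower-cased by urlsplit
        if host and host != self.own_host:
            self.remote.append((host, url))

def remote_scripts(page_url, html):
    """Return the scripts in `html` that are not served from page_url's host."""
    finder = RemoteScriptFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.remote

# Constructed sample page: two CDN references, two self-hosted, one inline.
SAMPLE_HTML = """
<html><head>
<script src="//code.jquery.com/jquery-1.11.1.min.js"></script>
<script src="/static/js/jquery-1.11.1.min.js"></script>
<script src="js/app.js"></script>
<script src="HTTP://Code.JQuery.com/ui/1.11.1/jquery-ui.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for host, url in remote_scripts("https://www.example.test/shop/index.html", SAMPLE_HTML):
        print(host, url)
```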

Friday

An update on the bash bug, now named shellshock

The first patch issued was not complete, but hopefully the second patch did the job. The proof-of-concept exploit is at least patched now. It has also been discovered that attackers can use DHCP servers as an attack vector.

https://isc.sans.edu/forums/diary/Update+on+CVE-2014-6271+Vulnerability+in+bash+shellshock+/18707

https://isc.sans.edu/forums/diary/Webcast+Briefing+Bash+Code+Injection+Vulnerability/18709/1#32107

Critical NSS update from Mozilla

Mozilla has issued an update to the Network Security Services (NSS). It was discovered that NSS is vulnerable to a signature forgery attack previously published by Daniel Bleichenbacher. This means that a user can connect to a site with a forged RSA SSL certificate without being warned.

The bug affects: Firefox, Firefox ESR, Thunderbird, Seamonkey and NSS.

https://www.mozilla.org/security/announce/2014/mfsa2014-73.html
