A take on the security news, week 42

Tue 14 October 2014

A take on the security news, week 42 / 2014. Each week I summarize the information security news I considered noteworthy.

  • Monday

HP signs malware with valid certificate

HP is revoking an old certificate from 2010 because it has been used to sign a trojan horse. HP's investigation traced the problem to an HP developer's machine that had been infected.

The impact of the revocation itself is small, but it can cause problems for users of older HP systems who try to reinstall drivers that were signed with that certificate back in 2010.

http://krebsonsecurity.com/2014/10/signed-malware-is-expensive-oops-for-hp/

Snapchat snaps stolen by hackers

A third-party service that let users "save snaps" has been compromised and hundreds of thousands of pictures have been stolen. The attackers say they will publish the pictures and make them searchable by Snapchat username. Note that the pictures were not taken from Snapchat's own servers but from a third-party service that users had logged into with their Snapchat credentials.

https://gigaom.com/2014/10/10/thousands-of-snapchat-images-may-have-been-hacked-via-a-third-party-image-saving-service/

  • Tuesday

Cyanogenmod vulnerable to man-in-the-middle SSL attacks

The CyanogenMod developers took certificate-handling example code from Oracle's Java 1.5 documentation and used it in the project. That example code has a flaw in its hostname verification: it does not correctly check that the name in the server's certificate matches the host being contacted, so an attacker who holds a valid certificate for some other name can act as a man in the middle.

CyanogenMod is not the first project to copy and paste this flawed code from Oracle.

http://www.theregister.co.uk/2014/10/13/androids_cyanogenmod_open_to_mitm_attacks/

https://docs.google.com/document/pub?id=1roBIeSJsYq3Ntpf6N0PIeeAAvu4ddn7mGo6Qb7aL7ew
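Hostname verification is exactly the kind of check that looks trivial and is easy to get wrong. The Python below is an added example, not CyanogenMod's, Oracle's or any project's code: a conservative RFC 6125-style matcher next to a constructed suffix-match check of the kind that lets a certificate for an unrelated domain pass. It does not reproduce the specific Oracle bug; the function names and the hostnames used are constructed for illustration.

```python
import ipaddress


def naive_match(cert_name: str, host: str) -> bool:
    """Illustrative FLAWED check (constructed for this example, not the CyanogenMod
    or Oracle code): strips the wildcard and accepts any host ending in what is left.
    '*.example.com' then matches 'a.b.example.com', and a plain 'example.com'
    matches 'notexample.com', so a certificate for an attacker-owned domain passes."""
    suffix = cert_name.lower().lstrip("*")
    return host.lower().endswith(suffix)


def match_hostname(cert_name: str, host: str) -> bool:
    """Conservative comparison of one certificate dNSName against the requested host:
    case-insensitive, label by label, wildcard allowed only as the whole left-most
    label, matching exactly one label, never for IP literals and never for a TLD."""
    host = host.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False  # IP literals must match an iPAddress SAN, never a name
    except ValueError:
        pass
    host_labels = host.split(".")
    cert_labels = cert_name.split(".")
    # Same label count (a wildcard never spans labels) and no empty labels.
    if len(host_labels) != len(cert_labels) or not all(host_labels) or not all(cert_labels[1:]):
        return False
    for i, (cl, hl) in enumerate(zip(cert_labels, host_labels)):
        if i == 0 and cl == "*" and len(cert_labels) >= 3:
            continue  # '*.example.com' matches one label; '*.com' is refused below
        if "*" in cl or cl != hl:
            return False  # partial wildcards such as 'f*.example.com' are rejected
    return True


def verify_cert_host(san_dns_names, subject_cn, host) -> bool:
    """Per RFC 6125 the subject CN is consulted only when the certificate carries
    no dNSName SAN entries at all."""
    names = list(san_dns_names) if san_dns_names else ([subject_cn] if subject_cn else [])
    return any(match_hostname(n, host) for n in names)
```

Python's own ssl.match_hostname implements these rules for the standard library; the point of the hand-written version is to make the rules visible so you can recognise a copy-and-pasted verifier that skips them.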

Decrypting Android Snapchat Images

A good writeup on how Snapchat encrypts and decrypts images on your Android device, with proof-of-concept code.

https://github.com/programa-stic/snapchat-decrypt

  • Wednesday

Yet another SSL vulnerability with a fancy name, POODLE

The vulnerability stems from the design of SSL 3.0 itself: the CBC padding is not covered by the MAC and only the final padding length byte is checked, so an active attacker who can make the victim's browser send many requests (for example via injected JavaScript) can use the server's accept/reject behaviour as a padding oracle and decrypt secrets such as session cookies one byte at a time. It is somewhat similar to the BEAST attack in impact, and as with BEAST there is no patch for the protocol itself. The solution is to stop using SSL 3.0, which is nearly 18 years old. Note that an active attacker can also break the handshake to force a client that supports TLS down to SSL 3.0, which is why it should be disabled on both servers and clients (and why TLS_FALLBACK_SCSV is being deployed to stop such downgrades).

Most modern browsers support newer protocol versions, so there is no need to keep SSL 3.0 enabled. The main exception is IE6 on Windows XP, which has TLS 1.0 disabled by default and will fail to connect if you turn off SSL 3.0.

Test your server: https://ssltest.com/

Test your client: https://www.poodletest.com/

http://googleonlinesecurity.blogspot.no/2014/10/this-poodle-bites-exploiting-ssl-30.html

https://technet.microsoft.com/en-us/library/security/3009008.aspx

https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
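To see why "only the last padding byte is checked" is enough to decrypt traffic, here is an added simulation in Python of the SSL 3.0 record layer and the POODLE byte-recovery loop. It is not code from the Google paper or from any TLS stack: the block cipher is a constructed toy (any block cipher would do, the attack never touches the cipher), the keys and the request are constructed, and the "victim re-sends the request" and "server accepts/rejects" steps are plain function calls standing in for the browser and the network.

```python
import hashlib
import hmac
import random

BLOCK = 8      # 8-byte blocks, as with the 3DES-CBC suites of SSL 3.0
MAC_LEN = 16   # stand-in length for the record MAC that precedes the padding


def make_cipher(key: bytes):
    """Toy invertible 8-byte block cipher (key-dependent byte substitution plus a
    rotation). Assumed for this demo only; it is NOT secure."""
    rng = random.Random(key)
    sbox = list(range(256))
    rng.shuffle(sbox)
    inv = [0] * 256
    for i, s in enumerate(sbox):
        inv[s] = i

    def enc(block: bytes) -> bytes:
        out = bytes(sbox[b] for b in block)
        return out[1:] + out[:1]

    def dec(block: bytes) -> bytes:
        block = block[-1:] + block[:-1]
        return bytes(inv[b] for b in block)

    return enc, dec


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def record_mac(mac_key: bytes, data: bytes) -> bytes:
    return hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]


def encrypt_record(enc, mac_key: bytes, plaintext: bytes, rng: random.Random):
    """SSL 3.0 style record: plaintext || MAC || padding, CBC-encrypted.
    Returns the ciphertext blocks; element 0 is the IV."""
    data = plaintext + record_mac(mac_key, plaintext)
    n = BLOCK - 1 - len(data) % BLOCK   # 7 when data is block-aligned: a full padding block
    padded = data + bytes([n]) * n + bytes([n])
    iv = bytes(rng.randrange(256) for _ in range(BLOCK))
    blocks, prev = [iv], iv
    for i in range(0, len(padded), BLOCK):
        prev = enc(xor(padded[i:i + BLOCK], prev))
        blocks.append(prev)
    return blocks


def decrypt_record(dec, mac_key: bytes, blocks, strict_padding: bool = False):
    """Returns the plaintext, or None if the record is rejected.
    strict_padding=False is the SSL 3.0 rule: only the length byte is checked and the
    padding bytes are ignored. True is the TLS 1.0 rule: every padding byte must
    equal the length byte, which closes the oracle."""
    padded = b"".join(xor(dec(c), prev) for prev, c in zip(blocks, blocks[1:]))
    n = padded[-1]
    if n >= BLOCK:
        return None
    if strict_padding and padded[-1 - n:-1] != bytes([n]) * n:
        return None
    body = padded[:-1 - n]
    plaintext, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return plaintext if hmac.compare_digest(mac, record_mac(mac_key, plaintext)) else None


def poodle_recover_byte(send, accepts, block_index: int, max_tries: int = 100000):
    """Attacker side. send() makes the victim re-send the request under a fresh IV;
    accepts() is the server's accept/reject, observable on the wire. Copying C_i over
    the final all-padding block is accepted exactly when D(C_i) xor C_{n-1} ends in
    BLOCK-1, which happens with probability 1/256 and leaks the last byte of P_i."""
    for tries in range(1, max_tries + 1):
        blocks = send()
        forged = blocks[:-1] + [blocks[block_index]]
        if accepts(forged):
            c_prev_last = blocks[-2][-1]               # C_{n-1}, block before the padding block
            c_before_i = blocks[block_index - 1][-1]   # C_{i-1} (the IV when i == 1)
            return (BLOCK - 1) ^ c_prev_last ^ c_before_i, tries
    return None, max_tries


def demo(seed: int = 42):
    rng = random.Random(seed)
    enc, dec = make_cipher(b"constructed session key")   # constructed, not real key material
    mac_key = b"constructed mac key"
    # Constructed request: 16 bytes plus a 16-byte MAC is block-aligned, so the record
    # ends with a full padding block, the precondition POODLE needs (the real attack
    # arranges it by padding the request path).
    request = b"Cookie: s=SECRET"
    send = lambda: encrypt_record(enc, mac_key, request, rng)
    assert decrypt_record(dec, mac_key, send()) == request
    ssl3_accepts = lambda b: decrypt_record(dec, mac_key, b) is not None
    tls_accepts = lambda b: decrypt_record(dec, mac_key, b, strict_padding=True) is not None
    byte, tries = poodle_recover_byte(send, ssl3_accepts, block_index=2)  # last byte of "s=SECRET"
    tls_hits = 0   # the same forgery against a TLS 1.0 style check: 2^-64 per try
    for _ in range(2000):
        b = send()
        tls_hits += tls_accepts(b[:-1] + [b[2]])
    return byte, tries, tls_hits
```

demo() recovers the byte 'T' after a few hundred re-sent requests on average; the real attack repeats this for every byte of the cookie by shifting the request so each target byte lands last in its block. The strict padding check never accepts the forgery, which is the one-line difference between SSL 3.0 and TLS 1.0 that the protocol fix boils down to.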

  • Thursday

OS X Leaves Indexes With Private Data on USB Drives

F-Secure has found that your Spotlight index can be written to USB drives without you knowing about it. That in itself is nothing new, but the index written to the drive can contain entries for data that is not on the USB drive at all but elsewhere on your system. So if your mail is indexed, index data derived from it may end up on any USB drive you plug into your machine.

They have reproduced the issue and reported it to Apple, which says it is "aware of the issue and investigating further".

There is no quick fix for this issue, but you can turn off Spotlight indexing or choose which folders it indexes (e.g. exclude your mail folder).

http://www.f-secure.com/weblog/archives/00002752.html

Drupal patches highly critical SQL-injection vulnerability

The flaw sits in the database abstraction layer of Drupal 7.x: a SQL injection that can be exploited by anonymous users and can lead to privilege escalation and arbitrary remote code execution. Affected versions are Drupal core 7.x prior to Drupal core 7.32. Patch as soon as possible.

http://threatpost.com/drupal-fixes-highly-critical-sql-injection-flaw/108861

https://www.drupal.org/SA-CORE-2014-005

  • Friday

How to log SSL information from your webserver

It's time to start planning for the next big SSL vulnerability. While you wait, you can start logging the SSL protocol version and cipher suite each client negotiates with your server, so that when the next flaw lands you know which clients are affected and can react accordingly (for example, you can see today how much traffic would break if you disabled SSL 3.0).

The article shows how to log this information in Apache and Nginx.

https://isc.sans.edu/forums/diary/Logging+SSL/18847
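Once the protocol and cipher are in the access log, the question is what to do with them. The Python below is an added example (not from the SANS diary or any project) that tallies negotiated protocols and ciphers from such a log and lists the clients still on SSL 3.0 or on a weak cipher. It assumes an Apache log format with the mod_ssl variables %{SSL_PROTOCOL}x and %{SSL_CIPHER}x appended to the combined format (nginx offers $ssl_protocol and $ssl_cipher for the same purpose); the log lines, IPs and the list of "weak" cipher markers are constructed for the example.

```python
import re
from collections import Counter

# Assumed Apache LogFormat for this example:
#   LogFormat "%h %l %u %t \"%r\" %>s %b %{SSL_PROTOCOL}x %{SSL_CIPHER}x" ssl_combined
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<protocol>\S+) (?P<cipher>\S+)$'
)

# Cipher-name fragments worth an alert (a constructed policy; adjust to your own).
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXP", "ADH", "AECDH", "-MD5")

# Constructed sample log; plain-HTTP requests on the same server log "-" for both fields.
SAMPLE_LOG = [
    '203.0.113.10 - - [17/Oct/2014:10:01:22 +0200] "GET / HTTP/1.1" 200 5123 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256',
    '203.0.113.11 - - [17/Oct/2014:10:01:25 +0200] "GET /login HTTP/1.1" 200 812 SSLv3 DES-CBC3-SHA',
    '203.0.113.12 - - [17/Oct/2014:10:02:01 +0200] "POST /api HTTP/1.1" 201 44 TLSv1 RC4-SHA',
    '203.0.113.10 - - [17/Oct/2014:10:02:30 +0200] "GET /img.png HTTP/1.1" 200 9001 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256',
    '198.51.100.7 - - [17/Oct/2014:10:03:00 +0200] "GET / HTTP/1.1" 200 5123 SSLv3 RC4-MD5',
    '192.0.2.5 - - [17/Oct/2014:10:03:10 +0200] "GET / HTTP/1.0" 200 5123 - -',
    'this line is not in the expected format',
]


def parse_line(line: str):
    """Returns the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Counts negotiated protocol versions and cipher suites, reports the SSLv3 share
    of TLS/SSL traffic, and lists clients that negotiated SSLv3 or a weak cipher."""
    protocols, ciphers = Counter(), Counter()
    ssl3_clients, weak = set(), []
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        proto, cipher = rec["protocol"], rec["cipher"]
        if proto == "-":
            protocols["plaintext"] += 1
            continue
        protocols[proto] += 1
        ciphers[cipher] += 1
        if proto == "SSLv3":
            ssl3_clients.add(rec["client"])
        if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
            weak.append((rec["client"], cipher))
    tls_total = sum(v for k, v in protocols.items() if k != "plaintext")
    share = protocols["SSLv3"] / tls_total if tls_total else 0.0
    return {
        "protocols": protocols,
        "ciphers": ciphers,
        "ssl3_clients": ssl3_clients,
        "ssl3_share": share,
        "weak_ciphers": weak,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for proto, count in report["protocols"].most_common():
        print(f"{proto:10} {count}")
    print(f"SSLv3 share: {report['ssl3_share']:.0%}, clients: {sorted(report['ssl3_clients'])}")
    print(f"weak ciphers: {report['weak_ciphers']}")
```

Run it over a day of real logs before flipping SSLProtocol to exclude SSLv3 and you will know exactly which clients (and how much traffic) you are about to cut off, instead of finding out from the helpdesk.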

Ebola phishing scams

US-CERT warns users about email scams and malware campaigns that use the Ebola virus as a theme. It's nothing new that scammers use global disasters as a lure to get people to click links (and thus get infected).

https://www.us-cert.gov/ncas/current-activity/2014/10/16/Ebola-Phishing-Scams-and-Malware-Campaigns

Remote execution vulnerability in Oracle Forms 10g

There is a critical unauthenticated vulnerability (CVE-2014-4278) in Oracle Forms 10g that allows remote code execution: an attacker can add crafted parameters to a URL and obtain a remote shell on the system.

Oracle Forms 10g is a discontinued product, so you should upgrade to version 11. If upgrading is not an option, you should whitelist the characters allowed in those parameters or remove support for JSP files on the web server.

https://www.netspi.com/blog/entryid/243/advisory-oracle-forms-10g-unauthenticated-remote-code-execution-cve-2014-4278