A take on the security news, week 49

Wed 10 December 2014

A take on the security news, week 49 / 2014. I summarize some of the information security news that I considered noteworthy this week.

Firefox disables SSL3, OpenVPN DoS vulnerability, Scanners lost in translation, Google rolls out new CAPTCHA and Apple Safari update.

  • Monday

Do you plan for the next data breach?

Data breaches can lead to negative public coverage, and the number of data breaches is rising. The survey shows that 68% of the respondents don't know how to deal with the negative public coverage after a data breach, and 67% do not know what to do after a data breach has occurred.

They also find that the percentage of respondents that have a data breach response plan in 2014 is 73%, compared to 61% in 2013.

http://www.experian.com/assets/data-breach/brochures/2014-ponemon-2nd-annual-preparedness.pdf

  • Tuesday

Firefox 34.0.5 update disables SSL3

A new version of Mozilla's Firefox is out. SSL3 is now disabled by default, along with miscellaneous security fixes.

https://www.mozilla.org/en-US/firefox/34.0.5/releasenotes/

https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/

Check your GPG fingerprints

Richard Klafter and Eric Swanson have found collisions for every 32-bit key ID in the Web of Trust strong set using GPUs and the tool Scallion.

https://evil32.com

https://github.com/lachesis/scallion

Find bad crypto on your network

A short, great read on how to utilize nmap to find bad ciphers on your network.

https://isc.sans.edu/forums/diary/Flushing+out+the+Crypto+Rats+-+Finding+Bad+Encryption+on+your+Network/19009

  • Wednesday

Vulnerability scanners lost in translation

The presentation looks at a couple of open-source and commercial scanners, including Snort as an IDS, and how they behave on non-English websites. The results show that all tested scanners/IDS fail to detect, for example, MySQL vulnerabilities if error messages are in a language other than English.

A lesson we can take from this is: "Use error codes", both for displaying errors and when parsing and looking at logs.

http://www.slideshare.net/spookerlabs/lost-in-translation-blackhat-brazil-2014
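The "use error codes" lesson as an added example (not code from the presentation or from this post): an English-only text signature is compared with a match on the numeric MySQL error code and SQLSTATE. The log lines are constructed, and the `ERROR <code> (<sqlstate>)` log layout is an assumption about how the application records database errors.

```python
import re

# Numeric MySQL server error codes; these stay the same whatever
# language the server uses for the human-readable message.
MYSQL_CODES = {
    1064: "ER_PARSE_ERROR (SQL syntax error)",
    1054: "ER_BAD_FIELD_ERROR (unknown column)",
    1146: "ER_NO_SUCH_TABLE (table does not exist)",
}

# English-only text signature, the kind of rule that misses localized errors.
ENGLISH_SIGNATURE = re.compile(r"You have an error in your SQL syntax", re.I)

# Locale-independent part of the line: "ERROR 1064 (42000)".
CODE_PATTERN = re.compile(r"\bERROR (\d{4}) \(([0-9A-Z]{5})\)")

# Constructed sample log; the message texts are illustrative, not verbatim server output.
SAMPLE_LOG = [
    "2014-12-03 10:01:07 app ERROR 1064 (42000): You have an error in your SQL syntax near ''' at line 1",
    "2014-12-03 10:01:09 app ERROR 1064 (42000): Fehler in der SQL-Syntax bei ''' in Zeile 1",
    "2014-12-03 10:01:12 app ERROR 1146 (42S02): Tabela 'shop.usuarios' nao existe",
    "2014-12-03 10:01:13 app INFO request served in 12 ms",
    "2014-12-03 10:01:15 app ERROR 1054 (42S22): Champ 'nom' inconnu dans where clause",
]


def detect_by_text(lines):
    """Return indexes of lines matching the English-only signature."""
    return [i for i, line in enumerate(lines) if ENGLISH_SIGNATURE.search(line)]


def detect_by_code(lines):
    """Return (index, error code, SQLSTATE) for lines carrying a known code."""
    hits = []
    for i, line in enumerate(lines):
        m = CODE_PATTERN.search(line)
        if m and int(m.group(1)) in MYSQL_CODES:
            hits.append((i, int(m.group(1)), m.group(2)))
    return hits


if __name__ == "__main__":
    print("text signature hits:", detect_by_text(SAMPLE_LOG))
    for idx, code, state in detect_by_code(SAMPLE_LOG):
        print(f"line {idx}: {code} {state} {MYSQL_CODES[code]}")
```
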

OpenVPN DoS vulnerability

The vulnerability allows a tls-authenticated client to crash the server by sending it a too-short control channel packet. In other words, this vulnerability is denial of service only.

Patched in version 2.3.6 and backported to source-only release 2.2.3.

https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b

Data-wiping malware released after Sony attack

It's reported that malware was released after last week's attack on Sony. The malware is capable of overwriting data in the master boot record (MBR).

http://www.scmagazine.com/fbi-warns-us-firms-of-data-wiping-malware-following-sony-attack/article/386267/

Unauthenticated remote code execution in IBM Endpoint Manager

RedTeam discovered an unauthenticated remote code execution vulnerability in IBM Endpoint Manager as part of a penetration test.

All versions prior to 9.0.60100 are affected.

http://seclists.org/fulldisclosure/2014/Dec/3

http://www-01.ibm.com/support/docview.wss?uid=swg21691701

  • Thursday

Apple Safari update

An update to WebKit in Safari 8.0.1, Safari 7.1.1, and Safari 6.2.1 for Mountain Lion, Mavericks and Yosemite fixed three security issues.

http://lists.apple.com/archives/security-announce/2014/Dec/msg00000.html

Google rolls out new CAPTCHA

The new API, named "No CAPTCHA reCAPTCHA", lets you confirm that you are a human by clicking in a box.

The motivation behind this new API is that researchers have discovered that today's AI is able to solve 99.8% of the normal distorted text puzzles.

http://googleonlinesecurity.blogspot.com.es/2014/12/are-you-robot-introducing-no-captcha.html

Hacking PayPal accounts with a single click

In this blog post the author describes how he bypassed the CSRF protection in PayPal. He also shows a proof of concept attack.

The vulnerability was privately disclosed and has been patched by PayPal.

http://yasserali.com/hacking-paypal-accounts-with-one-click/

  • Friday

Week to Weak report

This report shows some interesting conclusions:

It takes 7.5 days for a vulnerability to be exploited.

Java, Adobe Flash and Internet Explorer produced the greatest number of vulnerabilities/exploits.

The difference between open-source and proprietary software is insignificant, contradicting what some claim is one of the pro open-source arguments (given enough eyeballs, all bugs are shallow).

Apple products are attacked fastest after a vulnerability is announced. The numbers are small, but time to exploitation is fast. At the other end is MS Office, which is surprisingly slow (long time to exploitation).

http://info.recordedfuture.com/Portals/252628/resources/week-to-weak-report.pdf

Smartphones delivered with malware preinstalled

It has been reported that smartphones are delivered with the DeathRing malware preinstalled. DeathRing is a Chinese trojan that has been preinstalled on smartphones in Asia and Africa. It is able to download SMS and WAP content from command & control servers which it can use for malicious purposes.

The main countries of concern are Vietnam, Indonesia, India, Nigeria, Taiwan, and China.

https://blog.lookout.com/blog/2014/12/04/deathring/