Citizen Lab and Lookout have uncovered an active threat (called "Trident") of state-sponsored actors using a combination of three zero-days in iOS to essentially perform a stealth jailbreak in a target device and exfiltrate all communication (calls, texts, email, and other app specific data). The entry point is via spear-phishing (email, text), in which the victim clicks on a link that exploits the first vulnerability in WebKit:
CVE-2016-4655: Memory Corruption in Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.Apple has already provided fixes for these, so install iOS 9.3.5 ASAP.
CVE-2016-4656: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel’s location in memory.
CVE-2016-4657: Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
Httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict: - RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXYThis means that if you send any requests from your web server to a CGI engine such as PHP (php-fpm, mod_php), you might be at risk of data leakage as an attacher could easily rewrite the http_proxy environment variable used by the CGI application to send an internal connection through a malicious server.
- HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
Fortunately this is easy to patch (simply block the Proxy header) on the web server, e.g:
- NGINX: fastcgi_param HTTP_PROXY "";
- Apache: RequestHeader unset Proxy early
- Others
Yet another OpenSSL vulnerability with a catchy name: DROWN (or "Decrypting RSA using Obsolete and Weakened eNcryption"). DROWN Attack claims up to 33% of all HTTPS servers might be vulnerable to the attack.
If you're running a web server configured to use SSLv2, and particularly one that's running OpenSSL (even with all SSLv2 ciphers disabled!), you may be vulnerable to a fast attack that decrypts many recorded TLS connections made to that box. Most worryingly, the attack does not require the client to ever make an SSLv2 connection itself, and it isn't a downgrade attack. Instead, it relies on the fact that SSLv2 -- and particularly the legacy "export" ciphersuites it incorporates -- are pure poison, and simply having these active on a server is enough to invalidate the security of all connections made to that device.So this essentially means that if you have any services with SSLv2 enabled (e.g. mail server) that share the same private key as other non-SSLv2 enabled services (e.g. web), that can be used to decrypt your TLS traffic. Time to check all services have SSLv2 disabled (this means not just disabling the ciphers, but fully disabling SSLv2 and SSLv3).
A recently discovered vulnerability in glibc would potentially allow an attacker remote code execution by making a victim do a DNS lookup. The code has apparently been around since 2008 and there are some PoCs available.
Full remote code execution has been demonstrated by Google, despite the usual battery of post-exploitation mitigations like ASLR, NX, and so on.Worth noting that many other programming languages and frameworks use the underlying libc functions to resolve domain names (Java, Python, Ruby among others) and are affected by this. Patch now.
Applications in OS X using an older version of the Sparkle Updater framework to pull the app updates might be vulnerable to MITM (Man-in-the-Middle) and RCE (Remote Code Execution). This includes well known and widely used apps such as VLC, Tunnelblick or SequelPro.
The vulnerability exists on applications that do not use HTTPS to retrieve the updates. In case of using plain HTTP, an attacker on the same network can perform a MITM attack to replace the response from the server with either a malicious binary or by sending JavaScript code, can open the user's browser to redirect them to a malicious site, or even perform RCE by exploiting WebKit.
First vulnerability is connected with the default configuration (http) which is unsafe and leads to RCE over MITM attack inside untrusted environment.Check the post for further details and PoC. The solution for now is to block any updates from apps trying to connect via HTTP to the update server (e.g. via Little Snitch) and update manually whenever needed.
The second one is the risk of parsing file://, ftp:// and other protocols inside the WebView component. As a result, if there is a security flaw on the server that allows replacing XML file, it can target all people through the affected application. It's possible even without knowing the private DSA key, without modifying application binary on the server and over https. After that, it doesn't require the MITM attack anymore.
Interesting article about the deprecation of SHA1 certificates due to security reasons, the comparison to MD5 and why is it taking so long for browsers and websites to stop supporting SHA1.
Facebook’s Chief Security Officer reported between 3% to 7% of browsers don’t support SHA-256.In a country breakdown, it's not surprising to see these numbers come from the developing world (interesting to see China with more than 6% of users not supporting SHA256, probably due to their reliance on XP).
Juniper has announced that they have identified code enabling an attacker admin access to their network devices potentially enabling them to decrypt VPN connections. The unauthorized code might have been present since at least 2012.
During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen® devices and to decrypt VPN connections. Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.No comments as to whether the code might have been inadvertently introduced or is the result of a breach. The nature of the access would also allow for an attacker to delete logs of access to the device.
Similarly as to how Lenovo was found earlier this year to include the malicious Superfish root certificate on their new laptops to "enhance" users' experience by providing targeted ads, Dell has now been found to include their very own root cert called eDellRoot.
The certificate, which is installed in the system's certificate store under the name "eDellRoot", gets installed by a software called Dell Foundation Services. This software is still available on Dell's webpage. According to the somewhat unclear description from Dell it is used to provide "foundational services facilitating customer serviceability, messaging and support functions".While Dell claims that this was provided to provide user support and there is no evidence it is being used to inject ads like in the case of Superfish, this is still a huge security issue as anybody with access to the private key (which has already been extracted and posted online) can now perform MITM attacks on any user with the eDellRoot CA installed.
[...] the attacks can be used to snoop on encrypted traffic or to bypass important security measures such as DNSSEC specification preventing the tampering of domain name system records. The most troubling scenario involves bypassing HTTPS encryption by forcing a computer to accept an expired transport layer security certificate.The NTP attacker could force a client to accept an expired or revoked certificate (e.g. pre-Heartbleed). However, the attack might be limited as the NTP client would not accept time changes of >15 minutes, measure that could be defeated by making the change gradually in several steps, or by resetting the time immediately after a reboot.
Read further: Attacking the Network Time Protocol
DNSCrypt can be an easy way of adding a bit of privacy to your DNS queries as opposed to using big brother's 8.8.8.8 and 8.8.4.4 public DNS. Setting it up is extremely easy, and installers can be downloaded from the DNSCrypt site for most OS, including this one for OS X: DNSCrypt OS X Client
However, if you want to set up DNSCrypt on a small Linux box or router on your LAN, you can use the following easy steps:
apt-get install dnscrypt-proxy dnsmasqEdit /etc/default/dnscrypt-proxy by defining the following constants, DNSCrypt will be listening on our loopback device on port 2053:
DNSCRYPT_PROXY_LOCAL_ADDRESS=127.0.0.2:2053This sets up the DNSCrypt resolver as Cisco (former OpenDNS), but if you prefer, you can choose a different one from here: /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
DNSCRYPT_PROXY_RESOLVER_NAME=cisco
If you use systemd, you also need to edit /etc/systemd/system/sockets.target.wants/dnscrypt-proxy.socket to add the following:
[Socket]... and restart DNSCrypt
Listen Stream?=127.0.0.2:2053
Listen Datagram?=127.0.0.2:2053
/etc/init.d/dnscrypt-proxy restartNext, we can use Dnsmasq to cache queries (or Bind if you already have a DNS resolver installed).
For Dnsmasq, edit /etc/dnsmasq.conf (change eth0 to whichever interface faces your LAN, e.g. wlan0):
server=127.0.0.2#2053 interface=eth0For Bind, edit /etc/bind/named.conf.options and simply add the forwarder line:
forwarders { 127.0.0.2 port 2053; };
Palo Alto Networks posted an analysis of XcodeGhost, the first compiler malware in OS X. Its malicious code is located in a Mach-O object file that was repackaged into some versions of Xcode installers.
The primary malicious component in the XcodeGhost infected version is “CoreServices”. XcodeGhost implemented malicious code in its own CoreServices object file, and copies this file to a specific position that is one of Xcode’s default framework search paths. Hence, the code in the malicious CoreServices file will be added into any iOS app compiled with the infected Xcode without the developers’ knowledge.The malware-infected apps then send device information, potentially including credentials to several domains: crash-analytics[.]com, icloud-diagnostics[.]com and icloud-analysis[.]com.
[...] As of this writing, we see 39 iOS apps being infected, some of which are extremely popular in China and in other countries around the world, comprising hundreds of millions of users. This includes the popular WhatsApp clone WeChat.
More than a month after the discovery of multiple critical vulnerabilities in Android’s media library (libstagefright), several exploits are already on the wild, including one from Imperium that results in a reverse shell.
What follows is a python script that generates an MP4 exploiting the ‘stsc’ vulnerability otherwise known as CVE-2015-1538. [...] As detailed in Joshua Drake’s Black Hat and DEFCON presentations, this user has access to quite a few groups such as inet, audio, camera, and mediadrm. These groups allow an attacker to take pictures or listen to the microphone remotely without exploiting additional vulnerabilities.Although this particular exploit does not work on Android 5.0 and later, other exploit developers claim to have successfully managed to bypass ASLR using an information leakage vulnerability in Stagefright.
In July 2013, GCHQ forced journalists at The Guardian to completely obliterate the memory of the computers on which they kept copies of top-secret documents provided to them by former NSA contractor and whistleblower Edward Snowden.
The Guardian’s video reveals editors using angle-grinders, revolving drills, masks that GCHQ ordered them to buy, and a “degausser,” an expensive piece of equipment provided by GCHQ, which destroys magnetic fields and thereby erases data. The procedure eliminated practically every chip in the device, leaving almost no recognizable piece of machinery behind. The whole process lasted over three hours.GCHQ took it several steps further than just destroying the hard drive and instructed Guardian editors to destroy parts of multiple MacBook Airs’ trackpad controllers, power controllers, keyboards, CPUs, inverting converters, USB drives, and more.
The government may have targeted parts of the Apple devices that it “doesn’t trust”. [...] The track pad controller can hold up to 2 megabits of memory. All the different “chips” in your computer — from the part that controls the device’s power to the chips in the keyboard — also have the capacity to store information, like passwords and keys to other data, which can be uploaded through firmware updates.
Labeled as “Certifi-Gate," the vulnerability is caused by insecure versions of remote administration tools installed by the manufacturers and carriers to provide remote customer service—including versions of TeamViewer, CommuniTake Remote Care, and MobileSupport by Rsupport. These carry certificates that give them complete access to the Android operating system and device hardware. The applications are commonly pre-installed on Samsung, LG, and HTC handsets.Check Point has provided a free scanning application to allow individuals to determine if their Android device was vulnerable, and out of the 30,000 users that had opted to provide anonymous scan results, 58% of the Android devices scanned were vulnerable, with 15.84 percent actually having a vulnerable version of the remote access plug-in installed. The brand with the highest percentage of devices with the vulnerable plug-in was LG with 72%.
... it turned out, the Wi-Fi password for Chrysler’s cars is generated before the actual time and date is set and is based on default system time plus a few seconds during which the head unit boots up.
The multimedia system is not connected to CAN bus directly. This is the thing that all the manufacturers always refer back to when it comes to IT-security of cyber-physical systems: there is an isolation they say, the air gap between connected and physical parts of these systems. As it turned out, this air gap is not that thick, at least in Chrysler’s cars. Despite the fact that multimedia system’s controller itself can’t communicate directly with CAN bus, it actually can communicate with another component which is connected to CAN bus, the V850 controller. He knows a guy, who knows a guy situation, simply put. Researchers discovered an opportunity to change firmware of the V850 controller for their maliciously crafted version through the connection to multimedia system’s controller. This firmware ‘upgrade’ can be done without any checks or authorizations. Even if there was authorization, researchers have found a couple of vulnerabilities that make possible taking control over this V850 controller. And that was it: after this move Miller and Valasek were able to send commands through the CAN bus and make every — every! — component of the car to do whatever they wanted. They were able to control steering wheel, engine, transmission, braking system, not to mention dull things like windscreen wiper, air conditioner, door locks and so on. Moreover, they were able to control all this things completely remotely, over the Sprint cellular network.
... BIND9 should not be exposed to the public. It has code problems that should be unacceptable in this day and age of cybersecurity. Even if it were written perfectly, it has far too many features to be trustworthy. It's feature-richness makes it a great hidden master, it's just all those feature get in the way of it being a simple authoritative slave server, or a simple resolver.
[...] The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.
The 400GB of internal company data include a spreadsheet listing every government client, when they first bought the surveillance software, and how much money they have paid the company to date.Several tweets with first reviews of the data under #hackingteam. Also interesting:
Hacking Team had no exploits for an un-jail-broken iPhone. Seems like the platform of choice if you want to stay secure.
Update on the OPM hack, 14 million people affected by the breach - details from nearly everyone who works for the US government are in the hands of the Chinese government now. Worse is the absolute lack of security controls in their core systems:
- Of the 47 major IT systems at OPM, 22 of them are currently run by contractors.
- While OPM instituted security monitoring of some systems, those tools covered only 80 percent of OPM's systems and did not include contractor-operated systems.
- Seven major systems out of 25 had inadequate documentation of security testing, three out of the 22 contractor-operated systems had not been tested in the last year; the remainder had only been tested once a year.
- None of the agency's 47 major applications required two-factor authentication.
Over 600 million Samsung mobile device users have been affected by a significant security risk on leading Samsung models, including the recently released Galaxy S6. The risk comes from a pre-installed keyboard that allows an attacker to remotely execute code as a privileged (system) user.This is a major vulnerability, and knowing the Android update cycle, probably 550 out of the 600 million devices will be left unpatched for a very long time...
If the flaw in the keyboard is exploited, an attacker could remotely: Access sensors and resources like GPS, camera and microphone, secretly install malicious app(s) without the user knowing, tamper with how other apps work or how the phone works, eavesdrop on incoming/outgoing messages or voice calls, attempt to access sensitive personal data like pictures and text messages