Wednesday, May 20, 2015

Vulnerability in Safari Allows Attackers to Spoof Websites

A security firm has discovered a vulnerability in Apple’s Safari Browser that allows attackers to spoof legitimate websites and phish for user credentials.

Security firm Deusen reveals that the flaw works by using a short script to force Safari into loading one page while still displaying the URL of another page. This script is provided below:

function f()

Deusen has published a demonstration of the vulnerability here.

“The code is very simple: the webpage reloads every 10 milliseconds using the setInterval() function, just before the browser can get the real page, and so the user sees the ‘real’ web address instead of the fake one,” comments Manuel Humberto Santander Peláez, Handler at SANS Internet Storm Center.
The bug works on fully patched versions of iOS and OS X. Even so, the demo code is not perfect.

Staff members at Ars Technica tested the vulnerability, and while the demo code worked flawlessly on a MacBook Pro, the address bar on an iPad Mini periodically refreshed as the page appeared to reload.

Similarly, Help Net Security ran into problems when testing the bug. The demo code appeared to work only until the user switched tabs, and even then, the site reasoned, savvy users would notice a flickering of the loading progress bar in the address bar.

Despite the demo code’s flaws, less experienced users might not notice this behavior. Attackers could subsequently target unaware users by redirecting them to a malicious website where they could attempt to infect visitors with malware or steal their login credentials.

This vulnerability was discovered by the same group of researchers who discovered a Universal Cross Site Scripting (XSS) vulnerability in the latest versions of Microsoft’s Internet Explorer back in February of this year. That flaw also put web users’ login credentials and sensitive information at risk.

Users are encouraged to watch out for spoofing attacks that redirect them to phishing schemes.

Wednesday, April 22, 2015

Apple 'Rootpipe' security vulnerability still prevalent following patch

Apple issued an OS X Yosemite update earlier this month which remedied a flaw known as Rootpipe. First discovered last October by security researcher Emil Kvarnhammar (yet having existed since at least 2011), the flaw allows bad actors to gain root access to a system through a backdoor in the system preferences app.
A second security researcher, Patrick Wardle, attempted to exploit the vulnerability on a patched machine and was apparently able to pull it off.
In a post on Objective-See, Wardle said he was on a return flight from a conference when he stumbled upon what he describes as a novel, yet trivial way for any local user to re-abuse Rootpipe. Wardle didn’t provide the technical details of the attack in the spirit of responsible disclosure (except to Apple, of course) but wanted other OS X users to be aware of the risk.
In an e-mailed statement to Forbes, Wardle said he was tempted to walk into an Apple store and try the exploit on a display model but stuck to testing it on his personal laptop.
Wardle, currently the director of research and development at security firm Synack, has made a name for himself in the security community by presenting at conferences including DefCon, VirusBulletin, ShmooCon and CanSecWest.
Apple could have its hands full with Rootpipe. Another security researcher, Pedro Vilaça, told the publication that the original fix was doomed since its release because there are so many ways to bypass it “due to the wrong fix design.”
Apple has also been criticized for only issuing a patch for OS X Yosemite, effectively leaving a large number of Mac users vulnerable.

Monday, February 23, 2015

Most vulnerable operating systems and applications in 2014


An average of 19 vulnerabilities per day were reported in 2014, according to the data from the National Vulnerability Database (NVD). The NVD provides a comprehensive list of software security vulnerabilities. In this article, I look at some of the trends and key findings for 2014 based on the NVD’s database.

Some of the questions asked are:

-       What are the latest vulnerability trends? Are we seeing an increase or a decrease in the number of vulnerabilities?

-       What percentage of these vulnerabilities are rated as critical, i.e. with a high security impact (such as allowing remote code execution) and thus easy to exploit?

-       In which areas do we see the most vulnerabilities? Are operating systems, third-party applications or network devices such as routers, switches, access points or printers most at risk?

-       Which operating systems and applications are listed with the most vulnerabilities? This data is important because the products at the top get the most frequent security updates. To keep an IT infrastructure secure, sysadmins need to continually monitor these operating systems and applications for the latest updates and ensure they are always fully patched.

7,038 new security vulnerabilities were added to the NVD database in 2014. This means an average of 19 new vulnerabilities per day. The number is significantly higher than in 2013 and continues the ascending trend over the past few years.

24% of these vulnerabilities are rated as high severity. The percentage is lower than in 2013, but the actual number of high security vulnerabilities has increased compared to last year.
Third-party applications are the largest source of vulnerabilities, accounting for over 80% of those reported. Operating systems account for only 13% of vulnerabilities and hardware devices for 4%.
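The figures above (total count, per-day rate, share rated high severity, and the split between operating systems, applications and hardware) come from the NVD feed. As an added illustration that is not part of the article, the script below computes the same kind of summary over a handful of constructed NVD-style records; the CVE ids, dates, scores and product names are placeholders, and the category split relies on the CPE "part" field that NVD attaches to each affected product.

```python
"""Summarise NVD-style vulnerability records the way the article does.

Added example, not from the article. The records are constructed and only
loosely modelled on NVD's JSON feed: each carries a CVE id, a published date,
a CVSS v2 base score and the CPE names of affected products, where the CPE
'part' is 'o' (operating system), 'a' (application) or 'h' (hardware).
"""
import calendar
from collections import Counter

# Constructed sample records; the CVE ids are placeholders, not real entries.
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "published": "2014-01-03", "score": 9.3,
     "cpes": [("a", "adobe", "flash_player")]},
    {"id": "CVE-0000-0002", "published": "2014-01-10", "score": 5.0,
     "cpes": [("o", "apple", "mac_os_x"), ("o", "apple", "iphone_os")]},
    {"id": "CVE-0000-0003", "published": "2014-02-14", "score": 7.5,
     "cpes": [("a", "openssl", "openssl")]},
    {"id": "CVE-0000-0004", "published": "2014-03-02", "score": 4.3,
     "cpes": [("a", "google", "chrome")]},
    {"id": "CVE-0000-0005", "published": "2014-04-07", "score": 10.0,
     "cpes": [("a", "gnu", "bash")]},
    {"id": "CVE-0000-0006", "published": "2014-05-19", "score": 2.1,
     "cpes": [("o", "linux", "linux_kernel")]},
    {"id": "CVE-0000-0007", "published": "2014-06-30", "score": 6.8,
     "cpes": [("a", "microsoft", "internet_explorer")]},
    {"id": "CVE-0000-0008", "published": "2014-08-11", "score": 7.2,
     "cpes": [("o", "apple", "mac_os_x")]},
    {"id": "CVE-0000-0009", "published": "2014-09-22", "score": 5.8,
     "cpes": [("h", "cisco", "example_router")]},
    {"id": "CVE-0000-0010", "published": "2014-11-05", "score": 9.3,
     "cpes": [("a", "google", "chrome")]},
    {"id": "CVE-0000-0011", "published": "2013-12-20", "score": 7.5,
     "cpes": [("a", "oracle", "jre")]},   # 2013 entry: filtered out below
]

PART_NAMES = {"o": "operating_system", "a": "application", "h": "hardware"}


def severity(score):
    """NVD's CVSS v2 severity bands: high >= 7.0, medium >= 4.0, else low."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def records_for_year(records, year):
    return [r for r in records if r["published"].startswith(f"{year}-")]


def summarise(records, year):
    """Totals, per-day rate, share of high-severity entries and split by CPE part.

    A CVE that lists products of several parts is counted once for each
    distinct part, so the part counts may sum to more than the total.
    """
    recs = records_for_year(records, year)
    total = len(recs)
    days = 366 if calendar.isleap(year) else 365
    by_severity = Counter(severity(r["score"]) for r in recs)
    by_part = Counter()
    for r in recs:
        for part in {cpe[0] for cpe in r["cpes"]}:
            by_part[PART_NAMES[part]] += 1
    return {
        "total": total,
        "per_day": round(total / days, 3),
        "high": by_severity["high"],
        "high_pct": round(100.0 * by_severity["high"] / total, 1) if total else 0.0,
        "by_part": dict(by_part),
    }


def top_products(records, year, n=5):
    """Products with the most CVEs, each CVE counted once per product."""
    counts = Counter()
    for r in records_for_year(records, year):
        for vendor, product in {(c[1], c[2]) for c in r["cpes"]}:
            counts[f"{vendor}:{product}"] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    print(summarise(SAMPLE_RECORDS, 2014))
    print(top_products(SAMPLE_RECORDS, 2014, 3))
```

Counting a CVE once per product rather than once per CPE entry matters for the ranking: a single kernel bug listed against dozens of distribution builds would otherwise dominate the table.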

It is interesting that although Microsoft operating systems still have a considerable number of vulnerabilities, they are no longer in the top 3. Apple, with OS X and iOS, is at the top, followed by the Linux kernel.

2014 was a tough year for Linux users from a security point of view, not least because some of the most important security issues of the year were reported in applications that usually run on Linux systems: Heartbleed, for example, is a critical vulnerability in OpenSSL, while Shellshock affects GNU Bash.

The applications listed here are pretty much the same as in 2013. Not surprisingly at all, web browsers continue to have the most security vulnerabilities because they are a popular gateway to access a server and to spread malware to clients. Adobe's free products and Java are the main challengers, but web browsers have topped the table for the last six years. Mozilla Firefox had the most vulnerabilities reported in 2009 and 2012; Google Chrome in 2010 and 2011; Internet Explorer was at the top for the last two years.

To keep systems secure, it is critical that they are fully patched. IT admins should focus on (patch them first):

Wednesday, January 7, 2015

World’s first (known) bootkit for OS X can permanently backdoor Macs

Securing Macs against stealthy malware infections could get more complicated thanks to a new proof-of-concept exploit that allows attackers with brief physical access to covertly replace the firmware of most machines built since 2011.

Once installed, the bootkit—that is, malware that replaces the firmware that is normally used to boot Macs—can control the system from the very first instruction. That allows the malware to bypass firmware passwords, passwords users enter to decrypt hard drives and to preinstall backdoors in the operating system before it starts running. Because it's independent of the operating system and hard drive, it will survive both reformatting and OS reinstallation. And since it replaces the digital signature Apple uses to ensure only authorized firmware runs on Macs, there are few viable ways to disinfect infected boot systems. The proof-of-concept is the first of its kind on the OS X platform. While there are no known instances of bootkits for OS X in the wild, there is currently no way to detect them, either.

The malware has been dubbed Thunderstrike, because it spreads through maliciously modified peripheral devices that connect to a Mac's Thunderbolt interface. When plugged into a Mac that's in the process of booting up, the device injects what's known as an Option ROM into the extensible firmware interface (EFI), the firmware responsible for starting a Mac's system management mode and enabling other low-level functions before loading the OS. The Option ROM replaces the RSA encryption key Macs use to ensure only authorized firmware is installed. From there, the Thunderbolt device can install malicious firmware that can't easily be removed by anyone who doesn't have the new key.

Enter evil maid

While the hack requires an attacker to have brief physical access to a targeted machine, that prerequisite isn't prohibitively steep in many situations. For example, so-called "evil maid" scenarios—in which a rogue hotel housekeeper tampers with a computer—or an agent at an international border crossing both routinely have access to computers, often while unsupervised. Documents leaked by former National Security Agency subcontractor Edward Snowden also exposed how agents intercept hardware being shipped to organizations targeted for surveillance and covertly install modified firmware onto them before they’re delivered.

All any of these attackers would need to do to carry out a Thunderstrike-style attack is to reboot a Mac with a previously weaponized Thunderbolt device attached. If the machine is turned on but locked, the attacker need only press the power button for a few seconds to hard-reboot the machine. Firmware passwords, disk encryption passwords, and user passwords won't thwart the attack since the Option ROMs are loaded before any of those protections are checked.

Thunderstrike made its debut in late December, at the Chaos Communication Congress. The vulnerability was discovered by Trammell Hudson, an employee of a high-tech hedge fund in New York City called Two Sigma Investments, while trying to secure the firm's MacBooks. A self-described reverse engineering hobbyist, Hudson was previously known for creating Magic Lantern, an open source programming environment for Canon digital SLR cameras.

Thunderstrike builds on a similar attack as demonstrated at the 2012 Blackhat conference that bypasses OS X FileVault protections to install a rootkit. Like Thunderstrike, the 2012 exploit used Thunderbolt ports to inject the malicious payload into the boot process, but the earlier attack wasn't able to modify the boot ROM itself. To work around that limitation, the researcher—who works under the hacking moniker snare—wrote the bootkit to the EFI system partition.


One of the breakthroughs of Thunderstrike is its ability to get the boot ROM firmware volumes validated. Hudson figured out how to do this after discovering an undocumented CRC32 cyclic redundancy check routine carried out during the normal validation process. A second breakthrough involved the discovery that Option ROMs are loaded during a recovery mode boot. That allowed Hudson to figure out how to replace Apple's existing EFI code.

Thunderstrike was just one of at least two EFI-based attacks that were demonstrated at December's Chaos Communication Congress. A separate talk delved into the Unified Extensible Firmware Interface, a similar mechanism that's used to boot some Windows and Linux machines. Hudson said an attack technique known as Dark Jedi that was outlined during the talk could possibly be adapted to make his exploit work remotely, so the attacker wouldn't require physical access. Earlier this week, the US CERT issued three advisories warning of vulnerabilities in widely used UEFI chips. A researcher from security firm Bromium also has this brief writeup on the UEFI talk.

Hudson said Apple is in the process of partially patching the vulnerabilities that make Thunderstrike possible. The remedy involves not allowing Option ROMs to load during firmware updates, a measure that Hudson said is effective against his current proof of concept. Apple already has begun rolling out the upgrade to Mac Minis and iMac Retina 5Ks and plans to make it more widely available soon.

"However... it is not a complete fix," he warned in a blog post detailing Thunderstrike. "Option ROMs are still loaded on normal boots, allowing snare's 2012 attack to continue working. Older Macs are subject to downgrade attacks by 'updating' to a vulnerable firmware version."

Until there's a complete fix from Apple, there aren't a lot of viable options for preventing Thunderstrike-type attacks. Pouring a liberal amount of epoxy glue in a Thunderbolt port will certainly make the exploit harder, since it would force an attacker to take apart the casing to access the underlying flash ROM chip, but it would come at the cost of disabling key functionality. The other obvious solution is for people to keep their machines on their person at all times, but that isn't always practical, either. Hotel safes and locked and sealed storage boxes are also only partially effective, since both measures are vulnerable to cracking and picking.

Thursday, November 6, 2014

Malware Discovered In China Could Herald ‘New Era’ Of iOS And Mac Threats

Conventional wisdom suggests that the vast majority of mobile malware cases impact Android devices. Or at least that those who do not jailbreak their iPhones are safe from most threats — even Apple CEO Tim Cook has bashed Android for “dominating” the mobile malware market. Yet a new virus found in China by U.S.-based researchers could herald the first serious security threat to Apple devices.

A report from Palo Alto Networks (hat tip The Verge) claims that a new family of malware is getting past Apple’s settings to potentially infect secure (i.e. not jailbroken) iOS devices using infected software for Macs. Dubbed “WireLurker,” it was found in the wild in the Maiyadi App Store, a third-party Mac store in China, where it is said to have infected 467 apps. Infected versions of these programs have been downloaded more than 350,000 times and are likely to have affected “hundreds of thousands” of users, according to Palo Alto Networks. [Update: Apple tells us that it has blocked infected apps from working -- the company's full statement is at the bottom of this post.]

The malware works by repacking legitimate Mac applications. Once downloaded to a Mac, that software will then install malicious and third-party applications on any iOS device that is connected to the infected machine using a USB cable. What’s most interesting — or, indeed, worrying for Apple customers — is that once on an iOS device, WireLurker reportedly uses a range of sophisticated techniques to modify existing apps for malicious purposes.

While the aim of its creators is not clear yet, Palo Alto Networks reports, WireLurker has been found to steal “a variety of information” from inside rewritten apps. Since it surfaced in China, it is targeting Alibaba’s hugely popular Taobao shopping and AliPay payment apps — where a phone owner’s credit card and bank details are retained — but the security firm says the way it operates could usher in a “new era” of malware for Apple devices.

In particular, Palo Alto Networks says it is “the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning.”

The security firm recommends its own product to help prevent WireLurker, but — as ever — the best pieces of advice are to avoid downloading apps from third-party sources, and use officially approved USB cables. The former is more difficult in China, where third-party app stores are well established and hugely popular — though that's more the case for Android than Mac or iOS.

The full report from Palo Alto Networks has additional advice for Apple customers in the enterprise space who could be most at risk given WireLurker’s characteristics.

Wednesday, October 22, 2014

China Attack Aims at iCloud, Apple’s Service for Storage

HONG KONG — For Apple in China, trouble seems to be the new normal.

Cybersecurity monitoring groups and security experts said on Monday that people trying to use Apple’s online data storage service, known as iCloud, were the target of a new attack that sought to steal users’ passwords and then spy on their activities.

Starting over the weekend, when many users across China tried to sign into their iCloud accounts, they may have been giving away login information to a third party, in what is called a man-in-the-middle attack.

“You think you are getting information directly from Apple, but in fact the authorities are passing information between you and Apple, and snooping on it the whole way,” said a spokesman for an independent censorship-monitoring website, GreatFire, who declined to be named because of fear of reprisal.

The back-end I.P. address targeted by the attack was changed Tuesday by Apple, according to a tweet from GreatFire.

News of the vulnerability came just as the new iPhone 6 arrived in Chinese stores after a monthlong regulatory delay tied, in part, to concerns about the phone’s security.

Activists and security experts say they believe the attacks are backed by the Chinese government because they are hosted from servers to which only the government and state-run telecommunications companies have access, according to GreatFire. They are also similar to recent attacks on Google, Yahoo and Microsoft aimed at monitoring what users were retrieving on the sites.

“All signs point to the Chinese government’s involvement,” said Michael Sutton, vice president for threat research at Zscaler, a San Jose, Calif., security company. “Evidence suggests this attack originated in the core backbone of the Chinese Internet and would be hard to pull off if it was not done by a central authority like the Chinese government.”

The targeting also potentially reveals a new Chinese government effort to adapt to initiatives by Internet companies — most notably new encryption techniques — to protect user data from government spying.

“The Chinese government could no longer sniff traffic, so they intercepted that traffic between the browser and the iCloud server,” Mr. Sutton said.

Chinese officials could not immediately be reached for comment.

Many web browsers, like Apple’s Safari, Google’s Chrome and Mozilla’s Firefox, flashed a warning to users that a so-called encryption certificate that is supposed to identify who is on the other end of a web session should not be trusted. That indicated that users were inadvertently communicating with the attackers, rather than iCloud. In effect, the hackers stepped into the middle of the online conversation.

Mr. Sutton noted that Qihoo, a browser offered by the Qihoo 360 Technology Company that is popular in China, did not flash a warning to users.

“As more sites move to encryption by default — which prevents the censorship authorities from selectively blocking access to content — the Chinese authorities will grow increasingly frustrated with their ability to censor that content,” said the GreatFire spokesman.

“In some ways their hands are being forced. They can attempt these man-in-the-middle attacks or choose to outright block access to these sites. The more sites they block, the more they cut off the Chinese populace from the global Internet,” he added.

The timing of the attack, aligned with the release of the new iPhone in China, is a potential indicator that the government is trying to harvest sign-in data from a large number of users who are switching over to the iPhone 6. The new phone comes with better encryption to protect against government snooping.

In September, Apple, based in Cupertino, Calif., said its latest operating system, iOS 8, included protections that made it impossible for the company to comply with government warrants asking for customer information like photos, emails and call history.

The change prompted the Federal Bureau of Investigation director, James B. Comey, to say in a recent speech that new encryption by Apple and others “will have very serious consequences for law enforcement and national security agencies at all levels.”

“Sophisticated criminals will come to count on these means of evading detection,” Mr. Comey said.

In August, Apple began storing data for iCloud on servers in China in a move it said was intended to enhance performance of the service there. The company said the state-owned service provider China Telecom, which owns the servers where the data is stored, did not have access to the content.

But security experts say it appears that Beijing has found a workaround, by coordinating man-in-the-middle attacks on a mass scale.

Apple on Tuesday acknowledged a network attack, but clarified that its iCloud servers were not breached. On a security webpage, it implied that man-in-the-middle attacks were being used to direct people to fake iCloud connections, making their user names and passwords vulnerable to theft.

On the webpage, Apple explained how people could distinguish an authentic site from a fake one. Basically, users will receive warnings when the browser detects a fake certificate or an untrusted connection. Apple advised people to heed those warnings and avoid signing in.
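The warning Apple tells users to heed is the browser's verdict on the certificate the other end presents: does it name this host, was it issued by someone the client trusts, and is it in date? As an added example that is not from the article or from Apple, the script below reproduces those three checks on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns. The two certificates, the issuer name "Example Trusted CA" and the fixed clock are all constructed; a self-signed interposer certificate copying the server name fails only the issuer check, which is exactly the case the browsers flagged. Signature and chain validation are assumed to be done by the TLS library and are not reimplemented here.

```python
"""Reproduce the checks behind a browser's "untrusted certificate" warning.

Added example, not from the article. The certificate dictionaries mirror the
shape of ssl.SSLSocket.getpeercert(), so check_peer_cert() can also be fed a
live peer certificate; the two below are constructed stand-ins.
"""
import calendar
import ssl

# Constructed: what a certificate for the real service might look like.
GOOD_CERT = {
    "subject": ((("commonName", "www.icloud.com"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),   # hypothetical CA
    "subjectAltName": (("DNS", "*.icloud.com"), ("DNS", "icloud.com")),
    "notBefore": "Sep 22 00:00:00 2014 GMT",
    "notAfter": "Sep 22 00:00:00 2015 GMT",
}

# Constructed: a self-signed certificate presented by a man in the middle.
# The name matches, but nobody the client trusts vouches for it.
INTERPOSER_CERT = {
    "subject": ((("commonName", "www.icloud.com"),),),
    "issuer": ((("commonName", "www.icloud.com"),),),
    "subjectAltName": (("DNS", "www.icloud.com"),),
    "notBefore": "Oct 17 00:00:00 2014 GMT",
    "notAfter": "Oct 17 00:00:00 2015 GMT",
}

TRUSTED_ISSUERS = {"Example Trusted CA"}          # hypothetical trust store
NOW = calendar.timegm((2014, 10, 22, 12, 0, 0))   # fixed clock for the example


def hostname_matches(pattern, hostname):
    """RFC 6125 style name match: case-insensitive; '*' only as the entire
    leftmost label, matching exactly one label, and never the registrable
    domain itself ('*.com' matches nothing)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _rdn_value(name_seq, key):
    """First value for `key` in a getpeercert()-style sequence of RDNs."""
    for rdn in name_seq:
        for k, v in rdn:
            if k == key:
                return v
    return None


def check_peer_cert(cert, hostname, trusted_issuers, now):
    """Return the reasons a browser would warn; an empty list means the
    certificate names this host, comes from a trusted issuer and is in date."""
    reasons = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:                       # legacy fallback when no SAN is present
        cn = _rdn_value(cert.get("subject", ()), "commonName")
        names = [cn] if cn else []
    if not any(hostname_matches(n, hostname) for n in names):
        reasons.append(f"name mismatch: certificate is for {names}, not {hostname}")
    issuer = _rdn_value(cert.get("issuer", ()), "commonName")
    if issuer not in trusted_issuers:
        reasons.append(f"untrusted issuer: {issuer!r}")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        reasons.append("certificate not yet valid")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        reasons.append("certificate expired")
    return reasons


if __name__ == "__main__":
    for label, cert in (("genuine", GOOD_CERT), ("interposer", INTERPOSER_CERT)):
        problems = check_peer_cert(cert, "www.icloud.com", TRUSTED_ISSUERS, NOW)
        print(label, "->", "OK" if not problems else "; ".join(problems))
```

The point of the interposer case is that a name match alone proves nothing: anyone can mint a certificate carrying any name, so the decision rests on the issuer being in the trust store, and a browser that skips that step (as the article notes one popular Chinese browser did) shows no warning at all.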

“Apple is deeply committed to protecting our customers’ privacy and security,” said Trudy Muller, an Apple spokeswoman. “We’re aware of intermittent organized network attacks using insecure certificates to obtain user information, and we take this very seriously.”

Ms. Muller declined to comment on whether Apple had identified the Chinese government as the source of the attacks.

Security experts said users should not visit websites if they receive a browser warning. Mr. Sutton also advised users to turn on two-factor authentication whenever possible, a procedure in which a user is prompted to enter a second one-time password that has been texted to the user’s phone. That way, he said, even if an attacker intercepts a password, they cannot use it to log into a site without the second password. “Users should treat this seriously,” Mr. Sutton said.
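Mr. Sutton's advice rests on the second password being usable only once, so a password captured in transit is not enough on its own. As an added example that is not from the article, the code below implements the standard one-time-password algorithms (HOTP, RFC 4226, and its time-based form TOTP, RFC 6238) rather than the SMS delivery the article mentions; the shared secret is the RFC test key, and the verifier class is a hypothetical server-side component showing two practical caveats: it tolerates one step of clock drift, and it refuses to accept a code for a time step at or before the last one already used, so a code that was phished and submitted once cannot simply be replayed.

```python
"""One-time passwords as a second factor: HOTP (RFC 4226) and TOTP (RFC 6238).

Added example, not from the article. TotpVerifier is a hypothetical server
side; the secret used in the tests is the RFC test vector key.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_counter(unix_time, step=30, t0=0):
    """Number of `step`-second intervals since t0 (RFC 6238's T)."""
    return (int(unix_time) - t0) // step


def totp(secret, unix_time=None, step=30, t0=0, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with the counter derived from the clock."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, totp_counter(unix_time, step, t0), digits, algo)


class TotpVerifier:
    """Hypothetical server side. Accepts a code from the current step or from
    `window` neighbouring steps (clock drift), compares in constant time, and
    remembers the highest step already consumed so a code is never valid twice."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1

    def verify(self, code, unix_time=None):
        if unix_time is None:
            unix_time = time.time()
        now_counter = totp_counter(unix_time, self.step)
        for counter in range(now_counter - self.window, now_counter + self.window + 1):
            if counter <= self.last_counter:
                continue            # already used (or older): replay is refused
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 test key, not a real secret
    now = time.time()
    code = totp(secret, now)
    v = TotpVerifier(secret)
    print("first use:", v.verify(code, now), "replay:", v.verify(code, now))
```

Without the replay check, a code harvested by a man in the middle stays valid for the remainder of its 30-second step (plus the drift window), which is long enough for an automated relay to log in with it.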

Friday, October 10, 2014

Phishers Find Apple Most Tasty Target


"Follow the money" isn't just the war cry of journalistic bloodhounds hot on the trail of political corruption. It's the mantra of Web predators, too. That's why PayPal consistently has been the top brand targeted by phishers -- although that appears to have changed.

Apple now has the dubious distinction of most-phished brand, according to the latest report from the Anti-Phishing Work Group.
For the first half of this year, 17.7 percent of all phishing attacks were aimed at Apple -- a first for the brand -- followed by PayPal (14.4 percent) and Chinese shopping site (13.2 percent), the APWG reported.

Have phishers suddenly become more interested in stocking their music libraries from iTunes than siphoning money from PayPal? Not quite.

"We're seeing a lot of account takeover types of stuff, and your Apple ID is tied into everything," report coauthor Rod Rasmussen told TechNewsWorld.

Target Churn

Phishers can get into all kinds of mischief with an Apple ID, suggested Rasmussen, who also is president and CTO of IID.

"I'm betting some of the naked celebrity photos were stolen with the use of Apple IDs," he said.

"They can be also used to lock a user out of their phone and ransom it back to them for money," Rasmussen continued. "There are lots of different attack vectors, which adds up to why Apple is being phished as heavily as it is."

A greater variety of institutions now are being targeted by phishers, compared to the past, the APWG report notes. For example, in the first half of this year, the group found 756 unique institutions targeted by phishers. Almost half those targets -- 347 -- hadn't been phished in the previous six-month period.

"This amount of churn, or turnover, shows phishers trying out new targets," APWG reported. "They are looking for companies that are newly popular, have vulnerable user bases, and/or are not ready to defend themselves against phishing."

Behavioral Defenses

If the mammoth data breaches in recent months illustrate anything, it's that perimeter defenses alone aren't adequate to keep attackers at bay. Defenders need to accept the fact that their systems will be penetrated and deploy defensive strategies to deal with that inevitability.

One strategy is to combine behavioral analysis with big data to identify those internal threats.

Intruders that have penetrated a system can be very difficult to identify without some kind of machine assistance.

"Once they're inside, they'll look like regular employees, because they've hijacked an employee's credentials," Idan Tendler, CEO of Fortscale, told TechNewsWorld.

Intruders eventually engage in behaviors that give away their masquerade, though.

"The only way to identify these suspicious users is by profiling their behavior, by analyzing system logs that document their behavior," Tendler said.

The profiles can be used to establish a normal behavior pattern, and "from that, you can automatically spot abnormal behavior by users," he explained.
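As an added example that is not from the article or from Fortscale, the script below does in miniature what Tendler describes: it learns a per-account profile (source addresses, hosts, actions and hours of day) from a stretch of ordinary log activity, then scores later events against that profile and reports the ones that depart from it. The log lines, the key=value format and the thresholds are all constructed for the example.

```python
"""Baseline-and-deviation detection over authentication logs.

Added example, not from the article. The log lines are constructed in a
simple key=value format (real sources would be syslog, Windows event logs or
an identity provider's audit trail); the approach is the one the article
describes: learn what each account normally does, then flag what departs from it.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+) action=(?P<action>\S+)$"
)

# Constructed training data: a few days of ordinary activity.
BASELINE_LOG = """\
2014-10-06T09:12:44Z user=alice src=10.1.4.22 host=fileserver action=login
2014-10-06T10:30:02Z user=alice src=10.1.4.22 host=mail action=login
2014-10-07T14:05:19Z user=alice src=10.1.4.22 host=fileserver action=read
2014-10-08T17:40:51Z user=alice src=10.1.4.22 host=mail action=login
2014-10-06T08:50:13Z user=bob src=10.1.7.9 host=crm action=login
2014-10-07T13:20:40Z user=bob src=10.1.7.9 host=crm action=read
"""

# Constructed events to score: two ordinary, one that looks like hijacked credentials.
NEW_LOG = """\
2014-10-09T11:02:07Z user=alice src=10.1.4.22 host=mail action=login
2014-10-09T13:05:55Z user=bob src=10.1.7.9 host=crm action=login
2014-10-10T03:14:36Z user=alice src=203.0.113.45 host=hr-db action=bulk_export
"""


def parse(text):
    """Turn log text into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["hour"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
        events.append(e)
    return events


def build_baseline(events):
    """Per user: the sources, hosts, actions and hours of day seen so far."""
    profiles = defaultdict(lambda: {"src": set(), "host": set(), "action": set(), "hours": set()})
    for e in events:
        p = profiles[e["user"]]
        for field in ("src", "host", "action"):
            p[field].add(e[field])
        p["hours"].add(e["hour"])
    return dict(profiles)


def score_event(e, profiles, hour_slack=1):
    """List the ways `e` departs from its user's profile (empty = looks normal)."""
    p = profiles.get(e["user"])
    if p is None:
        return ["no baseline for user"]
    reasons = []
    for field in ("src", "host", "action"):
        if e[field] not in p[field]:
            reasons.append(f"new {field}: {e[field]}")
    lo, hi = min(p["hours"]) - hour_slack, max(p["hours"]) + hour_slack
    if not lo <= e["hour"] <= hi:
        reasons.append(f"off-hours activity at {e['hour']:02d}:00")
    return reasons


def find_anomalies(baseline_text, new_text, min_reasons=1):
    """Build profiles from the baseline log and return flagged events from the new log."""
    profiles = build_baseline(parse(baseline_text))
    flagged = []
    for e in parse(new_text):
        reasons = score_event(e, profiles)
        if len(reasons) >= min_reasons:
            flagged.append((e["user"], e["ts"], reasons))
    return flagged


if __name__ == "__main__":
    for user, ts, reasons in find_anomalies(BASELINE_LOG, NEW_LOG):
        print(f"{ts} {user}: " + "; ".join(reasons))
```

Raising `min_reasons` trades recall for precision: a single new host is routine when a team gets a new server, while a new source, a new host, a new action and an off-hours timestamp together on one account is the pattern Tendler describes as a masquerade giving itself away.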

Profiling Misbehavior

An added benefit of identifying intruders who've compromised an employee's credentials is that potential malware attacks also can be identified. For example, a large proportion of Advanced Persistent Threats -- 76 percent by some estimates -- eventually end up stealing credentials on a system.

"Why?" asked Tendler. "Once the malware infiltrates the enterprise, it hijacks credentials to be used for reconnaissance and exfiltration of information from the system."

Behavioral analysis also can be used to make perimeter defenses stronger.

"If you have a website that's public-facing, or a mobile app, you want to understand who your customer is -- because, as we've seen, passwords are becoming less and less effective," said NuData Security Director of Customer Success Ryan Wilk.

"You need better ways to find these anomalies to give a customer better insight into who is touching their website and how it's being used," he told TechNewsWorld, "so when an account or transaction is created, you can know if that account or transaction is valid."

Behavioral analysis can be a way for system defenders to see the bad trees in the forest of data moving through their networks every day.

"Bad behaviors will stand out drastically from good behaviors," Wilk said. "It's very easy to identify these artifacts when you're pulling together all this data, creating behavioral profiles and seeing what the anomalies are."