Security News bytes October 2013

8,502 views

Published on

null Banglaore Chapter - October 2013 Meet

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
8,502
On SlideShare
0
From Embeds
0
Number of Embeds
440
Actions
Shares
0
Downloads
10
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Security News bytes October 2013

  1. 1. Security NEWS Bytes RUPAM BHATTACHARYA
  2. 2. iPhone Fingerprint Authentication  Fingerprint authentication is a good balance between convenience and security for a mobile device.  Your fingerprint isn't a secret; you leave it everywhere you touch.  Fingerprint to be used for AppStore purchases.  "If Apple is right that fingerprints never leave the device, that means the new iPhones will be sending some sort of authentication token to Apple servers to verify that the end user has produced a valid print,"writes Dan Goodin in Ars Technica  If attackers figure out a way to capture and replay users' valid tokens, it could lead to new ways for criminals to hijack user accounts
  3. 3. Signed Mac Malware Using Rightto-Left Override Trick  Right-to-left override (RLO) is a special character used in bi-directional text encoding system to mark the start of text that are to be displayed from right to left.  Here it's simply to hide the real extension.  The malware is written in Python and it uses py2app for distribution.  The malware drops and open a decoy document on execution.  Then it creates a cron job for its launch point and a hidden folder in the home directory of the infected user to store its components.  The malware then continuously takes screen shots and records audio (using a third party software called SoX) and uploads them to the command and control server. It also continuously polls the command and control server for commands to execute.  http://www.f-secure.com/weblog/archives/00002576.html
  4. 4. Femtocell flaw leaves Verizon subscribers' Wi-Fi and mobile wide open  Femtocells are used to boost Wi-Fi and mobile signals within a household.  Security researchers have demonstrated a flaw in femtocells using Verizon Wireless Network Extender that allows them to be used for eavesdropping on cellphone, email, and internet traffic.  Up to 30 other network carriers use systems with software that can be hacked in the same way.  A hacked device could be placed in locales such as a restaurant frequented by high-value targets, and used to monitor data traffic that comes through the femtocell. The information can be stored and relayed back to the attacker using the adapted device, and used for further infiltration later.  Verizon's update fixes the problem.  http://www.theregister.co.uk/2013/07/15/femtocell_flaw_leaves_verizon_custom ers_wifi_and_mobile_wide_open/
  5. 5. Remote Access Tool Takes Aim with Android APK Binder       Remote Access Tools (RAT) written in Java that are capable of running on multiple operating systems. Android OS is the latest target and is not immune to RATs. Underground economy that caters to the needs of cybercriminals has created the first tools (called “binders”) that easily allow users to repackage and Trojanize legitimate Android applications with AndroRAT, a free Android RAT. AndroRAT can monitor and make phone calls and SMS messages, get the device’s GPS coordinates, activate and use the camera and microphone and access files stored on the device. To date, Symantec has counted 23 cases of popular legitimate apps being Trojanized in the wild with AndroRAT. http://www.symantec.com/connect/blogs/remote-access-tool-takesaim-android-apk-binder
  6. 6. New Java feature aims to manage multiple version problems  Older releases often contain flaws -- patched in later editions -- that remain susceptible to exploitation by bad actors now.  The problem with running a new version of Java is that some apps important to a business's operation may not work with it.  Java 7 Update 40 include allowing network administrators to create a Deployment Rule Set (DRS) that defines which version of Java an app should use.  Such definitions could allow critical internal apps to use older versions of Java, while forcing external apps -- those more likely to carry infections that exploit flaws in older editions -- to use the latest version.
  7. 7. APPLE IMESSAGE OPEN TO MAN IN THE MIDDLE, SPOOFING ATTACKS  Apple controls the encryption key infrastructure for the system and therefore has the ability to read users’ text messages–or decrypt them and hand them over at the order of a government agency.  The researchers who looked at iMessage, known as Pod2g and GG, said that there is no evidence that Apple is in fact reading users’ iMessages, but it’s possible that the company could.  Users’ AppleID passwords also are sent in clear text to the Apple servers.  Because the iMessages go through Apple’s servers, they essentially have a man-in-the-middle position on all of the communications among those devices.  Apple does not use certificate pinning for iMessage, meaning that the system is open to a MiTM attack by outside attackers.  Courtesy – Threatpost
  8. 8. Microsoft Security Bulletin MS13-081 - Critical  Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution  An attacker who successfully exploited these vulnerabilities could take complete control of an affected system.  The security update addresses these vulnerabilities by correcting the way that Windows handles specially crafted OpenType Font files and specially crafted TrueType Font (TTF) files, and by correcting the way that Windows handles objects in memory.  http://technet.microsoft.com/en-us/security/bulletin/ms13-081
  9. 9. Snowden: NSA whacks US in the WALLET, slurps millions of contacts books      The National Security Agency is hurting the US economy with its "dragnet" surveillance, says uber-leaker Edward Snowden. He also alleged, via The Washington Post, that the NSA has been slurping the contents of some 250 million electronic address books a year. The agency grabs this data as it passes over major internet transit points, so it does not need to slurp it from internal Google or Yahoo! servers and therefore doesn't need to make an official request for the information. There is evidence the NSA has been trying to smash internet encryption by performing man-in-the-middle attacks using compromised cryptographic certificates. http://www.theregister.co.uk/2013/10/15/snowden_nsa_snooping_hurts _our_economy/
  10. 10. 'Thousands' of North Korea Cyber Attacks on South: Ministry Data  North Korea has staged thousands of cyber attacks against the South in recent years, causing financial losses of around $805 million, a Seoul lawmaker said citing government data.  "A lot of data related to our national infrastructure, including chemical storage facilities and information relating to personal financial dealings have been stolen," ruling party MP Chung Hee-Soo said.  The attacks included website intrusions, malware deployments and the use of virus-carrying e-mails.  "Our military's cyber warfare ability to fend off such attacks...is incomparable to the North's, which is known to be one of the world's best," Chung said.  http://www.securityweek.com/thousands-north-korea-cyber-attackssouth-ministry-data
  11. 11. FACEBOOK PRIVACY FEATURE GONE FOR GOOD  Earlier, users could choose who was allowed to search for their profiles by name: friends only, friends of friends, or everyone (the default option).  Late last year, the social networking giant removed the feature – called “Who can look up my Timeline by name?” – for everyone that wasn’t already using it.  October 10th, Facebook said they will begin removing it for all other users as well, completely eliminating the functionality within the next couple of weeks.  Courtesy – Threatpost
  12. 12. Managed security service providers face $40M liability exposures  Managed security service providers get paid by enterprise customers to stop malware or other kinds of cyberattacks, but if they fail, they face what’s often a multi-million-dollar liability.  If there’s a virus outbreak on the customer’s network, for example, there is a limited timeframe to respond to meet the legal requirements of that SLA. “We have timeframes we have to respond to, perhaps 30 seconds,” said Matthew Gyde, global general manager, security at Dimension Data.  Cisco last month announced that it also wants to expand into the managed security services arena, though the company didn’t specify what approach it will take.  “McAfee has extended their arms in good will to build a MSP program,” said Steve Duncan, vice president of security and strategy at Lumenate.
  13. 13. RESEARCHERS NAB $28K IN MICROSOFT BUG BOUNTY PROGRAM  As part of its first-ever bounty program, Microsoft has paid out $28,000 to a small group of researchers who identified and reported vulnerabilities in Internet Explorer 11.  The IE 11 bounty program only ran for one month during the summer, but it attracted a number of submissions from well-known researchers.  Microsoft’s program–outside of the IE 11 reward–is mainly geared toward paying for innovative attack techniques. The company is offering as much as $100,000 for offensive techniques that are capable of bypassing the latest exploit mitigation technologies on the newest version of Windows.
  14. 14. Hacker cracks Vodafone Germany  A hack on a Vodafone Germany server has exposed the personal details – including banking information – of two million of its customers.  Hackers accessed names, addresses, bank account numbers and dates of birth.  It's unclear when the breach took place, but it appears to have involved a successful compromise of an internal server on Vodafone's network.  This case concerns only Vodafone Germany, other countries are not affected,
  15. 15. REVAMPED YAHOO BUG BOUNTY PROGRAM ON THE WAY—T-SHIRTS NOT INCLUDED  Yahoo found itself in the throes of a mini scandal this week over two $12.50 Yahoo company store discount codes handed out to one researcher in thanks for turning in a pair of cross-site scripting bugs.  “If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means,” Kolochenko, High-Tech Bridge CEO said. “Otherwise, none of Yahoo’s customers can ever feel safe.”  Martinez acknowledged Kolochenko’s distress in previewing the upcoming revised policy, that he said will reward individuals who identify “new, unique and/or high-risk issues” with payouts in the range of $150 to $15,000.  Previously, Martinez had personally acknowledged submissions with a Yahoo T-shirt—which he said he personally paid for—as well as a personal letter to the researcher certifying the find.
  16. 16. PRIVATBANK MOBILE APP VULNERABLE TO ACCOUNT THEFT      Privat24, the mobile banking application for Ukraine’s largest commercial bank, contains an insufficient validation vulnerability in its iOS, Android, and Windows phone apps that could give an attacker the ability to steal money from user accounts after bypassing its two-factor authentication protection. Once the application is installed and verified with the initial OTP to a particular device, users can access the application without overcoming that barrier of entry again. An attacker would need a second attack, perhaps using malware or some sort of phishing scheme, to ascertain a user’s account password before being able to compromise the application and potentially steal money. PrivatBank confirmed the problem. Courtesy – Threatpost
  17. 17. GOOGLE TO PAY REWARDS FOR PATCHES TO OPEN SOURCE PROJECTS  Google, one of the first companies to offer a significant bug bounty program, is extending its rewards to researchers and developers who contribute patches to a variety of open source projects and have an effect on the security of the project.  The new rewards will range from $500 to $3,133.70  In order to qualify for a reward from Google, the patch submission from the developer has to have a “demonstrable, significant, and proactive impact on the security” of a given component.  Courtesy – Threatpost
  18. 18. Security Events  SANS Bangalore 2013 - 14–26 October 2013  ISACA India Conference 2013 - 27–29 November 2013 - Chennai, India  IFSEC India 2013 - 5-7 December 2013 at India Expo Centre, Greater Noida, New Delhi (NCR)  Nullcon Goa 2014 –   CFP Opens: 01st September 2013 1st round of Speaker list Online: 10th October 2013 CFP Closing Date: 20th November 2013 Final speakers List online: 01th December 2013 Training Dates: 12th-13th February 2014 Conference Dates: 14st-15nd February 2014 Secutech India 2014 - February 27-28 - March 01, 2014 – Mumbai

×