Stagefright not causing butterflies anymore

Subject: General Tech | July 29, 2015 - 01:02 PM |
Tagged: google, stagefright, security

The Stagefright media player vulnerability on Android-powered Nexus devices allowed remote code execution via an MMS containing a specially crafted media file. It made headlines everywhere even though it is incredibly unlikely the bug was ever used in an attack. Regardless, you no longer need to worry, as Google has crafted a patch and released it to the carriers. Keep an eye out this week and next for the update, and if you do not see it applied you should reach out to your carrier. More at The Inquirer.


"GOOGLE HAS SAID THAT THE STAGEFRIGHT PROBLEM is well in hand, and that it rushed to sort out the Android OS jitters before anything bad happened."

Here is some more Tech News from around the web:

Tech Talk

Source: The Inquirer

Don't go burning your motherboards but do be aware of this UEFI rootkit

Subject: General Tech | July 15, 2015 - 12:43 PM |
Tagged: uefi, security

Yet another revelation has come from the Hacking Team leak: a UEFI-based rootkit which can infect computers and survive AV scans and even a drive replacement. The rootkit is designed specifically for the UEFI BIOS built by Insyde, which is found primarily in laptops, Dell and HP models for example. Trend Micro suggested to The Register that this rootkit could also infect AMIBIOS-based UEFI, the type you are familiar with from desktop motherboards, but that has not been confirmed. Trend Micro also intimates that the rootkit could be installed remotely, but so far the evidence suggests physical access is required ... as flashing a BIOS tends to do. Using UEFI SecureFlash, or even flashing to the newest version, will also remove the kit, although depending on the solution your motherboard uses you may see error messages about updating from an unexpected or corrupt previous version. Keep safe out there and maybe keep the Flash to your BIOS for now.


"Hacking Team RCS spyware came pre-loaded with an UEFI (Unified Extensible Firmware Interface) BIOS rootkit to hide itself on infected systems, it has emerged following the recent hacking of the controversial surveillance firm."


Source: The Register

Hold the phones there Hola, you are making a profit off of my bandwidth?

Subject: General Tech | June 11, 2015 - 01:18 PM |
Tagged: security, vpn, hola, fud

If you are using the free VPN service from Hola you really need to find a different solution. Not only has it been plagued with security vulnerabilities, some of which they have addressed and some of which even they admit still exist, you will also unwittingly be providing exit nodes and bandwidth for anonymous surfers. To add insult to injury, those users pay $20/GB to Hola for use of your bandwidth and you will never see a penny of it. Hola's Luminati service lets paying customers surf the net anonymously by directing their traffic through anyone using the free VPN, or as Hola refers to it, the unblocking service. So not only is your bandwidth being used, you have no idea what traffic is actually exiting through your connection.

That is pretty much the exact opposite of a private network, and depending on what is being done and how well the traffic is monitored, you could well find yourself embroiled in an investigation you had no idea you were opening yourself up to. Check out more on this story at The Register.


"Embattled "free" VPN provider Hola is facing criticism over its practice of turning its users into exit nodes in a paid-for anonymisation service which can easily be used for nefarious activities. Hola's software is also claimed to include "unpatchable" vulnerabilities allowing takeover of user machines."


Source: The Register

MSE the next generation; Windows 10 Device Guard

Subject: General Tech | April 24, 2015 - 01:55 PM |
Tagged: windows 10, Device Guard, security, microsoft, IOMMU

The Register gleaned some details about Windows 10 Device Guard at RSA, but there is still a lot we do not know about it. It is an optional service that can be enabled by an administrator; it checks every application launched to see if it has been signed by Microsoft as a trusted binary before letting it run. While certainly good for security, it may cause some issues for developers who have not gone through the vetting process to have their app approved for the Microsoft Store. Device Guard is also separated from the WinX kernel, so if your machine does become infected, Device Guard will still not allow unsigned apps to run. You will need hardware which supports an input/output memory management unit (IOMMU) to use Device Guard; thankfully that technology is present on most current PC hardware, though not so prevalent on the mobile front.


"The details are a little vague – more information will emerge at the Build event next week – but from what we can tell, Device Guard wraps an extra layer of defense around the operating system to prevent malware from permanently compromising a PC."


Source: The Register

Psst, hey buddy I got some nice Android apps for you cheap! They just fell off the back of a truck ya know.

Subject: General Tech | March 25, 2015 - 12:25 PM |
Tagged: Android, security

If you are running a device with Android 4.3 or earlier you should avoid third-party app stores; arguably all users should, but there are times when Google Play does not offer what you need. A security problem with the way that APK files are authenticated during install can allow a seemingly harmless app to be modified, either at the source or while being transmitted, leading to the installation of an app that may not be entirely honest about what it does. Palo Alto Networks' testing shows versions 4.4+ do not suffer from this particular problem, nor do the vetted apps at the Google Play store. It is unlikely you will encounter this problem unless you usually install things from places like Creepy Ice Cream Van Discount Apps and Malware, but you should be aware of the existence of this issue. More at The Inquirer.
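The installer problem described above boils down to a check-then-use gap: an APK that sits in a location other apps can write to is verified, and then the bytes that actually get installed are read again later. The added example below is not Android's installer code or Palo Alto Networks' research; it is a constructed simulation that contrasts an installer which verifies the file in the shared location with one which first copies the file into a private staging directory, verifies that copy, and installs only from it. The `tamper` callback, the file names and the digests are all constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def install_unsafe(shared_apk: str, expected_sha256: str, install_dir: str, tamper=None):
    """Verify the APK where it lies (a world-writable spot), then read it again to install.
    Returns (status, sha256_of_what_was_installed)."""
    if sha256_file(shared_apk) != expected_sha256:
        return ("rejected", None)
    # Window between check and use: another process may rewrite the shared file here.
    if tamper is not None:
        tamper(shared_apk)
    final = os.path.join(install_dir, "app.apk")
    shutil.copyfile(shared_apk, final)          # installs whatever is on disk *now*
    return ("installed", sha256_file(final))


def install_safe(shared_apk: str, expected_sha256: str, install_dir: str, tamper=None):
    """Copy into a private staging directory first, verify that copy, install that copy.
    A writer to the shared location can no longer change what gets verified and installed."""
    staging = tempfile.mkdtemp(prefix="staging-", dir=install_dir)
    staged = os.path.join(staging, "app.apk")
    shutil.copyfile(shared_apk, staged)
    if tamper is not None:
        tamper(shared_apk)                      # same timing as above, now harmless
    if sha256_file(staged) != expected_sha256:
        shutil.rmtree(staging)
        return ("rejected", None)
    final = os.path.join(install_dir, "app.apk")
    os.replace(staged, final)                   # atomic move within the private dir
    shutil.rmtree(staging)
    return ("installed", sha256_file(final))


def demo(scenario: str):
    """Run one scenario end to end in temp dirs; returns (status, installed_hash, expected_hash)."""
    good = b"PK\x03\x04 constructed benign APK bytes"      # constructed sample content
    evil = b"PK\x03\x04 constructed swapped-in APK bytes"  # constructed sample content
    expected = hashlib.sha256(good).hexdigest()
    shared_dir = tempfile.mkdtemp(prefix="shared-")
    install_dir = tempfile.mkdtemp(prefix="install-")
    shared_apk = os.path.join(shared_dir, "download.apk")
    with open(shared_apk, "wb") as f:
        f.write(good)

    def swap(path):  # simulates a malicious app rewriting the downloaded file mid-install
        with open(path, "wb") as f:
            f.write(evil)

    installer = install_unsafe if scenario == "unsafe" else install_safe
    try:
        status, got = installer(shared_apk, expected, install_dir, tamper=swap)
    finally:
        shutil.rmtree(shared_dir)
        shutil.rmtree(install_dir)
    return (status, got, expected)


if __name__ == "__main__":
    for name in ("unsafe", "safe"):
        status, got, expected = demo(name)
        print(name, status, "installed matches verified:", got == expected)
```

The unsafe path reports "installed" yet the bytes on disk are the swapped-in file; the safe path installs exactly what it verified. Verifying a copy in a location only the installer can write to is the general rule, whatever the platform.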


"A FRESH VULNERABILITY CALLED Android Installer Hijacking is making itself known as a threat to almost half of all Android users."


Source: The Inquirer

Since TLS connections mostly ignore OCSP, Firefox is creating yet another solution

Subject: General Tech | March 5, 2015 - 01:46 PM |
Tagged: security, OneCRL, irony, firefox, CRLSet, chrome

It seems somehow strange that the vast majority of 'secure' connections still completely ignore what were developed as industry standards to ensure security, in favour of creating their own solutions, but that is the world a security professional lives in. The basic design of OCSP carries with it a lot of extra bandwidth usage, and while maintaining a time-limited local cache of the response, referred to as stapling, would ameliorate this, your TLS connection is not likely to support that solution. Instead of fixing the root cause and utilizing existing standards, it would seem that Firefox 37 will start a brand new solution: maintaining a list of revoked certificates, ironically called OneCRL, which will be pushed out to Firefox users, duplicating the CRLSet which Chrome has already developed and maintains.

This is good for the end user in that it does add security to their browsing session, but for those truly worried about attempting to make the net a safer place it offers yet another list to keep track of, and for attackers yet another vector of attack. At some point we will have to stop referring to standards when referencing networking technology. Pore through the links on the Slashdot post and read through the comments to share in the frustration, or to familiarize yourself with these concepts if the acronyms are unfamiliar.


"The next version of Firefox will roll out a 'pushed' blocklist of revoked intermediate security certificates, in an effort to avoid using 'live' Online Certificate Status Protocol (OCSP) checks. The 'OneCRL' feature is similar to Google Chrome's CRLSet, but like that older offering, is limited to intermediate certificates, due to size restrictions in the browser."


Source: Slashdot

SIM card maker Gemalto apparently now holds the world's record for fastest security audit?

Subject: General Tech | February 26, 2015 - 01:02 PM |
Tagged: Gemalto, SIM, encryption, fud, security

In just under a week SIM card maker Gemalto claims to have done a complete security audit of their systems in 85 different countries and reports that "its office networks were compromised, the servers holding the SIM card encryption keys weren't." This is a record worthy of Guinness, as most security audits take months or years to complete and the findings tend to discuss probabilities, not absolute certainties. As you might expect, The Register and security experts everywhere are doubtful of the claims: a company that did not even know it was compromised less than a week ago now asserts that the UK-based GCHQ and US-based NSA are unable to compromise your SIM card's encryption when they have the keys in hand. It has not been a good week for anyone who thinks about security.


"Six days ago Gemalto, the world's largest SIM card manufacturer, was told that back in 2010 it had been ransacked by NSA and GCHQ hackers. Today the company gave itself the all-clear: no encryption keys, used to secure phone calls from eavesdroppers, were stolen, it claims."


Source: The Inquirer

Roll over Superfish, PrivDog is just as bad but doesn't come directly from Comodo

Subject: General Tech | February 25, 2015 - 12:36 PM |
Tagged: SSL, security, PrivDog, idiots, fud, Comodo

This has been a bad week for the secure socket layer and the news just keeps getting worse. Comodo provides around one out of every three SSL certs currently in use, as they have, until now, had a sterling reputation and were a trusted provider. It turns out that this reputation may not be deserved, seeing as how their Internet Security 2014 product ships with an application called Adtrustmedia PrivDog, which is enabled by default. Not only does this app install a custom root CA certificate which intercepts connections to websites so it can insert customized ads, as SuperFish does, it can also turn invalid HTTPS certificates into valid ones. That means an attacker can use PrivDog to spoof your bank's SSL cert, redirect you to a fake page and grab your credentials, while all the time your browser reports a valid and secure connection to the site.

The only good news from The Register's article is that this specific vulnerability is only present in PrivDog versions 3.0.96.0 and 3.0.97.0, and so has limited distribution. That this indicates the entire SSL certificate model is broken, and that even those who create the certs to assure your security feel that inserting a man-in-the-middle into their software does not contravene their entire reason for existing, is incredibly depressing.

Update: The Register's article was originally based on research from Hanno Böck, who referred to PrivDog as being distributed by Comodo. Comodo does not distribute the standalone desktop version of PrivDog, only the browser extension, which was never vulnerable to the TLS interception.


"The US Department of Homeland Security's cyber-cops have slapped down PrivDog, an SSL tampering tool backed by, er, SSL certificate flogger Comodo.

Comodo, a global SSL authority, boasts a third of the HTTPS cert market, and is already in hot water for shipping PrivDog."


Source: The Register

Your aggregate battery consumption isn't Li-On about your location

Subject: General Tech | February 24, 2015 - 12:56 PM |
Tagged: fud, security, smartphone

Tracking your smartphone's location via aggregate battery usage is not the most efficient or accurate method, but it can be done, and Samsung (and others) have not provided a switch which makes that particular data private. Researchers have shown that by tracking the battery drain of the 3G cellular radio one can determine the distance from the cellular base station the phone is connected to, and a coarse location based on environmental interference factors such as buildings which partially block the signal. It is only a very coarse locator, but it does give better information than just the base station the phone is connected to, and as we are creatures of habit it allows tracking normal patterns of movement. This is nowhere near as accurate as GPS tracking and does require a bit of work to pull off, but as battery usage and levels are sent by the phone in the clear, with no method of preventing that, it should cause some privacy concerns for users. You can read the research paper (in PDF) by following the link from The Inquirer.


"SCIENTISTS have warned of a new smartphone risk after discovering that battery power can be used to track a person's movements."


Source: The Inquirer

Just wait, blacklisting dangerous root certificates will lead to a legal battle

Subject: General Tech | February 23, 2015 - 01:35 PM |
Tagged: superfish, mozilla, komodia, security

Firefox can remove any threat that Superfish presents with a simple step and 24 hours; indeed, they could prevent any similar issue involving a questionable or downright poisonous SSL certificate simply by blacklisting it. In this Register article they specifically cite the ability of OneCRL to block even obfuscated certs before the Network Security Services level, provided the certs are properly recorded on the blacklist. This would lead to a much more secure web, requiring attackers to invest significantly more effort when attempting to create fake or dangerous SSL certs. There is a flip side to this, for there are those who may attempt to have valid certs added to the blacklist, so there must be a way of policing the list and a way to remove certs which should not be on it, whether they were placed there in error or because of a change in the software associated with that certificate. It is also likely that there will be court cases attempting to have the blacklist removed if it does come into being, as Superfish is not the only business out there whose business model requires phishing, or at least a way around proper SSL certification and best practices, which will no longer be viable if we are allowed to block their mutant SSL certs.
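Both the OneCRL post above and this one describe the same mechanism: a pushed blocklist that the browser consults for every certificate in a chain, including intermediates and roots, instead of asking OCSP live. The added example below is not Mozilla's OneCRL code or its data format; it is a constructed model of how such a check works, using two ways of keying an entry that match the two cases the posts raise. An entry keyed by issuer name plus serial number pins one specific certificate (the usual revocation case), while an entry keyed by subject plus public-key hash catches a root like Superfish's even if it is re-issued with a new serial. The certificate fields, the `Cert` and `BlockEntry` types and the sample chains are all constructed for the demonstration, with the public key standing in for a real DER SubjectPublicKeyInfo.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    public_key: bytes       # would be the DER SubjectPublicKeyInfo on a real certificate


@dataclass(frozen=True)
class BlockEntry:
    """One blocklist entry; exactly one keying mode is populated."""
    issuer: Optional[str] = None
    serial: Optional[int] = None
    subject: Optional[str] = None
    pubkey_hash: Optional[str] = None   # hex SHA-256 of the public key


def pubkey_hash(cert: Cert) -> str:
    return hashlib.sha256(cert.public_key).hexdigest()


def entry_matches(entry: BlockEntry, cert: Cert) -> bool:
    if entry.issuer is not None:
        # Revocation of one specific certificate: issuer + serial.
        return cert.issuer == entry.issuer and cert.serial == entry.serial
    # Blocking a key, whatever serial it is reissued under: subject + public-key hash.
    return cert.subject == entry.subject and pubkey_hash(cert) == entry.pubkey_hash


def first_blocked(chain: List[Cert], blocklist: List[BlockEntry]) -> Optional[Cert]:
    """Walk the chain (leaf first) and return the first certificate on the blocklist,
    or None if the whole chain is clear. Blocking any link blocks the chain."""
    for cert in chain:
        for entry in blocklist:
            if entry_matches(entry, cert):
                return cert
    return None


# Constructed sample data: a legitimate chain and one anchored in a locally installed
# interception root. Names are invented for the example.
PUBLIC_ROOT = Cert("CN=Example Public Root CA", "CN=Example Public Root CA", 1, b"root-key-A")
PUBLIC_INT = Cert("CN=Example Intermediate CA", "CN=Example Public Root CA", 2001, b"int-key-A")
BANK_LEAF = Cert("CN=bank.example", "CN=Example Intermediate CA", 30001, b"leaf-key-A")

MITM_ROOT = Cert("CN=Adware Interception Root", "CN=Adware Interception Root", 1, b"mitm-key-X")
MITM_ROOT_REISSUED = Cert("CN=Adware Interception Root", "CN=Adware Interception Root", 2, b"mitm-key-X")
FORGED_LEAF = Cert("CN=bank.example", "CN=Adware Interception Root", 77, b"leaf-key-B")

BLOCKLIST = [
    # Key-based entry: blocks the interception root under any serial.
    BlockEntry(subject=MITM_ROOT.subject, pubkey_hash=pubkey_hash(MITM_ROOT)),
    # Serial-based entry: a specific intermediate that was revoked (constructed).
    BlockEntry(issuer="CN=Example Public Root CA", serial=2002),
]


def check(chain: List[Cert]) -> str:
    hit = first_blocked(chain, BLOCKLIST)
    return "accepted" if hit is None else f"blocked by {hit.subject} (serial {hit.serial})"


if __name__ == "__main__":
    print(check([BANK_LEAF, PUBLIC_INT, PUBLIC_ROOT]))
    print(check([FORGED_LEAF, MITM_ROOT]))
    print(check([FORGED_LEAF, MITM_ROOT_REISSUED]))
```

The key-hash entry is what makes the second and third chains both fail even though the root's serial changed between them; an issuer-plus-serial entry alone would have let the re-issued root through. That distinction is also why a blocklist needs the policing the post calls for: an entry keyed by public key is broad, and a mistaken one blocks every certificate under that key.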


"Firefox-maker Mozilla may neuter the likes of Superfish by blacklisting dangerous root certificates revealed less than a week ago to be used in Lenovo laptops."


Source: The Register