Security NEWS Bytes - RUPAM BHATTACHARYA

Security News bytes October 2013

null Bangalore Chapter - October 2013 Meet

Page 1: Security News bytes October 2013

Page 2

iPhone Fingerprint Authentication

Fingerprint authentication is a good balance between convenience and security for a mobile device.

Your fingerprint isn't a secret; you leave it everywhere you touch.

The fingerprint is also to be used for App Store purchases.

"If Apple is right that fingerprints never leave the device, that means the new iPhones will be sending some sort of authentication token to Apple servers to verify that the end user has produced a valid print," writes Dan Goodin in Ars Technica.

If attackers figure out a way to capture and replay users' valid tokens, it could lead to new ways for criminals to hijack user accounts.

Page 3

Signed Mac Malware Using Right-to-Left Override Trick

Right-to-left override (RLO) is a special character in the bi-directional text encoding system that marks the start of text to be displayed from right to left.

Here it is used simply to hide the real extension.

The malware is written in Python and uses py2app for distribution.

On execution the malware drops and opens a decoy document.

It then creates a cron job as its launch point and a hidden folder in the home directory of the infected user to store its components.

The malware then continuously takes screenshots and records audio (using the third-party software SoX) and uploads them to the command and control server. It also continuously polls the command and control server for commands to execute.

http://www.f-secure.com/weblog/archives/00002576.html
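A filename check a defender could run over downloaded files to expose this trick, as an added example (not F-Secure's or the author's code); the sample names in it are constructed to follow the same RLO pattern and are not the real malware's file names:

```python
"""Flag filenames that use Unicode bidi override characters (e.g. U+202E
RIGHT-TO-LEFT OVERRIDE) to make the real extension look like another one."""
import unicodedata

# Bidi classes of the explicit embedding/override/isolate control characters.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def is_bidi_control(ch: str) -> bool:
    return unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES


def real_extension(filename: str) -> str:
    """What the OS actually uses: the text after the last dot, controls removed."""
    clean = "".join(ch for ch in filename if not is_bidi_control(ch))
    _, dot, ext = clean.rpartition(".")
    return ext.lower() if dot else ""


def displayed_name(filename: str) -> str:
    """Approximate what a file browser shows: text after an RLO (U+202E) is
    rendered right-to-left (reversed) until a PDF (U+202C) or end of name.
    Real bidi layout is more involved; this is enough to expose the trick."""
    start = filename.find("\u202e")
    if start < 0:
        return "".join(ch for ch in filename if not is_bidi_control(ch))
    head, tail = filename[:start], filename[start + 1:]
    end = tail.find("\u202c")
    if end < 0:
        return head + tail[::-1]
    return head + tail[:end][::-1] + tail[end + 1:]


def analyse(filename: str) -> dict:
    """Compare the extension a user would see with the one that actually runs."""
    shown = displayed_name(filename)
    shown_ext = shown.rpartition(".")[2].lower() if "." in shown else ""
    real_ext = real_extension(filename)
    has_control = any(is_bidi_control(ch) for ch in filename)
    return {"displayed": shown, "shown_ext": shown_ext, "real_ext": real_ext,
            "suspicious": has_control and shown_ext != real_ext}


if __name__ == "__main__":
    # Constructed sample: stored name "Recent News.<RLO>fdp.app" is shown by a
    # naive viewer as "Recent News.ppa.pdf" although it is really a .app bundle.
    for name in ("Recent News.\u202efdp.app", "report.pdf"):
        print(repr(name), analyse(name))
```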

Page 4

Femtocell flaw leaves Verizon subscribers' Wi-Fi and mobile wide open

Femtocells are used to boost Wi-Fi and mobile signals within a household.

Security researchers have demonstrated a flaw in the Verizon Wireless Network Extender femtocell that allows it to be used for eavesdropping on cellphone, email, and internet traffic.

Up to 30 other network carriers use systems with software that can be hacked in the same way.

A hacked device could be placed in locales such as a restaurant frequented by high-value targets, and used to monitor data traffic that comes through the femtocell. The information can be stored and relayed back to the attacker using the adapted device, and used for further infiltration later.

Verizon's update fixes the problem.

http://www.theregister.co.uk/2013/07/15/femtocell_flaw_leaves_verizon_customers_wifi_and_mobile_wide_open/

Page 5

Remote Access Tool Takes Aim with Android APK Binder

Remote Access Tools (RATs) written in Java are capable of running on multiple operating systems.

Android OS is the latest target and is not immune to RATs.

The underground economy that caters to the needs of cybercriminals has created the first tools (called "binders") that easily allow users to repackage and Trojanize legitimate Android applications with AndroRAT, a free Android RAT.

AndroRAT can monitor and make phone calls and SMS messages, get the device’s GPS coordinates, activate and use the camera and microphone and access files stored on the device.

To date, Symantec has counted 23 cases of popular legitimate apps being Trojanized in the wild with AndroRAT.

http://www.symantec.com/connect/blogs/remote-access-tool-takes-aim-android-apk-binder

Page 6

New Java feature aims to manage multiple version problems

Older releases often contain flaws -- patched in later editions -- that remain susceptible to exploitation by bad actors now.

The problem with running a new version of Java is that some apps important to a business's operation may not work with it.

Java 7 Update 40 includes a feature that allows network administrators to create a Deployment Rule Set (DRS) that defines which version of Java an app should use.

Such definitions could allow critical internal apps to use older versions of Java, while forcing external apps -- those more likely to carry infections that exploit flaws in older editions -- to use the latest version.

Page 7

APPLE IMESSAGE OPEN TO MAN IN THE MIDDLE, SPOOFING ATTACKS

Apple controls the encryption key infrastructure for the system and therefore has the ability to read users' text messages, or to decrypt them and hand them over at the order of a government agency.

The researchers who looked at iMessage, known as Pod2g and GG, said that there is no evidence that Apple is in fact reading users' iMessages, but it is possible that the company could.

Users' AppleID passwords are also sent in clear text to the Apple servers.

Because the iMessages go through Apple's servers, Apple essentially has a man-in-the-middle position on all of the communications among those devices.

Apple does not use certificate pinning for iMessage, meaning that the system is open to a MiTM attack by outside attackers.

Courtesy – Threatpost

Page 8

Microsoft Security Bulletin MS13-081 - Critical

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

An attacker who successfully exploited these vulnerabilities could take complete control of an affected system.

The security update addresses these vulnerabilities by correcting the way that Windows handles specially crafted OpenType Font files and specially crafted TrueType Font (TTF) files, and by correcting the way that Windows handles objects in memory.

http://technet.microsoft.com/en-us/security/bulletin/ms13-081

Page 9

Snowden: NSA whacks US in the WALLET, slurps millions of contacts books

The National Security Agency is hurting the US economy with its "dragnet" surveillance, says uber-leaker Edward Snowden.

He also alleged, via The Washington Post, that the NSA has been slurping the contents of some 250 million electronic address books a year.

The agency grabs this data as it passes over major internet transit points, so it does not need to slurp it from internal Google or Yahoo! servers and therefore doesn't need to make an official request for the information.

There is evidence the NSA has been trying to smash internet encryption by performing man-in-the-middle attacks using compromised cryptographic certificates.

http://www.theregister.co.uk/2013/10/15/snowden_nsa_snooping_hurts_our_economy/

Page 10

'Thousands' of North Korea Cyber Attacks on South: Ministry Data

North Korea has staged thousands of cyber attacks against the South in recent years, causing financial losses of around $805 million, a Seoul lawmaker said, citing government data.

"A lot of data related to our national infrastructure, including chemical storage facilities and information relating to personal financial dealings have been stolen," ruling party MP Chung Hee-Soo said.

The attacks included website intrusions, malware deployments and the use of virus-carrying e-mails.

"Our military's cyber warfare ability to fend off such attacks...is incomparable to the North's, which is known to be one of the world's best," Chung said.

http://www.securityweek.com/thousands-north-korea-cyber-attacks-south-ministry-data

Page 11

FACEBOOK PRIVACY FEATURE GONE FOR GOOD

Earlier, users could choose who was allowed to search for their profiles by name: friends only, friends of friends, or everyone (the default option).

Late last year, the social networking giant removed the feature, called "Who can look up my Timeline by name?", for everyone that wasn't already using it.

On October 10th, Facebook said it will begin removing it for all other users as well, completely eliminating the functionality within the next couple of weeks.

Courtesy – Threatpost

Page 12

Managed security service providers face $40M liability exposures

Managed security service providers get paid by enterprise customers to stop malware or other kinds of cyberattacks, but if they fail, they face what’s often a multi-million-dollar liability.

If there’s a virus outbreak on the customer’s network, for example, there is a limited timeframe to respond to meet the legal requirements of that SLA. “We have timeframes we have to respond to, perhaps 30 seconds,” said Matthew Gyde, global general manager, security at Dimension Data.

Cisco last month announced that it also wants to expand into the managed security services arena, though the company didn’t specify what approach it will take.

“McAfee has extended their arms in good will to build a MSP program,” said Steve Duncan, vice president of security and strategy at Lumenate.

Page 13

RESEARCHERS NAB $28K IN MICROSOFT BUG BOUNTY PROGRAM

As part of its first-ever bounty program, Microsoft has paid out $28,000 to a small group of researchers who identified and reported vulnerabilities in Internet Explorer 11.

The IE 11 bounty program only ran for one month during the summer, but it attracted a number of submissions from well-known researchers.

Microsoft's program, outside of the IE 11 reward, is mainly geared toward paying for innovative attack techniques. The company is offering as much as $100,000 for offensive techniques that are capable of bypassing the latest exploit mitigation technologies on the newest version of Windows.

Page 14

Hacker cracks Vodafone Germany

A hack on a Vodafone Germany server has exposed the personal details, including banking information, of two million of its customers.

Hackers accessed names, addresses, bank account numbers and dates of birth.

It's unclear when the breach took place, but it appears to have involved a successful compromise of an internal server on Vodafone's network.

This case concerns only Vodafone Germany; other countries are not affected.

Page 15

REVAMPED YAHOO BUG BOUNTY PROGRAM ON THE WAY—T-SHIRTS NOT INCLUDED

Yahoo found itself in the throes of a mini scandal this week over two $12.50 Yahoo company store discount codes handed out to one researcher in thanks for turning in a pair of cross-site scripting bugs.

“If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means,” Kolochenko, High-Tech Bridge CEO said. “Otherwise, none of Yahoo’s customers can ever feel safe.”

Martinez acknowledged Kolochenko's distress in previewing the upcoming revised policy, which he said will reward individuals who identify "new, unique and/or high-risk issues" with payouts in the range of $150 to $15,000.

Previously, Martinez had personally acknowledged submissions with a Yahoo T-shirt—which he said he personally paid for—as well as a personal letter to the researcher certifying the find.

Page 16

PRIVATBANK MOBILE APP VULNERABLE TO ACCOUNT THEFT

Privat24, the mobile banking application for Ukraine’s largest commercial bank, contains an insufficient validation vulnerability in its iOS, Android, and Windows phone apps that could give an attacker the ability to steal money from user accounts after bypassing its two-factor authentication protection.

Once the application is installed and verified with the initial OTP to a particular device, users can access the application without overcoming that barrier of entry again.

An attacker would need a second attack, perhaps using malware or some sort of phishing scheme, to ascertain a user’s account password before being able to compromise the application and potentially steal money.

PrivatBank confirmed the problem.

Courtesy – Threatpost

Page 17

GOOGLE TO PAY REWARDS FOR PATCHES TO OPEN SOURCE PROJECTS

Google, one of the first companies to offer a significant bug bounty program, is extending its rewards to researchers and developers who contribute patches to a variety of open source projects that have an effect on the security of the project.

The new rewards will range from $500 to $3,133.70.

In order to qualify for a reward from Google, the patch submission from the developer has to have a "demonstrable, significant, and proactive impact on the security" of a given component.

Courtesy – Threatpost

Page 18

Security Events

SANS Bangalore 2013 - 14-26 October 2013

ISACA India Conference 2013 - 27-29 November 2013 - Chennai, India

IFSEC India 2013 - 5-7 December 2013 at India Expo Centre, Greater Noida, New Delhi (NCR)

Nullcon Goa 2014

CFP Opens: 1st September 2013

1st round of Speaker list Online: 10th October 2013

CFP Closing Date: 20th November 2013

Final Speakers List Online: 1st December 2013

Training Dates: 12th-13th February 2014

Conference Dates: 14th-15th February 2014

Secutech India 2014 - February 27-28 - March 01, 2014 - Mumbai