null Bangalore Chapter - October 2013 Meet
Security NEWS Bytes RUPAM BHATTACHARYA
iPhone Fingerprint Authentication
Fingerprint authentication is a good balance between
convenience and security for a mobile device.
Your fingerprint isn't a secret; you leave it everywhere you touch.
Fingerprint to be used for AppStore purchases.
"If Apple is right that fingerprints never leave the device, that means the new iPhones will be sending some sort of authentication token to Apple servers to verify that the end user has produced a valid print," writes Dan Goodin in Ars Technica.
If attackers figure out a way to capture and replay users' valid tokens, it could lead to new ways for criminals to hijack user accounts.
Signed Mac Malware Using Right-to-Left Override Trick
Right-to-left override (RLO) is a special character used in bi-directional text encoding systems to mark the start of text that is to be displayed from right to left.
Here it is used simply to hide the real file extension: the characters after the RLO are rendered reversed, so the extension the user sees is not the one the operating system acts on.
The malware is written in Python and it uses py2app for distribution.
The malware drops and opens a decoy document on execution.
Then it creates a cron job for its launch point and a hidden folder in the home directory of the infected user to store its components.
The malware then continuously takes screen shots and records audio (using a third party software called SoX) and uploads them to the command and control server. It also continuously polls the command and control server for commands to execute.
http://www.f-secure.com/weblog/archives/00002576.html
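As an added illustration (not code from the original slide or from the F-Secure write-up), a small Python check a defender could run over attachment or download filenames: it flags Unicode bidirectional control characters and shows how the extension the OS uses differs from the one a bidi-aware renderer would display. The sample filenames are constructed for the example.

```python
import os
import unicodedata

# Unicode bidirectional control characters. They change how a filename is
# rendered but not the bytes the OS uses to choose a file handler.
BIDI_CONTROLS = frozenset(
    ["\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
     "\u2066", "\u2067", "\u2068", "\u2069"]            # LRI, RLI, FSI, PDI
)
RLO = "\u202e"

def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware UI shows: the run after the first RLO is
    drawn reversed. Only this single-RLO case, the one the trick relies on,
    is modelled; nested or mixed controls are not."""
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name

def check_filename(name: str) -> dict:
    """Report which bidi controls are present and whether the visible
    extension differs from the extension the OS actually uses."""
    controls = [c for c in name if c in BIDI_CONTROLS]
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext = os.path.splitext(stripped)[1].lower()
    shown_ext = os.path.splitext(displayed_name(name))[1].lower()
    return {
        "has_bidi_controls": bool(controls),
        "controls": [unicodedata.name(c) for c in controls],
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "extension_mismatch": bool(controls) and real_ext != shown_ext,
    }

def scan(names):
    """Return the filenames that carry any bidi control character."""
    return [n for n in names if check_filename(n)["has_bidi_controls"]]

# Constructed sample filenames (hypothetical, not taken from the F-Secure report).
SAMPLE_NAMES = [
    "notes.txt",
    "report\u202efdp.app",   # renders roughly as "reportppa.pdf"
    "photo\u202egnp.scr",    # renders roughly as "photorcs.png"
    "quarterly.pdf",
]

if __name__ == "__main__":
    for n in scan(SAMPLE_NAMES):
        r = check_filename(n)
        print(repr(n), r["controls"], "shown as", r["displayed_extension"],
              "really", r["real_extension"])
```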
Femtocell flaw leaves Verizon subscribers' Wi-Fi and mobile wide open
Femtocells are used to boost Wi-Fi and mobile signals within a household.
Security researchers have demonstrated a flaw in femtocells using Verizon Wireless Network Extender that allows them to be used for eavesdropping on cellphone, email, and internet traffic.
Up to 30 other network carriers use systems with software that can be hacked in the same way.
A hacked device could be placed in locales such as a restaurant frequented by high-value targets, and used to monitor data traffic that comes through the femtocell. The information can be stored and relayed back to the attacker using the adapted device, and used for further infiltration later.
Verizon's update fixes the problem.
http://www.theregister.co.uk/2013/07/15/femtocell_flaw_leaves_verizon_customers_wifi_and_mobile_wide_open/
Remote Access Tool Takes Aim with Android APK Binder
Remote Access Tools (RATs) written in Java are capable of running on multiple operating systems.
Android OS is the latest target and is not immune to RATs.
The underground economy that caters to the needs of cybercriminals has created the first tools (called “binders”) that easily allow users to repackage and Trojanize legitimate Android applications with AndroRAT, a free Android RAT.
AndroRAT can monitor and make phone calls and SMS messages, get the device’s GPS coordinates, activate and use the camera and microphone and access files stored on the device.
To date, Symantec has counted 23 cases of popular legitimate apps being Trojanized in the wild with AndroRAT.
http://www.symantec.com/connect/blogs/remote-access-tool-takes-aim-android-apk-binder
New Java feature aims to manage multiple version problems
Older releases often contain flaws -- patched in later editions -- that
remain susceptible to exploitation by bad actors now.
The problem with running a new version of Java is that some apps
important to a business's operation may not work with it.
Java 7 Update 40 includes a feature that allows network administrators to create a Deployment Rule Set (DRS) that defines which version of Java an app should use.
Such definitions could allow critical internal apps to use older
versions of Java, while forcing external apps -- those more likely to
carry infections that exploit flaws in older editions -- to use the latest
version.
APPLE IMESSAGE OPEN TO MAN IN THE MIDDLE, SPOOFING ATTACKS
Apple controls the encryption key infrastructure for the system and
therefore has the ability to read users’ text messages–or decrypt them and hand them over at the order of a government agency.
The researchers who looked at iMessage, known as Pod2g and GG, said that there is no evidence that Apple is in fact reading users’ iMessages, but it’s possible that the company could.
Users’ AppleID passwords also are sent in clear text to the Apple servers.
Because iMessages go through Apple’s servers, Apple essentially has a man-in-the-middle position on all of the communications among those devices.
Apple does not use certificate pinning for iMessage, meaning that the system is open to a MiTM attack by outside attackers.
Courtesy – Threatpost
Microsoft Security Bulletin MS13-081 - Critical
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
An attacker who successfully exploited these vulnerabilities could
take complete control of an affected system.
The security update addresses these vulnerabilities by correcting the
way that Windows handles specially crafted OpenType Font files and specially crafted TrueType Font (TTF) files, and by correcting the
way that Windows handles objects in memory.
http://technet.microsoft.com/en-us/security/bulletin/ms13-081
Snowden: NSA whacks US in the WALLET, slurps millions of contacts books
The National Security Agency is hurting the US economy with its "dragnet" surveillance, says uber-leaker Edward Snowden.
He also alleged, via The Washington Post, that the NSA has been slurping the contents of some 250 million electronic address books a year.
The agency grabs this data as it passes over major internet transit points, so it does not need to slurp it from internal Google or Yahoo! servers and therefore doesn't need to make an official request for the information.
There is evidence the NSA has been trying to smash internet encryption by performing man-in-the-middle attacks using compromised cryptographic certificates.
http://www.theregister.co.uk/2013/10/15/snowden_nsa_snooping_hurts_our_economy/
'Thousands' of North Korea Cyber Attacks on South: Ministry Data
North Korea has staged thousands of cyber attacks against the South in recent years, causing financial losses of around $805 million, a Seoul lawmaker said citing government data.
"A lot of data related to our national infrastructure, including chemical storage facilities and information relating to personal financial dealings have been stolen," ruling party MP Chung Hee-Soo said.
The attacks included website intrusions, malware deployments and the use of virus-carrying e-mails.
"Our military's cyber warfare ability to fend off such attacks...is incomparable to the North's, which is known to be one of the world's best," Chung said.
http://www.securityweek.com/thousands-north-korea-cyber-attacks-south-ministry-data
FACEBOOK PRIVACY FEATURE GONE FOR GOOD
Earlier, users could choose who was allowed to search for their
profiles by name: friends only, friends of friends, or everyone (the
default option).
Late last year, the social networking giant removed the feature –
called “Who can look up my Timeline by name?” – for everyone
that wasn’t already using it.
On October 10th, Facebook said it will begin removing the setting for all other users as well, completely eliminating the functionality within the next couple of weeks.
Courtesy – Threatpost
Managed security service providers face $40M liability exposures
Managed security service providers get paid by enterprise customers to stop malware or other kinds of cyberattacks, but if they fail, they face what’s often a multi-million-dollar liability.
If there’s a virus outbreak on the customer’s network, for example, there is a limited timeframe to respond to meet the legal requirements of that SLA. “We have timeframes we have to respond to, perhaps 30 seconds,” said Matthew Gyde, global general manager, security at Dimension Data.
Cisco last month announced that it also wants to expand into the managed security services arena, though the company didn’t specify what approach it will take.
“McAfee has extended their arms in good will to build a MSP program,” said Steve Duncan, vice president of security and strategy at Lumenate.
RESEARCHERS NAB $28K IN MICROSOFT BUG BOUNTY PROGRAM
As part of its first-ever bounty program, Microsoft has paid out
$28,000 to a small group of researchers who identified and reported
vulnerabilities in Internet Explorer 11.
The IE 11 bounty program only ran for one month during the
summer, but it attracted a number of submissions from well-known
researchers.
Microsoft’s program–outside of the IE 11 reward–is mainly geared
toward paying for innovative attack techniques. The company is
offering as much as $100,000 for offensive techniques that are
capable of bypassing the latest exploit mitigation technologies on the newest version of Windows.
Hacker cracks Vodafone Germany
A hack on a Vodafone Germany server has exposed the personal
details – including banking information – of two million of its
customers.
Hackers accessed names, addresses, bank account numbers and
dates of birth.
It's unclear when the breach took place, but it appears to have involved a successful compromise of an internal server on Vodafone's network.
This case concerns only Vodafone Germany; other countries are not affected.
REVAMPED YAHOO BUG BOUNTY PROGRAM ON THE WAY—T-SHIRTS NOT INCLUDED
Yahoo found itself in the throes of a mini scandal this week over two $12.50 Yahoo company store discount codes handed out to one researcher in thanks for turning in a pair of cross-site scripting bugs.
“If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means,” Kolochenko, High-Tech Bridge CEO said. “Otherwise, none of Yahoo’s customers can ever feel safe.”
Martinez acknowledged Kolochenko’s distress in previewing the upcoming revised policy, which he said will reward individuals who identify “new, unique and/or high-risk issues” with payouts in the range of $150 to $15,000.
Previously, Martinez had personally acknowledged submissions with a Yahoo T-shirt—which he said he personally paid for—as well as a personal letter to the researcher certifying the find.
PRIVATBANK MOBILE APP VULNERABLE TO ACCOUNT THEFT
Privat24, the mobile banking application for Ukraine’s largest commercial bank, contains an insufficient validation vulnerability in its iOS, Android, and Windows phone apps that could give an attacker the ability to steal money from user accounts after bypassing its two-factor authentication protection.
Once the application is installed and verified with the initial OTP to a particular device, users can access the application without overcoming that barrier of entry again.
An attacker would need a second attack, perhaps using malware or some sort of phishing scheme, to ascertain a user’s account password before being able to compromise the application and potentially steal money.
PrivatBank confirmed the problem.
Courtesy – Threatpost
GOOGLE TO PAY REWARDS FOR PATCHES TO OPEN SOURCE PROJECTS
Google, one of the first companies to offer a significant bug bounty
program, is extending its rewards to researchers and developers
who contribute patches to a variety of open source projects and
have an effect on the security of the project.
The new rewards will range from $500 to $3,133.70.
In order to qualify for a reward from Google, the patch submission from the developer has to have a “demonstrable, significant, and proactive impact on the security” of a given component.
Courtesy – Threatpost
Security Events
SANS Bangalore 2013 - 14–26 October 2013
ISACA India Conference 2013 - 27–29 November 2013 - Chennai, India
IFSEC India 2013 - 5-7 December 2013 at India Expo Centre, Greater Noida, New Delhi (NCR)
Nullcon Goa 2014 –
CFP Opens: 1st September 2013
1st round of Speaker list Online: 10th October 2013
CFP Closing Date: 20th November 2013
Final speakers List online: 1st December 2013
Training Dates: 12th-13th February 2014
Conference Dates: 14th-15th February 2014
Secutech India 2014 - February 27-28 - March 01, 2014 – Mumbai