Cars which are capable of receiving instructions via the internet (such as software updates) are potentially more at risk of being hacked or meddled with than those which don’t.
The post 433,000 Ford cars to be recalled because of software bug – would you have preferred an internet update? appeared first on We Live Security.
Hacker Mateusz Jurczyk from Google’s Project Zero disclosed 15 remote execution vulnerabilities, most of them for Windows and the Adobe Type Manager Font Driver. He presented his findings at the Recon security conference and aptly named his research “One font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced exploitation”.
According to his blog the most serious and interesting security issue he discovered so far was a really reliable BLEND instruction exploit. Jurczyk writes that “the extremely powerful primitive provided by the vulnerability, together with the fact that it affected all supported versions of both Adobe Reader and Microsoft Windows (32-bit) – thus making it possible to create an exploit chain leading to a full system compromise with just a single bug – makes it one of the most interesting security issues I have discovered so far.”
He also shared two videos in which he shows how he successfully exploits the Adobe Reader 11.0.10 using the BLEND vulnerability (CVE-2015-3052), accompanied by sandbox escapes via ATMFD.DLL in the Windows Kernel as well as a “Registry Object” vulnerability on x64 builds (CVE-2015-0090).
Jurczyk reported all of his discoveres to Microsoft and Adobe which fixed the bugs in security bulletins MS15-021 (March), APSB15-10(May) and MS15-044 (May).
The post Time to Patch: Loads of Security Issues in Adobe Reader and Microsoft Windows appeared first on Avira Blog.
You might have heard of the security issue with Galaxy phones that was everywhere in the media this week. If not, let me fill you in:
Samsung phones come preinstalled with SwiftKey, a very popular alternative keyboard for Android and iOS. Security researchers from NowSecure discovered a vulnerability in the update mechanism for the customized version the company uses and which is being distributed on most of the Galaxy phone models.
According to NowSecure „a remote attacker capable of controlling a user’s network traffic can manipulate the keyboard update mechanism on Samsung phones and execute code as a privileged (system) user on the target’s phone. This can be exploited in a a manner that requires no user interaction — a user does not have to explicitly choose to download a languagePack update to be exploited.“
Samsung itself played the issue down and stated that a “very specific set of conditions” needs to be met in order for the attack to be successful. Nonetheless a patch will be made available soon – after all more than 600 million Samsung Galaxy phones are affected. The drawback is that only devices that have Samsung’s Knox security platform installed will profit from the updates. “For the devices that don’t come with KNOX by default, we are currently working on an expedited firmware update that will be available upon completion of all testing and approvals” the company says in their statement.
The post Fix for 600 Million Galaxy Phones Available Soon appeared first on Avira Blog.
Six university researchers discovered high-impact “zero-day” security weaknesses in iOS and Mac, which can be abused by getting a malicious app approved by the Apple app store – something they managed to do without any issues. Through this app they were able to access sensitive data from other apps – with dire consequences. The researchers state that “our sandboxed app successfully retrieved from the system’s keychain the passwords and secret tokens of iCloud, email and all kinds of social networks stored there by the system app Internet Accounts, and bank and Gmail passwords from Google Chrome […]”
It does sound unbelievable, doesn’t it? Just take a look at the below video to see a malicious sandboxes app on OS X steal all private notes in the Evernote app:
Or how about a look at how it is able to steal any websites’ passwords:
According to their research 88.6% of the apps they tested were found to be completely exposed to the XARA attacks. This includes popular apps like Evernote, WeChat, and 1Password: “In our study, we downloaded 1,612 free apps from the MAC App Store. These apps cover all 21 categories of the store, including social networking, finance, business, and others. In each category, we picked up all the free apps when less than 100 of them are there, and top 100 otherwise. Also from the iOS App Store, we collected 200 most popular apps, 40 each from “All Categories”, “Finance”, “Business”, “Social Networking” and “Productivity”, after removing duplications.”
The researcher informed Apple about the issues in October 2014, a fix seems to be still outstanding.
Take a look at the research paper to read all about the issue.
The post XARA – With This Exploit Hackers Can Steal Your Passwords appeared first on Avira Blog.
The flaw lies in the Mail.app, Apples default e-mail program for iOS. According to security researcher Jan Sourcek “this bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password “collector” using simple HTML and CSS.“ To reduce suspicion the code even detects if someone has already visited the page in the past by using cookies. If this was the case it stops displaying the password prompt.
This means that hackers could easily create phishing mails which show a form that looks exactly like the iCloud login pop-up window everyone knows. The user would be asked for their username and password, which – once entered – would then be transmitted to the cybercriminals. Just take a look at the below concept-of-proof video to see how easy it would be to trick the unsuspecting user!
Sourcek discovered the flaw in January 2015 and informed Apple immediately. Since then no action has been taken in order to fix said vulnerability. In the hope that it will make Apple take the bug more seriously, the security researcher has now published his findings together with a proof-of-concept video and the corresponding code.
Feel free to follow this link in order to find out more about the issue.
The post Flaw in Mail.app Can Be Used to Hijack iCloud Password appeared first on Avira Blog.
I sure have one! It’s a nice little TP-Link, that’s doing what it’s supposed to do. Until now I felt pretty good and also kind of secure. Recently my feeling have changed though.
The Hungarian company Seach-Lab and some Spanish students, who are working at their master thesis, disclosed that there are quite a few SOHO routers (Small Office, Home Office routers) out there which are basically inviting cybercriminals to drop by and take a look at your data due to their vulnerabilities.
Search-Lab discovered 53 unique vulnerabilities on only 4 different D-Link devices, all running the latest firmware. According to their report “several vulnerabilities can be used by a remote attacker to execute arbitrary code and gain full control over the device”. They listed a few of the most critical findings’ problem areas in it as well so take a look at their paper if you want to know more.
The students published their findings on Full Disclosure and they lost more than 40 vulnerabilities in 22 different SOHO router models. The issues range from persistent and unauthenticated cross site scripting vulnerabilities and information leaks to Universal Plug and Play related vulnerabilities.
Routers which made it on the list are: Observa Telecom AW4062, RTA01N, Home Station BHS-RTA and VH4032N; Comtrend WAP-5813n, CT-5365, AR-5387un and 536+; Sagem LiveBox Pro 2 SP and Fast 1201; Huawei HG553 and HG556a; Amper Xavi 7968, 7968+ and ASL-26555; D-Link DSL-2750B and DIR-600; Belkin F5D7632-4; Linksys WRT54GL; Astoria ARV7510; Netgear CG3100D and Zyxel P 660HW-B1A.
Really, it doesn’t look good for SOHO router vendors. They either do not care or (even worse) do not know that their firmware is that insecure.
The post Are SOHO Routers A Hopeless Case? appeared first on Avira Blog.
Just last month we talked about how the “Unicode of Death” crashes your iPhones and Apple Watches, how easily Apple Safari can be manipulated via URL-Spoofing and the Ex-NSA guy who pointed to Mac security flaws.
Now Pedro Vilaca, a security expert who is deep into Mac OS X and iOS security, found another not so great looking vulnerability. Take a look at what he wrote on his blog: “Well, Apple’s S3 suspend-resume implementation is so f*cked up that they will leave the flash protections unlocked after a suspend-resume cycle. !?#$&#%&!#%&!#.
And you ask, what the hell does this mean? It means that you can overwrite the contents of your BIOS from userland and rootkit EFI without any other trick other than a suspend-resume cycle, a kernel extension, flashrom, and root access.”
Wow. So basically it is possible to install a rootkit on a Mac without much of an effort. Just wait until the machine enters sleep mode for at least 30 seconds or more so the Flash locks are removed. Once gone the device is yours. With the Flash locks gone you can play around with the UEFI code and well … for example install a rootkit. The only way to protect yourself from it is to never let your Apple device go into sleep mode.
Luckily not all devices seem to be affected. Vilaca tested the issue against a MacBook Pro Retina, a MacBook Pro 8,2, and a MacBook Air, all running the latest EFI firmware available. All of them were vulnerable. There is a shimmer of hope though: The latest MacBooks might have been silently fixed by Apple, since the security expert was not able to replicate the vulnerability there.
The post Don’t Let Your Mac Fall Asleep: It Might Dream Up A Rootkit appeared first on Avira Blog.
Risk analysis is the first step towards managing risks, particularly when it comes to cyber risks. This recorded webinar introduces and explains key concepts, with links to several useful risk assessment tools.
The post Cyber risk analysis, assessment, and management: an introduction appeared first on We Live Security.
The weaknesses that allow the so called LogJam Attack apparently have to do with how Diffie-Hellman key exchange has been deployed. Said key is a popular cryptographic algorithm that allows internet protocols to agree on a shared key and negotiate a secure connection. Since it is fundamental to many protocols like HTTPS, SSH, IPsec and SMTPS it is relatively wide spread: about 8.4% of the top one million websites and an even bigger part of servers using IPv4 are affected by LogJam.
“Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections”, the team state.
According to the researchers LogJam can be used to downgrade connections to 80% of TLS DHE EXPORT servers. They also estimates that a skilled team can break a 768-bit prime and that – due to the available resources – a state-sponsored campaign could break the common 1024-bit prime.
This is especially scary since they estimate that a successful 1024-bit prime attack would allow for eavesdropping on up to 18% of the top one million HTTPS domains.
Their research paper goes even further: “Our calculations suggest that it is plausibly within NSA’s resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups. This would allow them to break any key exchanges made with those groups in close to real time. If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks: How is NSA defeating the encryption for widely used VPN protocols?” How about that! It definitely opens up room for a lot of discussions.
As with FREAK, the vulnerability is actually quite old already. “To comply with 1990s-era U.S. export restrictions on cryptography, SSL 3.0 and TLS 1.0 supported reduced-strength DHE_EXPORT ciphersuites that were restricted to primes no longer than 512 bits”, the released paper reads.
Luckily the team has already been in touch with most of the browser developers which means that there are either already fixes available (namely for the Internet Explorer) or will be very very soon.
Make sure you have the most recent version of your web browser installed: Google Chrome (including Android Browser), Mozilla Firefox, Microsoft Internet Explorer, and Apple Safari are all deploying fixes for the Logjam attack. If you run a web or mail server you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group.
More information on LogJam can be found on the dedicated page.
The post LogJam Vulnerability Threatens Thousands of HTTPS Websites & Mail Servers appeared first on Avira Blog.
The weaknesses that allow the so called LogJam Attack apparently have to do with how Diffie-Hellman key exchange has been deployed. Said key is a popular cryptographic algorithm that allows internet protocols to agree on a shared key and negotiate a secure connection. Since it is fundamental to many protocols like HTTPS, SSH, IPsec and SMTPS it is relatively wide spread: about 8.4% of the top one million websites and an even bigger part of servers using IPv4 are affected by LogJam.
“Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections”, the team state.
According to the researchers LogJam can be used to downgrade connections to 80% of TLS DHE EXPORT servers. They also estimates that a skilled team can break a 768-bit prime and that – due to the available resources – a state-sponsored campaign could break the common 1024-bit prime.
This is especially scary since they estimate that a successful 1024-bit prime attack would allow for eavesdropping on up to 18% of the top one million HTTPS domains.
Their research paper goes even further: “Our calculations suggest that it is plausibly within NSA’s resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups. This would allow them to break any key exchanges made with those groups in close to real time. If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks: How is NSA defeating the encryption for widely used VPN protocols?” How about that! It definitely opens up room for a lot of discussions.
As with FREAK, the vulnerability is actually quite old already. “To comply with 1990s-era U.S. export restrictions on cryptography, SSL 3.0 and TLS 1.0 supported reduced-strength DHE_EXPORT ciphersuites that were restricted to primes no longer than 512 bits”, the released paper reads.
Luckily the team has already been in touch with most of the browser developers which means that there are either already fixes available (namely for the Internet Explorer) or will be very very soon.
Make sure you have the most recent version of your web browser installed: Google Chrome (including Android Browser), Mozilla Firefox, Microsoft Internet Explorer, and Apple Safari are all deploying fixes for the Logjam attack. If you run a web or mail server you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group.
More information on LogJam can be found on the dedicated page.
The post LogJam Vulnerability Threatens Thousands of HTTPS Websites & Mail Servers appeared first on Avira Blog.