The document contains summaries of several security news articles. The articles discuss issues like vulnerabilities in iPhone fingerprint authentication and signed Mac malware, flaws in Verizon femtocells allowing eavesdropping, a remote access tool targeting Android devices, and vulnerabilities in a Ukrainian bank's mobile app allowing account theft. The document also mentions several upcoming security events in India.
2. iPhone Fingerprint Authentication
Fingerprint authentication is a good balance between
convenience and security for a mobile device.
Your fingerprint isn't a secret; you leave it everywhere you touch.
The fingerprint will also be used for App Store purchases.
"If Apple is right that fingerprints never leave the device, that means
the new iPhones will be sending some sort of authentication token
to Apple servers to verify that the end user has produced a valid
print," writes Dan Goodin in Ars Technica.
If attackers figure out a way to capture and replay users' valid
tokens, it could lead to new ways for criminals to hijack user
accounts.
3. Signed Mac Malware Using Right-to-Left Override Trick
Right-to-left override (RLO) is a special character in the Unicode bidirectional
text encoding system that marks the start of text to be displayed from right to
left.
Here it is used simply to hide the file's real extension.
The malware is written in Python and it uses py2app for distribution.
The malware drops and opens a decoy document on execution.
Then it creates a cron job for its launch point and a hidden folder in the home
directory of the infected user to store its components.
The malware then continuously takes screenshots and records audio (using a
third-party tool called SoX) and uploads them to the command and control
server. It also continuously polls the command and control server for commands
to execute.
http://www.f-secure.com/weblog/archives/00002576.html
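As an added example (not code from the F-Secure post or from the malware itself), the following Python shows how a U+202E right-to-left override makes a filename render with a misleading extension, and how a defender can flag such names and recover the extension the OS actually uses. The filenames are constructed samples.

```python
# Added example: detecting right-to-left override (RLO) filename tricks.
# The sample names below are constructed, not the real malware's filenames.
import os
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
# Unicode bidi override/isolate controls that have no business in a filename
BIDI_CONTROLS = {"\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware file browser renders: the text after
    an RLO is drawn reversed, so the true extension moves into the middle
    of the name. Illustrative only, not a full Unicode bidi implementation."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def real_extension(name: str) -> str:
    """The OS resolves the file type from the raw characters, not the
    rendering, so strip format (Cf) characters and read the real suffix."""
    clean = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    return os.path.splitext(clean)[1].lower()


def is_suspicious(name: str) -> bool:
    """A filename containing any bidi control character is worth flagging."""
    return any(ch in BIDI_CONTROLS for ch in name)


def scan_names(names):
    """Return (name, real_extension) for every flagged filename."""
    return [(n, real_extension(n)) for n in names if is_suspicious(n)]


# Constructed samples: a py2app bundle (.app) disguised as a PDF, plus benign names.
SAMPLE_NAMES = [
    "quarterly" + RLO + "fdp.app",
    "budget.xlsx",
    "notes.txt",
]

if __name__ == "__main__":
    for name, ext in scan_names(SAMPLE_NAMES):
        print(f"shown as {displayed_name(name)!r}, really {ext}")
```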
4. Femtocell flaw leaves Verizon subscribers' Wi-Fi and mobile wide open
Femtocells are used to boost Wi-Fi and mobile signals within a household.
Security researchers have demonstrated a flaw in Verizon Wireless Network
Extender femtocells that allows them to be used for eavesdropping on
cellphone, email, and internet traffic.
Up to 30 other network carriers use systems with software that can be hacked in
the same way.
A hacked device could be placed in locales such as a restaurant frequented
by high-value targets, and used to monitor data traffic that comes through the
femtocell. The information can be stored and relayed back to the attacker
using the adapted device, and used for further infiltration later.
Verizon's update fixes the problem.
http://www.theregister.co.uk/2013/07/15/femtocell_flaw_leaves_verizon_customers_wifi_and_mobile_wide_open/
5. Remote Access Tool Takes Aim with Android APK Binder
Remote Access Tools (RATs) written in Java are capable of running
on multiple operating systems.
Android OS is the latest target and is not immune to RATs.
The underground economy that caters to the needs of cybercriminals has
created the first tools (called "binders") that let users easily
repackage and Trojanize legitimate Android applications with
AndroRAT, a free Android RAT.
AndroRAT can monitor and make phone calls and SMS messages, get
the device’s GPS coordinates, activate and use the camera and
microphone and access files stored on the device.
To date, Symantec has counted 23 cases of popular legitimate apps
being Trojanized in the wild with AndroRAT.
http://www.symantec.com/connect/blogs/remote-access-tool-takesaim-android-apk-binder
6. New Java feature aims to manage multiple version problems
Older releases often contain flaws -- patched in later editions -- that
remain susceptible to exploitation by bad actors now.
The problem with running a new version of Java is that some apps
important to a business's operation may not work with it.
Java 7 Update 40 includes a feature that allows network administrators
to create a Deployment Rule Set (DRS) that defines which version of Java
an app should use.
Such definitions could allow critical internal apps to use older
versions of Java, while forcing external apps -- those more likely to
carry infections that exploit flaws in older editions -- to use the latest
version.
7. APPLE IMESSAGE OPEN TO MAN IN THE MIDDLE, SPOOFING ATTACKS
Apple controls the encryption key infrastructure for the system and
therefore has the ability to read users' text messages, or to decrypt them
and hand them over at the order of a government agency.
The researchers who looked at iMessage, known as Pod2g and GG,
said that there is no evidence that Apple is in fact reading users’
iMessages, but it’s possible that the company could.
Users’ AppleID passwords also are sent in clear text to the Apple servers.
Because iMessages go through Apple's servers, Apple essentially
holds a man-in-the-middle position on all of the communications
among those devices.
Apple does not use certificate pinning for iMessage, meaning that the
system is open to a MITM attack by outside attackers.
Courtesy – Threatpost
8. Microsoft Security Bulletin MS13-081 - Critical
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote
Code Execution
An attacker who successfully exploited these vulnerabilities could
take complete control of an affected system.
The security update addresses these vulnerabilities by correcting the
way that Windows handles specially crafted OpenType Font files
and specially crafted TrueType Font (TTF) files, and by correcting the
way that Windows handles objects in memory.
http://technet.microsoft.com/en-us/security/bulletin/ms13-081
9. Snowden: NSA whacks US in the WALLET, slurps millions of contacts books
The National Security Agency is hurting the US economy with its
"dragnet" surveillance, says uber-leaker Edward Snowden.
He also alleged, via The Washington Post, that the NSA has been
slurping the contents of some 250 million electronic address books a
year.
The agency grabs this data as it passes over major internet transit
points, so it does not need to slurp it from internal Google or
Yahoo! servers and therefore doesn't need to make an official request
for the information.
There is evidence the NSA has been trying to smash internet encryption
by performing man-in-the-middle attacks using compromised
cryptographic certificates.
http://www.theregister.co.uk/2013/10/15/snowden_nsa_snooping_hurts_our_economy/
10. 'Thousands' of North Korea Cyber Attacks on South: Ministry Data
North Korea has staged thousands of cyber attacks against the South in
recent years, causing financial losses of around $805 million, a Seoul
lawmaker said citing government data.
"A lot of data related to our national infrastructure, including chemical
storage facilities and information relating to personal financial dealings
have been stolen," ruling party MP Chung Hee-Soo said.
The attacks included website intrusions, malware deployments and the
use of virus-carrying e-mails.
"Our military's cyber warfare ability to fend off such attacks...is
incomparable to the North's, which is known to be one of the world's
best," Chung said.
http://www.securityweek.com/thousands-north-korea-cyber-attackssouth-ministry-data
11. FACEBOOK PRIVACY FEATURE GONE FOR GOOD
Earlier, users could choose who was allowed to search for their
profiles by name: friends only, friends of friends, or everyone (the
default option).
Late last year, the social networking giant removed the feature –
called “Who can look up my Timeline by name?” – for everyone
that wasn’t already using it.
On October 10th, Facebook said it would begin removing it for all other
users as well, completely eliminating the functionality within the next
couple of weeks.
Courtesy – Threatpost
12. Managed security service providers face $40M liability exposures
Managed security service providers get paid by enterprise customers to
stop malware or other kinds of cyberattacks, but if they fail, they face
what’s often a multi-million-dollar liability.
If there’s a virus outbreak on the customer’s network, for example, there
is a limited timeframe to respond to meet the legal requirements of that
SLA. “We have timeframes we have to respond to, perhaps 30
seconds,” said Matthew Gyde, global general manager, security at
Dimension Data.
Cisco last month announced that it also wants to expand into the
managed security services arena, though the company didn’t specify
what approach it will take.
“McAfee has extended their arms in good will to build a MSP program,”
said Steve Duncan, vice president of security and strategy at
Lumenate.
13. RESEARCHERS NAB $28K IN MICROSOFT BUG BOUNTY PROGRAM
As part of its first-ever bounty program, Microsoft has paid out
$28,000 to a small group of researchers who identified and reported
vulnerabilities in Internet Explorer 11.
The IE 11 bounty program only ran for one month during the
summer, but it attracted a number of submissions from well-known
researchers.
Microsoft’s program–outside of the IE 11 reward–is mainly geared
toward paying for innovative attack techniques. The company is
offering as much as $100,000 for offensive techniques that are
capable of bypassing the latest exploit mitigation technologies on
the newest version of Windows.
14. Hacker cracks Vodafone Germany
A hack on a Vodafone Germany server has exposed the personal
details – including banking information – of two million of its
customers.
Hackers accessed names, addresses, bank account numbers and
dates of birth.
It's unclear when the breach took place, but it appears to have
involved a successful compromise of an internal server on
Vodafone's network.
This case concerns only Vodafone Germany; other countries are not
affected.
15. REVAMPED YAHOO BUG BOUNTY PROGRAM ON THE WAY—T-SHIRTS NOT INCLUDED
Yahoo found itself in the throes of a mini scandal this week over two
$12.50 Yahoo company store discount codes handed out to one
researcher in thanks for turning in a pair of cross-site scripting bugs.
"If Yahoo cannot afford to spend money on its corporate security, it
should at least try to attract security researchers by other means,"
said High-Tech Bridge CEO Kolochenko. "Otherwise, none of Yahoo's
customers can ever feel safe."
Martinez acknowledged Kolochenko's distress in previewing the
upcoming revised policy, which he said will reward individuals who
identify "new, unique and/or high-risk issues" with payouts in the range
of $150 to $15,000.
Previously, Martinez had personally acknowledged submissions with a
Yahoo T-shirt—which he said he personally paid for—as well as a
personal letter to the researcher certifying the find.
16. PRIVATBANK MOBILE APP VULNERABLE TO ACCOUNT THEFT
Privat24, the mobile banking application for Ukraine’s largest
commercial bank, contains an insufficient validation vulnerability in its
iOS, Android, and Windows phone apps that could give an attacker the
ability to steal money from user accounts after bypassing its two-factor
authentication protection.
Once the application is installed and verified with the initial OTP to a
particular device, users can access the application without overcoming
that barrier of entry again.
An attacker would need a second attack, perhaps using malware or
some sort of phishing scheme, to ascertain a user’s account password
before being able to compromise the application and potentially steal
money.
PrivatBank confirmed the problem.
Courtesy – Threatpost
17. GOOGLE TO PAY REWARDS FOR PATCHES TO OPEN SOURCE PROJECTS
Google, one of the first companies to offer a significant bug bounty
program, is extending its rewards to researchers and developers
who contribute patches to a variety of open source projects and
have an effect on the security of the project.
The new rewards will range from $500 to $3,133.70.
In order to qualify for a reward from Google, the patch submission
from the developer has to have a “demonstrable, significant, and
proactive impact on the security” of a given component.
Courtesy – Threatpost
18. Security Events
SANS Bangalore 2013 - 14–26 October 2013
ISACA India Conference 2013 - 27–29 November 2013 - Chennai, India
IFSEC India 2013 - 5–7 December 2013 at India Expo Centre, Greater Noida, New Delhi (NCR)
Nullcon Goa 2014 –
CFP Opens: 1st September 2013
1st round of speaker list online: 10th October 2013
CFP Closing Date: 20th November 2013
Final speaker list online: 1st December 2013
Training Dates: 12th–13th February 2014
Conference Dates: 14th–15th February 2014
Secutech India 2014 - February 27 – March 01, 2014 – Mumbai