Security

Posts filed under Security

2015Tue24Feb

Superfish, https redirects and other security stupidity

Permalink | Shortlink | Comments (0) | TrackbackFiled in SecurityTags: filipio, lenovo, microsft, superfish

First there was a $300m bank heist that was driven out of the news by the NSA (again) snooping on everyone (well, yeah.. this is news?) and then the news broke of one of the most boneheaded tech decisions since Sony’s rootkit laden audio CDs.

With that kind of week, you know the awesome weight of attention turned on one little company’s products,ie.. superfish, was going to turn up more and more fun for us security types. Lo and behold, here’s what’s behind door number 2.

The SSL exploit code has been identified in at least a dozen more apps, several of them marketed as security apps. If that wasn’t enough, it’s been discovered that it also signs invalid or self-signed certificates for you and presents them as valid to the browser. An in depth technical explanation of just how nasty this can be is out at filipo.io who seems to be rapidly becoming the go-to place for info on this debacle.

Microsoft has stepped up to the plate with an update to Windows Defender to help clean up this mess. All I see in Windows Updates is one for IE 11 and an ASLR but in Jscript9.dll. I haven’ t tracked down the details from Microsoft’s site about the Defender update, but The Verge has some good info on it.

So now that the work deployment I’m assisting with (I’m on call.. if it goes bad, I get woken up anyway so might as well be useful, ya know?) is done, I’ll bring this post to a close and leave you all crying in your beer and cursing at your packet dumps. After all, how much worse could it get?

Scott

2015Fri20Feb

Lenovo & Superfish == Sony Rootkit redux?

Permalink | Shortlink | Comments (0) | TrackbackFiled in SecurityTags: adware, lenovo, malware, mitm, superfish

Seems Lenovo got the bright idea that they wanted to be in the adware business and started shipping Superfish adware system that uses a self signed root cert to basically commit a MITM attack and intercept HTTPS connections. Why? To inject adverts, of course, because we all know there aren’t enough advertisements on the net these days.

Ars Technica’s article has a good summary and Errata Securty’s blog goes even deeper into the mess. If you bought a Lenovo laptop any time after October of last year (though some say as early as June) there’s a good chance you have this abomination installed. The Errata Security link above will walk you through testing for and uninstalling it.

This is why we can’t have nice things and why any company that lets marketing make these kinds of decisions deserves the pounding they get from the users and buyers of their products. There is absolutely no excuse for this in 2015. Period.

Lenovo just took themselves off my list of considerations for my new laptop this spring. I’ve been looking for a 4k laptop to replace about 90% of what I use my desktop for and Lenovo had a couple of good prospects. Not any more. Damned shame, really. I love their hardware, at least on the upper end.

Scott

2015Tue17Feb

Equation Group, Stuxnet and the NSA

Permalink | Shortlink | Comments (0) | TrackbackFiled in SecurityTags: banks, equation, flame, kaspersky, malware, nsa, stuxnet

A few links to get you started then I’ll return later today for more analysis.

One of the most impressive bank heists outside Hollywood: Bank Heist Steals Millions
Sophistication that would make even William Gibson envious: Beyond Stuxnet and Flame
And you guessed it, The NSA is involved (maybe): Sources connect NSA spying with hacks reported by Kaspersky.

More later as I have time to read and research. If you have something, post it in the comments.

Scott

2014Thu22May

Ebay hacked. Change your passwords.

Permalink | Shortlink | Comments (0) | TrackbackFiled in SecurityTags: ebay, hack, security

(edit: s/Changed/Change/g)

Maybe I should turn this into a security blog. Seems I can’t go a week or three without a post about yet another major corporation getting hacked. This time it’s Ebay. Took them a couple of months to figure it out too.

What makes this one extra special is that it wasn’t through some SSL bug or other exploit. It was through compromised (week? social engineered?) employee passwords.

They got hacked back in March. and only discovered it a couple of weeks ago and announced it today.

Though no Credit card or bank info was in the compromised database, enough info on there for a good shot at identity theft was:

“The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth.”

Ebay’s blog post about it at the link below.
http://www.ebayinc.com/in_the_news/story/ebay-inc-ask-ebay-users-change-passwords

2014Mon28Apr

And the hits keep on rolling.. AOL hacked; passwords taken.

Permalink | Shortlink | Comments (0) | TrackbackFiled in SecurityTags: AOL, breach, hack

And the Internet Security Trifecta is complete. AOL announced on their blog today that they have “determined that there was unauthorized access to information regarding a significant number of user accounts“. The information access includes “users’ email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions.”

So head on out to AOL and change your passwords and sec questions. Might want to change any passwords for any sites you use AOL email as the security contact for as well.

2014Mon28Apr

And… Another one. This time in Flash.

Permalink | Shortlink | Comments (0) | TrackbackFiled in Linux, Microsoft, OS-X, SecurityTags: exploit, Flash, linux, os-x, security, windows

Look. Another security exploit. This time in that bastion of ultimate security.. er.. hang on.. what’s this? It’s in Flash? This is news? Oh, a *NEW* one in Flash. Got it.

Ok. Where were we? Looks like another security vuln in the wild. This one’s in Flash and effects all three major OSes. Yep, that’s right you penguins.. Linux is included in this one. So get your YUM and APT repos spun up and update those boxen.

Krebs has the details here: Adobe Update Nixes Flash Player Zero Day

So there you have it. Two major web exploitable vulns in two days. Waiting for the other two shoes to drop; Java and Acrobat.

PS: Is it strange that I’m using a terminal window to cut/paste text from websites to strip it of hidden formatting? Yes? It is? Good.

2014Mon28Apr

Code execution flaw in ALL versions of IE since 6.

Permalink | Shortlink | Comments (0) | TrackbackFiled in Microsoft, SecurityTags: 0-day, exploit, IE, internet explorer, microsoft

April has been the month of monumental holes in security on the net. First there was Heartbleed (and as always, XKCD has a great explanation of what the Heartbleed vulnerability is: http://xkcd.com/1353/)

Not to be outdone by a mere open source project, Microsoft has announced a new 0-day vulnerability in all versions of IE since IE 6. How you can call something “0-day” when it’s been there 12 or 13 years I’m still kind of fuzzy on.

As I understand the bug, it allows an attacker to use a specifically crafted html page execute arbitrary code on the user’ machine under the credentials IE was assigned at launch. If you’re running as an administrator (who does that in Windows??), you’re pretty much wide open.

Microsoft released a tech bulletin about the flaw over the weekend that goes into a bit of depth about the flaw and lists what versions of IE are vulnerable. Basically all of them. If you’re running Server 2008 R2 or later, you *should* be ok if you’re still running IE under limited credentials.

The bulletin is here: Microsoft Security Advisory 2963983

Microsoft hasn’t released a patch yet, but I suspect we’ll see something in a day or so as an out-of-band release. I can’t imagine even Microsoft waiting around for this one.