Tag Archives: hack

Bluetooth under attack

I have heard of Ubertooth for a while now and it seems it use to attack bluetooth devices keep growing. Once recent attack described HERE can leverage the Ubertooth sniffing capability to crack the encryption algorithm used by the Bluetooth Low Energy (BLE) standard. BLE is also referred to as Bluetooth Smart.

 

Sure, BLE/Bluetooth Smart is different from Bluetooth, but it is supported by most recent mobile devices (i.e.: the latest iPads and iPhone as well as some Android devices), and will be increasingly used in “smart” appliances, from toothbrushes to fridge if you believe this ARTICLE.

Nonetheless, if you were not convinced before that Ubertooth was a very useful piece of kit, you should reconsider it. Bluetooth is a technology that hasn’t seen much successful attacks until now, mainly because the attack vectors were limited to expensive kit or dark magic knowledge. This, may be about to change and it is as much a good think for driving better security, as it is worrying for  the integrity of all our accessories and smart devices we use every day.

Old tricks will always work…

There is something about deception, it can bypass a lot of security controls through a very basic principle, to make you believe about something that isn’t there. It is a bit like magic.

Like this WEBSITE, where you can see an example of what the new HTML5 fullscreen function could make you believe. That you are on a bank website, where in fact you are on a phishing site. The previous link is harmless and only serves as an example, one I would advise you to try yourself (you can’t enter any details anyway in case you haven’t understood it isn’t really a Bank of America website).

Basically, they use the HTML5 Fullscreen function to recreate your browser TABS and URL. If you are not used to browse the internet in full screen mode then you would see the trick straight away. However, if you are following the trend to browse in full screen mode, especially on mobile phones or on MACs where apple has fully integrated it with the latest OS X (10.8), then it is something to watch out for. Very often, the most crude and simple hacks are what work best.

Wipe out/Factory Reset some Android’s phones

According to this FRENCH WEBSITE, a major security vulnerability has been disclosed at the Ekoparty 2012 Security Conference  which affects some android handsets. It it is possible to reset those affected handsets to factory default settings and in the process wipe out all data. This vulnerability exploits a “secret” code that can be used to trigger the factory reset automatically, without asking any confirmation from the user. That code is: *2767*3855#

There are different methods known to date to push that code onto those handsets:

– SMS in Wap Push mode (where the user would have to click on a link)

– QR Code

– NFC Protocol

Or… if users go to some websites where either

<frame src="tel:*2767*3855%23" />

or

<script>document.location="tel:*2767*3855%23";</script>

is contained in the HTML page.
So far, it has been confirmed to work against the Samsung Galaxy S3, the Galaxy Beam, S Advance, Galaxy Ace and Galaxy S II and some HTC devices.
As Korben wrote on his blog, there might be some interesting browsing experience in store for those handsets owners in the coming days.

Apple in Denial

Note: Many of the security articles I have written about Apple on this blog are negative and the reader could think I do not like Apple. This is actually very far from the truth, I am a big Apple fan; but I am also a security professional and I do not agree with their overall security strategy.

The title of this post is inspired directly from an Article I read on ZDnet, discussing the latest security threat that infected an estimated half a million Mac with malware: “BackDoor.Flashback.39″.

Mac Trojans are evolving and becoming more frequent, last August a Mac Trojan (Bash/Qhost.WB) was found in a fake Flash updater that once installed would redirect google search results to “bad sites”, then in September another Mac Trojan (OSX/Flashback.A) was found by Intego using a similar exploit mechanism  but with a different payload, this time it was more complex and disabling some security settings on the infected systems as well as attempting to inject some code in running processes to ultimately leak personal information.

Both Trojans had a relatively low success rate, as it relied either on the user to download a file and run it, or… for an attacker to adapt some kind of “EvilGrade” attacks where DNS MIT attacks could be leveraged to intercept legitimate software update requests and replace the update status answers with the need to upload the Mac Trojans.

However, a few days ago another variant surfaced. As mentioned by Intego, this latest threat to Mac Users is more of a “drive-by-download” threat than a “Trojan”. What it means is that malware can be pushed onto a Mac computer just by visiting a compromised site, it does not require for the user to take any actions such as entering their passwords or confirming for a new software to be installed. The compromise happens silently!

As a result, the infection rate is much stronger: More than half a million Mac users! and the impact is much worse: it will leave the victim’s computer vulnerable to be remotely commanded as part of a Botnet.

To check if your mac has been infected you can follow those STEPS.

It could be considered as the first major security crisis to affect the Mac OSX, one that will have the first major exposure in the media (BBC, CNN,  FORBES, etc) and one, I hope, that will pave the way for Apple to rethink their security strategy (although I have very little hope!). The fact this Java vulnerability was known a couple of months ago and that Oracle had provided a patch since the 14th of February does not play in Apple’s favor. By wanting to control everything (including Java updates) Apple is playing with fire when it comes to IT Security. This is hardly surprising, although I am very tempted to say “I told you so, HERE and HERE“, I will just echo the ZDnet article I mentioned at the beginning, this security mess is the result of Apple being in denial with the IT security landscape and the threats that every computer and user faces regardless of the Operating System they are on.

This state of denial is also exploited by the “Trojan” itself as it will apparently not install if it finds some software that could be used to analyse it and therefore not target a computer belonging a user that may be aware that there is more to security than a slogan “I am a Mac, I am secure”


YouTube Direkt

 

Another iPhone hack, this time with a paperclip!

There is a new vulnerability with iOS5 powered device with a SIM card. I have tried it and it works.
You need to know the number of your victim and by combining a missed called, removing the SIM card, putting it back in and swiping the missed call alert it is possible to bypass the lock screen and access the phone.

Look at the video from the weirdly named group called iPhoneIslam, you need to get the timing right!

YouTube Direkt

Most websites are vulnerable to a hash collision DOS attack

By websites, I should really have said Web Applications, but the end result is the same: A server which is serving pages on the Internet could see its CPU usage increasing to a level making that server unusable for a few minutes or more. All that from a relatively small specially crafted malicious HTTP request.

This vulnerability exists in most languages used to develop web applications: PHP, ASP.Net, Java, Python, Ruby, etc. And it has been known to exist in theory since 2003!

Last week, Alexander Klink and Julian Wälde explained at the 28th Chaos Communication Congress in Germany how exactly the theory became reality and the impact on the different web application languages were affected.

The core of the issue is the way hash lists have been implemented in those languages. By “Hash” they both refer to a specific type of data structure and the cryptographic function. A Hash list is a type of data structure that is very popular because it stores and accesses data in a list very quickly. Before an object is inserted into a hash list, it is first hashed using a hash function to provide a “unique” hash reference which is then used to access and store the object in the list. To simplify, it replaces the usual [i] of a standard list with a [hash reference]. (“i” being an integer).

In reality those hash references are not so unique and collisions do occur. When it happens the objects with the same hash reference are daisy chained. The longer the chain and the least efficient hash lists become. Under normal operation it does not happen often and this is not a problem.

But as first highlighted by Scott Crosby and Dan Wallach in 2003, data/object stored into hash lists can be manipulated so collisions do happen more often. So much more in fact, it can degenerate the hash list resulting into the server’s CPU going overdrive and bringing the server to its knee in the process.

Alexander and Julian explained at 28c3, as shown in this video, that for Perl the issue was located in how the DJBX33A (PHP5) and DJBX33X (PHP4) functions were generating hashes. Other languages were also vulnerable because they were using very similar functions to generate their hashes.

With the help of CERT they communicated an advanced advisory to the relevant vendors and organisations in early November 2011, after they successfully implemented an attack for most of the languages used by Web Applications. They received different responses, some more satisfactory than others…

Ruby reacted very quickly and has a patch ready, Microsoft has issued a temporary work around for ASP.Net by limiting the number of parameters, PHP and Python needs more time and Oracle, although they have provided a patch for Tomcat and will in a near future do the same for Glassfish, stated that it isn’t an issue for Java. If you watch the 28c3 video you can easily understand they are wrong (clue for Oracle, go to the 32d minute or so). Therefore we should expect a Java patch for the HashTable and HashMap functions soon, albeit too late.

To conclude, this is a serious issue that has now a practical and known way to exploit it, with a global scope and high performance impact. Microsoft in a Technet article has provided a snort signature to detect this type of attack against ASP.Net, it should be fairly easy to adapt for other languages.

The recommendation is to both monitor for a patch related to your web applications (and implement it quickly when available) and to also monitor your network for such attacks (and try to block its source IP if not coming from a distributed attack). You should be reviewing what are the versions of the languages used by your Internet facing web applications and probably also ask your 3rd party partners what they plan to do about it!

A nice summary is also available on Arstechnica.

PS: Thanks to Thierry for pointing the story to me in the first place!

iOS 5 Vulnerabilities for iPad2 and iPhone 4S

Two vulnerabilities in iOS5 have recently been discovered, one is affecting the iPad2 and the other the new iPhone 4S. In both cases it allows anyone to bypass any lock/passcode to gain unauthorised access to the device.

1) iPad 2 + iOS5 + SmartCover = Anyone can unlock your iPAD
This only affects iPad2 with iOS5 and the smart cover set to automatically lock the device.
With a locked iPad2, keep pressing the power button until you see the screen telling you to swipe to turn off, close the smart cover, reopen it and push the CANCEL button.
This will give you access to the latest application that was used. It means that if you were on the application listing screen you will be able to see all the applications installed on the iPad, but you will not be able to open any other applications. This is because you are in the “finder”/”Explorer” application.
But it also means that if before you closed your smart cover to lock your device you were in the mail application, using this technique would give you full access to the mail app and your emails.

To fix the issue you need to disable the smartcover autolock feature, until Apple fixes this bug.

2) iPhone 4S + SIRI
With SIRI enabled, even if you have locked your phone with a passcode, you can hold the HOME button and SIRI will be activated allowing you to speak commands such as call someone, send a text or an email, etc.
Although you cannot open applications this way, you can still do unauthorised actions as mentioned above.

To fix this issue you need to disable SIRI, until Apple fixes this bug.

What is somewhat surprising is that it is taking so long for Apple to fix these issues, They have been know for more than a week…

Attack on Quantum Cryptography

There is a recent BBC article on a new attack against a key component of Quantum Cryptography: Key Transportation.

There are 3 main components to a cryptographic system:
– The strength of the algorithms used (close/open, random generator, collision, etc)
– The integrity of the system (implementation, key storage, devices security, etc)
– The transportation of keys (no full or partial interception of the keys, etc)

Quantum Cryptography has for some been seen as the future for ensuring the integrity and detection of any interception attempts during key transportation.

I am not a Quantum Physic expert, but what I understand is that key transportation is done through light, where photons of light are sent to the receiver who will inspect the states of those photons to reconstruct the key. It is similar of sending a stream of bits which make the key, apart from the fact that in Quantum Physics a photon has not just a binary state (0/1 or -/+) but multiple values at the same time.
One of the key Quantum property useful for cryptography is that once a stream of photons is inspected, it is “destroyed” or changed. Therefore if someone was trying to evesdrop the receiver would know.

As a side comment, there are a few things that still puzzle me how this can only be a good thing. What about repeaters? you would need those to exchange keys to very far distances? So even if you can guarantee the key hasn’t been intercepted you cannot apply the same “quantum” guarantees to the repeaters (ref Integrity of the System). Furthermore, this could lead to a Denial of Service attack, I don’t see how Quantum Physic Key Exchange infrastructure could be as resilient as today’s internet. You would need specific “light tunnels”, if it gets damaged or if someone tries to intercept the key exchange even in the sole goal of disrupting the exchange process, then keys cannot be exchanged and the communication cannot take place…

Anyway, I would hope they must have thought about all this and have an answer. But what a team of scientists has just done, is to prove they could intercept the key and “blind” both ends into believing the exchange had been successful.

However some scientists have replied it was just a “configuration” problem with the system implementation and that it was possible to detect that attack after all.

Nonetheless, this adds weight to those who believe Quantum Cryptography is not the Saint Graal some claim it is, and that similar implementation issues there are today in “standard” cryptography also exist in “Quantum” Cryptography.

The BBC Article (Summary)
The Norwegian University Article where the paper came from (Original Article)
The Quantum Hacking Group responsible for the discovery (More info)

Below is a great video from the Quantum Hacking Group Website explaining the attack:


YouTube Direkt

What could be the impact of the RSA breach

In the past few months there seems to have been a rise in what is called Advance Persistant Threats (APT).
Wikipedia actually has a short but comprehensive description of what it means HERE.

An article on SC Magazine describes what seems to have been an APT against RSA affecting the security of their two factor authentication products.
It is not clear exactly what has been stolen at the moment, but RSA has admited that some sensitive information has been leaked/downloaded.

By reading some of the security community reactions (Help net security article) there seems to be 3 main concerns:
1. Security breach related to their pseudo random number generation, their product security would then be reduced to the security of the user’s passcode. Usually a simple 4 digits PIN.
2. The extend of their customer data that was stolen, could some of that data have an adverse effect of their customers (i.e.: password, name, addresses, etc)
3. What could be the security impact on the RSA 2 factor product users

The first concern is another example that security through secret is never good, and I am surprised RSA would only rely on some “secret fixed seeds” for their token code generation.

The second concern is typical of any data breach from a reseller/vendor who keeps large volume of customers data. The nature of the data and how it was protected will be of importance for RSA’s reputation.

Finally, the 3rd concern is what is of most significance. The common security community message seems to be: no need to panic.
Although I agree, I would add “but do not ignore it”.

It is important to remember that 2 factor authentication are used to improve the access security controls.
If the level of security it provides is reduced to a single factor authentication then there is an increased security risk towards what you were trying to protect in the first place.
This is even worse if that 2 factor authentication was the sole authentication method, as compromised tokens codes would then leave you with a very small 4 pin passwords.

Also, with todays popularity of “in the cloud” services many companies have replaced the physical security element where access was only accessible while on premises or from the company network, with a 2 factor authentication security control:
The “somewhere you are” requirement being replaced with a “something you have” requirement.

A compromised of the RSA token codes generation could have a very negative security impact on companies who are using RSA tokens to protect access to their cloud services.
They would indeed end up with portal accesses only protected by a userid and a 4 pin digits.
Now, if that is the case, this would be something to worry about and act upon.

Do what I say not what I do

Below is a very good article describing the recent battle between the Anonymous Hacking group and the HBGary company.

In a nutshell, a security company, “HBGary”, who is also working for the US government was about to release what they think were the identity of a hacking group called “Anonymous” who conducted some high profile hacks against large organisations who were against the wikileaks website. The hacking group response was swift and brutal, they hacked the HBGary websites, defaced them, hacked into the owner’s email account and grabbed lot of user personal information from one of the company’s related website, rootkit.com

It provides a good example of the old adage “do what I say not what I do” but this time in the world of IT Security. Of course you can almost never get IT Security 100% right, but in that case it would seem some of the security weaknesses that were exploited should have never been there or possible in the first place!

To add to what is already disccused in the article below, I think there was also a very basic security control missing in how that company operates/operated, the lack of a sensitive Information management process (email of both userid/password, no challenge response, etc).

Although this could act as a good reminder of “walking the talk” (another cliche!), I think it is unfortunately unlikely to change any company’s security agenda because in a corporate world where budget cuts, work load preassure, fast delivery is on the increase those kind of security practise shortcuts will remain, and so will the potential related attacks.
You could also argue there is a psychological aspect to this issue:
– The desire of doing favours for key people in the organisation, leading you to bypass procedures.
– Being over confident or expert in a field may drive you to neglect or being in deny of some basic issues.
– The need for trust in a working relationship may blind you to some questionable activities.

To get security right, one would need to be able to both take a step back, review and fix existing security issues while also moving forward with new technologies, changing IT landscape and fixing new security issues.

As this hacking incident illustrated, it is a very difficult balance to get right.

ARSTECHNICA Article on Anonymous vs HBGary

Update from the 1st of March:
It has costed HBGary Federal CEO’s role:
https://threatpost.com/en_us/blogs/hbgary-federal-ceo-aaron-barr-steps-down-022811