Archive | July, 2013

Car Hacking Exposed – WSWiR Episode 71

Tor Botnets, SIM Hacking, and Pwned Prius

Blackhat and Defcon are only a few days away, so this week’s InfoSec news summary covers previews of some of the research experts plan on disclosing during next week’s security bonanza.

During this week’s episode, learn about the latest Tor-based botnets, hear how hackers can force malware through your phone’s SIM card, and see a couple of researchers totally take over a Prius with a laptop. Watch below, and check the Reference section for other interesting security stories.

Show Notes: I had unexpected microphone cable problems during my recording, which I didn’t learn about until after my shoot. It caused some hum and clicks in this week’s video. I apologize for the bad audio, and will be sure to check it next week.

Also, I will be attending Blackhat next week. I still plan to post at least one video, but it may not appear at its regular time.

(Episode Runtime: 10:09)

Direct YouTube Link: https://www.youtube.com/watch?v=Pa3QsIS-TK8

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Rogue Femtocell Sniffs Cellular Data – WSWiR Episode 70

Google Glass Hijack, Steganography Backdoor, and Femtocell Hack

After a week missing-in-action due to vacation, I’m back with another news-packed InfoSec summary video for the week. If you’d like to quickly hear the highlights about the latest updates, breaches, and malware, give our weekly video a go.

In this week’s episode I cover some interesting new Mac malware, a Google Glass hijacking vulnerability, how to hide web backdoors in images, and a rogue femtocell. For all that and more, click play below; and don’t forget to check the Reference section for extras.

Have a great weekend, and stay safe online!

(Episode Runtime: 15:18)

Direct YouTube Link: https://www.youtube.com/watch?v=pjWEkd2htzQ

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Oracle’s July 2013 CPU Update

This week, Oracle released their quarterly Critical Patch Update (CPU) for July 2013. CPUs are collections of security updates that fix vulnerabilities in a wide range of Oracle products. This quarter’s updates fix 89 vulnerabilities in many different Oracle products and suites.

Refer to the table below for more details about the affected products and severity of the flaws:

Product or Suite                 Flaws Fixed (CVE)   Max CVSS
Database Server                  6                   9.0
Fusion Middleware                21                  7.5
Enterprise Manager Grid Control  2                   4.3
Hyperion                         1                   3.5
E-Business Suite                 7                   5.5
Supply Chain Product Suite       4                   4.3
MySQL                            18                  6.8
PeopleSoft Products              10                  6.4
iLearning                        1                   4.3
Policy Automation                1                   4.0
Sun Solaris Products             16                  7.8
Secure Global Desktop            2                   7.5

Oracle’s advisory doesn’t describe every flaw in technical detail. However, they do describe the general impact of each issue, and share CVSS severity ratings. While the severity of the 89 vulnerabilities differs greatly, some of them pose a pretty critical risk.

For instance, the update for Oracle Database Server fixes a vulnerability with a CVSS score of 9, which is pretty high. Also, some of these flaws allow remote attackers to potentially gain control of your Oracle database, Fusion Middleware, or MySQL servers. If you manage any of the affected Oracle products, you’ll want to install the corresponding updates as soon as you can. You’ll find more details about these updates in the Patch Availability section of Oracle’s alert. — Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day: Flash, Shockwave, and ColdFusion; The Usual Suspects

Severity: High

Summary:

  • These vulnerabilities affect: Adobe Flash Player, Shockwave Player, and ColdFusion
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released three security bulletins describing vulnerabilities in Flash Player, Shockwave Player, and ColdFusion. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. The summary below details some of the vulnerabilities in these popular software packages.

Adobe Patch Day: July 2013

  • APSB13-17: Three Flash Player Memory Corruption Flaws

Adobe’s bulletin describes three vulnerabilities in Flash Player running on all platforms. More specifically, the flaws consist of various memory corruption flaws, including a buffer overflow and an integer overflow. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe assigns these flaws their highest severity rating for Windows computers, but a lesser severity for Mac and Linux machines.

Adobe Priority Rating: 1 for Windows (Patch within 72 hours)

  • APSB13-18: Shockwave Player Memory Corruption Vulnerability

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin describes an unspecified memory corruption vulnerability that affects Shockwave Player running on Windows and Macintosh computers. They don’t share any technical details about the flaw, but do share its scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit the flaw to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this vulnerability to gain full control of their computer.

Adobe Priority Rating: 1 (Patch within 72 hours)

Adobe ColdFusion is an application server that allows you to develop and deploy web applications. It suffers from two security vulnerabilities that Adobe does not describe in much technical detail. They describe one flaw as a vulnerability that permits an attacker to invoke public methods on ColdFusion Components (CFC) using WebSockets (CVE-2013-3350), and the other as a flaw an attacker could leverage to cause a denial of service (DoS) condition. Other than that, the bulletin shares very little about the scope or impact of these flaws, so we’re unsure how easy or hard it is for attackers to leverage them. They rate the issues as Priority 1 for ColdFusion 10 and Priority 2 for version 9.

Adobe Priority Rating: 1 for version 10 (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

Keep in mind, if you use Google Chrome you’ll have to update it separately.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. However, WatchGuard’s XTM appliances can help in many ways. First, our IPS and AV services are often capable of detecting the malicious Flash or Shockwave files attackers are actually using in the wild. If you’d like, you can also configure our proxies to block Shockwave or Flash content. This, however, blocks both legitimate and malicious content. If you do want to block Flash or Shockwave content via the Web or email, see our manual for more details on how to configure our proxy policies’ content filtering.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Maliciously Crafted Files Can Dork-up Defender

Among today’s more Critical alerts, Microsoft also released a bulletin describing a remote code execution flaw that affects Windows Defender running on Windows 7 and Server 2008 R2.

For those that don’t know, Windows Defender is Microsoft’s free Antivirus program. It ships by default with Windows Vista and 7, and is an optional download for older versions of Windows. According to Microsoft, Defender suffers from something they call an “improper pathname” vulnerability. In short, if an attacker can place a maliciously crafted application in a specific location on your Windows computer, she could leverage this flaw to gain full, SYSTEM-level privileges to your machine.

The good news is an attacker needs valid login credentials, and access to your computer, in order to place this malicious application on the system. This significantly mitigates the risk of this flaw, which is why Microsoft only assigns it an Important severity rating. Nonetheless, remote code execution flaws in security products are no laughing matter, even if they take significant privileges to exploit. If you run Windows Defender, I highly recommend you apply Microsoft’s Defender updates as soon as you can. — Corey Nachreiner, CISSP (@SecAdept)

Cumulative IE Update Corrects a Pile of Memory Corruption Flaws

Severity: High

Summary:

  • These vulnerabilities affect: All current versions of Internet Explorer (IE)
  • How an attacker exploits them: By enticing one of your users to visit a web page containing malicious content
  • Impact: An attacker can execute code on your user’s computer, often gaining complete control of it
  • What to do: Install Microsoft’s IE updates immediately, or let Windows Automatic Update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing 17 new security vulnerabilities affecting Internet Explorer (IE). Microsoft describes all but one of these flaws as “memory corruption” vulnerabilities, but they don’t specify the exact type of memory corruption flaw. Regardless of which type of memory corruption flaws these are, they all share the same scope and impact. If an attacker can lure one of your users to a web page containing maliciously crafted HTML, he could exploit any of these vulnerabilities to execute code on that user’s computer, inheriting that user’s privileges. Typically, Windows users have local administrative privileges, in which case the attacker can exploit these flaws to gain complete control of the victim’s computer.

If you’d like more technical detail about these flaws, see the “Vulnerability Information” section of Microsoft’s bulletin. Technicalities aside, all of these remote code execution flaws pose significant risk to IE users, and allow attackers to launch drive-by download attacks. Attackers often hijack legitimate web sites and force them to serve malicious web code in something the industry calls a “watering hole” attack. So these types of flaws may affect you even when visiting legitimate, trusted web sites.

If you use IE, you should download and install Microsoft’s cumulative update immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s July IE security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3152)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3115)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3143)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3144)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3164)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3163)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3145)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3153)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3150)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3148)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3147)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3146)

Your XTM appliance should get this new IPS update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Windows Updates Fix Critical .NET and Kernel-mode Driver Flaws

Severity: High

Summary:

  • These vulnerabilities affect: Most current versions of Windows (including 8 and RT), the .NET Framework, and Silverlight 5 (for PC and Mac). Some of these flaws also affect Office and Lync.
  • How an attacker exploits them: Multiple vectors of attack, including luring users to malicious web content or running specially crafted programs
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer.
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released five security bulletins that describe 18 vulnerabilities in Windows, the .NET Framework, Silverlight, and to some extent, Office and Lync. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS13-053: Various Kernel-Mode Driver Code Execution Flaws

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from eight local code execution flaws. The flaws differ technically, but most have to do with the kernel-mode driver improperly handling certain objects, which can result in memory corruption. Smart attackers can leverage memory corruption flaws to execute code. In a nutshell, if a local attacker can run a specially crafted application, he could leverage most of these flaws to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker first needs to gain local access to your Windows computer, or needs to trick you into running the program yourself, which somewhat lessens the severity of this vulnerability. That said, a Google researcher disclosed the details about one of these vulnerabilities to the public a while ago. There have been reports of attackers already leveraging it in targeted attacks. Therefore, we highly recommend you apply this update immediately.

Microsoft rating: Critical

  • MS13-052: .NET Framework and Silverlight Code Execution Flaws

The .NET Framework and Silverlight are both software frameworks used by developers to create rich media web applications. The newer Silverlight framework is also known for being cross-platform and cross-browser. These frameworks suffer from seven security vulnerabilities. The flaws differ quite a bit technically, but all share the same impact: attackers could exploit them to gain full (SYSTEM-level) control of your computer. The attacker would only have to lure one of your Silverlight or .NET users to a malicious web site (or a legitimate site booby-trapped with malicious code) in order to trigger the flaws. Since two of these vulnerabilities were disclosed publicly before Microsoft released this patch, we recommend you install the .NET Framework and Silverlight updates as soon as possible.

Microsoft rating: Critical

  • MS13-054: GDI+ TrueType Font Handling Vulnerability

The Graphics Device Interface (GDI+) is one of the Windows components that handles images, specifically 2D vector graphics. GDI+ suffers from an unspecified remote code execution vulnerability involving its inability to properly handle specially malformed TrueType (TTF) fonts. By luring one of your users into viewing a malicious font, perhaps hosted on a web site, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, the attacker gains full control of their computer. GDI+ ships with Windows; but also with Office, Visual Studio, and Lync. You need to patch all the affected products.

Microsoft rating: Critical

  • MS13-056: DirectShow Memory Overwrite Vulnerability

DirectShow (code-named Quartz) is a multimedia component that helps Windows handle various media streams, images, and files. It suffers from a memory overwrite vulnerability having to do with how it handles specially crafted graphics interchange format (GIF) images. By getting your users to view such a malicious image, perhaps via a web site or email, an attacker could leverage this flaw to execute code on that user’s computer, with the user’s privileges. If your users have local administrative privileges, the attacker gains full control of the users’ machines.

Microsoft rating: Critical

  • MS13-057: Windows WMV Remote Code Execution Vulnerability

Windows ships with various components, such as the Media Format Runtime, to help it process and play media files. The Windows Media Format Runtime suffers from an unspecified code execution vulnerability involving the way it handles Windows Media Video (WMV) media files. By enticing one of your users to download and play a specially crafted WMV file, or by luring them to a website containing such media, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your user has administrative privileges, the attacker gains complete control of that user’s PC.

Microsoft rating: Critical

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws, attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: Patch Windows Kernel-mode Driver and .NET First

Microsoft’s July Patch Day is live and ready for download, so go grab those updates. I recommend you work on the Windows kernel-mode driver and .NET ones first.

According to their summary post, Microsoft released seven security bulletins today, six of which they rate as Critical. The bulletins include updates to fix 36 vulnerabilities in many popular Microsoft products, including Windows, Internet Explorer (IE), Office, the .NET Framework, Silverlight, and Defender. Attackers are exploiting at least one of these flaws in the wild.

I always recommend you apply Microsoft’s Critical updates as soon as possible, but there are two in particular that you should jump on immediately. The first fixes vulnerabilities in Windows’ kernel-mode driver (MS13-053), one of which was disclosed a while ago by a Google researcher. The researcher has already released proof of concept (PoC) code for this flaw, and Microsoft is aware of attackers leveraging it in targeted attacks. Next, you should also apply Microsoft’s .NET Framework and Silverlight patch quickly, since at least two of its flaws were disclosed in detail before today’s updates came out.

That’s not to say you should slack off on the other updates. I think the IE patch is pretty important too, as are any updates Microsoft rates Critical. So I’d recommend you apply all six of the Critical updates today if you can. Of course, I still recommend you test Microsoft’s updates in a non-production environment before pushing them to any critical production server. It may be OK to quickly patch client machines without testing, but you don’t want any surprises with your critical servers.

We’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day. We’ve posted Microsoft’s update matrix below, for your convenience. — Corey Nachreiner, CISSP (@SecAdept)

Summary of July 2013 Microsoft Updates

Major Android Flaw Means More Trojans – WSWiR Episode 69

Snowden’s Hacker CV, Uplay Breach, and Serious Android Vulnerability

Last Thursday, US citizens celebrated our 4th of July, Independence Day holiday, which traditionally means that few workers came into the office on Friday. For that reason, I decided to hold onto last week’s InfoSec summary video until today. What better way to start the week than learning about the latest security news with a hot cup of joe.

In last week’s episode, I cover news of Snowden’s hacking credentials, the latest OS X update, a Ubisoft network breach, and a critical security vulnerability that affects 99% of Android users. For the details on those stories and more, watch our video below.

As an aside, I am taking a bit of time off at the end of the week, so I will either skip this Friday’s video, or post a short one on Monday.

(Episode Runtime: 7:21)

Direct YouTube Link: https://www.youtube.com/watch?v=DTjkmKKy-Gg

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Microsoft to Release Six Critical Updates in July

During the U.S. 4th of July holiday, Microsoft released their normal advance notification bulletin to warn administrators what software updates to expect this month. According to the notification, you can expect them to release seven security bulletins next Tuesday, fixing vulnerabilities in many of their popular software products, including:

  • Windows
  • Internet Explorer
  • Office
  • Visual Studio
  • Lync
  • .NET Framework and Silverlight
  • Microsoft Security Software

While seven bulletins isn’t a record for Microsoft, they rate six of these bulletins as Critical, meaning they pose a significant risk. In most cases, attackers can leverage Critical vulnerabilities to remotely execute code on your computer. So we recommend you jump on these updates as soon as possible next Tuesday. We’ll know more about these bulletins next week, and will publish alerts about them here.

As an aside: For those who watch our weekly InfoSec news summary every week, this week’s US holiday has delayed our production a bit, and I suspect most of our US-based readers are out of town anyway. For those reasons, we are holding our video until Monday. Be sure to check it out with your first cup of joe next week. — Corey Nachreiner, CISSP (@SecAdept)

MS Patch Day: July 2013