Monday, November 17, 2014

Justification for Your Paranoia

October and November have been a bad couple of months for computer security. Flaws in Drupal, SSL, iOS, and everything else seem to have come even more regularly than usual these months. Top it off with last week's Windows SChannel vulnerability (note: if you are running any version of Windows and have not patched in the last week DO IT NOW!) and I bet a lot of security and operations guys are missing a lot of sleep lately.

Here is the latest small collection of bits and bobs from my professional world...

1) Cell-snooping Spy Planes?
Stories about the US Marshals Service using small aircraft equipped with so called 'dirtboxes' (Boeing DRT) to intercept cell-phone signals and locate people have been all over the news this past week. The 'dirtboxes' work by imitating cell phone towers and tricking telephones into connecting to them, which in turns provides the location of the phone user. The devices are even capable of collecting call and data information from the phones, Yet another wonderful example of the U.S.'s over-reaching dragnet style mass surveillance.
What the news has not mentioned this week, is that there does exist some small, niche protection from such snooping attempts... 
German company GSMK has patented a Cellphone Firewall which lets people know when a rogue cell tower is attempting to connect to their phone and turn off the movile network's standard encryption. The firewall, which is currently only available on GSMK's CryptoPhone 500 (which sadly costs $3K per phone and is mostly only available for enterprise customers)...
The CryptoPhone firewall monitors all connections to the phone’s baseband. It checks whether a particular cell tower lacks an ID like its neighboring towers—for example a name that identifies it as an AT&T or Verizon tower—whether it has a different signal strength, and whether the tower is operating as expected or trying to manipulate phones. It will also alert you when the mobile network’s encryption has been turned off or when the phone has suddenly switched from using a 3G or 4G to a 2G network—a less secure network that doesn’t authenticate cell towers and makes it easier to decrypt communication. IMSI catchers will often jam 3G and 4G signals to force a phone to use the less secure 2G network, and the CryptoPhone firewall will alert users when this occurs.
There is some talk, but no actual plan yet, for a consumer-level app with similar functionality to the CryptoPhone Firewall that could be used on other Android devices (though likely with only alerting of rogue towers, without the additional countermeasures). Until such a thing is available, if these stories really bother you, you can at least rest assured that it is not bothering the one or two people out there who have enough cash to lay down three grand for a phone.
2) WireLurker for Windows. Boring, but it's there...
Last time, I mentioned the WireLurker trojan infecting iOS devices. Unsurprisingly, that same malware has been discovered on Windows devices, only a day after the iOS news came out. The Windows version is designed with the intent of infecting your iOS phone or tablet when it is plugged into your Windows PC (such as to sync your iTunes or charge it).
The C&C servers used by WireLurker are currently inactive, and Apple has taken steps to ensure that its users are protected, including the revocation of the stolen code signing certificates used by the malware creators to run the malicious iOS apps on non-jailbroken devices.
3) Et tu Pidgin? Not quite.
I know tons of people who use the universal chat client, Pidgin. Well, Cisco reported three new vulnerabilities in the client this month. Which is not that unusual or surprising. One however, stands out as mildly hilarious...you can embed malicious code in "Smileys" (aka emoticons).
The smiley and theme packages, which are installed by users via drag-and-drop, are TAR files. On Linux, where TAR is a standard format and an unpacking application exists by default, Pidgin automatically extracts the TAR files to the folder for themes and smileys. However, on Windows, because the unpacking utility is not included, the developers of Pidgin have included special code for the operation. The problem is that in Windows the files can be extracted to an arbitrary location, allowing an attacker to write or overwrite any file depending on the targeted user's permissions. 
What makes the Pidgin team awesome though, is that these flaws which were publicized by a third party on Nov 7th, were already fixed in v2.10.10, which was released on Oct 22nd. At least one group of developers are on top of things...
Go Pidgin!
 4) News Flash! Hotel networks are still un-secure...
Back in July I mentioned a report about hotel business center computers being compromised with keyloggers. Well, a new APT called 'Darkhotel' is preying on business travelers connecting to the WI-FI network of a hotel (s)he is staying at. After the guest enters the last name and room number to establish a connection to the hotel network, the attack tricks the victim into downloading the Darkhotel backdoor masquerading as a software update for popular software tools. The attack team then uses the backdoor to assess the victim's job role to push additional pieces of information-stealing malware on to the computer.
The majority of Darkhotel-infected networks appear to be located in Japan, Taiwan, China, Russia and Korea, but there are plenty of victims in other countries such as Germany, the United States, Indonesia, India, and Ireland, according to a report published by Kaspersky. Targets have included corporate chief executives, senior vice presidents, sales and marketing directors and top research staff at companies in the electronics, defense manufacturing, finance, automotive and pharmaceutical industries, among others. Some law enforcement, military and non-governmental officials have also been targeted.
"The fact that most of the time the victims are top executives indicates the attackers have knowledge of their victims whereabouts, including name and place of stay," the researchers wrote. "This paints a dark, dangerous web in which unsuspecting travelers can easily fall." 
All the usual caveats for traveling and public networks apply and help here, such as using VPN tunnels when accessing public or semi-public WiFi networks at hotels and similar places, maintaining and regularly updating all system software, and when traveling, consider all update prompts as suspicious.