Wednesday 31 October 2012

To My Conscience



Your being with me is a blessing,
For you are so friendly and so caring.

                             In my despair
                             You give me solace,
                             And in my happiness
                             You smile with me.

You guide me whenever
I need your advice,
Warn me against any ill will
Unmindful of which I may be.

                             You always remain
                             With me in my strife,
                             Stand by me through all
                             The ups and downs of my life.

Thanks to you.
For you have kept me alive,
You are the only one,
For whom I really strive.


Courtesy by Shalini Jalali Koul

Monday 29 October 2012

The Dead Flower



The Dead flower has lost
its fragrance
which it was having once
when it was blooming
to its full,
with great joy
and enthusiasm,
spreading its aroma
all around
and giving out a radiant smile,
but little did he know
that his days were numbered.
                                                Couldn’t save himself
                                                from the cruel
                                                hands of nature
                                                and was dispersed
            on the ground,
            as he had to bow
            his head
            before the power,
            much more
            stronger than him.
The withered petals,
lying,
were soon driven off
by the heartless wind
as he couldn’t tolerate
seeing them together.
                                                Separated, they kept
                                                on saying
                                                that even if they
                                                lived a short life,
                                                it was much more
                                                dignified
                                                and full of ecstasy.


Courtesy by Shalini Jalali Koul

Friday 19 October 2012

Research Shows Serious Problems With Android App SSL Implementations

There are thousands of apps in the Google Play mobile market that contain serious mistakes in the way that SSL/TLS is implemented, leaving them vulnerable to man-in-the-middle attacks that could compromise sensitive user data such as banking credentials, credit card numbers and other information. Researchers from a pair of German universities conducted a detailed analysis of thousands of Android apps and found that about 8 percent of them, or 17 percent of those that contain HTTPS URLs, had SSL/TLS code that could leave them open to such attacks.

The researchers conducted a detailed study of 13,500 of the more popular free apps on Google Play, the official Android app store, examining how completely and effectively SSL/TLS was implemented in them. They found that more than 1,000 of the apps have flaws in their SSL usage that make them potentially vulnerable to MITM attacks, in which an attacker sits between the app and its server, for instance on a Wi-Fi network he controls, and intercepts the traffic. In its research, the team was able to intercept sensitive user data from these apps, including credit card numbers, bank account information, PayPal credentials and social network credentials.

The team also built a proof-of-concept static analysis tool called MalloDroid, designed to find potentially exploitable SSL bugs in Android apps; it flagged 1,074 apps as potentially vulnerable. To determine whether an attack was in fact possible, the researchers then manually attacked 100 of those apps, and in 41 cases it was.

"These 1,074 apps represent 17.0% of the apps that contain HTTPS URLs. To evaluate the real threat of such potential vulnerabilities, we have manually mounted MITM attacks against 100 selected apps from that set. This manual audit has revealed widespread and serious vulnerabilities. We have captured credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts and email accounts. We have succesfully manipulated virus signatures downloaded via the automatic update functionality of an anti-virus app to neutralize
 
the protection or even to remove arbitrary apps, including the anti-virus program itself. It was possible to remotely inject and execute code in an app created by a vulnerable app-building framework," the authors wrote in their paper, "Why Eve and Mallory Love Android: An Analysis of Android (In)Security"

Security researcher Jon Oberheide of Duo Security, who has worked extensively on Android security, said that it's important to realize that the presence of problematic code in an app doesn't mean that it's ever actually used during operation.

"The presence of such code in an app doesn't necessarily mean the app is vulnerable to MITM. Many apps may contain the code, but it might not be in use at runtime. For example, many developers will have an option to disable SSL cert validation when the app is in debug mode, but that code path won't be taken when the app is running for real," Oberheide said. 

The researchers identified several distinct classes of vulnerability: apps that accept any certificate; apps that accept any hostname; apps that trust a very large number of certificate authorities by default; and apps that use mixed-mode (HTTP alongside HTTPS) or no SSL at all. Their MalloDroid tool evaluates target apps in a number of ways, looking at the permissions they request, which network connections they make, how they use HTTP and HTTPS, and how SSL certificates are handled.
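A MalloDroid-style check can be approximated with a few pattern rules over decompiled source. The Python scanner below is an added example for this post, not the researchers' MalloDroid, and it runs over two constructed Java fragments embedded in the script (not code from any real app). It flags the accept-any-certificate, accept-any-hostname, cleartext and mixed-mode classes above; "trusts too many CAs" is a property of the platform trust store rather than of the app's code and is out of reach of a source-level rule. The snippet names, rule names and the regular expressions are this example's own assumptions.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    rule: str
    line: int      # 1-based line in the scanned source, 0 for file-level findings
    evidence: str  # start of the matched text


# Detection rules for the insecure-TLS patterns the paper groups apps into.
# The regexes are deliberately loose: decompiled code is inconsistently formatted.
RULES = [
    # X509TrustManager whose checkServerTrusted() body is empty: any chain is
    # accepted, so a MITM proxy with a self-signed certificate is not rejected.
    ("trust-all TrustManager",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}")),
    # Apache HttpClient constant that turns off hostname verification: a certificate
    # issued by a trusted CA for an unrelated hostname is accepted.
    ("allow-all hostname verifier",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    # Custom HostnameVerifier whose verify() always returns true: same effect.
    ("allow-all hostname verifier",
     re.compile(r"verify\s*\(\s*String[^)]*\)\s*\{\s*return\s+true\s*;\s*\}")),
    # Hard-coded cleartext endpoint: no SSL on that connection at all.
    ("cleartext URL",
     re.compile(r'"http://[^"]+"')),
]

# Constructed Java fragments standing in for decompiled app code (sample input
# for this example only).
VULNERABLE_SNIPPET = """
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
} };
HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
URL api = new URL("https://api.example.test/login");
URL ads = new URL("http://ads.example.test/track");
"""

SAFE_SNIPPET = """
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, null, null);  // null managers: platform trust store, default checks
URL api = new URL("https://api.example.test/login");
"""


def scan(java_source: str) -> List[Finding]:
    """Return one Finding per rule match, plus a file-level mixed-mode finding."""
    findings = []
    for rule, pattern in RULES:
        for m in pattern.finditer(java_source):
            line = java_source.count("\n", 0, m.start()) + 1
            findings.append(Finding(rule, line, m.group(0)[:60]))
    # Mixed mode: HTTPS is used somewhere, but another connection is cleartext, so
    # a MITM on the cleartext leg can still feed the app content it will act on.
    if '"https://' in java_source and '"http://' in java_source:
        findings.append(Finding("mixed-mode HTTP/HTTPS", 0, "both schemes present"))
    return findings


def rules_hit(java_source: str) -> set:
    """The set of rule names that fired, for a quick verdict per app."""
    return {f.rule for f in scan(java_source)}


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SNIPPET), ("safe", SAFE_SNIPPET)):
        print(name, sorted(rules_hit(src)) or ["no findings"])
```

As Oberheide notes below, a hit only means the code is present; whether the trust-all path is reachable at runtime still has to be confirmed, which is exactly why the researchers followed the static pass with a manual MITM audit.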
 
Once they had used the tool to weed out the apps with potential MITM vulnerabilities, the researchers set up a test environment and executed sample attacks against those apps by hand.

"For the manual app auditing, we used a Samsung Galaxy Nexus smartphone with Android 4.0 Ice Cream Sandwich. We installed the potentially vulnerable apps on the phone and set up a WiFi access point with a MITM SSL proxy. Depending on the vulnerability to be examined, we equipped the SSL proxy either with a self-signed certi ficate or with one that was signed by a trusted CA, but for an unrelated hostname," the researchers said in the paper.

"Of the 100 apps selected for manual audit, 41 apps proved to have exploitable vulnerabilities. We could gather bank account information, payment credentials for PayPal, American Express and others. Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted."

The research, which was done by teams from Leibniz University in Hanover and Philipps University of Marburg, shows that app developers, like many Web developers, have trouble implementing SSL correctly. The researchers said that while Android's default browser handles SSL connections well and gives users useful warnings when a certificate problem arises, there are a number of areas ripe for improvement. They suggest an Android-specific version of the HTTPS Everywhere plugin, which rewrites requests to HTTPS for sites known to support it. They also say that running something such as MalloDroid from the app installer would help find potentially vulnerable apps before installation, and that integrating the tool into the app market could help as well.

"The fi ndings of our investigation suggest several areas of future work. We intend to provide a MalloDroid Web App and will make it available to Android users. Moreover, there seems to be a need for more education and simpler tools to enable easy and secure development of Android apps. But most importantly, research is needed to study which countermeasures o er the right combination of usability for developers and users, security bene ts and economic incentives to be deployed on a large scale," the researchers said.

Oberheide of Duo Security said that there are lessons in the paper both for developers and users.

"The fact that Android and other mobile platforms provide proper HTTPS routines as part of the core platform is important though. There will always be incompetent developers who shoot themselves in the foot security-wise and there's only so much the mobile platform can do to prevent that without hampering legitimate cases," he said.

"As far as users go, I think the biggest lesson to be learned is that downloading third-party unofficial apps can be risky (eg.  downloading an unofficial banking app instead of the one actually released by your bank) for a number of reasons including poor coding practices."


Courtesy by Dennis Fisher

Monday 15 October 2012

Exploit Code Released Targeting Firefox 16 Vulnerability

It’s been an interesting couple of days for Firefox users. First Mozilla released version 16 of the popular browser on Wednesday, then quickly pulled it back yesterday after a serious security vulnerability was found in the new version. Less than 12 hours later, Mozilla had repaired the problem and re-released the updated browser, but not before exploit code was released.

The attack exploits an issue where Firefox exposed URL information across Web domains by not properly restricting access to JavaScript's location object. Mozilla director of security assurance Michael Coates said the vulnerability could allow a malicious website to determine which websites a user had visited and would leak URL information.

Eight lines of exploit code then appeared on a UK JavaScript blog. The author had discovered a case where an undefined value was converted to a string inside a native function, a condition he surmised could be abused, and tested his short JavaScript proof-of-concept against Twitter to see whether it could identify the user's Twitter handle.

Imperva, meanwhile, explained how the exploit would be carried out. A user would have to land on the attacker’s site. The attacker would then open a new browser window in Twitter; if the victim is signed in, they would be redirected to a URL that contains a personal Twitter ID. The attacker would then be able to query the new window and grab the victim’s Twitter ID, Imperva said.
 
Coates’ initial post on the Firefox blog indicated Mozilla had no indication the vulnerability was being exploited in the wild.


Courtesy by Michael Mimoso

Saturday 6 October 2012

New Android Malware App Turns Phone into Surveillance Device

Mobile malware has largely been limited to Trojans buried inside a malicious app targeting sensitive data stored on the phone such as email, contact information and SMS messages. A new proof-of-concept piece of malicious software, however, expands the scope of mobile malware and essentially turns an Android device into a surveillance tool, bringing a whole new range of security and privacy implications into the equation.

Researchers from the Naval Surface Warfare Center and Indiana University’s School of Informatics and Computing introduced PlaceRaider late last week, putting a new spin on burglary and espionage while coining the term visual malware. PlaceRaider exploits innate weaknesses in Android to use the phone’s camera to surreptitiously take photographs, and send that data off to a command and control server where an attacker could build a 3D model of the victim’s environment.

“Remote burglars can thus download the physical space, study the environment carefully and steal virtual objects from the environment such as financial documents, information on computer monitors and personally identifiable information,” the researchers wrote in a paper published last week.

The attack is relatively low-tech, requiring only that a user install a camera application carrying PlaceRaider. Once the data is uploaded to the C&C server, the attacker can use a variety of open source viewer and modeling software to reconstruct the space in question. This research ups the ante on previous mobile attacks in which attackers could remotely turn on a device's microphone and listen in on conversations or monitor the device.

With PlaceRaider, Robert Templeman, Zahid Rahman, David Crandall and Apu Kapadia have brought remote capabilities to such visual attacks; past attacks have required the attacker to be within visual range of the target.

“We show how PlaceRaider allows remote hackers to reconstruct rich three-dimensional models of the smartphone owner’s personal indoor spaces through completely opportunistic use of the camera,” they wrote.

A victim would have to download a malicious camera application to initiate the exploit. PlaceRaider collects not only images but data from the device's accelerometer, gyroscope and magnetometer, giving the attacker orientation readings for each image. The app runs in the background and can be configured to take pictures at set intervals without the user's knowledge. The researchers count on the user granting the application permission to access the camera, write to external storage and connect to the Internet, permissions most camera apps request and which are therefore unlikely to raise suspicion.

PlaceRaider also requires root access to change audio settings in order to mute the audible shutter sound cameras emit when photos are snapped. It also disables the photo preview on the device, another hint to the user that the phone has been compromised. Again, most users, the researchers said, would disregard any permission warnings and grant the app what it wanted. As for the sensor data from the accelerometer, gyroscope and magnetometer, Android requires no permission at all to read it.
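To see what the manifest of such an app does and does not reveal, here is an added Python example (not PlaceRaider's code or anything from the paper) that parses two constructed AndroidManifest.xml fragments, lists the permissions each requests and flags the camera-plus-network-plus-storage combination. The package names, component names and flag wording are this example's own assumptions. Note what is absent: the motion sensors never appear, because Android grants them without any permission.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# ElementTree expands the android: prefix on attributes to this Clark-notation key.
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed manifests (sample input for this example). The first is what a
# PlaceRaider-style camera app would declare; the second is an offline photo editor.
CAMERA_UPLOADER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Camera">
        <activity android:name=".CameraActivity"/>
        <service android:name=".UploadService"/>
    </application>
</manifest>
"""

PHOTO_EDITOR_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.editor">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Editor">
        <activity android:name=".EditorActivity"/>
    </application>
</manifest>
"""


def permissions(manifest_xml: str) -> Set[str]:
    """All <uses-permission> names; manifest elements themselves are unnamespaced."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")}


def components(manifest_xml: str, tag: str) -> List[str]:
    """Names of declared components of one kind, e.g. 'service' or 'receiver'."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter(tag)]


def assess(manifest_xml: str) -> Dict[str, object]:
    """Flag the capability combination PlaceRaider relies on."""
    perms = permissions(manifest_xml)
    flags = []
    if {"android.permission.CAMERA", "android.permission.INTERNET"} <= perms:
        flags.append("camera+internet: captured images can leave the device")
    if "android.permission.WRITE_EXTERNAL_STORAGE" in perms:
        flags.append("external storage: frames can be staged on disk before upload")
    if components(manifest_xml, "service"):
        flags.append("background service: capture can run with no activity on screen")
    # Accelerometer, gyroscope and magnetometer readings need no permission on
    # Android, so nothing in the manifest tells you whether an app samples them.
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "permissions": sorted(perms),
        "flags": flags,
    }


if __name__ == "__main__":
    for manifest in (CAMERA_UPLOADER_MANIFEST, PHOTO_EDITOR_MANIFEST):
        result = assess(manifest)
        print(result["package"], result["flags"] or ["nothing flagged"])
```

The point of the contrast is the one the researchers make: a legitimate camera app and a PlaceRaider-style one look identical at the permission prompt, so the prompt is not where the user can tell them apart.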

PlaceRaider also weeds out “redundant and uninformative images” before sending data to the C&C server, analyzing the sensor data and applying a set of algorithms to determine which images are likely to be useful to an attacker. The analysis sets a threshold and discards any image that falls below it, which lessens the burden on the phone in both transmission and power consumption.

Next the researchers used a toolkit known as Bundler, which implements Structure from Motion (SfM), the process of building a 3D model from two-dimensional images, along with Patch-based Multi-view Stereo (PMVS) software and a custom plug-in for the open source MeshLab viewer to render the 3D model of the target’s environment.

The paper details a test scenario with 20 users, each equipped with an HTC Amaze running Android 2.3.3, in a typical academic setting staged with objects such as personal checks, calendars, barcodes and computer screens. The phone was configured to take 1-megapixel photos every two seconds. Once the data was collected, 30 percent of the models scored better than average on a subjective scale established by the researchers, the paper said.

“These results suggest that faithful 3D models of a space can often be generated from opportunistically captured images,” the researchers wrote. “This is a somewhat surprising result because most Structure from Motion approaches were designed for use with deliberately composed images.”

This particular attack could have consequences beyond home burglary; it could also put sensitive business and military installations at risk. The effects would worsen if future versions of the malware could identify pre-defined objects, for example.

Prevention, however, largely remains with the user, especially when it comes to arbitrarily granting permissions that give the malware access to the camera and audio settings. Android and iOS, meanwhile, require no permission to read the motion sensors that PlaceRaider uses to cut down the image data transmitted to the attacker. The researchers suggest that the operating system could be changed to allow image capture only when a physical button is pressed, preventing surreptitious capture, the paper said.


Courtesy By Michael Mimoso

Thursday 4 October 2012

The Rise of Data-Driven Security

The phrase "you're doing it wrong" is a common refrain in the security community these days as people wander around in various states of disillusionment with the technology and processes that have led to what many perceive as a systemic failure. But that refrain usually is not followed by any useful discussion of what's going wrong or what can be done about it. To researcher Claudio Guarnieri, one of the major problems is obvious: we're completely backward in the way we prioritize protection.

On any given day, the headlines are full of dire warnings about new zero-days, another bug discovered in Android or a new flaw in a major database. Inside enterprise IT departments, those bugs are simply added to the already massive pile they'll eventually get around to patching when they have time. And often, that patching plan will be based upon one or another of the myriad vulnerability scoring systems that have emerged in the last 10 years or so.

Therein lies the problem, according to Guarnieri. Which bugs to fix first and how quickly to patch them should not be based on a CVSS score or criticality rating, but rather on how likely it is that an attacker is going to try and exploit any given vulnerability.

"We tend to be too flat and don't take into account whether vulnerabilities are actually being exploited in the wild," Guarnieri, a researcher at Rapid7, said in a recent interview. "It's not efficient because there's no context. We need to understand how bugs are being used by the bad guys. There needs to be a connection between bugs, attacks and threats. People need to understand that this kind of vulnerability is being used by this kind of attacker for this kind of attack. So then I can walk it up the chain as a high priority."
 
There are thousands and thousands of vulnerabilities discovered each year now, but the vast majority of those don't end up being used in attacks. They're the bench players, the guys who are kept around to fill out the roster and take a beating from the big boys in practice. They just sort of hang out, like Rudy waiting for the coach to call his name, hoping that one day they'll get in the game. But, unless it's one of the stars--say a nice ASLR and DEP bypass bug in Internet Explorer 10--then it's probably going to stay in the shadows and never get much run.

CVSS, the Common Vulnerability Scoring System, rates each vulnerability on a fixed set of technical factors (access vector, access complexity, authentication, and impact on confidentiality, integrity and availability) to produce a base score from 0 to 10; nothing in that base score says whether anyone is actually exploiting the bug.

Even flaws with critical ratings may not be of much use to an attacker if they're not in a widely deployed application. That's one of the reasons Guarnieri believes there needs to be a major shift in the way that the industry looks at vulnerabilities in general and their place in the security chain in particular. Bringing the probability of exploitation into the equation is one step in that direction.

"Right now we're relying on the CVSS score and broken metrics. They're purely technical evaluations of the vulnerabilities and don't you any absolute measurements of the likelihood of exploitation," Guarnieri said. "For cybercriminals, Java is the main thing. It's used for targeted attacks, but targeted intrusions come down to Office in a lot of cases. Java is the bad animal in the play for cybercrime. Knowing this gives you a lot of context and advantage when counteracting. Critical bugs are really only fifty percent of what's being used. The rest are low and medium severity. If you filter the CVE collection down to the ones that are actually being weaponized and used, it's a much smaller number."

Guarnieri estimates that there are roughly 100 vulnerabilities being used or sold on the underground at any given time, and the tens of thousands of others are mostly background noise.

"That gives you a very limited context of what's likely to happen when it comes to exploitation and helps with prioritization," he said. "Right now, we always base security on what might possibly happen, not on what's likely to happen."
Guarnieri, the creator of the Cuckoo Sandbox malware analysis tool, advocates a data- and intelligence-driven approach to vulnerability analysis and security, something that's also been espoused by others in the industry, including Dan Guido of Trail of Bits. That approach takes into account the relevance of a particular vulnerability to your specific organization, how likely it is to be exploited and what the effect would be on your organization if it was exploited. 
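One way to make the contrast concrete is to rank the same bugs twice: once by CVSS base score alone, and once by severity weighted by exploitation likelihood and by how much of your own estate runs the affected software. The Python below is an added example illustrating the article's argument, not Guarnieri's or Rapid7's method. The vulnerability labels (not real CVE identifiers), the inventory counts and the 1.0/0.4/0.05 likelihood weights are constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Vuln:
    vid: str                 # hypothetical label for this example, not a CVE ID
    product: str
    cvss: float              # CVSS base score, 0 to 10
    exploited_in_wild: bool  # seen in exploit kits or targeted attacks
    public_exploit: bool     # working exploit published but not seen in attacks


# Constructed sample data. The bugs mirror the article's claim: the highest CVSS
# score belongs to software this organisation does not run at all, while a
# medium-severity Java bug is the one actually being used against people.
VULNS: List[Vuln] = [
    Vuln("db-1", "obscure-db", 9.8, False, False),
    Vuln("ie-1", "ie10", 9.3, False, True),
    Vuln("java-1", "java-jre", 6.8, True, False),
    Vuln("office-1", "office", 9.3, True, False),
    Vuln("app-1", "android-app", 4.3, False, False),
]

# Constructed asset inventory: product -> number of hosts running it.
HOST_COUNT = 2500
INVENTORY: Dict[str, int] = {
    "java-jre": 1800, "office": 2100, "ie10": 900, "obscure-db": 0, "android-app": 40,
}


def rank_by_cvss(vulns: List[Vuln]) -> List[str]:
    """The 'flat' approach the article criticises: severity only, no context."""
    return [v.vid for v in sorted(vulns, key=lambda v: -v.cvss)]


def likelihood(v: Vuln) -> float:
    """Exploitation weight. The 1.0 / 0.4 / 0.05 values are assumptions."""
    if v.exploited_in_wild:
        return 1.0
    if v.public_exploit:
        return 0.4
    return 0.05


def exposure(v: Vuln, inventory: Dict[str, int]) -> float:
    """Fraction of the estate that runs the affected product (0 if not deployed)."""
    return inventory.get(v.product, 0) / HOST_COUNT


def priority(v: Vuln, inventory: Dict[str, int]) -> float:
    """Severity x likelihood x exposure: what is likely, not what is possible."""
    return round(v.cvss / 10 * likelihood(v) * exposure(v, inventory), 4)


def rank_data_driven(vulns: List[Vuln], inventory: Dict[str, int]) -> List[str]:
    return [v.vid for v in sorted(vulns, key=lambda v: -priority(v, inventory))]


if __name__ == "__main__":
    print("cvss only   :", rank_by_cvss(VULNS))
    print("data driven :", rank_data_driven(VULNS, INVENTORY))
    for v in VULNS:
        print(f"  {v.vid:9s} cvss={v.cvss:4.1f} priority={priority(v, INVENTORY)}")
```

With this data the 9.8 bug in software nobody runs drops from first to last, and the exploited-in-the-wild Office and Java bugs move to the top; the exposure term is what makes the ranking specific to one organisation rather than to the CVE list as a whole.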

"People are too systematic about their security," he said. "We're being so exposed, it's a disaster. Data-driven security should be the next thing. Collect and analyze the data from the wild and provide a realistic assessment of what's going on."


Courtesy by Dennis Fisher

Tuesday 2 October 2012

Analysis Shows Some URL Shorteners Often Point to Untrusted Websites

In an analysis of 1.7 billion shortened URLs, researchers at Web of Trust found that 8.7 percent of TinyURLs and five percent of Bit.ly URLs lead to sites that received poor ratings for ‘trustworthiness’ and ‘child protection.’

“Certainly the URL shortening services don’t intend to point people to malicious websites,” said Web of Trust CEO Markus Suomi, “but perhaps they can do more to proactively protect their services from being exploited.”

Suomi explained that the companies running URL shortening services should be able to limit malicious use by automatically screening for compromised websites and warning users when the site they are about to reach is suspicious.
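Such screening starts with expanding the short link without fetching what it points to. The Python below is an added example, not Web of Trust's or any shortener's code: it follows redirects one hop at a time using only HEAD-style responses, refuses loops and over-long chains, and then looks the destination host up in a reputation table. The redirect table, hostnames, scores and the poor-rating cut-off of 60 are constructed for this example; in real use `mock_head` would be replaced by an HTTP HEAD request issued with automatic redirects disabled.

```python
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed redirect table standing in for live HEAD responses: url -> (status, Location).
# Any URL not listed answers 200 with no Location, i.e. it is a final destination.
REDIRECTS: Dict[str, Tuple[int, Optional[str]]] = {
    "http://short.example/abc": (301, "http://other-short.example/xyz"),
    "http://other-short.example/xyz": (302, "http://download.example.ac/setup.exe"),
    "http://short.example/rel": (301, "/landing"),  # relative Location header
    "http://short.example/landing": (302, "https://www.example.com/article"),
    "http://short.example/loop1": (301, "http://short.example/loop2"),
    "http://short.example/loop2": (301, "http://short.example/loop1"),
}

# Constructed reputation scores (0-100); the poor-rating cut-off of 60 is assumed.
RATINGS: Dict[str, int] = {"download.example.ac": 12, "www.example.com": 93}
POOR_THRESHOLD = 60

HeadFn = Callable[[str], Tuple[int, Optional[str]]]


def mock_head(url: str) -> Tuple[int, Optional[str]]:
    """Stands in for an HTTP HEAD request; no response body is ever fetched."""
    return REDIRECTS.get(url, (200, None))


def expand(url: str, head: HeadFn = mock_head, max_hops: int = 10) -> Dict[str, object]:
    """Follow redirects hop by hop, stopping on loops and over-long chains."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return {"final": chain[-1], "chain": chain, "outcome": "resolved"}
        nxt = urljoin(chain[-1], location)  # resolves relative Location headers
        if nxt in chain:
            return {"final": None, "chain": chain, "outcome": "loop"}
        chain.append(nxt)
    return {"final": None, "chain": chain, "outcome": "too-many-hops"}


def tld(host: str) -> str:
    """Rightmost label, e.g. 'ac' for download.example.ac."""
    return host.rsplit(".", 1)[-1].lower()


def assess(url: str, head: HeadFn = mock_head) -> Dict[str, object]:
    """Expand, then rate the destination host; unknown hosts are reported as such."""
    result = expand(url, head)
    if result["outcome"] != "resolved":
        return {**result, "verdict": result["outcome"]}
    host = urlsplit(result["final"]).hostname or ""
    score = RATINGS.get(host)
    if score is None:
        verdict = "unknown"
    else:
        verdict = "poor" if score < POOR_THRESHOLD else "ok"
    return {**result, "host": host, "tld": tld(host), "score": score, "verdict": verdict}


if __name__ == "__main__":
    for u in ("http://short.example/abc", "http://short.example/rel",
              "http://short.example/loop1", "http://nowhere.example/x"):
        r = assess(u)
        print(u, "->", r.get("final"), r["verdict"])
```

Two details matter in practice: the destination is judged by the host after expansion, never by the shortener's own domain, and the chain is capped and loop-checked so that a hostile link cannot keep the checker busy; meta-refresh and JavaScript redirects that answer 200 are a separate problem this HEAD-only walk does not see.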

In addition to these findings, Web of Trust measured the overall trustworthiness of various top level domains. They determined that 2.5 percent of sites within the .com TLD are rated poorly in terms of trustworthiness and 3.6 percent were rated poorly on child protection. In the .info TLD, 10.7 percent of sites were rated poorly, 9.6 percent received poor ratings in the .net TLD, and 9.5 percent of .biz domains were poorly rated.

Web of Trust goes on to point out that many country-code TLDs through which link-shortening services route traffic are loosely regulated and return suspicious ratings for as many as 90 percent of the websites under them. The most suspicious TLDs, according to Web of Trust, are Ascension Island’s .ac, in which 91 percent of sites are poorly rated, Montserrat’s .ms, with 46 percent of its sites rated poorly, and Puerto Rico’s .pr, where 46 percent received poor ratings.

The analysis was based upon data from TinyURL (from its inception in 2002 until December 2011) and Bit.ly (from its founding in 2008 to December 2011).

Web of Trust is a Finnish company that runs a community-powered safe-surfing tool. The site ratings are partially crowd-sourced by Web of Trust’s 45.5 million users. People who download Web of Trust’s browser plugin can rate the trustworthiness of the sites they visit based on their own experience. In addition to this, the ratings are also partially based on ‘information from selected technical data services.’

 
Courtesy By Brian Donohue