Personal Security?

We pride ourselves on our approach to security here at RJS and have been keenly interested in the goings on with the NSA and the PRISM program and all the third parties that seem to have no problem coughing up your personal info, corporate giants such as Google, Facebook, Microsoft, etc.

Here’s a new one to add to the list: Motorola.

Ben Lincoln posted on his blog today some interesting facts he happened to stumble upon when troubleshooting an Exchange Active-sync setup with his Motorola Droid X2 cell phone. Turns out that Motorola is gathering ALL his log on credentials for third party sites/services and photos he’s taken with his phone, and passing quite a bit of that data unencrypted over HTTP.

In layman’s terms: all that data is interceptable by third parties, in fact, that’s how Lincoln initially discovered it.

We talked quite a bit about a similar issue with HTC and “Carrier IQ” being pushed to all their phones through an over-the-air update. Fortunately, Trevor Eckhart discovered that little gem and put in a lot of valuable time and effort into making it known: Eckhart pointed it out to the XDA ROM modding community and swift steps were taken to purge it from all custom ROMs. The resulting backlash against HTC was huge to the point that their stock and market share tumbled during 2012 and in 2013.

When you break the trust of your customer’s it is really hard to recover.

HTC licked their wounds and released out the HTC One, which has been aptly named since it’s their one last effort to salvage the company. I picked up the One this spring on vacation, rooted it a day later and installed a custom ROM that I know has been stripped of any carrier and manufacturer bloat and spyware.

Do I feel any more secure? Not really since the NSA is digging through all my email and phone traffic regardless of personal security steps I take.

Maybe it’s time to take a Jack Reacher approach and just unplug from everything and step entirely off of the grid …

 

The Insidiousness of Cellphone Malware

Hackers and cyber criminals continue to get more sophisticated, especially when it comes to fooling people via less traditional attack vectors. For example, I got an interesting text on my work cell phone earlier this week …

“heyy liveurpic.com that’s what I was telling you you should join.

The message came from a local Twin Cities telephone number that I didn’t recognize. So, being the suspicious type that I am, I “Googled” the phone number and found that the same number was spamming local numbers here in the Twin Cities and that there are several complaints about it already.

Taking this a step further, I fired up a clean VM with antivirus on it that goes through our Sophos WS1000 web security appliance and pulled up the URL in Google Chrome.  Sure enough, the site was blocked and classified as “High Risk” and that “Mal/HTMLGen-A” has been found on the site.

Sophos warning

Sophos classifies malware by its behavior, and Mal/HTMLGen-A happens to be a very commonly used browser payload delivery mechanism that affects Windows, Mac OS X, and Linux.

After doing a little more digging, I found that the URL that was sent resolves to 46.102.246.15, which has some really interesting history to it. This particular IP range was in Volgograd, Russia back in 2010, and is now owned by a Romanian internet hosting company parked in Schiphol, Netherlands.

A few companies I’ve worked at in the past IP block Romania at the firewall since there is a high amount of fraud and scam traffic that originates from there, so it makes sense that they would host from another country to get around geo location-based IP blocking.

And finally, we arrive at the nature of the attack itself.

Cell based text messaging. Both my phones run a variant of Linux, one being Apple iOS (work cell) and the other Android (personal cell). If an attack is highly sophisticated, it will include some sort of detection routine so it knows which payload to push onto the phone such as iOS JailBreak code or Android rooting scripts/programs – something that will allow the attacker to access your dialer without you knowing about it to make premium calls or text messages. Sure, you’ll figure it out once you get your next phone bill, but by then it’ll be too late.

If the attack is low-tech, then it may be as simple as trying to get you to share you URLs (like Chrome does) with a far more vulnerable Windows OS and use some canned Blackhole Exploit Kit scripts that were purchased to farm some bank info.

I’d love to take the time to pull the payload code apart to see what it’s trying to do, but from the poor English used in the text message itself, I’m betting its low tech.  If the attacker can’t be bothered to try to make the message look legit, you can more than likely bet they bought their malware off the shelf.

Moral of the story: your cellphone is as at as much risk as your computer. Be wary, be vigilant.

Holding your phone wrong is … right?

A big joke in the cellphone industry was the excuse Apple gave for the “antennagate” issue upon introduction of the iPhone 4: “you’re holding it wrong.”  Funny enough, holding it wrong may be the way to go in the future.

You’ve probably seen published lists of the most commonly used PIN numbers, including such creative numerology as 1111 or 5683 (spells out LOVE). Security experts look at those lists and shake our heads wondering what people were thinking when they hit “1” four times and thought their phone was secure.

Of course, at least they’re using a PIN of some sort in an effort to protect their phone. Even if the PIN is considered “weak,” the stark reality is most people don’t use one simply because PIN codes are inconvenient and take time to enter. In fact, most people don’t use any means of data protection at all.

Thank goodness you’re not one of those PIN-less cellphone users, right?

Well, what if I told you your PIN, no matter how cleverly created, is now trivial to hack?  And that nifty complicated thumb sliding lock pattern you came up with that would require the hacker to be double-jointed to pull off?  Even easier.

There’s a new PIN and lock pattern proof-of-concept hack from Dr. Adam Aviv and his team of researchers at the University of Pennsylvania that uses the accelerometer in your phone to detect how it moves in space specifically during the unlock process.  As you move your thumb to hit the PIN numbers or trace the unlock pattern, this hack track the accelerometer data and matches it against its database of known patterns. They’ve been working on this attack vector for a few years now. Their previous approach utilized the gyroscopic sensors which lead to very imprecise measurements, but this new approach uses the accelerometer sensor in a “high bandwidth” mode and the results are pretty spectacular. In controlled settings with the subject seated they were able to guess the PIN number used 43% of the time and the unlock pattern 73% of the time.  When the subject was walking, the accuracy dropped greatly due to the additional movement noise introduced to the sensors that resulted in only 20% of PINs and 40% of patterns guessed.  They also mention the possibility of utilizing machine learning to determine text-based passwords as well, but mention no collected data against it.

I suspect long key presses for alternate characters may be difficult to decipher from the accelerometer data, but they do briefly mention key permutations (each key having multiple values from long presses), which increases the number of guesses required to get a four number PIN combination. If one were to use a very complicated password or random characters you could make it highly unlikely to guess your password using this method. Of course, you would also be spending the bulk of your time on your Smartphone entering an unlock password.

Another possible solution is to change the orientation of your phone (i.e. holding it wrong). Since Dr. Aviv’s team is only reading the accelerometer values and not the gyroscope values, which track pitch and roll of your phone, one could throw their data off. If they accounted for this circumstance and polled the gyroscope to determine orientation values while polling the accelerometer, the data sets would be much more complex as a result.

So clearly the best response to this type of attack method is to boogie down, run, jump, etc. while unlocking your phone. Personally, I’m working on some sick dubstep and James Brown moves to go along with my android unlock pattern that should make it near unreadable.

 

In the News

Here are three security articles we found rather interesting this week.

Researcher Wows Black Hat with NFC-based Smartphone Hacking Demo (CIO)

Accuvant Labs researcher Charlie Miller has figured out how to break into the Google/Samsung Nexus S and the Nokia 9 smartphones by using Near Field Communication (NFC).

I can read all the files, said Miller about how he managed to break into the Nokia 9 when his home-made NFC-based device is in very close proximity to the targeted smartphone. I can make phone calls, too. Vulnerabilities he identified in the Android-powered Nexus S were located in the browser surface, he said.


The truth behind those Nigerian 419 scammers
 (TechRepublic)

419 Advanced Fee Fraud (also known as the Nigerian 419 scam) is still being used quite frequently to steal money from gullible victims via fraudulent emails. But are these emails really coming from Nigeria, or are they perpetrated by attackers from other countries?

Researchers from the University of Ibadan found the following IP locations within 400 scam emails tested:

The Wisconsin Department of Revenue: A Bargain for the Identity Theft Collective (The Huffington Post)

Adam Levin of Credit.com wrote an interesting story documenting Wisconsin’s complete inability to secure public information.

Last week, the Wisconsin Department of Revenue revealed that it had accidentally made public 110,795 Social Security numbers and tax ID numbers of Wisconsin residents. The numbers were mistakenly embedded in a real estate report and posted to the department’s website for almost three months before being removed.

This is the fourth time since 2006 that Wisconsin state agencies have been involved in the public release of Social Security numbers.

 

May Updates and Patch Report: Part 2

It’s interesting how you can go through an entire week of work and think that nothing significant happened in the security world. Now that I am trying to write these updates on a weekly basis, I’m paying a bit closer attention. While we won’t have huge patch-focused updates unless it’s the same week as a patch release, it doesn’t mean nothing has been going on. So, without further ado here are this week’s updates and patch report. If you missed last week’s, read it here.

 

Microsoft

EMET 3.0 has been released. What is EMET you ask?

EMET stands for “Enhanced Mitigation Experience Toolkit” and is basically a tool that allows you to protect Windows applications from attack. We’re used to applying patches for things like this, but sometimes a problem is more complex than people think and patches are a long time coming. EMET allows you to shift from a reactive to a proactive stance. This is a different way of protecting your systems and will take some work to get started. However, if your operational guidelines have matured to the point you have identified allowed applications and are either using application control or imaging, this can provide a nice additional layer of protection. With this new version, you can also identify attempts to exploit vulnerabilities, which can give you preliminary warnings of attack.

 

Google

Google has released a new version of Chrome. This new version adds a few features and patches several security bugs. If you are running Chrome, it should have automatically updated. If you want to verify the update has gone through, go to Tools->About and make sure you’re running version 19 or higher.

 

Apple

Apple has released a new version of QuickTime. This version patches seventeen problems and affects the application on both Windows and OSX. If you use it, patch it.  Details are here.

 

Android

Trail of Bits published an interesting article on the relative security merits of Android versus iOS. The heart of their argument is Android phones aren’t updated as often as the iPhone and the Android marketplace is more flexible and this brings additional malware risk.

While this is true, it is also true the reduction of controls allows for faster development. Additionally, the deployment of Android updates is the job of the carrier, not of Google. Blaming Google for the carriers’ unwillingness to deploy updates to older phones is, I think, unfair. The real problem is carriers make more money when people buy new phones, so the longer they support the old phones, the less money they make. Apple has embraced this economic reality by convincing people to throw away their devices and buy new ones every year or so.

So here’s the truth.  If you are concerned about malware you have three options:

1) Use iOS and trust Apple to protect you. Do not jailbreak anything and live with what you get.

2) Use Android and run an anti-malware agent. I like Sophos Mobile Security (beta) and Lookout. On my phone, at least, they even seem to play well together. Don’t install apps willy-nilly.

3) Use Android, run an anti-malware agent (as above), root it and install firewall and adblockers. This makes you more vulnerable to malware, but gives you additional protection to (somewhat) make up for it. Optionally install your own ROM.

You do have to be more vigilant, but if that’s not a problem for you, you can actually get a more secure device than you can with IOS, as you are in charge of your updates and you don’t have to wait for it to fit within a company’s lifecycle.

 

sudo

A very interesting bug in sudo was discovered. There’s no point in my describing it here, as they did such a good job on Sophos Naked Security. Definitely go there and read about it.

 

RealPlayer

RealPlayer has a brand new update. It patches three vulnerabilities in different levels of the product. However, the fourth vulnerability “why are people still using RealPlayer?” remains unpatched. :)

Apply the fix or remove the software.  The latter is generally a better choice.

 

HULK

A new denial of service tool is out. Known as the HTTP Unbearable Load King or “HULK,” it is different in that it takes greater care to make sure requests are unique. With a traditional DDoS tool, you can often find a traffic pattern to filter out and mitigate the attack. However, the more different each request is from one another, the harder this is to do. This tool raises the bar for DDoS protection.

If you are running a DDoS protection tool, take a look at the tool and check it against your protection system.  If it bypasses it, complain to your vendor so they fix the problem.

If you are not running a DDoS protection tool and are comfortable accepting the DDoS risk, just sit back and chuckle over the fact the most stealthy DDoS tool is known as The HULK.

 

That’s it for this week.  If you have any questions, please drop us a note.