Linux. Many distributions will benefit from the recent update to NetworkManager. The second update this year, taking the current version up to 1.2, provides many security enhancements over previous releases, including improvements to Wi-Fi, privacy control and software devices amongst the numerous improvements.
Canonical released several patches for Ubuntu operating systems during April, fixing a handful of vulnerabilities, including the one discovered by Venkatesh Pottem in the kernel driver, CXGB3, in 2015.
Microsoft gave us 13 security bulletins during the April Patch Tuesday, six of which were classed by the company as critical. Critical vulnerabilities are addressed in:
- MS16-037 – Internet Explorer has flaws addressed under this cumulative fix.
- MS16-038 rolls up security updates for Microsoft’s Edge browser.
- MS16-039 addresses vulnerabilities in the .NET framework, Office, Skype for Business and Lync.
- MS16-040 deals with Microsoft XML core services.
- MS16-042 fixes four vulnerabilities in Office.
- MS16-050 closes holes in Adobe Flash Player, more on that later.
These are just the critical updates. The remaining seven important updates in MS16-041, 044, 045, 046, 047, 048 and 049 should also be addressed as soon as possible.
Apple launched iOS 9.3.1 early in April to address a number of security flaws in iOS 9.3. The release of 9.3.1, whilst fixing issues in prior versions of iOS, introduced a brand new threat to users. Both fingerprint and PIN security in the lock screen could be bypassed through Siri, allowing access to contacts and photos. Apple quickly fixed the issue through some server-side patching so no further iOS update is required by users.
If any of you still have QuickTime on your Windows PCs, now is the time to remove it. Apple issued the very last update in January, essentially limiting the damage that could be suffered by those who are still using the unsupported software, but no further support for the software will be available from Apple.
Adobe. Regular readers of this section will note that every edition of this column for the past year has contained information on critical updates to Adobe’s Flash suite of products. This edition is no different with a number of critical vulnerabilities to Flash Player being identified during April. For those of you that have not yet done so, my strong recommendation to you would be to give up on this technology and stop using it (disable the plugin) rather than run the continuous gauntlet of risk from continuing with the product.
Network and hardware
Cisco’s new range of FirePOWER firewalls and ASA firewalls with FirePOWER Services were found to be vulnerable to attackers bypassing malicious file detection or blocking policies using crafted fields in HTTP headers, allowing malware to pass through the system undetected. Cisco has software updates for the affected systems as well as an update for its Snort IDS, which also suffers from the same problem. More information on the vulnerability and also the updates can be found via CVE-2016-1345.
Further vulnerabilities were also disclosed in ASA software version 9.4.1. The vulnerability in the DHCPv6 relay feature of the firewalls could lead to a denial-of-service attack on the devices, not a great thing to happen within the security perimeter of your organisation.
Cisco has also released patches fixing a number of vulnerabilities in its Wireless LAN Controller (WLC) Software, the most serious of which would allow an attacker to remotely take down the devices through a buffer overflow attack via HTTP, potentially even gaining root access to the devices. Fixes to flaws in the way the devices manage traffic through Bonjour task manager and the management interface of the devices have also been addressed by the software update.
Juniper has completed a code review of its Junos OS after a backdoor was found in the switching, routing and security device operating system in December last year. The code review has confirmed that no further backdoors are in the operating system, and has unearthed a number of bugs and further vulnerabilities across a broad range of its product suite. Patches are available for all issues that have been discovered and really should be applied by your system administrators as soon as possible.
Many companies in the iGaming sector will use the services of cloud-based security providers for DNS redirection services in an attempt to protect their sites against distributed denial-of-service attacks. By following the strategy of ‘security through obscurity’, the concept is to hide from DDoS attacks by masking the IP address of critical publicly facing servers through DNS redirection. DNS redirection is commonly implemented by companies through renting the service from third party cloud-based providers, a strategy that has been reasonably successful as part of a multifaceted approach to defeating the threat of a DDoS attack.
For companies that use DNS redirection as the sole protection against attacks, it may be time to rethink that strategy. A new tool, CloudPiercer, has been developed following a paper released by researchers Thomas Vissers, Tom Van Goethem, Wouter Joosen and Nick Nikiforakis of Stony Brook University’s Department of Computer Science. CloudPiercer is able to find the real IP address of over 70% of all sites tested. The tool is free to use by both your sys admins, and also any potential attacker, so my advice would be to both test your sites and also your strategy if DNS redirect is your sole or primary protection against DDoS attacks.
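The practical check behind the advice above is to look at your own DNS zone for records that bypass the protection provider and point straight at an origin address. The script below is an added example, not part of the column, the CloudPiercer tool or the paper it is based on. It takes a constructed zone (placeholder names and documentation-range addresses) and an assumed list of the provider's address ranges, and reports every A/AAAA record that resolves outside those ranges, together with the MX or CNAME records that lead to it.

```python
import ipaddress
from collections import defaultdict

# Assumption: the address ranges your DDoS-protection provider announces.
# These are documentation ranges used as placeholders, not any real provider's.
PROVIDER_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]

# Constructed sample zone as (owner name, record type, value) tuples.
# www and the apex sit behind the provider; mail and dev do not.
SAMPLE_ZONE = [
    ("www.example.com.", "A", "203.0.113.10"),
    ("example.com.", "A", "203.0.113.11"),
    ("example.com.", "MX", "10 mail.example.com."),
    ("mail.example.com.", "A", "198.51.100.25"),
    ("dev.example.com.", "A", "198.51.100.40"),
    ("dev.example.com.", "AAAA", "2001:db8:ffff::1"),
    ("cdn.example.com.", "CNAME", "www.example.com."),
    ("_acme-challenge.example.com.", "TXT", "constructed-verification-token"),
]


def is_protected(address, provider_ranges):
    """True if the address lies inside one of the provider's ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in provider_ranges)


def audit_zone(records, provider_ranges):
    """Return address records that resolve outside the provider's ranges.

    Each finding carries the owner name, the record type, the exposed address
    and the MX/CNAME records that point at that name, so an operator can see
    whether a leaked address is reached through a side service (mail, dev
    host) that may share a machine with the protected web origin.
    """
    referrers = defaultdict(list)
    for name, rdtype, value in records:
        if rdtype in ("MX", "CNAME"):
            # MX values carry a preference ("10 mail.example.com."); take the host.
            target = value.split()[-1]
            referrers[target].append(f"{name} {rdtype}")

    findings = []
    for name, rdtype, value in records:
        if rdtype not in ("A", "AAAA"):
            continue
        if is_protected(value, provider_ranges):
            continue
        findings.append({
            "name": name,
            "type": rdtype,
            "address": value,
            "referenced_by": sorted(referrers.get(name, [])),
        })
    return findings


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE, PROVIDER_RANGES):
        via = ", ".join(f["referenced_by"]) or "direct"
        print(f"{f['name']:32} {f['type']:5} {f['address']:20} via {via}")
```

Records flagged by the audit are the ones to move behind the provider, host elsewhere, or firewall so the origin only accepts web traffic from the provider's ranges; an origin that answers directly to anyone is exposed regardless of what DNS says.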
TeslaCrypt has received an update to version 4.1A. The latest version of this rapidly evolving piece of ransomware makes detection and removal of the malware more difficult, with ‘improvements’ in the way the code resists malware detection and in its obfuscation, as well as enhanced anti-evasion, anti-monitoring and anti-debugging features.
GozNym is a new and deadly fusion of the Gozi ISFB and Nymaim Trojans, combining the online banking Trojan functionality of Gozi ISFB with the ransomware features of the Nymaim Trojan. GozNym is wreaking havoc largely among North American users. The hybrid Trojan can be picked up through falling victim to phishing attacks as well as through infected advertisements placed on high-traffic websites.
Jigsaw. Another in the latest run of ransomware attacks was unleashed into the wild at the end of March. Although not a sophisticated piece of malware, being written in .NET, it ups the ante on other ransomware attacks by threatening to delete an increasing number of files as the clock ticks down on the payment of the bitcoin ransom.
HummingBad, the Android rootkit discovered earlier this year, has been rapidly infecting Android mobile devices. According to a recent release by Check Point, HummingBad now features in the top ten most common malware attacks.
In the news
The Investigatory Powers Bill got its second outing on 1st March, progressing it through the political process ahead of a vote likely to happen before the end of April. Tech companies from all quarters remain highly critical of the proposed Bill, both in terms of its wide-ranging powers and impracticality in managing the harvesting of data required by the Bill. Although the Bill includes some 83 amendments since its last outing in late 2015, the industry’s broad reaction to the changes is that they are largely cosmetic and do not address the fears surrounding the bulk collection of data.
Data Protection rules have been given final approval by the EU. Member states will have two years to implement the major overhaul to the current 1995 data protection provisions. All the well-documented features – including the right to be forgotten, fines of up to 4% of global turnover if in breach and the need for a Data Protection Officer for firms over a certain size – have made it into the final draft of the EU-wide legislation (see p15 for more detail).
Interestingly, the European Parliament press release includes the line: “Due to UK and Ireland’s special status regarding justice and home affairs legislation, the directive’s provisions will only apply in these countries to a limited extent”. We will have to see which elements of the law apply to the UK and Ireland. Similarly, the recently agreed EU-U.S. Privacy Shield, the successor to the Safe Harbor agreement, may need to be reviewed in the context of the new Data Protection framework.
Apple appears to have been let off the hook by the FBI, who have dropped their case forcing them to provide a backdoor to the San Bernardino shooting suspect’s phone. The FBI claim a third party has provided them with a method to access information on the phone, bypassing Apple security. In a similar case involving a drug dealer’s phone in New York, the government have dropped the case against Apple, claiming that ‘a third party’ has provided them with the passcode to the suspect’s iPhone 5s.
This is not a problem that is going to go away, however, as various agencies have well over 1,000 iPhones that have been seized as evidence.
Google’s Android is facing similar EU scrutiny to Microsoft’s antitrust cases brought by the EU over the last decade and a half. The EU complaint focuses on the basis that Google favours its own apps such as Google Maps, and indeed its own search engine, on the Android mobile ecosystem. With Android being the OS of choice for some 80% of the European smartphone market, the EU is claiming that Google is acting in an anticompetitive manner by suggesting to mobile manufacturers that these features, along with the Google Play store, are installed by default on their devices.
The U.S. has threatened to follow Europe in its stance against the software giant, with the FTC looking at similar antitrust measures. On the plus side for Google, Microsoft have withdrawn their regulatory complaints against the company in the EU, and indeed the rest of the world.
Keep safe, apply patches and update your software, always!