Information security round-up
iGaming Business’ Technical Editor Justin Bellinger looks at new powers relating to government security and a potential “gotcha” for iPhone users, as well as rounding up the latest software, network, DDoS and malware exploits and patches.
Software
Linux. Perception Point have discovered a new zero-day exploit that can allow a user to escalate privileges to root on both Linux boxes and Android phones; an attacker who gets root can delete files and install software. It affects Android KitKat and Linux kernel 3.8 and higher. Threat actors have not yet been detected using the exploit. However, that is exactly the value of a zero-day, so keep your eyes peeled for updates for your devices and servers.
A more present threat exists in Linux DNS, specifically the DNS client resolver in glibc versions 2.9 and higher. DNS client-side resolvers using this library may be exploited by remote attackers, allowing them to execute code on the target device.
Again, the threat may well extend to mobile phones and tablets as well as other UNIX-based systems. Many major distributions have already released a patch fixing the vulnerability, so please check.
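As an added example (not part of the original article), the following POSIX shell script does the "please check" step on a Linux host: it reads the installed glibc version from `ldd --version` and reports whether it falls in the range the article names as affected (2.9 and higher). Being in range only means the host needs its distribution's resolver patch confirmed; the script assumes the 2.9 threshold from the article and does not know which vendor package versions carry the fix.

```shell
#!/bin/sh
# Added example: report the local glibc version and flag whether it is in the
# range the article names as affected (>= 2.9). The threshold is taken from
# the article; vendor fix versions are not known to this script.

# Return 0 if dotted version $1 is >= dotted version $2 (major.minor compared
# numerically; any further fields are ignored).
version_ge() {
    a_major=${1%%.*}; a_rest=${1#*.}; [ "$a_rest" = "$1" ] && a_rest=0
    b_major=${2%%.*}; b_rest=${2#*.}; [ "$b_rest" = "$2" ] && b_rest=0
    a_minor=${a_rest%%.*}
    b_minor=${b_rest%%.*}
    if [ "$a_major" -ne "$b_major" ]; then
        [ "$a_major" -gt "$b_major" ]
    else
        [ "$a_minor" -ge "$b_minor" ]
    fi
}

# Return 0 if the given glibc version is in the affected range (2.9 and higher).
glibc_in_affected_range() {
    version_ge "$1" "2.9"
}

# Pull the version number out of the first line of `ldd --version`, which
# looks like "ldd (GNU libc) 2.23" or "ldd (Ubuntu GLIBC 2.23-0ubuntu3) 2.23".
# Prints nothing if ldd is missing or is not GNU libc's ldd.
detect_glibc_version() {
    ldd --version 2>/dev/null | sed -n '1s/.* \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print a verdict; exit status 1 = in affected range, 2 = undetected, 0 = below range.
report() {
    v=$(detect_glibc_version)
    if [ -z "$v" ]; then
        echo "glibc version not detected (ldd missing or not GNU libc)"
        return 2
    fi
    if glibc_in_affected_range "$v"; then
        echo "glibc $v is in the affected range (>= 2.9): confirm your distribution's resolver patch is installed"
        return 1
    fi
    echo "glibc $v is below 2.9: outside the range the advisory names"
    return 0
}

# The exit status is informational; '|| :' keeps a calling script with 'set -e' alive.
report || :
```

Run it on each Linux host (or via your configuration management tool) and treat status 1 as "verify the patched package is installed", not as proof of compromise; a host reporting status 2 is not necessarily safe, it simply is not using GNU libc's `ldd`.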
Microsoft has issued a critical Security Bulletin – MS16-009 – addressing vulnerabilities in Internet Explorer. If a user is logged on with administrative user rights, an attacker exploiting this vulnerability could take full control of the user’s system.
This update is rated as critical for versions of Internet Explorer 9 and 11 running on client PCs.
Apple. OS X El Capitan 10.11.3 has been released, addressing nine flaws in the OS. Six of these are shared with iOS; the update to iOS 9.2.1 addresses those along with a further seven issues in the mobile OS.
Both updates largely centred on memory corruption issues in WebKit that could allow attackers to execute arbitrary code if the victim visited a maliciously crafted website.
An update to Safari, 9.0.3, also addressing issues in WebKit, was released at the same time.
Adobe has released patches for Acrobat and Acrobat Reader addressing critical security flaws that could allow code to be executed after a user opens a specially crafted PDF document. The updates cover Acrobat and Reader versions XI and all DC versions. Older versions of the software are no longer supported, so upgrading to the latest version is advised.
Google has also announced that, from June, it will no longer accept adverts written in Flash. Google aims to totally remove support for Flash adverts by 2017.
Presumably this also goes for Animate CC, Adobe’s new name for Flash, or at least the non-HTML 5 elements designed in Animate CC.
Network and Hardware
Cisco Adaptive Security Appliances (ASAs) had a vulnerability exposed by Exodus Intelligence that could allow a remote attacker to both reload the system (effectively disabling the device) and execute code remotely. The flaw in the Internet Key Exchange (IKE) mechanism of the VPN can be exploited by an attacker sending a specially crafted UDP packet to the device. For many users, Cisco ASAs form an integral (and sometimes sole) part of their cybersecurity defence strategy, so it is essential to get this fixed as soon as possible.
The update and advisory can be found under CVE-2016-1287.
DDoS
Thankfully, no real newsworthy developments from the attackers on the denial of service front. As well as the usual, and constant, attacks on our sector, the Xbox Live service was taken down briefly on 14 Feb. Coincidentally, there were reports of a number of online florists receiving ransom notes on the run-up to Valentine’s Day. Presumably these did not come from the notorious DDoS For Bitcoin group, as a leading member of DD4BC was arrested and several other members of the gang detained by police working on Operation Pleiades during January.
Malware
Android. The latest Trojan threat for Android phone users is a particularly nasty and pervasive piece of malware called MazarBot. The user is presented with an SMS or MMS message containing a link to the malware, specifically an “.apk” file carrying the payload. Once installed, this malware is capable of completely owning the phone, with full root access. The attack broke in Denmark and rapidly spread throughout Europe and the rest of the world, apart from on Android phones set to use the Russian alphabet. After analysing the Trojan, Heimdal Security also found that, as part of the payload, MazarBot sends a text to an Iranian number containing the geographic location of the compromised phone.
iOS. Not strictly malware, but nonetheless a serious problem if you fall foul of a prank doing the rounds among iPhone, iPod and iPad users at the moment. If the user manually sets the date back to Jan 1, 1970, the device will refuse to power on after the next reboot – quite a serious flaw that Apple has yet to address. Pranksters are fooling unsuspecting victims into triggering the bug with the promise of unlocking a retro-themed Easter egg if the date is set back to the start of the 70s. There is no easy fix until Apple releases an iOS update, so if you are unlucky enough to have fallen for the trick your only option is to contact Apple support.
Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) has been updated with support for Windows 10. The EMET update will prove useful to sysadmins, as there have been several enhancements to the functionality for controlling clients. As Microsoft has been steadily embedding EMET functionality in the core OS since Windows Vista, the average user need not be concerned with this update.
Linux. Fysbis: new research released by Palo Alto Networks shows that this modular Trojan does not always require root access to reach sensitive information, increasing the chances of a successful installation through the larger number of available non-root accounts while reducing the chances of detection. Although Fysbis is not the most sophisticated in its construction, Palo Alto researchers warn us that: “Despite the lingering belief (and false sense of security) that Linux inherently yields higher degrees of protection from malicious actors, Linux malware and vulnerabilities do exist and are in use by advanced adversaries”. They also highlight that Linux security has not reached the maturity of other operating systems, a point of note to the many organisations who prefer the cost benefits that open source software provides.
In the news
Once again we hear of further powers being extended to the US and UK governments. In the wake of the San Bernardino tragedy, the FBI is putting Apple under pressure. In the UK, GCHQ have had their long-suspected hacking powers ratified by tribunal.
The Investigatory Powers Tribunal has given GCHQ the green light to continue hacking into computers, phones and IoT devices. Privacy International lost its challenge against GCHQ claiming that the powers extended by the body are too intrusive and break the European Convention on Human Rights. There are no further avenues for Privacy International to explore in UK courts, only leaving recourse to EU courts.
Privacy International graphically highlight the extent of GCHQ’s potential powers: under warrant it is allowed to use both ‘non-persistent’ one-time hacks and ‘persistent’ hacks, where the implanted software is allowed to reside on the target for an extended period of time. Additionally, the IPT has ruled that thematic warrants are another tool GCHQ can use. Privacy International commented: “The IPT has decided that GCHQ can use ‘thematic warrants’, which means GCHQ can hack an entire class of property or persons, such as ‘all phones in Birmingham’. In doing so, it has upended a longstanding English common law principle that such general warrants are unlawful.”
Apple’s plea against US government attempts to obtain a backdoor into iOS devices has been backed by Google and WhatsApp. Following an order by the FBI for Apple to assist in evidence gathering against one of the San Bernardino shooting suspects, a federal magistrate gave Apple until 26th February to either appeal to a higher court or provide a backdoor to the device (and iOS itself) by removing the feature that automatically wipes the phone after 10 failed passcode attempts.
Apple CEO Tim Cook has come out strongly against the “… overreach by the U.S. government” in a public letter voicing concerns on the FBI request. He wrote:
“Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority”.
“The government would have us remove security features and add new capabilities to the operating system, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by ‘brute force’, trying thousands or millions of combinations with the speed of a modern computer.”
“The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.”
Although not unanimous, Tim Cook’s letter has received support from important industry figures. Google Chief Executive Sundar Pichai and Twitter’s Jack Dorsey both tweeted support, while WhatsApp co-founder Jan Koum posted support on Facebook, with further support for Apple being voiced by Edward Snowden and John McAfee.
It seems as though even without the Snooper’s Charter or US equivalent, user privacy remains very much under threat from governments on both sides of the Atlantic.
Keep safe, apply patches and update your software, always!