Dozens of rogue self-signed SSL certificates used to impersonate high-profile sites

February 13, 2014 – 5:40 PM

Dozens of self-signed SSL certificates created to impersonate banking, e-commerce and social networking websites have been found on the Web. The certificates don’t pose a big threat to browser users, but could be used to launch man-in-the-middle attacks against users of many mobile apps, according to researchers from Internet services firm Netcraft who found the certificates.

“The fake certificates bear common names (CNs) which match the hostnames of their targets (e.g. www.facebook.com),” the Netcraft researchers said Wednesday in a blog post. “As the certificates are not signed by trusted certificate authorities, none will be regarded as valid by mainstream web browser software; however, an increasing amount of online banking traffic now originates from apps and other non-browser software which may fail to adequately check the validity of SSL certificates.”

Among the self-signed certificates found by Netcraft were certificates for domain names belonging to Facebook, Google, Apple, Russian bank Svyaznoy and large Russian payment services provider Qiwi.ru.

If an application doesn’t properly validate the authenticity of certificates it encounters, attackers can use self-signed certificates that are not issued by legitimate certificate authorities (CAs) to launch man-in-the-middle attacks against that application’s users.

Such attacks involve intercepting the connections between targeted users and SSL-enabled services and re-encrypting the traffic with fake or forged certificates. Unless victims manually check the certificate details, which is not easy to do in mobile apps, they would have no idea that they’re not communicating directly with the intended site.

In order to pull off man-in-the-middle attacks, hackers need to gain a position that would allow them to intercept traffic. This is relatively easy to do on wireless networks using techniques like ARP spoofing, but can also be done by compromising a router or by hijacking the victim’s DNS settings.
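An added Go example (my own, not Netcraft's code or any app's) that makes the validation gap concrete: it builds a constructed self-signed certificate for www.facebook.com, shows that a CN-only comparison accepts it, and shows that standard chain verification against the system trust store rejects it. The function names are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeSelfSigned constructs a self-signed certificate whose CN and SAN match
// the target hostname, the shape of the rogue certificates Netcraft found.
// The template is also the parent, so issuer == subject and the certificate
// is signed with its own key.
func makeSelfSigned(host string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// weakCheck is the flawed app-side check: CN equals hostname and nothing else,
// so any self-signed certificate issued for the right name is accepted.
func weakCheck(cert *x509.Certificate, host string) bool {
	return cert.Subject.CommonName == host
}

// properCheck builds a chain to the trust store and checks the hostname.
// roots == nil means the system CA store, which is what an app should use;
// a self-signed certificate fails here because no trusted CA signed it.
func properCheck(cert *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
```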

Source:
http://www.networkworld.com/news/2014/021314-dozens-of-rogue-self-signed-ssl-278753.html?source=nww_rss

Anti-theft Software Could Be Attackers’ Conduit to Millions of PCs

February 13, 2014 – 5:34 PM

A useful cyber-defensive utility can be turned into a powerful tool for cyber-attackers in the form of full access to millions of users’ computers, according to research from Kaspersky Lab regarding an element of Absolute Software’s anti-theft software.

The focus of the Kaspersky research was the Absolute Computrace agent that resides in the firmware, or PC ROM Basic Input/Output System (BIOS), of modern laptops and desktops. It is a key part of how products like Absolute’s LoJack offering trace endpoints in case of loss or theft. But the firm decided to look into it after the Computrace agent was found running, without prior authorization, on several private computers of Kaspersky Lab’s researchers and on corporate computers.

While Computrace is a legitimate product developed by Absolute Software, signs point to a bad actor potentially using it to infiltrate a wide range of systems. Some owners of those systems examined by Kaspersky claimed that they had never installed, activated or had ever known about this software on their machines.

The software has traits that would be attractive to hackers, Kaspersky said. For instance, while most traditional pre-installed software packages can be permanently removed or disabled by the user, Computrace is designed to survive professional system cleanup and even hard disk replacement. It also has a bag of tricks that are popular in modern malware – for example, anti-debugging and anti-reverse engineering techniques, injection into the memory of other processes, establishment of secret communications, patching system files on disk, keeping configuration files encrypted and dropping a Windows executable right from the BIOS/firmware.

Source:
http://www.infosecurity-magazine.com/view/36915/antitheft-software-could-be-attackers-conduit-to-millions-of-pcs/

New IE Zero-Day Found in Watering Hole Attack

February 13, 2014 – 5:29 PM

FireEye Labs has identified a new Internet Explorer (IE) zero-day exploit hosted on a breached website based in the U.S. It’s a brand new zero-day that targets IE 10 users visiting the compromised website – a classic drive-by download attack. Upon successful exploitation, this zero-day attack will download an XOR-encoded payload from a remote server, decode and execute it.

This post was intended to serve as a warning to the general public. We are collaborating with the Microsoft Security team on research activities. We will continue to update this blog as new information about this threat is found.

Source:
http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/new-ie-zero-day-found-in-watering-hole-attack-2.html

Private photos exposed in Instagram hack

February 11, 2014 – 4:34 AM

Private profiles of Instagram users could be made public as a result of a vulnerability that took almost six months to fix.

The flaw would have enabled hackers to change privacy settings within user profiles to expose potentially sensitive photos to the internet, or to lock down popular pages by marking them as private.

The attack was launched by a malicious phishing link that exploited a Cross Site Request Forgery (CSRF) flaw, a common vulnerability described as “the worst kind of vulnerability [because they are] very easy to exploit by attackers, yet not so intuitively easy to understand for software developers”.

The flaws occur when websites fail to check that sensitive actions – like changing Instagram privacy settings – were actually sent from the authenticated user; instead, most websites just check that the action came from the user’s browser.

The approach is risky because browsers can run code from multiple sites, opening the possibility that an action could have been quietly made from a second website and not the user.

Such a case occurred with Instagram’s mobile app version, white hat hacker Christian Lopez Martin found. “A successful CSRF exploitation could compromise end user data (photos and personal information) by making public [their] Instagram profile,” Martin said in a blog.

“It is important to mention that the vulnerability was completely effective in a real scenario [because] Instagram didn’t implement either CSRF security tokens or the checks that detect if the user-agent came from the mobile app.”
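An added Go example, not Instagram's or Martin's code, showing the missing check described above: a privacy-setting endpoint that accepts any request carrying the session cookie, beside the same endpoint hardened with a per-session CSRF token. The handler, the /privacy route and the in-memory session store are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sessions: session cookie -> CSRF token (in-memory store built for this demo).
var sessions = map[string]string{}

// login creates a session and its token; a real app embeds the token only in
// its own forms, so a page on another origin cannot read it.
func login() (session, token string) {
	b := make([]byte, 32)
	rand.Read(b)
	session, token = hex.EncodeToString(b[:16]), hex.EncodeToString(b[16:])
	sessions[session] = token
	return session, token
}

// setPrivacy: checkToken=false is the flawed endpoint (the cookie alone
// authorizes the change), checkToken=true is the hardened one.
func setPrivacy(checkToken bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("session")
		if err != nil || sessions[c.Value] == "" {
			http.Error(w, "not logged in", http.StatusUnauthorized)
			return
		}
		want, got := []byte(sessions[c.Value]), []byte(r.FormValue("csrf_token"))
		if checkToken && subtle.ConstantTimeCompare(want, got) != 1 {
			http.Error(w, "missing or wrong csrf token", http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "privacy set to %s", r.FormValue("privacy"))
	}
}

// post submits a form with the victim's session cookie attached, which the
// browser does whether the user or a page on another site triggered it.
func post(h http.HandlerFunc, session, body string) int {
	req := httptest.NewRequest("POST", "/privacy", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.AddCookie(&http.Cookie{Name: "session", Value: session})
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}
```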

Source:
http://www.itnews.com.au/News/372002,private-photos-exposed-in-instagram-hack.aspx

Cybercriminals compromise home routers to attack online banking users

February 7, 2014 – 4:14 PM

Attacks recently observed in Poland involved cybercriminals hacking into home routers and changing their DNS settings so they can intercept user connections to online banking sites.

Researchers from the Polish Computer Emergency Response Team (CERT Polska) believe attackers will likely target users from other countries as well in the future using similar techniques.

“The attack is possible due to several vulnerabilities in home routers that make DNS configuration susceptible to unauthorized remote modifications,” the Polish CERT researchers said Thursday in a blog post. “In the resulting man-in-the-middle attack content of several e-banking websites was altered to include JavaScript injects that tricked users into giving up their usernames, passwords and TANs [transaction authentication numbers]. Effectively, money is stolen from users’ bank accounts.”

Unless intentionally configured otherwise, devices connected to a local network will typically use the DNS server provided by the network’s router to resolve domain names to IP (Internet Protocol) addresses. If attackers compromise the router and configure it to use a DNS server under their control, they can respond with rogue IP addresses to DNS queries for the domain names they wish to target.

In the recent attacks in Poland, the hackers used a DNS server that responded with rogue IP addresses for the domain names of five Polish banks. Those IP addresses corresponded to a server that acted as a proxy, providing attackers with a man-in-the-middle position to intercept, inspect and modify traffic between users and the online banking websites they wanted to target.

The problem for the hackers was that those sites used HTTPS — HTTP with SSL encryption — making it impossible to impersonate them without a valid digital certificate issued by a certificate authority. Because of this, they decided to use a less sophisticated technique known as SSL stripping.
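SSL stripping only works while the victim's browser is still willing to send a plain-HTTP request that the proxy can intercept. An added Go example (my own, not from CERT Polska's analysis) of the server-side countermeasure: refuse plain HTTP with a redirect and send an HSTS header so the browser stops making http:// requests to the bank at all; bank.example and the login handler are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// enforceHTTPS refuses to serve content over plain HTTP and, on HTTPS
// responses, sets HSTS so the browser itself upgrades future requests.
func enforceHTTPS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			// A stripping proxy relaying the victim's plain-HTTP request gets
			// back only a redirect, never the login page it wanted to rewrite.
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		// One year, all subdomains: once a browser has seen this over HTTPS it
		// no longer sends http:// requests to the host, so there is nothing to strip.
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

// probe replays a GET for the absolute URL against the wrapped bank login
// handler; httptest marks the request as TLS when the scheme is https.
func probe(target string) (code int, location, hsts string) {
	login := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "login page")
	})
	req := httptest.NewRequest("GET", target, nil)
	rec := httptest.NewRecorder()
	enforceHTTPS(login).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location"), rec.Header().Get("Strict-Transport-Security")
}

func main() {
	fmt.Println(probe("http://bank.example/login"))
	fmt.Println(probe("https://bank.example/login"))
}
```

The header only protects browsers that have already visited the site over HTTPS (or have it in the HSTS preload list), so it should be combined with serving the site exclusively over HTTPS from the start.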

Source:
http://www.csoonline.com/article/747957/cybercriminals-compromise-home-routers-to-attack-online-banking-users?source=rss_news