Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
Basically, this means you are open to a man-in-the-middle (MITM) attack. Engineers at CrowdStrike (see this post) describe the vulnerability and the attack method.
To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake. This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).
This has NOT been patched for OS X, which also has this vulnerability, so Mac users are still at risk until Apple issues a patch.
You can check gotofail.com to see if your device is vulnerable. I checked my MacBook Pro with both Safari and Google Chrome. Safari is vulnerable, Chrome is not, so I suggest you not use Safari on your Mac until after Apple issues the patch.
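To show how one stray line can skip a validation step, here is an added example (not Apple's code and not part of the original post) modeling the duplicated `goto fail;` statement that gave the bug its name. The `kx_msg` struct, the toy hash and `toy_sign` are assumptions made for illustration only.

```c
#include <stdio.h>

/* Constructed model of a signed key-exchange message (not Apple's types). */
struct kx_msg { const char *params; unsigned signature; };

/* Toy stand-ins (assumptions): real stacks use SHA-1/SHA-256 and RSA/ECDSA. */
static int hash_update(unsigned *h, const char *s) {
    for (; *s; s++) *h = *h * 31u + (unsigned char)*s;
    return 0;                                   /* 0 means success */
}
unsigned toy_sign(const char *nonce, const char *params) {
    unsigned h = 17;
    hash_update(&h, nonce);
    hash_update(&h, params);
    return h ^ 0x5a5a5a5au;                     /* fixed constant as the "key" */
}
static int check_signature(unsigned h, unsigned sig) {
    return (h ^ 0x5a5a5a5au) == sig ? 0 : -1;
}

/* Flawed: a stray, unguarded goto leaves with err == 0 before the check. */
int verify_flawed(const struct kx_msg *m, const char *nonce) {
    int err;
    unsigned h = 17;
    if ((err = hash_update(&h, nonce)) != 0)
        goto fail;
    if ((err = hash_update(&h, m->params)) != 0)
        goto fail;
    goto fail;                                  /* duplicated line, always taken */
    err = check_signature(h, m->signature);     /* never reached */
fail:
    return err;
}

/* Restored: braces on every branch, and the signature check always runs. */
int verify_fixed(const struct kx_msg *m, const char *nonce) {
    int err;
    unsigned h = 17;
    if ((err = hash_update(&h, nonce)) != 0) { goto fail; }
    if ((err = hash_update(&h, m->params)) != 0) { goto fail; }
    err = check_signature(h, m->signature);
fail:
    return err;
}

int main(void) {
    struct kx_msg forged = { "params", toy_sign("nonce", "params") ^ 1u };
    printf("flawed accepts bad signature: %d\n", verify_flawed(&forged, "nonce") == 0);
    printf("fixed accepts bad signature:  %d\n", verify_fixed(&forged, "nonce") == 0);
    return 0;
}
```

Because the flawed routine returns "success" without ever comparing the signature, code review and compiler warnings for unreachable code are the practical ways to catch this class of mistake.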
This update covers vulnerabilities numbered CVE-2014-0498, CVE-2014-0499 and CVE-2014-0502 if you care to look them up. The last one is known to have been exploited in the wild and the other two are being patched as a precautionary measure. Adobe’s next update isn’t due until April.
In all fairness, it’s not just Adobe that frustrates me; any software company that puts out a product full of holes is responsible. The current production model:
- Slap together a product
- Run superficial testing
- Release to the public (and hackers) for real-world testing
- Fix the vulnerabilities they should have caught in the lab
This just doesn’t work anymore if, in fact, it ever did.
C’mon, people. ALL of you get your acts together.
My hacking skill challenges are still very popular posts, particularly Hacking Skills Challenge – Level 7, so I’m going to pick them back up. Since I have previously presented all 11 of the basic challenges from HackThisSite.org, let’s move on to some realistic ones. Here’s the description from the site for the first Realistic Challenge:
Uncle Arnold’s Local Band Review
Your friend is being cheated out of hundreds of dollars. Help him make things even again! Difficulty rating: Easy.
The challenge is for you to hack a band review site and move your friend’s band, Raging Inferno to the top of the list.
Hints: 1. You’re going to need some way to edit the page “live;” and, 2. There are some numerical values you will need to change.
Give it a try and post your results in the comments. I’ll present the solution in a future post.
This will be short and sweet.
It’s bad, you know.
I’m fed up. Through with it. Officially done. Permanently withdrawn.
Don’t try to talk me out of this because it won’t work; don’t try to talk me into something else, either, because that won’t work…um, either. Neither will I be seduced by the lure of unlimited knowledge that I will supposedly be abandoning.
If I listen to all the pundits, everything I think, do or say is monitored by the NSA, FBI, CIA, IRS, local police, my wife, children and the next-door neighbor–and probably anyone with that nifty little program that turns my laptop camera and microphone on without my knowledge.
I can have no secrets. Even that blemish I’m picking at as I stare in my bathroom mirror is probably being broken down into packets, transmitted around the world and filed in multiple redundant databases just waiting for the day when I am busted for possession of galena crystals and used paper towel rolls (these can be used to build clandestine radio receivers, you know).
I can hear the neighbors now: “He was so nice. I never thought he was capable of such things. But, he had a blemish, you know!”
I can’t take it anymore, this steady stream of bad news about surveillance states and how we have no privacy. I’m disconnecting from the bad news. Every site that publishes such bad news goes on my black list.
That’s it! No more! I quit!
[Until I change my mind]
Well, it’s not getting any better out there. People are still using idiotic, easy-to-guess passwords despite the advice of every security wonk out there, including me. But “password” is no longer the top most idiotic password: It has been replaced by “123456.”
SplashData, which makes password management applications, has released its 2013 list of the 25 worst passwords based on files containing millions of stolen passwords posted online in the last year. “123456” now tops “password,” which normally leads the round-up. (Read more: Worst Passwords Top 25 of 2013 | TIME.com http://newsfeed.time.com/2014/01/20/the-25-worst-passwords-of-2013/#ixzz2rWcFRY6r)
Here’s the list:
From Sophos (full Press Release here):
Cybercriminals are smarter, and malware is stealthier and more dangerous than ever before. We currently see more than 250,000 unique samples of malware every day. The bad guys are constantly moving. Can you keep up?
Our Security Threat Report 2014 explains how the threats are changing, and shows you how Sophos is working to stay ahead of them. Download the report today to get the best threat intelligence in the industry from our SophosLabs experts. You’ll be smarter, and better prepared for the threats of tomorrow.
Highly recommended. Download the report here.
One of the latest tricks in the cyber-criminals’ bags is an email with the subject (it varies), “Death and Funeral Announcement.” Now, what normal person would see that and NOT open it? I know I did. What I DIDN’T do, of course, was click the link, which pointed to a site <domain name>.be. Here’s the text:
For this unprecedented event, we offer our deepest prayers of condolence and invite to you to be present at the celebration of your friends [sic] life service on Thursday, January 22, 2014 that will take place at Eubank Funeral Home at 11:00 a.m. Please find invitation and more detailed information about the farewell ceremony here . Best wishes and prayers, Funeral home receptionist, William Mccarty
After a few seconds of oh-my-god-who-died, I re-read the email, spotted the obvious bad grammar and realized this was a scam. Researching led me to discover that the link target delivers a Trojan. I also looked at the headers and found the originator was at IP address 18.104.22.168 (lookup tool) which has these attributes:
And that is enough to confirm that I certainly don’t want whatever they have!
In How to stay (relatively) secure with XP at the end of support – Part 1, I recommended that you ditch IE 8 for Chrome or Firefox for web surfing and promised to provide even more advice. In this post, I give you several more ways to operate with Windows XP in a relatively safe manner after the end of support.
Microsoft has extended its anti-malware protection for Windows XP until July 15, 2015 (see Anti-malware protection for Windows XP extended to July, 2015), and Malwarebytes Anti-malware is likely to support Windows XP for several years to come. So, the first thing to do is make sure you keep both of these programs updated. Windows Secrets has this to say:
Keeping your antivirus software up to date is always important, but even more so with Windows XP. My preferred AV setup is a combination of Microsoft Security Essentials (site) and Malwarebytes’ Anti-Malware (site)
It’s also a good idea to run periodic scans using an offline rescue disk such as Sophos’ Bootable Anti Virus to detect and remove rootkits and stealthy malware.
Naturally, you’ll want to make sure that your XP box is sitting behind a NAT router and make sure your Windows Firewall is active and properly configured.
While you’re at it, why not just disable web browsing entirely? You can still keep your XP box accessible to your local network and use it for file sharing and those special apps, it just won’t be able to reach the internet. Here’s how:
Adding the OpenDNS settings to your router extends Web filtering to all devices on the local net. The process is relatively simple: open the router’s admin menu system and enter 22.214.171.124 and 126.96.36.199 (these are OpenDNS’s IP addresses) into the router’s DNS section.
And finally, keep any third-party applications that continue to support XP up to date. Many vendors will probably move on, but there will be those who continue to support XP well into the future. Take advantage of their efforts by applying patches as they become available.
With the Windows XP end of support date of April 8, 2014 looming on the horizon, many of us have wondered what would happen with anti-malware software. The good news is that Microsoft recently announced they have extended their anti-malware protection for XP: “To help organizations complete their migrations, Microsoft will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015.”
What does this mean, exactly?
For enterprise customers, this applies to System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection and Windows Intune running on Windows XP. For consumers, this applies to Microsoft Security Essentials.
So, despite no more security patches after April 8, we’ll still have some protection; we won’t be running naked. Still, that doesn’t mean we can just go on whistling past the graveyard. Microsoft warns:
Our research shows that the effectiveness of antimalware solutions on out-of-support operating systems is limited. Running a well-protected solution starts with using modern software and hardware designed to help protect against today’s threat landscape.
Microsoft recommends best practices to protect your PC such as:
- Using modern software that has advanced security technologies and is supported with regular security updates,
- Regularly applying security updates for all software installed,
- Running up-to-date anti-virus software.
By the way, my other favorite product, Malwarebytes Anti-malware, will continue to support XP indefinitely: “MBAM 1.75 supports XP (obviously :P) and 2.0 which is currently in testing also supports XP. Our other tools and products like MBAR, MBAE etc. also support XP and we have no plans on changing that. We know that a lot of people will continue to use XP for some time so we’ll continue to offer products and tools to help secure those systems for as long as we can.”
Thanks to everyone who read my ruminations here in 2013. May you Flourish and Prosper in 2014.