security news « The FORWARD project blog

Archive for the ‘security news’ Category

a «BEAST» exploiting the (almost) secure web, SSL.

Tuesday, January 10th, 2012

Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that’s passing between a webserver and an end-user browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust. Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he’s visiting.

At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they’re protected by SSL.

The demo will decrypt an authentication cookie used to access a PayPal account, Duong said.

Duong and Rizzo say they’ve figured out a way to defeat SSL by breaking the underlying encryption it uses to prevent sensitive data from being read by people eavesdropping on an address protected by the HTTPS prefix.

“BEAST is different than most published attacks against HTTPS,” Duong wrote in an email. “While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.”

BEAST carries out what’s known as a plaintext-recovery attack that exploits a vulnerability in TLS that has long been regarded as mainly a theoretical weakness. During the encryption process, the protocol scrambles block after block of data using the previous encrypted block as the starting point for the next one. It has long been theorized that attackers can manipulate this process to test educated guesses about the contents of the plaintext blocks.

If the attacker’s guess is correct, the block cipher will receive the same input for a new block as for an old block, producing an identical ciphertext.
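The chaining property described in the two paragraphs above is easy to see in code. The following is an added example, not code from the original post and not from Duong and Rizzo’s BEAST: it stands in a keyed hash for a real block cipher (CBC encryption only needs a deterministic keyed function, so the principle is unchanged), uses constructed key and cookie values, and models the one property the attack rests on. In TLS 1.0 the IV of the next record is the last ciphertext block of the previous record, so it is already visible on the wire; in TLS 1.1 and later each record carries a fresh random IV. With the chained IV, a guessed plaintext block can be confirmed by comparing ciphertext; with a random IV the same comparison fails even when the guess is right, which is why the newer versions are not affected.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, as for AES


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the forward direction of a 128-bit block cipher.

    Assumption for this demonstration only: HMAC-SHA256 truncated to 16 bytes is
    a deterministic keyed function, which is all CBC *encryption* needs here.
    It is not invertible and is not a real cipher.
    """
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC over whole blocks: C_i = E_k(P_i XOR C_{i-1}), with C_0 = IV."""
    assert len(plaintext) % BLOCK == 0
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class ChainedIvSender:
    """TLS 1.0 behaviour: each record's IV is the last ciphertext block of the
    previous record, so the IV of the *next* record is already on the wire."""

    def __init__(self, key: bytes):
        self.key = key
        self.chain = os.urandom(BLOCK)  # first IV; in TLS it comes from the key block

    def send(self, plaintext: bytes) -> bytes:
        ct = cbc_encrypt(self.key, self.chain, plaintext)
        self.chain = ct[-BLOCK:]
        return ct


class RandomIvSender:
    """TLS 1.1+ behaviour: a fresh random IV per record, transmitted with it."""

    def __init__(self, key: bytes):
        self.key = key

    def send(self, plaintext: bytes) -> bytes:
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, plaintext)


def guess_matches_chained(sender: ChainedIvSender, c_prev: bytes,
                          c_target: bytes, guess: bytes) -> bool:
    """The observation from the text, for TLS 1.0. c_prev and c_target are
    consecutive ciphertext blocks of an earlier record (both on the wire) and
    guess is a candidate for the plaintext block behind c_target. Because the
    next IV (sender.chain) is known, the chosen block is built so that the XOR
    with that IV cancels: the cipher sees guess XOR c_prev, which is the old
    input exactly when the guess is right, and then emits the identical block."""
    chosen = xor(xor(guess, c_prev), sender.chain)
    return sender.send(chosen)[:BLOCK] == c_target


def guess_matches_random_iv(sender: RandomIvSender, c_prev: bytes, c_target: bytes,
                            guess: bytes, predicted_iv: bytes) -> bool:
    """Same procedure against per-record random IVs. The block must be chosen
    before the IV exists, so only a prediction of it can be used; unless the
    prediction equals the real IV (probability 2^-128) the comparison fails
    even for a correct plaintext guess."""
    chosen = xor(xor(guess, c_prev), predicted_iv)
    record = sender.send(chosen)
    return record[BLOCK:][:BLOCK] == c_target


def demo() -> dict:
    """Constructed session: a two-block record whose second block is the secret."""
    key = hashlib.sha256(b"constructed demo key").digest()[:BLOCK]
    header, secret = b"Cookie: session=", b"AAAABBBBCCCCDDDD"  # constructed values
    wrong = b"AAAABBBBCCCCDDDX"

    old = ChainedIvSender(key)
    ct = old.send(header + secret)
    c_prev, c_target = ct[:BLOCK], ct[BLOCK:2 * BLOCK]
    chained_right = guess_matches_chained(old, c_prev, c_target, secret)
    chained_wrong = guess_matches_chained(old, c_prev, c_target, wrong)

    new = RandomIvSender(key)
    record = new.send(header + secret)          # iv | C1 | C2
    c_prev2, c_target2 = record[BLOCK:2 * BLOCK], record[2 * BLOCK:3 * BLOCK]
    # The TLS 1.0 assumption (next IV = last ciphertext block) is now only a guess.
    random_right = guess_matches_random_iv(new, c_prev2, c_target2, secret,
                                           predicted_iv=record[-BLOCK:])
    return {"tls10_correct_guess": chained_right, "tls10_wrong_guess": chained_wrong,
            "tls11_correct_guess": random_right}


if __name__ == "__main__":
    print(demo())
```

Each confirmed block costs one attacker-influenced record, which is why the text counts the cost per byte rather than per cookie; the mitigation is purely on the IV side, and the same key and cipher are used in both senders above.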

At the moment, BEAST requires about two seconds to decrypt each byte of an encrypted cookie. That means authentication cookies of 1,000 to 2,000 characters long will still take a minimum of a half hour for their PayPal attack to work. Nonetheless, the technique poses a threat to millions of websites that use earlier versions of TLS, particularly in light of Duong and Rizzo’s claim that this time can be drastically shortened.

In an email sent shortly after this article was published, Rizzo said refinements made over the past few days have reduced the time required to under 10 minutes.

“BEAST is like a cryptographic Trojan horse – an attacker slips a bit of JavaScript into your browser, and the JavaScript collaborates with a network sniffer to undermine your HTTPS connection,” Trevor Perrin, an independent security researcher, wrote in an email. “If the attack works as quickly and widely as they claim it’s a legitimate threat.”

Malicious Android apps double in 6 months

Tuesday, January 10th, 2012

Lookout Mobile Security has identified 1,000 malicious applications in less than six months.
Previously, most of the malicious apps were located on third-party app stores and alternatives to the official Android Market.
Lookout mentions that the likelihood of an Android user encountering malware increases from 1 to 4 percent yearly, and that the U.S. is placed in the middle for mobile malware compared to other countries.
Another malware vector is convincing Android users to click on untrusted links that lead to malware and phishing sites.
The global yearly likelihood of an Android user clicking on an unsafe link is much higher, reaching 36 percent (6 percent higher than in July 2011); in the U.S. the likelihood is 40 percent.
Another issue Lookout detected is “mobile pickpocketing”: applications and malware that charge the phone owner without his knowledge.
There are also the RuFraud applications, which pretend to be free wallpaper finders and popular games but hide terms that allow the service to charge the phone owner without his knowledge.
Lookout expects many more such incidents to be reported, along with botnets, malware that exploits weaknesses in mobile operating systems, browser-based attacks, malware hiding in mobile advertisements, and tools that automatically repackage legitimate applications to add malware.
Lookout finally suggests avoiding third-party application stores, avoiding clicking on in-app advertisements, and being wary of apps that ask you to click “OK”. Users should check reviews before downloading any application, especially those related to games, utilities and porn, which are the most likely to contain malware.

Sources:
RuFraud Apps

Spam sinks to lowest level in almost three years, says Symantec

Tuesday, January 10th, 2012

According to Symantec’s report, spam messages have been reduced to a great extent!

Nowadays the global share of spam messages is 70%, compared to 90% in 2009. Microsoft’s legal actions helped in this direction, reducing the daily volume of spam from 52 billion to 33 billion messages per day. Pharmaceutical spam, a particular sector of these messages, has decreased by half (to 32.5%) since Symantec started tracking it. Some striking examples by country are these:

Russia is the most spammed area in the world, with the extremely high rate of 76.7%! The next country is South Arabia, with 76.6% spam messages! Last but not least, the U.S.A. is in a slightly better situation, despite 69.9% of its e-mails being spam!

Unfortunately, spammers always find a way to get through, and in combination with more targeted malware aimed at specific people, there is no rapid and decisive decline in these messages! The main aim of such junk mail is to deceive the victims or to steal important data from a big company! A prime example of these attacks is the Stuxnet worm, an incredibly large and complex threat.

The Stuxnet worm is a “wake-up call” because of its complexity and its aim at critical infrastructure systems. It can spy on and reprogram industrial control systems and grant hackers control of critical infrastructures. It uses four zero-day vulnerabilities, compromises two digital certificates, injects code into industrial control systems and hides that code from operators.

In particular, malicious users or programs try to establish persistent access to the main database of a company or organization in order to extract information or secrets. The problem is getting more and more serious, because attempts have already been made to damage a country’s economy or cause significant harm!

Many attacks delivered through spam messages are reported and blocked daily. For instance, approximately 94 attacks were blocked by Symantec worldwide each day in November. In addition, in the US one attack was blocked every day, and in Japan one such attack was blocked every nine days!

In conclusion, the sectors that received targeted attacks daily over the whole of 2011 are:

  • The public sector, with about 20 attacks per day.
  • The chemical and pharmaceutical industry sector, with 18.6 each day.
  • The manufacturing sector, with 13.6 attacks blocked daily.

Related links:

WPS Design Flaw Revealed

Tuesday, January 10th, 2012

A security technology widely used in recent home and small-business modems/routers is Wi-Fi Protected Setup (WPS). As its name implies, the WPS protocol was designed to aid the Wi-Fi security configuration process and enhance device usability. In contrast to its usability, however, several researchers have revealed security issues that could easily lead to a DoS attack.

WPS supports both out-of-band configuration over Ethernet/UPnP and in-band configuration over IEEE 802.11/EAP. Since the wireless in-band option is the one most likely to be exploited by in-range potential attackers, it is interesting to examine all three configuration methods that in-band configuration over IEEE 802.11/EAP provides.

In the first security configuration method, the user pushes a button, usually a physical one, located on both the access point and the new wireless client device. This method is commonly referred to as PBC (Push Button Connect), and it saves the user from typing a unique security key-code to perform authentication. The second method involves typing the client device’s PIN into the web interface of the access point, and is usually referred to as PIN internal registrar. The third method is called PIN external registrar, because the user enters the PIN of the access point into a GUI provided by the client device (usually a computer).

The latter method is extremely vulnerable to a brute force attack, since no authentication is required. If an incorrect PIN is entered, the access point responds with an EAP-NACK message. An attacker can brute-force the PIN by incrementing it each time an EAP-NACK message is received. Furthermore, depending on which handshake message the attacker (client) has sent to the access point when the EAP-NACK comes back, the attacker can determine whether the first half or the second half of the PIN is correct. This has a major impact on the performance of the brute force algorithm, since the first and second halves of the PIN can be incremented independently until each matches, dramatically decreasing the time needed to obtain the PIN.

In an attempt to restrict brute force attacks, vendors incorporate lock-down mechanisms into their devices that introduce delays every time an incorrect PIN is entered. However, at least one researcher has shown that such lock-down mechanisms are not sufficient to make the attack infeasible. Several factors influence the Maximum Attack Time, depending on whether a lock-down scheme is deployed; the lock-down duration and the number of attempts allowed before lock-down are the most significant. A researcher’s implementation of a proof-of-concept brute force attack tool showed that the Maximum Attack Time could range from 3.97 hours to 2203.97 hours, depending on the lock-down mitigation mechanism employed by the vendor. Apart from vendors, end users could prevent a brute force attack by deactivating WPS. However, this may not always be possible.
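To see how much a lock-down policy actually buys, here is an added calculator (not the researchers’ tool and not from the original post) that models the worst-case attack time under the two factors the paragraph above names, lock-down duration and attempts allowed before lock-down. It relies on the known structure of the WPS PIN (eight digits, the last one a checksum of the other seven, verified in two halves as described above) and assumes 1.3 seconds per attempt, a value chosen because it reproduces the page’s 3.97-hour no-lock-down figure; the lock-down model itself (the attacker simply waits each lock-down out) is a simplification.

```python
import math

# Known WPS PIN structure: 8 digits, digit 8 is a checksum of digits 1-7, and
# the registrar exchange confirms the two halves separately (see the text).
FIRST_HALF_SPACE = 10 ** 4   # digits 1-4
SECOND_HALF_SPACE = 10 ** 3  # digits 5-7; digit 8 is fixed by the checksum


def worst_case_attempts(split_verification: bool) -> int:
    """PIN attempts an exhaustive search needs in the worst case."""
    if split_verification:
        return FIRST_HALF_SPACE + SECOND_HALF_SPACE   # 11,000: halves are independent
    return FIRST_HALF_SPACE * SECOND_HALF_SPACE       # 10,000,000 valid full PINs


def max_attack_hours(attempts: int, seconds_per_attempt: float,
                     attempts_before_lockdown: int = 0,
                     lockdown_seconds: float = 0.0) -> float:
    """Worst-case wall-clock time for `attempts` PIN trials.

    Lock-down model (assumption): after every `attempts_before_lockdown` failed
    attempts the access point refuses PINs for `lockdown_seconds`; 0 means no
    lock-down. The attacker is assumed to wait each lock-down out.
    """
    total = attempts * seconds_per_attempt
    if attempts_before_lockdown > 0 and lockdown_seconds > 0:
        total += (attempts // attempts_before_lockdown) * lockdown_seconds
    return total / 3600


def lockdown_for_target(target_hours: float, attempts: int, seconds_per_attempt: float,
                        attempts_before_lockdown: int) -> int:
    """Smallest whole-second lock-down that pushes the worst case to >= target_hours.
    This is the question a vendor sizing a mitigation actually needs answered."""
    lockdowns = attempts // attempts_before_lockdown
    needed = (target_hours * 3600 - attempts * seconds_per_attempt) / lockdowns
    return max(0, math.ceil(needed))


def wps_policy_table(seconds_per_attempt: float = 1.3) -> dict:
    """Compare policies. 1.3 s per attempt is an assumed value; with it the
    no-lock-down row reproduces the page's 3.97-hour figure."""
    n = worst_case_attempts(split_verification=True)
    return {
        "no_lockdown_h": round(max_attack_hours(n, seconds_per_attempt), 2),
        "60s_after_3_fails_h": round(max_attack_hours(n, seconds_per_attempt, 3, 60), 2),
        "lockdown_s_for_one_year": lockdown_for_target(365 * 24, n, seconds_per_attempt, 3),
        "naive_full_pin_h": round(max_attack_hours(worst_case_attempts(False),
                                                   seconds_per_attempt), 2),
    }


if __name__ == "__main__":
    for policy, value in wps_policy_table().items():
        print(f"{policy:>26}: {value}")
```

The contrast between the two `worst_case_attempts` rows is the whole story of the flaw: split verification shrinks the search from ten million PINs to eleven thousand. A 60-second lock-down after three failures only stretches the worst case to a couple of days, and `lockdown_for_target` shows that with three attempts per lock-down the delay has to be roughly two and a half hours before the worst case exceeds a year, which supports the article’s point that short delays alone do not make the attack infeasible.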

Another researcher, who implemented an open source tool capable of performing brute force attacks exploiting the WPS vulnerability, concluded that once the WPS PIN is known the router’s encryption passphrase can easily be revealed. This is true even if multiple radio frequencies are used in the physical layer, each configured with a different WPA key, or even if the passphrases are changed by the user.

The key point to note is that WPS functionality is likely to have been turned on by default as a factory setting, and where this is the case the means of turning WPS off may not be available, resulting in a security flaw even for end users who do not benefit from WPS facilities. A long lock-down period is definitely not a complete solution against brute force attacks either, since an access point usually operates for a long time, in the order of several months, which is enough time for an attack to take place. To address this security flaw, a mature solution would be collaboration among vendors to develop mitigation techniques, together with an informative campaign urging end users to upgrade their firmware and/or deactivate WPS.

SOPA’s latest threat: IP blocking, privacy-busting packet inspection

Monday, November 21st, 2011

According to the Stop Online Piracy Act (SOPA), a network provider can be ordered to prevent access by its US subscribers to allegedly piratical Web sites. That language did not appear in an earlier version, Protect IP Act.

Markham Erickson, head of NetCoalition, says that this language would cover IP blocking and performing deep packet inspection.

Protect IP, on the other hand, doesn’t oblige ISPs to block their customers from visiting the numeric IP addresses of off-limits web sites, nor to perform deep packet inspection.

The head of the Recording Industry Association of America (RIAA) supports the legislation, suggesting that SOPA be used to force Internet providers to block by IP address and to deny access only to the illegal part of a site.

SOPA is designed to respond to the rise of pirate-content sites: it allows the attorney general to seek a court order against the targeted site, which would be served on ISPs, causing the target to disappear.

An aide to the House Judiciary committee stated that IP address blocking and deep packet inspection could be necessary and it would be up to a judge to mark a site as blocked.

Deep packet inspection is the only way to block data from specific pages, and may cause privacy issues as it monitors customers’ browsing.

ISPs aren’t enthusiastic about SOPA. Verizon has concerns about the legislation and is working with congressional staff to address them.

AT&T remains supportive of the general framework of the Senate bill (similar to SOPA), but when it comes to SOPA “it is working constructively with Chairman Smith and others toward a similar end in the House.”

Sonic.net says that it’s technically feasible for them to block a list of IP addresses provided by the government, even though it becomes more difficult as the list grows.

On the other hand, Jasper says that deep packet inspection wouldn’t be feasible:
“We have no capability to do this, so it would not be technically feasible, as it would require complete re-engineering and re-deployment of our network.”

According to SOPA, an ISP must take technically feasible and reasonable measures designed to prevent access by its subscribers located within the US to the blocked site that is subject to the order.

The RIAA says that SOPA is much more flexible than the Senate bill, as it isn’t as specific. “Instead of setting a particular type of technological response in statute, the bill is flexible to allow an ISP to choose the best method, which today may be DNS blocking. If the ISP feels that any one method may have a detrimental effect on the DNS system or on its network, or if technology changes, it is not locked in.”

Unlike SOPA, the Senate bill and Protect IP target domain name system providers, financial companies and ad networks, not Internet connectivity services.

Public Knowledge legal director Sherwin Siy stated that the obligations of an ISP receiving those orders are notar enough.

Seth Schoen characterizes as “surprising” the fact that SOPA is much broader than Protect IP.

If all of these apply, SOPA’s blacklists will start to make the US look like more repressive regimes.

Source: http://news.cnet.com/8301-31921_3-57328045-281/sopas-latest-threat-ip-blocking-privacy-busting-packet-inspection/?tag=mncol

How to protect from IP Spoofing?

Friday, January 14th, 2011

How IP Spoofing Works
Without getting too technical, an IP spoof works something like this. An Internet user types an address into the address bar of his/her browser. Let’s say, for example, that the user wants to go to a bank’s website to check a checking account balance.

The cracker, who has hijacked the IP address of the bank, redirects the Internet user to another site. This site may contain distasteful content such as nude pictures, but often the spoofed site will contain a replica of the bank’s website. The Internet user, unaware that he/she did not arrive at the intended website, innocently types in a user name and password, which the cracker can gather from the victim for identity theft purposes.

Protecting Yourself from IP Spoofing
IP spoofing is difficult to detect, but there are a few things you can do to protect yourself. First, many web browsers give a quick “click” whenever the user surfs to a website or is redirected to another site. If your browser clicks many times in a row, a cracker may be redirecting you from site to site to cover his/her tracks. If you suspect IP spoofing, close your browser immediately and contact the owner of the site.

Second, look for telltale signs that the website you are viewing is not the real one. Look for misspellings, drawn-out and nonsensical sentences, and any feature of the site that looks unprofessional. This is especially true of banks and other financial services websites. Many times the cracker lives in a foreign country and doesn’t have a good grasp of the English language. It’s unlikely that a bank, for example, would display an unprofessional appearance, so this is a red flag to alert you to a possible IP spoof and identity theft attempt.

iPhone Safer from Hackers than Android

Friday, January 14th, 2011

Android-based smartphones are more vulnerable to attacks by hackers and electronic viruses than the iPhone, according to the chairman of the world’s largest provider of security software for corporate servers. The remarks were made less than a week after the company, Trend Micro, released its Mobile Security software for Android devices.

“Android is open source, which means the hacker can also understand the underlying architecture and source code”, Chairman Steve Chang told Bloomberg Businessweek.

“We have to give credit to Apple, because they are very careful about it,” he added. “It’s impossible for certain types of viruses to operate on the iPhone.”

Google didn’t exactly refute Chang’s claim in its response to Bloomberg. “On all computing devices, users necessarily entrust at least some of their information to the developer of the application they’re using,” it said in an email. “Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer.”

In the iPhone universe, the amount of trust a user must cede to a developer is less than in the Android realm because Apple reviews all apps before it allows them to be sold through its App Store. Although that kind of quality review doesn’t exist in the Android world yet, some vetting of apps will occur when Amazon launches its Android apps store later this year.

As smartphone usage grows in corporations, they’ll become more tempting targets for hackers. “Smartphones are the next PC, and once they’re adopted by enterprises, data loss will be a very key problem,” Chang said.

Trend Micro’s Mobile Security app for Android, which it’s selling for $3.99, will block viruses and other malicious software, as well as unwanted calls, on smartphones running the operating system. It also installs parental controls on a phone’s web browser. According to the company, the app is the only mobile tool that uses cloud-based security intelligence to protect Android devices from the latest cyber threats.

source: PCWorld

Security Risks When Using VoIP

Friday, January 14th, 2011

Identity and service theft
VoIP services can be phreaked. Phreaking is a type of hacking that steals or uses a service from a service provider at the expense of another person. Session Initiation Protocol (SIP), the authentication method for VoIP calls, does not commonly use encryption, which results in VoIP services being phreaked.
Hackers steal user names, passwords and phone numbers through eavesdropping to take control of voicemail, billing information and call forwarding. They do not always do this to gain access to a free service, but also to obtain important information such as business data and other sensitive information.
Vishing
Vishing is another name for VoIP phishing, which involves someone calling you pretending to be a trustworthy organization (e.g. your bank) and requesting personal and sensitive information such as your account number, credit card details, etc. The criminals who phone you already have some information about you, which creates a false sense of security, and consequently you give them more sensitive information.
Call tampering
Voice calls can be tampered with by an attacker, who can degrade the quality of the call simply by injecting noise into the communication stream. Participants can experience long periods of silence during the call when the attacker withholds the transfer of packets.
Viruses and malware
VoIP equipment such as soft phones is vulnerable to malware just like any other Internet application. The soft phone application runs on a user system (i.e. a PC or PDA) and is easily exposed to malicious code attacks.
DoS (Denial of Service)
VoIP can suffer from DoS (Denial of Service) attacks. These are often achieved by overloading the network or device, or by consuming all available bandwidth. VoIP calls can also be dropped prematurely by flooding the target with unnecessary SIP call-signaling messages, which halts call processing.
SPIT (Spamming over Internet Telephony)
Spamming over VoIP has not become very common yet, but it is beginning to. Like the emails we often receive consisting of online promotions and sales pitches, these messages are now also going to VoIP voicemails. Since every VoIP account has an associated IP address, it is very easy for spammers to send their voice messages to numerous random IP addresses, which results in voicemails being clogged. Spam messages sent to VoIP accounts can also carry malware and spyware.

Mac App Store Protection Cracked

Friday, January 14th, 2011

A group of hackers, Hackulous, announced that they have developed a program called “Kickback” that can break the protection of applications hosted on the Mac App Store. In other words, by installing this software users will be able to pirate any application in the store. More specifically, users can run paid applications for free when they copy and paste in a receipt number from a free application.

According to Dissent, a member of Hackulous:

We don’t want to release kickback as soon as the [Mac App] Store gets released. I have a few reasons for that.

Most of the applications that go on the Mac App Store [in the first instance] will be decent, they’ll be pretty good. Apple isn’t going to put crap on the App Store as soon as it gets released. It’ll probably take months for the App Store to actually have a bunch of crappy applications and when we feel that it has a lot of crap in it, we’ll probably release Kickback.

So we’re not going to release Kickback until well after the store’s been established, well after developers have gotten their applications up. We don’t want to devalue applications and frustrate developers.

“Anonymous” activities

Friday, January 14th, 2011

Anonymous is a group of individuals, mainly from the on-line community, who share common ideas and act towards self-agreed goals under the name “Anonymous”. Their strength lies in their numbers and in true anonymity. Anonymous uses public communication channels for conversation and for planning their activities, such as wikis, IRC, Facebook, forums etc.

A list of activities done by Anonymous

Hal Turner raid
Took down Turner’s website.

Project Chanology
Criticized the Church of Scientology for Internet censorship and planned a series of DDoS attacks on the Church’s websites, as well as street protests wearing masks.

Epilepsy Foundation forum invasion
Anonymous was blamed for an attack on the Epilepsy Foundation of America forum/website, using JavaScript code and flashing animations to provoke seizures in victims.

Defacement of SOHH and AllHipHop websites
Starting with flooding of the forums, then DDoS attacks against the websites, and finally defacing the sites by adding satirical images and headlines; they also stole employee information using cross-site scripting.

Operation Titstorm
A protest against the Australian Government using DDoS attacks on federal websites.

After the worldwide fight by governments against WikiLeaks, Anonymous decided to express their support for WikiLeaks with several operations/protests.

Operation Payback
When this operation started, the main targets were websites that did not respond to software takedown notices: DDoS attacks on the websites of law firms, copyright organisations etc., until the targets moved to companies that oppose WikiLeaks. Some of the targets were Amazon, PayPal, MasterCard, Visa and the Swiss bank PostFinance.

Government websites taken down due to censorship of WikiLeaks documents

Operation Tunisia
8 Tunisian government websites taken down due to censorship of WikiLeaks.