Daily Archives: April 9, 2015

Apple Releases Security Updates

Yesterday Apple released security updates for Apple Safari, OS X Yosemite (10.10), OS X Mavericks (10.9) and OS X Mountain Lion (10.8), Apple iPad (2nd generation and later), Apple iPhone (4S and later), Apple iPod (iPod Touch 5th generation and later), Apple TV (3rd generation and later) and finally Xcode for OS X Mavericks and later.

Full details on all updates are available on Apple’s Security Updates page. The updates to prioritize in my opinion are the updates for:

Apple TV: includes fixes for WebKit
Apple iOS: includes fixes for WebKit, the iOS kernel and 2 lockscreen bypasses
OS X (10.10, 10.9 and 10.8): includes fixes for Apache, the OS X kernel, NTP, OpenSSL and PHP
Apple Safari: since it addresses 5 critical memory corruption flaws (as well as 5 other CVEs)

If you use any of the above software, please install the appropriate updates as soon as possible. As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues. Thank you.

How To Protect Against Ad Injectors (Updated)

Late last week I read about a particular form of adware that Google continues to work to prevent from interfering with search engine results or obscuring your view of a popular website.

These ad injectors display pop-up dialog boxes on your screen, obscuring the website that you wish to view, and instead offer tech support scams. They can also place ads that they wish to promote over the genuine search results that you have just requested from Google (or another search engine). For more signs/symptoms to look for, this blog post provides more details.

These ad injectors are typically installed on your computer by browser extensions/plugins as well as by more traditional advertising toolbars.

In order to remove such ad injectors and prevent them from disrupting your browsing experience, I would recommend running a quick scan with your preferred anti-malware software (run a full scan if anything is detected). If you are still seeing annoying pop-up dialogs or unwanted ads (that overlay the genuine search engine results) you could also try a free scan with one or all of the tools mentioned below (which I also mention on my Tools and Resources page).

In addition, before installing any free browser extension, read its reviews and research it online a little. If you begin to see unwanted ads just after installing a new browser extension, uninstall that extension. To be even more careful, consider running the scans that I mention above after installing the extension, just to ensure the legitimacy of what you have just downloaded.

Please consider supporting the future development of these free scanning tools by donating via their websites (especially if they find and remove any adware for you):

AdwCleaner:
http://general-changelog-team.fr/en/tools/15-adwcleaner

Junkware Removal Tool:
http://thisisudax.org/

RogueKiller:
http://www.adlice.com/softwares/roguekiller/

Note: For the Junkware Removal Tool, I would recommend backing up your data to another external destination (e.g. an external hard drive or offsite backup; don’t have the backup accessible on your computer when running the tool) before running this tool. This is because it can delete any application installer that includes advertising toolbars as part of its installation (even if such toolbars are optional). You may not be expecting such installers, e.g. Oracle Java’s, to be deleted (without any prompts), and having a backup reduces the inconvenience of such application installers being deleted.

Update: 6th May 2015:

Since this post was originally published, Google have provided more details on their findings from a research study detailing the extent of the ad injector ecosystem.

Google have worked to remove extensions from the Chrome Web Store that were deceptive, and their Safe Browsing API continues to protect users from downloading software that is not what it appears to be. In addition, changes to their AdWords policies have seen the number of Safe Browsing warnings being presented to users drop by 95% (i.e. users are no longer being manipulated into attempting to download dubious software/ad injectors and thus the warnings are not necessary).

The advice that I provided above still remains valid; however, Google have since released a software removal tool to remove existing ad injector software. If you suspect that you may have such an ad injector installed, please consider running this tool. I have used this tool and its scan takes less than five seconds to complete (for me the scan showed no malicious results and thus no action was required).

=======================
Update: 25th September 2015:
Earlier in September Google mentioned that they have made adjustments to their online advertising system so that ads that appear as a result of the ad injectors mentioned in this post are no longer bid on and thus no revenue is generated.

Google acknowledges that this measure won’t stop all of these ads from appearing but it makes it much less profitable for those who create these unwanted ads.

Thank you.
=======================
I hope that the above page is useful to you in keeping your computer free from unwanted adware and ensuring a safe and predictable online browsing experience.

Thank you.

The Benefits of the Pwn2Own Contest and Security Vulnerability Disclosure

With the CanSecWest Pwn2Own security vulnerability discovery contest having ended almost 3 weeks ago, an interesting question was raised on the Sophos security blog: should this competition continue, since some consider that it over-dramatizes the nature of security vulnerabilities?

I firmly believe this competition should continue, since over the years it has been responsible for valuable progress being made in security defences. Since this competition follows a responsible disclosure model, I believe this is another reason that it should continue.

Re-quoting my full explanation from the comments section of the above blog post:

—————-
I voted Positive for this. I think Pwn2Own is worth every cent/penny. While I acknowledge there is a certain amount of drama/spectacle about the event, the work the security researchers are doing is invaluable. The vendors are essentially having penetration testing carried out and since it’s being done by outsiders it can be more objective than an internal audit (please don’t misunderstand me, internal audits are still worthwhile).

The researchers are putting the effort, expertise and time into creating these exploits just like a malicious hacker would. While any vendor would state their product is as secure as possible and meets all of their quality assurance checks, the researchers can still exploit/pwn them. I believe that the vendors are having flaws found that would not otherwise be found or, worse, are exploited maliciously before a patch is available, i.e. a zero day flaw (alternative definition).

For example, in 2013, 2 particularly noteworthy flaws were an exploit for Internet Explorer that raised the exploit’s integrity level (its permission level or authority level) from low to medium and the LDRHotpatch ASLR/DEP bypass. This latter exploit used an undocumented API call to carry out its malicious intent. This exploit led to the later development and inclusion of the Banned Functions mitigation into Microsoft EMET. Microsoft even mentioned (in an SRD blog post) how novel/unheard of these exploits really were and how correcting them was far from trivial.

I believe this particular flaw may have been eventually exploited as a zero day flaw rather than being disclosed responsibly. This is the real benefit I see from Pwn2Own. The security researchers think outside of the box in that they come up with exploit methods that the vendors never even thought of or even knew were possible and exploit them. Since they are being disclosed responsibly we all benefit from the experience/knowledge the vendors obtain from the researchers.

I consider this event pivotal to the development/enhancement of security for us all, since vendors can and do become complacent in their development practices. It’s only when they are shown how badly a product can be exploited and how vulnerable it really is that the vendor will take notice and make the necessary changes and possible improvements to their quality assurance process to protect it; otherwise the product would stay as it is.

I realize many people would not agree with me but I think it is in all of our interests that this competition/event continues. Thank you.
—————-

One point that was not raised within the wider online IT security press coverage of Pwn2Own 2015 was that Microsoft EMET was used to harden each of the devices running Windows. While all of the products within the contest were compromised at least once, this does not mean that EMET is of little benefit, simply that the exploits were sophisticated enough to avoid/bypass EMET to carry out their intended purpose. Moreover, these are not the only examples of exploits being able to successfully bypass EMET; the following 3 links demonstrate this (for EMET 5.2).

Example 1
Example 2
Example 3

For these reasons it will be interesting to see how Microsoft enhances EMET in the future, for EMET version 5.3 or 6.0.

When I mention responsible disclosure (above), what exactly is meant by this, how does it differ from the more controversial (but still very important) public/full disclosure, and why does the difference between these two matter?

Responsible disclosure occurs when a security researcher discovers a security vulnerability and reports it to the software vendor (the company that commercially produces the software product in question). If after a certain duration of time (e.g. 90 days) the vendor does not respond to the security researcher who reported the flaw to them, the researcher can then fully/publicly disclose the flaw to the wider security community.

Responsible disclosure has advantages for the vendor, since they have a window of opportunity to resolve the flaw during the period before full disclosure (this period can vary), which protects the vendor’s customers from ever being exposed to the flaw. In addition, the researcher will very likely be acknowledged by the vendor for taking the time and effort to report the flaw to them. Responsible disclosure is usually preferred since it minimizes the exposure of the vendor’s customers to security risks. With bug bounty programs becoming more prevalent, responsible disclosure remains very popular.

Full/public disclosure reports the discovery of a security flaw to the wider security community (along with information on which versions of the vendor’s products are affected by this flaw) without first contacting the affected vendor.

Usually the publication of the information concerning this flaw will contain information on how to reduce your exposure to (mitigate) this flaw, e.g. changing a setting within the software, not using a certain aspect of the software or not opening suspicious files of a specific file type, etc. This is a potential advantage since it allows anyone vulnerable to the flaw to protect themselves before a patch (software fix) is available.

I use the word “potential” above since it is possible that, with the details published by the security researcher, a person with malicious intent could write the code of an exploit to be used by anyone, e.g. malware creators, to infect people’s devices using the affected software before a patch is available.

Full disclosure has the potential advantage of motivating the software vendor into quickly resolving the security flaw rather than risk any bad reputation that may develop should some of its customers become compromised because of this security flaw before that vendor has a chance to resolve it.

Since the Pwn2Own contest follows a model of responsible disclosure, the security researchers benefit from the prize money, winning the devices they exploit/pwn and being credited with a successful exploit. The software vendors also benefit since they can examine how the exploit was built and create a patch to prevent the exploit from having the desired effect in the future, as well as having the opportunity to harden the software in order to prevent similar exploits in the future. Such flaws are also unlikely to become zero day flaws. This matters to everyone since the products within the contest are very widely used, and being able to strengthen a product that we use each day is always beneficial. Thank you.

Taking The Effort Out Of Password Management (Updated)

In today’s connected world the management of passwords can be a time consuming chore that is unfortunately a necessary evil. Creating and using strong passwords is a recommended best practice to protect any online account from falling into the wrong hands. With the many data breaches that occurred in 2014, e.g. Target, Home Depot and eBay (among others), protecting your online identity remains very important.

In order to assist with managing your passwords and online accounts, I would recommend using a password manager, e.g. LastPass or RoboForm, among others, to reduce the number of passwords that you need to remember to only one master password (which should be extremely strong, since it protects your entire online identity).

But how do you create strong passwords before you place them in the password manager? First use a random password generator and then test the strength of the password. How strong should a password be? That depends on what account that password protects: the more sensitive/important the account, the stronger the password should be. Most passwords should take from a few weeks to a few months to crack, so that, should your password be stolen along with a large collection of hashed passwords, other passwords will be uncovered before yours.

Popular and effective password generators are the following:

LastPass

Norton Password Generator

While password strength meters can be weak and can provide a false sense of security, I have found this password strength tester to work incredibly well.
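As an added illustration of the “generate, then measure” advice above (this is example code written for this page, not a tool from the post or from any of the generators linked), the following Python builds a password from the operating system’s cryptographic random source and reports its entropy and an expected brute-force time. The guessing rate is an assumption chosen for the example: a fast hash such as MD5 on a GPU rig can be guessed orders of magnitude faster than a slow hash such as bcrypt, and the true figure depends on how the site you are protecting stores its hashes. The entropy figure is only meaningful for a generated password; a human-chosen password draws from a much smaller space than its character set suggests, which is why strength meters can mislead.

```python
import math
import secrets
import string

# Character set a generator might draw from: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Build a password from a CSPRNG, one character at a time.

    secrets.choice draws from os.urandom, so each position is uniform over
    the alphabet and independent of the others (which is what makes the
    entropy calculation below valid).
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average the attacker tries half the space."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def strength_report(password: str, alphabet: str = ALPHABET,
                    guesses_per_second: float = 1e10) -> dict:
    """Summarise a generated password's strength.

    guesses_per_second is an assumed offline cracking rate for the example
    (roughly the order of magnitude of a GPU rig against a fast, unsalted
    hash); against a slow password hash the real rate is far lower.
    """
    if any(ch not in alphabet for ch in password):
        raise ValueError("password contains characters outside the alphabet")
    bits = entropy_bits(len(password), len(alphabet))
    seconds = expected_crack_seconds(bits, guesses_per_second)
    return {
        "length": len(password),
        "entropy_bits": round(bits, 1),
        "expected_crack_years": seconds / (365.25 * 24 * 3600),
    }


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw)
    print(strength_report(pw))
```

Twenty characters from this 94-symbol set give about 131 bits of entropy, far beyond the weeks-to-months target the post describes; the point of running the calculation is to see how quickly the figure collapses when you shrink the length or the character set, which is the adjustment an attacker with a leaked hash set benefits from.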

=======================
Update: 6th May 2015:
I have found that the above mentioned password strength tester is now limited to testing passwords of 50 characters (or shorter) in length.

Further advice on generating strong passwords without using a password generator and best practice advice on password management is discussed in the following two short YouTube videos from Sophos:

How to pick a proper password
https://www.youtube.com/watch?v=pMPhBEoVulQ

How to choose a strong password – simple tips for better security
https://www.youtube.com/watch?v=VYzguTdOmmU

Aside: While I realize that I often mention Sophos blog posts and videos in general, this is simply because I have found their posts or videos very informative yet concise. I try to link to various sources and I do not endorse Sophos’ products or advice over any other source/company.

For Microsoft Active Directory (Domain Joined systems):
For corporate systems/Microsoft Active Directory joined PCs, Microsoft has updated its Local Administrator Password Solution (LAPS) tool in order to make domain joined systems more secure by randomizing the Local Administrator password used for each system (rather than having them all set to the same value or managed manually by your IT staff).

More information on the tool is available here. In addition, a short deployment guide is available here. Other advantages of this tool are (among others) that passwords are transmitted to Active Directory encrypted (using AES) rather than in plaintext or hashed form. This tool will also help to mitigate Pass-the-Hash (PtH) attacks.

=======================

Going Further Than A Password
Whenever possible you should also use 2 factor authentication. However, with 2 factor authentication you should ensure that the online account that supports this type of authentication has an appropriate means of recovering access to your account should you lose your second factor of authentication, e.g. your cell phone.

Apple, Google and WordPress are examples of such accounts that offer recovery codes that you can print or save in a secure location to use to access your account should you lose your second factor of authentication. I find such recovery codes ideal since they offer the extra protection of using a second authentication factor while significantly reducing the possibility of locking yourself out of your account should you lose your cell phone. An excellent article detailing the advantages and disadvantages of 2 factor authentication is this Sophos blog post.
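To make the recovery-code idea concrete, here is an added Python example (written for this page; it is not code from Apple, Google, WordPress or any provider mentioned above) showing how a service can verify a phone-based second factor and fall back to printed recovery codes without weakening the account. The time-based code is the standard TOTP algorithm from RFC 6238 (checked below against that RFC’s published test vector). The SecondFactorStore class, the xxxxx-xxxxx code format and the PBKDF2 work factor are assumptions made for the example; the security-relevant choices are that the codes are shown to the user once, stored only as salted hashes, and accepted at most once each.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional

TOTP_STEP_SECONDS = 30


def totp(secret: bytes, for_time: int, step: int = TOTP_STEP_SECONDS,
         digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SecondFactorStore:
    """Per-account second-factor state (held in memory here; a real service
    would persist it). Recovery codes are never stored in the clear."""

    # Assumed work factor for the example; recovery codes carry 40 random
    # bits, so this mainly guards against offline guessing if the store leaks.
    PBKDF2_ROUNDS = 10_000

    def __init__(self, totp_secret: bytes):
        self.totp_secret = totp_secret
        self.salt = secrets.token_bytes(16)
        self._unused_code_hashes: List[bytes] = []

    def _hash_code(self, code: str) -> bytes:
        normalised = code.strip().lower().replace("-", "")
        return hashlib.pbkdf2_hmac("sha256", normalised.encode(),
                                   self.salt, self.PBKDF2_ROUNDS)

    def issue_recovery_codes(self, count: int = 10) -> List[str]:
        """Generate fresh codes (invalidating any old ones) and return them
        for a one-time display to the user, e.g. to print and file away."""
        self._unused_code_hashes = []
        codes = []
        for _ in range(count):
            raw = secrets.token_hex(5)               # 40 random bits
            code = f"{raw[:5]}-{raw[5:]}"            # assumed display format
            codes.append(code)
            self._unused_code_hashes.append(self._hash_code(code))
        return codes

    def verify_totp(self, submitted: str, now: Optional[int] = None) -> bool:
        """Accept the current step plus one step either side for clock drift."""
        now = int(time.time()) if now is None else now
        for drift in (-1, 0, 1):
            expected = totp(self.totp_secret, now + drift * TOTP_STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):
                return True
        return False

    def redeem_recovery_code(self, submitted: str) -> bool:
        """Consume a recovery code: a code that matches is removed so it can
        never be replayed, which is what makes a printed code safe to keep."""
        candidate = self._hash_code(submitted)
        for stored in self._unused_code_hashes:
            if hmac.compare_digest(stored, candidate):
                self._unused_code_hashes.remove(stored)
                return True
        return False

    def remaining_recovery_codes(self) -> int:
        return len(self._unused_code_hashes)


if __name__ == "__main__":
    store = SecondFactorStore(secrets.token_bytes(20))
    codes = store.issue_recovery_codes()
    print("Store these somewhere safe:", codes)
    print("Current TOTP:", totp(store.totp_secret, int(time.time())))
```

Losing the phone means `verify_totp` can no longer be satisfied, but one of the printed codes still opens the account, after which the user should enrol a new device and call `issue_recovery_codes` again; the remaining-code count is worth surfacing so the user notices when they are running low.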

As time progresses we may finally obtain some relief from the constant maintenance of our passwords (namely changing the more frequently used or important passwords more often). This should come in the form of the introduction of new and more widely standardized authentication tokens e.g. the USB FIDO tokens that can be used to log into your Google account.

The announcement earlier this year that Microsoft intends to support such tokens for logging into the forthcoming Windows 10 offers a lot of promise for an easier and more standardized means of using a second factor of authentication. In addition, Windows Hello will add biometric authentication (face recognition and fingerprint identification) to Windows 10 which will ease the logon process by removing the need for a password. Biometrics are also more secure than passwords.

With the wider adoption of such technologies and as they become more developed/refined perhaps within the next 5 years we might be able to finally say goodbye to the dreaded practice/topic of password management.

Thank you.