Daily Archives: June 25, 2016

Blog Post Shout Out: Creating Passwords and Internet Privacy

This blog post shout out will focus on both security and privacy related issues.

While there has recently been a renewed focus to phase out passwords, until that happens we need to continue to manage them.

The following article discusses (among other topics) managing passwords. It focuses on providing security while making it easier for users to remember them. It also raises doubts about the need for changing passwords so often and provides evidence to back this up.

All of this advice may useful if you are trying to create or update your corporate password policy to make it more user friendly while still maintaining security.

How to hack the hackers: The human side of cybercrime by M. Mitchell Waldrop (Nature Journal)

In an effort to preserve your privacy you may be using a VPN (defined) connection when browsing the internet using your computer or mobile devices.

However as noted by F-Secure in this FAQ article, this may not be enough to fully protect your identity since some information (namely your real IP address) can still be leaked via WebRTC traffic. Within that FAQ article they provide advice on how to prevent this leak for the most common web browsers.
Related to the above topic of VPNs, using public Wi-Fi hotspots isn’t a good idea if you want to preserve your privacy as this Kaspersky article demonstrates.

While a VPN can assist with preserving that privacy when using a public Wi-Fi, it isn’t a perfect solution. For example, apps installed on mobile devices can still leak data as discussed in this article.

However, it possible to better control such data leakage on Android and Apple iPhones. A guide to do this for Android is available here.

For an iPhone, you can open Setting -> Mobile data and change the settings according to your preference. However, when you connect to a public Wi-Fi hotspot all the network connections in use by the apps will begin new connections or resume existing connections.

To minimise the amount of data leaked you should use a VPN (as I have already discussed above) for your mobile device. In addition, you should use the Low Power Mode option of your iPhone from Settings -> Battery and change the setting. This setting change will halt background tasks, delete Wi-Fi access point associations, previous new emails being received and automatic downloads. More information on this setting is available from here.

Next, turn on your VPN (Settings -> General -> VPN). A list of popular VPN providers is available here.

Using the above steps will help to minimise the amount of data leaked if you are privacy conscious and use an Android powered device or an iPhone. Full disclosure: as you know I use an Android phone so I haven’t intentionally provided more information/discussion on the iPhone.

I hope that you find the above references useful in maintaining your security and privacy. Many thanks to a colleague (you know who you are) for contributing the advice on using VPNs with mobile devices.

Thank you.

Are Your Mice Vulnerable To MouseJack?

In late May it was brought to my attention by a colleague that a potentially serious security vulnerability was discovered by Internet of Things security firm Bastille. This issue was disclosed earlier this year in February. It’s named MouseJack.

Why Should This Issue Be Considered Important?
While I use the term “issue” MouseJack consists of several vulnerabilities rather than just one. These vulnerabilities could allow an attacker to type commands of their choice into a victim’s computer from up to 100 metres away. The only equipment the attacker would need is a USD $15 USB dongle.

It’s important to point out that the vulnerabilities are within the firmware of a wireless keyboard/mouse USB dongle and not the mouse itself. Firmware is semi-permanent embedded software code that allows a device to carry out its function by having the low-level hardware carry out useful sequences of events.

While the need to encrypt the data travelling between a wireless keyboard and the computer it is connected to was recognised and implemented by many well-known vendors (since keyboards are used to enter passwords and other sensitive data). The same encryption was not applied to the transmission of mouse clicks (and other buttons including scrolling wheels) from the mouse to the computer.

A proof of concept video demonstrating how these vulnerabilities can be used by an attacker was made available on YouTube and illustrates the vulnerabilities very well.

How Can I Protect Myself From These Issues?

I found this CERT security advisory very helpful in terms of next steps to follow.

Since I own a lot of Logitech mice and a keyboard it was fantastic to see that Logitech made available a security update that upgrades the firmware of the USB dongle to resolve these vulnerabilities.

While Lenovo did the same, they don’t allow end-users to install it and you need to contact them to arrange for an exchange of your devices (with Dell providing a similar response). Microsoft on the other hand issued an update for affected devices in a similar manner to Logitech that won’t require you to return your devices to them.

I have provided the links below to some of the vendor’s responses/updates below:

Dell (PDF)

A full list of the affected devices is available here. This page also provides further recommended actions.

All but one of my mice are Logitech Performance MX (which I purchased from 2009 onwards). Every dongle belonging to each of the mice had old vulnerable firmware installed (including a Performance MX purchased in March this year).

My mice had the following vulnerable versions installed:

  • 012.001.00019
  • 012.003.00025 (March 2016 mouse)

I followed the steps within this Logitech forum thread (please see the first post) to very quickly patch each of the USB dongles using one of my Windows systems. The mice continue to work as normal, but without the vulnerabilities.

The firmware versions of all previously affected USB dongles are now 012.005.00028

While my mice are not listed as affected, the Unifying USB dongle is present across almost all of Logitech’s product range making the Performance MX affected by association rather than directly.

For the spare Logitech keyboard and mouse (Logitech MK250) that I have, they are not affected by these issues since they use an older and much larger USB receiver. This receiver doesn’t have the Unifying technology that was vulnerable to these issues.

I verified that the firmware of the receiver was not affected by installing the Logitech Connect Utility v2.0.3.0. This is the equivalent of the newer Unifying software for this keyboard and mouse.

The firmware version was 015.000.00048 which is not in the affected range of the 012.xxx.000xx, 024.xxx.000xx that the Logitech update was designed to address.

I wanted to point this vulnerability out to those who use wireless keyboards and mice; they may also be vulnerable to this issue. For those fortunate enough to use Microsoft and Logitech peripherals you can install the necessary updates quickly and easily.

Many thanks to my colleague (you know who you are) for bringing these vulnerabilities to my attention.

I hope that the above information is helpful. Thank you.

Apple Releases Security Updates May / June 2016

Earlier this week Apple released a firmware (defined) update for its AirPort wireless base stations to resolve a critical vulnerability. Since I haven’t published information on Apple updates in many weeks I will also discuss the large collection of updates released on the 16th of May applying to the following products:

    Apple iOS 9.3.2: For iPhone 4s and later, iPod touch (5th generation) and later, iPad 3 and later
    Apple watchOS 2.2.1: For Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
    Apple tvOS 9.2.1: For Apple TV (4th generation)
    Apple OS X El Capitan v10.11.5 and Security Update 2016-003: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.5
    Apple Safari 9.1.1: For OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 to v10.11.5
    Apple iTunes 12.4: For Windows 7 and later

    As always, comprehensive details of all of these updates are provided on Apple’s Security Updates page.

    Why Should These Issues Be Considered Important?

    The most important updates to install are the AirPort firmware updates and the OS X security updates.

    The AirPort firmware update is particularly severe since it relates to how the devices within how these devices parse (defined) DNS (defined) data. The possible implications of such a vulnerability are clearly explained in this ComputerWorld article. As that article notes, DNS cannot be easily disabled without affecting functionality providing even more reason to install the necessary firmware updates as soon as possible.

    Apart from the AirPort firmware updates the collection of updates made available on the 16th of May includes fixes for issues such as those detailed below:

    Apple iOS 9.3.2: Resolves 39 CVEs and includes fixes for CommonCrypto, IOAcceleratorFamily, Disk Images, iOS kernel (defined), libc, libxml2, OpenGL, WebKit (and associated components (among others).

    Apple watchOS 2.2.1: Resolves 26 CVEs and includes fixes for CommonCrypto, CorCapture, Disk Images, IOHIDFamily, IOAcceleratorFamily, watchOS kernel, libc, libxml2, libxslt and OpenGL

    Apple tvOS 9.2.1: Addresses 33 CVEs, the most severe present in the following components: CommonCrypto, IOAcceleratorFamily, Disk Images, IOHIDFamily, tvOS kernel (defined), libc, libxml2, libxslt, OpenGL, WebKit (and associated components (among others).

    Apple OS X El Capitan v10.11.5 and Security Update 2016-003: Resolves 70 CVEs the most severe being present in the following: AMD, AppleGraphicsControl, AppleGraphicsPowerManagement, ATS, Audio, CommonCrypto, CoreCapture, CoreStorage, Crash Reporter, Disk Images, Graphic Drivers, Intel Graphics Drivers, OAcceleratorFamily, IOAudioFamily. IOFireWireFamily, IOHIDFamily, OS X kernel, libc, libxml2, libxslt, Nvidia Graphics Drivers, OpenGL, QuickTime, SceneKit (among others).
    Apple Safari 9.1.1: Resolves 7 CVEs the most critical being present in WebKit (the renderer of Safari) and WebKit Canvas.

    Apple iTunes 12.4 for Windows: Resolves 1 critical CVE in the iTunes installer.

    How Can I Protect Myself from These Issues?
    If you own any devices that use Apple AirPort wireless base stations, use Apple iOS, watchOS, tvOS or OS X or you know someone that does, advise them to use the links below to install the most recent security updates.

    As a routine precaution I would recommend backing up the data on any device for which you are installing updates (preferably to an external storage device that can easily be accessed by you) in order to prevent data loss in the rare event that any update causes unexpected issues.

    Please see these links from Apple for advice on backing up your iPhone and iPad. Advice for updating tvOS is available here.

    For advice on how to install updates for Apple devices, please see the steps detailed at the end of this Sophos blog post as well as this link (from my “Protecting Your PC” page).

    Thank you.

WordPress Security Updates Roundup (June 2016)

Last weekend WordPress made available a security update to their popular self-hosted blogging tool/content management system (CMS, defined) bringing it to version 4.5.3.

Why Should These Issues Be Considered Important?
WordPress recommends installing this update as soon as possible due to the severity of the issues that it resolves. It isn’t immediately clear but 24 security issues were addressed in this update. Please find below a summary of those issues:

  • A redirect bypass in the customizer (which could be used by an attacker to redirect to websites to perform attacks such as watering hole attacks (defined))
  • 2x cross site scripting (XSS) vulnerabilities (defined) as a result of attachment names
  • Revision history information disclosure
  • A denial of service issue (defined)
  • some less secure sanitize_file_name edge cases
  • unauthorized category removal from a post
  • password change via stolen cookie (defined)

Previously in early May this year WordPress made available version 4.5.2. This was also an important security update that addressed 2 security vulnerabilities. The first relates to a Same Origin Method Execution (SOME) (defined) vulnerability. This vulnerability is similar to a cross site scripting (XSS) vulnerability since it abuses JSON (defined) callbacks.

The second issue addressed is a more traditional cross site scripting (XSS) vulnerability within a 3rd party library, namely MediaElement.js.

Separately in early June WordPress removed a plugin named WP Mobile Detector from their plugin website when attacks begin exploiting a trivially exploitable zero-day vulnerability (defined) within it.

Researchers at the security firm Sucuri were able to determine that the attacks for this vulnerability began on the 27th of May. The vulnerability was then disclosed on the Plugin Vulnerabilities website. The vulnerability allows an attacker to upload a file of their choice to a WordPress website.

Finally, and as above in late May the security firm Sucuri discovered a critical (due to the ease of exploitation) cross site scripting (XSS) vulnerability in the popular WordPress Jetpack plugin. This issue affected more than 1 million WordPress websites.

How Can I Protect Myself from These Issues?
As always; WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

For the WP Mobile Detector; it was later updated to version 3.6 to address this vulnerability. However as noted by Sucuri in their advisory the vulnerability was not fully addressed by this new version and they are working with them to address this further shortcoming.

If you use the WP Mobile Detector plugin, please ensure that you are using the most recent version. While the vulnerability is difficult to exploit since it requires the allow_url_fopen API (defined) to be enabled. US CERT recommends disabling this API (defined) call if it is not needed for your website as a defence in depth (defined)(PDF) measure.

Lastly for the JetPack plugin, please update to version 4.0.3 or later to resolve the above mentioned critical XSS issue. Updates were also made available for all 21 code branches of the plugin if you are not already using the newest code branch. The developers of the plugin have also provided an FAQ for this update as well as the steps to install it.

Thank you.

Wireshark Releases Security Updates June 2016

In early June the Wireshark Foundation made available security updates for their popular open source network packet analyzer Wireshark (v2.0.4; the current branch and v1.12.12; an update to the previous branch).

Version 2.0.4 addresses 9x security issues within 9 security advisories (8x of which were assigned CVEs (defined) that it addresses. Meanwhile version 1.12.11 references 8x security advisories (addressing 8 issues assigned to 7x CVEs).

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

As always, if Wireshark is installed on a critical production system or systems that contain your critical data, please back up your data before installing this update in order to prevent data loss in the rare event that an update causes unexpected issues.

Thank you.

Google Releases Security Update for Chrome (May / June 2016)

Late last week Google released an update for Google Chrome bringing it to version 51.0.2704.103. This updated version resolves 3 security issues assigned to 1x CVE number (defined). No severity level was provided for this CVE.

Since my previous post concerning Google Chrome updates, there have been 2 other updates:

Google Chrome 51.0.2704.63 addressing 42 security issues assigned to 24 CVEs:
The severity levels of these issues are detailed below:
• 9x high severity
• 10x medium severity
• 4x low severity
• 1x uncategorized severity

Google Chrome 51.0.2704.79 addressing 15 security issues assigned to 8 CVEs:
The severity levels of these issues are detailed below:
• 2x high severity
• 5x medium severity
• 1x uncategorized severity

Google Chrome updates automatically and will apply the update the next time Chrome is closed and then re-opened. Chrome can also be updated immediately by clicking the Options button (it looks like 3 stacked small horizontal lines, sometimes called a “hamburger” button) in the upper right corner of the window and choosing “About Google Chrome” from the menu. Follow the prompt to Re-launch Chrome for the update to take effect.

As always full details of the update were made available by Google in blog posts linked to above. If you use Google Chrome as your web browser, please consider updating it as soon as possible.

Thank you.

NTP Project Releases Security Update (June 2016)

In early June the NTP project; the team behind the Network Time Protocol (NTP)(defined) issued a security update to address 5 security issues (more formally known as CVEs (defined)), one of which has been classified as high severity. This update brings NTP to version 4.2.8p8

Why Should These Issues Be Considered Important?
The most severe issue involves a denial of service (defined) vulnerability caused by the processing of Crypto-NAK responses (these responses are sent by NTP servers when a client and server do not agree on a message authentication code (MAC)(defined)).

The other four issues were classified as low severity, one of which relates to the above crypto-NAK vulnerability. That low severity vulnerability if exploited could lead to the demobilization of an association between the server and the client (where mobilization means that an NTP server is cryptographically authenticated to a client).

How Can I Protect Myself from These Issues?
NTP is available for most operating systems primarily Linux and Mac OS X (however versions for Windows also exist). In addition, almost any device can request the correct time from an NTP server and thus could be affected by these issues even if NTP is not installed on the device (but would need to be installed on the server).

Full details of these issues are provided by the NTP project on this page (see the June 2016 entry).

Updated versions of NTP are available from this page. For Linux systems the relevant updates can also be obtained via the Package Manager bundled with your Linux distribution (see this link(Debian) and this link (Ubuntu) that should assist you in using the package manager for your distribution of Linux). Apple usually update NTP via their App Store and Software Update, details are available on this page.

Moreover, please see each of the following NTP bug entries since each contains mitigations (defined) for each vulnerability that may be of assistance to you:

NTP Bug 3042 (low severity)
NTP Bug 3043 (low severity)
NTP Bug 3044 (low severity)
NTP Bug 3045 (low severity)
NTP Bug 3046 (high severity)

Thank you.