Tag Archives: apple

Pwn2Own 2019 Results

TL DR: With popular products such as the Tesla Model 3, Apple Safari, Mozilla Firefox, Oracle VirtualBox, VMware Workstation Pro and Microsoft Edge being successfully exploited; please install the necessary updates when they become available.

The annual white hat hacking contest known as Pwn2Own took place last week. Detailed results from all 3 days are available from this link.

Day 3 saw initially two teams attempting to exploit a Tesla Model 3 before one withdrew. The team Fluoroacetate made up of both Richard Zhu and Amat Cama successfully exploited the infotainment system of the Tesla earning them a further $35,000 and the car itself. They earned $375k in total and became the Master of Pwn for 2019. The contest overall distributed $545k for 19 vulnerabilities.

In contrast to previous years the researchers have targeted vulnerabilities other than those within the operating system kernel (defined) to obtain a total system compromise. Only 3 times were exploits on the OS kernel used this year (one exploit was used in conjunction when exploiting each of the web browsers Apple Safari, Microsoft Edge and Mozilla Firefox).

We can expect updates for each of the exploited products over the coming weeks and months (the vendors have up to 120 days to resolve the vulnerabilities before public disclosure). Mozilla released Firefox 66.0.1 and 60.6.1 to resolve the 2 Firefox CVEs (defined) disclosed during the contest.

If you use the affected products, please keep current with the necessary updates. Thank you.

Blog Post Shout Out March 2019

TL DR: If a device that stores your personal information has reached the end of it’s life, please strongly consider erasing it correctly before recycling or disposing of it.

A security researcher from Rapid7 purchased 85 used pieces of technology to check them for data left behind by their previous owners. 80 of the devices had data still remaining on them.

He was able to uncover the following:

  • 214,019 images, 3,406 documents and 148,903 email messages
  • 611 email addresses, 50 dates of birth, 41 Social Security numbers, 19 credit-card numbers, six driver’s license numbers and two passport numbers.

For these reasons I wanted to provide a respectful shout out to the following blog post by Josh Frantz of Rapid7:

https://blog.rapid7.com/2019/03/19/buy-one-device-get-data-free-private-information-remains-on-donated-devices/

When our devices have reached the end of their useful life we need to become better at removing our data from them. Please find below recommended guides for Apple iPhones, Google Android device and hard disks (both RAID and simple disk set ups). My thanks to Mr. Josh Frantz for collecting these links within his post.

Thank you.

====================
Apple iPhone:
https://support.apple.com/en-us/HT201351

Google Android:
https://www.greenbot.com/article/2451612/how-to-properly-and-securely-erase-your-android-device.html

Hard disks (typically how they are set up):
https://www.lifewire.com/how-to-erase-a-hard-drive-using-dban-2619148

Hard disks (when used in a RAID configuration):
https://linhost.info/2010/06/parted-magic-erase-a-hard-drive/
====================

Apple KeyChain Vulnerability Disclosed

Last week a security researcher publicly disclosed a vulnerability within Apple macOS’ Keychain (Apple’s password management system). The exact proof of concept code has not been released.

TL DR:  This vulnerability is currently unpatched by Apple. Be cautious of the links you click on, email attachments and applications you download/open. Keep your system current with already released updates. Watch for updates from Apple in the near future.

Why should this vulnerability be considered important?
This vulnerability affects all versions of Apple macOS up to the most recent 10.14.3 (Mojave). Apple Keychain is used to store passwords for application, websites and servers. This information is encrypted by default blocking access via other means without your permission.

However; the exploit allows an attacker to access this information from a standard user account (thus not requiring root (defined)(privileged) access) without generating a password prompt. The keychain must first be unlocked but it is when you are logged into the system. The System keychain which contains (among other items) is not affected. Thus, if the attacker can persuade you to run an application of their choice (e.g. substituting an app that looks like an app you regularly download manually); they could obtain your passwords/sensitive information. A YouTube video demonstrating the custom application designed to exploit this is provided below:

https://youtu.be/nYTBZ9iPqsU

How can I protect myself?
Please see the TL DR above. You should also consider manually locking your keychain or setting a keychain specific password (further details below).

===========

Lock your Keychain:
Open Keychain Access in the Applications: Utilities folder. Select your keychain (usually your user name) in the drawer (click on Show Keychains in the toolbar if it’s not visible). Then choose Edit: Change Settings For Keychain keychain name. Select Lock After 5 Minutes Of Inactivity (or lower according to your preference).

Password Protect Your Keychain:
Open the Keychain Access application, and select your keychain in the drawer. Select Edit: Change Password For Keychain keychain name, and then enter a new password.

With thanks to MacWorld:

===========

Why did the researcher not disclose this to Apple privately?
The researcher, Linus Henze chose not to privately disclose this to Apple since while Apple have a bug bounty for iOS which is by invite only; they don’t have such a program for macOS. The researcher wishes to highlight this omission. A quote from the researcher is included below (my thanks to Sergiu Gatlan of BleepingComputer.com) for this:

“Please note that even if it looks like I’m doing this just for the money, this is not my motivation at all in this case. My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers. I really love Apple products and I want to make them more secure. And the best way to make them more secure would be, in my opinion, if Apple creates a bug bounty program (like other big companies already have)”

Separately he is not the only researcher to be criticising Apple’s approach to vulnerability remediation. Ian Beer of Google Project Zero publicly criticised Apple last August for simply fixing vulnerabilities rather than thinking of them in an exploit context namely “Why is this bug here? How is it being used? How did we miss it earlier? What process problems need to be addressed so we could have found [the bug] earlier? Who had access to this code and reviewed it and why, for whatever reason, didn’t they report it?”

Thank you.

Linux and Windows Address Page Cache Vulnerabilities

In early January security researchers located further vulnerabilities in how Windows and Linux operating systems use a memory page cache.

How severe are these vulnerabilities and what is their impact?
One of the co-authors of the academic paper disclosing these vulnerabilities described the work as mostly “a matter of academic interest” meaning that attackers are less likely to take advantage of these vulnerabilities.

Local attacks:
For the localised rather than remote variant of utilizing these vulnerabilities; the attacker must already have gained access to the victim system to read the target memory page. The attacker could do this by “[having a] malicious process on the operating system or when processes run in sandboxes that have shared files”.

Other actions an attacker could potentially carry out are:

• Cloning an open window and replacing the legitimate application window
• Gathering the root (Linux) or administrator (Windows) password

Remote attack:
To exploit the vulnerabilities remotely; the researchers leveraged “timing differences between memory and disk access, measured on a remote system, as a proxy for the required local information”. This was achieved by measuring the times when soft page faults (the page is erroneously mapped, with the help of a process that runs on a remote server) occurred. The researchers were successful in sending data covertly from an unprivileged malicious process within the victim system to a remote server fulfilling the role of a web server. They used a technique from previous research namely the NetSpectre attack to distinguish cache hits and misses over a network connection. This was successful on systems with mechanical hard drives (HDDs) and solid-state disks (SSDs). SSDs were more complex since the timing differences were smaller but the researchers compensated by using larger files to distinguish between cache hits and misses.

How can I protect my organization/myself from these vulnerabilities?
Since these vulnerabilities are more academic in nature; attackers are less likely to exploit them. Linus Torvalds has explained that the code to resolve this vulnerability has been checked in and is undergoing testing before being more widely rolled out. For Windows; Build 18305 of the upcoming Windows 19H1 (otherwise known as Version 1903) due for release in April 2019 contains fixes for these vulnerabilities. It is anticipated Microsoft will back-port this patch to earlier Windows versions.

In addition; the mitigations for the Spectre vulnerabilities from last year should address the remote attack vector using the NetSpectre attack method.

Why are there so many timing attacks being disclosed lately?
Since modern systems rely on timing for almost every component e.g. the CPU (internal caches and registers respond in nanoseconds (ns)), the memory/RAM (e.g. CAS latency), HDDs (measured in milliseconds (ms) e.g. 8.9 ms), SSDs (e.g. 0.05 ms , much faster) we are likely to continue to see further vulnerabilities disclosed as further scrutiny is applied to devices and architectures that have been in use for many years.

E.g. the affected code from Linux was timestamped in 2000 and stated that further revision should be carried out when more information was known. 19 years later we know more and are revising that code. It’s a similar situation with Windows where the revised code works to ensure low privilege processes can no longer access page cache information or shared cache information. As The Register points out; “something complex that’s just working can remain untouched for a very long time, lest someone breaks it” and is more likely to contain vulnerabilities since nobody has taken the time to look for what has been there for years.

Thank you.

Blog Post Shout Out: June 2018

A number of varied security issues have come to my attention this week which I wanted to keep you informed of. I will provide a respectable shout out to the following sources:

Apple Encrypted Drive Information Disclosure:
At this time Apple macOS has an information disclosure vulnerability that affects encrypted drives in general (encrypted Apple HFS+ / APFS+ and VeraCrypt) that provide the potential for an attacker to obtain details of the files an encrypted hard drive is storing.

This vulnerability originates from the quick look feature of macOS; which allows a user to preview photos, files and folders quickly without having to open them. This feature stores the thumbnails (defined) of the files centrally in a non-encrypted area of the hard disk. This issue can also occur when a USB memory drive is inserted; the same feature stores thumbnails on the external drive and on the boot drive of the macOS system.

If you use an encrypted hard disk or value your privacy when using external drives, please run the following command documented at the end of the following news article after you have viewed sensitive info and want to clear that history/activity:

macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives: BleepingComputer by Catalin Cimpanu

This suggestion is a workaround until (and if) Apple patches this.

=================
Yubico WebUSB Bypass:
The two-factor authentication/secure login vendor, Yubico has published a security advisory for the use of their YubiKeys. The vulnerability does not reside within the hardware keys themselves but in the authentication steps a web browser (e.g. Google Chrome) uses to authenticate an individual.

In summary, if you are using Google Chrome, please ensure it is updated to version 67 or later and follow the additional suggestion from Yubico in their security advisory:

Security Advisory 2018-03-02 – WebUSB Bypass of U2F Phishing Protection: Yubico

Windows 10 Persistent Malware:
The security vendor BitDefender have published a 104 page report detailing a spyware (defined) which uses rootkit functionality (defined). This malware is noteworthy due to its longevity (dating back to 2012) and it’s ability to install even on modern versions of Windows e.g. Windows 10:

Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation: BitDefenders Labs

=================
On a side note I am not too surprised this infection can persist on Windows 10. If a user is tricked into running malware e.g. by clicking a link or opening an attachment either of which can be contained in  a phishing (defined) email or an even more convincing spear phishing (defined) email from an organization or colleague you trust; strong defences won’t always keep you from becoming infected.

The BitDefender report can be downloaded from the above link (it does not request any personal information).

=================
The following news article links to 2 detailed but still easy to follow removal guides. If you are experiencing un-wanted adverts showing within websites that don’t usually show them (even though you are using an ad blocker) or are experiencing re-directs namely you wish to visit website A but are actually sent to website B, please follow these guides to remove this malware:

Rootkit-Based Adware Wreaks Havoc Among Windows 10 Users in the US: BleepingComputer: by Catalin Cimpanu
=================

Thank you.

Intel Lazy Floating Point Vulnerability: What you need to know

====================
Update: 24th July 2018:
====================
I have updated the list of vendor responses below to include further Red Hat versions and CentOS:

Red Hat Enterprise Linux 6:
https://access.redhat.com/errata/RHSA-2018:2164

Red Hat Enterprise Linux 5 and 7:
https://access.redhat.com/solutions/3485131

CentOS 6:
https://lists.centos.org/pipermail/centos-announce/2018-July/022968.html

CentOS 7:
https://lists.centos.org/pipermail/centos-announce/2018-June/022923.html

====================

On Wednesday of last week, a further vulnerability affecting Intel CPUs (defined) was disclosed.

TL;DR: Keep your operating system up to date and you should be fine.

What makes this vulnerability noteworthy?
According to Intel’s security advisory; this is an information disclosure issue. Similar to Spectre/Meltdown the flaw is the result of a performance optimization (used when saving and restoring the current state of applications as a system switches from one application to another). A feature known as Lazy Floating Point (defined) Unit (FPU) is used to save and restore registers (defined) within the CPU used to store floating point numbers (non-integers numbers, namely decimal numbers).

The issue is that these registers may be accessed by another application on the same system. If the registers are storing for example results of performing cryptographic equations for a key you have just created or used to decrypt data, the attacker could use this data to infer what the actual key is. The same applies for any type of data the registers store; that data can be used to infer what the previous contents were via a speculative execution side channel.

This vulnerability has been rated as moderate since it is difficult to exploit via a web browser (in contrast to Spectre) and the updates will be a software update only; no microcode (defined) and/or firmware (defined) updates will be necessary. With exploitation via a web browser being difficult; this vulnerability will likely instead be exploited from the victim system (at attacker will need to have already compromised your system).

How can I protect myself from this vulnerability?
Please note; AMD CPUs are NOT affected by this vulnerability.

The following vendors have responded to this vulnerability with software updates now in progress. Separately Red Hat has completed their updates for Red Hat Linux 5, 6 and 7 (with further applicable updates still in progress).

Other vendors responses are listed below. Thank you:

Amazon Web Services

Apple (currently release notes for an update to macOS to resolve the vulnerability)

DragonFlyBSD

Intel’s Security Advisory

Linux

Microsoft Windows

OpenBSD

Xen Project

Increasing the privacy and security of virtual assistants

With the growing number of consumers choosing to add smart speakers to the devices within their home; attackers will likely begin to leverage this trend for their own nefarious purposes. Moreover, there has recently been an example of how these devices can inadvertently breach your privacy. Adding to this; security researchers have already demonstrated vulnerabilities showing that unintended actions are possible.

Researchers from Indiana University in Bloomington, the University of Virginia and the Chinese Academy of Sciences recently demonstrated the following vulnerabilities and their affects leading to Amazon and Google evaluating possible fixes or working on ways to mitigating them:

Scenario 1: Smart speaker has a 3rd party app “skill” installed which accepts an activation phrase (“Alexa” [follow by your choice of words]) very similar to other legitimate apps. It has the potential to hijack the connection

Scenario 2: Using a rogue skill; an attacker can eavesdrop on conversations and simulate returning control to a legitimate skill but instead carry on to gather further sensitive information from the user. Recent research carried out has had about 50% success with impersonating legitimate skills.

Scenario 3: Previous research back in April involved creating a skill that purposely fails to terminate after hearing the activation phrase

What steps can I take to make these attacks more difficult?
The advice below will not only make your device more secure but will also safeguard your privacy by ensuring data is not stored by the smart speaker vendor over a long period of time:

Amazon Echo Devices:
https://www.amazon.com/gp/help/customer/display.html?nodeId=202168870

Google Home Firmware Versions:
https://support.google.com/googlehome/answer/7365257?hl=en&ref_topic=7071995

Apple HomePod:
https://www.imore.com/how-install-software-updates-your-homepod

====================
Update: 14th August 2019
====================
Amazon have introduced a privacy setting to allow people to opt-out of their Amazon Echo “Alex” recording being reviewed by human listeners:

Accessible from “Settings”, click on the Alexa Privacy link, and choose “Manage How Your Data Improves Alexa”.

The following guide details how to delete past Amazon Echo recordings:
https://www.tomsguide.com/us/how-to-see-erase-alexa-recordings,news-24094.html

References:
Apple HomePod List of Privacy Features

Data security & privacy on Google Home

Some tips to guard your privacy while using the Amazon Echo

Some further steps to take to better secure your Amazon Echo

Apple releases its first HomePod software update, but no AirPlay 2 or pairing

Amazon Echo: Complete list of commands