Tag Archives: encryption

Blog Post Shout Out: June 2018

A number of varied security issues have come to my attention this week which I wanted to keep you informed of. I will provide a respectable shout out to the following sources:

Apple Encrypted Drive Information Disclosure:
At this time Apple macOS has an information disclosure vulnerability that affects encrypted drives in general (encrypted Apple HFS+ / APFS volumes and VeraCrypt volumes) and gives an attacker the potential to learn details of the files an encrypted hard drive is storing.

This vulnerability originates from the Quick Look feature of macOS, which allows a user to preview photos, files and folders quickly without having to open them. This feature stores the thumbnails (defined) of the files centrally in a non-encrypted area of the hard disk. The issue also occurs when a USB memory drive is inserted: the same feature stores thumbnails both on the external drive and on the boot drive of the macOS system.

If you use an encrypted hard disk or value your privacy when using external drives, please run the command documented at the end of the following news article after you have viewed sensitive information and want to clear that history/activity:

macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives: BleepingComputer by Catalin Cimpanu

This suggestion is a workaround until (and if) Apple patches this.

=================
Yubico WebUSB Bypass:
Yubico, the two-factor authentication/secure login vendor, has published a security advisory for users of its YubiKeys. The vulnerability does not reside within the hardware keys themselves but in the authentication steps a web browser (e.g. Google Chrome) uses to authenticate an individual.

In summary, if you are using Google Chrome, please ensure it is updated to version 67 or later and follow the additional suggestion from Yubico in their security advisory:

Security Advisory 2018-03-02 – WebUSB Bypass of U2F Phishing Protection: Yubico

Windows 10 Persistent Malware:
The security vendor BitDefender has published a 104 page report detailing a spyware (defined) which uses rootkit functionality (defined). This malware is noteworthy due to its longevity (dating back to 2012) and its ability to install even on modern versions of Windows, e.g. Windows 10:

Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation: BitDefender Labs

=================
On a side note, I am not too surprised this infection can persist on Windows 10. If a user is tricked into running malware, e.g. by clicking a link or opening an attachment, either of which can be contained in a phishing (defined) email or an even more convincing spear phishing (defined) email appearing to come from an organization or colleague you trust, strong defences won’t always keep you from becoming infected.

The BitDefender report can be downloaded from the above link (it does not request any personal information).

=================
The following news article links to 2 detailed but still easy to follow removal guides. If you are experiencing unwanted adverts showing within websites that don’t usually show them (even though you are using an ad blocker), or are experiencing redirects (you wish to visit website A but are actually sent to website B), please follow these guides to remove this malware:

Rootkit-Based Adware Wreaks Havoc Among Windows 10 Users in the US: BleepingComputer by Catalin Cimpanu
=================

Thank you.

Encrypted Linux Systems Affected By Boot Process Vulnerability

Early last week a potentially serious vulnerability (assigned CVE-2016-4484 (defined)) within the Linux boot sequence was disclosed by security researchers at the DeepSec conference in Vienna.

Why Should This Issue Be Considered Important?
This is an elevation of privilege (defined) vulnerability that, when exploited, can result in an attacker obtaining root (defined) level access over your Linux system. It can be exploited by repeatedly pressing the Enter key at the LUKS (Linux Unified Key Setup) password prompt. According to the researchers Hector Marco & Ismael Ripoll, after approximately 70 seconds a new root shell (defined) will appear.

With this shell the attacker can delete all of the information on the encrypted disks the LUKS prompt is designed to protect. The shell could also be used to copy the encrypted information to another location in order to attempt to brute force (defined) it. This also applies to any unencrypted information on the disk. Finally, it could be used to elevate privileges later from a standard user account by storing an executable file with the SetUID bit enabled.

Interestingly, this issue can only occur if the system partition is encrypted. At least the Debian and Ubuntu distributions are vulnerable to this issue. Others may be too, but the researchers have not exhaustively tested them.

Further details of this issue are provided within the researcher’s blog post.

How Can I Protect Myself From This Issue?
The researchers have provided a workaround and have proposed a more permanent fix within their blog post. The fix involves editing the cryptroot file so that the computer simply reboots when the number of password guesses reaches the limit, rather than falling through to a shell.
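To make the fix concrete, here is a constructed, simplified model of the unlock-retry loop in POSIX sh (added for this write-up; it is not the Debian/Ubuntu cryptroot script and all function names are hypothetical). It contrasts the vulnerable outcome, where exhausting the retry limit hands control to a shell, with the hardened outcome, where the limit triggers a reboot instead.

```sh
#!/bin/sh
# Constructed illustration of the initramfs unlock-retry logic, NOT the real
# script. On Debian/Ubuntu the real logic lives in
# /usr/share/initramfs-tools/scripts/local-top/cryptroot and is rebuilt into
# the initramfs with update-initramfs; edit that file, not this one.

# Stand-in for cryptsetup: reads one line of input and compares it with a
# constructed passphrase. A bare Enter press is an empty line, which still
# consumes one attempt, which is exactly what the "hold Enter" attack relies on.
try_unlock() {
    IFS= read -r passphrase || passphrase=""
    [ "$passphrase" = "correct-horse" ]
}

# Vulnerable end state: after the limit, control falls through to the initramfs
# error path, which offers a root shell. Prints the token "shell" for the demo.
drop_to_shell() { echo "shell"; return 1; }

# Hardened end state proposed by the researchers: reboot instead of a shell.
# In a real initramfs this would be something like:  sleep 5; reboot -f
reboot_now() { echo "reboot"; return 1; }

# unlock_loop TRIES ON_EXHAUSTED UNLOCK_CMD...
#   TRIES        maximum attempts (the crypttab "tries=" value)
#   ON_EXHAUSTED function run once the limit is hit
#   UNLOCK_CMD   command that succeeds only on a correct passphrase
# Prints "unlocked" and returns 0 on success; otherwise runs ON_EXHAUSTED.
unlock_loop() {
    tries=$1; on_exhausted=$2; shift 2
    count=0
    while [ "$count" -lt "$tries" ]; do
        count=$((count + 1))
        if "$@"; then
            echo "unlocked"
            return 0
        fi
    done
    "$on_exhausted"
}

# Demo with constructed input: three bare Enter presses, then a correct one.
printf '\n\n\n' | unlock_loop 3 drop_to_shell try_unlock || true   # prints: shell
printf '\n\n\n' | unlock_loop 3 reboot_now try_unlock || true      # prints: reboot
printf '\ncorrect-horse\n' | unlock_loop 3 reboot_now try_unlock   # prints: unlocked
```

The only difference between the two runs is which function sits at the end of the loop; the hardening is in that one line, not in the prompt itself.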

If you are a Linux system administrator or know someone who is, this issue and its fix may be of interest. Thank you.

Are Your Mice Vulnerable To MouseJack?

In late May a colleague brought to my attention a potentially serious security vulnerability discovered by the Internet of Things security firm Bastille. The issue was disclosed earlier this year, in February, and is named MouseJack.

Why Should This Issue Be Considered Important?
While I use the term “issue”, MouseJack consists of several vulnerabilities rather than just one. These vulnerabilities could allow an attacker to type commands of their choice into a victim’s computer from up to 100 metres away. The only equipment the attacker would need is a USD $15 USB dongle.

It’s important to point out that the vulnerabilities are within the firmware of a wireless keyboard/mouse USB dongle and not the mouse itself. Firmware is semi-permanent embedded software code that allows a device to carry out its function by having the low-level hardware carry out useful sequences of events.

While the need to encrypt the data travelling between a wireless keyboard and the computer it is connected to was recognised and implemented by many well-known vendors (since keyboards are used to enter passwords and other sensitive data), the same encryption was not applied to the transmission of mouse clicks (and other buttons, including scroll wheels) from the mouse to the computer.

A proof of concept video demonstrating how these vulnerabilities can be used by an attacker was made available on YouTube and illustrates the vulnerabilities very well.


How Can I Protect Myself From These Issues?

I found this CERT security advisory very helpful in terms of next steps to follow.

Since I own a lot of Logitech mice and a keyboard it was fantastic to see that Logitech made available a security update that upgrades the firmware of the USB dongle to resolve these vulnerabilities.

While Lenovo did the same, they don’t allow end users to install it; you need to contact them to arrange an exchange of your devices (Dell provided a similar response). Microsoft, on the other hand, issued an update for affected devices in a similar manner to Logitech, which doesn’t require you to return your devices.

I have provided links to some of the vendors’ responses/updates below:

Lenovo
Dell (PDF)
Microsoft

A full list of the affected devices is available here. This page also provides further recommended actions.

All but one of my mice are Logitech Performance MX (which I purchased from 2009 onwards). Every dongle belonging to each of the mice had old vulnerable firmware installed (including a Performance MX purchased in March this year).

My mice had the following vulnerable versions installed:

  • 012.001.00019
  • 012.003.00025 (March 2016 mouse)

I followed the steps within this Logitech forum thread (please see the first post) to very quickly patch each of the USB dongles using one of my Windows systems. The mice continue to work as normal, but without the vulnerabilities.

The firmware versions of all previously affected USB dongles are now 012.005.00028.

While my mice are not listed as affected, the Unifying USB dongle is present across almost all of Logitech’s product range making the Performance MX affected by association rather than directly.

The spare Logitech keyboard and mouse (Logitech MK250) that I have are not affected by these issues, since they use an older and much larger USB receiver. This receiver doesn’t have the Unifying technology that was vulnerable to these issues.

I verified that the firmware of the receiver was not affected by installing the Logitech Connect Utility v2.0.3.0. This is the equivalent of the newer Unifying software for this keyboard and mouse.

The firmware version was 015.000.00048, which is not in the affected ranges (012.xxx.000xx and 024.xxx.000xx) that the Logitech update was designed to address.

I wanted to point this vulnerability out to those who use wireless keyboards and mice, since they may also be vulnerable to this issue. For those fortunate enough to use Microsoft and Logitech peripherals, you can install the necessary updates quickly and easily.

Many thanks to my colleague (you know who you are) for bringing these vulnerabilities to my attention.

I hope that the above information is helpful. Thank you.