Abu Dhabi Polytechnics’ Weekly Newsletter on Information Security Issues
InfoSEC Times
It's Your Newsletter!
Welcome to the Fifth edition of our new newsletter from Abu Dhabi Polytechnic. This is the First Edition of the Academic year.
We would like to encourage and invite our readers to contribute to the development of this newsletter so that we may keep everyone informed about the current issues that may affect us all in the ever-increasing world of computers and technology.
Bash "Shellshock" bug: Who needs to worry?
Right now, security professionals are scrambling to fix a
security flaw some are calling Shellshock. It's a major
vulnerability related to Bash, a computer program that's
installed on millions of computers around the world.
There's been a lot of confusion in mainstream media
accounts about how the bug works, who's vulnerable,
and what users can do about it.
Who is vulnerable?
Bash is installed on many computers running operating systems derived from an ancient operating system called Unix. That includes Macs, as well as a lot of web servers running operating systems such as Linux.
Whether these computers are actually vulnerable depends on whether they invoke Bash in an unsafe way. We already know that this is true of many web servers, and it's believed that other types of network services could also be vulnerable. But it'll take a while for security experts to audit various pieces of software to check for vulnerabilities.
What should I do to protect myself?
Unfortunately, there isn't a ton you can do in the short run. Presumably, Apple will release updated versions of their software soon. So keep an eye out for that on your platform's software update service, and install it as soon as it's available.
There has also been some speculation that a service called DHCP might be vulnerable, though this is looking increasingly doubtful. This is a service that allows laptops, tablets, and smartphones to automatically configure themselves when they log into a wifi network. A malicious wifi router could use the bug to hack into users' laptops and mobile devices. So if you're a Mac user, it might be prudent to avoid logging into untrusted wifi networks — for example, at coffee shops — until Apple has released a security update.
But for the most part, the vulnerability affects servers more than users' own computers. So most of the heavy lifting needs to be done by security professionals, not the rest of us.
In this issue:
Bash "Shellshock" bug: Who needs to worry?
FBI Head Criticizes Apple, Google Over Data Encryption
Malvertising Could Replace Exploit Kits: Researchers
This Simple Tip Will Protect You from Identity Thieves with Thermal Cameras
In Cyberspace, Anonymity and Privacy are Not the Same
Security is hard – technicaleducation.cisco.com vulnerable to XSS
ISSUE 05
October 2014
What could attackers do with this vulnerability?
The bug can be used to hack into vulnerable servers. Once inside, attackers could deface websites, steal user data, and engage in other forms of mischief.
There's a good chance that hackers will use the vulnerability to create a worm that automatically spreads from vulnerable machine to vulnerable machine. The result would be a botnet, a network of thousands of compromised machines that operate under the control of a single hacker. These botnets — which are often created in the wake of major vulnerabilities — can be used to send spam, participate in denial-of-service attacks on websites or to steal confidential data.
Security professionals are racing to update their server software before the bad guys have time to attack it.
FBI Head Criticizes Apple, Google Over Data Encryption
Federal Bureau of Investigation director James Comey hit out at Apple and Google over new data-security measures designed to reassure customers wary of government prying.
Google and Apple this month announced they are hardening encryption tactics on devices powered by their mobile operating systems.
The move should mean that even if law enforcement agencies have court-issued search warrants, they will be blocked from getting hold of pictures, messages and other personal data stored on newer Android or Apple smartphones and tablets.
"I am a huge believer in the rule of law," Comey told journalists.
"But I also believe that no one in this country is beyond the law. What concerns me about this is companies marketing something expressly to allow people to place themselves beyond the law."
Comey said the FBI had had initial discussions with Apple and Google about the new security measures. He said law enforcement, with a search warrant, must have access to data on criminals' smartphones. In a reference to US intelligence leaker Edward Snowden, the FBI head said that in a "post-Snowden world... this is an indication (some corporations) go too far."
Source: www.businessinsider.com
How hard will it be to fix the problem?
From a technical perspective, the fix shouldn't be too difficult. A partial fix has already been made available, and a full fix should be released soon.
The tricky thing will be that, as with the Heartbleed vulnerability earlier this year, Bash is embedded in a huge number of different devices, and it will take a long time to find and fix them all.
For example, many home wifi routers run web servers to enable users to configure them using a web browser. Some of these devices may be vulnerable to a Bash-related attack. And unfortunately, these devices may not have an automatic or straightforward mechanism for upgrading their software. So old IT devices might have lingering vulnerabilities for many years.
As expected, attackers have begun exploiting the GNU Bash "Shellshock" remote code execution bug (CVE-2014-6271) to compromise systems and infect them with malware.
After the disclosure of its existence, AlienVault began running a new module in their honeypots, waiting for attackers aiming to exploit this vulnerability.
"We have had several hits. Most of them are systems trying to detect if the system is vulnerable and they simply send a ping command back to the attacker's machine," shared researcher Jaime Blasco. "Apart from those hits we have found two attackers that are using the vulnerability to install two different pieces of malware on the victims."
Source: www.net-security.org, www.vox.com
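The probes the honeypots recorded above are the kind of traffic an ordinary web-server log also shows. As an added example (not part of the newsletter, nor of AlienVault's honeypot module), the following Python scans a few constructed Apache-style combined-format log lines and flags requests whose User-Agent, Referer or request line carries the Bash function-definition prefix that triggers CVE-2014-6271; the log lines, IP addresses and helper names are constructed for this illustration.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# CVE-2014-6271 fires when an environment variable's value starts with a Bash
# function definition, i.e. the prefix "() {" (inner whitespace optional).
# Web servers copy request headers into CGI environment variables, so that
# prefix inside a header is the signature of a probe. The pattern tolerates
# the spacing variants seen in the wild.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Header-derived fields a CGI script would see as environment variables.
CHECKED_FIELDS = ("agent", "referer", "request")


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_shellshock(lines):
    """Return a list of (source_ip, field, raw_value) for requests carrying the
    signature. Values are URL-decoded first, so a percent-encoded prefix in
    the request line (e.g. %28%29%20%7B) is caught as well."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines instead of crashing on them
        for field in CHECKED_FIELDS:
            if SHELLSHOCK_RE.search(unquote(entry[field])):
                hits.append((entry["ip"], field, entry[field]))
                break  # one hit per request is enough for alerting
    return hits


# Constructed sample log lines (not real traffic). The second carries the
# prefix in the User-Agent, the third percent-encoded in the request path.
SAMPLE_LOG = [
    '198.51.100.10 - - [25/Sep/2014:10:00:01 +0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Sep/2014:10:00:05 +0400] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "() { :;}; echo probe"',
    '203.0.113.9 - - [25/Sep/2014:10:00:09 +0400] "GET /cgi-bin/%28%29%20%7B%20%3A%3B%7D%3B%20echo HTTP/1.1" 404 0 "-" "curl/7.30"',
    'garbage line that is not a log entry',
]

if __name__ == "__main__":
    for ip, field, value in flag_shellshock(SAMPLE_LOG):
        print(f"ALERT {ip}: shellshock prefix in {field}: {value!r}")
```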
Malvertising Could Replace Exploit Kits: Researchers
Over the past months, there have been numerous reports from security companies on successful malvertising campaigns. Through malicious advertisements distributed via popular ad networks, cybercriminals reached the visitors of several high-profile websites such as Amazon, YouTube, Yahoo, Java.com, DeviantArt and many others.
"Drive-by download" is one of the most efficient malware distribution methods. In these operations, the attacker uses spam or compromised sites to redirect victims to a page hosting an exploit kit. The exploit kit then leverages vulnerabilities in the software running on the victim's machine to serve malware. In fact, the experts believe advertising networks could become the next primary attack vector as they might turn out to be even more efficient than exploit kits.
One important advantage of using ad networks for distributing malware is that the attacker can specify the targeted audience. For example, Google subsidiary DoubleClick, which was recently involved in a major malvertising operation, allows advertisers to select the users they are targeting based on parameters such as language, country, operating system, browser, device and search topics.
"Similar functionality is usually implemented in exploit kits, but in this case it is completely handled by the advertising network. Setting operating system to Windows XP and browser to Internet Explorer allows an attacker to use old exploits that are publicly available and proven effective. With this configuration they don't need to worry about such defenses as ASLR, EMET etc," Kashyap and Kotov explained in their paper. "Language and country parameters allow an attacker to focus on a specific geographical location. This is handy if an attacker has a working scheme of monetizing stolen bank cards or victim personal data in a particular country."
Malvertising usually goes hand in hand with exploit kits. However, because of the opportunities offered by Flash, cybercriminals could soon start launching attacks from the banner itself. The experts believe Flash banners are the most dangerous type of ads from a security standpoint. That's because they're highly prevalent, they're not actually malicious so they're more difficult to detect and block, and the ActionScript scripting language for Flash is powerful enough, the researchers said.
Malvertising attacks that leverage Flash banners are not uncommon. Bromium analyzed one such attack in February, and Malwarebytes observed a campaign back in June. The Flash banners either redirect users to a malicious page after they're clicked, or they add a stealthy redirect to the page in the form of an iframe. However, experts believe the banners themselves could soon incorporate exploit kits.
"The problem with attacking from the Flash banner directly is there are size constraints defined by the ad network and it is usually up to 200K. The banner must look normal and should not contain any suspicious elements such as a huge chunk of high entropy data. This constraint could be overcome though by deploying steganography and hiding malicious code in the image," the researchers said.
Source: www.securityweek.com
This Simple Tip Will Protect You from Identity Thieves with Thermal Cameras
With the continued rapid advancement of technology, new software and devices are coming out all the time that better your camera phone and allow you to take unique and high quality photos. There are apps that can take long exposures, create panoramas, edit photos, and so on. There are detachable camera phone lenses ranging from macro to telephoto, fancy camera mounts, and flexible tripods. The list goes on. But, with all the good, comes the bad.
There is a new product, using old technology, that allows iPhones to take pictures in infrared. Sounds cool—and it is in many ways—but the thermal cameras have the ability to capture very important personal info—specifically banking PIN codes.
Here's how to avoid your PIN getting stolen
Mark Rober explains how you can protect yourself from identity thieves who use infrared camera phone technology to take pictures of banking PIN codes. There is a new device that has just hit the market that clips onto the back of an iPhone and displays infrared. This means the phone can now photograph heat—your thermal signature.
Every time you touch something, you leave behind
your thermal signature, including when you
punch your PIN into a keypad. Each time you
press a button, the heat from your finger transfers
to that button. As soon as you’ve finished your
purchase, the thief just needs to get to the keypad
before the heat fades and briefly hover their phone
over the keypad long enough to snap a shot.
With the thermal camera, they can easily see
which buttons you pressed, and even worse, the
order in which you pressed them. This is because
the first numbers pressed will start to lose heat as
you continue and the last number in the code will
be hotter than the rest, which shows up as orange
or red.
How to prevent PIN theft
One very simple way to prevent this from happening to you is to just rest your fingers on the keypad and unused numbers as you punch in your code. This will spread your heat all over the keypad, making it almost impossible to tell which numbers were used.
Now, the means by which these thieves steal the rest of your card info, like the absolutely necessary number, can vary—skimmer devices, taking a snapshot of the front of the card as you use it, physically robbing you. There are many ways experienced and crafty identity thieves can obtain your card number, but we're just talking about the PIN here. So, as much as you think the PIN is useless without the actual card, isn't it best just to cover all your bases and stay
Source: www.picturecorrect.com
Security is hard – technicaleducation.cisco.com vulnerable to XSS
On 21 August 2014 a security researcher reported to XSSposed (XSS exposed) that technicaleducation.cisco.com has an XSS (Cross-Site Scripting) vulnerability; the site currently has 2 vulnerabilities in total reported by security researchers.
Cross-Site Scripting (XSS) inserts specially crafted data into existing applications through Web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a modification to a browser script, to a different end user. XSS attacks often lead to bypass of access controls, unauthorized access, and disclosure of privileged or confidential information. Cross-site scripting attacks are listed as the number three vulnerability on the OWASP Top 10 list for 2013. XSS attacks are becoming more and more sophisticated these days and are being used in combination with spear phishing, social engineering and drive-by attacks.
The vulnerability is still unpatched, putting technicaleducation.cisco.com users, visitors and administrators at risk of being compromised by malicious hackers. Theft of cookies, personal data, authentication credentials and browser history are probably the less dangerous consequences of XSS attacks.
Source: www.infosecnews.org
In Cyberspace, Anonymity and Privacy are Not the Same
The Misconception that Internet Privacy Equals Anonymity Must be Dispelled if Cyberspace is to be a Secure and Safe Place...
In July 2014, a bill sponsored by Senator Dianne Feinstein of California, S.2588 – The Cybersecurity Information Sharing Act of 2014, was placed on the Senate's legislative calendar. S.2588 requires that a number of Federal agencies, including the Office of the Director of National Intelligence and the Departments of Homeland Security (DHS), Defense and Justice develop procedures for the real-time sharing of classified and unclassified cyber threat indicators with private entities as well as non-federal government agencies and state, tribal, or local governments and also provides for making unclassified indicators publicly available.
S.2588 is in good company. A bill from the House of Representatives, sponsored by Representative Michael McCaul of Texas, H.R. 3696 – The National Cybersecurity and Critical Infrastructure Protection Act of 2014, requires the Secretary of Homeland Security to, among other things, share cyber situational awareness among federal entities and to ensure that DHS policies and procedures enable private sector critical infrastructure owners and operators to receive appropriate and timely cyber threat information. Additionally, the bill includes language specifying that the legislation does not provide DHS with any new regulatory authority.
Unsurprisingly, security, which is necessarily focused on maintaining a high degree of environmental and situational awareness, immediately runs afoul of concerns arising from the "privanymity" conflation. This collision is both unfortunate, as it prevents both industry and government from implementing effective cybersecurity measures, and based on a misperception of how anonymity and privacy interact.
There aren't many who would argue that information sharing with respect to the looming, and growing, cyber threat is a good thing. Shared situational awareness has the benefit of amplifying the effects of mitigation efforts and may allow many targets to avoid the impact of the threat entirely. So why are these two bills stalled in the legislature?
Part of the answer can be found in communications from constituents and organizations opposing the bills. A few notable quotes:
"The collection of data and potential prosecution of civilians would bolster the distrust and resentment of the American people towards their government."
“You won't like what happens if you try to ruin our
open and free Internet… You're here to govern the
United States from your district as elected, the
Internet isn't yours to regulate.”
“CISA presents many of the same problems as the failed
Cybersecurity Information Sharing and Protection Act
(CISPA) of 2012, which contained significant privacy
concerns and other shortcomings. Privacy experts have
pointed out how CISA would damage the privacy and
civil liberties of users. Language in CISA, like CISPA,
enables the automatic and simultaneous transfer of
cybersecurity information to U.S. intelligence agencies
like the National Security Agency.”
In a nutshell, there's strong, bipartisan grassroots opposition to the idea of the Federal government collecting and disseminating data in an effort to enhance cybersecurity. Much, if not most, of this opposition stems from concerns about privacy and its protection. It's both easy and tempting to jump on this bandwagon.
Unfortunately, many of the privacy grievances stem from the frequent conflation of privacy with anonymity. The two are qualitatively, and legally, different, but confusion about this likely comes from the Internet's original architecture, which placed great value on the reliability and robustness of communications, but less emphasis on identity management and security.
Source: www.securityweek.com
InfoSEC Times Issue 05
Abu Dhabi Polytechnic, Mohammed Bin Zayed City, PO BOX 111499, Abu Dhabi, UAE
For information and to get involved in the next issue contact:
Dr. Jamal Al-Karaki at:
Phone: +971 2-6951047
Upcoming Events
The Smart Devices Security and Privacy Contest
Smart devices such as smartphones (iPhone, Android, BlackBerry and Windows devices) are becoming an integral part of our daily life. Studies show that they are one of the fastest spreading technologies in human history. This motivated the UAE federal government to develop mobile applications that can better serve the community as part of the UAE Vision 2021 and Abu Dhabi Vision 2030 and in line with the creation of smart government. Such a transition requires good attention to security and privacy related problems, which require the creation and development of secure and reliable applications that can ensure the security of users and entities. Such a challenge can be considered by organizing a new smart devices security and privacy competition that can increase mobile security awareness among the UAE community.
This competition will be a great opportunity for professionals and students that are working and/or majoring in the domain of information security and related subjects to measure their skills in smart device security, and to acquire valuable experience. The competition will allow participants to interact with other students and professionals from different institutes where they will have the opportunity to test their security skills and knowledge. For more information visit www.smartsec.ae