
Abu Dhabi Polytechnic's Weekly Newsletter on Information Security Issues

InfoSEC Times

It's Your Newsletter!

Welcome to the fifth edition of our new newsletter from Abu Dhabi Polytechnic. This is the first edition of the academic year.

We would like to encourage and invite our readers to contribute to the development of this newsletter so that we may keep everyone informed of the current issues that may affect us all in the ever-growing world of computers and technology.

Bash "Shellshock" bug: Who needs to worry?

Right now, security professionals are scrambling to fix a security flaw some are calling Shellshock. It's a major vulnerability related to Bash, a computer program that's installed on millions of computers around the world. There's been a lot of confusion in mainstream media accounts about how the bug works, who's vulnerable, and what users can do about it.

Who is vulnerable?

Bash is installed on many computers running operating systems derived from an ancient operating system called Unix. That includes Macs, as well as a lot of web servers running operating systems such as Linux.

Whether these computers are actually vulnerable depends on whether they invoke Bash in an unsafe way. We already know that this is true of many web servers, and it's believed that other types of network services could also be vulnerable. But it'll take a while for security experts to audit various pieces of software to check for vulnerabilities.

What should I do to protect myself?

Unfortunately, there isn't a ton you can do in the short run. Presumably, Apple will release updated versions of their software soon. So keep an eye out for that on your platform's software update service, and install it as soon as it's available.

There has also been some speculation that a service called DHCP might be vulnerable, though this is looking increasingly doubtful. This is a service that allows laptops, tablets, and smartphones to automatically configure themselves when they log into a wifi network. A malicious wifi router could use the bug to hack into users' laptops and mobile devices. So if you're a Mac user, it might be prudent to avoid logging into untrusted wifi networks — for example, at coffee shops — until Apple has released a security update.

But for the most part, the vulnerability affects servers more than users' own computers. So most of the heavy lifting needs to be done by security professionals, not the rest of us.

In this issue

Bash "Shellshock" bug: Who needs to worry?
FBI Head Criticizes Apple, Google Over Data Encryption
Malvertising Could Replace Exploit Kits: Researchers
This Simple tip will protect you from Identity Thieves with Thermal cameras
In Cyberspace, Anonymity and Privacy are Not the Same
Security is hard – technicaleducation.cisco.com vulnerable to XSS

Issue 05, October 2014


What could attackers do with this vulnerability?

The bug can be used to hack into vulnerable servers. Once inside, attackers could deface websites, steal user data, and engage in other forms of mischief.

There's a good chance that hackers will use the vulnerability to create a worm that automatically spreads from vulnerable machine to vulnerable machine. The result would be a botnet, a network of thousands of compromised machines that operate under the control of a single hacker. These botnets — which are often created in the wake of major vulnerabilities — can be used to send spam, participate in denial-of-service attacks on websites or to steal confidential data.

Security professionals are racing to update their server software before the bad guys have time to attack it.

FBI Head Criticizes Apple, Google Over Data Encryption

Federal Bureau of Investigation director James Comey hit out at Apple and Google over new data-security measures designed to reassure customers wary of government prying.

Google and Apple this month announced they are hardening encryption tactics on devices powered by their mobile operating systems.

The move should mean that even if law enforcement agencies have court-issued search warrants, they will be blocked from getting hold of pictures, messages and other personal data stored on newer Android or Apple smartphones and tablets.

"I am a huge believer in the rule of law," Comey told journalists.

"But I also believe that no one in this country is beyond the law. What concerns me about this is companies marketing something expressly to allow people to place themselves beyond the law."

Comey said the FBI had had initial discussions with Apple and Google about the new security measures. He said law enforcement, with a search warrant, must have access to data on criminals' smartphones. In a reference to US intelligence leaker Edward Snowden, the FBI head said that in a "post-Snowden world... this is an indication (some corporations) go too far."

Source: www.businessinsider.com

How hard will it be to fix the problem?

From a technical perspective, the fix shouldn't be too difficult. A partial fix has already been made available, and a full fix should be released soon.

The tricky thing will be that, as with the Heartbleed vulnerability earlier this year, Bash is embedded in a huge number of different devices, and it will take a long time to find and fix them all.

For example, many home wifi routers run web servers to enable users to configure them using a web browser. Some of these devices may be vulnerable to a Bash-related attack. And unfortunately, these devices may not have an automatic or straightforward mechanism for upgrading their software. So old IT devices might have lingering vulnerabilities for many years.

As expected, attackers have begun exploiting the GNU Bash "Shellshock" remote code execution bug (CVE-2014-6271) to compromise systems and infect them with malware.

After the disclosure of its existence, Alien Vault has begun running a new module in their honeypots and is waiting for attackers aiming to exploit this vulnerability.

"We have had several hits. Most of them are systems trying to detect if the system is vulnerable and they simply send a ping command back to the attacker's machine," shared researcher Jaime Blasco. "Apart from those hits we have found two attackers that are using the vulnerability to install two different pieces of malware on the victims."

Source: www.net-security.org, www.vox.com
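A defender-side check for the kind of probes the honeypot report describes, as an added example that is not from the newsletter or from Alien Vault: it scans web access logs for header values that begin with a Bash function definition, the condition CVE-2014-6271 depends on. The combined log format, the function names and the sample lines (documentation-range addresses, trailing command elided) are assumptions constructed for illustration.

```python
import re
from collections import Counter
from typing import NamedTuple

# "Combined" access-log layout (assumed): the only request headers it records
# are Referer and User-Agent, so those are the fields that can be checked.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# CVE-2014-6271 is triggered when an environment variable's value begins with
# a Bash function definition, "() {". CGI servers copy request headers into
# environment variables, so a header that starts this way is a probe.
# The whitespace tolerance is deliberate, to catch sloppy variants as well.
FUNC_PREFIX = re.compile(r'\s*\(\)\s*\{')


class Hit(NamedTuple):
    ip: str
    timestamp: str
    field: str
    request: str


def find_shellshock_probes(log_text):
    """Return (hits, skipped): flagged requests and the unparseable line count."""
    hits, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            skipped += 1          # keep count so parsing gaps are visible
            continue
        for field, key in (("referer", "referer"), ("user-agent", "agent")):
            if FUNC_PREFIX.match(m.group(key)):
                hits.append(Hit(m.group("ip"), m.group("ts"), field,
                                m.group("request")))
    return hits, skipped


def probes_by_source(hits):
    """Count flagged requests per client address."""
    return Counter(h.ip for h in hits)


# Constructed sample log; the command after the function body is elided.
SAMPLE_LOG = r'''
192.0.2.15 - - [26/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [26/Sep/2014:10:03:44 +0000] "GET /cgi-bin/status HTTP/1.0" 200 312 "-" "() { :; }; <command elided>"
203.0.113.9 - - [26/Sep/2014:10:05:10 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() { ignored; }; <command elided>" "curl/7.30.0"
198.51.100.7 - - [26/Sep/2014:10:06:31 +0000] "GET /cgi-bin/other HTTP/1.0" 200 98 "-" "() { :; }; <command elided>"
this line is not in combined log format
'''

if __name__ == "__main__":
    hits, skipped = find_shellshock_probes(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.ip} {h.field}: {h.request}")
    print("per source:", dict(probes_by_source(hits)), "| skipped:", skipped)
```

A hit shows that a probe was sent, not that it succeeded; whether the host was affected still depends on the installed Bash version and on whether the request reached a Bash-invoking handler.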



Malvertising Could Replace Exploit Kits: Researchers

Over the past months, there have been numerous reports from security companies on successful malvertising campaigns. Through malicious advertisements distributed via popular ad networks, cybercriminals reached the visitors of several high-profile websites such as Amazon, YouTube, Yahoo, Java.com, DeviantArt and many others.

"Drive-by download" is one of the most efficient malware distribution methods. In these operations, the attacker uses spam or compromised sites to redirect victims to a page hosting an exploit kit. The exploit kit then leverages vulnerabilities in the software running on the victim's machine to serve malware.

In fact, the experts believe advertising networks could become the next primary attack vector as they might turn out to be even more efficient than exploit kits.

One important advantage of using ad networks for distributing malware is that the attacker can specify the targeted audience. For example, Google subsidiary DoubleClick, which was recently involved in a major malvertising operation, allows advertisers to select the users they are targeting based on parameters such as language, country, operating system, browser, device and search topics.

"Similar functionality is usually implemented in exploit kits, but in this case it is completely handled by the advertising network. Setting operating system to Windows XP and browser to Internet Explorer allows an attacker to use old exploits that are publicly available and proven effective. With this configuration they don't need to worry about such defenses as ASLR, EMET etc," Kashyap and Kotov explained in their paper. "Language and country parameters allow an attacker to focus on a specific geographical location. This is handy if an attacker has a working scheme of monetizing stolen bank cards or victim personal data in a particular country."

Malvertising usually goes hand in hand with exploit kits. However, because of the opportunities offered by Flash, cybercriminals could soon start launching attacks from the banner itself. The experts believe Flash banners are the most dangerous type of ads from a security standpoint. That's because they're highly prevalent, they're not actually malicious so they're more difficult to detect and block, and the ActionScript scripting language for Flash is powerful enough, the researchers said.

Malvertising attacks that leverage Flash banners are not uncommon. Bromium analyzed one such attack in February, and Malwarebytes observed a campaign back in June. The Flash banners either redirect users to a malicious page after they're clicked, or they add a stealthy redirect to the page in the form of an iframe. However, experts believe the banners themselves could soon incorporate exploit kits.

"The problem with attacking from the Flash banner directly is there are size constraints defined by the ad network and it is usually up to 200K. The banner must look normal and should not contain any suspicious elements such as a huge chunk of high entropy data. This constraint could be overcome though by deploying steganography and hiding malicious code in the image," the researchers said.

Source: www.securityweek.com


This Simple tip will protect you from Identity Thieves with Thermal cameras

With the continued rapid advancement of technology, new software and devices are coming out all the time that better your camera phone and allow you to take unique and high quality photos. There are apps that can take long exposures, create panoramas, edit photos, and so on. There are detachable camera phone lenses ranging from macro to telephoto, fancy camera mounts, and flexible tripods. The list goes on. But, with all the good, comes the bad.

There is a new product, using old technology, that allows iPhones to take pictures in infrared. Sounds cool—and it is in many ways—but the thermal cameras have the ability to capture very important personal info—specifically banking PIN codes.

Here's how to avoid your PIN getting stolen

Mark Rober explains how you can protect yourself from identity thieves who use infrared camera phone technology to take pictures of banking PIN codes. There is a new device that has just hit the market that clips onto the back of an iPhone and displays infrared. This means the phone can now photograph heat—your thermal signature.

Every time you touch something, you leave behind your thermal signature, including when you punch your PIN into a keypad. Each time you press a button, the heat from your finger transfers to that button. As soon as you've finished your purchase, the thief just needs to get to the keypad before the heat fades and briefly hover their phone over the keypad long enough to snap a shot.

With the thermal camera, they can easily see which buttons you pressed, and even worse, the order in which you pressed them. This is because the first numbers pressed will start to lose heat as you continue and the last number in the code will be hotter than the rest, which shows up as orange or red.

How to prevent PIN theft

One very simple way to prevent this from happening to you is to just rest your fingers on the keypad and unused numbers as you punch in your code. This will spread your heat all over the keypad, making it almost impossible to tell which numbers were used.

Now, the means by which these thieves steal the rest of your card info, like the absolutely necessary number, can vary—skimmer devices, taking a snapshot of the front of the card as you use it, physically robbing you. There are many ways experienced and crafty identity thieves can obtain your card number, but we're just talking about the PIN here. So, as much as you think the PIN is useless without the actual card, isn't it best just to cover all your bases and stay

Source: www.picturecorrect.com


Security is hard – technicaleducation.cisco.com vulnerable to XSS

On 21 August 2014 a security researcher reported to XSSposed (XSS exposed) that technicaleducation.cisco.com has an XSS (Cross-Site Scripting) vulnerability; the site currently has 2 vulnerabilities in total reported by security researchers.

Cross-Site Scripting (XSS) inserts specially crafted data into existing applications through Web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a modification to a browser script, to a different end user. XSS attacks often lead to bypass of access controls, unauthorized access, and disclosure of privileged or confidential information. Cross-site scripting attacks are listed as the number three vulnerability on the OWASP Top 10 list for 2013. XSS attacks are becoming more and more sophisticated these days and are being paired with spear phishing, social engineering and drive-by attacks.

The vulnerability is still unpatched, putting technicaleducation.cisco.com users, visitors and administrators at risk of being compromised by malicious hackers. Theft of cookies, personal data, authentication credentials and browser history are probably the less dangerous consequences of XSS attacks.

Source: www.infosecnews.org

In Cyberspace, Anonymity and Privacy are Not the Same

The Misconception that Internet Privacy Equals Anonymity Must be Dispelled if Cyberspace is to be a Secure and Safe Place...

In July 2014, a bill sponsored by Senator Dianne Feinstein of California, S.2588 – The Cybersecurity Information Sharing Act of 2014, was placed on the Senate's legislative calendar. S.2588 requires that a number of Federal agencies, including the Office of the Director of National Intelligence and the Departments of Homeland Security (DHS), Defense and Justice develop procedures for the real-time sharing of classified and unclassified cyber threat indicators with private entities as well as non-federal government agencies and state, tribal, or local governments and also provides for making unclassified indicators publicly available.

S.2588 is in good company. A bill from the House of Representatives, sponsored by Representative Michael McCaul of Texas, H.R. 3696 – The National Cybersecurity and Critical Infrastructure Protection Act of 2014, requires the Secretary of Homeland Security to, among other things, share cyber situational awareness among federal entities and to ensure that DHS policies and procedures enable private sector critical infrastructure owners and operators to receive appropriate and timely cyber threat information. Additionally, the bill includes language specifying that the legislation does not provide DHS with any new regulatory authority.

Unsurprisingly, security, which is necessarily focused on maintaining a high degree of environmental and situational awareness, immediately runs afoul of concerns arising from the "privanymity" conflation. This collision is both unfortunate, as it prevents both industry and government from implementing effective cybersecurity measures, and based on a misperception of how anonymity and privacy interact.

There aren't many who would argue that information sharing with respect to the looming, and growing, cyber threat is a good thing. Shared situational awareness has the benefit of amplifying the effects of mitigation efforts and may allow many targets to avoid the impact of the threat entirely. So why are these two bills stalled in the legislature?

Part of the answer can be found in communications from constituents and organizations opposing the bills. A few notable quotes:

"The collection of data and potential prosecution of civilians would bolster the distrust and resentment of the American people towards their government."

"You won't like what happens if you try to ruin our open and free Internet… You're here to govern the United States from your district as elected, the Internet isn't yours to regulate."

"CISA presents many of the same problems as the failed Cybersecurity Information Sharing and Protection Act (CISPA) of 2012, which contained significant privacy concerns and other shortcomings. Privacy experts have pointed out how CISA would damage the privacy and civil liberties of users. Language in CISA, like CISPA, enables the automatic and simultaneous transfer of cybersecurity information to U.S. intelligence agencies like the National Security Agency."

In a nutshell, there's strong, bipartisan grassroots opposition to the idea of the Federal government collecting and disseminating data in an effort to enhance cybersecurity. Much, if not most, of this opposition stems from concerns about privacy and its protection. It's both easy and tempting to jump on this bandwagon.

Unfortunately, many of the privacy grievances stem from the frequent conflation of privacy with anonymity. The two are qualitatively, and legally, different, but confusion about this likely comes from the Internet's original architecture, which placed great value on the reliability and robustness of communications, but less emphasis on identity management and security.

Source: www.securityweek.com


InfoSEC Times Issue

Abu Dhabi Polytechnic, Mohammed Bin Zayed City, PO BOX 111499, Abu Dhabi, UAE

For information and to get involved in the next issue contact :

Dr. Jamal Al-Karaki at:

[email protected]

Phone: +971 2-6951047

Upcoming Events

The Smart Devices Security and Privacy Contest

Smart devices such as smart phones (iPhone, Android, BlackBerry and Windows devices) are becoming an integral part of our daily life. Studies show that they are one of the fastest spreading technologies in human history. This motivated the UAE federal government to develop mobile applications that can better serve the community as part of the UAE vision 2021 and Abu Dhabi vision 2030 and in line with the creation of smart government. Such a transition requires good attention to security and privacy related problems, which require the creation and development of secure and reliable applications that can ensure the security of users and entities. Such a challenge can be considered by organizing a new smart devices security and privacy competition that can increase mobile security awareness among the UAE community.

This competition will be a great opportunity for professionals and students who are working and/or majoring in the domain of information security and related subjects to measure their skills in smart device security, and to acquire valuable experience. The competition will allow participants to interact with other students and professionals from different institutes, where they will have the opportunity to test their security skills and knowledge. For more information visit www.smartsec.ae