Windows Phones susceptible to password theft when connecting to rogue Wi-Fi

Smartphones running Microsoft's Windows Phone operating system are vulnerable to attacks that can extract the user credentials needed to log in to sensitive corporate networks, the company warned Monday.

The vulnerability resides in a Wi-Fi authentication scheme known as PEAP-MS-CHAPv2, which Windows Phones use to access wireless networks protected by version 2 of the Wi-Fi Protected Access protocol. Cryptographic weaknesses in the Microsoft-developed technology allow attackers to recover a phone's encrypted domain credentials when it connects to a rogue access point. By exploiting vulnerabilities in the MS-CHAPv2 cryptographic protocol, the adversary could then decrypt the data.

"An attacker-controlled system could pose as a known Wi-Fi access point, causing the victim's device to automatically attempt to authenticate with the access point and in turn allow the attacker to intercept the victim's encrypted domain credentials," the Microsoft advisory warned. "An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials."



Researchers find trojanized banking app that exploits critical Android bug

Figure: A page displayed by the trojanized app found by Trend Micro. (Image: Trend Micro)

Researchers have unearthed another malicious app exploiting a critical vulnerability in Google's Android OS that allows attackers to inject malicious code into legitimate programs without invalidating their digital signature.

The threat poses as an update for the official Android app available to customers of NH Nonghyup Bank, one of South Korea's biggest financial institutions, according to a blog post published Friday by researchers from antivirus provider Trend Micro. By exploiting the so-called master-key vulnerability in the mobile OS, this malware bears the same cryptographic signature found in the legitimate release, even though the update contains malicious code that uploads user credentials to a remote server.

The good news is that the app verification tool Google released in Android 4.2 late last year flags these malicious apps. And according to this recent post, Google developers have added the protection to earlier versions and turned it on by default. The verification tool checks the authenticity of apps downloaded from both the official Google Play marketplace and alternative sources. As an added safety measure, users should avoid these alternative marketplaces unless there's a strong case for doing otherwise.



“Most” of Apple’s developer site services to be restored “this week”

Roughly two weeks after it first acknowledged the problem, Apple has restored many of the services that were taken offline when its developer site servers were accessed by an "intruder" on July 18. Developers can once again access iOS and OS X betas, view prerelease documentation, download certificates, and watch videos from Apple's Worldwide Developer Conference (WWDC) sessions just as they could before the security breach. Apple today sent out an update via e-mail to registered developers regarding the remaining services.

"We plan to reinstate most of the remaining services this week: Xcode automatic configuration as well as access to license agreements, TSIs, program enrollments, and renewals in Member Center," the company said. The message went on to reiterate that the status page that Apple created about a week after the breach remains the most up-to-date source of information, and developers whose program subscriptions were set to expire during the outage would continue to have their subscriptions extended. Membership renewal is one of the services that remains down, and extending these developers' subscriptions guarantees that their apps won't be delisted from Apple's various app stores.

Following the breach, Apple promised that it would be performing an "overhaul" of its developer systems, including security updates and a rebuilding of the company's database. In its initial status updates on the security breach, Apple promised that no "sensitive" information had been accessed, but as always we recommend a password change and two-factor authentication for any registered Apple developer whose information may be at risk.



Attackers wield Firefox exploit to uncloak anonymous Tor users

Attackers exploited a recently patched vulnerability in the Firefox browser to uncloak users of the Tor anonymity service, and the attack code is now publicly circulating online. While the exploit was most likely designed to identify people alleged to have frequented a child porn forum recently targeted by the FBI, anonymity advocates say the code could be used against almost any Tor user.

A piece of malicious JavaScript was found embedded in webpages delivered by Freedom Hosting, a provider of "hidden services" that are available only to people surfing anonymously through Tor. The attack code exploited a memory-management vulnerability, forcing Firefox to send a unique identifier to a third-party server using a public IP address that can be linked back to the person's ISP. The exploit contained several hallmarks of professional malware development, including "heap spraying" techniques to bypass Windows security protections and the loading of executable code that prompted compromised machines to send the identifying information to a server located in Virginia, according to an analysis by researcher Vlad Tsyrklevich.

Discovery of the exploit came as the FBI reportedly sought the extradition of Freedom Hosting's founder on child porn charges. Word of 28-year-old Eric Eoin Marques's arrest also came as members of the Tor Project reported the disappearance of a "large number" of hidden service addresses used by Freedom Hosting. The confluence of the three events has prompted speculation that the de-anonymizing exploit is the work of the FBI or another organized group targeting child pornographers.
