Read the full post at darknet.org.uk
Read the full post at darknet.org.uk
The long, painful rollout of patches to a security flaw in the Bourne Again Shell (bash) has left thousands of systems still vulnerable, and malware based on the vulnerability continues to spread, according to a number of security experts. But even for organizations that have already applied the patch for what has been dubbed the “Shellshock” vulnerability, the cleanup may not be over—and it could be long and expensive.
Soon after the Shellshock bug was publicly disclosed and its initial patch was distributed, weaknesses in the patch itself and additional security vulnerabilities were uncovered by developers dealing with the issue. And within a day of the disclosure, attacks exploiting the vulnerability were found in the wild. Some of those attacks are still trying to spread—and in some cases, they’re using Google searches to help them find potential targets. Successful attacks may have made changes to the targeted systems that would not have been corrected by the application of the patch.
The problem with Shellshock is similar to problems that emerged after the Heartbleed bug and numerous other vulnerabilities—while organizations struggle to understand the disclosures, how they affect their systems, and how to successfully implement patches, others—including security researchers—race to build proof-of-concept attacks based on them to demonstrate exactly how dire they are. And those proofs of concept often get picked up by cybercriminals and others with bad intent before organizations can effectively patch them—using them to exploit systems in ways that are much longer-lasting than the vulnerability du jour.
Interest in secure communications is at an all time high, with many concerned about spying by both governments and corporations. This concern has stimulated developments such as the Blackphone, a custom-designed handset running a forked version of Android that's built with security in mind.
But the Blackphone has a problem. The mere fact of holding one in your hand advertises to the world that you're using a Blackphone. That might not be a big problem for people who can safely be assumed to have access to sensitive information—politicians, security contractors, say—but if you're a journalist investigating your own corrupt government or a dissident fearful of arrest, the Blackphone is a really bad idea. Using such a phone is advertising that you have sensitive material that you're trying to keep secret, and is an invitation to break out the rubber hoses.
That's what led a team of security researchers to develop DarkMatter, unveiled today at the Hack In The Box security conference in Kuala Lumpur. DarkMatter is a secure Android fork, but unlike Blackphone and its custom hardware, DarkMatter is a secure Android that runs on regular Android phones (including the Galaxy S4 and Nexus 5) and which, at first glance, looks just like it's stock Android. The special sauce of DarkMatter is secure encrypted storage that selected apps can transparently access. If the firmware believes it's under attack, the secure storage will be silently dismounted, and the phone will appear, to all intents and purposes, to be a regular non-secure device.
From the researchers that brought you BEAST and CRIME comes another attack against Secure Sockets Layer (SSL), one of the protocols that's used to secure Internet traffic from eavesdroppers both government and criminal.
Calling the new attack POODLE—that's "Padding Oracle On Downgraded Legacy Encryption"—the attack allows a man-in-the-middle, such as a malicious Wi-Fi hotspot or a compromised ISP, to extract data from secure HTTP connections. This in turn could let that attacker do things such as access online banking or e-mail systems. The flaw was documented by Bodo Möller, Thai Duong, and Krzysztof Kotowicz, all who work at Google. Thai Duong, working with Juliano Rizzo, described the similar BEAST attack in 2011, and the CRIME attack in 2012.
The attack depends on the fact that most Web servers and Web browsers allow the use of the ancient SSL version 3 protocol to secure their communications. Although SSL has been superseded by Transport Layer Security, it's still widely supported on both servers and clients alike, and is still required for compatibility with Internet Explorer 6. SSLv3, unlike TLS 1.0 or newer, omits validation of certain pieces of data that accompany each message. Attackers can use this weakness to decipher an individual byte at time of the encrypted data, and in so doing, extract the plain text of the message byte by byte.