Activist pulls off clever Wi-Fi honeypot to protest surveillance state

The chairman of the youth wing of the Swedish Pirate Party successfully fooled attendees at a major Swedish security and defense conference into connecting to an open Wi-Fi network that he controlled—as a way to protest mass digital surveillance.

According to The Local, an English-language newspaper in Sweden, Gustav Nipe watched earlier this week as around 100 politicians, military officers and journalists logged into a network called “Open Guest” and proceeded to search for various non-work-related things including “forest hikes” and monitor eBay auctions.

Previously Nipe was involved in the Pirate Party’s efforts to create its own ISP in 2010, and founded the Church of Kopimism, which was formally recognized by Swedish tax authorities in 2011.

Read 7 remaining paragraphs | Comments

Apps Sending Plain HTTP Put Personal Data at Risk

At the AVAR Conference in November 2014, McAfee Labs presented how to exploit a cross-site scripting vulnerability of the Costco and Walgreens apps on Android. We shared with our audience research on other app vulnerabilities because we believe apps (especially mobile apps) will be an increasing attack surface for cybercriminals. Today we’d like to provide an update to this issue concerning insufficient transport-layer protection.

This topic covers similar ground to the stats Intel Security called out last year in the McAfee Mobile Security Report: “After analyzing the behavior and permissions of thousands of Android apps, our research team found that 82% of apps track mobile activities,” the report said. When this type of data collection is sent to the app developer’s server without proper encryption, users’ personal information and enterprise data are at risk.

Costco app: naked credentials

The Android apps we analyzed in our AVAR paper are also exposed to this vulnerability. When we tested the Costco app with a fake account, the login request was clearly captured in Fiddler because the request was in plain HTTP. What does this mean? Be more cautious if you are shopping online using your phone while connecting to a public wireless network.

sogou1

Motivated to discover similar risks in other apps, we tested a few more programs in depth and became very alarmed. This plain HTTP risk is everywhere. Let’s walk through two such apps, Weibo and Sogou.

Weibo: social media chat easily sniffed or spoofed

Weibo is a Chinese social media platform like Twitter or Facebook. You post your status, chat with your friends, etc. Now suppose you post a message as follows in Weibo:

sogou2

You can see what’s being sent to the Weibo backend by capturing the traffic from Wireshark:

sogou3

And the cookie is there for an attacker to harvest or even alter your post message via a man-in-the-middle attack.

sogou4

You may ask Who cares? This is a post on social media and is meant to be public. But what about your private chats with friends? We sent the following message via the chat window:

sogou5

Again Wireshark shows us exactly the text, without encryption, begging for an attack (such as modifying the chat, injecting malicious links, etc.). There’s no privacy here!

sogou6.1

 

sogou6.2

Sogou sends device data via plain HTTP

Sogou is the most popular Chinese input-method editor, claiming more than 400 million installations. Users benefit from hints to optimized words without having to fully spell them out in Pinyin). (Instead of typing ni hao for “hello”, for example, you type just “nh.”)

sogou7.1sogou7.2

That’s all we want from a language input editor, and that’s why we installed it on a Windows 7 machine. However, when we connected an iPod via USB to this machine, we saw the following captured on Fiddler:

sogou8.1

At first glance the preceding data may not seem like much, but it leads to a question: Why would a language input editor want to know “the user has connected an iOS device (iPod5), it is running on iOS 7.0, the serial number is “650…,” and it is connected via the USB hub “USB#ROOT_HUB20#48…”?

When we connected an Android phone, Fiddler showed a similar data collection:

sogou8.2

Collecting device information in these scenarios is not something we expect or appreciate from language-input software. What is scarier is that the plain-HTTP transport invites attacks in the world full of poisoned mobile hotspots.

We call for app developers to close loopholes like these in their security development life cycles.

The post Apps Sending Plain HTTP Put Personal Data at Risk appeared first on McAfee.

Mozilla Releases Security Updates for Firefox, Firefox ESR, SeaMonkey, and Thunderbird

Original release date: January 14, 2015

The Mozilla Foundation has released security updates to address multiple vulnerabilities in Firefox, Firefox ESR, SeaMonkey, and Thunderbird. Exploitation of these vulnerabilities may allow a remote attacker to take control of an affected system.

Updates available include:

  • Firefox 35
  • Firefox ESR 31.4
  • SeaMonkey 2.32
  • Thunderbird 31.4

Users and administrators are encouraged to review the Security Advisories for Firefox, Firefox ESR, SeaMonkey, and Thunderbird and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.


NSA official: Support of backdoored Dual_EC_DRBG was “regrettable”

It was a mistake for the National Security Agency to support a critical cryptographic function after researchers presented evidence that it contained a fatal flaw that could be exploited by US intelligence agents, the agency's research director said.

The comments by NSA Director of Research Michael Wertheimer were included in an article headlined The Mathematics Community and the NSA published this week in a publication called Notices. The article responds to blistering criticism from some mathematicians, civil liberties advocates, and security professionals following documents provided by former NSA subcontractor Edward Snowden showing that the agency deliberately tried to subvert widely used crypto standards. One of those standards, according to The New York Times, was a random number generator known as Dual EC_DRBG, which was later revealed to be the default method for generating crucial random numbers in the BSAFE crypto toolkit developed by EMC-owned security firm RSA.

NSA officials shepherded Dual EC_DRBG through the National Institute of Standards and Technology (NIST) in 2006. A year later, researchers from Microsoft presented evidence that the number generator contained a type of backdoor known to cryptographers as a "trap door." The weakness, the researchers said, allowed those who knew the specific NSA-generated points on the standard's elliptic curve to work backward to guess any crypto key created by the generator. Despite widespread coverage of the research and concern expressed by security experts, the NSA continued to support Dual EC_DRBG. It wasn't until September 2013—six years after the research came to light—that RSA advised customers to stop using the NSA-influenced code. Last year, NIST also advised against its use.

Read 6 remaining paragraphs | Comments