Yet Another Adobe Flash Bug

Trend Micro is reporting (see here) yet another Adobe Flash zero-day being exploited in the wild.  Yes, this is a new one.  No, it is not the one I reported on last week.  I had to read the article three times to convince myself that it was not the exploit I wrote about last week.  Trend Micro has already caught about 3,300 instances of this attack among its user base.  Given how big that user base is, 3,300 is a small number, but there is no fix for this yet.  Adobe is promising one this week.

To say that 2015 has not started out well for Adobe would be an understatement.  They released their normal Flash update in January, fixing 9 critical flaws.  Nine days later they released an out-of-band patch for a critical flaw that was already being exploited.  Last Saturday they released another patch for another critical flaw, and now they say they will release yet another patch this week.  That would be 5 patch releases in the first 5 weeks of the year.  Out-of-band patches are a huge pain for both developers and users, so software vendors like Adobe reserve them for critical problems.

This flaw is particularly nasty because, Trend Micro says, it is being delivered through ads on ordinary web pages, and IT DOES NOT REQUIRE THE USER TO CLICK ON THE AD TO WORK.  Simply loading a page that happens to carry the malicious ad is enough to run the exploit.

Some people are suggesting that you disable Flash, but that would make many web sites look like a blank page.  A middle ground is the click-to-play (in Firefox, "ask to activate") plugin setting that Chrome and Firefox offer, which leaves Flash off until you choose to run it on a given page, so an ad cannot launch it without your knowledge.  I would suggest, at a minimum, that you make sure you are using a highly rated anti-virus product (apparently Trend Micro does catch this and it is pretty cheap; I saw a version of Trend the other day on Amazon for $25 a year for 3 PCs, or about $8 per PC per year).

And, yes, watch for yet another Flash update this week on a computer near you.

Mitch

Internet Explorer 11 Vulnerability Opens Door To Phishing

Many sources are reporting (see here) a bug in Internet Explorer 11 that could support a very credible-looking phishing attack.  Interestingly, the attack does not work on older versions of Internet Explorer, which is the reverse of the usual pattern.  The problem was disclosed on Saturday, with a proof of concept, on the Full Disclosure mailing list, so attackers even have working example code to start from.

The exploit does require the user to click on a link, but getting a user to click is not hard.  If the user does click, the web page for, say, ABC Bank appears and the bank's real URL appears in the address bar.  In the demonstration code, a few seconds later a page controlled by the attacker replaces the content, but the bank's URL still appears in the address bar.  A victim would think he is still at the ABC Bank web site, so if the page asks for personal information, he would think he is giving it to the bank when he is really giving it to the attacker.

Unfortunately, this attack works on HTTPS pages too: the padlock and the bank's URL both stay in place while the attacker's content is displayed.  The bug is in the browser rather than in the protocol, but from the user's point of view this is yet another way that SSL is broken; see yesterday's post for other reasons it is broken.

In concept, this is similar to the bug discovered in the default Android browser a few months ago that allows the same kind of attack.  Google has taken some heat over that one because it said that the current version of Android (4.4) does not use that code, so it is not going to fix it.  The only solution for users of Android 4.3 or earlier is to use Chrome or Firefox instead.

For Windows users, a simple solution would be to use another browser, at least until Microsoft fixes this bug.

Microsoft said that it is not aware of attackers using this bug (not a surprise, since it was only published on Saturday), that it is working on a fix (which may take a couple of months, depending on the priority and the difficulty of the fix), and that you should not click on links from "untrusted sources".  By untrusted sources they mean, for example, a link in a phishing email that appears to have come from your boss.  Good luck getting users to do that.

Interestingly, the researchers who disclosed this bug said that web sites (like ABC Bank) can protect themselves with a simple change: send the X-Frame-Options HTTP response header with the value DENY, which tells the browser never to display the page inside a frame on another site.  This is a header set in the web server or application configuration, not something in the HTML of the page.  The researchers say that very few web sites do this.  Still, for web site owners this would be a smart change to make to protect their visitors while Microsoft works on a fix.
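A way to check for and apply that header, as an added example that is not part of the original post or of the researchers' proof of concept: a small Python script that parses constructed sample responses (not real captures from any bank), reports who may put the page in a frame, and returns the header set a site could add. The CSP frame-ancestors directive shown beside X-Frame-Options is the newer equivalent, which the post itself does not mention.

```python
"""Audit and set the HTTP response headers that keep a page out of a frame.

Added example; this is not code from the original post or from the
researchers. The sample responses are constructed, not real captures.
"""
import io
from http.client import parse_headers


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, headers).

    parse_headers() reads header lines up to a blank line, so it is handed
    everything after the status line plus a terminating blank line.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    headers = parse_headers(io.BytesIO(header_block + b"\r\n\r\n"))
    return status_line.decode("ascii", "replace"), headers


def framing_policy(headers) -> str:
    """Classify who may display this response inside a frame.

    Returns 'deny', 'sameorigin', 'restricted' (specific origins only) or
    'unrestricted' (no protection, the state the researchers say is common).
    A CSP frame-ancestors directive takes precedence over X-Frame-Options,
    which is how browsers that understand both resolve them.
    """
    for csp in headers.get_all("Content-Security-Policy") or []:
        for directive in csp.split(";"):
            name, _, value = directive.strip().partition(" ")
            if name.lower() == "frame-ancestors":
                sources = value.split()
                if sources == ["'none'"]:
                    return "deny"
                if sources == ["'self'"]:
                    return "sameorigin"
                return "restricted"
    xfo = headers.get("X-Frame-Options")
    if xfo is None:
        return "unrestricted"
    value = xfo.strip().upper()
    if value == "DENY":
        return "deny"
    if value == "SAMEORIGIN":
        return "sameorigin"
    if value.startswith("ALLOW-FROM "):
        return "restricted"
    return "unrestricted"   # browsers ignore values they do not recognise


def audit(raw: bytes) -> str:
    """Framing policy of a raw HTTP response."""
    _status, headers = parse_response(raw)
    return framing_policy(headers)


def hardened_headers(allow_self: bool = False) -> dict:
    """Headers a site such as the post's ABC Bank could add to every response.

    Both the legacy header and the CSP directive are sent so that old and
    new browsers are covered. allow_self=True is for sites that frame their
    own pages.
    """
    if allow_self:
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
    return {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}


# Constructed sample responses: a typical unprotected banking page and the
# same page after the fix.
UNPROTECTED = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: text/html\r\n"
               b"Set-Cookie: session=abc123; Secure; HttpOnly\r\n"
               b"\r\n"
               b"<html><body>Welcome to ABC Bank</body></html>")

PROTECTED = (b"HTTP/1.1 200 OK\r\n"
             b"Content-Type: text/html\r\n"
             b"X-Frame-Options: DENY\r\n"
             b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
             b"\r\n"
             b"<html><body>Welcome to ABC Bank</body></html>")

if __name__ == "__main__":
    for label, raw in (("before", UNPROTECTED), ("after", PROTECTED)):
        print(f"{label}: framing policy = {audit(raw)}")
    print("headers to add:", hardened_headers())
```

Point `audit()` at the raw bytes of a response from your own site (a `curl -i` capture will do) to see whether it comes back "unrestricted"; if it does, `hardened_headers()` is the set to add in the server configuration.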

Mitch

 

BMW Fixes Bug That Would Allow Hackers To Unlock Your Car

BMW announced that it has fixed a bug that would have allowed attackers to compromise its ConnectedDrive car automation system.  The bug affected more than two million BMWs, Minis and Rolls-Royces, according to Mashable.

Apparently, the communications between BMW's servers and the car were not even encrypted, so the fix was to move that traffic to HTTPS.  Encryption is only half of the job, though: the car also has to check that the certificate it is shown really belongs to BMW's servers, otherwise the same attacker can sit between the car and BMW with a certificate of his own.

BMW claimed that the bug did not affect the driving, steering or braking functions of the car.  That's good, but I am not sure that this is the bar we should measure their security by.

ADAC, the German automobile club, discovered the bug in the middle of last year and decided not to announce it until BMW came up with a solution.

BMW, the article says, patted itself on the back for coming up with a fix so quickly.  Others pointed out that HTTPS should have been there in the first place.

The good news is that BMW owners do not need to take the car to the dealer to fix the problem; the fix will be downloaded the next time the car connects to BMW's servers.

Given how poor BMW's security was around the car automation function, I am not sure that BMW's being able to load new firmware into the car over the air is a good thing.  They may want to review the security of that process as well.  The usual standard for an over-the-air update channel is that the car accepts only updates signed by the manufacturer and verifies that signature before installing anything; an encrypted connection by itself does not provide that.  I can just see a hacker downloading new firmware into my car and causing it to do who knows what.

Unfortunately, I suspect that this problem will only get worse for a long time before it gets better.

 

Mitch

Is SSL Broken?

While every single bank and e-commerce provider tells you that SSL (or HTTPS) is wonderful and fully protects you, unless they are on drugs, they don't really believe that.  From their perspective the risk is manageable: they would rather reimburse you if you can prove that their SSL connection leaked AND that it cost you money than tell you that it is not very secure.

Let's run through the reasons people usually give for why HTTPS is not secure before getting to my pet peeve.  First, a public WiFi hotspot can mount what is called a man-in-the-middle attack: your device completes its handshake with the hotspot instead of with the real site, and the hotspot opens its own connection to the site and sees your data in the clear.  For this to work without your noticing, the hotspot has to present a certificate your device trusts (which is where the certificate authority list below comes in), or you have to click through the browser's certificate warning, which many users do.

Next, there have been many instances of attackers operating fake WiFi hotspots.  Even if the real hotspot is clean, a fake one using the same name can run the same man-in-the-middle attack on your traffic.

Next are the bugs in the software.  In the past year there have been several.  One example is Heartbleed, which affected the server side of the connection and may have leaked the server's private key, the private half of the SSL key pair behind the padlock, for millions of servers.  Many servers fixed the bug but did not bother to generate new private keys, so a key stolen before the fix still works.  Many have not fixed it at all.

Next is the problem of revoked certificates.  After Heartbleed, hundreds of thousands of certificates were revoked because they may have been compromised.  The CRL (certificate revocation list) infrastructure was not and is not designed to handle that volume.  Firefox uses OCSP, the Online Certificate Status Protocol, but by default it "soft-fails": it accepts a certificate if it does not get a timely answer to its question about whether the certificate is still valid, so an attacker who can block the OCSP query gets a free pass.  (Firefox can be made to hard-fail by setting security.OCSP.require to true in about:config, at the cost of some sites not loading when the OCSP responder is down.)  Some browsers skip online revocation checks entirely.

Which leads us to my pet peeve.

I looked inside Firefox on my Windows PC today and found HUNDREDS of certificate authorities loaded into the browser.  The Certificate Authority, or CA, is the (supposedly) trusted organization which certifies that the site behind your little SSL padlock really is who it says it is.  So who is in the list?  China Telecom.  Hong Kong Telecom.  Definitely trust China!  Not!  Actually, I did, until I deleted their records.  Korea (I hope that is South and not North).  Many other somewhat friendly countries.  And many that are probably from the U.S. but that I have never heard of.  I deleted probably 50 of them from Firefox today and there are still more than a hundred active.

Chrome and Internet Explorer use the Windows certificate store, which is a different list from the one Firefox keeps for itself; Apple has its own list.  Deleting a CA from your home computer does not delete it from your phone.  Or your tablet.  Or your laptop.  Count up all the devices your family uses and you are probably looking at well over 1,000 trusted-CA entries (there is a lot of overlap, but that does not really help, because even if you tell your desktop you don't trust China Telecom, you also have to tell your phone and your tablet separately, and if you use both Chrome and Firefox you have to tell each of them separately, even on the same device).

If I had my way, I would have 4 or 5 entries in there and kiss the rest goodbye.

Of course, there is not a decent user interface for managing that, and I don't know, but would not be surprised, if China is back after Firefox does an update.  I will have to test that theory.
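The same trust decision written out for a single program instead of a browser, as an added example that is not from the original post: Python's standard ssl module, contrasting a client that verifies nothing (the setting the hotspot attack above needs), the default client that accepts any CA in the system store, and a client that trusts only a bundle you assembled yourself, which is the "4 or 5 entries" idea applied to one program. The PEM file path given to trust_only() is an assumption; you would supply a bundle holding just the issuers of the sites the program talks to.

```python
"""Three ways a TLS client can decide whom to trust.

Added example, not code from the original post. It uses Python's standard
ssl module to contrast a client that verifies nothing (the situation a
hotspot man-in-the-middle needs), the default client that trusts every CA in
the system store, and a client that trusts only a CA bundle you assembled
yourself. The PEM file path passed to trust_only() is an assumption.
"""
import ssl


def unverified_context() -> ssl.SSLContext:
    """The weak setting: no certificate chain check and no hostname check.

    Any hotspot can terminate this connection with a certificate it made up
    and read the traffic, and the client will never notice. check_hostname
    has to be turned off before verify_mode, or Python refuses the change.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def default_context() -> ssl.SSLContext:
    """What browsers and most libraries do: verify the chain and the hostname
    against the whole system CA store, typically well over a hundred issuers,
    any one of which can vouch for any site."""
    return ssl.create_default_context()


def trust_only(cafile: str) -> ssl.SSLContext:
    """Trust only the CAs in one PEM bundle you chose (assumed to exist).

    Chain and hostname checks stay on (PROTOCOL_TLS_CLIENT turns them on by
    default); nothing else is loaded, so a certificate issued by any CA
    outside the file fails verification even if it is otherwise valid.
    There is no 'load everything and then drop one CA' operation: the only
    way to distrust an issuer is to build a store that never contained it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=cafile)   # OSError if the file is missing
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise how a context will judge a server's certificate."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "trusted_cas": len(ctx.get_ca_certs()),
    }


if __name__ == "__main__":
    print("unverified:", describe(unverified_context()))
    print("default   :", describe(default_context()))
    # describe(trust_only("my-four-cas.pem")) would show both checks on and
    # a CA count equal to the number of certificates in the bundle.
```

The `trusted_cas` number for the default context is the programmatic version of the list the post describes opening in Firefox; on most desktops it runs well past a hundred.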

Many people agree that SSL is hopelessly broken.  Here is an article from The Register on the subject.  I Googled "is SSL broken" and got 12,400,000 hits.

The bad news is that no one is working on a replacement, and even if they were, it would take years to get everyone to agree on it, and then we would need to figure out how to do the transition.

Which is why the merchants all cross their fingers behind their backs and say “sure;  it’s secure”.

Mitch

 

Verizon To Allow Opt Out Of Super-Cookie “Soon”

According to USA Today and the NY Times, Verizon has announced that it will allow users to opt out of their super-cookie program “soon”.

You may remember that both Verizon and AT&T were caught last year adding a unique tracking identifier to every web page request their customers made, even as those customers were using tools such as ad blockers and Ghostery to try to retain some semblance of privacy as they surfed the web.

Verizon's super-cookie, dubbed the Unique Identifier Header (UIDH), is added to the web page request after the request has left your phone or tablet, so none of the traditional methods for deleting cookies or blocking trackers can touch it.  The one thing that keeps the carrier from adding it is an HTTPS connection, which hides the request from the network in between.  Verizon's advertising partner Turn was caught using the header to rebuild user profiles of sites visited, after Verizon had publicly stated that surely no one would do that.  Turn said that the fact that people were deleting their cookies did not mean that they did not want to be tracked.
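A model of that ordering, as an added example that is not from the original post: the phone, the carrier's network and the web server are written as plain Python functions over a constructed HTTP request, in the order the bytes travel. X-UIDH is the header name Verizon used; the token value and the sample traffic are made up for illustration.

```python
"""Why deleting cookies could not remove the Verizon super-cookie.

Added example, not code from the original post. The three parties are
modelled as functions over an HTTP request in the order the bytes travel:
the phone (which can strip whatever it likes before sending), the carrier's
network (which rewrites the request after it has left the phone), and the
web server. X-UIDH is the header name Verizon used; the token value and the
requests below are constructed for illustration.
"""
import io
from http.client import parse_headers

TRACKING_HEADERS = ("X-UIDH",)
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def split_request(raw: bytes):
    """Split a plaintext HTTP request into (request line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    headers = parse_headers(io.BytesIO(header_block + b"\r\n\r\n"))
    return request_line, headers, body


def phone_sends(raw: bytes) -> bytes:
    """Everything a browser add-on can do: drop cookies and any tracking
    header before the request leaves the device."""
    request_line, headers, body = split_request(raw)
    blocked = {"cookie"} | {h.lower() for h in TRACKING_HEADERS}
    lines = [request_line] + [f"{name}: {value}".encode("latin-1")
                              for name, value in headers.items()
                              if name.lower() not in blocked]
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def carrier_forwards(raw: bytes, uidh: str) -> bytes:
    """The carrier's network appends the identifier on the way through.

    It can only do this to a request it can read. Plain HTTP starts with a
    method token; a TLS record does not, is opaque to the network, and is
    passed through untouched, which is why HTTPS defeats the header.
    """
    if not raw.startswith(HTTP_METHODS):
        return raw
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head + b"\r\nX-UIDH: " + uidh.encode("ascii") + sep + body


def server_sees(raw: bytes) -> dict:
    """What the destination site, or its advertising partner, can read."""
    _line, headers, _body = split_request(raw)
    return {name: headers.get(name) for name in TRACKING_HEADERS}


def end_to_end(raw: bytes, uidh: str) -> dict:
    """Run one request through phone -> carrier -> server."""
    return server_sees(carrier_forwards(phone_sends(raw), uidh))


# Constructed sample traffic: a plain HTTP page request carrying a cookie
# the user thinks is the only thing identifying them, and a stand-in for the
# first record of an HTTPS connection (TLS handshake, content type 0x16),
# which the carrier cannot parse.
PLAIN_REQUEST = (b"GET /news HTTP/1.1\r\n"
                 b"Host: www.example.com\r\n"
                 b"Cookie: tracker=12345\r\n"
                 b"User-Agent: Mobile\r\n"
                 b"\r\n")
TLS_RECORD = b"\x16\x03\x01\x00\x2a" + b"\x00" * 42

if __name__ == "__main__":
    print("over HTTP :", end_to_end(PLAIN_REQUEST, "example-uidh-token"))
    print("over HTTPS: carrier left record untouched =",
          carrier_forwards(TLS_RECORD, "example-uidh-token") == TLS_RECORD)
```

The phone strips the cookie and any tracking header it can see, yet the server still receives X-UIDH, because the injection happens downstream of anything the device controls; only the opaque TLS record passes through unchanged.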

AT&T announced in November that it was ending what its press release called an experiment with super-cookies.

Turn announced last week that it would stop compiling profiles that way in February, but I assume it will not stop creating user profiles altogether.

Finally, as the story would not go away, Verizon announced that it is "listening to its customers" and will allow them to opt out of the UIDH real soon now.  The only conclusion I can draw from this is that the UIDH serves no legitimate purpose other than tracking you, and that Verizon is counting on users being too lazy to opt out.  I will report again when the option is actually available.

Mitch

Sony Breach May Break Even More New Ground

Everyone knows that the Sony breach was different from, say, the Target or Home Depot breaches because of the damage that Sony is still, 10 weeks later, trying to recover from.

But now, the insurance experts are adding yet another wrinkle – thanks Sony.

According to the Hartford Courant, Sony may break new ground in the insurance world too.

Cyber insurance policies tend to be vague about coverage for acts of war or terrorism.  Since the government has blamed North Korea for the attack, one might call it an act of war or terrorism.  The President was careful to call it cyber vandalism.  I suspect a number of attorneys argued about that wording, and part of the decision may have been to avoid trouble with Sony's cyber insurance policy.  Of course, what the President calls it has little bearing on what the insurance company calls it, and while there is no indication yet that Sony's carrier is going to try to wiggle out of the policy, it still may.  Writing a $60 million check does cause people to pucker up.

So then, you might rightfully ask: if it is terrorism, did Sony have a terrorism policy?  That issue has not come up yet, so we don't know.

And terrorism insurance is designed to cover losses like the World Trade Center on 9/11, not a hacker wiping computer disks and posting your new movies on an underground message board.

Suffice it to say, this is all new ground.

It would certainly be smart for companies and their insurance brokers to review their coverages and exclusions in light of this.  And at renewal time, it behooves them to read the policy carefully.

Whether Sony's insurer will play this card is unknown; I guess we will have to wait and see.  Even if it does, it will take years to sort out.

One more time Sony is breaking new ground.

Mitch

Privacy, Security and Cyber Risk Mitigation in the Digital Age
