Background Monitoring on Non-Jailbroken iOS 7 Devices

We have created a proof-of-concept “monitoring” app on non-jailbroken iOS 7.0.x devices. This “monitoring” app can record all the user touch/press events in the background, including touches on the screen, home button presses, volume button presses and TouchID presses, and then this app can send all user events to any remote server, as shown in Fig.1. Potential attackers can use such information to reconstruct every character the victim inputs.

via Background Monitoring on Non-Jailbroken iOS 7 Devices — and a Mitigation | FireEye Blog.

Before Apple fixes this issue, the only way for iOS users to avoid this security risk is to use the iOS task manager to stop the apps from running in the background to prevent potential background monitoring.

Yikes! This might be a problem for Android devices as well. I have noticed that, since a device stays on 24/7, resident apps can build up in the background: even though you think you closed an app, it sometimes doesn’t actually close (as in terminate) until its icon is touched to activate it. The proof of concept above got this “keylogger” through Apple’s App Store, which is pretty remarkable.

VPN Related Vulnerability Discovered on an Android device

In this video we demonstrate the vulnerability via the following steps:

  1. We present a regular Android device (in this case it is the popular Samsung S4 device). Behind it we display a screen with a packet-capturing tool, showing the traffic that flows through that computer.
  2. Now the user runs the malicious app and clicks on the Exploit button which takes advantage of the vulnerability in the phone’s system.

via VPN Related Vulnerability Discovered on an Android device – Disclosure Report | Cyber Security Labs @ Ben Gurion University.

The exploit vector requires a user to do something.

Zero-Day Flaws Found, Patched In Siemens Switches

The Siemens switch zero-day vulnerabilities are in the Web server interface to the devices. The researcher says the first of the two zero-day flaws he found in the Siemens SCALANCE X-200 switch was basic: a poorly constructed session ID setup, which would allow an attacker to hijack an administrative session on the switch without credentials. The session ID basically exposes the client’s IP address, so an attacker could then hijack the admin’s Web-based session while managing the switch. “But you don’t log onto these switches very often — maybe once a year — so, in that sense, it’s a weak vulnerability,” he says.

The more critical zero-day Leverett found in the switch was the second one, which would let an attacker take over the admin operations of the switch — no authentication required. The attacker could then download any network configuration information, or upload a malware-ridden firmware update, for example, Leverett says. “The device assumes if you know the URL, you must have authentication. But it never asks you to authenticate [for it],” he says.

via Zero-Day Flaws Found, Patched In Siemens Switches — Dark Reading.
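The two SCALANCE flaws quoted above are a predictable session ID and an admin URL that never asks for authentication. The following added example (my own illustration, not Siemens or Dark Reading code; all names, routes and credentials are constructed) shows the defensive pattern for both: session IDs drawn from a CSPRNG that carry no client attribute such as an IP address, and a deny-by-default dispatcher in which knowing an admin URL is never a substitute for holding a valid session.

```python
import hmac
import secrets

# Constructed in-memory session store (hypothetical, for illustration only).
SESSIONS = {}

def login(username, password, creds):
    """Issue a 256-bit random session ID after a constant-time credential check.

    The ID is random, so it reveals nothing about the client (no IP address,
    no counter) that an observer could reuse to hijack the admin session.
    """
    expected = creds.get(username)
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid

# Every privileged path is listed explicitly; anything else is rejected
# outright, so there is no route that "assumes you must be authenticated".
ADMIN_ROUTES = {"/admin/config/download", "/admin/firmware/upload"}

def handle(path, session_id):
    """Deny-by-default dispatcher: 404 for unknown paths, 401 without a valid session."""
    if path not in ADMIN_ROUTES:
        return 404, "not found"
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, "authentication required"
    return 200, f"{user} -> {path}"

def demo():
    """Return the status codes for four constructed requests (see comments)."""
    creds = {"admin": "constructed-demo-password"}
    sid = login("admin", "constructed-demo-password", creds)
    return [
        handle("/admin/config/download", None)[0],          # 401: URL alone is not auth
        handle("/admin/config/download", "guessed-id")[0],  # 401: unknown session ID
        handle("/admin/config/download", sid)[0],           # 200: genuine session
        handle("/admin/unknown", sid)[0],                    # 404: not a route at all
    ]

if __name__ == "__main__":
    print(demo())
```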

Malicious advertisements served via Yahoo

Clients visiting yahoo.com received advertisements served by ads.yahoo.com. Some of the advertisements are malicious. Those malicious advertisements are iframes hosted on the following domains:

  • blistartoncom.org (192.133.137.59), registered on 1 Jan 2014
  • slaptonitkons.net (192.133.137.100), registered on 1 Jan 2014
  • original-filmsonline.com (192.133.137.63)
  • funnyboobsonline.org (192.133.137.247)
  • yagerass.org (192.133.137.56)

via Malicious advertisements served via Yahoo | Fox-IT International blog.

14 MEPs emails intercepted by a hacker thanks to Microsoft flaws

My best guess is that what they did was to impersonate the EP-EXT wifi network and steal our credentials from the login page (https://wifiauth.europarl.europa.eu/, now no longer available, see screenshot below for what it more-or-less used to look like). In this scenario, after I automatically connect to the rogue WiFi (because my phone recognizes the SSID), it presents me with the familiar login page, but this time it’s not HTTPS but plain HTTP. So, no warning about a self-signed certificate is presented to the user.

After I type in my credentials, the rogue WiFi is turned off for a minute or more, so my phone re-connects to the real EP-EXT network and I am asked for my credentials again. I would probably think that I mistyped the password or something and not think twice about it. After a minute the rogue WiFi goes back online, waiting for the next victim.

via epfsug – Re: Ang.: [EPFSUG] 14 MEPs emails intercepted by a hacker thanks to Microsoft flaws – arc.

This is classic MITM, where a user inadvertently accepts a different certificate than the one provided by the mail server, which allows the man in the middle access to the encrypted stream. Always be on the lookout for those pop-up notifications. An attacker can’t get to an encrypted stream without your permission — even on an unsecured open Wi-Fi.

From: Temporary Switch-off of the EP Public WI-FI Network. EP Private Wi-Fi Network Still Available.

The Parliament has been subject to a man-in-the-middle attack, where a hacker has captured the communication between private smartphones and the public Wi-Fi of the Parliament (EP-EXT Network).

The consequence is that some individual mail-boxes have been compromised. All concerned users have already been contacted and asked to change their password.

As a precaution, the Parliament has therefore decided to switch off the public Wi-Fi network until further notice, and we invite you to contact the ITEC Service Desk in order to install an EP software certificate on all the devices that you use to access the EP IT systems (email, etc.).

Targeted Internet Traffic Misdirection

In practical terms, this means that Man-In-the-Middle BGP route hijacking has now moved from a theoretical concern to something that happens fairly regularly, and the potential for traffic interception is very real. Everyone on the Internet — certainly the largest global carriers, certainly any bank or credit card processing company or government agency — should now be monitoring the global routing of their advertised IP prefixes.

This kind of attack should not happen. You cannot carry out this kind of hijacking without leaving permanent, visible footprints in global routing that point right back to the point of interception. We believe that people are still attempting this because they believe (correctly, in most cases) that nobody is looking.

via The New Threat: Targeted Internet Traffic Misdirection – Renesys.
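Renesys’ advice is that every prefix holder should be watching how its own prefixes are routed, and that an interception leaves visible footprints in the global table. The added example below (my own code, not Renesys’; all ASNs, prefixes and feed lines are constructed) runs route-collector style announcements against an expected-origin table and flags the three footprints the post alludes to: a wrong origin, a more-specific announced from outside, and a path that keeps the legitimate origin but inserts an unknown neighbour beside it.

```python
import ipaddress

# Constructed expectations (hypothetical values): prefixes we advertise, the ASNs
# allowed to originate each one, and the transit providers we actually connect to.
EXPECTED_ORIGINS = {
    ipaddress.ip_network("203.0.113.0/24"): {64496},
    ipaddress.ip_network("198.51.100.0/23"): {64496, 64497},
}
KNOWN_UPSTREAMS = {64500, 64501}

def parse_announcement(line):
    """Parse a constructed collector line '<prefix> <as_path>' (last AS is the origin)."""
    prefix, path = line.split(maxsplit=1)
    return ipaddress.ip_network(prefix), [int(a) for a in path.split()]

def check_announcement(net, path):
    """Return alerts for one observed announcement; an empty list means it looks legitimate."""
    alerts = []
    origin = path[-1]
    for own, origins in EXPECTED_ORIGINS.items():
        if net.version != own.version or not net.subnet_of(own):
            continue  # unrelated prefix
        if net == own and origin not in origins:
            alerts.append(f"ORIGIN-HIJACK {net} originated by AS{origin}")
        elif net != own:
            # Longest-prefix match means a more-specific wins wherever it is heard.
            kind = "MORE-SPECIFIC" if origin in origins else "MORE-SPECIFIC-HIJACK"
            alerts.append(f"{kind} {net} inside {own} originated by AS{origin}")
        if origin in origins and len(path) > 1 and path[-2] not in KNOWN_UPSTREAMS:
            # Path-preserving interception keeps our origin but places the
            # interceptor next to it; that neighbour is the visible footprint.
            alerts.append(f"UNEXPECTED-UPSTREAM AS{path[-2]} adjacent to origin for {net}")
    return alerts

def scan(lines):
    """Check every collector line; returns {line: alerts} for the flagged ones."""
    flagged = {}
    for line in lines:
        net, path = parse_announcement(line)
        alerts = check_announcement(net, path)
        if alerts:
            flagged[line] = alerts
    return flagged

# Constructed sample feed: clean route, origin hijack, more-specific hijack,
# and a path-preserving interception through an unknown neighbour.
SAMPLE_FEED = [
    "203.0.113.0/24 64510 64500 64496",
    "203.0.113.0/24 64510 64666",
    "198.51.100.0/24 64510 64666",
    "203.0.113.0/24 64510 64666 64496",
]
```

Running `scan(SAMPLE_FEED)` flags the last three lines; in practice the feed would come from a route collector or a monitoring service rather than a hard-coded list.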

Microsoft Warns Customers Away From RC4, SHA-1

RC4 is among the older stream cipher suites in use today, and there have been a number of practical attacks against it, including plaintext-recovery attacks. The improvements in computing power have made many of these attacks more feasible for attackers, and so Microsoft is telling developers to drop RC4 from their applications.

via Microsoft Warns Customers Away From RC4, SHA-1 | Threatpost | The First Stop For Security News.

The software company is also recommending that certificate authorities and others stop using the SHA-1 algorithm.

Critical NETGEAR ReadyNAS Frontview security vulnerability

Frontview is the ReadyNAS web management interface; the vulnerability, which stems from a failure to validate or sanitize user input, allows command injection and can be triggered without authentication, Young said.

“The consequence is that an unauthenticated HTTP request can inject arbitrary Perl code to run on the server,” Young wrote on the Tripwire blog. “Naturally, this includes the ability to execute commands on the ReadyNAS embedded Linux in the context of the Apache web server.”

via Critical NETGEAR ReadyNAS Frontview security vulnerability | Threatpost | The First Stop For Security News.

5 Reasons Every Company Should Have A Honeypot

While honeypots have been used widely by researchers to study the methods of attackers, they can be very useful to defenders as well. Here are five advantages that the digital sandboxes can bring to companies.

via 5 Reasons Every Company Should Have A Honeypot — Dark Reading.

Honeypots fill the gap, because attackers have a much more difficult time predicting their use and countering the defenses, Strand says. Because production honeypots are machines that no legitimate user should be accessing, they also have a low false positive rate.

iPhone Hacked in Under 60 Seconds Using Malicious Charger

Once the charger is plugged in and the user inputs their PIN code, the charger silently and invisibly removes the target app, in this case the official Facebook app. It then replaces it – in exactly the same position on your iPhone/iPad homescreen – with what looks like a perfect replacement.

In actual fact this is malware and once you launch it, your phone/tablet has been compromised. This malware could be used to capture passwords, take screenshots, access your contacts, messages and phone calls, or even make premium rate calls.

via iPhone Hacked in Under 60 Seconds Using Malicious Charger – IBTimes UK.