Category Archives: Internet

Test your browser’s security

A new, free, web-based service from cyscon GmbH tests your web browser and reports any security issues it finds.

Check-and-secure starts by checking your computer for open ports, then compares your IP address against a list of addresses associated with botnet activity.

Next, you have the option of checking your browser version and looking for out-of-date plugins like Java, Flash, and Silverlight. This is arguably the most useful part of the service, and you can get to it directly, which is handy.

The remainder of the service consists of offers to install various local security software packages. I haven’t yet tried the Cyscon Vaccination software, so can’t comment on its efficacy.

February security roundup

In February, a security researcher discovered that a Silverlight exploit – patched by Microsoft in January – is now being distributed through the Angler hacking kit. The researcher also found web sites using the exploit to infect site visitors who have not yet installed the Silverlight patch.

Comodo Internet Security, a highly-rated security package, was found to include features that actually make the host computer less secure. Most notably, that included a VNC server running without a password. VNC is a remote desktop application. The problems were resolved in subsequent updates from Comodo.

Brian Krebs wrote about serious security issues found in some Internet-connected Trane thermostats, and warns buyers to use caution when purchasing ‘smart’ devices.

IPv6 addresses are confusing

ZeroTier has an interesting and amusing look at IPv6 addresses.

At one time, there were a lot of dire predictions about running out of Internet addresses. It seemed clear that given the number of addresses available with the IPv4 scheme, they would soon all be in use. The increasing use of Network Address Translation (NAT) provided relief, as each single address was then able to provide Internet access to multiple devices behind a router.

However, NAT only delayed the inevitable for IPv4, and IPv6 was planned as its replacement. While there are only four billion IPv4 addresses, IPv6 allows for up to 340,000,000,000,000,000,000,000,000,000,000,000,000 addresses. Which should be plenty, even once the Internet expands to other planets.

Acceptance and deployment of IPv6 has been steady, but there are a few hurdles to overcome. One of those is the IPv6 numbering scheme itself.

I’m sure you’re familiar with the IPv4 scheme, in which any device on the Internet is identified by a sequence of four numbers, like this: 123.456.789.123. A full IPv6 address looks like this: adde:efbe:0000:0000:0000:0000:0000:0001. That’s a lot of digits to remember.

Luckily, the IPv6 developers invented ways to abbreviate IPv6 addresses, so that they typically look more like these:

  • adde:efbe::1
  • 2607:f2f8:a368::2
  • fe80::3cee:cdff:fe30:c27
  • fe80::1
  • 2607:f8b0:4007:809::200e

But while those abbreviated numbers are shorter, they are difficult to understand. The ZeroTier post explains why.

NetworkWorld has a fun and informative infographic that compares IPv4 and IPv6.

Critical security flaw affects millions of systems

Here we go again. Researchers have discovered (actually more like rediscovered) a very bad flaw in the commonly-used GNU C Library, also known as glibc.

The flaw has existed, undiscovered, since 2008. It was discovered and reported to the glibc maintainers in July of 2015 (CVE-2015-7547), but nothing was done about it until Google researchers re-discovered the flaw and reported it on a public security blog.

The glibc maintainers reacted to the Google revelations by developing and publishing a patch. It’s not clear why such a serious vulnerability was not fixed sooner.

But that’s not the end of the story. Any computer or device that runs some flavour of Linux, including most of the world’s web servers and many routers, is potentially vulnerable. Individual software applications that are compiled with glibc are also potentially vulnerable.

Although it’s safe to assume that diligent sysadmins will update their Linux computers, tracking down all the affected software will take time. The Linux firmware running on routers and other network devices will be updated much more slowly, if at all. All of this opens up many exploitation possibilities for the foreseeable future.

The good news is that there are several mitigating factors. Many routers don’t use glibc. In some cases, default settings will prevent exploits from working. Android devices are not vulnerable. Still, this problem is likely to get worse before it gets better.

Update 2016Feb20: Dan Kaminsky just posted his analysis of the glibc vulnerability. It’s very technical, but if you’re looking for a deeper dive into this subject, it’s a great place to start. Dan helpfully explains why it’s difficult to predict just how bad things will get.

Google clamps down on misleading ‘download’ buttons

We’ve all run into this: you’re trying to find some software, and when you finally get to a download page, you’re faced with multiple DOWNLOAD buttons. It’s like a really bad game, in which clicking the right button gets you the software, and clicking the wrong one infects your computer with malware.

Google is aware of this problem, and in keeping with its goal of using its vast resources to help protect users, will now detect these misleading buttons and warn users. Increasingly, when you navigate to a page with these deceptive buttons, Google will warn you: ‘Deceptive Content Ahead’. A welcome improvement.

Latest Ouch! newsletters from SANS

It’s been a while since I posted a link to the SANS Ouch! Security Awareness (“Securing The Human”) Newsletter. It’s a monthly PDF publication that’s aimed at ordinary users, and each issue covers a topic that is – or should be – of interest to everyone.

The most recent issues are Two Step Verification, Password Managers, and Shopping Online Securely. Note: these are all PDF documents.

Note: because they are written for ordinary users, more knowledgeable users may not learn anything new from Ouch! newsletters. Still, they’re worth reading and passing on to anyone who may benefit.

Many new top-level domains used for malicious activity

Blue Coat, a company that develops network security software, recently published a report on the amount of shady activity associated with top-level domains (TLDs) on the Internet. Examples of TLDs are .com, .net, and country-specific domains like .ca and .us.

A few years ago, a new batch of TLDs was introduced, including .zip, .review and .country. At the time, ICANN said the changes would “unleash the global human imagination.” Well, as was widely predicted, many of those new TLDs are apparently being used almost exclusively in connection with all kinds of malicious activity. Apparently it was mostly the imagination of criminals that was unleashed.

July security roundup

Flash improvements

Adobe is trying desperately to keep Flash viable. In July, they announced structural changes that are expected to strengthen Flash’s overall security. The changes are so far only available in the most recent versions of Chrome, but they are expected to find their way into the other major browsers in August.

Asprox botnet status

There’s an interesting (though technical) overview of recent changes in the behaviour of the Asprox botnet over on the SANS Handler’s Diary. Apparently the botnet is no longer sending malware attachments, and is instead sending pornography and diet-related spam. Comparing my inbox contents with the samples in the linked article, it looks like most of the spam I currently receive is thanks to Asprox. Hopefully Asprox will be targeted by the anti-botnet heavy hitters in the near future.

Flaw in BIND could cause widespread issues

BIND is one of the most common pieces of software on Internet-facing servers. It translates human-readable addresses like ‘boot13.com’ into IP addresses. A bug in version 9 of BIND causes it to crash when a specially-crafted packet is sent to it. Attackers could exploit this bug to execute an effective Denial of Service (DoS) attack against a server running BIND9. Patches have been created and distributed, but any remaining unpatched servers are likely to be identified and attacked in the coming months. Update 2015Aug05: As expected, this bug is now being actively exploited.

Mobile versions of IE are vulnerable

Current, patched versions of Internet Explorer running on mobile devices were recently reported to have four flaws that could allow attackers to run code remotely. Exploits were published, although none have yet been seen in the wild. The vulnerabilities were disclosed by the HP/TippingPoint researchers who discovered them, six months after they privately reported them to Microsoft. Microsoft has yet to patch these vulnerabilities; they apparently feel that the vulnerabilities are too difficult to exploit to be dangerous.

Stagefright vulnerability on Android devices

A flaw in Stagefright, a core Android software library that processes certain types of media, makes almost all Android phones and tablets vulnerable. The flaw can be exploited as easily as sending a specially-crafted text (MMS) message to a phone, but also by tricking the user into visiting a specific web site. Successful attackers can then access user data and execute code remotely. Unfortunately for users, it’s up to individual manufacturers to develop and provide patches, and this process may take months in some cases. There’s not much users can do to mitigate this problem until patches arrive. Update 2015Aug05: Google is working with its partners to push updates to affected mobile devices.

Mediaserver vulnerability on Android devices

More bad news for Android users: the mediaserver service apparently has difficulty processing MKV media files, and can render a device unusable when it encounters one on a malicious web site. In most cases, the device can be brought back to life by powering it down and back up again.

Android spyware toolkit widely available

And the hits just keep on coming for Android devices. Among the information revealed in the recent Hacking Team breach was the source code for an advanced Android spyware toolkit called RCSAndroid. Like everything else taken from Hacking Team’s systems, this has now been published, and no doubt malicious persons are working on ways to use the toolkit. There’s no easy way to protect yourself from this toolkit, aside from keeping your device up to date with patches. From Trend Micro: “Mobile users are called on to be on top of this news and be on guard for signs of monitoring. Some indicators may come in the form of peculiar behavior such as unexpected rebooting, finding unfamiliar apps installed, or instant messaging apps suddenly freezing.”

We’re finally running out of IP addresses

Some of you may remember dire predictions, years ago, that the Internet would soon run out of IP addresses. These predictions turned out to be somewhat early. A variety of factors combined to decrease the rate at which new address blocks were required. Still, it was clear that the limit would be reached, so the Internet Engineering Task Force (IETF) got to work designing a new IP address scheme. The new scheme is called IPv6, and supports a virtually unlimited number of addresses. The current IPv4 address system supports up to 4,294,967,296 unique addresses.

A typical IPv4 address: 96.49.181.168
A typical IPv6 address: 2001:db8:85a3::8a2e:370:7334

Now, according to the American Registry for Internet Numbers (ARIN), the organization that doles out IP address blocks, we’re about to run out of IP addresses at last.

Before you start to panic, you should know that reaching this limit only really affects Internet Service Providers (ISPs). These organizations are the ones who buy IP blocks, then provide them to regular users. New ISPs, and ISPs that need to expand, are going to find it increasingly difficult to obtain the addresses they need.

There’s more good news: since we’ve seen this problem coming for a while now, most network hardware and operating systems are fully compatible with IPv6, including Windows XP and newer. When it’s time to make the switch, it will happen gradually, and will involve enabling IPv6 on devices and in operating systems where it’s currently disabled. Of course, there are likely to be glitches during the transition, but given the amount of testing already done, these should be resolved quickly. In most countries, the transition to IPv6 has already begun, with adoption as high as 35% in Belgium.

Security roundup for June 2015

What’s in a name?

ICANN is the non-profit organization that governs the basic naming system used on the Internet. Anyone who owns a domain name has an ongoing relationship (even if indirect) with ICANN. Unfortunately, there’s alarming evidence that ICANN is now being guided by corporate interests. Update 2015Jul08: this is a very real privacy threat.

ICANN wants to make it impossible for site owners to be anonymous. They insist that this will only apply to commercial sites, but the definition of commercial promises to be so vague that almost any site would qualify. Spammers will be rubbing their hands together in glee, since the information associated with domain registration is extremely valuable to them.

Free proxies: use with caution

Brian Krebs reports on recent research in which 443 free, open proxy services were tested, to determine whether they: a) support secure web traffic; b) maintain the privacy of user information; and c) modify user traffic in any way. Fully 79% of the tested proxies force web pages to load non-securely, which means that the service operator can see all their user traffic in unencrypted form. Sixteen percent of the services actively insert advertising into customer web traffic.

Recommendation: if you’re looking for a free proxy service, try to find one that allows secure (HTTPS) web traffic.

Why We Encrypt

Another insightful post from security expert Bruce Schneier explains why encryption is important, why it should be enabled by default, and why recent efforts to weaken encryption are a huge mistake.

Failure to encrypt

Researchers at AppBugs used their security software to detect flaws in the way apps encrypt Internet traffic, and the results are depressing. Over fifty Android applications – downloaded by millions of users – are using encryption incorrectly, or not at all. While some of these apps probably don’t transmit anything sensitive, many do, including several high profile apps from the NBA, Match.com, Safeway, and Pizza Hut.

New method for managing passwords

The free, open source Master Password simplifies the task of securely generating and storing secure, unique passwords. It does this without the need to store or access anything on the Internet; all you need is the app itself and a master password. The catch? You’ll have to generate and set new passwords for all the sites and services you use. Master Password is available for iPhone/iPad, Mac, Windows Desktop, Android, and on the web.

Steganography toolkit for malware

Steganography is a technique used to hide information inside otherwise harmless-looking image files. Security researchers have previously detected its use in hiding malware, but now they’ve discovered software that helps malware authors use the technique. Dell SecureWorks researchers recently analyzed Stegoloader’s capabilities. From their report:

Stegoloader is stealthy in many aspects; it evades analysis tools and deploys only necessary modules, without writing them to disk. Although CTU researchers have not observed Stegoloader being used in targeted attacks, it has significant information stealing capabilities.

The dangers of using secret questions for account recovery

Anyone who uses Internet-based services has seen them: ‘secret’ questions and answers you set up to facilitate password resets and account recovery. The idea is that the service can be sure you are who you say you are because you can correctly answer one or more of these questions. The problem is that this method has serious failings, as reported by Google researchers (PDF). The authors recommend using email-based, or – better still – SMS/text-based account recovery methods.

Testing your anti-malware solution

Is your anti-malware software working? Short of visiting a web site known to distribute malware, how can you be sure? One method involves a special string of text known as the EICAR test. Visit the EICAR web site and download a file containing the text; your anti-malware software should detect the text and identify it as the EICAR test. Alternatively, you can download Didier Stevens’ EICARGen software, which generates files containing the EICAR text. Depending on your anti-malware software’s configuration, the EICAR text may be detected when you attempt to download it, or when you write, read, or execute a file containing it. I currently use Avast, which by default detects EICAR when attempting to download it, and during full and explicit scans, but only detects EICAR in existing files when they are executed.
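An added example, not Didier Stevens’ EICARGen and not code from this blog: a small Python script that assembles the EICAR string from two fragments, checks that a file meets the EICAR definition (the 68-byte string, optionally followed by whitespace, 128 bytes at most), and then writes the file and reads it back so you can see at which of those stages on-access scanning steps in. The file name `eicar.com` and the `probe_scanner` function are my own choices.

```python
import os

# The 68-byte EICAR test string, split in two so that this source file does not
# itself contain the contiguous signature (an on-access scanner could otherwise
# quarantine the script before it runs).
EICAR_PARTS = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
               "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
# Trailing whitespace the EICAR specification permits after the signature.
ALLOWED_PADDING = b" \t\r\n\x1a"

def eicar_string() -> bytes:
    """Assemble the canonical 68-byte test string."""
    return "".join(EICAR_PARTS).encode("ascii")

def is_valid_eicar_file(data: bytes) -> bool:
    """True if data is a well-formed EICAR file: the 68-byte string, optionally
    followed by permitted whitespace, at most 128 bytes in total. A scanner is
    only expected to flag files that meet this definition, so a padded or
    re-encoded copy that fails this check is not a meaningful test."""
    sig = eicar_string()
    if len(data) > 128 or not data.startswith(sig):
        return False
    return all(b in ALLOWED_PADDING for b in data[len(sig):])

def probe_scanner(directory: str) -> dict:
    """Write the test file, then read it back, recording the outcome of each
    stage. With on-write or on-read scanning enabled one stage is blocked or
    the file comes back altered/missing; with no scanner both stages are 'ok'."""
    path = os.path.join(directory, "eicar.com")
    result = {}
    try:
        with open(path, "wb") as fh:
            fh.write(eicar_string())
        result["write"] = "ok"
    except OSError as exc:
        result["write"] = f"blocked ({exc.strerror})"
        return result
    try:
        with open(path, "rb") as fh:
            data = fh.read()
        result["read"] = "ok" if is_valid_eicar_file(data) else "altered"
    except OSError as exc:
        result["read"] = f"blocked ({exc.strerror})"
    return result
```

Call `probe_scanner` with a writable directory; a result of `{'write': 'ok', 'read': 'ok'}` means neither on-write nor on-read scanning caught the file, so detection would only happen on an explicit scan or on execution, as described above for Avast.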