Category Archives: Security

aka infosec

Adobe, Flash, Security, Windows

New Flash vulnerability discovered

Leave a comment

According to a security bulletin published yesterday by Adobe, all versions of Flash older than 21.0.0.182 running on Windows are vulnerable. The specific vulnerability involved — designated CVE-2016-1019 — is flagged as Critical, and could allow an attacker to crash or take over control of targeted Windows systems.

Adobe says that Flash 21.0.0.182 contains a mitigation that protects it from this vulnerability, so if you use Flash, and you’re not already running 21.0.0.182 or newer, you should install it ASAP.

Adobe is working on a more comprehensive fix for this vulnerability and plans to release another new version of Flash in the next day or so.

Firefox, Security

Malicious Firefox add-ons can co-opt other, vulnerable add-ons

Leave a comment

Security researchers recently discovered that Firefox add-ons can use functions and data from other add-ons. This allows malicious persons to create seemingly-innocuous add-ons that look for and use vulnerable versions of popular add-ons like NoScript and Firebug.

For this type of exploit to work, a user would need to a) leave a vulnerable add-on unpatched; and b) install the malicious add-on. Which means that we have yet another reason to make sure that Firefox add-ons are kept up to date. Thankfully, the extremely useful NoScript add-on receives updates automatically, and frequently.

This also serves as a reminder to be careful when installing any add-on, no matter how innocuous it seems.

Mozilla is currently revamping the add-on framework in Firefox. The new system will improve security, preventing add-ons from accessing each others’ functions and data.

Security, Tools

Password managers

Leave a comment

“If you’re not using a password manager, you should be.” You’ve heard the refrain, and you’re probably tired of hearing it. But we won’t stop saying it until people get the message.

Rule #1 in online security is “Don’t re-use passwords for multiple web sites and services.” Rule #2 is “Use long, complex passwords.” Following those two rules means you have to remember multiple, long, complex passwords. This is not something humans are particularly good at, which is why we need password management software.

I use Password Corral, free Windows software from Cygnus Productions. It’s not limited to storing passwords, so you can use it for bank accounts, license information, and so on. It can generate strong passwords according to customizable rules. It won’t fill in web forms for you, and it can’t be accessed on the cloud, but I don’t actually want either of those features.

I also recommend Bruce Schneier’s Password Safe.

When deciding on a password management solution, there are several factors to consider. There’s a useful comparison of password management tools (PDF) over at the SANS InfoSec Reading Room. It doesn’t include Password Corral or Password Safe, preferring to concentrate on the more mainstream and popular services, but it’s worth reading.

Adware, Android, Google, Hardware, Internet crime, Malware, Mobile, Opera, Security, Spam and scams

Security roundup for March 2016

Leave a comment

Ransomware made news frequently in March. Two more healthcare networks in the USA were hit with ransomware. A new variety of ransomware called Petya took things to a new level, encrypting the core data structures of hard drives. TeslaCrypt continued its destructive march across Europe and into the USA. A surge in malware-laden advertising (aka malvertising) on several popular web sites, including the Certified Ethical Hacker site, led to numerous ransomware infections.

Smartphones and tablets running Google’s Android operating system remain a popular target for malware. A newly-discovered vulnerability can allow malware to permanently take over a device at the root level. Malware that exploits the still largely unpatched Stagefright vulnerability was identified.

Security researchers discovered malware that can infect computers that are not connected to networks, using external USB devices like thumb drives. The malware, dubbed USB Thief, steals large quantities of data and leaves very little evidence of its presence.

A hacking group known as Suckfly is using stolen security certificates to bypass code signing mechanisms, allowing them to distribute malware-laden apps more effectively.

The folks at Duo Security published an interesting post that aims to demystify malware attacks, describing malware infrastructure and explaining how malware spreads.

Ars Technica reported on the surprising resurgence of Office macro malware. Macros embedded in Office (Word, Excel) documents were a major problem in the 1990s but subsequent security improvements by Microsoft reduced their prevalence until recently. Getting around those improvements only requires tricking the document’s recipient into enabling macros, and it turns out that this is surprisingly easy.

Millions of customer records were made available in the wake of yet another major security breach, this time at Verizon.

Google continued to improve the security of its products, with more encryption, better user notifications and other enhancements to GMail.

Brian Krebs reported on spammers taking advantage of the trust users have in ‘.gov’ domains to redirect unsuspecting users to their spammy offerings.

Opera announced that their web browser will now include ad-blocking features that are enabled by default.

Chrome, Google, Patches and updates, Security

Chrome 49.0.2623.108

Leave a comment

Earlier this week, Google announced another new version of Chrome.

Version 49.0.2623.108 addresses five security issues, so if you use Chrome, you should make sure it’s up to date. Click the browser’s ‘hamburger’ menu at the top right, then select Help > About Google Chrome. If you’re not running the latest version, Chrome will start the update process automatically.

The full log lists about sixty changes in the new version, but nothing particularly interesting.

Java, Patches and updates, Security

Java 8 Update 77

Leave a comment

A single major security bug fix appears to be the reason for the newest version of Java 8: Update 77.

The release notes don’t provide much useful information, and neither does the security alert for the bug addressed in the new version.

If you’re still using a web browser with Java enabled, you should consider disabling it. At least configure it as ‘click to play’, so that Java content doesn’t load and play automatically on any web page you visit. If you’re not sure whether Java is enabled in your browser, find out by visiting Check-and-Secure.

Internet crime, Security, Tools

Was your account exposed as part of a breach?

Leave a comment

It seems like every few weeks another web site or online service is breached. When that happens, user account information is almost always stolen, and usually published online.

If you have an account on a breached site or service, you may not be in any immediate danger. Often, only email addresses are published. Sometimes account/user names are also published. Occasionally, encrypted passwords are published, and when that happens, the weaker of those passwords are also quickly decrypted. The worst case scenario is where you’ve used a single, weak password for several different web sites or services.

After learning about a breach on a site or service, your first step should be to determine whether you have an account there. If you do, you should sign in and change the account’s password immediately (sometimes this is forced by the site owner in response to a breach). Then, if you’ve used the same account/email + password anywhere else, sign in to those other sites and change those passwords. Then stop using the same password everywhere, and start using a password manager like Password Corral.

If you’re not sure where you’ve used a particular account/user name or email address, you should start by searching for them on the Have I Been Pwned site. ‘Pwn’ is gamer slang for ‘own’, if you were wondering. Enter a username or email address, and the site will search it them in all known lists of breach data.

Java, Patches and updates, Security

Old Java vulnerability still not fixed

Leave a comment

A serious security vulnerability affecting current versions of Java, originally reported in 2012 (PDF), remains only partially fixed, according to Adam Gowdiak of Security Explorations.

When Oracle released Java 7 Update 40 in October 2013, the original issue appeared to have been fixed. Subsequent testing showed that while the fix addressed the original Proof of Concept code provided by Mr. Gowdiak, changing the PoC code slightly revealed that the fix was incomplete.

Until recently, Gowdiak was reluctant to announce his discovery of the partial fix, because of his own organization’s disclosure policies. On March 7, 2016, those policies were updated: “A recent change to those policies means that if an instance of a broken fix for a vulnerability we already reported to the vendor is encountered, it gets disclosed by us without any prior notice.”

Mr. Gowdiak revealed his findings (PDF) at the recent Javaland conference, and on the Full Disclosure security email list. The original PoC code was altered slightly to demonstrate the vulnerability and provided to Oracle.

Whether we will ever see a complete fix for this issue remains to be seen. Meanwhile, our advice about Java is unchanged: if you don’t need it, uninstall it. If you need it to run a specific application, remove Java from your web browsers, or leave it enabled in a browser you only use for specific applications. At the very least, make sure your browsers are configured so that Java content does not run automatically (i.e. enable click-to-play).

You can read more about the history of this and other Java security vulnerability research conducted by Adam Gowdiak at his Security Explorations web site.

Other references: Ars Technica.

Adobe, Edge, Flash, Internet Explorer, Patches and updates, Security

Emergency update for Flash

Leave a comment

If you use a web browser with Flash enabled, you should stop what you’re doing and update Flash.

According to the associated Adobe security bulletin, Flash 21.0.0.182 fixes twenty-three security vulnerabilities, including one (CVE-2016-1010) that is being actively exploited on the web.

The release notes for Flash 21.0.0.182 provide additional details. The new version fixes several bugs that are unrelated to security, and adds some new features.

As usual, Chrome will update itself with the new version of Flash, and Internet Explorer and Edge on newer versions of Windows will be updated via Windows Update.