The folks over at Duo Security recently posted a fun infographic about some of the more common network-based attacks. It’s presented in a comic book format, but it includes some useful descriptions of actual events from the past year or so. Highly recommended.
Facebook gives Tor a huge boost
Tor (The Onion Router) is a software toolkit that can be used to make your Internet-based communication more secure. It’s been getting a lot more attention since the Snowden leaks, as most people are uncomfortable with the knowledge that the NSA is spying on everyone.
Of course, the NSA and its supporters characterize Tor as a tool for criminals and terrorists, but in fact it’s used by plenty of regular folks who just want some privacy on the ‘net. Certainly there are some people who use Tor to hide criminal activity, but those people also use telephones.
Note that if Tor is used improperly, it won’t completely hide your Internet activity. It also adds overhead to network communications, making browsing somewhat slower. Worse, many Internet-based services and sites now detect the use of Tor, and limit or block Tor connections. As a result, Tor has been falling out of favour lately.
Now Facebook, in a move that seems to have surprised everyone, has decided to back Tor in a big way. A version of Facebook is now available via Tor. This move has the potential to propel Tor into wider use, and sets a standard for the general acceptance of Tor by large service providers. Whether Facebook actually turns out to be the ‘killer app’ for Tor remains to be seen.
Extremely critical Drupal vulnerability
Drupal is a Content Management System, similar to WordPress and Joomla. On October 15th, a very dangerous vulnerability in Drupal was announced. Within hours, exploits attacking this vulnerability started to appear on the web.
Yesterday, a special follow-up Public Service Announcement was posted on the Drupal web site. From the Drupal PSA:
Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement. Simply updating to Drupal 7.32 will not remove backdoors.
Anyone who runs a Drupal site should deal with this issue immediately.
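The PSA's warning that updating to 7.32 does not remove backdoors means an administrator has to find what was changed, not just patch. The usual first step is to hash every file in the live site and compare it with a clean copy of the same release. The script below is an added example written for this post, not code from the Drupal project; it builds two tiny constructed directory trees in place of a real Drupal checkout and a real site, and reports files that were added or modified. Anything it flags (a shipped file whose hash differs, or a PHP file sitting where no PHP file should be) deserves a look. It cannot see backdoors stored in the database or in settings the attacker changed through the admin UI, so it complements, rather than replaces, restoring from a pre-compromise backup.

```python
import hashlib
import os
import tempfile

# Constructed sample trees standing in for (a) a clean download of the
# release and (b) the live site under investigation. The baseline must come
# from a trusted copy, never from the possibly compromised site itself.
CLEAN_RELEASE = {
    "index.php": "<?php\n// front controller\n",
    "includes/database/database.inc": "<?php\n// database layer\n",
    "modules/node/node.module": "<?php\n// node module\n",
}

SUSPECT_SITE = {
    "index.php": "<?php\n// front controller\n",
    "includes/database/database.inc": "<?php\n// database layer\n",
    # A shipped file with unexpected extra code appended to it.
    "modules/node/node.module": "<?php\n// node module\n// unexpected extra code here\n",
    # A PHP file in the uploads directory, where no release file lives.
    "sites/default/files/cache.php": "<?php\n// not part of any Drupal release\n",
}


def write_tree(root, files):
    """Materialise a {relative path: content} mapping under root (demo only)."""
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def hash_tree(root):
    """Return {relative path: sha256 hex digest} for every file under root."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_trees(baseline, current):
    """Classify paths as added, removed, or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def run_demo():
    """Compare the constructed clean release against the constructed site."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean")
        site = os.path.join(tmp, "site")
        write_tree(clean, CLEAN_RELEASE)
        write_tree(site, SUSPECT_SITE)
        return diff_trees(hash_tree(clean), hash_tree(site))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

On a real site, point `hash_tree` at the web root and at an untouched extract of the same Drupal version, and expect legitimate differences in `sites/default/settings.php` and in uploaded content; the signal is in modified core or module files and in executable files under the uploads directory.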
New versions of Firefox fix hardware-related problems
Two new Firefox releases in the past few days fix crashing and black screen problems experienced by some users in Firefox 33.0.
Firefox 33.0.1 fixes a black screen at start-up with certain graphics drivers.
Firefox 33.0.2 fixes a startup crash with some combinations of hardware and drivers.
As usual, there were no proper announcements for the new versions. The release notes have improved, but they still list changes from previous versions, and the link to the complete list of changes shows a list so long that Bugzilla can’t even display it properly. Clearly the vast majority of issues shown there were addressed in much earlier versions.
Last chance to buy Windows 7 Home and Ultimate
After October 31st, you will no longer be able to purchase the Home Basic, Home Premium and Ultimate versions of Windows 7. The Professional version will still be available, and Microsoft has yet to announce when that will stop.
If you are planning to purchase or build a new PC and want to run Windows 7 Home or Ultimate, you need to buy your Windows license before the end of the month.
Chrome 38.0.2125.111 released
Another new version of Chrome was announced yesterday.
The announcement unfortunately contains no details about what was changed. There is a link to the full change log, but that page is rather technical and likely difficult to read for typical users. However, it appears that the new version fixes several minor bugs, none of which are related to security.
Reviewing the change log reveals this:
Flip 32-bit warning string to let users know it’s the end of the line. The string is changing to “This computer will no longer receive Google Chrome updates because its hardware is no longer supported.” Previously, the message began with “This computer will soon stop receiving”.
Since my main computer currently runs a 32-bit O/S, I became somewhat alarmed at this. Digging into the related material, I was able to determine that the message in question is only for Mac systems. 32-bit versions of Windows will continue to receive Chrome updates.
Java 8 ready for general use
Back in March, Java 8 was made available for developers and anyone else interested in testing it. Soon afterward, Oracle clarified their position on Java 8, explaining why it was not available on the main Java site.
As of October 27, Java 8 (update 25) is now available for general use, and can be obtained from the main Java site.
UPnP now being used for DDoS attacks
The troubled Universal Plug and Play protocol has a new problem: malicious hackers are increasingly using it as the basis for Distributed Denial of Service attacks.
UPnP is a set of protocols – intended to be used on home networks – that simplifies making connections between network-enabled devices. Unfortunately, misconfiguration often leaves UPnP devices visible on the Internet, giving intruders easy access.
Now, according to Internet content caching service provider Akamai, those exposed UPnP devices are being used for DDoS attacks. Specially-crafted requests are sent to such devices, so that replies from those UPnP devices are sent to the DDoS target, flooding it with traffic.
If you think you may have UPnP devices that are exposed to the Internet, or just want to make sure you don’t, head over to Steve Gibson’s ShieldsUp site. Click the Proceed button, then on the next page, click the big button labeled GRC’s Instant UPnP Exposure Test. After a moment or two, your results will be shown.
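The ShieldsUp test looks at a network from the outside; the script below shows what the same reflection pattern looks like from the inside, in flow records. It is an added example written for this post, not tooling from Akamai or GRC, and it runs over a few constructed NetFlow-style records rather than real telemetry. The property it keys on is the one described above: a small SSDP request (UDP port 1900) arrives from the Internet carrying the victim's spoofed source address, and a much larger reply leaves for that same address. So in the logs the "requester" and the flood target are one and the same host, and the bytes-out to bytes-in ratio is the amplification factor.

```python
import ipaddress
from collections import defaultdict

SSDP_PORT = 1900

# Address space we consider ours. On a home router this would also include
# the router's public WAN address, since that is where the requests land.
OUR_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample flow records (not real telemetry). Each record mimics a
# NetFlow/IPFIX export: addresses, ports, transport protocol, bytes carried.
FLOWS = [
    # Three small SSDP requests arriving from the Internet. The source is the
    # victim's address, spoofed by whoever is driving the attack.
    {"src": "203.0.113.5", "sport": 40001, "dst": "192.168.1.20", "dport": 1900, "proto": "udp", "bytes": 100},
    {"src": "203.0.113.5", "sport": 40001, "dst": "192.168.1.20", "dport": 1900, "proto": "udp", "bytes": 100},
    {"src": "203.0.113.5", "sport": 40001, "dst": "192.168.1.20", "dport": 1900, "proto": "udp", "bytes": 100},
    # The device's replies go back to the spoofed address, i.e. to the victim.
    {"src": "192.168.1.20", "sport": 1900, "dst": "203.0.113.5", "dport": 40001, "proto": "udp", "bytes": 3000},
    {"src": "192.168.1.20", "sport": 1900, "dst": "203.0.113.5", "dport": 40001, "proto": "udp", "bytes": 3000},
    {"src": "192.168.1.20", "sport": 1900, "dst": "203.0.113.5", "dport": 40001, "proto": "udp", "bytes": 3000},
    # Ordinary LAN discovery between two internal hosts: not a finding.
    {"src": "192.168.1.30", "sport": 1900, "dst": "192.168.1.10", "dport": 50123, "proto": "udp", "bytes": 300},
    # Unrelated outbound HTTPS: not SSDP at all.
    {"src": "192.168.1.20", "sport": 51000, "dst": "198.51.100.7", "dport": 443, "proto": "tcp", "bytes": 500},
]


def is_ours(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_NETS)


def summarize_ssdp(flows):
    """Per (our device, external peer): SSDP request bytes received from the
    peer and SSDP response bytes sent to it. Internal-only traffic is ignored."""
    stats = defaultdict(lambda: {"req_bytes": 0, "req_flows": 0, "resp_bytes": 0, "resp_flows": 0})
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] == SSDP_PORT and is_ours(f["dst"]) and not is_ours(f["src"]):
            s = stats[(f["dst"], f["src"])]
            s["req_bytes"] += f["bytes"]
            s["req_flows"] += 1
        elif f["sport"] == SSDP_PORT and is_ours(f["src"]) and not is_ours(f["dst"]):
            s = stats[(f["src"], f["dst"])]
            s["resp_bytes"] += f["bytes"]
            s["resp_flows"] += 1
    return dict(stats)


def find_reflection(flows, min_ratio=5.0):
    """Flag our devices that answer Internet-sourced SSDP, with the amplification
    they deliver to the peer. Any answer at all means the device is exposed;
    a ratio above min_ratio means it is useful as a DDoS reflector."""
    findings = []
    for (device, peer), s in summarize_ssdp(flows).items():
        if s["resp_bytes"] == 0:
            continue  # probed from outside but did not answer
        ratio = s["resp_bytes"] / max(s["req_bytes"], 1)
        findings.append({
            "device": device,
            "target": peer,
            "req_bytes": s["req_bytes"],
            "resp_bytes": s["resp_bytes"],
            "amplification": round(ratio, 1),
            "reflection": ratio >= min_ratio,
        })
    return sorted(findings, key=lambda x: -x["amplification"])


if __name__ == "__main__":
    for finding in find_reflection(FLOWS):
        print(finding)
```

The fix for a flagged device is the same as the page's advice: stop it answering UPnP on its Internet-facing side, which on most home routers means disabling UPnP entirely or at least on the WAN interface.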
Windows vulnerable to document-based attack
According to Microsoft, all versions of Windows except Windows Server 2003 are vulnerable to attacks based on a bug in OLE (Object Linking and Embedding).
Attacks exploiting this vulnerability would take the form of a specially-crafted PowerPoint document.
Microsoft has released a Fix It solution that can be used to close this hole until a proper patch is released. If you commonly receive PowerPoint documents from unknown sources, you are strongly encouraged to apply this fix or refrain from opening those documents.
SSL3 protocol compromised
SSL3 is one of the ways web sites encrypt data. It has theoretically been superseded by TLS, but in fact is still widely used.
Now researchers at Google have demonstrated that SSL3 encryption can be made to reveal supposedly secure information. The name they’ve given to the new attack is POODLE, an acronym for Padding Oracle On Downgraded Legacy Encryption. In any case, this technique has been verified, and now the race is on to mitigate the vulnerability of browsers and web servers worldwide. If you run a web server, and it supports SSL3, you should disable SSL3 as soon as possible.
A post on Microsoft’s MSRC security blog provides a brief overview of the problem from their perspective and points to security advisory 3009008. The advisory provides instructions for disabling SSL3 in Internet Explorer.
Anyone still using Internet Explorer 6 (why?) is going to have difficulty accessing secure web sites from this point forward, because IE6 requires SSL3 for secure web browsing, and administrators are now busily disabling SSL3 on their web servers.
More information:
- Duo Security – POODLE: A Critical Vulnerability in the SSL 3.0 Protocol
- Mozilla – The POODLE Attack and the End of SSL 3.0
Update 2014Dec11: A new variant of the POODLE attack targets TLS and apparently affects up to 10% of the world’s servers. Brian Krebs has more.
Update 2015Jan12: One of the SANS handlers posted a followup that looks in detail at assessing the actual risk of a POODLE attack. It turns out that the risk is actually fairly low.
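Disabling SSL3 on a web server comes down to one directive, but it is easy to get wrong because Apache's `all` keyword silently includes SSLv3 and older nginx releases enabled it by default. The script below is an added example written for this post, not part of nginx, Apache or any of the linked advisories; it audits constructed `ssl_protocols` (nginx) and `SSLProtocol` (Apache) lines, resolves what each one actually enables, and proposes the corrected directive. The Apache expansion of `all` to SSLv3 plus the TLS versions assumes an OpenSSL 1.0.1-era build with SSLv3 compiled in, which is what most servers were running when POODLE was published.

```python
import re

TLS_VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2"}
# Assumption: Apache's "all" expands to SSLv3 plus the supported TLS versions
# (OpenSSL 1.0.1-era build). SSLv2 is not part of "all", so "-SSLv2" alone
# changes nothing, which is exactly the mistake the audit is meant to catch.
APACHE_ALL = {"SSLv3"} | TLS_VERSIONS
CANON = {p.lower(): p for p in {"SSLv2", "SSLv3"} | TLS_VERSIONS}


def canon(token):
    """Normalise protocol names so 'sslv3' and 'SSLv3' compare equal."""
    return CANON.get(token.lower(), token)


def apache_protocols(args):
    """Evaluate an Apache SSLProtocol argument list left to right:
    'all' adds the whole set, '+X' or bare 'X' adds X, '-X' removes X."""
    enabled = set()
    for tok in args.split():
        if tok.lower() == "all":
            enabled |= APACHE_ALL
        elif tok.startswith("-"):
            enabled.discard(canon(tok[1:]))
        else:
            enabled.add(canon(tok.lstrip("+")))
    return enabled


def nginx_protocols(args):
    """nginx ssl_protocols is a plain list of what is enabled."""
    return {canon(tok) for tok in args.rstrip(";").split()}


# (directive pattern, parser, recommended replacement) per server type.
DIRECTIVES = {
    "apache": (re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.I),
               apache_protocols, "SSLProtocol all -SSLv3"),
    "nginx": (re.compile(r"^\s*ssl_protocols\s+(.+?);", re.I),
              nginx_protocols, "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;"),
}


def audit(config_text, server):
    """Return one finding per protocol directive found in the config text."""
    pattern, parse, fix = DIRECTIVES[server]
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = pattern.match(line)
        if not m:
            continue
        enabled = parse(m.group(1))
        sslv3 = "SSLv3" in enabled
        findings.append({"line": lineno, "enabled": sorted(enabled),
                         "sslv3": sslv3, "fix": fix if sslv3 else None})
    return findings


# Constructed configuration fragments: the weak form and its corrected form.
NGINX_WEAK = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
NGINX_FIXED = NGINX_WEAK.replace("SSLv3 TLSv1", "TLSv1")
APACHE_WEAK = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
"""
APACHE_FIXED = APACHE_WEAK.replace("-SSLv2", "-SSLv2 -SSLv3")

if __name__ == "__main__":
    for name, text, server in [("nginx weak", NGINX_WEAK, "nginx"),
                               ("nginx fixed", NGINX_FIXED, "nginx"),
                               ("apache weak", APACHE_WEAK, "apache"),
                               ("apache fixed", APACHE_FIXED, "apache")]:
        print(name, audit(text, server))
```

A config with no directive at all is not safe by omission: the server default then applies, which for Apache is `all` and for nginx releases before 1.9.1 also included SSLv3, so an empty result from `audit` should be read as "check the default for this version", not as a pass. After changing the directive, confirm from outside with a client that can still speak SSLv3 and verify the handshake is refused.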