Monthly Archives: September 2014

Apple patches OS X against Shellshock

If you’re a Mac user, you may have felt wrongfully left out of all the Shellshock kerfuffle over the past few days.

A lot of the talk about the bug has been Linux, Linux, Linux on servers, servers, servers.

Web servers are particularly at risk, because they often handle special functions such as searches using command scripts that are fed with data from external web requests.

For all you know, when you send a web request like this:

http://example.net/search?term=banana

you might very well be telling the server to run a special command in the background, such as:

/usr/local/bin/searchfor --database=website.index \
--searchword=banana

That command might be launched by the server using Bash.

And the server might set some helpful environment variables for the searchfor Bash script to have handy, such as:

USER_AGENT

GET_REQUEST

HTTP_REFERER

All of these would be populated with data sent in your original request.

So you could control not only when to run Bash, but also what was contained in some of its environment variables when it ran.

That’s most of what you need to exploit Shellshock.

So, with many web servers running Linux, and many Linux servers running Bash, it’s understandable that a lot of the Shellshock buzz has concentrated on this combination.

What about OS X?

Of course, Macs famously use Bash as their default command shell.

Yet most Macs aren’t running Linux, and aren’t servers.

So what about some Shellshock excitement for OS X users?

Here it is: Apple has pushed out an update entitled OS X bash Update 1.0.

So far, at least [2014-09-29T23:55Z], it doesn’t seem to be available via the Software Update… option in the Apple menu, so you will have to get it yourself:

When you’ve done the download, you’ll have a DMG (disk image) file called BashUpdateXxxx.dmg, where Xxxx is your operating system name, e.g. Mavericks:


Open the DMG and you will find a .pkg (installation package) file:


Double click it, give it an administrator password so it can change key system files, and you are done.

You can check that the update worked by opening a Terminal window and issuing the bash --version command:


See?

Geeky bugfixing fun isn’t just for Linux acolytes.
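The article above describes two things: how a web server hands request data (User-Agent, Referer and so on) to a Bash script through environment variables, and how to confirm the fix with bash --version. The script below is an added example, not code from the Sophos article and not Apple's update tooling. It pairs the article's version check with the widely published environment-function canary (a harmless "() { :;}" value followed by a trailing command; unpatched Bash ran that trailing command while importing the environment, patched Bash ignores it), and adds a screen over constructed Apache-style log lines so a server operator can spot request headers carrying that marker. All function names, the SS_CANARY variable and the sample log lines are constructed for this example; it runs only against the Bash binary on the machine where you execute it.

```shell
#!/bin/sh
# Added example (not part of the Sophos article, and not Apple's update tooling):
# a local self-check for the Bash environment-function bug plus a screen for the
# request-derived environment variables the article describes. Function names,
# the SS_CANARY variable and the sample log lines are constructed here.

# First line of `bash --version`, the check the article suggests after installing
# the update. Returns 2 when no bash binary is on PATH.
bash_version() {
    command -v bash >/dev/null 2>&1 || return 2
    bash --version | head -n 1
}

# Exit status: 0 = bash ignores the canary (patched), 1 = bash ran the trailing
# command (vulnerable), 2 = no bash binary found.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || return 2
    # Constructed canary: an empty function body followed by a trailing command.
    # Unpatched bash evaluated the whole value when importing the environment,
    # so VULNERABLE would appear in the output; patched bash prints only
    # "check done".
    out=$(env SS_CANARY='() { :;}; echo VULNERABLE' bash -c 'echo check done' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;
        *)            return 0 ;;
    esac
}

# A header value only interested the old importer if it started with the exact
# four characters "() {", which is how bash marked an exported function.
# Exit status 0 = suspicious, 1 = ordinary value.
header_is_suspicious() {
    case "$1" in
        '() {'*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed Apache combined-format lines: one ordinary Mac browser, one probe
# whose User-Agent field carries the function marker. 203.0.113.0/24 is a
# documentation address range, not a real client.
SAMPLE_LOG='203.0.113.7 - - [29/Sep/2014:10:01:12 +0000] "GET /cgi-bin/search?term=banana HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5)"
203.0.113.9 - - [29/Sep/2014:10:02:40 +0000] "GET /cgi-bin/search?term=banana HTTP/1.1" 200 512 "-" "() { :;}; echo probe"'

# Count log lines in which a quoted header field (Referer or User-Agent) opens
# with the marker. Prints the count; exit status mirrors grep (1 when no match).
count_suspicious_lines() {
    printf '%s\n' "${1:-$SAMPLE_LOG}" | grep -c '"() {'
}

# Stand-alone run: report the bash version, the canary result and the log screen.
main() {
    printf 'bash: %s\n' "$(bash_version || echo 'not installed')"
    rc=0
    shellshock_check || rc=$?
    case $rc in
        0) echo 'canary: ignored (patched)' ;;
        1) echo 'canary: executed (VULNERABLE, install the update)' ;;
        2) echo 'canary: skipped (no bash on PATH)' ;;
    esac
    printf 'suspicious log lines: %s\n' "$(count_suspicious_lines)"
}

main "$@"
```

On a Mac the system shell is /bin/bash, so command -v finds it without any extra setup; an updated machine reports the canary as ignored. The log screen is deliberately narrow (it keys on the literal "() {" prefix that the old importer required), so it finds probes of the kind the article describes rather than every odd User-Agent, and it is a detection aid, not a substitute for installing the update.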

 

Via: sophos

Apple Says Majority Of OS X Users Are Safe From Bash Exploits

Apple has issued a public statement in response to the so-called Shellshock vulnerability, assuring OS X users that for the most part, they’re safe from any potential attacks. An Apple spokesperson provided the following regarding the vulnerability, which affects bash, a Unix shell that’s part of Apple’s desktop OS:

The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.

You can find a guide regarding what you need to know about Shellshock to protect yourself, but as Apple notes here, in OS X you should be safe so long as you haven’t configured advanced access (which means probably most are okay). Apple will also issue an OS X update shortly to close the potential hole, so also just make sure you don’t go enabling any advanced UNIX options before that happens.

 

Via: techcrunch

Apple releases iOS 8.0.2 to quell buggy update complaints

In record time, Apple has released iOS 8.0.2 to resolve issues caused by a previous buggy update which frustrated iPhone 6 and iPhone 6 Plus users.

On Wednesday, iOS 8.0.1 was made available to Apple customers, but hours later the update was abruptly pulled by the tech giant. Complaints that the update interfered with cell phone service, and that it caused Touch ID (Apple’s fingerprint recognition technology) to no longer be recognized, prompted the action.

Upset over the troubled release was compounded since the issues seemed to only impact individuals with the new iPhone 6 and iPhone 6 Plus smartphones.

In a recent statement, Apple apologized to iPhone 6 and iPhone 6 Plus users for the faulty release, a Mashable report said. The statement also explained that iOS 8.0.2 “includes improvements and bug fixes originally in iOS 8.0.1,” as well as fixes for the reported technical concerns.

iOS 8.0.2 is available through an over-the-air (OTA) update, and includes fixes for cell network connectivity and Touch ID issues present in 8.0.1, along with HealthKit app availability issues (on the App Store) and third-party keyboard usability concerns.

Apple said that fewer than 40,000 users downloaded the buggy 8.0.1 update in the brief time it was available, but resounding endorsement of the 8.0.2 release by consumers is yet to be confirmed.

According to CNET, after updating to the new iOS, Reddit users in Australia took to the web to report Touch ID and cell services concerns identical to those brought on by 8.0.1.

Via: scmagazine

Three steps you need to take to avoid overreacting to the bash bug

The steps necessary to be effective in the wake of the frenzy: an executive plan of action that explains the problem and brings others into the response while protecting the business.

Despite the crush of information and demand for action over the latest bug affecting us, the sky isn’t falling. This isn’t the first, and it won’t be the last. While the shock and magnitude of the problem requires attention, the key is to guide the appropriate response. Ultimately, our ability to detect and respond accordingly must become as much a part of our fabric as the bias for prevention we’re pivoting from.

Describing each new discovery as dire quickly leads to a fatigue of our colleagues to the point where they tune out.

What happens when we really need them to pay attention and take action?

Before firing off an email about “the worst bug ever that affects everyone,” take a few minutes to consider an executive plan of action that generates the appropriate response while still maintaining the security of the organization.

Here are three steps to get started. Done right, these steps inform your ability to plan, decide, and act with confidence.

First, take a moment to understand

When it feels like everyone is calling for action, start with a deep breath. Take a moment to grasp the challenge, the severity, and potential consequences and impacts. The news and analysis will shift. New discoveries and understanding will advance. The context and the consequence typically gets clearer.

At this early stage, focus on gathering the information necessary to understand. More, consider these basic goals:

  • Get good information to make sure you understand the situation; sometimes this is hard while the initial analysis is happening, mixing hype in with solid insights. Rely on others and share the insights helping you.
  • Figure out how to explain it to others. This includes multiple audiences — anyone affected that needs to take action. That likely means the ability to ensure your team shares a common understanding, your colleagues understand, and you are prepared to brief executives.
  • Consider how your organization operates. Who needs to be involved? What processes and procedures need to be followed? What is the anticipated scale and speed of response needed?

By considering multiple perspectives, you gain time to review the early analysis and recommendations of others. It also means pulling in colleagues and including them in the process. No need to recreate the wheel. This is where we need to find and share good information, explanations, and recommended actions.

Given the likelihood of working with others (and across teams/platforms), the key is consistency and clarity of communication. Make the investment early in the process to overcome the friction in communication that complicates the remediation process.

Keep in mind that everyone is busy. Most are dealing with pressing concerns of their own. Coming to them with another emergency is adding more stress and complexity to their job. Just because we deem this more urgent than their current focus doesn’t mean they agree – or that we’re right.

Instead of shouting louder, consider how to make the case for action — in the context of the company and business outcomes — in a way that ensures everyone gets what they need.

Then quickly assess your environment

As with most newly discovered vulnerabilities, different ways of determining risk are coming forth. Manual checks lead to automated scans. Popular tools are updating their capabilities to look for this, too. Check with your vendors to see how they can help.

Conduct whatever inventory and assessment is available to you. It’s the one place where taking some action is generally better than waiting. Focus on understanding the magnitude of the potential risk. Use the assessment to help scale the response and put the entire effort into context for the organization.

Involve others in the process. Leverage their reach and experience to assess the potential range of impacts. When the business and other teams are exposed to the process and given a voice to explain what could go wrong, the conclusion is more accurate and holds more validity with others.

Take time to capture the high-level approach, steps, and resources necessary. Test out the steps and map out the time and effort necessary to provide an estimate of timeline, cost, and impact. Identify potential challenges and complicated elements to address.

Consider detection when prioritizing your response

While news of the bug surfaced this week, it’s possible that attackers have already exploited it. Are you able to detect if someone has compromised a machine using the vulnerability (as opposed to reporting the potential)?

Now that we’ve moved past prevention, the spotlight shines on detection and response. In the event an attacker managed to exploit the bash bug – regardless of when – you need to know. It is essential to detect them as quickly as possible and remediate those machines.

Ultimately, the priority of the response is governed by a blend of vulnerable systems, infected machines, and the policies/processes that dictate testing and patch management. Focus on the most important systems first, and systematically address the balance.

What actions are providing you the best results?

Remember that “slow is smooth, smooth is fast” when considering and coordinating the appropriate response to a broad industry-wide challenge.

Start to finish, forming an executive plan of action might take a few hours, possibly a day or two. Taking the time to work through these three steps reduces the friction in communication that often hampers the response. That leads to a faster remediation. 

Where are you finding good insights, information, and tools that are helping you explain the challenge — and the solution — to others? Share the links and elements you like in the comments to help others improve their responses.

Via: csoonline

Shellshock: ‘Deadly serious’ new vulnerability found

A “deadly serious” bug potentially affecting hundreds of millions of computers, servers and devices has been discovered.

The flaw has been found in a software component known as Bash, which is a part of many Linux systems as well as Apple’s Mac operating system.

The bug, dubbed Shellshock, can be used to remotely take control of almost any system using Bash, researchers said.

Some experts said it was more serious than Heartbleed, discovered in April.

“Whereas something like Heartbleed was all about sniffing what was going on, this was about giving you direct access to the system,” Prof Alan Woodward, a security researcher from the University of Surrey, told the BBC.

“The door’s wide open.”

Some 500,000 machines worldwide were thought to have been vulnerable to Heartbleed. But early estimates, which experts said were conservative, suggest that Shellshock could hit at least 500 million machines.

The problem is particularly serious given that many web servers are run using the Apache system, software which includes the Bash component.

Patch immediately

Bash – which stands for Bourne-Again SHell – is a command prompt on many Unix computers. Unix is an operating system on which many others are built, such as Linux and Mac OS.

The US Computer Emergency Readiness Team (US-Cert) issued a warning about the bug, urging system administrators to apply patches.

However, other security researchers warned that the patches were “incomplete” and would not fully secure systems.

Of particular concern to security experts is the simplicity of carrying out attacks that make use of the bug.

Shellshock rates a 10 on the scale of vulnerabilities. As bugs go, it’s about as bad as it gets.

Except that the last big bad bug, Heartbleed, rated an 11, according to one expert.

That should mean Shellshock isn’t as bad. Right?

Maybe. It’s too early to tell.

With Heartbleed, more work had been done by the folks that found it so it was easier to estimate who was at risk. There were lots of big targets, many of which had large user populations.

With Shellshock, the sheer number of potential victims is higher. And we do know that an exploit has been produced and some folks are scanning sites to see which are vulnerable to attacks based around that code.

So far, what’s keeping servers safe is the fact that cyber thieves are lazy and tend to copy what has already worked. Finding exploits is specialised, hard work so they only tend to pile in once that appears. With that code already in circulation, the early news about Shellshock may just be the first tremor of a much bigger quake.


Cybersecurity specialists Rapid7 rated the Bash bug as 10 out of 10 for severity, but “low” on complexity – a relatively easy vulnerability for hackers to capitalise on.

“Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, et cetera,” said Tod Beardsley, a Rapid7 engineer.

“Anybody with systems using Bash needs to deploy the patch immediately.”

Security firms have suggested that there is evidence Shellshock is being used by hackers.

“The vulnerability has already been used for malicious intentions – infecting vulnerable web servers with malware, and also in hacker attacks,” said Kaspersky Labs.

“Our researchers are constantly gathering new samples and indications of infections based on this vulnerability.”

For general home users worried about security, Prof Woodward suggested simply keeping an eye on manufacturer websites for updates – particularly for hardware such as broadband routers.

Free questions

The new bug has turned the spotlight, once again, onto the reliance the technology industry has on products built and maintained by small teams often made up of volunteers.

Heartbleed was a bug related to open source cryptographic software OpenSSL. After the bug became public, major tech firms moved to donate large sums of money to the team responsible for maintaining the software.

Similarly, the responsibility for Bash lies with just one person – Chet Ramey, a developer based at Case Western Reserve University in Ohio.

That such key parts of everyday technology are maintained in this way is a cause for concern, said Tony Dyhouse from the UK’s Trustworthy Security Initiative.

“To achieve a more stable and secure technology environment in which businesses and individuals can feel truly safe, we have to peel back the layers, start at the bottom and work up,” he said.

“This is utterly symptomatic of the historic neglect we have seen for the development of a dependable and trustworthy baseline upon which to develop a software infrastructure for the UK.

“Ultimately, this is a lifecycle problem. It’s here because people are making mistakes whilst writing code and making further mistakes when patching the original problems.”

 

Via: bbc

Mozilla fixes “phishing friendly” cryptographic bug in Firefox and Thunderbird

Here’s a quick note about an important issue!

Mozilla has patched a bug in its cryptographic library, NSS.

NSS stands for Network Security Services, used by Mozilla products such as Firefox (web browsing), Thunderbird (email) and SeaMonkey (both).

All these products have now been patched, including the Firefox Extended Support Release (ESR) versions.

→ As far as I am aware, Google’s Chrome and Chromium browsers, as well as Opera, also use NSS.

The bug is rated “critical” because it deals with the validation of digital signatures in TLS connections.

TLS (Transport Layer Security), often also known by its old name of SSL (Secure Sockets Layer), is the cryptographic protocol that puts the S in HTTPS.

When you use HTTPS, it’s not just confidentiality you are after, but also integrity (to stop a crook fiddling with the message in transit) and authenticity (to stop a crook claiming to be your bank).

Without certificate validation, you could easily end up conducting a totally secure and unsniffable interaction…

…with a complete imposter.

Unfortunately, this recently-patched NSS vulnerability affects digital signature verification in all the above mentioned products.

Phishing HTTPS logins

Remember that crooks who have hacked into your Wi-Fi access point – at your local coffee shop, for instance – could sneakily redirect any of your HTTPS logins to phishing sites instead.

Usually, however, the crooks can’t present a digital certificate to vouch for the fake site they have drawn you into.

Sometimes, the crooks avoid the need for digital certificates altogether by dropping back to a plain old HTTP site that doesn’t use encryption at all.

You should be able to spot this sort of ruse due to the absence of any security indicators in the address bar of your browser.


Or the crooks could present a TLS certificate that claims to be from your bank, but which isn’t vouched for by any recognised certificate authority.

You should be able to spot this sort of ruse due to an “untrusted connection” warning from your browser.


But if there’s a cryptographic vulnerability that can be exploited to make a bogus digital certificate seem valid, then the crooks may be able to redirect you to an imposter site without raising any alarms.

And that could lead to the digital theft of your personal information, including usernames and passwords.

Get the latest update

If you have a software product (e.g. Firefox) that uses NSS, make sure you’ve got the latest update; for Mozilla software, that means (at 2014-09-24T23:45Z):

  • Firefox 32.0.3
  • Firefox ESR 24.8.1
  • Firefox ESR 31.1.1
  • Thunderbird 31.1.2
  • Thunderbird 24.8.1
  • SeaMonkey 2.29.1

For what it’s worth, I’m using Firefox 32 on OS X, and the update was so small I didn’t get time to read its size during the download.

Applying the update was quick: less than a second to download the patch, and a few more seconds to restart the browser process.

So my recommendation is, “Just do it.”



Via: sophos

Karma Rolls Out An LTE Version Of Its Pay-As-You-Go Mobile Hotspot, Pre-Order For $99


Karma, makers of the small, portable Wi-Fi hotspot that lets you pay-as-you-go, contract free, for the data you use ($14/1 GB), is now accepting pre-orders for its latest device, the Karma Go portable LTE Wi-Fi hotspot. The new device, which also supports up to 8 concurrent users, runs on Sprint’s Nationwide 4G LTE network, with fallback to 3G CDMA.

Before, the device ran on Sprint’s 4G WiMAX network (previously known as Clearwire). Now that the company has switched to LTE, the Karma Go provides users with broader coverage.

The new device maintains its lilliputian size, at 2.59″ x 2.59″ x .47″, so it easily slides into your pocket. It also offers up to 220 hours of battery life in standby mode, or 5 hours during use with upload speeds of 2-3 Mb/s and download speeds of 6-8 Mb/s.


As before, the data you purchase to use with Karma never expires, allowing you a true pay-as-you go experience without having to commit to a contract. That makes the device ideal for the occasional business traveler, for example, or anyone who doesn’t like getting stuck without an internet connection.

In addition, what really makes the company unique is its philosophy around Wi-Fi sharing. Unlike with the mobile hotspots sold by mobile operators, Karma users are encouraged – and incentivized – to share their connection by earning free data for doing so. When a Karma hotspot is powered on, it broadcasts a signal like “Free Wi-Fi by Karma,” and when others connect to it they’re prompted to log in with their own Karma account or create a new one. After doing so, both the sharer and recipient earn 100 MB of free data.

You can also save on data fees by purchasing data in bulk. For example, if you buy 10 GB, the cost comes down to $9.90/GB.

The new Karma Go is available on pre-order for $99, though it will eventually retail for $149. Current Karma customers can also receive an additional discount for upgrading. The devices will ship in December.


 

Via: techcrunch

GiveADay to link charities to vital cyber security skills

Up to 100 legal, IT, cyber security and privacy professionals have committed to give a day to help charities in all aspects of information security and data privacy.

Charities including Great Ormond Street Hospital, Future First and Cancer Research have signed up to the non-profit GiveADay scheme prior to its official launch on 9 October 2014.

The launch will include introductory sessions on best practice in information security and data protection at IP Expo Europe in London.

According to GiveADay, UK charities hold personal and sensitive information on three in four people.

Although charities face the same challenges and obligations to protect that information as many commercial organisations, they typically lack the same level of budget, resources and expertise.

The GiveADay campaign to help redress this imbalance is supported by the Security4Charity.com platform that enables professionals to donate their time to help charities with their cyber security issues.

GiveADay will then match an appropriately skilled and available professional with a charity, based on that organisation’s specific requirements.

Volunteers who have signed up so far include Andrzej Kawalec, CTO of HP, who joins the GiveADay advisory board.

Other advisory board members include Edward Tucker, head of cyber security at HM Revenue & Customs; Brian Honan of BH Consulting; and Neira Jones, an independent security advisor.

Media consultants Jim Shields from Twist&Shout and Neil Stinchecombe from Eskenzi PR are also on the advisory board and have committed support and sponsorship to the campaign.

“Charities are in a particularly vulnerable position – they hold a lot of sensitive data on both their service users and their donors,” said Amar Singh, GiveADay co-founder and privacy and security executive.

“In addition, they are still subject to the same fines from the ICO [Information Commissioner’s Office] as any other company, and are subject to far more rigorous requirements to report a breach.

“We want to support charities to protect the vast quantities of sensitive data they hold with professional advice and training,” said Singh.

Ian Chivers, director of finance and operations for the Great Ormond Street Hospital Children’s Charity, said information security has always been, and continues to be, a big focus.

“The GiveADay movement sounds like a great way to achieve greater focus across the sector and collectively pool our knowledge and experience,” he said.

“Our members – service users and supporters alike – trust us with a lot of their personal data. Protecting their private information is of utmost importance to us and we are delighted that the UK’s best talent are willing to help us with this, via the GiveADay movement,” said Chivers.

 Martyn Croft and Brian Shorten, co-founders of the Charities Security Forum (CSF), have welcomed this new initiative to bring information security professionals and charities closer together.

“The Charities Security Forum was founded in 2007 to recognise and support the individuals who carry the responsibility for information security in the third sector,” said Croft.

“For GiveADay to facilitate easy access to freely given expertise in this way is a fantastic opportunity for all charities to further enhance the information security so essential in their work,” he said.

 

Another great option and organization to check into is: hackersforcharity

 

Via: computerweekly

Verizon Will Be Getting iPhone 6-Friendly Wi-Fi Calling In 2015

A quick update for those trying to figure out which carriers will/won’t support the iPhone 6’s Wi-Fi calling feature anytime soon: T-Mobile is a go. AT&T will get it in 2015. Now Verizon is pledging to support it next year, too.

Word of the new feature comes from Verizon CFO Fran Shammo who mentioned it at a conference this morning — but not before taking the opportunity to take a not-so-subtle jab at T-Mobile for rushing to play up their support for it.

FierceWireless quotes him here:

“We built our voice platform so extensively that there was never a need for us to tell our customers, ‘Oh, our network is not good enough so you need to go on Wi-Fi to complete your call.'”

So WTF is Wi-Fi calling, and why should you care?

In short: Wi-Fi calling lets you place calls/send texts as you normally would, except it all runs over any Wi-Fi network you’ve got access to rather than your cell carrier’s towers. Even if you leave Wi-Fi-range mid-call, the call will just transition right over to the cell network (implementing that bit, as it happens, is a good chunk of why most carriers can’t flip the switches and claim iOS Wi-Fi calling support right this second).

And as an added bonus: Depending on your carrier’s policies, Wi-Fi calls often don’t count against your monthly minutes.

If your coverage is consistently solid, it might not be a huge thing for you. If you consistently find yourself dropping calls at your home, or work, or any other place you’ve got Wi-Fi, though, it’s a damned killer feature — though not one that is at all exclusive to iPhone. With all of the carriers now moving to support it following the iPhone 6 launch (and T-Mobile requiring it in all new phones they sell), I’d expect it to be a standard feature within two years.

 

Via: techcrunch

New Apple encryption locks out police from iPhones, iPads

Apple said that it is making it impossible for the company to turn over data from most iPhones or iPads to police — even when they have a search warrant — taking a hard new line as tech companies attempt to blunt allegations that they have too readily participated in government efforts to collect user data.

The move, announced with the publication of a new privacy policy tied to the release of Apple’s latest mobile operating system, iOS 8, amounts to an engineering solution to a legal quandary: Rather than comply with binding court orders, Apple has reworked its latest encryption in a way that makes it almost impossible for the company — or anyone but the device’s owner — to gain access to the vast troves of user data typically stored on smartphones or tablet computers.

The key is the encryption that Apple mobile devices automatically put in place when a user selects a passcode, making it difficult for anyone who lacks that passcode to access the information within, including photos, e-mails, and recordings. Apple once kept possession of encryption keys that unlocked devices for legally binding police requests, but will no longer do so for iOS 8, it said in a new guide for law enforcement.

“Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data,” Apple said on its website. “So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

As the new operating system becomes widely deployed over the next several weeks, the number of iPhones and iPads that Apple is capable of breaking into for police will steadily dwindle to the point when only devices several years old — and incapable of running iOS 8 — can be cracked by Apple.

Apple will still have the ability — and the legal responsibility — to turn over user data stored elsewhere, such as in its iCloud service, which typically includes backups of photos, videos, e-mail communications, music collections, and more. Users who want to prevent all forms of police access to their information will have to adjust settings in a way that blocks data from flowing to iCloud.

Apple’s action comes less than five months after the Supreme Court ruled that police in most circumstances need a search warrant to collect information stored on phones. Apple’s action makes that distinction largely moot by depriving itself of the power to comply with search warrants for the contents of many of the phones it sells.

The move is the latest in a series in which Apple has sought to distinguish itself from competitors through more rigorous security.

Though the company’s security took a publicity hit with the leak of intimate photos of celebrities from their Apple accounts in recent weeks, the move to block police access to the latest iPhones and iPads will thrill privacy activists and frustrate law enforcement officials, who have come to rely on the extensive evidence often found on personal electronic devices.

 

Via: bostonglobe