The analysis allowed us to work on mistakes and give a series of recommendations for IT experts who service medical infrastructure.
The two bugs, a buffer overflow and use-after-free vulnerability, were reported by Google Project Zero’s Ian Beer and were patched in iOS 10.2.1 and macOS Sierra 10.12.3. A critical libarchive buffer overflow vulnerability, CVE-2016-8687, was also patched in iOS and macOS Sierra. “Unpacking a maliciously crafted archive may lead to arbitrary code execution,” Apple said. Apple also patched 11 vulnerabilities in the iOS implementation of WebKit, a half-dozen of which lead to arbitrary code execution, while three others attackers could abuse with crafted web content to exfiltrate data cross-origin. Many of the same Webkit vulnerabilities were also patched in Safari, which was updated to version 10.0.3. Rounding out the iOS update, Apple patched a flaw in Auto Unlock that could unlock when Apple Watch is off the user’s wrist, along with an issue that could crash the Contacts application, and another Wi-Fi issue that could show a user’s home screen even if the device is locked. The macOS Sierra update also patched code execution vulnerabilities in other components, including its Bluetooth implementation and Graphics Drivers (code execution with kernel privileges), Help Viewer, and the Vim text editor. The Safari update also patched a vulnerability in the address bar, CVE-2017-2359, that could be exploited if visiting a malicious website, allowing an attacker to spoof the URL. tvOS was updated to version 10.1.1, and the same kernel, libarchive and webkit vulnerabilities present in iOS were patched in the Apple TV OS (4th generation). The watchOS update, 3.1.3, was a sizable one as well with patches for 33 CVEs, including 17 code execution vulnerability. The iCloud for Windows 6.1.1 update, for Windows 7 and later, also patched four Webkit vulnerabilities addressed in other product updates, all off which lead to arbitrary code execution.
In some cases, those certificates made it possible to spoof protected HTTPS-protected websites. One of the most fundamental requirements Google and other major browser developers impose on CAs is that they issue certificates only to people who verify the rightful control of an affected domain name or company name. On multiple occasions last year and earlier this month, the Symantec-owned CAs issued 108 credentials that violated these strict industry guidelines, according to research published Thursday by Andrew Ayer, a security researcher and founder of a CA reseller known as SSLMate.
These guidelines were put in place to ensure the integrity of the entire encrypted Web. Nine of the certificates were issued without the permission or knowledge of the affected domain owners.
The remaining 99 certificates were issued without proper validation of the company information in the certificate. Many of the improperly issued certificates—which contained the string "test" in various places in a likely indication they were created for test purposes—were revoked within an hour of being issued.
Still, the move represents a major violation by Symantec, which in 2015 fired an undisclosed number of CA employees for doing much the same thing. Even when CA-issued certificates are discovered as fraudulent and revoked, they can still be used to force browsers to verify an impostor site.
The difficulty browsers have in blacklisting revoked certificates in real-time is precisely why industry rules strictly control the issuance of such credentials.
There's no indication that the unauthorized certificates were ever used in the wild, but there's also no way to rule out that possibility, however remote it is. "Chrome doesn't [immediately] check certificate revocation, so a revoked certificate can be used in an attack just as easily as an unrevoked certificate," Ayer told Ars. "By default, other browsers fail open and accept a revoked certificate as legitimate if the attacker can successfully block the browser from contacting the revocation server." ("Fail open" is a term that means the browser automatically accepts the certificate in the event the browser can't access the revocation list.) The nine certificates issued without the domain name owners' permission affected 15 separate domains, with names including wps.itsskin.com, example.com, test.com, test1.com, test2.com, and others.
Three Symantec-owned CAs—known as Symantec Trust Network, GeoTrust Inc., and Thawte Inc.—issued the credentials on July 14, October 26, and November 15.
The other 99 certificates were issued on many dates between October 21 and January 18.
In an e-mail, a Symantec spokeswoman wrote: "Symantec has learned of a possible situation regarding certificate mis-issuance involving Symantec and other certificate authorities. We are currently gathering the facts about this situation and will provide an update once we have completed our investigation and verified information." This is the second major violation of the so-called baseline requirements over the past four months.
Those requirements were mandated by the CA/Browser Forum, an industry group made up of CAs and the developers of major browsers that trust them.
In November, Firefox recommended the blocking of China-based WoSign for 12 months after that CA was caught falsifying the issuance date of certificates to get around a prohibition against use of the weak SHA1 cryptographic hashing algorithm. Other browser makers quickly agreed. Ayer discovered the unauthorized certificates by analyzing the publicly available certificate transparency log, a project started by Google for auditing the issuance of Chrome-trusted credentials. Normally, Google requires CAs to report only the issuance of so-called extended validation certificates, which offer a higher level of trust because they verify the identity of the holder, rather than just the control of the domain.
Following Symantec's previously mentioned 2015 mishap, however, Google required Symantec to log all certificates issued by its CAs. Had Symantec not been required to report all certificates, there's a strong likelihood the violation never would have come to light.
There are even some declarations that this might be the year, or at least ought to be the year, that it happens. Don’t hold your breath.
Brett McDowell, executive director of the FIDO (Fast IDentity Online) Alliance, is as passionate an advocate of eliminating passwords as anyone. He says that day is coming, given the creation of a, “new generation of authentication technology” largely based on biometrics, and a “massive collaboration among hundreds of companies” to define standards for that technology. The goal of FIDO, a nonprofit created in 2012, is to supplant passwords with what it calls, “an open, scalable, interoperable set of mechanisms,” for secure authentication. But McDowell said last fall, and said again this past week that passwords will, “have a long tail,” that is unlikely to disappear anytime soon – certainly not this year. There are a number of reasons for that, even though the security problems with passwords are well known and well documented.
As Phil Dunkelberger, CEO of Nok Nok Labs, put it, “the username and password paradigm is fundamentally broken.
It was never designed for, and is inherently incapable of addressing, the use cases of modern society. “ Brett McDowell, executive director, FIDO Alliance And of course it is not just technology that has made it easier for attackers to compromise them. Users frequently make it ridiculously easy as well.
They use short, simple passwords that wouldn’t even take a machine to guess – like “admin,” “password,” “12345,” etc.
They continue to use the same user name and password for multiple sites, since they know they won’t be able to remember a couple dozen of them. The latest Verizon Data Breach Incident Report (DBIR) found that 63 percent of all data breaches involved the use of stolen, weak or default passwords. And even if users do have somewhat rigorous passwords, far too many can still be tricked into giving them away through social engineering attacks. Yet, passwords are such an embedded part of authentication systems – most popular websites still use them – that, as McDowell said, it will take considerable time for them to disappear. Or as Scott Simkin, senior group manager, threat intelligence cloud & security subscriptions at Palo Alto Networks, put it, “We have decades of legacy systems and behavior to change, and it will take years for the industry to catch up.” Joe Fantuzzi, CEO, RiskVision Beyond that, there are at least some in the security community who say we should be careful what we wish for.
They note that cyber criminals have always found a way around every advance in security.
So while biometric credentials – fingerprints, iris scans, voice recognition etc. – are much tougher to compromise than passwords, they may not be a magic bullet.
And if attackers can find ways to steal or spoof them, those will obviously be much more difficult to change or update than a password. Indeed, there have already been multiple reports of biometric spoofing.
FireEye reported more than a year ago that fingerprint data could be stolen from Android devices made by Samsung, Huawei, and HTC because, “the fingerprint sensor on some devices is only guarded by the ‘system’ privilege instead of root, making it easier to target and quietly collect the fingerprint data of anyone who uses the sensor.” The Japan Times reported earlier this month that a team at Japan’s National Institute of Informatics (NII) found that a good digital image of people simply flashing the peace sign could result in their fingerprint data being stolen. Researchers have reported that a high-resolution image of a person’s eyes can allow an attacker to make a ”contact lens” of the iris that would pass as the real thing for authentication. And there have already been demonstrations that a manipulated recording of a person’s voice can trick authentication systems. Advocates of biometric authenticators don’t deny any of this, but say one key to their successful use is for the data from them to stay on user devices only, as is the case with Apple’s Touch ID.
As McDowell notes, one of the many problems with passwords is that they are “shared secrets” – they exist not only on users’ devices, but also have to be given to a website’s server, which then matches them with what is stored in its database. When such a server gets compromised, millions of passwords get stolen at the same time, through no fault of the user. Zohar Alon, Co-Founder and CEO of Dome9 According to McDowell, the risk of biometric spoofing is “infinitesimal” compared to that of passwords. Since the biometric credential data never leaves the device, “the attacker must steal the phone or computer even to attempt an attack,” he said. “This doesn’t scale, and is therefore not viable for financially-motivated attackers.” James Stickland, CEO of Veridium, agreed. “You can purchase a kit from China for $10 to copy and extract a fingerprint.
This has been shown to work on fingerprint sensors from Touch ID to the device used for the Indian government, and is a problem for almost all but the most expensive sensors,” he said. “But this is a problem only when an attacker has access to the user’s device, so the time window for attack is pretty low.” Of course, not all biometrics remain only on the user device.
Some, such as the fingerprints of millions of people who work, or have worked, for government or that are taken by law enforcement, will be stored on servers. Joe Fantuzzi, CEO of RiskVision, said this might lead to the same risks that plague the healthcare industry, because of its storage of patient data. “Incorporating customer biometric information will essentially make all companies lucrative targets for attacks and ransomware,” he said. But those advocating the “death” of passwords say the other key to secure authentication is what security professionals have been preaching for years: multi-factor authentication. In other words, they are not trying to mandate that biometrics be the sole replacement for passwords.
Dunkelberger, who said the FIDO Alliance is using the authentication technology his firm created, said the core idea, “isn’t to replace passwords with biometrics, but rather to replace passwords with a strong, secure signal of any kind.” McDowell agreed. He said many FIDO implementations do use biometrics for authentication, but that the specifications are “technology agnostic.” It is implementers, he said, who decide what mechanisms it will support.
It could be, “a local PIN code for user verification vs. biometrics if you prefer.” He said FIDO specifications, “allow the use of authenticators built into a device, such as biometrics or a PIN, and/or external, second-factor authenticators, such as a token or a wearable.” The message from Stickland is similar. “The only current defense is multifactor authentication, using two or more biometrics – for example, fingerprint and face, or voice.
At the very least fingerprint plus a long, randomized PIN would be good.” He said his firm created an authentication tool that, “uses a combination of hardware, secure certificates, biometrics, and other information to validate not only the biometric, but every communication between a remote device and a server, basically verifying that not only is the user valid, but the hardware the user is using is also valid.” Simkin also said multifactor authentication, “of which there are many options available today,” should be used, “for all critical resources and applications.
The more time and resources you require attackers to expend, the lower the chances of a successful breach.” Stephen Stuut, CEO of Jumio, said organizations will still have to balance security with convenience, since “friction” in the process of signing on to a site may cause users simply to give up on it. “Companies should focus less on one single technology but rather on the correct combination that meets their business requirements and customer needs,” he said. “Adding too many steps to the process may increase session abandonment, especially on mobile, where attention spans are short.” All of which sounds like, passwords could for some time remain as a part of multi-factor authentication: Something you know, something you have and something you are. Zohar Alon, Co-Founder and CEO of Dome9, said he doesn’t think they will ever disappear. “They remain one of the simplest means of proving identity and gaining access,” he said. “We can design better security with multiple factors of authentication and authorization that are not correlated with each other, that cannot be compromised all at once.” But Stickland said he believes they will eventually become obsolete. “Passwords are painful. We forget them, they are stolen, it’s time consuming to reset them.
At some point, new technology will win.” This story, "Passwords: A long goodbye" was originally published by CSO.
Tony Evans from Wick Hill (part of the Nuvias Group) highlights the risks of Wi-Fi and provides some advice for delivering a secure hotspot
The fact that Wi-Fi stands for Wireless Fidelity hints at how long Wi-Fi has been around, but it was only in 1999 that the Wi-Fi Alliance formed as a trade association to hold the Wi-Fi trademark, under which most products are sold.
Today, Wi-Fi is on the top of the list of must-haves for businesses of all types and sizes. People will simply vote with their feet if good and, usually free, Wi-Fi is not available.
But this demand for anytime, anyplace connectivity can mean that some of us are prepared to jump onto Wi-Fi hotspots at cafes, hotel, airports or company guest networks, with only a fleeting consideration of security – a fact that has not gone unnoticed by cyber criminals.
There are over 300,000 videos on YouTube alone explaining how to hack Wi-Fi users with tools easily found online.
Risks from unprotected Wi-Fi:
Wi-Fi Password Cracking
Wireless access points that still use older security protocols such as WEP, make for easy targets because these passwords are notoriously easy to crack. Hotspots that invite us to log in by simply using social network credentials are increasingly popular, as they allow businesses to use demographic information such as age, gender and occupation to target personalised content and advertisements.
Without encryption, Wi-Fi users run the risk of having their private communications intercepted, or packet sniffed, by cyber snoops while on an unprotected network.
Cyber criminals can set up a spoof access point near your hotspot with a matching SSID that invites unsuspecting customers to log in leaving them susceptible to unnoticed malicious code injection.
In fact, it is possible to mimic a hotspot using cheap, portable hardware that fits into a backpack or could even be attached to a drone.
There are common hacking toolkits to scan a Wi-Fi network for vulnerabilities, and customers who join an insecure wireless network may unwittingly walk away with unwanted malware.
A common tactic used by hackers is to plant a backdoor on the network, which allows them to return at a later date to steal sensitive information.
Joining an insecure wireless network puts users at risk of losing documents that may contain sensitive information.
In retail environments, for example, attackers focus their efforts on extracting payment details such as credit card numbers, customer identities and mailing addresses.
Inappropriate and Illegal Usage
Businesses offering guest Wi-Fi risk playing host to a wide variety of illegal and potentially harmful communications.
Adult or extremist content can be offensive to neighbouring users, and illegal downloads of protected media leave the businesses susceptible to copyright infringement lawsuits.
As the number of wireless users on the network grows, so does the risk of a pre-infected client entering the network. Mobile attacks, such as Android’s Stagefright, can spread from guest to guest, even if the initial victim is oblivious to the threat.
There are established best practices to help secure your Wi-Fi network, alongside a drive, from companies such as WatchGuard, to extend well-proven physical network safeguards to the area of wireless, providing better network visibility to avoid blind spots.
Implementing the latest WPA2 Enterprise (802.1x) security protocol and encryption is a must, while all traffic should, at a minimum, be inspected for viruses and malware, including zero day threats and advanced persistent threats.
Application ID and control will monitor and optionally block certain risky traffic, while web content filtering will prevent unsuspecting users from accidentally clicking a hyperlink that invites exploitation, malware and backdoors to be loaded into your network.
The use of strong passwords, which are changed frequently, should be encouraged, along with regular scanning for rogue Access Points (APs) and whitelisting MAC addresses, when possible.
WatchGuard’s latest cloud-managed wireless access points also have built-in WIPS (Wireless Intrusion Prevention System) technology to defend against unauthorised devices, rogue APs and malicious attacks, with close to zero false positives.
While WIDs (Wireless Intrusion Detection Systems) are common in many Wi-Fi solutions, WIDs require manual intervention to respond to potential threats.
This may be OK for large organisations with IT teams that can manage this, however WIPs is a fully-automated system, which makes it far more attractive to SMEs and organisations such as schools and colleges.
Using patented, Marker Packet wireless detection technology, WatchGuard WIPS differentiates between nearby external access points and rogue access points.
If a rogue access point is detected, all incoming connections to that access point are instantly blocked. WIPS also keeps a record of all clients connecting to the authorised access points, so if a known device attempts to connect to a malicious access point, the connection is instantly blocked. WIPS will also shut down denial-of-service attacks by continuously looking for abnormally high amounts of de-authentication packets.
Wi-Fi as a marketing tool
While Wi-Fi networks have traditionally been viewed as part of the IT infrastructure and the responsibility of the IT department, the latest Wi-Fi systems deliver more than just connectivity, which makes them an attractive proposition for customer services and marketing departments.
For example, the WatchGuard Wi-Fi Cloud provides visibility into marketing data, including insights into footfall and customer demographics and also makes it possible to have direct communication with individual customers in the form of SMS, MMS or social networks.
And with customised splash pages, businesses can personalise the customer Wi-Fi experiences by offering promotional opportunities or surveys and promoting all-important branding.
It is clear that Wi-Fi is here to stay and is becoming much more than simply a way to get online. While the rapid speed of Wi-Fi adoption has led to a disconnect between physical and wireless security, this is now changing and there is no longer any excuse for providing insecure Wi-Fi.
About Wick Hill
Established in 1976, value added distributor Wick Hill specialises in secure IP infrastructure solutions.
The company sources and delivers best-of-breed, easy-to-use solutions through its channel partners, with a portfolio that covers security, performance, access, networking, convergence, storage and hosted solutions.
Wick Hill is particularly focused on providing a wide range of value-added support for its channel partners.
This includes strong lead generation and conversion, technical and consultancy support, and comprehensive training. Wick Hill has its headquarters in the UK and offices in Germany and Austria. Wick Hill also offers services to channel partners in fourteen EMEA countries and worldwide, through its association with Zycko, as part of Nuvias Group, the pan-EMEA, high value distribution business, which is redefining international, specialist distribution in IT.
The research revealed it would also theoretically be possible that such a vulnerability could present an entry point to the wider network, including the aircraft controls domain. “I’ve been afraid of flying for as long as I can remember,” said Santamarta. “It might sound like a sick cure to some but, as a hacker, learning everything I could about how planes work, from the aerodynamics to electronics, has reduced the fear significantly. On a 2014 flight from Warsaw to Dubai, I discovered I could access debug codes directly from a Panasonic inflight display.
A subsequent internet search allowed me to discover hundreds of publicly available firmware updates for multiple major airlines, which was quite alarming. Upon analysing backend source code for these airlines and reverse engineering the main binary, I’ve found several interesting functionalities and exploits.” IFE system vulnerabilities identified by Santamarta might most straightforwardly be exploited to gain control of what passengers see and hear from their in-flight screen, he claimed.
For example, an attacker might spoof flight information values such as altitude or speed, or show a bogus route on the interactive map.
An attacker might also compromise the "CrewApp" unit, which controls PA systems, lighting, or even the recliners on first class seating.
If all of these attacks are applied at the same time, a malicious actor may create a baffling and disconcerting situation for passengers.
Furthermore, the capture of personal information, including credit card details, is also technically possible due to backend systems that sometimes provide access to specific airlines’ frequent-flyer/VIP membership data, said the researcher. Aircraft's data networks are divided into four domains, depending on the kind of data they process: passenger entertainment, passenger-owned devices, airline information services, and finally aircraft control.
Avionics is usually located in the Aircraft Control domain, which should be physically isolated from the passenger domains; however, this doesn’t always happen.
This means that as long as there is a physical path that connects both domains, there is potential for attack.
The specific devices, software and configuration deployed on the target aircraft would dictate whether an attack is possible or not.
Santamarta urged airlines to steer towards a cautious course. “I don’t believe these systems can resist solid attacks from skilled malicious actors,” he said. “As such, airlines must be incredibly vigilant when it comes to their IFE systems, ensuring that these and other systems are properly segregated and each aircraft's security posture is carefully analysed case by case.” IOActive reported these findings to Panasonic Avionics in March 2015.
It only went public this week after giving the firm “enough time to produce and deploy patches, at least for the most prominent vulnerabilities”. Panasonic Avionic’s technology is used by a several major airlines including Virgin, American and Emirates airlines. El Reg asked Panasonic Avionic to comment on IOActive's research but we’ve yet to hear back. We’ll update this story as and when we learn more. The avionics research has some parallels with IOActive’s remote hack of the Jeep Cherokee in 2014, in which hackers took control of the vehicle’s dashboard functions, including steering, brakes, and transmission, through vulnerabilities existing in the automobile’s entertainment system. Once again, it appears entertainment systems have created a potential route into sensitive systems that hackers might be able to exploit. Stephen Gates, chief research intelligence analyst at NSFOCUS, commented: “In the light of this research, physical separation between in-flight entertainment systems and aircraft control systems could never be more important.
As airlines continue to add new customer-based entertainment and information technologies, airlines need to ensure that an impenetrable barrier is in place protecting aircraft control systems. “This research demonstrates that hackers could cause all sorts of issues that could impact a customer’s 'experience' while flying, but have yet to prove they could impact flight control systems,” he added. ® Sponsored: Flash enters the mainstream.
Visit The Register's storage hub