Week in review 14 November 2014
Apple devices are pretty secure, right? Wrong, as two items from this week’s news show, and that is without counting the Rootpipe vulnerability in OS X that was made public last week. Meanwhile in Microsoft-land, Winshock may have been trying to beat Shellshock’s record for an undiscovered flaw, but fell short at 19 years. In other news, Google finds that phishing is effective even when the phishing site is obviously fake. Finally, the US Postal Service became the latest casualty in a soaring number of data breaches detected in 2014.
WireLurker breaks new ground for iOS users
Palo Alto Networks released a report late last week documenting a new family of malware, which they dubbed WireLurker. WireLurker looked to be unique in that it could infect non-jailbroken iOS devices; previous iOS malware was known to target only jailbroken devices. In the report, the authors note that the infected apps were uploaded to Maiyadi, a third-party app store in China notorious for hosting pirated versions of well-known Mac software. Between 20th April 2014 and 11th June 2014, 467 infected OS X applications were uploaded to Maiyadi, among them popular titles such as Angry Birds, GRID and Bejeweled. Once one of these trojanised Mac apps is run, WireLurker installs components that start at boot as launch daemons and watch for iOS devices connected over USB. It communicates with a command-and-control server and can download updated versions of itself. When it detects a connected iOS device, it installs malicious apps onto the device; on non-jailbroken devices it does this by signing them with an enterprise provisioning profile, which iOS will install after prompting the user. The report sounded ominous, especially given that non-jailbroken iOS devices were affected. Worse was to come.
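As an added example (not code from the Palo Alto Networks report or from the original post), the Python script below audits launchd job plists for the kind of persistence the paragraph describes: an Apple-looking label placed in the third-party daemon directories, or a job that runs a program from a user-writable location. The plist contents, labels and paths in `constructed_sample_jobs` are constructed for illustration and are not taken from WireLurker itself; `collect_launch_jobs` reads the real /Library/LaunchDaemons and /Library/LaunchAgents on a Mac, while the constructed samples let the audit run anywhere.

```python
import os
import plistlib

# Directories where Apple's own launchd jobs ship. Third-party jobs belong in
# /Library/LaunchDaemons and /Library/LaunchAgents, so an Apple-style label there is odd.
APPLE_JOB_DIRS = ("/System/Library/LaunchDaemons/", "/System/Library/LaunchAgents/")
THIRD_PARTY_JOB_DIRS = ("/Library/LaunchDaemons/", "/Library/LaunchAgents/")
# Persistence that runs a program from a user-writable location is a classic malware pattern.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def job_program(plist):
    """Executable a launchd job runs: the Program key, else ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def audit_launch_job(path, data):
    """Return findings (strings) for one launchd plist at `path` with raw contents `data`."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed plist, or not a plist at all
        return [f"{path}: unparseable plist ({exc})"]
    findings = []
    label = plist.get("Label", "")
    program = job_program(plist)
    if label.startswith("com.apple.") and not path.startswith(APPLE_JOB_DIRS):
        findings.append(f"{path}: Apple-style label {label!r} outside Apple's job directories")
    if program is None:
        findings.append(f"{path}: no Program or ProgramArguments")
        return findings
    if program.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"{path}: runs {program} from a user-writable location")
    if not os.path.isabs(program):
        findings.append(f"{path}: relative program path {program!r}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive") and findings:
        # Not suspicious on its own, but combined with the above it is textbook persistence.
        findings.append(f"{path}: also starts at boot and is restarted if killed (persistence)")
    return findings


def audit_launch_jobs(jobs):
    """jobs: mapping of plist path -> raw bytes. Returns {path: [findings]} for flagged jobs only."""
    report = {}
    for path, data in jobs.items():
        findings = audit_launch_job(path, data)
        if findings:
            report[path] = findings
    return report


def collect_launch_jobs(dirs=THIRD_PARTY_JOB_DIRS):
    """Read every .plist under the given directories from the live system (Mac only)."""
    jobs = {}
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            if name.endswith(".plist"):
                full = os.path.join(directory, name)
                with open(full, "rb") as fh:
                    jobs[full] = fh.read()
    return jobs


def constructed_sample_jobs():
    """Constructed sample plists (hypothetical labels and paths, not from any real malware)."""
    def plist(**keys):
        return plistlib.dumps(keys)
    return {
        # Apple-style label dropped into the third-party daemon directory, running from /usr/local
        "/Library/LaunchDaemons/com.apple.example_update.plist": plist(
            Label="com.apple.example_update",
            ProgramArguments=["/usr/local/example/update", "--daemon"],
            RunAtLoad=True, KeepAlive=True),
        # third-party label, but the program lives in a user-writable shared folder
        "/Library/LaunchAgents/com.example.helper.plist": plist(
            Label="com.example.helper",
            Program="/Users/Shared/.helper/run.sh",
            RunAtLoad=True),
        # legitimate-looking vendor job: nothing to report
        "/Library/LaunchDaemons/com.example.vendor.plist": plist(
            Label="com.example.vendor",
            ProgramArguments=["/Applications/Vendor.app/Contents/MacOS/vendord"],
            RunAtLoad=True),
    }


if __name__ == "__main__":
    for path, findings in audit_launch_jobs(constructed_sample_jobs()).items():
        for finding in findings:
            print(finding)
```

On a real Mac, replace `constructed_sample_jobs()` with `collect_launch_jobs()`; a hit is a reason to look at the binary (`codesign -dv`, its modification time, what it listens on), not proof of infection, since some vendors do use poor label choices.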
Masque Attack a danger to iOS devices
The disclosure of WireLurker was followed very quickly by FireEye announcing Masque Attack. This is not a single piece of malware but a technique with similar traits to WireLurker and one big difference: the malicious app does not need a USB connection and can be delivered over the network, for example via a link in a text message, email or web page. FireEye’s demonstration used apps posing as well-known titles with a slight name change, “New Angry Birds” and “New Flappy Bird” being two examples. The trick is that an app signed with an enterprise or ad hoc provisioning profile and carrying the same bundle identifier as an app already on the device (Gmail in the demonstration) replaces that app, keeping its icon and inheriting its local data; iOS did not check that the two came from the same developer. The replacement can present a phishing-style login screen to steal credentials, and can read the genuine app’s cached data, including stored logins and passwords, and send them to a command-and-control server. Fortunately, these installs can be averted if you steer clear of third-party sources: only install apps from Apple’s App Store or your own organisation, don’t tap “Install” on a pop-up from a third-party web page, and if iOS shows an “Untrusted App Developer” alert when an app opens, choose “Don’t Trust” and uninstall it.
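Both WireLurker and Masque Attack rely on apps signed with an enterprise (or ad hoc) provisioning profile, which iOS installs outside the App Store. As an added example, not FireEye’s or Palo Alto Networks’ code and not from the original post, the Python script below pulls the plist out of an embedded.mobileprovision file and flags the properties that matter: enterprise distribution, a wildcard or colliding bundle identifier, and expiry. The profile values, team identifier and set of installed bundle identifiers are constructed for illustration; the script assumes the plist is embedded uncompressed inside the CMS wrapper and does not verify the signature.

```python
import plistlib
import re
import zipfile
from datetime import datetime, timezone

# A .mobileprovision file is a CMS (PKCS#7) signed blob whose payload is an XML plist.
# Assumption: the plist is embedded uncompressed, so it can be located by scanning for
# its <?xml ... </plist> span. The CMS signature is NOT verified here; on a Mac,
# `security cms -D -i embedded.mobileprovision` verifies and decodes it in one step.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_profile(blob):
    """Return the provisioning profile dict embedded in a .mobileprovision blob."""
    match = PLIST_RE.search(blob)
    if match is None:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(match.group(0))


def profile_from_ipa(ipa_path):
    """Read the profile out of an .ipa (a zip containing Payload/<App>.app/embedded.mobileprovision)."""
    with zipfile.ZipFile(ipa_path) as ipa:
        for name in ipa.namelist():
            if name.startswith("Payload/") and name.endswith(".app/embedded.mobileprovision"):
                return extract_profile(ipa.read(name))
    raise ValueError("no embedded.mobileprovision in IPA")


def bundle_id_from_profile(profile):
    """Strip the team prefix from the application-identifier entitlement ('TEAMID.com.x.y' -> 'com.x.y')."""
    app_id = profile["Entitlements"]["application-identifier"]
    for team in profile.get("ApplicationIdentifierPrefix", []):
        if app_id.startswith(team + "."):
            return app_id[len(team) + 1:]
    return app_id


def assess_profile(profile, installed_bundle_ids, now=None):
    """Return findings that make an app carrying this profile a WireLurker/Masque-style risk."""
    # plistlib returns <date> values as naive datetimes in UTC, so compare against a naive UTC now.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    findings = []
    if profile.get("ProvisionsAllDevices"):
        findings.append("enterprise distribution profile: installs on any device, bypassing App Store review")
    elif profile.get("ProvisionedDevices"):
        findings.append(f"ad hoc profile limited to {len(profile['ProvisionedDevices'])} registered device(s)")
    expires = profile.get("ExpirationDate")
    if isinstance(expires, datetime) and expires < now:
        findings.append("profile has expired; the app will not launch")
    bundle_id = bundle_id_from_profile(profile)
    if bundle_id == "*":
        findings.append("wildcard application identifier: this profile can sign any bundle ID")
    elif bundle_id in installed_bundle_ids:
        findings.append(f"bundle ID {bundle_id} collides with an installed app (Masque Attack replacement risk)")
    return findings


def constructed_profile_blob():
    """Constructed sample resembling an enterprise profile (hypothetical team and app, not Apple-issued)."""
    profile = {
        "Name": "Example In-House Distribution",
        "TeamName": "Example Corp",
        "TeamIdentifier": ["ABCDE12345"],
        "ApplicationIdentifierPrefix": ["ABCDE12345"],
        "ProvisionsAllDevices": True,
        "CreationDate": datetime(2014, 10, 1),
        "ExpirationDate": datetime(2015, 10, 1),
        "Entitlements": {
            "application-identifier": "ABCDE12345.com.example.mail",
            "get-task-allow": False,
        },
    }
    xml = plistlib.dumps(profile)
    # Fake DER-looking header and trailer standing in for the CMS wrapper.
    return b"\x30\x82\x0b\x3a\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" + xml + b"\x00" * 16


if __name__ == "__main__":
    # Constructed list of bundle IDs already installed on the device.
    installed = {"com.example.mail", "com.example.bank"}
    for finding in assess_profile(extract_profile(constructed_profile_blob()), installed):
        print(finding)
```

For real devices the list of installed bundle identifiers can be taken from an MDM inventory; an enterprise-signed app whose bundle identifier matches an App Store app on the same device is exactly the condition Masque Attack exploits.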
Phishing is simple but effective
45% of visitors fall for the best-crafted phishing sites, according to a study of manual account hijacking released by Google this week. That might be astonishing, but the truly astonishing statistic is that even the most blatant phishing sites fool 3% of visitors, which across a large campaign still yields plenty of victims. The report provided many other findings, including that the attackers manually assess a compromised account for its likely value, spending on average 3 minutes on the assessment. Accounts judged to be of little or no value are left alone; the attackers usually log out without performing any further actions. Valuable accounts are worked quickly: 20% of compromised accounts were accessed by the attackers within 30 minutes of the credentials being phished, and 50% within 7 hours.
Winshock: a forever day vulnerability
Shellshock’s record for the longest time an exploitable flaw sat undiscovered is safe, for the time being anyway. This week Winshock came very close to toppling it, being reported as present for 19 years. Winshock (MS14-066, CVE-2014-6321) is a vulnerability in Secure Channel (Schannel), the Windows implementation of SSL and TLS: specially crafted packets sent to a Windows server can trigger remote code execution. It is reminiscent of the Heartbleed vulnerability found in OpenSSL earlier in 2014, but more serious, since Heartbleed only leaked memory contents. On one front, however, Winshock could be a winner: it is a forever day vulnerability for now-unsupported Windows versions such as NT, 2000 and XP. Whilst patches for Winshock have been released for supported versions (the update is KB2992611), none will be released for those older versions, so the flaw will remain exploitable on them indefinitely, creating headaches for organisations that may still be running them. Or more accurately, creating headaches for the system administrators working for organisations running unsupported versions of Windows. Although no public exploit currently exists, the Shellshock experience has shown that attackers will not be tardy in developing one. The message is to patch servers that can be patched, and replace or upgrade those that can’t.
US Postal Service latest to be hit by data breach
Target, Home Depot, Kmart and now the US Postal Service (USPS) have been the victims of data breaches this year, with varying levels of severity. This latest breach affected USPS employees, who have had personal information including names, dates of birth, Social Security numbers and addresses stolen, and customers who contacted the Postal Service Customer Care Centre by telephone or email between 1st January 2014 and 16th August 2014. At this stage, responsibility for the attack has not been determined. Meanwhile, the USPS has shut down its remote VPN access whilst it puts in place a better solution; it appears that the existing VPN had several identified flaws that could lead to a compromise.