
iPhones used as WiFi hotspots are open to hackers


June 19, 2013

According to a new study from the University of Erlangen in Germany, Apple's iPhone devices being used as Wi-Fi hotspots are open to hackers' attacks because of weaknesses in the automatic password generation system Apple has in place.

Called "Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots," the paper reveals that the seemingly random password iOS generates for hotspots is straightforward to crack.

It consists of only four to six characters followed by a four-digit number string. As a test, the team downloaded a 52,500-word dictionary from an open source version of Scrabble, added number-generating code, and cracked the iOS password system every time, although the team points out it isn't suggesting Apple used the same dictionary.

Using an AMD Radeon HD 6990 GPU, the average time to crack was just 59 minutes. So the team then reverse-engineered the iOS word list used for password generation, using "static and dynamic analysis," tools like GNU Debugger, and by manually going through the ARM disassembly of the relevant iOS frameworks.

They discovered that Apple uses English-language words of between four and six letters from a dictionary made by Lernout & Hauspie Speech Products.

"Only 1,842 different entries of that dictionary are taken into consideration," the paper states. "Consequently, any default password used within an arbitrary iOS mobile hotspot, is based on one of these 1,842 different words. This fact reduced the search space of our initial brute force attack by more than 96 percent and thus increased the overall cracking speed significantly."

Additionally, the selection of words picked for passwords was skewed. For example, the word "suave" was used 0.08 percent of the time, while "subbed" cropped up 0.76 percent of the time and "head" 0.53 percent, ten times the frequency they should have had under a random selection.

By frontloading these selections into any attack code, the chances of cracking the system quickly are greatly increased.

The team also decided to upgrade their hardware to bring down search times and built a box with four AMD Radeon HD 7970 units that could burn through 390,000 guesses per second. This cut the time to crack automatically generated passwords down to 24 seconds, or 52 seconds using a single AMD Radeon HD 6990 GPU. Users should set their own hotspot passwords, the team recommends.
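The arithmetic behind those figures, as an added worked example (not code from the study or the article): the keyspace of the default scheme, the search-space reduction from knowing the real 1,842-word list, the average-case time at the reported 390,000 guesses per second, and how a skewed word distribution lowers effective entropy. The skewed distribution is constructed for illustration, not the study's measured frequencies.

```python
import math

# Figures reported in the Erlangen study, as quoted in the article above.
SCRABBLE_DICTIONARY = 52_500   # words in the open-source Scrabble list the team first used
APPLE_WORDLIST = 1_842         # dictionary entries iOS actually draws from
DIGIT_SUFFIX = 4               # four-digit number appended to the word
RIG_GUESSES_PER_SEC = 390_000  # four AMD Radeon HD 7970 cards


def keyspace(words, digits=DIGIT_SUFFIX):
    """Number of distinct default passwords: one word times every digit suffix."""
    return words * 10 ** digits


def search_space_reduction(full_words, actual_words):
    """Fraction of the original search space removed by knowing the real word list."""
    return 1 - actual_words / full_words


def expected_crack_seconds(space, guesses_per_sec):
    """Average case: a uniformly chosen password falls after half the space is tried."""
    return space / 2 / guesses_per_sec


def entropy_bits(probabilities):
    """Shannon entropy of the word-selection distribution; equals log2(N) when uniform."""
    return -sum(p * math.log2(p) for p in probabilities if p > 0)


def guesses_to_cover(probabilities, mass):
    """How many most-likely words a front-loaded guess order needs to cover `mass`."""
    covered = 0.0
    for n, p in enumerate(sorted(probabilities, reverse=True), start=1):
        covered += p
        if covered >= mass - 1e-9:
            return n
    return len(probabilities)


def skewed_wordlist(n_words=APPLE_WORDLIST, hot_words=100, hot_mass=0.5):
    """Constructed bias: 100 'hot' words carry half the probability mass.
    Illustrative only, not the study's measured word frequencies."""
    hot_p = hot_mass / hot_words
    cold_p = (1 - hot_mass) / (n_words - hot_words)
    return [hot_p] * hot_words + [cold_p] * (n_words - hot_words)


if __name__ == "__main__":
    space = keyspace(APPLE_WORDLIST)
    uniform = [1 / APPLE_WORDLIST] * APPLE_WORDLIST
    print(f"passwords to try: {space:,}")
    print(f"search space cut by {search_space_reduction(SCRABBLE_DICTIONARY, APPLE_WORDLIST):.1%}")
    print(f"average time on the 4x7970 rig: {expected_crack_seconds(space, RIG_GUESSES_PER_SEC):.0f} s")
    print(f"word entropy: uniform {entropy_bits(uniform):.2f} bits, "
          f"skewed {entropy_bits(skewed_wordlist()):.2f} bits")
    print(f"words covering half the mass: uniform {guesses_to_cover(uniform, 0.5)}, "
          f"skewed {guesses_to_cover(skewed_wordlist(), 0.5)}")
```

The uniform word entropy is under 11 bits, so the whole default password carries about 24 bits; a user-chosen passphrase of ordinary length exceeds that by a wide margin.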

As a test case, the security team built an iOS application dubbed "Hotspot Cracker" which could be used to try out an attack against a target phone. This was limited by the processing power of the smartphone, but can be used in conjunction with a cloud password cracking service.

Once the password has been compromised, the operator can piggyback on the hotspot's bandwidth, stage a man-in-the-middle attack for eavesdropping, and then get access to files stored on the device.

Jailbroken iPhones are extra risky since they could even allow access to the basic iPhone system services code. While the researchers concentrated on Apple, they noted that other mobile operating systems could also be affected.

To be sure, Microsoft's Windows Phone 8 uses a similar password system that doesn't even use words, relying instead on eight-digit number strings alone.

Android is somewhat better, but there have been cases of manufacturers such as HTC dumbing down password generation for some handsets, the University says.

"The results of our analysis have demonstrated that the mobile hotspot feature of smart devices increases the attack footprint in several ways," the team concludes.

"As the default password of an arbitrary iOS hotspot user can be revealed within seconds, attacks on mobile hotspots might have been underestimated in the past and might be an attractive target in the future," the report added.

In other internet security news

A hacker has published what he claims to be three telephone numbers belonging to Philippine president Benigno Aquino, including his private mobile number, in a bid to urge voters to confront their leader directly.

Going by the pseudonym “#pRis0n3r”, the hacker posted the numbers to his 10,000+ followers on Facebook on Friday night, alongside the president’s home address and the address of Aquino’s office in the House of Representatives Batasan building.

Beneath the numbers is the message “This is now the chance for your voice to be heard”, alongside an Anonymous logo.

There was no confirmation as to the veracity of the phone numbers but an Aquino spokesman, Ricky Carandang, didn’t sound too happy about that.

"It's cyber vandalism plain and simple," he told AFP. "We're dealing with it. That's all I can say for now."

When the news wire tried to contact the numbers on Saturday morning they had apparently stopped working. There was no further information on the Facebook page of #pRis0n3r as to exactly how he obtained the numbers, but in a message sent to a local paper, the hacktivist claimed he was “100 percent” sure they were Aquino’s.

He also complained that the president was "very silent when it comes to national issues", adding, "We want to hear him."

The group Anonymous has had several run-ins in the past with the Aquino administration, most notably in January when it defaced several government web sites in response to the Cybercrime Prevention Act of 2012.

Local hacktivists claiming to be affiliated with the group have also been involved in a bitter online battle between Filipino and Malaysian hackers which erupted after bloody clashes in the northern Borneo region of Sabah, and in tit-for-tat exchanges with patriotic Chinese over the disputed group of rocks known as Scarborough Shoal.

In other internet security news

Yesterday's Patch Tuesday update for Microsoft Windows OSs all over the globe went pretty well, and was rolled out with five bulletins, including a single critical security update that deals with flaws in all supported versions of Internet Explorer.

Available at 1:10 PM EST, the IE update (MS13-047) deals with no fewer than nineteen security vulnerabilities and covers all versions of Internet Explorer from IE6 to IE10 on all supported versions of Windows, from XP to RT.

It's just the sort of thing that might be latched onto by hackers as part of drive-by-download attacks, based on malicious scripts on compromised websites, and therefore needs to be patched sooner rather than later.

The other four security bulletins this week all cover lesser flaws, rated "important" by Microsoft. The most noteworthy of these is MS13-051, which covers Microsoft Office 2003 on Windows and Office 2011 for Mac OS X and tackles a parsing vulnerability in the PNG graphic format that has already cropped up in a limited number of active attacks.

"The attack arrives in an Office document and is triggered when the user opens the document," writes Wolfgang Kandek, CTO at cloud security firm Qualys.

"Microsoft rates it only as 'important' because user interaction is required, but attackers have shown over and over that getting a user to open a file is quite straightforward," he added.

The remaining three security bulletins rated "important" tackle an information disclosure vulnerability within the Windows kernel, a local privilege escalation vulnerability within the print spooler components in Windows, and a DoS issue in the TCP/IP stack of newer Windows systems.

Taken altogether it's a fairly quiet month. Microsoft's Patch Tuesday bulletin for June can be found on its site. June's patch update from Microsoft does not fix a recent 0-day security vulnerability discovered by Google's Tavis Ormandy.

The 0-day vulnerability allows an attacker already on a Windows machine to gain admin privileges. In related patching news, Adobe is pushing out an updated version of Flash (APSB13-16), which will be released to Google Chrome and Microsoft IE10 users via an automatic update.

In other cases, the cross-platform update (which covers versions of Flash Player on Windows, Macs and Linux as well as Android smartphones) will need to be applied separately.

Meanwhile, server and data centre system admins would be wise to pay particular attention to the release of a security bulletin from VMware, covering a vulnerability in handling file uploads by the vCenter Chargeback Manager that poses a remote code execution risk on unpatched systems.

For its part, Apple pushed out its own quarterly security updates last week, with a new version of Safari and Mac OS X addressing numerous and some very critical security vulnerabilities.

Those security updates are unrelated to the new versions of Mac OS X and Safari announced at this week's WWDC in San Francisco, which will not be released for some time yet.

In other internet security news

Internet security technicians at Kaspersky Labs report that a recently discovered Android Trojan is the nastiest and most sophisticated mobile malware yet identified, and that its creators have put a lot of thought into causing the most damage possible on a typical Android device.

In a recent blog post to Kaspersky Labs' Securelist website, Roman Unuchek describes the malware, named Backdoor.AndroidOS.Obad.a or "Obad" for short, as being closer to Windows malware than to your typical mobile Trojan, owing to its complexity and sophistication.

To be sure, Obad uses multiple layers of encryption and code obfuscation to conceal what it's doing to the operating system, and it exploits previously unknown security vulnerabilities in the Android OS to gain near total control over an Android smartphone or tablet.

The worst part is that it simply runs in the background with no visible user interface, yet communicates with command and control (C&C) servers over the device's internet connection and can even accept commands via SMS text messages.

Worse, once Obad gains Device Administrator privileges, it takes advantage of an Android security vulnerability to hide itself from the list of applications that have such privileges, making it impossible for the user to remove it from the infected device.

Once installed, Obad can be commanded to perform a variety of nasty functions. It can connect to preprogrammed IP addresses, ping servers, download files from servers and install them, and send text messages.

It can also send data about the compromised device to the C&C servers, including information about installed applications and the user's full contact information.

On the more sophisticated side, Obad can also allow cybercriminals to execute console commands via remote shell access, send infected files to all detected Bluetooth devices, and can act as a proxy server, sending data to a specified address and returning the response.

Additionally, Obad has the ability to block the device's screen for up to ten seconds, to help conceal its malicious activity from the user.

Kaspersky Labs has offered no theory as to who might be running the Obad malware, and no point of origin has been identified yet.

Unuchek added that Kaspersky Lab has already informed Google about the Android security vulnerabilities exploited by the Trojan, and Obad can now be detected by security software from Kaspersky and other security vendors.

If there is a bright spot to any of this, it's that however sophisticated, Obad is still relatively rare. Over a three-day observation period, Kaspersky Lab found that Obad accounted for no more than 0.15 percent of all attempts to infect mobile devices with malware, at least for now.

In other internet security news

Of the many forms of internet attack system admins are seeing these days, one of the most common is SQL injection, and although the vector is old and well understood, it's still very difficult to defend against, despite all the precautions already in place in most systems.

Kevin Kennedy, senior manager for Juniper Networks' security business division, is in Australia this week to demonstrate Juniper's latest shot at defeating SQL injection, not with block-by-signature, but by trapping attackers.

Spotlight Secure was first launched across the board in February of this year, and the concept behind it is that signatures in Web application firewalls are no longer that effective against the patient attacker, and input validation only goes so far, and now the time has come for better defenses against such forms of attacks.

Kennedy said it's been proven that input validation must fail at some point. There will inevitably be a collision between a genuine input that should be passed and a malicious input that should be blocked, and that gap is what the project is meant to close.

It's also inevitable that even with a Web application firewall standing between the SQL server and the Internet, a patient attacker will find a combination of inputs that doesn't trigger a signature alert on the firewall – but does give an attacker an SQL injection vector, nevertheless.

It isn't perfect (nothing ever is), but the idea is to make SQL injection attacks a lot slower and a lot more expensive, while at the same time using super-cookies to fingerprint the attacker, in an effort to discover him (or her).

And to take a simple example of an attack on a SQL server, an attacker might first try changing some parameters in a URL with the aim of generating errors that offer them more information about the database behind the Website.

From that starting point, the attacker then begins passing increasingly sophisticated parameters to the SQL engine with the ultimate aim of retrieving valuable user IDs and passwords that will gain him access to the system.

Rather than just trying to create a perfect validation list, Juniper is instead building some fake parameters into the URL, for example, offering database parameters such as columns that don't even exist.

If someone tries to access a “trap” parameter, the system starts treating the user as a likely attacker. Rather than simply blocking that user's IP (which isn't particularly useful long-term), there are a number of actions still available to the system administrator.

One of them is to slow down system responses to that user, a very simple but very effective method to make the attack more 'expensive' for the attacker.

Another method is the super-cookie mentioned earlier. The principle of super-cookies is that they're harder to detect than standard cookies, and they collect information to more accurately profile the machine they're installed on.

With enough data captured (the browser, the installed fonts, timezone, screen resolution, pointer device, camera type and so on), the system can build a more exact fingerprint of the attacking machine that might not be unique, but is a pretty useful characterisation of the attacker in the case of a criminal investigation.

Rather than just watching for something easily changed, like the IP address, the system is now looking for the fingerprint of the super-cookie, and acting accordingly.
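The trap-parameter and slow-down steps described above, as an added illustrative example that is not Juniper's code: decoy query parameters that no legitimate page ever sends back, a monitor that flags any client touching one, and a per-client response delay that doubles with each hit. Parameter names and addresses are constructed; the client key here is a source address, whereas Juniper's design keys on a super-cookie fingerprint, which this example does not implement.

```python
import logging
from urllib.parse import parse_qs, urlparse

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("trap")

# Constructed decoy names: advertised in page markup but read by no real handler,
# so an ordinary browser never sends them. Anyone who does is probing.
TRAP_PARAMS = frozenset({"legacy_uid", "debug_col", "rowid_hint"})


def trap_hits(url, traps=TRAP_PARAMS):
    """Return the decoy parameters present in a request URL (empty for clean traffic)."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return sorted(traps.intersection(query))


class TrapMonitor:
    """Remembers which clients have touched a trap and how much to slow them down."""

    def __init__(self, base_delay=0.5, max_delay=30.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.hits = {}  # client key -> number of trap touches so far

    def inspect(self, client, url):
        touched = trap_hits(url)
        if touched:
            self.hits[client] = self.hits.get(client, 0) + 1
            log.info("trap hit client=%s params=%s total=%d", client, touched, self.hits[client])
        n = self.hits.get(client, 0)
        if n == 0:
            return {"client": client, "suspect": False, "delay": 0.0, "trap": []}
        # Delay doubles per trap hit and applies to every later request from the
        # client, clean or not: probing gets slower while still being answered and logged.
        delay = min(self.base_delay * 2 ** (n - 1), self.max_delay)
        return {"client": client, "suspect": True, "delay": delay, "trap": touched}


def run_demo():
    """Constructed request sequence: one ordinary visitor and one prober touching decoys."""
    monitor = TrapMonitor()
    requests = [
        ("203.0.113.5", "/products?id=42"),
        ("198.51.100.7", "/products?id=42&legacy_uid=1"),
        ("198.51.100.7", "/products?id=42&debug_col=1"),
        ("198.51.100.7", "/products?id=43"),
        ("203.0.113.5", "/search?q=shoes"),
    ]
    return [monitor.inspect(client, url) for client, url in requests]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

In a real deployment the returned delay would be applied before answering (for example with a sleep in the proxy), and the log line is what feeds the investigation the article describes.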

The aim, Kennedy said, is to track attackers rather than merely blocking them. “We want to change the economics of the attack,” he said. “Slow them down, waste their time, plant the cookie so we can recognise them and go after them.”

In most circumstances, Kennedy said, the characteristics that the super-cookie uses to build its fingerprint change incrementally but very slowly. It's far more common for someone to replace a keyboard or buy a new screen than to configure a whole new system.

At the same time, since the ordinary user of a typical website is never going to ask the SQL database server to display the contents of the fake field in the first place, Juniper also hopes to address the false positive problem that makes even owners of Web application firewalls under-use the technology from the get-go.

Of course, it isn't perfect: an experienced attacker will know how to protect themselves against super-cookies. But Kennedy said this doesn't invalidate the trap in and of itself, since the attack will still be identified and logged anyway.

Another example: you can't 'plant' a super-cookie on a Linux server booted from a USB stick with no write privileges. But, Kennedy said, the failure of the cookie will flag the server as a likely attacker and render the machine useless for the attack anyway, as an added security feature.

We asked Kennedy if the fingerprints collected by super-cookies wouldn't be more useful if they could be shared between security vendors. His answer was yes, if the challenges involved could be overcome.

“In and by itself, the concept of simply sharing fingerprints isn't useful in isolation,” he said. “But we believe that sharing the benefits of security technology is important. This industry does not share well together, and we'd like to improve on that.”

"To begin with, Juniper Networks has a partnership announced with RSA, but broader sharing is difficult, because it requires that you have an active proxy using the fingerprints. This is more complex than scoring the reputation of IP addresses," added Kennedy.

“What should be shared is granular and enforceable information; that's the whole idea. But what we need is for other security solutions vendors to say 'yes, this is something we could do.' We're open to having that conversation,” said Kennedy.


Source: The University of Erlangen, Germany.
