Security Week 36: jailbreak-robbery, farewell to RC4, porosity of routers

When computers finally learn to incorporate directly into the brain, our life will become much more interesting. Instead of SMS, we will receive mentograms, they are inquisitively whispering an inner voice. I thought an interesting idea - share with your friends a slight movement of the brain! Remember that the wife asked to buy in the store; for only $ 2.99 without VAT. Imperfect technologies of the first bio-discrete interfaces will transmit terabytes of data per minute to a computer (smartphone, only without a screen), leaving the powerful processors to work on catching bits of meaning from the noise of electrical pulses.

In short, the newest iPhone 164 will know absolutely everything about us. Having survived 34 rebranding and 8 restructurings, Google will store this data and process it further in data centers that occupy more than 2 percent of the Earth’s surface. And only then, having made an incredible breakthrough in technology, they will start thinking about how to protect this data. Only after the first appearance of a collection of erotic dreams of unsuspecting citizens and women on the black market in Bangkok. Only after the scandal with the bank, which reads the thoughts of the credit recipients right at the time of applying. And then you have to seriously understand - what do we collect for the data? How do we store?

But it will all be later. Interestingly, but now someone thinks about how strongly the owner gives the archive of the gyroscope readings from the mobile phone? Security research always takes place after technology enters the market, while technology makers almost never think about security. In today's digest of important information security news for the week - analysis of flights in software and devices of today's day, which millions of people have been using for a long time. I remind the rules: each week the editors of the news site Threatpost selects the three most significant news, to which I add an extended and merciless comment. All episodes of the series can be found here .
')
Why on the picture serves in the head 5 and 12 volts? I dont know!

Trojan stealing data from hacked iPhones
News Palo Alto Networks study .

Not all reports of any vulnerability or theft can be taken and re-told in simple words. This one is possible. In China, found an application for iPhone, which is embedded in the communication between the smartphone and Apple servers, and steals passwords from the iTunes Store. Found by sideline: mass complaints of users about the theft of money from their accounts - a card for all Apple users is tied to an account with a tight sea node, and nothing but a password to pay for “birds” is usually not required.

Cool, yeah? Not really. Only owners of devices with a jailbreak were attacked. Independent researchers from China, who asked to call them WeipTech, accidentally broke the C & C server of criminals and found there in open access data of more than 225 thousand users (I didn’t know that there are so many jailbreak supporters) in the format “username, password, device GUID”. Well, then everything is clear: the malicious application is distributed through the pirate freemen of the alternative Cydia store, embedded in the communication between the device and Apple using man-in-the-middle technology, and sends it stolen to its server. Cherry on the cake: the key for encrypting passwords is static, using the phrase "mischa07".


Mischa07 steals user passwords

It is not clear whether this very “Misha” could earn a lot on the KeyRaider attack, and that’s not the point. The main thing in this news is this: in terms of security, an iPhone with a jailbreak is worse than Android. If you break the (very strong) protection of iOS, then there are no checks anymore? Do whatever you want? Quite a typical situation for well-protected systems, by the way: powerful firewalls around the perimeter, physical protection, everything is disconnected from the Internet, the fly will not fly. Inside is a computer on the fourth stump and with Windows XP unpatched since 2003. And if the perimeter will be able to get around? Actually, in the context of iOS, the same question arises: if a simple, active, mass root-exploit suddenly appears - what will happen? Does the vendor have a plan B? Or suddenly it turns out that Android has a big advantage in this situation, since it has long been clear to him that everything can be broken, and the development is being carried out accordingly?

Google, Mozilla and (even earlier) Microsoft will say goodbye to RC4 in 2016
News

In the previous series (with reference to the man-on-the-side DDoS attack on GitHub), we stopped at the fact that using HTTPS is a blessing for both the user and the owner of the web service. And this is so, the only problem is that not all HTTPS implementations are equally useful, and some that use ancient encryption methods are even harmful. Examples are SSLv3 in the POODLE attack, and generally everything that uses the RC4 cipher. If SSLv3 recently celebrated its 18th anniversary and now can legally buy alcohol, then RC4 has its roots in the 1980s. For the web, it’s not yet possible to say that connecting using RC4 guarantees that the connection is compromised. Earlier, the organization Internet Engineering Task Force noted that the theoretical attacks against RC4 are "on the verge of implementation in practice."

Indeed, here is an example of a recent study : rolling back from a normal cipher to RC4 when connected to a site allows you to decrypt transmitted cookies (and therefore hijack a session) in just 52 hours. To do this, you need to intercept several cookies, and approximately understanding what will be at the exit, brute force with a slightly higher probability of success than usual. Maybe? Yes, but with reservations. In practice, use? But who knows? In Snowden’s leaks it was hinted that intelligence agencies could break RC4 with a high degree of reliability.



In general, the news turns out to be positive: the potentially vulnerable encryption algorithm has not even completely finished (at least not massively), and it will soon be finally blocked. And now it is used extremely rarely - for Chrome it is 0.13% of all connections (in absolute terms, this is still a lot of dofig ). Funeral RC4 officially scheduled for January 26 (Firefox 44) until the end of February (Chrome). Microsoft also plans to ban the connection to RC4 at the beginning of the year, for Internet Explorer and Microsoft Edge, for the reason, I quote, “it’s impossible to distinguish the webmaster’s error from the man-in-the-middle attack from the fallback on TLS 1.0 using RC4”.

I can not dilute the optimism with a bit of skepticism. Victims of such upgrades usually become either crookedly configured and little-needed websites, or time-tested critical web services, in which it is difficult to change something. It is possible that in February we will see a lively discussion on the forums about how users, after updating the browser, cannot get into any super-protected Internet bank. We'll see.

Vulnerabilities in Belkin N600 routers
News CERT Advisory .

I really like news about vulnerabilities in routers. Unlike computers, smartphones and other devices that we use every day, the router usually gathers dust somewhere in the corner, it is not paid attention to for years, especially if the router is good and works smoothly. At the same time, to be honest, no one knows what is actually happening in this black box. Even if you personally rolled on it custom firmware based on OpenWRT. Especially if you are not a techie, and the router has set and configured the provider. At the same time, the router contains the key to all your data - if you want to go to the home file sphere, you want to - intercept traffic, substitute Internet banking pages, thrust ads into Google search results. It is enough to get access only once through a single vulnerability or, more often, not even a vulnerability, but a manufacturer’s configuration curve.

At the end of the post, I added a survey on the regularity of updating the firmware of the router. And I myself would like to answer that I myself update the firmware of the router often, as soon as a fresh update comes out, but it is not. At best, every six months, and that is because a reminder appears in the web interface of the router. More often, I updated the previous router, but only because I tried to defeat the constant hangs. And for a while, personally, my router was exposed to this vulnerability, which allows remote access.



So what happened with Belkin routers? Five vulnerabilities were immediately found there, one way or another affecting security. For example:

• Predictable transaction IDs when querying DNS, in theory, allow to substitute another server in response, for example, when requesting a firmware update to a server. Not very scary.
• HTTP is the default for important operations, for example for the same firmware update requests. Scary.
• No default password for web interface. You can change anything at all, though already inside the local network. The average level of scary.
• Bypass user password authentication when accessing the web interface. The bottom line is that the browser tells the router whether it is logged in or not, and not vice versa. Substitute the value of a pair of parameters in the information transmitted to the router, and the password can be omitted. 76% scary.
• CSRF. If you force the user to click on the prepared link, you can remotely change something in the settings of the router. This is especially easy to do if the password for the web interface is not set. Scary as much horror.

Well, okay, we found a lot of holes in the not very popular router, well, okay. The problem is that not so many people are involved in finding vulnerabilities in routers, and the fact that Belkin was found, and not found by another manufacturer, does not mean that another manufacturer is more reliable. It's just that his hands have not reached him yet. This collection of news makes it clear that everything is very, very bad in this area. Conclusion? You need to protect your local network with at least the means that you have: passwords to the web interface, no WiFi with WEP, disable WPS and other unused features like an FTP server and telnet / SSH access, especially from the outside.

What else happened:
US plans to sanction China for cyber espionage. One of the most popular news of the week, but it has a feature: cybersecurity or, if you like, the landscape of threats, it will not affect in any way, in any case. Sheer politics.

Routers are not the most insecure devices. Video monitors and other “user-friendly” surveillance devices are even worse . Lack of encryption, authorization and other troubles.

Found a way to select groups in Facebook from owners through the Pages Manager application. The vulnerability is closed, the researcher received the promised bug bounty.

Antiquities:
Family "Andryushka"

Very dangerous resident "ghost" -viruses. COM- and EXE-files, except COMMAND.COM, are striking when starting an infected file (searching in directories) and from their TSR copies (when opening, executing, renaming, etc.). "Andryushka-3536" during infection translates EXE-files into COM-format (see "VASCINA" virus). The introduction of the virus occurs in the middle of the file, while the part of the infected file, where the virus is recorded, is encrypted and added to the end of the infected file.

They organize counters in the boot sectors of disks and, depending on their values, can destroy several sectors on the C: drive. At the same time, they play the melody and display the text:



Also contain the text "insufficient memory". It is rather difficult to work with interrupt handlers: they keep in their body a part of the int 25h handler, and write their code to the free space (call int 21h). When int 25h is called, the int 25h handler is restored.

Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992 Page 23.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.