
Security Week 34: Vulnerability in iOS, Powershell Trojan, Collisions against 3DES and Blowfish

Vulnerabilities in iOS are definitely the main news of the week. Yesterday Apple released an urgent update for its mobile devices, and this time it really is necessary to update quickly. The vulnerabilities were discovered by the Citizen Lab at the University of Toronto and by Lookout. A detailed report has been published on the Citizen Lab website, and perhaps that report is what makes the event particularly important, as it provides valuable context about how the hole was exploited before it was detected. That doesn't happen often.

Vulnerabilities CVE-2016-4655 and CVE-2016-4656 affect the iOS kernel: the first can leak data, while exploiting the second leads to arbitrary code execution. A third vulnerability (CVE-2016-4657, although the Lookout report numbers them in a different order) was found in the WebKit component and also leads to arbitrary code execution when visiting an infected website. All three vulnerabilities are exploited as a chain: first infection via the website, then a jailbreak of the device, using publicly available jailbreak components (Cydia).

The investigation that ended with the discovery of the vulnerabilities began with suspicious SMS messages containing links, which civil activist Ahmed Mansoor forwarded to the Citizen Lab. Opening the link on the phone silently installed a spy module that blocked device updates and collected data from popular instant messengers, social networking apps, and so on. According to a Lookout representative, this hole could have been in use since 2013 and iOS 7. The story also has a political dimension: Citizen Lab claims that this sample of cyber weapon was developed by one of the companies specializing in selling such systems to states and law enforcement agencies. However, now that the patches are out, information about the exploits and attack methods can be used more widely, so I repeat: it is worth updating right now.

Now we wait for a new auction for iOS zero-days.

New banking Trojan uses PowerShell during infection.


News. Research by Kaspersky Lab.

News from Brazil, home not only to the Olympics but also to the dubious distinction of being the world's number one country for financial cyber attacks. Kaspersky Lab expert Fabio Assolini published a short study of an interesting banking Trojan, Trojan-Proxy.PowerShell.Agent.a. During infection the Trojan uses PowerShell. It is sent in phishing messages with an attached file in the .PIF format, an ancient and half-forgotten relic of MS-DOS times that was originally used to store information about a program's launch parameters. For some strange reason Windows still processes it and, by analogy with .bat files, executes the scripts it contains.



As a result, PowerShell starts and the script tries to change the global proxy settings. That is actually all of the Trojan's "local" activity, but it is enough: once the proxy has been replaced, the victim can be served a fake banking website that looks very much like the real one. Not the most sophisticated attack in the entire history of observations, but it raises the important problem of the hidden capabilities of administration tools. And even more trouble in the future may come not from PowerShell but from BASH, which is now available in Win10 along with the Linux subsystem.
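As an added defender-side example (not code from the article or from Kaspersky Lab), here is a PowerShell check that reads the current user's WinINET proxy values, which a proxy-replacing Trojan of the kind described above rewrites, and compares them against an administrator-supplied baseline; the baseline values are assumed placeholders for a machine that should use no static proxy.

```powershell
# Added example, not from the article: compare the current user's WinINET proxy
# settings against a baseline and report any deviation that could indicate tampering.

# Assumed baseline: no static proxy and no PAC script expected on this machine.
$Baseline = @{
    ProxyEnable   = 0
    ProxyServer   = ''
    AutoConfigURL = ''
}

function Get-WinInetProxyState {
    # These registry values back the "Internet Options" proxy dialog.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        ProxyEnable   = [int]$p.ProxyEnable        # a missing value reads as 0
        ProxyServer   = [string]$p.ProxyServer     # a missing value reads as ''
        AutoConfigURL = [string]$p.AutoConfigURL
    }
}

function Compare-ProxyBaseline {
    param([hashtable]$Expected, [pscustomobject]$Actual)
    $findings = @(foreach ($name in $Expected.Keys) {
        $want = [string]$Expected[$name]
        $have = [string]$Actual.$name
        if ($want -ne $have) {
            [pscustomobject]@{ Setting = $name; Expected = $want; Actual = $have }
        }
    })
    return ,$findings   # the leading comma keeps an empty array from unrolling to $null
}

$state    = Get-WinInetProxyState
$findings = Compare-ProxyBaseline -Expected $Baseline -Actual $state
if ($findings.Count -eq 0) {
    Write-Output 'Proxy settings match the baseline.'
} else {
    Write-Warning 'Proxy settings differ from the baseline; possible tampering:'
    $findings | Format-Table -AutoSize
}
```

A proxy can also be set system-wide for WinHTTP clients; `netsh winhttp show proxy` displays that setting and is worth checking alongside the per-user values above.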



Researchers warn of the potential unreliability of the 3DES and Blowfish encryption algorithms


News. Announcement of the study.

The 3DES and Blowfish encryption algorithms have joined RC4 on the list of potentially unreliable ciphers, where RC4 has been for a long time. Unlike RC4, these two algorithms are still actively used: Blowfish is the default cipher in OpenVPN, and 3DES is supported by all browsers for HTTPS connections. The share of 3DES connections is small, only 1-2 percent, but in absolute terms that is a lot of users and traffic.

It's too early to talk about the technical details of the research: the scientific paper is only scheduled for publication. Nevertheless, its authors, researchers from the French institute INRIA, claim that they can decrypt encrypted traffic with a high degree of reliability. The reason, greatly simplified, lies in weaknesses of both algorithms that begin to show up with large volumes of transmitted data, from 32 GB upwards. Strictly speaking, that makes the work theoretical, especially since the practical parameters of an attack are even harsher: to simulate the theft of a cookie, the authors needed two days and a capture of 785 gigabytes of traffic!
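As an added worked calculation (not from the article), the 32 GB figure follows directly from the 64-bit block size that 3DES and Blowfish share and from the birthday bound; here $n$ denotes the block size in bits, and AES is included only for comparison:

$$
\begin{aligned}
n &= 64 \quad\Rightarrow\quad \text{expected block collision after} \approx 2^{n/2} = 2^{32} \text{ blocks}, \\
2^{32} \text{ blocks} \times 8 \text{ bytes/block} &= 2^{35} \text{ bytes} = 32\ \text{GiB}, \\[4pt]
\text{AES, } n = 128 &\Rightarrow 2^{64} \text{ blocks} \times 16 \text{ bytes/block} = 2^{68} \text{ bytes} \approx 256\ \text{EiB}.
\end{aligned}
$$

In CBC mode a collision of two ciphertext blocks, $C_i = C_j$, gives $P_i \oplus C_{i-1} = P_j \oplus C_{j-1}$, so a repeated secret such as a cookie in $P_i$ is exposed by a known plaintext in $P_j$; this is why moving to a 128-bit block cipher, rather than merely rekeying more often, removes the problem.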

However, if everything is confirmed, such conditions in no way detract from the researchers' achievement. Early warning about the unreliability of encryption algorithms allows software and hardware developers to drop support for them before the attack becomes practical. A good example is the SHA-1 hash algorithm. Last year it was shown that an attack on it takes only (or a whole, depending on how you look at it) 49 days. Although this is not the most practical attack, the makers of all major browsers have since dropped support for SHA-1.

What else happened:


An interesting study of the dangers of a Chinese router in which someone forgot to set a root password.

In Russia (and not only there) there is a noticeable shortage of information security specialists.

The EFF criticized Microsoft for its bulldozer tactics in promoting Windows 10 (and for telemetry too).

Antiquities:


Taiwan Family

A family of very dangerous non-resident viruses. They traverse subdirectories and write themselves to the beginning of .COM files. When infecting files, they lock the keyboard (apparently an action directed against resident antivirus monitors). If no .COM file is found, the Taiwan viruses may erase part of the sectors of the current disk and then display: "Greetings from National Central University! Is today sunny?". They also contain the string "*.com".

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 47.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. As luck would have it.

Source: https://habr.com/ru/post/308618/
