
Security Week 46: OAuth 2.0 bypass, low-bandwidth ICMP DDoS, iOS privacy and lock screen bypass

For a long time we had no scientific papers on security, and here you go. At the Black Hat Europe conference, researchers from the Chinese University of Hong Kong showed examples of incorrect implementations of the OAuth 2.0 protocol which, in some cases, allow user accounts to be stolen. Since we are talking about academic research, the terminology is appropriately restrained - none of this "AAAAA! One billion accounts can be easily cracked through OAuth 2.0". Well, no, wait, that is roughly what the work is called (news and the research itself).



Be that as it may, the problem the researchers found is not in OAuth itself but in its specific implementations. The need to implement Single Sign-On not only for the web but also for mobile applications (belonging not only to the owners of identity providers like Facebook and Google, but also to third parties) led to the OAuth 2.0 standard being extended in ad hoc ways, not always following security best practices.



As a result, in some places user authorization is handled horribly: the study describes a situation where it is possible to log in on behalf of another user knowing only their login (usually an e-mail address). However, the described attack scenarios require a man-in-the-middle position and are not always feasible. Of the problematic apps found during the study, most work with the Chinese identity provider Sina; of the 99 apps tested that support OAuth through Google and Facebook, only 17 are susceptible. The problem can be solved on the service side: if the app's backend stops trusting identity data relayed through the client application (which can be tampered with in transit) and instead takes the identity from the provider itself, the elegant hack will not work.
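To make the flaw class concrete, here is an added toy model (not code from the post, the paper or any of the affected apps) of a mobile-app backend that accepts an OAuth 2.0 login. The provider name, token strings, e-mail addresses and the `idp_tokeninfo` stand-in for the provider's token-verification endpoint are all constructed assumptions. The vulnerable handler validates the token but takes the user identity from the client's payload; the hardened one derives the identity from the provider's answer and also checks that the token was issued to this app, so a token the attacker legitimately obtained for some other app cannot be replayed here.

```python
"""Added example (not from the post or the paper): a toy model of the OAuth 2.0
mobile-SSO flaw described above. Provider data, token values and addresses
are constructed for illustration."""

# Constructed stand-in for the identity provider's token-verification endpoint.
# Maps access token -> (subject the provider vouches for, client id the token
# was issued to). Assumption: a real backend makes an HTTPS call here.
IDP_TOKENS = {
    "tok-alice-app1":   {"sub": "alice@example.com",   "aud": "app1"},
    "tok-mallory-app1": {"sub": "mallory@example.com", "aud": "app1"},
    "tok-mallory-app2": {"sub": "mallory@example.com", "aud": "app2"},  # issued to another app
}


def idp_tokeninfo(access_token):
    """Return the provider's view of the token, or None if it is invalid/expired."""
    return IDP_TOKENS.get(access_token)


# --- Vulnerable pattern: the backend trusts the identity the app reports ---
def login_vulnerable(payload):
    """payload is what the mobile app POSTs after the OAuth dance:
    {"user_id": ..., "access_token": ...}. The token is only checked for
    validity; the user id the client reports is taken at face value."""
    if idp_tokeninfo(payload["access_token"]) is None:
        return None
    return payload["user_id"]  # attacker-controlled field decides the session


# --- Hardened pattern: identity comes from the provider, never from the client ---
OUR_CLIENT_ID = "app1"  # assumption: this backend belongs to "app1"


def login_hardened(payload):
    info = idp_tokeninfo(payload["access_token"])
    if info is None:
        return None
    # The token must have been issued to *this* app; otherwise a token Mallory
    # legitimately obtained for another app could be replayed against us.
    if info["aud"] != OUR_CLIENT_ID:
        return None
    # payload["user_id"] is ignored entirely; the session is bound to the
    # identity the provider vouches for.
    return info["sub"]


def mitm_attack(victim_email):
    """Mallory, sitting between the app and the backend, completes her own
    OAuth login and then rewrites the user_id field to the victim's e-mail."""
    honest = {"user_id": "mallory@example.com", "access_token": "tok-mallory-app1"}
    tampered = dict(honest, user_id=victim_email)
    return {
        "vulnerable": login_vulnerable(tampered),
        "hardened": login_hardened(tampered),
    }


def cross_app_replay():
    """A token issued for app2 presented to app1's backend."""
    payload = {"user_id": "mallory@example.com", "access_token": "tok-mallory-app2"}
    return login_hardened(payload)


if __name__ == "__main__":
    print(mitm_attack("alice@example.com"))   # vulnerable -> alice, hardened -> mallory
    print(cross_app_replay())                 # None: wrong audience
```

The two checks in `login_hardened` are the whole fix: the backend never lets the client name the user, and it verifies the token's audience so that one app's token is not a universal key.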



A DDoS attack has been discovered that disables firewalls with a relatively small number of packets.

News. Research by the TDC Group security operations center.


A typical DDoS attack takes down websites with brute force rather than cleverness: an example is the recent attack on Dyn's DNS servers, which reached up to one terabit per second. Disabling network equipment with a low-bandwidth attack is harder, but still possible. Specialists at the Danish telecom TDC observed about a hundred cases of an attack that causes a denial of service in a number of popular firewall models at only 15-18 megabits per second, or 40-50 thousand packets per second.







The attack, given the catchy name BlackNurse just in case, uses the ICMP protocol. Unlike the common ping flood, here a large number of ICMP Type 3 Code 3 packets (Destination Unreachable, Port Unreachable) are sent to the target. For some reason (this point is not disclosed in the study), processing these packets drives the firewall's CPU to one hundred percent load and, accordingly, to denial of service.



A post on the blog of the American SANS Institute acknowledges the problem, but classifies it more as a misconfiguration: it is fairly easy to filter out packets of this type or change how they are processed. It is noted that Cisco did not even rate it as a vulnerability. The assumption is that after receiving the unreachable messages, the firewall tries to resolve a non-existent problem by analyzing the preceding data packets, which consumes significant resources. Interestingly, the attack method comes to us in part from the 90s, when the so-called "ping of death" problem was relevant.
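Since the fix is filtering or rate-limiting this one ICMP type/code, the detection side is equally simple. The following is an added example (not TDC's or SANS's material) that runs a per-destination sliding-window counter over a stream of packet records and raises an alert only for Type 3 Code 3 floods, so an ordinary ping flood (Type 8) does not trip it. The record format, the embedded sample traffic and the 1,000 pps threshold are constructed assumptions; TDC's 40-50 kpps figure gives the real-world scale, and the threshold here is deliberately low so the small inline sample exercises the alert.

```python
"""Added example (not from TDC's or SANS's material): rate-based detection of a
BlackNurse-style ICMP Type 3 Code 3 flood over constructed packet records."""
from collections import deque, defaultdict

ICMP_DEST_UNREACH = 3   # ICMP Type 3 (Destination Unreachable)
ICMP_PORT_UNREACH = 3   # Code 3 within Type 3 (Port Unreachable)


def parse_record(line):
    """Parse one constructed record: '<ts> <src> <dst> icmp <type> <code>'.
    Returns None for non-ICMP lines (e.g. 'tcp' records) so they are ignored."""
    ts, src, dst, proto, *rest = line.split()
    if proto != "icmp" or len(rest) != 2:
        return None
    return float(ts), src, dst, int(rest[0]), int(rest[1])


class BlackNurseDetector:
    def __init__(self, window_s=1.0, threshold_pps=1000):
        self.window_s = window_s
        self.threshold = threshold_pps
        self.windows = defaultdict(deque)  # dst -> timestamps of matching packets
        self.alerted = set()               # alert once per destination

    def feed(self, line):
        rec = parse_record(line)
        if rec is None:
            return None
        ts, src, dst, itype, icode = rec
        if (itype, icode) != (ICMP_DEST_UNREACH, ICMP_PORT_UNREACH):
            return None  # a plain ping flood is a different signature
        q = self.windows[dst]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()  # drop packets that fell out of the window
        rate = len(q) / self.window_s
        if rate >= self.threshold and dst not in self.alerted:
            self.alerted.add(dst)
            return f"ALERT {dst}: {rate:.0f} pps ICMP type3/code3"
        return None


def generate_sample(n_attack=1200, n_noise=50):
    """Constructed traffic: a 0.6 s burst of port-unreachable packets from many
    sources toward the firewall's outside address, plus benign echo/TCP noise."""
    lines = []
    for i in range(n_noise):
        lines.append(f"{i*0.02:.3f} 10.0.0.{i%5+1} 203.0.113.10 icmp 8 0")
        lines.append(f"{i*0.02+0.005:.3f} 10.0.0.{i%5+1} 203.0.113.10 tcp 443")
    for i in range(n_attack):
        lines.append(f"{i*0.0005:.4f} 198.51.100.{i%200+1} 203.0.113.10 icmp 3 3")
    return lines


def run(lines):
    """Feed records in timestamp order and return the list of alerts raised."""
    det = BlackNurseDetector()
    ordered = sorted(lines, key=lambda l: float(l.split()[0]))
    return [a for a in map(det.feed, ordered) if a]


if __name__ == "__main__":
    for alert in run(generate_sample()):
        print(alert)
```

Because the window is keyed on the destination and only counts the one ICMP type/code, the same logic translates directly into a firewall rate-limit rule for Type 3 Code 3 at the edge, which is the remedy SANS describes.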



The three thousand and first way to bypass the iPhone lock screen has been published

News



Bypassing the lock screen has turned into a kind of special sport. Participants compete in rapidly pressing every button and icon available on a locked phone, and the winner is determined by how successfully they reach the private data. As last time, Siri is involved in the bypass. In addition, the sequence of actions begins with an attempt to answer an incoming call: you must either wait for a call to the phone, or ask Siri "Who am I?", after which the victim's phone number is displayed on the screen. What follows is shamanism; it is easier to watch the video.







However, the most discussed news around Apple was (predictably) not this one. According to the Russian company ElcomSoft, iOS by default transmits information about calls made and received to the company's servers. The only thing required for the transfer is the use of iCloud, and for the phone to stop sending call history to the server, iCloud synchronization has to be completely disabled. This story relates more to privacy than to security: the dispute between Apple and the FBI earlier this year made it clear that the authorities can obtain information much more easily from the company's servers than from the device itself, if it is locked.



What else happened:

This news quotes an interesting talk by the well-known security and cryptography expert Bruce Schneier: he argues that manufacturers of IoT devices should be legally obliged to comply with security standards. According to Schneier, economic levers alone (= nobody will buy leaky devices) will not be enough (= people will buy them anyway, because nobody cares).



Yahoo, it turns out, already knew about the theft of user data back in 2014. This is the breach that was made public only in September of this year, when the databases began to be dumped into open access.



Meanwhile, 412 million accounts were stolen from the FriendFinder network, mostly from various adult dating sites.



Antiquities



"Petersburg-529"



Resident virus, not dangerous. Infects .COM files when they are loaded into memory for execution, embedding itself at the beginning of the file. When an infected program is executed, it remains resident in memory and performs the following actions:



- changes the size of the memory block allocated to the main program, reserving additional memory for its own needs;

- determines the name of the main program and executes it (i.e., the main program is restarted);

- when the program terminates, the virus stays resident (int 21h, ah = 31h).



The virus does not manifest itself and has no destructive function.



Quoted from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 79.



Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It depends on luck.

Source: https://habr.com/ru/post/315610/
