Security News Bites for Week Ending August 17, 2018

Hamas Creates Fake Missile Warning App to Hack Israelis

The Times of Israel is reporting that Hamas has created and was distributing a fake Code Red rocket warning app.

The app, according to Clearsky Cyber Security, takes over the phone and is impossible to remove, even if the app is deleted.

Once infected, the app allows the hacker to track the phone, take pictures, record sound, make calls and send messages – everything a normal user would do, except the person doing it, in this case, is a terrorist.

The message here is not just to avoid Hamas, but also to be wary of apps from untrusted sources as they may have unintended side effects.  Source: The Times of Israel.

Cisco and Others Release Patches for VPN Encryption Flaws

Cisco, Huawei, Clavister and ZyXEL network products are susceptible to an attack according to a paper to be presented at the Usenix Security Symposium.  This would allow an attacker to recover the encryption nonce which then would allow an attacker to decrypt all VPN data.

Note this is NOT a flaw in the encryption algorithm, but rather a bug in the software that implements it.  This is why people regularly successfully hack and steal millions in crypto currency – because no software is perfect.

It is interesting that Cisco is the only major player affected.

Cisco has released patches for IOS and IOS XE, but users can only get them if they pay Cisco for software maintenance, the main reason I do not recommend Cisco products.  The other vendors don’t charge users for fixes of security flaws.

For Cisco users that do not have maintenance or are running old, unsupported hardware, *IF* you have the ability to turn off rsa-encr authentication mode, that will solve the problem.  It may break other things, however.  Source: Bleeping Computer.

Oracle Releases Critical Security Patch

Oracle is urging its customers to quickly patch a critical vulnerability in their database installations which can result in a complete compromise of the database and provide shell access to the underlying server.

The attack only affects Oracle versions 11.2 and 12.2, is easy to exploit, can be exploited remotely but does require the attacker to have credentials.  The vulnerability is in the Java virtual machine.

Users running 12.1 on Windows or any version of Linux or Unix should install the July patches.  Source: Helpnet Security.

Yet Another Spectre/Meltdown Style Vulnerability Found

This is a strange security week between Oracle and Cisco.  Now we have news of yet another Spectre/Meltdown style vulnerability.  How is it that for 15 years no one found any of them and this year they have found at least 6, probably more?

This new bug affects the Intel Core- and Xeon families, i.e. the chip in every PC and Mac.  It is called the L1 Terminal Fault.  This new fault affects Intel’s SGX, which is kind of like the iPhone’s secure enclave, allowing an attacker to extract information from it – not good.

To add insult to injury, while the researchers found one attack, which Intel has confirmed, Intel itself says it found two more attacks.

Now here is the bad news.  Intel says that they will have a patch which will eliminate the problem with no performance impact on end user and non- virtualized environments, but for users running in a virtualized environment, especially in the cloud, that is a different story and Intel says that you will have to take additional steps – steps that you probably cannot actually take in a shared host environment like many AWS, Azure or Google environments. Source: Computing.Co .

Bitcoin Speculator Sues AT&T for $240 Million

The speculator is suing AT&T after they allowed a social engineer to port his phone number which he used for two factor authentication for his bitcoin transactions.

A hacker had broken into his account a few months earlier and AT&T had set up an account PIN (this should be standard) and flagged his account as high risk.  None the less, an employee allowed a hacker to port the phone number anyway, without any of that information.

Porting phone numbers to get around two factor authentication is becoming popular;  I was interviewed for a TV piece recently where someone’s number was ported and their bank account emptied out in just a few minutes.

AT&T is fighting the suit saying that they are not required to follow their own security protocols and certainly not responsible for what happens if they do not.  The speculator lost $23+ million in bitcoin.

For those who are in a high risk situation, using text messages for two factor is not sufficient and, in fact, given his account was hacked before, why didn’t HE change to a more secure second factor immediately weakens his case.

Stay tuned.  Source: The Register .

by