Feb 22, 2013

Critical cURL library flaw could expose many apps to hackers

Libcurl 7.29.0 addresses a critical remote code execution vulnerability


Computer World

by Lucian Constantin
February 8, 2013

IDG News Service –

A critical buffer overflow vulnerability patched this week in the widely used open-source cURL library (libcurl) has the potential to expose a large number of applications and systems to remote code execution attacks.

CURL is a cross-platform command line tool and library for transferring data using URL (uniform resource locator) syntax. It supports a wide range of protocols including HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, DICT, FILE, FTP, FTPS, Gopher, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, Telnet and TFTP.

The vulnerability can be exploited when a program that uses libcurl or the cURL command line tool communicates with a malicious server over the POP3, SMTP or IMAP protocols, the cURL developers said Wednesday in a security advisory. The flaw is located in the libcurl function that handles SASL DIGEST-MD5 authentication and affects versions 7.26.0 to 7.28.1 of the library, they said.

Libcurl 7.29.0 was released Wednesday to address the flaw. However, the issue can also be mitigated by using the CURLOPT_PROTOCOLS option to disable support for the vulnerable protocols at run-time.

Vulnerability research and management firm Secunia rated the flaw as highly critical. “Successful exploitation may allow execution of arbitrary code but requires tricking a user into connecting to a malicious server,” the company said Thursday in a security advisory.

Even though a potential exploit involves POP3, IMAP or SMTP authentication, HTTP URLs can also be used as an initial attack vector because cURL supports redirection, said Volema, the vulnerability research outfit that discovered the vulnerability, in a blog post Wednesday.

If a program that uses libcurl is instructed to open an HTTP URL to a malicious server, the server can respond with status “302 Found” and redirect the library to another location, which can be pop3://x:x@evilserver.com/, Volema said. The library will then attempt authentication and the server can deliver the exploit.

There’s a run-time option called CURLOPT_FOLLOWLOCATION that can be used to prevent libcurl from following “Location” headers sent in HTTP responses. If this feature is needed, another option called CURLOPT_REDIR_PROTOCOLS can be used to limit what protocols are supported for redirect attempts.
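As an added illustration, not code from the article or from the cURL project, the following emulates how the two settings just described decide whether the HTTP-to-POP3 redirect is followed. The `RedirectPolicy` class is a stand-in named after the libcurl options, not libcurl's own API, and the 302 response is constructed from the redirect target quoted above.

```python
"""
Added example: a small emulation of a client applying
CURLOPT_FOLLOWLOCATION / CURLOPT_REDIR_PROTOCOLS-style rules to a
redirect.  RedirectPolicy is an assumption made for illustration and
is not libcurl's API; the response bytes are constructed.
"""
from urllib.parse import urlsplit


class RedirectPolicy:
    """Two knobs: follow Location headers at all, and which URL schemes
    may be the target of a redirect."""

    def __init__(self, follow_location, redir_protocols):
        self.follow_location = follow_location
        self.redir_protocols = frozenset(p.lower() for p in redir_protocols)


# Constructed response from a hostile HTTP server, using the redirect
# target quoted in the article.
MALICIOUS_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: pop3://x:x@evilserver.com/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_status_and_location(raw):
    """Return (status code, Location header value or None) from a raw
    HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def next_hop(raw, policy):
    """URL the client would connect to next, or None if policy stops it."""
    status, location = parse_status_and_location(raw)
    if status not in (301, 302, 303, 307, 308) or not location:
        return None
    if not policy.follow_location:
        return None  # FOLLOWLOCATION off: the Location header is ignored
    scheme = urlsplit(location).scheme.lower()
    if scheme not in policy.redir_protocols:
        return None  # scheme is outside the REDIR_PROTOCOLS allow-list
    return location


# Permissive: redirects followed and mail protocols allowed as targets,
# the situation the article describes for an unhardened client.
PERMISSIVE = RedirectPolicy(True, ["http", "https", "ftp", "pop3", "imap", "smtp"])
# Hardened: redirects still allowed, but only to web URLs.
HARDENED = RedirectPolicy(True, ["http", "https"])
# Strictest: do not follow Location headers at all.
NO_FOLLOW = RedirectPolicy(False, ["http", "https"])

if __name__ == "__main__":
    for name, pol in [("permissive", PERMISSIVE), ("hardened", HARDENED),
                      ("no-follow", NO_FOLLOW)]:
        print(f"{name:10s} -> {next_hop(MALICIOUS_302, pol)}")
```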

“I don’t expect that many applications use these options to limit exposure – at least not before this discovery,” Carsten Eiram, chief research officer at security firm Risk Based Security, said Friday via email.

CURL is highly portable and works on Windows, Mac OS X, Linux, Solaris, BSD variants, other UNIX-derived OSes including those for embedded systems, as well as mobile OSes like iOS, Android, BlackBerry Tablet OS and BlackBerry 10 OS. This makes it very popular among application developers who would rather use an already robust library for data transfer than code their own solution from scratch.

The library is used by a wide range of desktop, Web and mobile applications. According to the cURL developers it’s even used in Internet-connected TV sets and Bluray players, in embedded systems and in games. An incomplete list of applications that use libcurl is available on the project’s website.

Some applications bundle a copy of the library with their installers while others use the version of the library installed on the operating system. Some Linux distributions come with libcurl installed by default, while others provide it as an optional package.

Because of the many ways and places where libcurl is used, a lot of systems and applications are likely to remain vulnerable to this vulnerability for some time to come, despite a patch being available.

This will especially be the case for those applications that use it statically, meaning that the applications include a copy of the library, Eiram said.

“This is one of the problems in general with software that often includes a lot of third-party components and libraries,” Eiram said. “How do these software vendors get informed about vulnerabilities in any components that they bundle, and how quick are they at evaluating if their software is vulnerable and update it?”

“We regularly see products affected by vulnerabilities in their bundled components, which were fixed upstream a long time ago,” he said. “An example is the latest UPnP research by Rapid7 (http://www.pcworld.com/article/2026654/researcher-upnp-flaws-expose-millions-of-networked-devices-to-remote-attacks.html). Some of the described vulnerabilities were fixed many years ago, yet device vendors are still using old, vulnerable versions of the components.”

Eiram believes that if a reliable exploit is released, there will definitely be attacks that will target this vulnerability. “We will at least see random websites trying to exploit this if targets happen — or are tricked — to visit it with a vulnerable application,” he said.


Direct Link: http://www.computerworld.com/s/article/9236644/Critical_cURL_library_flaw_could_expose_many_apps_to_hackers?taxonomyId=11&pageNumber=1

Jan 24, 2013

Attack Turns Android Devices Into Spam-Spewing Botnets

Beware Trojan app sending 500,000 spam SMS messages per day, charging messages to smartphone owners.

Information Week
by Mathew J. Schwartz
December 19, 2012

 


 

From an attacker’s perspective, malware doesn’t need to be elegant or sophisticated; it just needs to work.

That’s the ethos behind a recent spate of Trojan applications designed to infect smartphones and tablets that run the Android operating system, and turn the devices into spam-SMS-spewing botnets.

By last week, the malware was being used to send more than 500,000 texts per day. Perhaps appropriately, links to the malware are also being distributed via spam SMS messages that offer downloads of popular Android games–such as Angry Birds Star Wars, Need for Speed: Most Wanted, and Grand Theft Auto: Vice City–for free.

Despite the apparent holiday spirit behind the messages, however, it’s just a scam. “If you do download this ‘spamvertised’ application and install it on your Android handset, you may be unknowingly loading a malicious software application on your phone which will induct your handset into a simple botnet, one that leverages the resources of your mobile phone for the benefit of the malware’s author,” according to an overview of the malware written by Cloudmark lead software engineer Andrew Conway.

The malware in question uses infected phones “to silently send out thousands of spam SMS messages without your permission to lists of victim phone numbers that the malware automatically downloads from a command and control server,” said Conway. Of course, the smartphone owner gets to pay any associated SMS-sending costs.

An earlier version of the malware was discovered in October, disguised as anti-SMS spam software, but it remained downloadable for only a day. “Apparently using SMS spam to promote a bogus SMS spam blocking service was not an easy sell,” said Conway. Subsequently, the malware was repackaged as free versions of popular games, and the malware’s creator now appears to be monetizing the Trojan by sending gift card spam of the following ilk: “You have just won a $1000 Target Gift Card but only the 1st 777 people that enter code 777 at [redacted website name] can claim it!”

As with the majority of Android malware, the malicious apps can be downloaded not from the official Google Play application store, but rather from third-party download sites, in this case largely based in Hong Kong. In general, security experts recommend that Android users stick to Google Play and avoid third-party sites advertising supposedly free versions of popular paid apps, since many of those sites appear to be little more than “fakeware” distribution farms. But since Android users are blocked from reaching Google Play in some countries, including China, third-party app stores are their only option.

After installing the malware and before it takes hold, a user must first grant the app numerous permissions — such as allowing it to send SMS messages and access websites. Only then can it successfully transform the mobile device into a spam relay. Of course, people in search of free versions of paid apps may agree to such requests. Furthermore, “not many people read the fine print when installing Android applications,” said Conway.

If a user does grant the malware the requested permissions, it will transform their Android device into a node, or zombie, for the malware creator’s botnet. At that point, the malware immediately “phones home” to a command-and-control server via HTTP to receive further instructions. “Typically a message and a list of 50 numbers are returned,” said Conway. “The zombie waits 1.3 seconds after sending each message, and checks with the C&C server every 65 seconds for more numbers.”

Again, the Android malware used to build the accompanying SMS-spewing botnet isn’t sophisticated, but it does appear to be earning its creator money. “Compared with PC botnets this was an unsophisticated attack,” said Conway. “However, this sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs. Now that we know it can be done, we can expect to see more complex attacks that are harder to take down.”
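The send pattern Conway describes (a batch of about 50 numbers, 1.3 seconds between messages, a new batch every 65 seconds) is regular enough to spot in outbound-SMS telemetry. The following detector is an added example, not code from the article or from Cloudmark; the log format, device names and thresholds are assumptions, and the log lines are constructed.

```python
"""
Added example: a heuristic detector for machine-driven SMS relaying,
run over constructed outbound-SMS log lines.  The log format, device
names and thresholds are assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(\S+) device=(\S+) sms_out to=(\S+) body="(.*)"$')

# Spam text quoted in the article; the site name stays redacted as there.
GIFT_CARD_SPAM = ("You have just won a $1000 Target Gift Card but only the 1st "
                  "777 people that enter code 777 at [redacted] can claim it!")


def build_sample_log():
    """Constructed log: one infected handset and one ordinary one."""
    lines = []
    t0 = datetime(2012, 12, 19, 10, 0, 0)
    # Zombie: 50 numbers from the C&C list, one message every 1.3 s.
    for i in range(50):
        ts = t0 + timedelta(seconds=1.3) * i
        lines.append(f'{ts.isoformat(timespec="milliseconds")} device=handset-A '
                     f'sms_out to=+1555000{i:04d} body="{GIFT_CARD_SPAM}"')
    # Ordinary user: a handful of messages to two contacts, minutes apart.
    for i, body in enumerate(["running late", "ok", "see you at 7", "thanks"]):
        ts = t0 + timedelta(minutes=3 * i)
        lines.append(f'{ts.isoformat(timespec="milliseconds")} device=handset-B '
                     f'sms_out to=+15559990{i % 2:03d} body="{body}"')
    return lines


def parse(lines):
    """Group (timestamp, recipient, body) tuples per device, oldest first."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events[m.group(2)].append((datetime.fromisoformat(m.group(1)),
                                       m.group(3), m.group(4)))
    return {dev: sorted(evs) for dev, evs in events.items()}


def flag_spam_relays(lines, window_s=65, min_msgs=20, max_gap_s=3.0):
    """Return devices that, inside any window_s span, sent at least min_msgs
    copies of one body to mostly distinct numbers at machine-like gaps."""
    window = timedelta(seconds=window_s)
    flagged = []
    for dev, evs in parse(lines).items():
        for i in range(len(evs)):
            j = i
            while j + 1 < len(evs) and evs[j + 1][0] - evs[i][0] <= window:
                j += 1
            batch = evs[i:j + 1]
            if len(batch) < min_msgs:
                continue
            gaps = [(batch[k + 1][0] - batch[k][0]).total_seconds()
                    for k in range(len(batch) - 1)]
            distinct = len({to for _, to, _ in batch})
            one_body = len({body for _, _, body in batch}) == 1
            if one_body and max(gaps) <= max_gap_s and distinct >= 0.9 * len(batch):
                flagged.append(dev)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_spam_relays(build_sample_log()))  # ['handset-A']
```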


Direct Link:  http://www.informationweek.com/security/attacks/attack-turns-android-devices-into-spam-s/240144988?cid=SBX_iwk_related_news_Attacks/breaches_security&itc=SBX_iwk_related_news_Attacks/breaches_security

Nov 06, 2012

Android-Based Network Built to Study Cyber Disruptions and Help Secure Hand-Held Devices

As part of ongoing research to help prevent and mitigate disruptions to computer networks on the Internet, researchers at Sandia National Laboratories in California have turned their attention to smartphones and other hand-held computing devices.

 

ScienceDaily
Oct. 2, 2012

 

Sandia’s David Fritz holds two Android smartphones, representing the virtual network of 300,000 such devices that he and other researchers are using to advance understanding of malicious computer networks on the Internet. (Credit: Dino Vournas)


Sandia cyber researchers linked together 300,000 virtual hand-held computing devices running the Android operating system so they can study large networks of smartphones and find ways to make them more reliable and secure. Android dominates the smartphone industry and runs on a range of computing gadgets.

The work is expected to result in a software tool that will allow others in the cyber research community to model similar environments and study the behaviors of smartphone networks. Ultimately, the tool will enable the computing industry to better protect hand-held devices from malicious intent.

The project builds on the success of earlier work in which Sandia focused on virtual Linux and Windows desktop systems.

“Smartphones are now ubiquitous and used as general-purpose computing devices as much as desktop or laptop computers,” said Sandia’s David Fritz. “But even though they are easy targets, no one appears to be studying them at the scale we’re attempting.”

The Android project, dubbed MegaDroid, is expected to help researchers at Sandia and elsewhere who struggle to understand large scale networks. Soon, Sandia expects to complete a sophisticated demonstration of the MegaDroid project that could be presented to potential industry or government collaborators.

The virtual Android network at Sandia, said computer scientist John Floren, is carefully insulated from other networks at the Labs and the outside world, but can be built up into a realistic computing environment. That environment might include a full domain name service (DNS), an Internet relay chat (IRC) server, a web server and multiple subnets.

A key element of the Android project, Floren said, is a “spoof” Global Positioning System (GPS). He and his colleagues created simulated GPS data of a smartphone user in an urban environment, an important experiment since smartphones and such key features as Bluetooth and Wi-Fi capabilities are highly location-dependent and thus could easily be controlled and manipulated by rogue actors.

The researchers then fed that data into the GPS input of an Android virtual machine. Software on the virtual machine treats the location data as indistinguishable from real GPS data, which offers researchers a much richer and more accurate emulation environment from which to analyze and study what hackers can do to smartphone networks, Floren said.

This latest development by Sandia cyber researchers represents a significant steppingstone for those hoping to understand and limit the damage from network disruptions due to glitches in software or protocols, natural disasters, acts of terrorism, or other causes. These disruptions can cause significant economic and other losses for individual consumers, companies and governments.

“You can’t defend against something you don’t understand,” Floren said. The larger the scale the better, he said, since more computer nodes offer more data for researchers to observe and study.

The research builds upon the Megatux project that started in 2009, in which Sandia scientists ran a million virtual Linux machines, and on a later project that focused on the Windows operating system, called MegaWin. Sandia researchers created those virtual networks at large scale using real Linux and Windows instances in virtual machines.

The main challenge in studying Android-based machines, the researchers say, is the sheer complexity of the software. Google, which developed the Android operating system, wrote some 14 million lines of code into the software, and the system runs on top of a Linux kernel, which more than doubles the amount of code.

“It’s possible for something to go wrong on the scale of a big wireless network because of a coding mistake in an operating system or an application, and it’s very hard to diagnose and fix,” said Fritz. “You can’t possibly read through 15 million lines of code and understand every possible interaction between all these devices and the network.”

Much of Sandia’s work on virtual computing environments will soon be available for other cyber researchers via open source. Floren and Fritz believe Sandia should continue to work on tools that industry leaders and developers can use to better diagnose and fix problems in computer networks.

“Tools are only useful if they’re used,” said Fritz.

MegaDroid primarily will be useful as a tool to ferret out problems that would manifest themselves when large numbers of smartphones interact, said Keith Vanderveen, manager of Sandia’s Scalable and Secure Systems Research department.

“You could also extend the technology to other platforms besides Android,” said Vanderveen. “Apple’s iOS, for instance, could take advantage of our body of knowledge and the toolkit we’re developing.” He said Sandia also plans to use MegaDroid to explore issues of data protection and data leakage, which he said concern government agencies such as the departments of Defense and Homeland Security.

 

Direct Link:  http://www.sciencedaily.com/releases/2012/10/121002091753.htm

 

Oct 17, 2012

The BlackBerry as Black Sheep

Quick Hide the BlackBerry, It’s Too Uncool

 

The New York Times
by Nicole Perlroth
October 15, 2012

 


 

Rachel Crosby speaks about her BlackBerry phone the way someone might speak of an embarrassing relative.

“I’m ashamed of it,” said Ms. Crosby, a Los Angeles sales representative who said she had stopped pulling out her BlackBerry at cocktail parties and conferences. In meetings, she says she hides her BlackBerry beneath her iPad for fear clients will see it and judge her.

 

“I want to take a bat to it,” Rachel Crosby, of Los Angeles, says of her creaky BlackBerry. “You can’t do anything with it.” J. Emilio Flores for The New York Times

 

The BlackBerry was once proudly carried by the high-powered and the elite, but those who still hold one today say the device has become a magnet for mockery and derision from those with iPhones and the latest Android phones. Research in Motion may still be successful selling BlackBerrys in countries like India and Indonesia, but in the United States the company is clinging to less than 5 percent of the smartphone market — down from a dominating 50 percent just three years ago. The company’s future all depends on a much-delayed new phone coming next year; meanwhile RIM recorded a net loss of $753 million in the first half of the year compared with a profit of more than $1 billion a year earlier.

Among the latest signs of the loss of cachet: One of the first steps Marissa Mayer took as Yahoo’s newly appointed chief executive to remake the company’s stodgy image was to trade in employees’ BlackBerrys for iPhones and Androids. BlackBerrys may still linger in Washington, Wall Street and the legal profession, but in Silicon Valley they are as rare as a necktie.

As the list shrinks of friends who once regularly communicated using BlackBerry’s private messaging service, called BBM, many a BlackBerry owner will not mince words about how they feel about their phone.

“I want to take a bat to it,” Ms. Crosby said, after waiting for her phone’s browser to load for the third minute, only to watch the battery die. “You can’t do anything with it. You’re supposed to, but it’s all a big lie.”

The cultural divide between BlackBerry loyalists and everyone else has only grown more extreme over the last year as companies that previously issued employees BlackBerrys — and only BlackBerrys — have started surrendering to employee demands for iPhones and Android-powered smartphones.

Goldman Sachs recently gave its employees the option to use an iPhone. Covington & Burling, a major law firm, did the same at the urging of associates. Even the White House, which used the BlackBerry for security reasons, recently started supporting the iPhone. (Some staff members suspect that decision was influenced by President Obama, who now prefers his iPad for national security briefings. A spokesman for the White House declined to comment.)

Out in the world, the insults continue. Victoria Gossage, a 28-year-old hedge fund marketer, said she recently attended a work retreat at Piping Rock Club, an upscale country club in Locust Valley, N.Y., and asked the concierge for a phone charger. “First he said, ‘Sure.’ Then he saw my phone and — in this disgusted tone — said, ‘Oh no, no, not for that.’ ”

“You get used to that kind of rejection,” she said.

“BlackBerry users are like Myspace users,” sneers Craig Robert Smith, a Los Angeles musician. “They probably still chat on AOL Instant Messenger.” 

BlackBerry outcasts say that, increasingly, they suffer from shame and public humiliation as they watch their counterparts mingle on social networking apps that are not available to them, take higher-resolution photos, and effortlessly navigate streets — and the Internet — with better GPS and faster browsing. More indignity comes in having to outsource tasks like getting directions, booking travel, making restaurant reservations and looking up sports scores to their exasperated iPhone and Android-carting partners, friends and colleagues.

“I feel absolutely helpless,” said Ms. Gossage. “You’re constantly watching people do all these things on their phones and all I have going for me is my family’s group BBM chats.”

Ryan Hutto, a director at a San Francisco health information company, said he frequently depended on others, often his wife, for music playlists, navigation and sports scores. “After two or three questions, people start to get irritated,” Mr. Hutto said.

 

His wife, Shannon Hutto, says with a sigh: “Anytime we go anywhere, I always have to pull up the map. If we’re searching for a restaurant, I pull up the Yelp app. If we need a reservation, I pull up OpenTable. I kind of feel like his personal assistant.”

 

Still, a few BlackBerry users say they’re sticking with the device, mainly because of the BlackBerry’s efficient, physical keyboard. “I use my BlackBerry by choice,” said Lance Fenton, a 32-year-old investor who frequently travels and needs to send e-mails from the road. “I can’t type e-mails on touch-screen phones.”

Mr. Fenton said he could not wrap his head around iPhone fever. “I constantly ask people, ‘What is so great about it?’ and they have these nonsensical answers,” he said. “Someone told me I’m missing out on some app that maps their ski runs. I ski four days a year. On the road, I don’t need a ski app.”

RIM’s most recent efforts to hold on to loyal customers, as well as software developers building apps for its next generation of phones scheduled to be available next year, have elicited universal cringes. In a recent promotional video, Alec Saunders, RIM’s vice president for developer relations, is shown belting out a rock song titled “Devs, BlackBerry Is Going to Keep on Loving You,” a riff on the 1981 power ballad by REO Speedwagon “Keep on Loving You.”

“This is the sign of a desperate company,” said Nick Mindel, a 26-year-old investment analyst. “Come on, BlackBerry, I always had some faith, but you just lost a customer. Frankly, I don’t think they can afford to lose many more.”

After eight years with a BlackBerry, Mr. Mindel said he just joined the wait list for the iPhone 5. When it arrives, he said, “I’m considering removing my BlackBerry battery, pouring in cement, and using the BlackBerry as an actual paperweight.”

 

Direct Link:  http://www.nytimes.com/2012/10/16/technology/blackberry-becomes-a-source-of-shame-for-users.html?_r=0

Jul 28, 2012

At Defcon, Hackers Show How To Bypass Android Encryption

 

All Things D
by Ina Fried
July 28, 2012

 

 

If you lose your Android phone, your data could find its way into the wrong hands, even if you have encryption turned on.

A pair of security researchers have found an easy way past the encryption on many Android phones.

The method isn’t a flaw in the Linux-based encryption system used in Android itself, but rather the fact that the passwords that protect the encryption tend to be rather weak.

That’s because Android uses the same password to decrypt the data on the phone as is used to unlock the device. People tend to use either short PIN numbers, simple patterns or easy-to-remember words. As a result, the encryption is fairly easily broken through what is known as a brute force attack.

“The encryption is good but you are able to brute force it,” said Thomas Cannon, director of research and development for Chicago-based Viaforensics. Cannon highlighted the issue during a presentation at the Defcon hacker conference on Saturday.

Once unlocked, all the information in the user data partition is easily accessible.

An easy fix, Cannon told AllThingsD, is if Android were to incorporate two passwords–a strong one for decrypting a phone at boot-up and a simpler, easy-to-remember one for unlocking the device.

“You only boot up your phone once in a while,” Cannon said.

Not all Android devices are vulnerable, Cannon said. First of all, Android didn’t even support encrypted data until Android 3.0, so there’s nothing to crack on devices before then — a user’s data is already unencrypted. The technique also relies on either devices without what’s known as an unlocked bootloader or else ones that are easily unlocked.

 

Direct Link:  http://allthingsd.com/20120728/at-defcon-hackers-show-how-to-bypass-android-encryption/