Security
Security firm finds hacker forums offer n00b hackers training, lulz
Written by Akuma Tuesday, 18 October 2011 15:47
IT security experts have long loved to troll through hacker forums to gather intelligence on emerging threats and even (as in the ill-fated case of HBGary Federal CEO Aaron Barr) try to profile the hackers themselves. But as a report from IT security firm Imperva shows, many of the so-called hacker portals out there are more hangouts for newbie hackers (and possibly a few budding FBI informants) looking at how to get started in the game.
Impressed by FBI trojan, Germans write their own—and national scandal ensues
Written by Akuma Friday, 14 October 2011 09:11
It has been pretty chaotic in German Chancellor Angela Merkel's cabinet ever since the Chaos Computer Club dumped some alarming technology news in her lap. Turns out that the German government's "lawful interception" application, supposedly designed only to monitor IP telephone calls, is just a little more powerful than the police let on.
Berlin-based CCC released its analysis of Germany's "Quellen-TKÜ" ("source wiretapping") trojan on Saturday. The results weren't pretty. Despite a constitutional court ban on the use of malware to crack PCs, the state-sanctioned malware's makers didn't even bother to add technical barriers ensuring that the code would only be used for tapping Internet telephone conversations.
iOS 5 now protects against DigiNotar, MD5-signed certs
Written by Akuma Wednesday, 12 October 2011 16:45
iOS 5, still slowly rolling out to users after its launch on Wednesday, not only brings new features—it also brings a number of important security fixes for iPhone, iPad, and iPod touch users. The update removes trust for any and all security certificates from hacked certificate authority DigiNotar, drops support for certs with MD5 hashes, and updates TLS to version 1.2 to improve security of SSL connections.
Dutch certificate authority DigiNotar was hacked in July by a hacker calling himself ComodoHacker, who used DigiNotar's servers to generate hundreds of fraudulent security certificates. Though the company had believed that it had deleted all of them from its servers, the company ended up missing at least one certificate. That particular certificate allowed the hacker to put his servers between Gmail users and Google's Gmail servers in order to intercept e-mail from a number of Iranian citizens.
Once news of the hack spread, Mozilla, Google, Microsoft, and others issued patches that blacklisted all DigiNotar certs. Effectively, any server using a cert from DigiNotar would not be trusted. Apple took almost two weeks to issue a patch for Mac OS X, and it wasn't until today's iOS 5 update that iPhone, iPad, and iPod touch users received a similar patch.
According to Apple, the DigiNotar issue "is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted."
iOS 5 also adds two additional improvements to data security. Apple has removed support for X.509 certs signed using the MD5 hash algorithm, which has some known vulnerabilities. It also updates the TLS protocol to version 1.2, which addresses a potential man-in-the-middle attack when using otherwise trusted SSL connections.
Additionally, iOS 5 includes a number of patches for buffer overflows and other potential exploits in libxml, ImageIO, Unicode support, WebKit, and more. Full details are posted on Apple's website.
Get hacked, don't tell: drone base didn't report virus
Written by Akuma Tuesday, 11 October 2011 14:53
Researchers hack crypto on RFID smart cards used for keyless entry and transit pass
Written by Akuma Tuesday, 11 October 2011 12:52
Researchers at a German university have published a paper detailing a security exploit of the Mifare DESfire MF3ICD40, a widely used RFID smart card. The exploit, which uses an approach previously used to break other wireless crypto systems, demonstrates that even the relatively strong encryption algorithms used in "touchless" smart cards can be broken with a small investment of time and equipment—exposing the shared crypto key and the data stored on them.
The exploit was revealed by researchers David Oswald and Christof Paar at the recent Workshop on Cryptographic Hardware and Embedded Systems (CHES) in Nara, Japan. The attack uses a templated “side-channel” attack on the card's crypto, an approach first described in a paper by Suresh Chari, Josyula Rao, and Pankaj Rohatgi of IBM's Watson Research Center in 2002. It requires the attacker to have the card itself, an RFID reader, and a radio probe. Using differential power analysis, data is collected from radio frequency energy that leaks out of the card (its “side channels”). Through this process, Oswald and Paar were able to retrieve the entire 112-bit secret key from the MF3ICD40, which uses Triple DES encryption.
Computer virus hits US Predator and Reaper drone fleet
Written by Akuma Friday, 07 October 2011 11:40
Diebold voting machines vulnerable to remote tampering via man-in-the-middle attack
Written by Akuma Wednesday, 28 September 2011 07:54
Researchers at the Department of Energy's Argonne National Laboratory have demonstrated an electronic "man in the middle" attack that allows remote tampering with the Diebold AccuVote voting system. Argonne's Vulnerability Assessment Team previously exposed the same sort of vulnerability in Sequoia AVC machines in 2009, and believes the attack could be used against a wide range of voting machines.
The attack requires tampering with voting machine hardware, and allows for votes to be changed as the voter prepares to commit them. But the devices require no actual changes to the hardware—the hardware required to make the attacks can be attached and removed without leaving any evidence that it had ever been there. The electronics in the demonstrated attack are simply jacked in between two components on the Diebold's printed circuit board using existing connectors.
VAT team leader Roger Johnston said in a video posted by Brad Friedman of the voting watchdog site The Brad Blog that the physical security measures taken to protect voting machines in many states are inadequate to protect them from pre-Election Day tampering. "They're often kept a week or two before elections in a school or church basement," Johnston said. And the modifications can be made without picking locks or breaking seals on the devices.
Diebold has a shaky security history. In 2004, Johns Hopkins University computer science professor Avi Rubin and a team of researchers revealed a broad set of cyber vulnerabilities in the AccuVote system. In the past, there have been suggestions that Diebold itself tampered with elections in Georgia in 2002.
But while cyber attacks would require a high level of sophistication, the electronic man-in-the-middle attack demonstrated by Argonne's VAT team requires only basic electronics skills, and about $10.50 worth of hardware. "Anybody with an electronics workbench could put this together," Argonne VAT team member John Warner said in the video.
Hackers turn MySQL.com into malware launchpad
Written by Akuma Monday, 26 September 2011 15:53
As if the MySQL community doesn't have enough to worry about, a security firm is reporting that the MySQL.com website has been commandeered by hackers. And recent visitors to the MySQL.com website may have downloaded something other than the database software to their systems.
Web security firm Armorize reported in its blog today that the MySQL.com website has been turned into a launchpad for serving up malware attacks. Visitors to the home page of the site are hit with a JavaScript injection attack that has been planted on the site. The script opens an IFRAME to a malicious site, which in turn launches a BlackHole exploit "pack" that probes for known browser and plugin weaknesses and then stealthily installs malware on the visitor's PC. There's no warning button or action required by the user other than visiting the site to trigger the download.
Security blogger Brian Krebs reports that he had seen a post last week on a Russian hacker forum by a member offering to sell root access to MySQL.com for $3,000. The site is owned by Oracle.
Mac trojan pretends to be Flash Player Installer to get in the door
Written by Akuma Monday, 26 September 2011 13:47
Hot on the heels of last week's Mac malware posing as a PDF is a new piece of malware posing as something even more insidious: a Flash player installer. Security firm Intego was the first to post about the new malware on its blog, noting that although the company has only received one report so far from a user who downloaded it, the malware does exist in the wild and may trick Mac users who don't yet have Flash installed.
The malware in question is a trojan horse called Flashback (OSX/flashback.A); users may end up acquiring it by clicking a link on a malicious website to download or install Flash player. If those users also have their Safari settings to automatically open safe files (which .pkg and .mpkg files are considered to be), an installer will show up on their desktops as if they are legitimately installing Flash.
Continuing through the installation process will result in the trojan deactivating certain types of security software (Intego specifically noted that the popular Little Snitch would be affected) and installing a dynamic loader library (dyld) that can auto-launch, "allowing it to inject code into applications the user launched." The trojan then reports back to a remote server about the user's MAC address and allows the server to detect whether the Mac in question has been infected or not.
The threat is currently marked as "low," but Mac users are advised to follow safe security practices—don't open files or attachments that you don't remember downloading, and turn off Safari's setting for opening safe files automatically. It's also worth noting that Apple now updates its malware definition file on a daily basis, and has already updated it to address the PDF trojan discussed last week. If you haven't already scoured the Internet for a malicious version of the Flash installer, then it's likely Apple will have added the new malware to the file by the time you run into it.