iPhones vulnerable to 9 year old SSL sniffing attack

• A nine year old bug discovered and disclosed by Moxie Marlinspike in 2002 allows attackers to decrypt intercepted SSL sessions. Moxie Marlinspike released a newer, easier to use version of the tool on monday, to coincide with Apple finally patching the flaw on iPhone and other iOS devices.
• Any unpatched iOS device can have all of it’s SSL traffic trivially intercepted and decrypted
• This means anyone with this new easy to use tool sitting near a wifi hotspot, can intercept encrypted login information (gmail, facebook), banking credentials, e-commerce transactions, or anything else people do from their phone.
• The bug was in the way iOS interpreted the certificate chain. Apple failed to respect the ‘basicConstraint’ parameter, allowing an attacker to sign a certificate for any domain with an existing valid certificate, a condition normally prevented by the constraint.
• There are no known flaws in SSL it self, in this case, the attacker could perform a man-in-the-middle attack, by feeding the improperly signed certificate to the iPhone which would have accepted it, and used the attackers key to encrypt the data.
• Patch is out with a support doc and direct download links

Apple Notebook batteries vulnerable to firmware hack

• After analyzing a battery firmware update that Apple pushed in 2009, researchers found that all patched batteries, and all batteries manufactured since, use the same password
• With this password, it is possible to control the firmware on the battery
• This means that an attacker can remotely brick your Macbook, or cause the battery to overheat and possibly even explode
• The attacker can also falsify the data returned to the OS from the battery, causing odd system behaviour
• The attacker could also completely replace the Apple firmware, with one designed to silently infect the machine with malware. Even if the malware is removed, the battery would be able to reinfect the machine, even after a complete OS wipe and reinstall.
• Further research will be presented at this years Black Hat Security Conference
• In the meantime, researchers have notified Apple of the vulnerability, and have created a utility that generates a completely random password for your Mac’s battery.
  Additional Link

Facebook fixes glitch that let you see private video information

• A glitch in facebook allowed you to see the thumbnail preview and description of private videos posted by other users, even when they were not shared with you.
• It was not possible to view the actual videos

Google was quick to shutdown Webmaster Tools after vulnerability found

• Using the google webmaster tools, users were able to remove websites that did not belong to them from the Google Index
• By simply modifying the query string of a valid request to remove your own site from the google index, and changing one of the two references to the target url, you were able to remove an arbitrary site from the google index
• The issue was resolved within 7 hours of being reported to Google
• Google restored sites that were improperly removed from its index.

Researchers find vulnerablity in Skype

• Inproper input validation and output sanitation allowed attackers to inject code into their skype profile
• By entering html and java script in to the ‘mobile phone’ section of your profile, anyone who had you on their friends list would execute the injected code.
• This vulnerability could have allowed attackers to high your session, steal your account, capture your payment data, and change your password

Feedback

Q: (Sargoreth) I downloaded eclipse, and I didn’t bother to verify the md5 hash they publish on the download page, how big a security risk is this?
A: Downloadable software often has an MD5 hash published along with the downloadable file, as a measure to allow you to ensure that the file you downloaded is valid. Checking the downloaded file against this hash can ensure that the file was not corrupted during transfer. However it is not a strong enough indicator that the file has not been tampered with. If the file was modified, the MD5 hash could just as easily have been updated along with it. In order to be sure that the file has not been tampered with, you need a hash that is provided out of band, from a trusted source (The FreeBSD Ports tree comes with the SHA256 hashs of all files, which are then verified once they are downloaded). SHA256 is much more secure, as MD5 has been defeated a number of times, with attackers able to craft two files with matching hashes. SHA-1 is no longer considered secure enough for cryptographic purposes. It should also be noted that SHA-512 is actually faster to calculate than SHA256 on 64bit hardware, however it is not as widely supported yet. The ultimate solution for ensuring the integrity of downloadable files is a GPG signature, verified against a trusted public key. Many package managers (such as yum) take this approach, and some websites offer a .asc file for verification. A number of projects have stopped publishing the GPG signatures because the proportion of users who checked the signature was too low to justify the additional effort. Some open source projects have had backdoors injected in to their downloadable archives on official mirrors, such as the UnrealIRCd project.

Q: (Christoper) I have a windows 7 laptop, and a Ubuntu desktop, what would be a cheap and easy way to share files between them?
A: The easiest and most secure way, is to enable SSH on the ubuntu machine, and then use an SFTP client like FileZilla (For Windows, Mac and Linux), and then just login to your ubuntu machine using your ubuntu username/password. Alternatively, If you have shared a folder on your windows machine, you should be be able to browse to it from the Nautilus file browser in Ubuntu. Optionally, you can also install Samba, to allow your Ubuntu machine to share files with windows, it will appear as if it were another windows machine in your windows ‘network neighbourhood’.

Q: (Chad) I have a network of CentOS servers, and a central NFS/NIS server, however we are considering adding a FreeNAS box to provide ZFS. I need to be able to provide consistent centralized permissions control on this new file system. I don’t want to have to manually recreate the users on the FreeNAS box. Should I switch to LDAP?
A: FreeNAS is based on FreeBSD, so it has a native NIS client you can use (ypbind) to connect to your existing NIS system. This would allow the same users/groups to exist across your heterogeneous network. You may need to modify the /etc/nsswitch.conf file to configure the order local files and NIS are checked in, and set your NIS domain in /etc/rc.conf. Optionally, you could use LDAP, again, adding some additional parameters to nsswitch.conf and configuring LDAP. If you decide to use LDAP, I would recommend switching your CentOS machines to using LDAP as well, allowing you to again maintain a single system for both Linux and BSD, instead of maintaining separate account databases. If you are worried about performance, you might consider setting the BSD machine up as an NIS slave, so that it maintains a local copy of the NIS database. The FreeBSD NIS server is called ypserv. You can find out more about configuring NIS on FreeBSD here

Bitcoin Blaster

• Allan’s Bitcoin mining rig mined it’s 36th bitcoin today
• Research shows Bitcoin may be less anonymous than initially though
• Buy Humble Bundle 3 with Bitcoins!
• Why We Are No Longer Accepting Dwolla « TradeHill

Roundup

• Do It Yourself Dropbox Alternatives
• Attackers steal 8GB of data from the Italian Cybercrime unit
• Build your own 135 Terabyte storage server for under $8000
• Anonymous claims to have 1GB of stolen data from NATO and plans to release it
• Google is now actively warning users who it detects are infected with malware, especially attempts to hijack their search results
• The US Department of Defense lost 24k files via a compromised contractor
• Australian ISP’s Wireless Routers setup second hidden unprotected WiFi network