Go Directly to Fail | TechSNAP 151

Posted on: February 27, 2014

Posted in: Featured, TechSNAP, Video

Comment on This Video

Share This Video

Embed This Video

Go Directly to Fail | TechSNAP 151

We’ll break down Apple’s major SSL flaw, and what it says about Apple’s general security posture, then the Zeus trojan evolves…

Plus an awesome batch of your questions, our answers.

On this week’s episode of, TechSNAP.

Thanks to:


\"GoDaddy\"

\"Ting\"

\"iXsystems\"

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Apple fixes certificate validation flaw in iOS and OS X

  • The flaw in the certificate verification step allowed an attacker to sign a certificate with any private key, or no key at all, and the certificate would still be accepted by the device
  • This means an attacker could trivially perform a man-in-the-middle (MitM) attack, and intercept all traffic between you and a secure destination
  • This would allow an attack to get your email passwords, logins for services like facebook and twitter, and compromise your online banking account
  • A MitM attack is what TLS/SSL are designed to prevent
  • A MitM is trivial to perform if you can trick a user into connecting to a WiFi access point you control, say at a coffee shop or other public space
  • The flaw is also present in Mac OS X and fixed in 10.9.2 (Released Feb 25th, 4 days after the iOS update)
  • The issue is caused by a duplicate ‘goto’ statement. The first is inside the if structure (with implied curly braces), but the 2nd is unconditional, causing the goto fail to happen in every case
  • It is unclear how long Apple has known about the flaw, but the CVE for the bug was reserved on January 8th
  • diff between Mac OS X 10.8.5 and 10.9 showing the addition of the errant goto
  • OS X 10.9.2 also fixes an issue with cURL, where the TLS/SSL verification code did not check the hostname again the certificate if the URL was an IP address
  • Hacker News thread
  • More analysis
  • Why were there gotos in apple software in the first place?
  • Apple Announcement

University of Maryland ID card system breached

  • 309,079 of the students, faculty, and staff of the University of Maryland College Park and Shady Grove campuses have had their personal information exposed in an attack against the ID card system
  • The breach occurred about 04:00 February 18th
  • An attacker was able to get access to the ID card database that holds information on all card holders dating back to 1998
  • The data includes full name, SSN, birth date and University ID number
  • Brian Voss, CIO of U Md., said “what most concerns him is the sophistication of the attack: The hacker or hackers must have had a “very significant understanding” of how the school’s data are designed and protected”
  • Voss claims that this was not a case of a ‘door left open’, that the attackers had to ‘pick through multiple locks’
  • It will be interesting to see if details of the attack are published
  • Related: The total cost of unmasked data

New Zeus trojan variant targets SalesForce.com

  • “The Adallom Labs team recently discovered an unusual variant of the Zeus trojan that targets Salesforce users. We’ve been internally referring to this type of attack as “landmining”, since the attackers laid “landmines” on unmanaged devices used by employees to access company resources. The attackers, now bypassing traditional security measures, wait for the user to connect to *.my.salesforce.com in order to exfiltrate company data from the user’s Salesforce instance.”
  • We have covered the Zeus trojan before, it is a sophisticated malware used to steal online banking credentials and perform transactions, even in the face of two-factor authentication schemes by performing ‘man-in-the-browser’ attacks
  • This attack does not exploit a vulnerability of SalesForce, it is just taking over the user’s device used to access the site, in order to steal data from the site once logged in
  • This attack seems to be a totally new kind of attack, not described by any existing Common Attack Pattern Enumeration and Classification (CAPEC) pattern.
  • When the Adallom security system detected an employee accessing a large number of records in a short period of time, it triggered an ‘insider thread’ alert. This alert is fairly common and is usually related to a sales agent downloading their entire rolodex, sometimes in preparation for leaving the company
  • When corporate security integrated the employee in question, they claimed no knowledge of the bulk download
  • The employees laptop was scanned and found to be clean
  • Further investigation lead to the employees home PC, which was running outdated windows XP, an unpatched version of Internet Explorer, and an expired virus scanner
  • The machine was infected with various bits of malware, but specifically, a modified version of the Zeus Trojan (win32/ZBot)
  • The interesting part is that the Trojan targets *.my.salesforce.com instead of banking sites
  • The attack also leveraged devices not controlled by corporate security
  • This highlights the risks involved with BYOD and allowing employees to use their home computers to access corporate applications, especially SaaS applications

Feedback:

Round Up:

Question? Comments? Contact us here!