Authentic iOS Apps can be replaced with malware, the US Postal service gets breached & Microsoft has a hot mess of critical patches.

Plus some great feedback, a rocking round-up & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

Masque Attack — authentic iOS apps can be replaced by malware with ease

• Last week we talked about new malware for OS X that infected iOS devices with malicious apps
• Part of the problem seemed to stem from the fact that if a corporation got a certificate from Apple to sign internally developed apps for use by employees, these apps were innately trusted by all iOS devices, even those not part of the corporation who signed the application
• While we suspected this may be a fairly major vulnerability in the architecture of iOS, it turns out was was only the tip of the iceberg
• “In July 2014, FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier”
• This means that the malicious app, signed by a random corporate certificate issued by Apple (supposedly only for internal use), can replace any application on your phone, except those directly from Apple
• “An attacker can leverage this vulnerability both through wireless networks and USB”
• If you install ‘new flappy bird’, or, connect your iOS device to an infected computer, a malicious charging port in some public space, or untrusted wifi, the Twitter app on your device could be replaced with one that steals the credentials for your account and tweets spam, or worse
• “That means the attacker can steal user’s banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly”
• FireEye shared this information with Apple in July, but after the news about the WireLurker malware, which uses a very limited form of this attack (the attackers may not have realized the full extend of what they had discovered), FireEye felt it necessary to go public with the information so customers can take steps to protect themselves
• “As mentioned in our Virus Bulletin 2014 paper “Apple without a shell – iOS under targeted attack”, apps distributed using enterprise provisioning profiles (which we call “EnPublic apps”) aren’t subjected to Apple’s review process. Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring (CVE-2014-1276) and mimic iCloud’s UI to steal the user’s Apple ID and password.”
• “The attacker can also use Masque Attacks to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities, such as the ones used by the Pangu team”

USPS computer networks compromised, telecommuting VPN temporarily shutdown

• Attackers compromised the internal network of the United States Postal Service
• It is not clear how or where the compromise happened, although some information suggestions a call center was compromised, possibly via the VPN
• Possibly compromised information includes: Employee names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment, emergency contact information and other information
• “The intrusion also compromised call center data for customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or e-mail between Jan. 1, 2014, and Aug. 16, 2014. This compromised data consists of names, addresses, telephone numbers, email addresses and other information for those customers who may have provided this information. At this time, we do not believe that potentially affected customers need to take any action as a result of this incident”
• Additional Information
• “VPN was identified as vulnerable to this type of intrusion and will remain unavailable as we work to make modifications to this type of remote access to our networks. When VPN is available again users will notice changes in functionality. We will have additional information about VPN in the near future”
• I wonder if this might have been related to Heartbleed. We have had stories in the recent past about SSL based VPNs that were compromised before they could be upgraded with the heartbleed fix, and then this access was used later on because passwords were not changed
• “Should I change my ACE ID and password, Postal EIN or other postal passwords as a result of this incident?”
• “At this time there is no requirement to change your ACE password or other passwords unless prompted to do so by email prompts from IT as part of the normal password change process. You will be notified if other password changes are required.”
• Having IT email you to ask you to change your password just seems like a really bad idea. This is a great opening for a phishing campaign. If a password change is required, it should be prompted for from a more trustworthy source than email
• After a breach, out of an abundance of caution, all passwords should be changed.

Microsoft releases patch for OLE vulnerability

• As part of this months Patch Tuesday, Microsoft has released an official patch for both OLE vulnerability (specially crafted website, and malicious office document) used in the “Sandworm Team” attacks against NATO and other government agencies that we discussed on episode 185
• This new patch, MS14-064 replaces the patch from October’s Patch Tuesday MS14-060
• Microsoft – November Patch Update Summary
• Microsoft Advisory – MS14-064
• Microsoft Advisory – MS14-070 – Local user remote code execution via vulnerability in Windows TCP/IP stack
• Also included was a cumulative patch for Internet Explorer, however this patch breaks compatibility with EMET (Enhanced Mitigation Experience Toolkit
  ) 5.0, and customers are instructed to upgrade to EMET 5.1 before upgrading IE
• “If you are using Internet Explorer 11, either on Windows 7 or Windows 8.1, and have deployed EMET 5.0, it is particularly important to install EMET 5.1 as compatibility issues were discovered with the November Internet Explorer security update and the EAF+ mitigation”
• “Microsoft also patched a remote code execution vulnerability in Microsoft Secure Channel, or Schannel, a Windows encryption security package used for SSL and TLS connections”
• “MS14-067 is the final bulletin ranked critical by Microsoft. The vulnerability can be exploited by a malicious website designed to invoke Microsoft XML Core Services through IE. MSXML improperly parses XML content, which can then in turn corrupt the system state and enable remote code execution”
• The previous patch for the OLE vulnerability merely marked files that come from the internet as untrusted. However there are a number of ways around this, some of which may already be in use by attackers
• McAfee Labs – Bypassing Microsofts Patch for Sandworm Zero Day
• In addition, the Microsoft ‘workaround’ for the flaw, by marking the file as untrusted, only applies when you try to ‘execute’ a file. If you right click and file and open it for ‘editing’, or open it from within an application, the untrusted flag is never checked
• McAfee also found samples in the wild that ran the untrusted file as administrator, which only pops up the standard ‘run this program as admin?’ prompt (only if UAC is not disabled), and does not show the ‘this file is not trusted’ prompt

• OpenZFS Developer Summit – OpenZFS

Feedback:

• Instant Answer tutorial

• SGID SFTP Uploads
  • This only works on some file systems
  • On FreeBSD, only set-uid on a directory works (sets owner on all newly created files), only if the file system is UFS, only if the file system is mounted with the MNT_SUIDDIR flag, and only if the Kernel is compiled with support for SUIDDIR (not enabled by default)
  • ZFS is working on a feature to force the owner/group on a dataset

• caryhartline comments on Apple Approved Malware

• FreeBSD ZFS – preferred method of auto snapshot
  • ZFSTools
• shared root password or sudo?
  • SUDO Master

Round Up:

• ISPs caught stripping StartTLS flag from servers, causing clients to not be aware that the remote server supports encryption
• FBI’s most wanted cybercriminal used his cat’s name as a password
• Pwn2Own event in Tokyo breaks security on slew of modern mobile devices
• Home Depot attackers also got 53 million customer email addresses. Other details about the attack, original compromise was via stolen 3rd party vendor credentials
• 4 NOAA (National Oceanic and Atmospheric Administration) websites hacked, services including satelite weather and ice data temporarily suspended
• ‘Replay’ attack used to pilfer money from stolen Home Depot credit cards via chip-and-pin system, even though the bank has never issued cards with chips – because banks do not check properly
• German Spy Agency Wants To Buy Zero-Day Vulnerabilities In Order To Undermine SSL Security
• Silk Road 2.0 and other ‘hidden services’ sites may have been decloaked via DDoS, sending huge amounts of traffic and looking for where it ended up
• Retailers ask to be regulated to protect customers, is the government too gridlocked to actually do it?
• BrowserStack a website testing service for developers, has a rather embarassing security breach
• Mozilla’s “Open Standard” interviews Brian Krebs

The post Hackers Go Postal | TechSNAP 188 first appeared on Jupiter Broadcasting.

We’ll push past the distractions and focus on the important events. During an interview this week NSA Whistleblower Russ Tice claims to have held the orders in his hands to wiretap top government officials, today the NSA Admits It Analyzes more people’s data than previously revealed, in what continues to be a series of story changes. We’ll bring you up to date.

Then: Edward Snowden seeks asylum in Russia, while the media runs wild with claims of a secret NSA blueprint.

Plus a follow up on the death of Michael Hastings, your feedback, and much much more.

On this week’s Unfilter.

Direct Download:

Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

Video Feed | MP3 Feed | OGG Feed | HD Torrent | Mobile Torrent | iTunes

Become an Unfilter Supporter:

— Show Notes —

Zimmerman Trial a Distraction?

• Lyons: Race a distraction in Zimmerman trial | Amarillo Globe-News

For the record, that’s where I’m coming from regarding the George Zimmerman-Trayvon Martin murder trial in Florida — a lamentable tragedy of errors marketed as a multimedia morality play on the combustible theme of race. It makes me crazy to see what I call the Mighty MSNBC Art Players and other media figures fictionalize, dissemble and play fast and loose with facts. The case is troubling enough without turning the participants into political symbols.

– Thanks for Supporting Unfilter –

This Week’s New Supporters:

• Tony D
• Michael
• Chris B
• Joseph S
• Todd E
• Jonathan H
• Travis D
• Conrad
• Jason H
• Jacob B

• Thanks to our 138 Unfilter supporters!

• Supporter perk: Downloadable Pre and Post show. Extra clips, music, hijinks, and off the cuff comments. The ultimate Unfiltered experience.

Latest Leaks

• NSA Blackmailing Obama? | Interview with Whistleblower Russ Tice – YouTube

Abby Martin talks to Russell Tice, former intelligence analyst and original NSA whistleblower, about how the recent NSA scandal is only scratches the surface of a massive surveillance apparatus, citing specific targets the he saw spying orders for including former senators Hilary Clinton and Barack Obama.

• The NSA Admits It Analyzes More People’s Data Than Previously Revealed

But Inglis’ statement was new. Analysts look “two or three hops” from terror suspects when evaluating terror activity, Inglis revealed. Previously, the limit of how surveillance was extended had been described as two hops. This meant that if the NSA were following a phone metadata or web trail from a terror suspect, it could also look at the calls from the people that suspect has spoken with—one hop. And then, the calls that second person had also spoken with—two hops. Terror suspect to person two to person three. Two hops. And now: A third hop.

For a sense of scale, researchers at the University of Milan found in 2011 that everyone on the Internet was, on average, 4.74 steps away from anyone else. The NSA explores relationships up to three of those steps. (See our conversation with the ACLU’s Alex Abdo on this.)

• NSA Sued By Unusual Coalition Of Gun Rights And Environmental Activists Over ‘Dragnet Surveillance’

Plaintiffs include: GreenPeace, Human Rights Watch and the National Organization for the Reform of Marijuana Laws. CalGuns, which lobbies against more restrictive gun laws, and one California gun manufacturer, Franklin Armory, have also joined the case, as have religious groups including the Council on American-Islamic Relations.

The suit was brought by the Electronic Frontier Foundation, a digital rights advocacy group and law firm. It asserts that the NSA’s “dragnet surveillance” – which extends to millions of Americans – is illegal and unconstitutional.

Other organizations, including the American Civil Liberties Union, have also recently sued the NSA in response to leaked information on its surveillance programs. This most recent case is especially notable in that it represents a broad coalition of groups that often don’t have much use for each other.

• Report: Postal Service uses “spying” programs similar to NSA – CBS News

Approximately 160 billion envelopes, packages and postcards were photographed by the United States Postal Service last year, reports The New York Times.

• ACLU reveals docs of mass license plate reader surveillance

The American Civil Liberties Union has released documents confirming that police license plate readers capture vast amounts of data on innocent people, and in many instances this intelligence is kept forever.

According to documents obtained through a number of Freedom of
Information Act requests filed by ACLU offices across the United
States, law enforcement agencies are tracking the whereabouts of
innocent persons en masse by utilizing a still up-and-coming
technology.

In some jurisdictions, that information is then held forever.
FOIA requests obtained by the ACLU estimated that authorities in
Jersey City, New Jersey have accumulated 10 million license plate
records as of last year — in a town of only 250,000 — because
retention policies allow officials to keep that data for five
years. In Milpitas, California — a town with roughly four times
the population — has no retention policy and has picked up around
4.7 million plates.

• Millions of US license plates tracked and stored, new ACLU report finds | Law | guardian.co.uk

Some authorities such as Minnesota State Patrol delete all their scanned records after 48 hours. Others are much looser in their regulations, such as the town of Milpitas in California, population 67,000, which stores almost 5m plate reads with no time limits at all.

• NJ Congressman Rush Holt Is Attempting To Repeal The Patriot Act And FISA Amendments Act | Techdirt

Soon, I will introduce legislation that would repeal the laws that brought us our current “surveillance state”: the Patriot Act and the FISA Amendments Act. My bill would restore the probable cause-based warrant requirement for any surveillance against an American citizen being proposed on the basis of an alleged threat to the nation.

Where in the World is Snowden

• Edward Snowden requests temporary asylum in Russia in compromise

WikiLeaks, which has been advising Snowden, announced his application in a tweet: “Edward Snowden today has filed for a temporary protection visa with Russia’s ministry of immigration.”

• NSA leaker Snowden has asked for asylum in Russia, lawyer says

National Security Agency leaker Edward Snowden on Tuesday submitted a request for temporary asylum in Russia, his lawyer said.

Anatoly Kucherena, a lawyer who is a member of the Public Chamber, a Kremlin advisory body, said that Snowden submitted the asylum request to Russia’s Federal Migration Service. The service had no immediate comment.

Kucherena told The Associated Press that he met Snowden in the transit zone of Moscow’s Sheremetyevo airport and Snowden made the request after the meeting.

• Glenn Greenwald: Edward Snowden has NSA ‘blueprints’

“In order to take documents with him that proved that what he was saying was true he had to take ones that included very sensitive, detailed blueprints of how the NSA does what they do,” Greenwald said in Brazil, adding that the interview was taking place about four hours after his last interaction with Snowden.

• Email exchange between Edward Snowden and former GOP Senator Gordon Humphrey | Glenn Greenwald | Comment is free | guardian.co.uk

Former two-term GOP Senator Gordon Humphrey of New Hampshire emailed Edward Snowden

Michael Hastings Cremated Without Family Consent:

• Investigation into Michael Hastings accident continues

Hastings’ friend and confidant SSgt. Joe Biggs disclosed a macabre twist in the award-winning journalist’s death in a suspicious single-car accident. According to SSgt. Biggs, “Michael Hastings’ body was returned to Vermont in an urn.”

Feedback:

Bitmessage Address: BM-GuQ4gqmBeW8CYpSo3Htg2pBrBdHbvpe7

• Bitmessage for Unfilter?

• Gun Rights more Important than Ever?

• Timeline of Ed’s chat with der Spiegel

If you’re a Supporter check your inbox!

Call us: 1.425.312.1756

Follow the Us:

• Unfilter on Reddit
• Chris on Twitter
• Chase’s Geek and Gaming Network
• Chase’s Indiegogo Campaign

The post The Zimmerman Distraction | Unfilter 59 first appeared on Jupiter Broadcasting.