Archive for February, 2008

iPhone DoS vulnerability

With the large number of web applications for the iPhone (Apple lists more than 600), the Mobile Safari browser plays a large role. Recently a Denial of Service (DoS) vulnerability was discovered in the iPhone’s web browser.

The researchers who found the vulnerability were looking for a method to unlock the filesystem on iPhones running the latest firmware (1.1.3). Unlocking the filesystem allows custom ringtones and third-party applications to be installed. With the previous firmware version you could unlock your iPhone automatically by visiting a particular website with the Mobile Safari browser.

The DoS exploit can be triggered by visiting the proof of concept page and clicking on one button.

Figure 1
Fig 1 - Clicking “Go!” launches the exploit

Once it’s clicked a warning will pop up and the exploit code will run.

Figure 2
Fig 2 - The proof-of-concept site displays a warning

The iPhone then becomes unresponsive: touching the screen or pressing the Home button has no effect. Under a minute later, the iPhone reboots.

The DoS exploit is partially based on JavaScript code from the Month of Browser Bugs (MOBB). During the MOBB, which we’ve covered previously, a group of security researchers released an exploit for a web browser vulnerability every single day. While the original exploit targeted desktop browsers, the modified version simply attempts to exhaust memory and crash the phone.

Fortunately, the researchers have not produced a more troublesome exploit, whether for lack of time or of inclination. The bug only prevents you from using the iPhone temporarily; it doesn’t steal your data or permanently damage the phone.

While the proof of concept site requires you to press “Go!” before it runs the exploit, a more malicious site could run the code without permission.

It’s possible to avoid the DoS vulnerability, at the cost of losing access to certain web applications: JavaScript can be disabled under Home > Settings > Safari.

Figure 3
Fig 3 - Changing Mobile Safari settings

Apple also provides details on other settings (cookies, plug-ins, cache) that can be changed.

Can I own your wireless network?

If you are running WPA Enterprise with PEAP or EAP-TTLS, it’s about time you took a serious look at your client configuration! This weekend at ShmooCon in Washington, D.C., Josh Wright and I gave a presentation that demonstrated how a very common but incorrect client supplicant configuration can lead to the compromise of certain wireless networks and, in some cases, provide Windows domain access.

Our AP impersonation attack on PEAP and EAP-TTLS relies on the client failing to properly validate the authentication server’s (RADIUS) TLS certificate. By default, the Windows Zero Configuration (WZC) wireless supplicant performs this validation by putting the trust decision in the user’s hands: on connecting to the wireless network, WZC prompts the user to either continue or cancel (similar to the way your web browser prompts you when accessing certain websites over HTTPS). Furthermore, the user may be misled by this message, as it only contains the signing authority’s name (e.g. VeriSign) rather than the actual certificate name.

The severity of this issue is further escalated when the client is configured not to validate the server certificate at all. Unfortunately, this is the most common configuration I’ve seen used within organizations. It should be noted that because this is a configuration-related attack, WZC is not the only vulnerable client supplicant. OS X’s client, Juniper’s Odyssey Client, and virtually every other wireless supplicant is vulnerable as well.

In either of these scenarios, FreeRADIUS-WPE (our modified version of the open source RADIUS server) can be used to gain access to the inner authentication credentials passed in the TLS tunnel established between the client and the authentication server. These weak inner authentication protocols (e.g. PAP, MSCHAPv1, MSCHAPv2) rely on the outer TLS tunnel for protection, so once the client has handed that tunnel to an impostor they are greatly exposed to attack. In some cases (PAP) the protocol reveals the client’s username and password in clear text; in others (MSCHAPv2) the captured challenge/response must be brute-forced. Due to Active Directory integration, these credentials may also be those used for domain authentication.

Finally, because this is a client-side issue, clients may be attacked in coffee shops, airports and other locations well outside the vicinity of the corporate wireless network.

When using WZC or other supplicants, you’ll want to make sure that the client strictly validates the server certificate: only trust certificates issued by the expected signing authority and matching the hostname of the RADIUS server. An example of the WZC configuration is below. This is also covered in Microsoft knowledge base article KB941123. For additional information on protecting yourself from this and other attacks, please see my 802.11 attacks whitepaper on Foundstone.com!

Windows Zero Configuration
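The same mistake is easy to make in wpa_supplicant, the supplicant on most Linux clients. The script below is an added example (not code from the talk, from FreeRADIUS-WPE, or from the original post): it parses the network blocks of a wpa_supplicant.conf and flags PEAP/EAP-TTLS entries that either pin no CA at all, or pin a CA but never check the server’s name, and then reports how exposed the inner method is in each case. The config text inside it is constructed for the example; the SSIDs, CA path, RADIUS host name and credentials are assumptions, and the option names are current wpa_supplicant ones (subject_match being the one available on older builds).

```python
"""Audit wpa_supplicant.conf network blocks for the PEAP / EAP-TTLS
server-certificate checks discussed above. Added example, not code from the
talk or from FreeRADIUS-WPE. The config text is constructed; the CA path,
RADIUS host name and credentials in it are assumptions."""
import re

SAMPLE_CONF = """
# Weak: no ca_cert at all, so any RADIUS certificate is accepted.
network={
    ssid="corp-wifi-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# Still weak: a CA is pinned, but any certificate that CA ever issued is accepted.
network={
    ssid="corp-wifi-ca-only"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    phase2="auth=PAP"
}

# Hardened: pinned CA plus a name check on the RADIUS server certificate.
network={
    ssid="corp-wifi-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

TUNNELED_EAP = {"PEAP", "TTLS"}
# Any one of these ties the trust to a specific server name, not just a CA.
NAME_CHECKS = ("subject_match", "altsubject_match", "domain_suffix_match", "domain_match")


def parse_networks(text):
    """Return one dict of key=value parameters per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        params = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                params[key.strip()] = value.strip().strip('"')
        networks.append(params)
    return networks


def audit_network(params):
    """Findings for one network block; an empty list means nothing to report."""
    eap = params.get("eap", "").upper()
    if eap not in TUNNELED_EAP:
        return []  # EAP-TLS and friends are outside the scope of this check
    findings = []
    if "ca_cert" not in params:
        findings.append("no ca_cert: any server certificate is accepted, "
                        "so a rogue AP running FreeRADIUS-WPE terminates the tunnel")
    if not any(k in params for k in NAME_CHECKS):
        findings.append("no server-name check: any certificate issued by the trusted CA "
                        "(or, with no ca_cert, by anyone) is accepted")
    if findings:
        # Only once the outer tunnel can be impersonated does the inner method matter.
        inner = params.get("phase2", "").upper()
        if "AUTH=PAP" in inner:
            findings.append("inner PAP: username and password are exposed in clear text")
        elif "MSCHAP" in inner:
            findings.append("inner MSCHAP: challenge/response is exposed to offline brute force")
    return findings


def audit(text):
    """Map each SSID in the config text to its list of findings."""
    return {n.get("ssid", "<no ssid>"): audit_network(n) for n in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(ssid, "->", "OK" if not findings else "; ".join(findings))
```

Run against the embedded sample, only the third block comes back clean; the second shows why pinning a CA alone is not enough when that CA (a public one, say) will sell a certificate to anyone.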

The Release of Sage 3 - The Globalization of Malware

Today at Avert Labs we released the third edition of Sage, our security journal. As always, we strive to be a bit different with our content in Sage: a little provocative, new trends, new ideas. And this issue is no different.

In this issue we look at the growing trend of localization in malware and threats. Cybercriminals are increasingly crafting attacks in multiple languages and are exploiting popular local applications to maximize their profits. Cybercrooks have become extremely deft at learning the nuances of the local regions and creating malware specific to each country. They’re not just skilled at computer programming—they’re skilled at psychology and linguistics, too.

We examined global malware trends in this report, titled “One Internet, Many Worlds.” The report is based on data compiled by our international security experts and examines the globalization of threats and the unique threats in different countries and regions. In the report, we detail the following trends and conclusions:

• Sophisticated malware authors have increased country-, language-, company-, and software-specific attacks
• Cyberattackers are increasingly attuned to cultural differences and tailor social engineering attacks accordingly
• Cybercrime rings recruit malware writers in countries with high unemployment and high levels of education such as Russia and China
• Cybercriminals take advantage of countries where law enforcement is lax
• Around the world, malware authors are exploiting the viral nature of Web 2.0 and peer-to-peer networks
• More exploits than ever before are targeted at locally popular software and applications

Download Sage 3

Caught by CAFF?

Since yesterday we have been tracking heavy spamming of fraudulent emails aimed at Italian citizens. The recipient is notified of being the subject of an investigation by a fictitious Italian investigation task force named “CAFF”, supposedly an acronym for “Comando AntiFrode”. The email urges the recipient to check the list of people under investigation by the CAFF (which, again, does not exist, but sounds real enough), conveniently located on an external website. On this website, the user is tricked into clicking a link to view the list. If the user’s security settings are low, the site tries to install its malware without further user intervention. The “list”, of course, is a lovely piece of malware, which we detect as W32/Caffer@MM.

While the malware in this run is nothing particularly new, it is interesting to note the high quality of the localized social engineering: we’re afraid this “quality content” may have tricked numerous local users into visiting the malicious website and then downloading and executing the linked malware. The language used in the email is carefully chosen, as is the layout of the website, which leads an unsuspecting user to conclude that the webpage is legitimate. Avert Labs is also assisting the Italian authorities in this matter.

W32/Caffer@MM spreads through some of the most complete social engineering attempts we've seen in a while.

To be better prepared and educated against these kinds of threats, our readers may also want to download the latest issue of our Sage magazine, released today, which covers localized threats. Grab a fresh copy now here!

Logging off now,

Paolo

Botnet Bust in Canada

Good news on the botnet-busting front comes to us from Canada! Yesterday 17 people aged 17 to 26 were arrested on charges stemming from alleged botnet-related activities, which resulted in $45 million in damages.

Evidently this is the first time a hacking network has been dismantled in Canada (and the first time I recall hearing of a woman being arrested in connection with botnet activities). Over the two years the network was under investigation, it took control of up to a million computers. Given the number of computers hijacked, the amount of the damages, and the number of people connected to this crime, this is a very impressive win for the Quebec police.

The maximum sentence for the charges is 10 years in jail; it will be interesting to see how much jail time this means for those found guilty. When the 15-year-old Canadian who called himself “Mafiaboy” was arrested for DDoS attacks against several major websites in 2000, he was sentenced to only 8 months in jail, despite being found to have caused millions of dollars worth of damage. The people charged as part of this network may have begun their criminal activities at the same age as Mafiaboy, as the initial investigation goes back to the summer of 2006. However, the trend has been towards longer sentences for people convicted of cybercrime, so they may not get off as lightly as Mafiaboy did.

The two primary differences that will figure into the sentencing, as I see it, are that the hacking network did this as a money-making enterprise, and that this was done over a long span of time. Arguably, Mafiaboy’s actions could be explained away as a moment of youthful indiscretion. These people allegedly profited from these crimes over the course of two years.

This makes me wonder how much of the total damage amount they actually took home, versus the cost of cleaning up infected machines, the cost of downtime and lost productivity. I sincerely doubt that these kids’ friends and family wouldn’t have noticed an influx of almost $3 million apiece in such a short span of time.

All in all, this is an impressive step in the direction of making legal action a real deterrent for kids who would consider taking up cybercrime.

Windows Mobile trojan sends unauthorized information and leaves device vulnerable

A Windows Mobile PocketPC trojan that disables Windows Mobile’s application installation security has been discovered in China.

WinCE/InfoJack sends the infected device’s serial number, operating system version and other information to the author of the trojan. It also leaves the infected device vulnerable by allowing silent installation of malware: the trojan modifies the device’s security settings so that unsigned applications can be installed without a warning.

The trojan was packed inside a number of legitimate installation files and distributed widely. It has been distributed with Google Maps, stock-trading applications, and a collection of games.

Figure 1
The trojan is installed with a collection of legitimate games.

WinCE/InfoJack was created for a specific website, which may have hired someone to write the trojan and distribute it to other sites. The maintainer of the website claims the software was only needed to collect information on the types of mobile devices used to access the site. That would be easier to believe if they had notified users prior to installation or provided some sort of uninstallation method.

Figure 2
WinCE/InfoJack installs silently along with other applications.

WinCE/InfoJack has a number of features that show its malicious intent:

  • installs as an autorun program on the memory card
  • installs itself on the phone when an infected memory card is inserted
  • protects itself from deletion by copying itself back to disk
  • replaces the browser’s home page
  • allows unsigned applications to install without warning

Figure 3
WinCE/InfoJack installs as an autorun program on the memory card.

That last feature, allowing silent installation of an unsigned application, is used by WinCE/InfoJack to update itself; it also leaves the device open to other malware being installed silently. Fortunately the trojan’s website is no longer reachable, due in part to an investigation by local law enforcement.

Rootkits in China Part 2

Most users in China, especially those with limited knowledge of computer security, have had a rootkit installed while surfing the Internet. In some cases users don’t notice that a rootkit has been installed; in others they do notice but are unable to remove it and opt to reinstall their operating system instead. Once a rootkit has been installed, additional malicious software such as a trojan horse is usually installed, and the rootkit is used to hide it. The hidden trojan typically steals important information from the system, such as online game accounts or bank account details. In addition, the attacker can use the compromised system together with others to carry out DDoS attacks.

Some companies apply rootkit technology in their products to defend against tampering with their software. For example, the 3721 web browser plugin uses rootkit techniques to avoid being uninstalled by other programs or plugins. Many other rogue applications (CNNIC, YiSou, qyule, etc.) do the same. Some of this rogue software is hard to remove once installed and can cause systems to become unstable. Rootkit technology is also often used in software designed to help users cheat in online games: a lot of people play online games in China, many are willing to pay for cheating software, and developers use rootkit techniques so that the cheats go undetected by the game software.

Since rootkits are so widespread in China, many local Chinese security software companies focus on defending against them.

Nowadays many viruses in China install both rootkits and trojans, causing extensive harm to Chinese networks and significant financial loss. Many people, including victims of this malware, have organized to help stop its spread. The Chinese government has also taken notice and has begun to treat malware authors as criminals: Li Jun, the author of the “Panda Burning Joss Sticks” virus, which installed rootkits and trojans on millions of machines, was recently convicted. In addition, a new anti-malware law that penalizes those who create malware will come into effect next year.

References:

McAfee Rootkit Paper 1
McAfee Rootkit Paper 2

Beware! your neighbor might be listening…

We came across an interesting presentation at the recent Black Hat conference that discusses a technique for decrypting cellular signals here. The talk describes a cheaper, faster method of cracking the encryption used between phones (mobile stations) and cell towers (base stations). The encryption in question is the A5/1 algorithm, which is used widely in GSM networks, including those in the United States.

A5/1 was already known to be vulnerable: it can be cracked after a long precomputation stage (on the order of 2^40 steps) that requires huge amounts of storage. More details can be found here, here, and here. There are also known-plaintext attacks, found here, that can break A5/1 in minutes but require the attacker to take an active role.

What makes this attack interesting is that it is completely passive, and it overcomes the long precomputation stage of the attacks above by using custom-designed FPGAs instead of general-purpose PCs. With this, the presenters were able to recover the key and decrypt the data within 30 minutes, which makes “real-time” decryption a possibility. Furthermore, they plan to sell a hardware-based product that can do this much faster. This could lead to easier espionage or other illegal activities if the technology lands in the wrong hands.
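To make concrete what the precomputation attacks are working against, here is an A5/1 keystream generator in Python. It is an added example, not the presenters’ code or anything from the original post; the register layout and bit ordering follow the public Briceno/Goldberg/Wagner pedagogical implementation, and the key and frame number in the demo are the test inputs that circulate with it (an assumption of this example, not a value from the post). The point it demonstrates is the one a time-memory tradeoff relies on: after key setup, the entire future keystream is a function of just 64 bits of register state, so a table that maps observed keystream back to a state (`from_state` below) is as good as the key.

```python
"""A5/1 keystream generator with a resumable 64-bit state.
Added example; not the presenters' code. Register layout and bit ordering
follow the public Briceno/Goldberg/Wagner pedagogical A5/1 implementation."""

# Three LFSRs of 19, 22 and 23 bits: 64 bits of state in total.
R1_MASK, R2_MASK, R3_MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080   # feedback taps
R1_CLK, R2_CLK, R3_CLK = 1 << 8, 1 << 10, 1 << 10          # majority-vote bits
R1_OUT, R2_OUT, R3_OUT = 1 << 18, 1 << 21, 1 << 22         # output (top) bits


def _parity(x):
    return bin(x).count("1") & 1


def _step(reg, mask, taps):
    """Shift a register left by one, feeding back the XOR of its tap bits."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    def __init__(self, key, frame):
        """Key setup: 64 key bits, 22 frame bits, then 100 discarded clocks."""
        if len(key) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("A5/1 takes a 64-bit key and a 22-bit frame number")
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):                      # key bits, LSB of each byte first
            self._clock_all()
            self._xor_in((key[i >> 3] >> (i & 7)) & 1)
        for i in range(22):                      # frame number, LSB first
            self._clock_all()
            self._xor_in((frame >> i) & 1)
        for _ in range(100):                     # mixing clocks, output discarded
            self._clock()

    @classmethod
    def from_state(cls, r1, r2, r3):
        """Resume from a raw 64-bit register state, bypassing key setup entirely.
        This is what a precomputed keystream-to-state table hands an attacker."""
        obj = cls.__new__(cls)
        obj.r1, obj.r2, obj.r3 = r1 & R1_MASK, r2 & R2_MASK, r3 & R3_MASK
        return obj

    def state(self):
        return (self.r1, self.r2, self.r3)

    def _xor_in(self, bit):
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self):
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def _clock(self):
        """Irregular clocking: a register moves only if its clock bit matches the majority."""
        b1, b2, b3 = bool(self.r1 & R1_CLK), bool(self.r2 & R2_CLK), bool(self.r3 & R3_CLK)
        maj = (b1 & b2) | (b1 & b3) | (b2 & b3)
        if b1 == maj:
            self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if b2 == maj:
            self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if b3 == maj:
            self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def bit(self):
        self._clock()
        return _parity(self.r1 & R1_OUT) ^ _parity(self.r2 & R2_OUT) ^ _parity(self.r3 & R3_OUT)

    def burst(self):
        """Next 114 keystream bits, packed MSB-first into 15 bytes (last 6 bits unused)."""
        out = bytearray(15)
        for i in range(114):
            out[i >> 3] |= self.bit() << (7 - (i & 7))
        return bytes(out)


def frame_keystream(key, frame):
    """The two 114-bit bursts (downlink, then uplink) A5/1 produces for one frame."""
    gen = A51(key, frame)
    return gen.burst(), gen.burst()


if __name__ == "__main__":
    # Demo inputs (assumed for this example): an 8-byte key and frame number 0x134.
    demo_key = bytes.fromhex("1223456789abcdef")
    down, up = frame_keystream(demo_key, 0x134)
    print("downlink:", down.hex(), " uplink:", up.hex())
```

Each GSM frame re-runs key setup with the same 64-bit key and a new 22-bit frame number, so one recovered state yields the key-dependent state for that frame only; the attacks above recover the key itself by inverting the short, linear setup once a state is known, which is why a single tabled hit is enough.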

The presenters also showed various other weaknesses in current cellular network implementations.

Besides the GSM cracking attack, there’s another paper on cellular network security, which can be found here. It simulates the proportional-fair scheduler commonly used in several 3G networks and shows that malicious users with access to a few mobile devices can manipulate the scheduler into assigning them an unfair share of time slots; with only a few attackers they were able to capture a majority of the slots.

I think these works, although controversial, could stimulate a new and robust direction for security practices in cellular technology, since cellular networks are now used at least as widely as the Internet. The Internet is relatively well understood compared to the cellular network. More attention to the security of cellular networks might help both consumers and cellular service providers build a more secure network that we all already depend on.

Process for 0wning the Challenges in Applied Security’s Hack IT 2.0 at Shmoocon

Last night I talked about how Ryan and I went through most of the challenges in Applied Security’s HackIT 2.0 contest at ShmooCon 2008 with the group at AHA! I spoke about how we approached and solved most of the challenges, and I thought I would share the process with whoever else was interested. I posted an informal report describing the methodologies and how to run/use the tools that we employed during the contest. The report is located on AHA!’s wiki, so if you’re interested, it’s located here on the meeting page. There is also a link to a PDF report if you want to take it offline. Also, if you are in Austin, Texas (or the surrounding area) you should check out AHA! We get together and present as many short DefCon-style talks as we can before we get kicked out of Mangia Pizza. We share a lot of interesting/fun/useful ideas and information with each other. Plus, if you are a remote worker, it’s a nice opportunity to get out and meet other “hackers” and shoot the breeze. We are a very welcoming bunch, but if you do come, be prepared to present. :)

ATM Fraud Gets Easier

Until recently most ATM skimmers had to go through the inconvenient process of extracting PINs from a video of the PIN pad as each one was entered. A blocked or discovered camera would cause many PINs to be lost. The only improvement was sometimes replacing the entire PIN pad in order to record every keystroke directly. Replacing the pad solves the video problem but requires a level of physical access that is rarely possible without being detected.

Visa certifies many ATMs against its requirements for PIN Entry Devices (PEDs). These requirements are supposed to define how to implement a PED so that no PIN can be stolen from it. As an example, one requirement is the use of 3DES to encrypt the PIN before it is sent on from the PED. The requirements state that the PIN must be encrypted even within the PED. Of course, since the raw keypad input cannot be encrypted at the instant a key is pressed, there is some room for interpretation as to how soon the encryption must take place.

Despite this certification process, several PEDs, such as the Ingenico i3300, have been found vulnerable by a pair of Cambridge researchers, Steven Murdoch and Saar Drimer. They discovered that in several models the cable from the PIN pad carried unencrypted PIN data. While the devices were designed to detect physical tampering, the researchers found it was not difficult to insert a paperclip that avoided detection and tapped the critical line from the PIN pad.

These devices were presumably allowed to be certified because the unencrypted data is considered to be within the PED, or because the data is only single key entries and not a complete PIN. To an attacker, however, these details make no significant difference. The PIN problem is similar to what would happen if a web user viewed an encrypted web site through an unencrypted web proxy: while the traffic appears encrypted to the server (or the central ATM computer), there is still a large opening for viewing the unencrypted data on the user’s side.

Visa has claimed that this is not a real-world threat because it requires specialized knowledge of the terminal. What attack of this type doesn’t require specialized knowledge? Attackers already have to research in advance to make sure their second magnetic stripe reader and their camera are well positioned and hidden. Finding out where in the case to insert the paperclip to reach the PIN wire is not a difficult additional item to research.

Awareness of identity theft and fraud is increasing in the general population. Criminals who make a living from large databases of ATM and credit card numbers are always looking for new ways to steal that information. This new vulnerability will allow fraudsters to gather data on even the most paranoid individuals.