Wednesday, July 27, 2016

PAC Attacks When Using HTTPS!
VPN To The Rescue

--

Introduction: What I discuss below fits within the realm of computer networking. As such, it is complicated, has a learning curve and may require homework, time and patience to understand. However, as usual, I've tried to translate the technology into something reasonably easy to comprehend and I've provided some useful reference links.

Open Wi-Fi Hotspots Are Not Our Friend


Using open, no-password-required Wi-Fi hotspot routers is dangerous. It's trivial for anyone else on the same router to spy on all your Internet activity, and there are several tools for the hack job on every computer platform. So what do you do?


Using HTTPS on the Web is one generally reliable way to encrypt your connections, resulting in hacker spies seeing only gibberish pass between your computer and your destination. That's great, except a lot of servers still use old SSL (Secure Sockets Layer) protocols that are no longer secure, and there are older browser applications that still allow the use of SSL. The replacement technology is TLS (Transport Layer Security) and is considerably safer, albeit not perfect as of yet. For general Web access at a Wi-Fi hotspot, HTTPS via TLS should be adequate.


Except this happened:


New attack bypasses HTTPS protection on Macs, Windows, and Linux
Hack can be carried out by operators of Wi-Fi hotspots, where HTTPS is needed most.
- DAN GOODIN, Ars Technica - 7/26/2016, 1:14 PM
The most likely way the attack might be carried out is for a network operator to send a malicious response when a computer uses the dynamic host configuration protocol to connect to a network. Besides issuing addresses, DHCP can be used to help set up a proxy server that browsers will use when trying to access certain URLs. This attack technique works by forcing the browser to obtain a proxy autoconfig (PAC) file, which specifies the types of URLs that should trigger use of the proxy. Because the malicious PAC code receives the request before the HTTPS connection is established, the attackers obtain the entire URL in plaintext....
(Emphasis mine).

This is a fairly sophisticated attack for the moment. But, again, it could be made trivial once hacking tools for it proliferate.


So now what do we do?


If you're a casual web browsing user who doesn't mind having your URL connections surveilled in public, you wait for web browser and server updates to solve this problem.


VPN


If you're a professional who must NOT be surveilled in your work online, you enroll in a VPN (Virtual Private Network) service. I won't go into the techy details. But a good VPN service allows you to encrypt every little thing you do on the Internet from wherever you are, on whatever router you're using, out to a server run by the VPN service somewhere else on the planet. You can typically choose your exit server from a list provided by the VPN service. After you exit the VPN server out to the actual Internet, no one can trace back who you are. None of your data is visible at your Wi-Fi router location. Everything is encrypted through the VPN service. Problem solved.


There are many VPN services available. Some of them offer 'Life Time Membership' for a reasonable price. There is typically one VPN service or another running a special offer via one of the 'Deal' websites / email lists at any point in time.


As examples, I'm on the MacAppware and 9To5Toys 'Deal' lists, which are part of a network of 'Deal' services run through StackCommerce. They offer a variety of hardware, software and service 'Deals' at special discount prices, typically for a limited period of time. If you see something you like on the lists, you check it out. If you like it, you buy it. (Please note how I am deliberately not providing URLs as I am not selling or recommending any of these services. Do a search on their names and you'll find them).


Continuing these examples: 9To5Toys is currently offering both a 3-year subscription and full lifetime subscription to Tiger VPN for decent prices. MacAppware is currently featuring five different VPN service discounts. They include HideMyAss!, Hotspot Shield Elite, PureVPN, and VPN Unlimited.


The closest I'll come to a recommendation is to say that I have a friend who swears by HideMyAss! He regularly uses it to stream sports game video from Europe with great results. I have a lifetime membership with proXPN that works fine for my purposes.


One limiting factor with VPNs is speed, aka bandwidth. Obviously, you run into this factor when you're streaming a lot of data at once, for example when watching video. If that's what you want to do via VPN, it pays to shop around for the fastest service. Be sure to verify that what you read about a VPN service is real. For example, PureVPN calls itself "The World's Fastest VPN." Maybe it is or maybe it isn't. Check out a number of reviews to find out what users have experienced according to their usage of the VPN.


Another limiting factor is which VPN connection protocols the services offer. They may use OpenVPN and/or PPTP (Point-to-Point Tunneling Protocol). It's important to know what your hardware and OS can handle. Some cannot, for example, deal with OpenVPN. Therefore, in this case, you don't want a VPN service that only offers OpenVPN. You'll want one that offers PPTP. Many provide both.


From a security point of view, at the moment it is safer to use PPTP. OpenVPN has had a series of security compromises and was at one point assumed to be hackable. The OpenVPN project has been good about patching known security flaws, but new ones have recently been discovered on a regular basis. Meanwhile, PPTP is considered by some to be 'broken'. Microsoft recommends using a more recent and superior alternative protocol called L2TP/IPSec, with which I am somewhat unfamiliar. If a VPN offers it, consider using it instead of PPTP.


I could link here to a comparison chart of these three protocols, but what I found online was not up-to-date and would therefore be misleading. From a fanatical security perspective, it may be that all three of these protocols are hackable IF someone wants to target specifically YOU.  VPN attacks are sophisticated and take time to enact. As such, for general professional use, any of these three VPN protocols is adequate. Open source advocates of course prefer OpenVPN because its protocol is entirely available for scrutiny and theoretically that means the security holes are found and patched more readily. Meanwhile, Microsoft has been involved with both PPTP and L2TP/IPSec, which may give users a reason to cringe. You decide.


Nice things about good VPN services: 


First, my VPN rates the quality/speed of their own servers day-to-day. I'm in New York. So you'd think connecting to their New York City server would be great! It used to be. Now it's rated on the bottom of their connection listing. IOW it's the last server I want to use. Instead, I typically use the Chicago server, which is in the top third of their connection list. I often visit sites within the UK, in which case I use their London server. Thankfully, that is also in the top third of their connection list at this time. 


Meanwhile, if I want to use an exit server in or near Japan, forget it! There aren't any. That could have killed my interest in their VPN service, if it mattered to me. The closest server is in Singapore, and it's near the bottom of the connection list. IOW: It may be important to know what servers a VPN offers, according to your purposes.


Second, my VPN regularly changes its servers in cases where they are being blocked by ISPs. My VPN application grabs the latest list of available servers every day, which prevents me from connecting to what amounts to a dead server.


Why are VPN servers blocked? This gets into a controversy regarding copyright, marketing and costs. To give you at least a rough idea of how and why this can happen: Imagine you're the BBC in the UK. Someone uses VPN to connect to a London server. The IP address of that server is broadcast to every website to which you connect. It's obviously a British IP address, so you look to be British. Therefore, you can access all British web content as a British citizen. You have full access to all BBC web media, including any of their posted TV program streams. What can be 'bad' about that is that: (A) You may not actually be in Britain. You're using a VPN. (B) If you aren't British, you have no access to British copyrighted media. (C) BBC marketing people may go maniacal that you're breaking through an artificial marketing zone barrier to access media directly in the UK. (D) You haven't paid the taxes that support the BBC. Therefore, the BBC is motivated to find and have blocked all VPN servers within the UK.




Then there's that annoying totalitarianism issue where FAILed governments abuse their citizens, rather than serve them. Check this out:


Countries Where VPN Use is Prohibited
WHAT COUNTRIES HAVE BANNED THE USE OF VPN?
VPN is typically banned in countries that have authoritative laws, such as China, North Korea and Iran. With limited access to a majority of online content, in order to unblock blocked websites, citizens, tourists and expats in those countries typically resort to the use of proxy servers and VPN software. 
WHY HAVE THESE COUNTRIES MADE VPN USAGE ILLEGAL?
Some countries have banned the use of Virtual Private Networks so that they can maintain a bird’s eye view on all online movement made by their citizens, who the governments of these countries consider as nonconformists, as well as to control the information their citizens have access to by censoring websites with liberal or opposing views. VPNs allow users to bypass censorship and keep all online activities confidential.
Such is our species. I thoroughly recommend deposing all such governments. That's what revolutions are for. We all deserve personal freedom and privacy, no exceptions (apart from the crooks and crazies).

So what about DNSCrypt?


I use DNSCrypt on all my Macs. I've had no trouble with it and it kindly encrypts all my DNS lookups for free. It works hella better than my ISP's DNS servers! (Time Warner Cable :-P). Thank you OpenDNS and Cisco! It prevents any open Wi-Fi hotspot hackers from seeing what websites I want to visit. It even prevents your ISP or anyone else from surveilling your DNS lookups.

Except DNSCrypt won't help with the PAC attacks on HTTPS. Sorry! The resulting IP address still ends up in-the-clear when using the PAC hack. Nonetheless, DNSCrypt is a great precaution and works extremely well. Finishing DNSCrypt took years of annoying betas. Now it's something approaching perfection. Highly recommended.

Questions? Further reference requests? Please drop me a comment below.

:-Derek


--

Wednesday, July 20, 2016

Critical Little Snitch Update to v3.6.4!

--

Today, Objective Development released a critical update of Little Snitch to version 3.6.4. Update ASAP!

Here are the release notes from the installer:
Little Snitch 3.6.4 
This update fixes critical issues. Please update as soon as possible!
  • Added IKEv2 VPN support to Automatic Profile Switching detection.
  • Fixed: A critical bug enabling potential attackers to circumvent the Little Snitch network filter (thanks to @osxreverser for the report).
  • Fixed: Under rare circumstances Fast User Switching causes all connections without rules to be denied without showing an alert.
  • Fixed: Alerts triggered via “ask rule” sometimes produce rules with “Until Quit” instead of “Once” lifetime.
  • Fixed: Rare crash when searching for rules or suggestions in Little Snitch Configuration.
  • Other bugfixes and improvements.
I've made certain that MacUpdate and MajorGeeks Mac (the two download sites I still use) have been notified. If you haven't used Little Snitch, you can find out more about this excellent 'reverse firewall' program HERE. It has a learning curve well worth climbing if you want to stop applications from phoning home or stop potential bot infections dead in their tracks. Intego's NetBarrier has similar functionality.
--

Wednesday, July 13, 2016

'Backdoor.MAC.Eleanor' Is Now XProtected!

--

Yes! Apple has updated XProtect to guard against OSX.Trojan.Eleanor.A.

XProtect is Apple's built-in anti-malware system. It was first integrated into OS X 10.7 Snow Leopard and is regularly and automatically updated over the Internet.

Apple has been a bit slow updating XProtect to ward off evil adware. But, with nagging from the field, Apple eventually catches up. Alongside Eleanor, Apple has also provided protection against the adware OSX.Hmining.A.2

Grateful thanks to my right-hand Mac security pal Al Varnell for helping out, as ever!

--

Tuesday, July 12, 2016

Happy Adobe Security Update Day For July

--

Second Tuesday of the month, the day when Adobe lets loose all the security patches they've been saving up for the past month. (0_o) On this Tue2, Adobe is serving updates for:

Adobe Flash - 52 critical CVEs patched


Adobe Acrobat and Reader  - 32 critical CVEs patched


Adobe XMP Tool for Java - 1 CVE patched


The links above lead to accompanying Adobe security bulletins.


So where's the required Adobe AIR update? After all, Adobe Flash is integrated into Adobe AIR! Nothing new. That's worrying. If you're running AIR, be sure to have it self-check for updates!


Where to get the security updates:


Adobe Flash

Adobe Acrobat
Adobe Reader
Adobe XMP Tool for Java


The Gory Details

Adobe Flash Vulnerability Details

These updates resolve a race condition vulnerability that could lead to information disclosure (CVE-2016-4247).

These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-4223, CVE-2016-4224, CVE-2016-4225).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-4173, CVE-2016-4174, CVE-2016-4222, CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, CVE-2016-4230, CVE-2016-4231, CVE-2016-4248).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-4249).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4172, CVE-2016-4175, CVE-2016-4179, CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183, CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187, CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217, CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221, CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236, CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240, CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244, CVE-2016-4245, CVE-2016-4246).

These updates resolve a memory leak vulnerability (CVE-2016-4232).

These updates resolve stack corruption vulnerabilities that could lead to code execution (CVE-2016-4176, CVE-2016-4177).

These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2016-4178).

Adobe Acrobat and Reader Vulnerability Details

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2016-4210).

These updates resolve a use-after-free vulnerability that could lead to code execution (CVE-2016-4190).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-4209).

These updates resolve various methods to bypass restrictions on Javascript API execution (CVE-2016-4215).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4189, CVE-2016-4191, CVE-2016-4192, CVE-2016-4193, CVE-2016-4194, CVE-2016-4195, CVE-2016-4196, CVE-2016-4197, CVE-2016-4198, CVE-2016-4199, CVE-2016-4200, CVE-2016-4201, CVE-2016-4202, CVE-2016-4203, CVE-2016-4204, CVE-2016-4205, CVE-2016-4206, CVE-2016-4207, CVE-2016-4208, CVE-2016-4211, CVE-2016-4212, CVE-2016-4213, CVE-2016-4214, CVE-2016-4250, CVE-2016-4251, CVE-2016-4252).

Adobe XMP Tool for Java Vulnerability Details

This update resolves an issue associated with the parsing of crafted XML external entities in XMPCore that could lead to information disclosure (CVE-2016-4216).
Stay safe out there kids!

--

Wednesday, July 6, 2016

Beware New Mac Malware: 'Backdoor.MAC.Eleanor'

--

[Updated: 2016-07-07 @1:50 am ET with additional references]

This malware should more properly be named OSX.Trojan.Eleanor.A. In the field, it is being called Backdoor.MAC.Eleanor by BitDefender LABS. It is being served up to victims at a number of websites, including apparently MacUpdate.com. BEWARE!

I'll create my own write up about the malware as further details are available. For now, here are some excellent sources of information about Eleanor:


Bitdefender LABS


Backdoor.MAC.Eleanor Grants Attackers Full Access to Mac Systems
A. Description: 
- - The application name is EasyDoc Converter.app, and its main functionality should be to convert documents, but it does anything but that. . . .
9To5Mac

New Mac malware in the wild, Backdoor.MAC.Elanor – can steal data, execute code, control webcam

More about Eleanor from my colleague Thomas Reed over at Malwarebytes:

When the app is opened, it runs a shell script whose first task is to check for the presence of Little Snitch. . . . If LittleSnitch is not present, and if the malware has not already been installed, it then installs three LaunchAgents in the user folder plus a hidden folder full of executable files. All these items have names that attempt to make them seem like Dropbox components....
Interestingly, this app’s page on MacUpdate has ratings submitted by users between 2014 and March 26, 2016, all but one of which are 4.5 or 5 stars. Since this malware appears to have first “turned on” in April, I suspect that the real EasyDoc Converter may have been abandoned by its developer and somehow obtained by malware authors....
If you have Malwarebytes Anti-Malware for Mac, it will detect this malware as OSX.Backdoor.Eleanor.
I.E. the free Malwarebytes Anti-Malware for Mac already detects Eleanor. Use the link in the quote above.

And, Dan Goodin of Ars Technica posted an article about Eleanor as well as a couple other pests: Pellit and Keydnap. I'm waiting for more details about these last two before I bother writing about them.


~ ~

Keep in mind that such malware can have ANY name. Therefore, don't simply avoid 'EasyDoc Converter'. Watch out for ALL software that is not signed by an Apple approved developer via ANY source.


Safety Step: Verify that you at least have Apple's Gatekeeper set up this way in System Preferences...: Security & Privacy: General:




IOW: Don't have 'Anywhere' selected. 
(If you're using macOS 10.12 Sierra, you won't even see 'Anywhere' available).

Until this malware is blocked by Apple, do NOT override Gatekeeper and open unsigned software.


IOW: If you have Gatekeeper set up properly, you attempt to open something you downloaded, and OS X protests that the software may be insecure, do NOT open it. Take the advice of OS X. This will keep you safe from the Eleanor malware. Set the questionable software aside until protection against Eleanor is provided by Apple via its XProtect system. I'll report when XProtect has been updated against Eleanor.


Further helpful information from Apple:


About the "Are you sure you want to open it?" alert (File Quarantine / Known Malware Detection) in OS X

:-Derek



--

Saturday, June 18, 2016

Help Us Stop the Updates to Rule 41
-EFF Calls for a Day of Action on June 21st-

--
This issue is critical to all US citizen computer users.
Therefore, I'm posting about it here to bring it to everyone's attention.
:-Derek


From the Electronic Frontier Foundation

"U.S. government agents want to use an obscure procedure to radically expand their use of hacking techniques. We need to stop them.

"The change to Rule 41 would make it easier for U.S. government agents to break into our computers, take data, and use hacking techniques.

"The rule change especially impacts people using privacy-protective technologies, including Tor and VPNs.

"The United States Congress never approved this expansion of the FBI’s powers. But now, Congress is our last chance to stop the change from taking effect."
Please reject the changes to Rule 41 of the Federal Rules of Criminal Procedure by passing the Stopping Mass Hacking Act (S.2952, H.R.5321). These amendments would lead to a vast expansion of government hacking, a largely unregulated law enforcement technique that makes us all less secure. 

Why you should care

"We’ve written a detailed explanation of the changes to Rule 41, which explains why this update will result in a dramatic increase in government hacking. Here’s an overview of some of the main reasons we are concerned:

"Government agents hacking into computers more frequently is a recipe for disaster. Law enforcement will increase their exploitation of security vulnerabilities in common software products, meaning vulnerabilities that could affect millions will be left open instead of patched.

"Law enforcement will forum shop, finding government-friendly magistrate judges to sign off on warrants with a loose connection to the judicial district.

"Law enforcement will pressure judges to sign off on remote searches of thousands of computers with a single warrant—a direct violation of the Fourth Amendment and a pattern we’re already seeing.

"This rule change especially impacts people using privacy protective technologies like Tor or VPNs, which is why we’re asking privacy tools to join us in standing up for users on June 21."


"The proposal comes from the advisory committee on criminal rules for the Judicial Conference of the United States. The amendment [PDF] would update Rule 41 of the Federal Rules of Criminal Procedure, creating a sweeping expansion of law enforcement’s ability to engage in hacking and surveillance. The Supreme Court just passed the proposal to Congress, which has until December 1 to disavow the change or it becomes the rule governing every federal court across the country.  This is part of a statutory process through which federal courts may create new procedural rules, after giving public notice and allowing time for comment, under a “rules enabling act.”




--

Thursday, June 16, 2016

Adobe Flash Has Another In-The-Wild Exploit:
Flash 22.0.0.192 and AIR 22.0.0.153 Updates
Plus Other Adobe Security Updates

--
Adobe Flash and AIR Updates:

Adobe was supposed to release a security update of Adobe Flash, and therefore AIR, on Tuesday, June 14th. But a Flash zero-day exploit was discovered and Adobe delayed the update until today, Thursday, June 16th. Adobe kindly posted a warning Security Bulletin to that effect. If this sounds familiar, the same scenario played out in May as well. (0_o)


The new versions are Flash v22.0.0.192 and AIR v22.0.0.153.


You can find the current versions of Adobe Flash and AIR here:


https://get.adobe.com/flashplayer/


https://get.adobe.com/air/download/


- -

Adobe Flash v22.0.0.192 update:

https://helpx.adobe.com/security/products/flash-player/apsb16-18.html

Vulnerability Details
These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-4144, CVE-2016-4149).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-4142, CVE-2016-4143, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147, CVE-2016-4148).

These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2016-4135, CVE-2016-4136, CVE-2016-4138).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4137, CVE-2016-4141, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171).

These updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4140).

These updates resolve a vulnerability that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2016-4139). 
The CVE currently being exploited In-The-Wild is CVE-2016-4171, bolded above. If you'd like to know more about this exploit, have a read of Dan Goodin's article on the subject:

Critical Adobe Flash bug under active attack currently has no patch
Exploit works against the most recent version; Adobe plans update later this week.
--

Adobe AIR v22.0.0.153 Update:


https://helpx.adobe.com/security/products/air/apsb16-23.html

Vulnerability Details

This update resolves a vulnerability in the directory search path used by the Air (sic) installer that could lead to code execution (CVE-2016-4116).
Note that this is actually a vulnerability found in the previous installer for AIR.
~ ~ ~ ~ ~

The other Adobe security updates from Tuesday, June 14th:

Adobe ColdFusion Hotfixes available:

https://helpx.adobe.com/security/products/coldfusion/apsb16-22.html

Vulnerability Details

These hotfixes resolve an important input validation issue (CVE-2016-4159) that could be exploited to conduct cross-site scripting attacks.
--
  
Adobe Creative Cloud Desktop Application v3.7.0.272 Update:

https://helpx.adobe.com/security/products/creative-cloud/apsb16-21.html

Vulnerability Details

This update resolves a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4157).

This update resolves an unquoted service path enumeration vulnerability in the Creative Cloud Desktop Application (CVE-2016-4158).
--

Adobe Brackets v1.7 Update:

https://helpx.adobe.com/security/products/brackets/apsb16-20.html

Vulnerability Details
This update resolves a JavaScript injection vulnerability, which could be abused in a cross-site scripting attack (CVE-2016-4164).

This update resolves an input validation vulnerability in the extension manager (CVE-2016-4165).
--

Adobe DNG Software Development Kit (SDK) 1.4 (2016 release) Update:

https://helpx.adobe.com/security/products/dng-sdk/apsb16-19.html

Vulnerability Details

This update resolves a memory corruption vulnerability (CVE-2016-4167).
~ ~ ~ ~ ~

And some HaPPy news!

In Safari 10, set to ship with macOS Sierra, Apple plans to disable common plug-ins like Adobe Flash, Java, Silverlight, and QuickTime by default in an effort to focus on HTML5 content and improve the overall web browsing experience. . . .

. . . When a website offers both Flash and HTML5 content, Safari will always deliver the more modern HTML5 implementation. On a website that requires a plug-in like Adobe Flash to function, users can activate it with a click. . . .

Safari 10 will also include a command to reload a page with installed plug-ins activated to give users additional options for controlling the content that's displayed, and there are preferences for choosing which plug-ins are visible to which websites in Safari's Security preferences. . . .
One more nail in the coffin of poorly written Internet plugins. (^_^)

 --