Information Security News
by Sean Gallagher
Jacob Ajit, a 17-year-old student at the Thomas Jefferson High School for Science and Technology in Fairfax, Virginia, was bored and screwing around with a smartphone that had service and a SIM for T-Mobile's prepaid phone service. He soon discovered it was possible to still gain access to the Internet without paying for an account; all he had to do was route everything through a proxy application running on a server with "/speedtest" in its Web address.
The T-Mobile prepaid SIM makes it possible to pay for new service from the phone itself. This requires the phone to be able to connect to T-Mobile's network to do so, essentially blocking access to the rest of the Internet through a captive portal until the account is activated. But Ajit found that the Speedtest mobile app worked even when the phone's data plan hadn't been activated—likely as a marketing tool to demonstrate the speed of T-Mobile's 4G network.
By capturing some of the data sent to Speedtest when connected to a shared network connection through his Mac (he used mitmproxy to do so), Ajit discovered the graphics used in the Speedtest app to measure download speed were hosted on a number of different sites. The only similarity in them was their Web addresses all included "/speedtest" in the URL. He manually entered the URLs into a browser on the phone and was able to reach them despite the T-Mobile block.
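The weakness described above is an allow rule that keys on a substring of the URL rather than on the destination host. As an added example (not code from the article, from T-Mobile or from Speedtest), the following Python contrasts such a substring rule with a host-based allowlist; the host names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Hosts a pre-activation walled garden is meant to reach. Constructed
# placeholder names, not any carrier's or Speedtest's real infrastructure.
WALLED_GARDEN_HOSTS = {
    "activate.carrier.example",
    "speedtest-assets.cdn.example",
}


def weak_allow(url: str) -> bool:
    """Substring rule of the kind described above: allow anything containing '/speedtest'."""
    return "/speedtest" in url


def strict_allow(url: str) -> bool:
    """Allow only requests whose parsed hostname is explicitly on the garden list.

    The decision is made on the parsed host, not on the raw string, so neither
    a chosen path nor a userinfo trick ('allowed-host@other-host') changes it.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return host in WALLED_GARDEN_HOSTS


def compare(urls):
    """Return {url: (weak_decision, strict_decision)} for a batch of requests."""
    return {u: (weak_allow(u), strict_allow(u)) for u in urls}


# Constructed sample requests covering the cases that matter.
SAMPLE_URLS = [
    "https://speedtest-assets.cdn.example/speedtest/random4000x4000.jpg",   # legitimate asset
    "https://relay.elsewhere.example/speedtest/?u=https://www.example.com/",  # relay with chosen path
    "https://speedtest-assets.cdn.example@relay.elsewhere.example/speedtest",  # userinfo trick
    "https://www.example.com/",                                               # ordinary traffic
]

if __name__ == "__main__":
    for url, (weak, strict) in compare(SAMPLE_URLS).items():
        print(f"weak={weak!s:5} strict={strict!s:5}  {url}")
```

Only the first sample is allowed by both rules; the second and third pass the substring rule but fail the host check, which is the behaviour a walled garden needs.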
Signal, the mobile messaging app recommended by NSA leaker Edward Snowden and a large number of security professionals, just fixed a bug that allowed attackers to tamper with the contents of encrypted messages sent by Android users. The update is available on this Github submission, but isn't yet available in the Google Play market for Android apps.
The message authentication-bypass vulnerability was one of two weaknesses found by researchers Jean-Philippe Aumasson and Markus Vervier in an informal review of the Java code used by the Android version of Signal. The bug made it possible for attackers who compromised a Signal server or were otherwise able to monitor data passing between Signal users to modify a valid attachment with fraudulent data. A second bug possibly would have allowed attackers to remotely execute malicious code, but a third bug limited exploits to a simple remote crash.
"The results are not catastrophic, but show that, like any piece of software, Signal is not perfect," Aumasson wrote in an e-mail. "Signal drew the attention of many security researchers, and it's impressive that no vulnerability was ever published until today. This pleads in favor of Signal, and we'll keep trusting it."
by Sean Gallagher
China's Mid-Autumn Festival started today, as much of the world now knows due to a runaway inflatable moon incident reported yesterday (as seen below). Celebrated on the 15th day of the eighth month in the Han calendar—corresponding to the full moon closest to the Autumnal Equinox—the holiday is commemorated in Chinese culture through the exchange and sharing of moon cakes.
The cakes are round pastries filled with lotus seed paste or red bean paste and occasionally the salted yolk of a duck egg surrounded by a thin crust. They are traditionally given as presents by businesses and are in huge demand in much of China and in Chinese communities around the world leading up to the festival. And that's likely what drove four employees of the Chinese e-commerce site Alibaba to exploit a weakness in an internal company website offering discounted mooncakes to company staff.
Alibaba offered its employees one free mooncake each—complete with a plush Alibaba mascot hidden inside, rather than the traditional duck yolk. Additional cakes were sold at cost to employees for friends and family through an internal e-commerce page. But as China Daily reports, the four employees—software engineers at the company—were able to surreptitiously insert additional software into the website, directing extra mooncakes to themselves. Alibaba's internal security team detected the hack and found that the four were "cheating using technology" to amass 124 boxes of the cakes (with four cakes per box). All four employees were dismissed.
One of my morning rituals is to take the last few malware samples I received in any of my inboxes and run them in a virtual machine to see if there is anything new. To be honest, there isn't much new that we haven't already written about. The sample is usually a zipped VBScript file that will download and run ransomware. But that isn't the only constant. The other constant is the inability of anti-malware to protect your system from these consistent attacks.
The virtual machine runs a fully patched Windows 10 install, and home-user grade anti-malware. I would consider it a well-configured average home user system.
This morning, for example, I tried these three samples:
They all arrived in similar emails with a subject of SCAN.
If you are paying attention to malware, you probably have seen e-mails like this for years with various attachments.
Virustotal shows that some name-brand anti-malware solutions do not detect this particular sample:
It also shows that all of these samples were rather fresh in that Virustotal had received them about 30 minutes ago, so around the time I had received them.
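Since the samples share a shape (a short-subject e-mail carrying a zip that contains a script), a mail gateway can flag them by content before any signature exists. The following Python is an added example, not code from the diary or from any product; the messages it scans are constructed in that shape, and the placeholder script inside is inert text.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly from a double-click.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                     ".cmd", ".bat", ".ps1", ".scr", ".exe")


def is_script_name(name: str) -> bool:
    return name.lower().endswith(SCRIPT_EXTENSIONS)


def script_members(archive: bytes) -> list:
    """Names of script-type files inside a zip payload (empty if it is not a valid zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            return [n for n in zf.namelist() if is_script_name(n)]
    except zipfile.BadZipFile:
        return []


def flag_message(msg: EmailMessage) -> list:
    """Reasons to quarantine the message; an empty list means nothing was found."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        # Decide by content, not by name: a zip renamed to .dat still starts with PK\x03\x04.
        if payload.startswith(b"PK\x03\x04"):
            for member in script_members(payload):
                findings.append(f"{name}: archived script {member}")
        elif is_script_name(name):
            findings.append(f"{name}: bare script attachment")
    return findings


def _zip_with(member: str, text: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, text)
    return buf.getvalue()


def build_message(subject: str, attachment_name: str, attachment: bytes) -> EmailMessage:
    """Constructed message in the shape described above; addresses are placeholders."""
    msg = EmailMessage(policy=policy.default)
    msg["Subject"] = subject
    msg["From"] = "scanner@office.example"
    msg["To"] = "user@office.example"
    msg.set_content("Please find the attached scan.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg


# Constructed samples, not captured mail; the .vbs member is a comment line, not a script.
SUSPECT = build_message("SCAN", "SCAN_0001.zip",
                        _zip_with("SCAN_0001.vbs", "' constructed placeholder, not malware\n"))
BENIGN = build_message("SCAN", "SCAN_0002.zip",
                       _zip_with("SCAN_0002.pdf", "%PDF-1.4 constructed placeholder\n"))

if __name__ == "__main__":
    for label, msg in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, flag_message(msg) or "clean")
```

The check works on the decoded attachment bytes and on the archive member names, so it does not depend on a hash or signature of the particular sample, which is what the undetected-for-30-minutes window above calls for.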
So what can you do?
For example, here are the URLs that I think were used in the undetected sample (I didn't do a full analysis):
(spaces added to protect readers.)
bigfishcasting .com/ afdIJGY8766gyu?YJRTHAigKa=sLUfGQkQRhO
delicefilm .com /afdIJGY8766gyu?YJRTHAigKa=sLUfGQkQRhO (this one has some reasonable recognition as a bad URL)
keratin .sk/ afdIJGY8766gyu?YJRTHAigKa=sLUfGQkQRhO
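The three URLs are published with spaces inserted so nobody clicks them by accident, which also means they must be normalised before a proxy log can be checked against them. The following Python is an added example, not code from the diary: it refangs indicators written in that style, keys them on host and path only, and runs the result over a few constructed proxy log lines.

```python
import re
from urllib.parse import urlsplit

# The three indicators from the post, in the "spaces added" form they were published in.
DEFANGED = [
    "bigfishcasting .com/ afdIJGY8766gyu?YJRTHAigKa=sLUfGQkQRhO",
    "delicefilm .com /afdIJGY8766gyu?YJRTHAigKa=sLUfGQkQRhO",
    "keratin .sk/ afdIJGY8766gyu?YJRTHAigKa=sLUfGQkQRhO",
]


def refang(indicator: str) -> str:
    """Undo the usual neutralisations: inserted spaces, hxxp, [.] / [:] and a missing scheme."""
    url = re.sub(r"\s+", "", indicator)
    url = url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")
    if not re.match(r"^[a-z]+://", url):
        url = "http://" + url
    return url


def indicator_key(url: str) -> tuple:
    """(host, path) with the query string dropped, so a changed parameter value still matches."""
    p = urlsplit(url)
    return (p.hostname or "").lower(), p.path or "/"


def build_blocklist(indicators) -> set:
    return {indicator_key(refang(i)) for i in indicators}


# Constructed proxy log format (assumption): timestamp, client IP, method, URL, status.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)

# Constructed log lines, not real traffic.
SAMPLE_LOG = [
    "2000-01-01T07:41:02Z 10.0.0.5 GET http://keratin.sk/afdIJGY8766gyu?YJRTHAigKa=QmQmQm 200",
    "2000-01-01T07:41:03Z 10.0.0.5 GET http://keratin.sk/css/site.css 200",
    "2000-01-01T07:42:10Z 10.0.0.9 GET https://www.example.com/ 200",
    "2000-01-01T07:43:55Z 10.0.0.12 POST http://DeliceFilm.com:8080/afdIJGY8766gyu 503",
    "garbage line that does not parse",
]


def matches(log_lines, blocklist) -> list:
    """(client, url) pairs whose host and path are on the blocklist."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and indicator_key(m["url"]) in blocklist:
            hits.append((m["client"], m["url"]))
    return hits


if __name__ == "__main__":
    for client, url in matches(SAMPLE_LOG, build_blocklist(DEFANGED)):
        print(f"{client} fetched {url}")
```

Matching on host plus path rather than the full string is deliberate: the host names differ while the path token is shared across all three, so a defender who sees that token on a fourth host has a reason to look even though it is not on the list.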
The issue of anti-malware missing the downloader, and then hoping that the downloaded malware will be detected, isn't new. It goes back at least to the famous WMF incident more than 10 years ago, when anti-virus was suggested as a mitigation for the vulnerability even though it didn't detect actual exploitation of the vulnerability, only the additional malware downloaded via the exploit. 10+ years later... not much has changed. We are still making it too easy for the bad guys.