Ofer For You (1)


Tuesday, 11 November 2014

Masque Attack — New iOS Vulnerability Allows Hackers to Replace Apps with Malware
Android has long been a target for cyber criminals, but now it seems they have turned toward iOS devices. Apple has always said that hacking its devices is too difficult for cyber crooks, but a single app has made it possible for anyone to hack an iPhone.

A security flaw in Apple's mobile iOS operating system has made most iPhones and iPads vulnerable to cyber attacks by hackers seeking access to sensitive data and control of their devices, security researchers warned.

The details of this new vulnerability were published by the cyber security firm FireEye on its blog on Monday. The flaw allows hackers to gain access to devices by fooling users into downloading and installing malicious iOS applications on their iPhone or iPad via tainted text messages, emails and web links.

MASQUE ATTACK - REPLACING TRUSTED APPS
The malicious iOS apps can then be used to replace legitimate apps, such as banking or social networking apps, that were installed through Apple's official App Store, using a technique FireEye has dubbed "Masque Attack."
"This vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier," the researchers said on the company's blog. "An attacker can leverage this vulnerability both through wireless networks and USB."
Masque attacks can be used by cyber criminals to steal banking and email login credentials or users' other sensitive information.
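The quoted root cause is a policy gap: the installer identified an app by its bundle identifier alone and did not require that a package carrying an already-installed bundle identifier be signed by the same certificate. The following Python model is an added example, not FireEye's or Apple's code; it keeps a registry of installed apps and compares a weak installer (bundle identifier only) with a strict one (bundle identifier plus signer must match). FireEye also notes that the replaced app's local data stays in place, which the model reflects by letting the replacement inherit the data directory. Bundle identifiers, team names, versions and paths are constructed for the example.

```python
"""Added example; not FireEye's or Apple's code.

Toy model of the install-time policy whose absence FireEye describes:
an installer keyed on bundle identifier alone lets a package signed
under a different certificate replace the App Store copy and inherit
its data directory.  The strict installer refuses the replacement."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppPackage:
    bundle_id: str     # app identity, e.g. "com.example.bank" (constructed)
    signer_team: str   # team behind the signing certificate (constructed)
    version: str


class Installer:
    """Keeps the set of installed apps keyed by bundle identifier."""

    def __init__(self, enforce_signer_continuity: bool):
        self.enforce = enforce_signer_continuity
        self.installed: dict[str, AppPackage] = {}
        self.local_data: dict[str, str] = {}   # bundle_id -> data dir (constructed)

    def install(self, pkg: AppPackage) -> str:
        current = self.installed.get(pkg.bundle_id)
        if current is None:
            self.installed[pkg.bundle_id] = pkg
            self.local_data.setdefault(pkg.bundle_id, f"/var/mobile/{pkg.bundle_id}/Data")
            return "installed"
        if self.enforce and current.signer_team != pkg.signer_team:
            # Hardened policy: a bundle id already on the device may only be
            # updated by a package from the same signer.
            return "rejected: signer mismatch for existing bundle id"
        # Weak policy (or a genuine upgrade from the same signer): the package
        # replaces the app and keeps the existing data directory.
        self.installed[pkg.bundle_id] = pkg
        return "replaced"

    def data_owner(self, bundle_id: str) -> tuple[str, str]:
        """Which signer now controls the local data for this bundle id."""
        return self.installed[bundle_id].signer_team, self.local_data[bundle_id]


def demo() -> tuple[str, str, str]:
    """Install a genuine app, then offer a same-bundle-id package from another
    signer to a weak and a strict installer."""
    genuine = AppPackage("com.example.bank", "TEAM-GENUINE", "2.0")
    lookalike = AppPackage("com.example.bank", "TEAM-OTHER", "2.1")   # constructed
    weak = Installer(enforce_signer_continuity=False)
    strict = Installer(enforce_signer_continuity=True)
    weak.install(genuine)
    strict.install(genuine)
    weak_result = weak.install(lookalike)
    strict_result = strict.install(lookalike)
    owner, _ = weak.data_owner("com.example.bank")
    return weak_result, strict_result, owner


if __name__ == "__main__":
    print(demo())   # ('replaced', 'rejected: signer mismatch for existing bundle id', 'TEAM-OTHER')
```

The point of the strict branch is that the decision is made on the signing identity already recorded for the bundle identifier, not on anything the incoming package claims about itself.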

Security researchers found that the Masque attack works on iOS 7.1.1, 7.1.2, 8.0, 8.1 and the 8.1.1 beta, and that all iPhones and iPads running iOS 7 or later, regardless of whether the device is jailbroken, are at risk.

According to FireEye, the vast majority, i.e. 95 percent, of all iOS devices currently in use are potentially vulnerable to the attack.

MASQUE ATTACK IS MORE DANGEROUS THAN WIRELURKER
The Masque Attack technique is the same one used by "WireLurker," the malware attack discovered last week by security firm Palo Alto Networks that targeted Apple users in China and allowed unapproved, information-stealing apps to be downloaded from the Internet. But this recently discovered threat is reportedly a "much bigger threat" than WireLurker.
"Masque Attacks can pose much bigger threats than WireLurker," the researchers said. "Masque Attacks can replace authentic apps, such as banking and email apps, using attacker's malware through the Internet. That means the attacker can steal user's banking credentials by replacing an authentic banking app with malware that has identical UI."

"Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user's account directly."
HOW TO PROTECT YOURSELF FROM MASQUE ATTACK
Apple devices running iOS have long been considered safer from hackers than devices running operating systems like Microsoft's Windows and Google's Android, but iOS has now become a more common target for cybercriminals.

To avoid falling victim to Masque Attack, users can follow the simple steps below:
  • Do not download any apps offered to you via email, text messages or web links.
  • Don't install apps offered in pop-ups on third-party websites.
  • If iOS alerts you about an "Untrusted App Developer," click "Don't Trust" on the alert and immediately uninstall the application.
In short, a simple way to safeguard your devices from these kinds of threats is to avoid downloading apps from untrusted sources and only download apps directly from the App Store.



By "Kunal Vohra", Director@H2K

Still Having Problem..!!! Connect with Admin
BBM: 7F72A48D


 Kunal Vohra
Download Our Official Android App & Get Free Internet



"The Hackers Street"

For Daily Updates 

Microsoft to Issue 16 Security Patches and 60 Other Updates
This time Microsoft has quite a big pile of patches in its November 2014 Patch Tuesday, which will deliver almost 60 non-security updates for its Windows OS along with 16 security updates.

The software giant released Advance Notification for 16 security bulletins, the most in more than three years, which will be addressed as of tomorrow, 11 November, 2014. Five of the bulletins have been marked as "critical", nine are "important" in severity, while two were labeled "moderate."

The updates will patch vulnerabilities in Microsoft’s various software including Internet Explorer (IE), Windows, Office, Exchange Server, SharePoint Server and the .NET framework as well.

Five critical vulnerabilities affect specific versions of Microsoft Windows, including Windows 7, Windows 8, Windows RT and Windows Server. One of them also affects Internet Explorer versions 7 through 11.

Four of the five critical bugs are said to allow remote code execution, meaning that a successful attacker could hijack a system and install malicious software on the victim's machine, while the last could allow an attacker to gain administrative privileges on a vulnerable machine.
"A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email," is how Microsoft describes a critical patch.
Another nine patches are rated as "important", which are not as severe as the critical ones but should still be installed in order to keep your systems safe. These affect Microsoft Windows, Office and Microsoft Exchange.

Five of the nine important updates will patch "elevation of privilege" vulnerabilities, two fix security feature bypass vulnerabilities, one addresses a remote code execution bug, and the other plugs an information leak.

The last two patches are rated "moderate", which indicates a much lower risk, but they should still be installed. One addresses a denial of service flaw in Microsoft Windows, while the other patches an elevation of privilege bug.

If you have Automatic Updates enabled on your machine, these fixes will all be made available via Windows Update and applied automatically for most users. Microsoft encourages users who have not enabled it to apply the updates promptly. Some patches may also require a restart.



By "Kunal Vohra", Director@H2K


Friday, 31 October 2014

CVE-2014-4877: Wget FTP Symlink Attack Vulnerability
The open-source Wget application, most widely used on Linux and Unix systems for retrieving files from the web, has been found vulnerable to a critical flaw.

GNU Wget is a command-line utility designed to retrieve files from the Web using HTTP, HTTPS, and FTP, the most widely used Internet protocols. Wget can be easily installed on any Unix-like system and has been ported to many environments, including Microsoft Windows, Mac OS X, OpenVMS, MorphOS and AmigaOS.

When a recursive directory fetch targets an FTP server, a symlink flaw lets an attacker controlling that server "create arbitrary files, directories or symbolic links" on the client.

IMPACT OF SYMLINK ATTACK
"It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP," developer Vasyl Kaigorodov wrote in a Red Hat Bugzilla comment.
A remote, unauthenticated malicious FTP server that the victim connects to with wget would allow attackers to do anything they wanted: wget could download and create or overwrite existing files in the context of the user running wget.

The vulnerability was first reported to the GNU Wget project by HD Moore, chief research officer at Rapid7, and is publicly identified as CVE-2014-4877. The flaw is considered critical because wget is present on nearly every Linux server in the world and is installable (although not by default) on OS X machines as well, so it needs to be patched as soon as possible.

PATCH AVAILABLE
"This flaw can lead to remote code execution through system-level vectors such as cron and user-level vectors such as bash profile files and SSH authorized_keys," Moore wrote.
The vulnerability has now been fixed by the Wget project in wget 1.16, which changes the default setting so that local symlinks are no longer created.
"Upgrade to wget version 1.16 or a package that has backported the CVE-2014-4877 patch," Moore said.
WORKAROUND AND EXPLOIT AVAILABLE
"This issue can be mitigated by ensuring that all invocations of wget in the mirror mode also specify --retr-symlinks command line option," wrote Tomas Hoger on the Bugzilla report. "Doing so is equivalent to applying the upstream commit linked in comment 14, which changes the default for the retr-symlinks options from off/no to on/yes, preventing creation of symbolic links locally."
"In addition to changing arguments in all scripts or programs that invoke wget, it is possible to enabled[sic] retr-symlinks option via wget configuration file - either global /etc/wgetrc, or user specific ~/.wgetrc - by adding the line: retr-symlinks=on"
An exploit for the vulnerability is now available on the open-source Metasploit penetration testing website, so that security researchers can test the bug. You can download the exploit from here.
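The two defensive conditions stated above, wget 1.16 or later, or `retr-symlinks` turned on in `/etc/wgetrc` or `~/.wgetrc`, are easy to audit across a fleet. The Python script below is an added example (not part of the GNU Wget project or the original post) that checks both: it parses wgetrc text for the option, following the Wget manual's rule that command names are case-, underscore- and minus-insensitive, and parses the first line of `wget --version` output. The wgetrc contents and version strings in the block are constructed samples.

```python
"""Added example; not part of the GNU Wget project or the original post.

Audits the CVE-2014-4877 workaround: is retr-symlinks enabled in a
wgetrc file, and does `wget --version` report 1.16 or later (the
release that changed the default)?  Sample inputs are constructed."""
import re


def _normalise(command: str) -> str:
    # wgetrc command names are case-, underscore- and minus-insensitive
    # (Wget manual), so "retr_symlinks" and "Retr-Symlinks" are the same.
    return re.sub(r"[-_]", "", command).lower()


def retr_symlinks_enabled(wgetrc_text: str) -> bool:
    """True if the last retr-symlinks line in the file turns the option on.
    A file that never mentions it leaves the pre-1.16 default (off)."""
    enabled = False
    for raw in wgetrc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        key, sep, value = line.partition("=")
        if sep and _normalise(key.strip()) == "retrsymlinks":
            enabled = value.strip().lower() in ("on", "yes", "1")
    return enabled


def wget_version_ok(version_output: str, minimum=(1, 16)) -> bool:
    """Parse the first line of `wget --version` and compare against minimum."""
    match = re.search(r"GNU Wget (\d+)\.(\d+)", version_output)
    if not match:
        return False
    return (int(match.group(1)), int(match.group(2))) >= minimum


def audit(version_output: str, *wgetrc_texts: str) -> dict:
    """A host is covered if wget is patched OR any wgetrc in effect
    (global or per-user) enables retr-symlinks."""
    patched = wget_version_ok(version_output)
    workaround = any(retr_symlinks_enabled(t) for t in wgetrc_texts)
    return {"patched": patched, "workaround": workaround, "safe": patched or workaround}


# Constructed sample inputs.
GLOBAL_WGETRC = "# /etc/wgetrc (sample)\n# retr-symlinks = on   <- commented out, not active\n"
USER_WGETRC = "retr_symlinks = on\n"
OLD_VERSION = "GNU Wget 1.15 built on linux-gnu."
NEW_VERSION = "GNU Wget 1.16 built on linux-gnu."

if __name__ == "__main__":
    print(audit(OLD_VERSION, GLOBAL_WGETRC))               # unpatched, no workaround
    print(audit(OLD_VERSION, GLOBAL_WGETRC, USER_WGETRC))  # unpatched, workaround active
    print(audit(NEW_VERSION))                              # patched
```

To audit a real host, pass the captured output of `wget --version` and the contents of `/etc/wgetrc` and `~/.wgetrc` to `audit()`; note that a per-user file can re-enable the mitigation that the global file lacks, which is why every file in effect is consulted.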


By "Kunal Vohra", Director@H2K


Tuesday, 28 October 2014

Samsung 'Find My Mobile' Flaw Allows Hacker to Remotely Lock Your Device
The National Institute of Standards and Technology (NIST) is warning users of a newly discovered Zero-Day flaw in the Samsung Find My Mobile service, which fails to validate the sender of a lock-code data received over a network.

The Find My Mobile feature that Samsung implements in its devices is a mobile web service that gives Samsung users a bunch of features to locate a lost device, play an alert on it and remotely lock the phone so that no one else can access the lost device.

The vulnerability in Samsung's Find My Mobile feature was discovered by Mohamed Abdelbaset Elnoby (@SymbianSyMoh), an Information Security Evangelist from Egypt. The flaw is a Cross-Site Request Forgery (CSRF) that could allow an attacker to remotely lock or unlock the device and even make it ring.

Cross-Site Request Forgery (CSRF or XSRF) is an attack that tricks the victim into loading a specially crafted HTML exploit page. Basically, an attacker uses a CSRF attack to trick a victim into clicking a link that triggers malicious or unauthorized requests.

The forged request has the same privileges as the authorized user and performs an undesired action on the victim's behalf, such as changing the victim's e-mail address, home address or password, or purchasing something. CSRF attacks generally target functions that cause a state change on the server, but they can also be used to access a victim's sensitive data.
"In this way, the attacker can make the victim perform actions that they didn't intend to, such as logout, purchase item, change account information, retrieve account information, or any other function provided by the vulnerable website," Elnoby said.
The researcher has also provided a proof-of-concept (PoC) video that gives a detailed explanation of how he made the attack work against Samsung's Find My Mobile feature.

According to the researcher, the first attack, remotely locking the victim's device, is critical if exploited because attackers are able to lock the victim's device with a lock code of their own choice, forcing the victim to recover the lock code with his Google Account.
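What makes a lock-device request forgeable is that the browser attaches the victim's session cookie to any request, so a handler that accepts the cookie as its only proof of intent will act on a request another site initiated. The Python model below is an added example (not Samsung's code and not the researcher's proof of concept) that shows the same "lock with a code" action behind a vulnerable handler and behind a hardened one that demands a per-session anti-CSRF token and an expected Origin. The service origin, users and lock codes are constructed placeholders.

```python
"""Added example; not Samsung's code and not the researcher's PoC.

A state-changing "lock device" handler that trusts the session cookie
alone is forgeable from any other site; the hardened handler also
requires an Origin it recognises and a token bound to the session that
a foreign page cannot read.  Origin, users and codes are constructed."""
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://findmymobile.example"   # placeholder, not a real service
SESSIONS: dict = {}                                # session id -> session state


def login(user: str) -> str:
    """Create a session with a fresh anti-CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "lock_code": None}
    return sid


def csrf_token_for(sid: str) -> str:
    return SESSIONS[sid]["csrf"]


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def lock_device_vulnerable(request: dict) -> tuple[int, str]:
    """Accepts any request that carries a valid session cookie."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401, "not logged in"
    sess["lock_code"] = request["form"]["lock_code"]
    return 200, "locked"


def lock_device_hardened(request: dict) -> tuple[int, str]:
    """Same action, but the request must prove it came from our own pages."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401, "not logged in"
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if source is None or _origin_of(source) != ALLOWED_ORIGIN:
        return 403, "request did not originate from this service"
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "missing or invalid anti-CSRF token"
    sess["lock_code"] = request["form"]["lock_code"]
    return 200, "locked"


def demo() -> tuple[int, int, int]:
    sid = login("victim")
    # A page on another site can make the browser submit this form, and the
    # browser attaches the victim's cookie; but the page cannot read the
    # victim's token, and the browser reports the page's own Origin.
    forged = {"cookies": {"session": sid},
              "headers": {"Origin": "https://other-site.example"},
              "form": {"lock_code": "1234"}}
    # A request from the service's own page carries the session's token.
    genuine = {"cookies": {"session": sid},
               "headers": {"Origin": ALLOWED_ORIGIN},
               "form": {"lock_code": "5678", "csrf_token": csrf_token_for(sid)}}
    return (lock_device_vulnerable(forged)[0],
            lock_device_hardened(forged)[0],
            lock_device_hardened(genuine)[0])


if __name__ == "__main__":
    print(demo())   # (200, 403, 200)
```

The token check uses `hmac.compare_digest` so a wrong token is rejected in constant time; the origin check compares scheme and host exactly rather than with a prefix match, which a look-alike hostname would otherwise satisfy.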

The US-CERT/NIST identified the vulnerability in Samsung Find My Mobile as CVE-2014-8346 and rated its severity HIGH, with an exploitability score of 10.0.
"The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic," the security advisory issued by the NIST states.

By "Kunal Vohra", Director@H2K


Wednesday, 22 October 2014

Microsoft PowerPoint Vulnerable to Zero-Day Attack
It seems there is no end to the Windows zero-days: Microsoft recently patched three zero-day vulnerabilities in Windows that were being actively exploited in the wild, and now a new zero-day vulnerability has been disclosed affecting all supported releases of the Windows operating system except Windows Server 2003.

Microsoft has issued a temporary security fix for the flaw and also confirmed that the zero-day flaw is being actively exploited by the hackers through limited, targeted attacks using malicious Microsoft PowerPoint documents sent as email attachments.

According to the Microsoft Security Advisory published on Tuesday, the zero-day resides within the operating system’s code that handles OLE (object linking and embedding) objects. OLE technology is most commonly used by Microsoft Office for embedding data from, for example, an Excel spreadsheet in a Word document.

The vulnerability (designated CVE-2014-6352) is triggered when a user is induced to open a PowerPoint file containing a malicious Object Linking and Embedding (OLE) object. For now, only PowerPoint files are being used by hackers to carry out attacks, but all Office file types could be used for the same attack.
"The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user," the advisory explained.
By gaining the same rights as the logged-in user, an attacker could infect the victim's computer by installing other malicious programs on it. According to the software giant, attacks that compromise accounts without administrator rights may pose less of a risk.

Microsoft has released a Fix it, "OLE packager Shim Workaround", which stops the known PowerPoint attacks but cannot stop other attacks that might be built to exploit this vulnerability. Also, the Fix it is not available for 64-bit editions of PowerPoint on x64-based editions of Windows 8 and Windows 8.1.

Meanwhile, Microsoft also urged Windows users to pay attention to the User Account Control (UAC) prompt, a pop-up alert that requires authorization before the OS is allowed to perform various tasks, which would warn a user once the exploit starts to trigger by asking for permission to execute. But users often see it as an inconvenience and habitually click through without a second thought.
"In observed attacks, User Account Control (UAC) displays a consent prompt or an elevation prompt, depending on the privileges of the current user, before a file containing the exploit is executed," Microsoft's advisory states.
Furthermore, Redmond didn't mention an out-of-band patch for the zero-day vulnerability, nor whether a patch would be ready for the November security update.

Earlier this month, Microsoft released eight security bulletins as part of its monthly patch update, fixing three zero-day flaws at the same time. One of them (CVE-2014-4114), discovered by iSight Partners in all supported versions of Microsoft Windows and Windows Server 2008 and 2012, was being exploited in the "Sandworm" cyberattack to penetrate major corporations' networks.

By "Kunal Vohra", Director@H2K


Monday, 20 October 2014

Hacking Smart Electricity Meters To Cut Power Bills
Smart devices are growing at an exponential pace as connected devices are embedded in cars, retail systems, refrigerators, televisions and countless other things people use every day, but security and privacy remain the key issues for such applications, which still face an enormous number of challenges.

Millions of network-connected electricity meters, or smart meters, used in Spain are susceptible to cyberattack due to a lack of basic and essential security controls, which could put millions of homes at risk, according to studies carried out by a pair of security researchers.

HACKERS TO CAUSE BLACKOUT AND BILL FRAUD
The security vulnerabilities found in the electricity meters could allow an intruder to carry out billing fraud or even shut down electric power to homes and cause blackouts.

Poorly protected credentials inside the devices could let attackers take control over the gadgets, warn the researchers. The utility that deployed the meters is now improving the devices' security to help protect its network.

During an interview on Monday, the security researchers, Javier Vazquez Vidal and Alberto Garcia Illera, said the vulnerability affects smart meters installed by a Spanish utility company, the one on which the Spanish government relied in order to improve national energy efficiency.

The research carried out by the two researchers will be presented at the Black Hat Europe hacking conference in Amsterdam next week. The duo will explain how they reverse engineered smart meters and found blatant security weaknesses that allowed them to commandeer the devices to shut down power or commit electricity usage fraud over the power line communications network.

SMART METER’S REPROGRAMMABLE MEMORY RUNS FLAWED CODE
The Vulnerability resides in the memory chips of the smart meters, which are reprogrammable and contain flawed code that could be exploited to remotely shut down power supplies to individual households, tamper meter readings, transfer meter readings to other customers and insert "network worms" that could leave millions of homes without power causing widespread blackouts.

The researchers will not provide a detailed explanation of what they actually did until the problems are fixed by the smart meter vendor. "We are not releasing the exact details; we are not going to say how we did this," Garcia Illera, a security expert involved in the smart meter research, told Reuters. "This issue has to be fixed."

WEAK ENCRYPTION USED
According to the two researchers, the smart meters use relatively easy to crack symmetric AES-128 encryption, which was designed to secure communications and prevent tampering with billing systems by fraudsters.

There are three major utility companies in Spain, Endesa, Iberdrola and E.ON, and collectively 8 million smart meters have been installed in over 30 percent of households. However, the two haven't disclosed the specific smart meter manufacturer at this time.

The duo said they could take full control of the meter box, switch its unique ID to impersonate other customer boxes or turn the meter itself into a weapon for launching attacks against the power network.
"Oh wait? We can do this? We were really scared," said Vazquez Vidal, another security expert involved in the smart meter research. "We started thinking about the impact this could have. What happens if someone wants to attack an entire country?" he said.
The Internet of Things (IoT) promises to make life easier in countless ways, but as with any technology seeing an upswing, associated security issues and challenges are to be expected, and this is what happened with the smart meters in Spain.


By "Kunal Vohra", Director@H2K

Thursday, 16 October 2014

Microsoft Patches 3 Zero-day Vulnerabilities actively being Exploited in the Wild
As part of monthly patch update, Microsoft released eight security bulletins on Tuesday that address dozens of vulnerabilities including a zero-day flaw reportedly being exploited by Russian hackers to target NATO computers and a pair of zero-day Windows vulnerabilities that attackers have been exploiting to penetrate major corporations' networks.

Just the day before yesterday, we reported on a zero-day vulnerability discovered by the cyber intelligence firm iSight Partners that affects all supported versions of Microsoft Windows and is being exploited in a five-year-old cyber-espionage campaign against the Ukrainian government and U.S. organisations.

Researchers at FireEye found two zero-day flaws, used in separate, unrelated attacks that exploit the Windows kernel, just a day after iSight Partners disclosed its Windows zero-day. The pair of vulnerabilities could allow an attacker to access a victim's entire system.

According to the researchers at FireEye, two of the three so-called zero-day flaws are being actively exploited in the wild as "part of limited, targeted attacks against some major corporations."

Microsoft's updates for the October 2014 Patch Tuesday address several vulnerabilities in all currently supported versions of Windows, Internet Explorer, Office, SharePoint Server and the .NET Framework. Three of the bulletins are marked "critical" and the rest are "important" in severity. Systems administrators are advised to apply the critical updates immediately.

The zero-day flaw (CVE-2014-4114) discovered by iSight Partners in all supported versions of Microsoft Windows and Windows Server 2008 and 2012, which is being exploited in the "Sandworm" cyberattack, is patched as part of MS14-060. Microsoft rated bulletin MS14-060 important rather than critical because it requires a user to open a Microsoft Office file to initiate the remote code execution.
"The vulnerability [exists in Windows OLE] could allow remote code execution if a user opens a Microsoft Office file that contains a specially crafted OLE object," Microsoft warned in its bulletin. "An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user." (OLE is Microsoft technology for creating complex documents that contain a combination of text, sound, video and other elements.)
However, the two zero-days discovered by FireEye are patched as part of MS14-058 and are marked critical. They are designated CVE-2014-4148 and CVE-2014-4113.
"We have no evidence of these exploits being used by the same actors. Instead, we have only observed each exploit being used separately, in unrelated attacks," FireEye explained.
CVE-2014-4148 is a vulnerability in TrueType Font (TTF) processing. TTF processing is performed in kernel mode as part of GDI and has been the source of critical vulnerabilities in the past.

The vulnerability affects Windows 8.1/Windows Server 2012 R2, Windows 8/Windows Server 2012, Windows 7/Windows Server 2008 R2 (Service Pack 0 and 1) and Windows XP Service Pack 3. It affects both 32-bit and 64-bit versions of the Operating System, but the attacks have only been observed against 32-bit systems.

However, CVE-2014-4113 is a local Elevation of Privilege (EoP) vulnerability that affects all versions of Windows including Windows 7, Vista, XP, Windows 2000, Windows Server 2003/R2, Windows Server 2008/R2, Windows 8.x and Windows Server 2012/R2.

Of the remaining bulletins, two are rated critical and address remote code execution vulnerabilities in Internet Explorer and the Microsoft .NET Framework respectively. The rest are rated important and cover elevation of privilege bugs, a security feature bypass and a remote code execution flaw.




By "Kunal Vohra", Director@H2K


Friday, 10 October 2014

Authentication Flaw in PayPal mobile API Allows Access to Blocked Accounts

Payment services provider PayPal is vulnerable to an authentication restriction bypass vulnerability that could allow an attacker to bypass a filter or restriction of the online service to get unauthorized access to a blocked user's PayPal account.

The security vulnerability actually resides in the mobile API authentication procedure of the PayPal online-service, which doesn’t check for the blocked and restricted PayPal accounts.

HOW THE VULNERABILITY WORKS
If a PayPal user enters a wrong username or password combination several times while trying to access the account, then for security reasons PayPal will prevent the user from accessing the account on a computer until the answers to a number of security questions are provided.

However, if the same user switches to a mobile device and tries to access the temporarily closed PayPal account with the right credentials through the official PayPal mobile app client, which uses the API, the user will get access to the account without providing any additional security details.

WHAT WENT WRONG
"The client API checks only if the account exists; the API does not check a partial or full blocking of the account. It is possible for the blocked user to get access to his PayPal account and he is able to make transactions and send money from the account," states the vulnerability disclosure document.
For other security reasons, such as preventing a fraudster from reaching illicitly obtained funds, PayPal may temporarily deny users access to their PayPal account. In such cases, a remote attacker could "login through the mobile API with PayPal portal restriction to access account information or interact with the compromised account."
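The defect is structural rather than cryptographic: one login path consults the account's restriction state and another does not, so a restriction is only as strong as the weakest client. The Python model below is an added example (not PayPal's code and not the researcher's disclosure) that reproduces the pattern: a web login that trips a restriction after repeated failures and then demands a challenge, a mobile path that checks only existence and password, and a hardened mobile path routed through the same single authorization function as the web login. Accounts, passwords and the lockout threshold are constructed.

```python
"""Added example; not PayPal's code or the researcher's disclosure.

Two login paths over one account store.  The vulnerable mobile path
checks existence and password only; the hardened path shares the web
login's authorization function, so a restriction set on the account
applies no matter which client presents the credentials."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3   # constructed value


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    restricted: bool = False
    restriction_reason: str = ""


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(username: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, _hash(password, salt))


def password_matches(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)


def authorize(acct: Account, password: str) -> str:
    """Single enforcement point used by every client.  Restriction is
    checked before the password, so a restricted account answers the same
    way whether or not the password is right."""
    if acct.restricted:
        return "challenge_required"
    if password_matches(acct, password):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.restricted = True
        acct.restriction_reason = "too many failed logins"
    return "denied"


def web_login(acct: Account, password: str) -> str:
    return authorize(acct, password)


def mobile_login_vulnerable(acct: Account, password: str) -> str:
    """Separate code path: existence and password only, no restriction check."""
    return "ok" if password_matches(acct, password) else "denied"


def mobile_login_hardened(acct: Account, password: str) -> str:
    return authorize(acct, password)


def demo() -> tuple[bool, str, str, str]:
    acct = make_account("victim", "correct horse battery staple")
    for _ in range(LOCKOUT_THRESHOLD):
        web_login(acct, "wrong password")       # trips the restriction
    return (acct.restricted,
            mobile_login_vulnerable(acct, "correct horse battery staple"),
            mobile_login_hardened(acct, "correct horse battery staple"),
            web_login(acct, "correct horse battery staple"))


if __name__ == "__main__":
    print(demo())   # (True, 'ok', 'challenge_required', 'challenge_required')
```

A restriction applied for other reasons (the fraud hold mentioned above) is the same flag set by a different process, and the hardened path honours it in exactly the same way, because the check lives in `authorize()` rather than in each client's handler.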

REPORTED OVER ONE YEAR BUT STILL NO PATCH AVAILABLE
The critical vulnerability in PayPal was discovered about a year ago by Benjamin Kunz Mejri from Vulnerability Laboratory, and as a responsible researcher he reported the flaw to PayPal's team, but a fix is still not available. Also, no bug bounty has been paid to him for the discovery and responsible disclosure of the bug.

According to the vulnerability disclosure document, the authentication restriction bypass vulnerability in PayPal online service has been assigned a high CVSS (Common Vulnerability Scoring System) base score of 6.2, but no identifier has been assigned to the bug.

VIDEO DEMONSTRATION
A video demonstration of the vulnerability has also been published by the researcher, showing how he intentionally enters the wrong username several times in order to have his PayPal account blocked. After the account is blocked, the online payment service asks him to answer some security questions in order to validate the user.

But despite answering those questions, the researcher used his iOS device and entered the correct username and password combination, which easily granted him access to his blocked account and allowed him to initiate financial transactions.

PRODUCTS AFFECTED
The vulnerability affects the iOS mobile application for both iPhone and iPad, as it fails to check the restriction flags that should deny access to a blocked or temporarily blocked account. According to the researcher, version 4.6.0 of the iOS app is affected, and the flaw also works on the latest version, 5.8.

An eBay owned company, PayPal provides a faster and safer way to pay and get paid. The service gives people simpler ways to send money without sharing financial information, with over 148 million active accounts in 26 currencies and across 193 markets, thereby processing more than 9 million payments daily.



By "Kunal Vohra", Director@H2K
