Hacking & Security

So Far, So Good for TrueCrypt: Initial Audit Phase Turns Up No Backdoors

Threatpost - 14 Duben, 2014 - 19:42

A initial audit of the popular open source encryption software TrueCrypt turned up fewer than a dozen vulnerabilities, none of which so far point toward a backdoor surreptitiously inserted into the codebase.

A report on the first phase of the audit was released today by iSEC Partners, which was contracted by the Open Crypto Audit Project (OCAP), a grassroots effort that not only conducted a successful fundraising effort to initiate the audit, but raised important questions about the integrity of the software.

TrueCrypt is praised as not only free and open source encryption software, but also that it’s easy to install, configure and use. Given that it has been downloaded upwards of 30 million times, it stood to reason that it could be a prime target for manipulation by intelligence agencies that have been accused of subverting other widely used software packages, commercial and open source.

The first phase of the audit focused on the TrueCrypt bootloader and Windows kernel driver; architecture and code reviews were performed, as well as penetration tests including fuzzing interfaces, said Kenneth White, senior security engineer at Social & Scientific Systems. The second phase of the audit will look at whether the various encryption cipher suites, random number generators and critical key algorithms have been implemented correctly.

“With Phase II, we will be conducting a formal cryptanalysis and looking at these issues,” White said. “In security engineering, we never say a system is ‘unbreakable,’ but rather, ‘we looked at X, Y, and Z and couldn’t find a vulnerability.’

“But yes, I would say there is certainly an increased level of confidence in TrueCrypt,” White said.

Among the still-outstanding questions publicly asked by OCAP, which was kicked off by White and Johns Hopkins professor and crypto expert Matthew Green, revolved around the Windows version of TrueCrypt. Since those are available only as downloadable binaries, they cannot be compared to the original source code, yet behave differently than versions compiled from source code. There were also concerns about the license governing TrueCrypt use, as well as the anonymous nature of the development group behind the software.

iSEC Partners’ report gave TrueCrypt a relatively clean bill of health.

“iSEC did not identify any issues considered ‘high severity’ during this testing. iSEC found no evidence of backdoors or intentional flaws. Several weaknesses and common kernel vulnerabilities were identified, including kernel pointer disclosure, but none of them appeared to present immediate exploitation vectors,” iSEC’s Tom Ritter said in a statement. “All identified findings appeared accidental.”

Ritter said iSEC recommends improvements be made to the quality of code in the software and that build process be updated to relay on tools with a “trustworthy provenance.”

“In sum, while TrueCrypt does not have the most polished programming style, there is nothing immediately dangerous to report,” Ritter said.

Specifically, iSEC security engineers Andreas Junestam and Nicolas Guigo audited the bootloader and Windows kernel driver in TrueCrypt 7.1a. The report says iSEC performed hands-on testing against binaries available from the TrueCrypt download page and binaries compiled from source code. Work was completed Feb. 14.

The engineers found 11 vulnerabilities, four rated medium severity, four low severity and three were rated informational issues having to do with defense in depth.

“Overall, the source code for both the bootloader and the Windows kernel driver did not meet expected standards for secure code,” the report said. “This includes issues such as lack of comments, use of insecure or deprecated functions, inconsistent variable types, and so forth.”

The team dug deeper into its recommendations of updating the Windows build environment and code quality improvements, specifically replacing outdated tools and software packages, some of which date back to the early 1990s.

“Using antiquated and unsupported build tools introduces multiple risks including: unsigned tools that could be maliciously modified, unknown or un-patched security vulnerabilities in the tools themselves, and weaker or missing implementations of modern protection mechanisms such as DEP and ASLR,” the team wrote in its report. “Once the build environment has been updated, the team should consider rebuilding all binaries with all security features fully enabled.”

They added that “lax” quality standards make the source code difficult to review and maintain, impeding vulnerability assessments.

Of the four most serious bugs uncovered in the audit, the most serious involves the key used to encrypt the TrueCrypt Volume Header. It is derived using PBKDF2, a standard algorithm, that uses an iteration count that’s too small to prevent password-guessing attacks.

“TrueCrypt relies on the what’s known as a PBKDF2 function as a way to ‘stretch” a users’ password or master key, and there is concern that it could have been stronger than the 1,000 or 2,000 iterations it uses currently.” White said. “The TrueCrypt developers’ position is that the current values are a reasonable tradeoff of protection vs. processing delay, and that if one uses a weak password, a high-count PBK2DF2 hash won’t offer much more than a false sense of security.”

White said the OCAP technical advisors are also concerned about TrueCrypt’s security model which offers narrowly restricted privacy guarantees,” White said.

So, for example, if you are not running whole volume (system disk) encryption, there are many known exploits to recover plaintext data, including decryption keys,” White said, pointing out that Microsoft’s Bitlocker software and PGP, for example, have similar attack paths.

“But in the case of TrueCrypt, whole volume disk encryption is only available for the Windows port, and there exists today point-and-click forensic tools that can be purchased for a few hundred dollars that can easily decrypt data from a running machine with any of these packages, TrueCrypt included,” White said. “I have a feeling that while most in the security industry understand this, it is probably worth emphasizing to a broader audience: on the vast majority of machines that use file or disk encryption, if the underlying operating system or hardware can be compromised, then so too can the encryption software.”

Kategorie: Hacking & Security

With a Warning, FTC Approves WhatsApp, Facebook Union

Threatpost - 14 Duben, 2014 - 18:54

Facebook’s acquisition of messaging application WhatsApp was approved by the Federal Trade Commission late last week, but not without a stern notice from the agency, which warned that it would be keeping a watchful eye on the two companies going forward.

In a letter addressed to officials at Facebook and WhatsApp on Thursday, the FTC’s Bureau of Consumer Protection Director Jessica Rich made it clear that the agency would continue to ensure the companies honor their promises to users.

“WhatsApp has made a number of promises about the limited nature of the data it collects, maintains, and shares with third parties–promises that exceed the protections currently promised to Facebook users,” Rich wrote. “We want to make clear that, regardless of the acquisition, WhatsApp must continue to honor these promises to consumers.”

The privacy policy for WhatsApp, the popular app that allegedly sends 50 billion messages between users daily, states that user information will not be used for advertising purposes and won’t be sold to a third party. The FTC’s letter (.PDF) claims this is something that shouldn’t be nullified by the Facebook purchase. The FTC adds that if Facebook were to go ahead and share any of its newly acquired WhatsApp information, it would violate its privacy promises, not to mention an order the agency has placed on the social network.

That order basically makes sure Facebook doesn’t misrepresent the way it handles users’ privacy or the security of consumers’ personal information.

The letter, which was addressed to Facebook’s Chief Privacy Officer Erin Egan and WhatsApp’s General Counsel Anne Hoge, goes on to state that data collecting changes could be made as long as they get users’ “affirmative consent.” If users don’t agree with new procedures they should be granted the opportunity to opt out or at least understand “that they have an opportunity to stop using the WhatsApp service.”

“Failure to take these steps could constitute a violation of Section 5 and/or the FTC’s order against Facebook,” the letter states.

When the $19 billion acquisition was first announced in February, privacy advocates were rattled that Facebook would be able to mine WhatsApp’s vast reservoir of user information and convert that into ad revenue without the users’ consent.

Organizations such as the Center for Digital Democracy (CDD) and the Electronic Privacy Information Center (EPIC) both decried the move in March, requesting the FTC look into it. Jan Koum, WhatsApp’s founder later responded with a blog post, “Setting the record straight,” that insisted both firms would “remain autonomous and operate independently.”

*Photo via alvy‘s Flickr photostream, Creative Commons

Kategorie: Hacking & Security

Heartbleed bug exploited to steal taxpayer data

Ars Technica - 14 Duben, 2014 - 17:32
xxdigipxx

Underscoring the severity of the Heartbleed bug affecting huge swaths of the Internet, hackers exploited the vulnerability to steal taxpayer data for at least 900 Canadian citizens and an unknown number of businesses, officials in that country warned Monday morning.

Canada Revenue Agency (CRA) officials said they removed public access to online tax services last Tuesday, a day after the catastrophic defect in the widely used OpenSSL cryptography library surfaced. But by then it was too late. Hackers casing online CRA services were nonetheless able to exploit the OpenSSL flaw, which makes it possible to pluck private encryption keys, passwords, and other sundry sensitive data out of the private computer memory of servers running vulnerable versions of the open-source library.

"Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period," Canadian officials disclosed in a blog post published Monday morning. "Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed."

Read 4 remaining paragraphs | Comments

Kategorie: Hacking & Security

Please vote for Sophos Naked Security in the European Security Blogger Awards 2014 !

Sophos Naked Security - 14 Duben, 2014 - 17:30
The second annual European Security Blogger Awards are coming up soon, and we're up for a prize in two categories. We'd love you to vote for us! (This time you don't have to vote in every category.)

Arbitrary Code Execution Bug in Android Reader

Threatpost - 14 Duben, 2014 - 17:04

P { margin-bottom: 0.08in; }A:link { }
-->The Android variety of Adobe Reader reportedly contains a vulnerability that could give an attacker the ability to execute arbitrary code on devices running Google’s mobile operating system.

The problem arises from the fact that Adobe Reader for Android exposes a number of insecure JavaScript interfaces, according to security researcher Yorick Koster, who submitted the details of the bug to the Full Disclosure mailing list.

In order to exploit the security vulnerability, an attacker would have to compel his victim to open a maliciously crafted PDF file. Successful exploitation could then give the attacker the ability to execute arbitrary Java access code and, in turn, compromise reader documents and other files stored on the device’s SD card.

Adobe verified the existence of the vulnerability in version 11.1.3 of Reader for Android and has provided a fix for it with version 11.2.0.

On the point of exploitation, the specially crafted PDF file required to exploit this vulnerability would have to contain Javascript that runs when the targeted-user interacts with the PDF file in question. An attacker could deploy any of the Javascript objects included in Koster’s report to obtain access to the public reflection APIs inherited by those objects. It is these public reflection APIs that the attacker can abuse to run arbitrary code.

In other Android-related news, Google announced late last week that it would bolster its existing application regulation mechanism with new a feature that will continually monitor installed Android applications to ensure that they aren’t acting maliciously or performing unwanted actions.

Kategorie: Hacking & Security

Zeus malware - nine charged with conspiracy to steal millions of dollars

Sophos Naked Security - 14 Duben, 2014 - 16:41
The US Department of Justice (DOJ) has charged nine individuals over their alleged involvement in a criminal organisation that stole millions of dollars from victims' bank accounts.

INFOCon Green: Heartbleed - on the mend, (Mon, Apr 14th)

SANS [Internet Storm Center] - 14 Duben, 2014 - 16:21

We are going back to INFOCon Green today.   Things have stabilized and the INFOCon is used t ...(more)...

Kategorie: Hacking & Security

A Bug That’ll Make Your Heartbleed

InfoSec Institute Resources - 14 Duben, 2014 - 15:41

Darn, I had to change my Dropbox password a few days ago. For good measure, I changed my Google password, too. Although I only use it for OAuth these days, well, especially for OAuth, I changed my Facebook password, too. Do you notice when you buy things online or log [...]

The post A Bug That’ll Make Your Heartbleed appeared first on InfoSec Institute.

Kategorie: Hacking & Security

Facebook wages war on Like-baiting and spammy posts

Sophos Naked Security - 14 Duben, 2014 - 14:52
It's a full frontal assault on cute kittens and the Pages that pimp them out for Likes. Facebook's tweaked its algorithms to try to scrape off the clingy, whiny, needy stories published by Pages that deliberately try to game Facebook's News Feed to get more distribution than they normally would.

Andrew Auernheimer's computer hacking conviction is overturned by appeals court

LinuxSecurity.com - 14 Duben, 2014 - 14:38
LinuxSecurity.com: A federal appeals court on Friday overturned the conviction of a prominent computer hacker whose imprisonment had highlighted a growing debate over whether the government is overreaching in its campaign against cybercrime.
Kategorie: Hacking & Security

Tests confirm Heartbleed bug can expose server's private key

LinuxSecurity.com - 14 Duben, 2014 - 14:37
LinuxSecurity.com: Four researchers working separately have demonstrated a server's private encryption key can be obtained using the Heartbleed bug, an attack thought possible but unconfirmed.
Kategorie: Hacking & Security

Obama backs disclosing software vulnerabilities in most cases

InfoWorld.com [Security] - 14 Duben, 2014 - 14:21

The administration of U.S. President Barack Obama favors disclosing to the public vulnerabilities in commercial and open source software in the national interest, unless there is a national security or law enforcement need, the country's spy agency said.

Kategorie: Hacking & Security

Obama backs disclosing software vulnerabilities in most cases

InfoWorld.com [Security] - 14 Duben, 2014 - 14:21

The administration of U.S. President Barack Obama favors disclosing to the public vulnerabilities in commercial and open source software in the national interest, unless there is a national security or law enforcement need, the country's spy agency said.

Kategorie: Hacking & Security

Obama backs disclosing software vulnerabilities in most cases

InfoWorld.com [Security] - 14 Duben, 2014 - 14:21

The administration of U.S. President Barack Obama favors disclosing to the public vulnerabilities in commercial and open source software in the national interest, unless there is a national security or law enforcement need, the country's spy agency said.

Kategorie: Hacking & Security

Obama backs disclosing software vulnerabilities in most cases

InfoWorld.com [Security] - 14 Duben, 2014 - 14:21

The administration of U.S. President Barack Obama favors disclosing to the public vulnerabilities in commercial and open source software in the national interest, unless there is a national security or law enforcement need, the country's spy agency said.

Kategorie: Hacking & Security

Information Gathering Using Metasploit

InfoSec Institute Resources - 14 Duben, 2014 - 14:00

Your goals during information gathering should be to gain accurate information about your targets without revealing your presence or your intentions, to learn how the organization operates, and to determine the best route. Metasploit is the best console for information gathering, as it is a very comprehensive penetration testing tool. [...]

The post Information Gathering Using Metasploit appeared first on InfoSec Institute.

Kategorie: Hacking & Security

Tests confirm Heartbleed bug can expose server's private key

InfoWorld.com [Security] - 14 Duben, 2014 - 14:00

Four researchers working separately have demonstrated a server's private encryption key can be obtained using the Heartbleed bug, an attack thought possible but unconfirmed.

The findings come shortly after a challenge created by CloudFlare, a San Francisco-based company that runs a security and redundancy service for website operators.

Kategorie: Hacking & Security

Tests confirm Heartbleed bug can expose server's private key

InfoWorld.com [Security] - 14 Duben, 2014 - 14:00

Four researchers working separately have demonstrated a server's private encryption key can be obtained using the Heartbleed bug, an attack thought possible but unconfirmed.

The findings come shortly after a challenge created by CloudFlare, a San Francisco-based company that runs a security and redundancy service for website operators.

Kategorie: Hacking & Security

Tests confirm Heartbleed bug can expose server's private key

InfoWorld.com [Security] - 14 Duben, 2014 - 14:00

Four researchers working separately have demonstrated a server's private encryption key can be obtained using the Heartbleed bug, an attack thought possible but unconfirmed.

The findings come shortly after a challenge created by CloudFlare, a San Francisco-based company that runs a security and redundancy service for website operators.

Kategorie: Hacking & Security

Tests confirm Heartbleed bug can expose server's private key

InfoWorld.com [Security] - 14 Duben, 2014 - 14:00

Four researchers working separately have demonstrated a server's private encryption key can be obtained using the Heartbleed bug, an attack thought possible but unconfirmed.

The findings come shortly after a challenge created by CloudFlare, a San Francisco-based company that runs a security and redundancy service for website operators.

Kategorie: Hacking & Security
Syndikovat obsah