Aug 22

Microsoft says don’t use PPTP and MS-CHAP

Microsoft is warning of a serious security issue in MS-CHAP v2, an authentication system that is mainly used in Microsoft’s Point-to-Point Tunneling Protocol (PPTP) VPN technology. Three weeks ago at the Black Hat conference, encryption expert Moxie Marlinspike presented the CloudCracker web service, which can crack any PPTP connection within 24 hours for $200.

The basic problem has been known for many years: MS-CHAP v2 uses a strangely convoluted combination of three DES operations. This combination can reliably be cracked by trying out all 2^56 possible DES keys – no matter how complex the password is. A specially developed server can finish this task in less than a day using FPGAs.

Once a PPTP log-in process has been recorded using a network sniffer, the chapcrack open source tool can extract the required tokens, and the key can be cracked for $200 by CloudCracker; this key can then be used to decrypt all the network traffic. The same is also true for corporate Wi-Fi networks that are encrypted with WPA2 and MS-CHAPv2. Their MS-CHAPv2 challenge-and-response traffic can be intercepted with FreeRADIUS-WPE and then fed to chapcrack as before.

Two basic strategies can provide more security: either the MS-CHAP authentication traffic is given its own, separately encrypted tunnel – Microsoft recommends the Protected Extensible Authentication Protocol (PEAP) for this purpose – or the system is migrated to a secure VPN technology. Microsoft’s suggested alternatives include L2TP/IPSec, IPSec with IKEv2 and SSTP. The OpenVPN open source protocol is not listed in the recommendation.

Aug 22

Multi-platform spyware penetrates smartphones and VMs

In late July, virus researchers discovered a trojan going by the names Crisis and Morcut that uses a number of techniques to spy on Windows and Mac OS X users. It installs a backdoor in the system and then uses rootkit functionality to conceal itself from the system. Crisis includes a wide range of espionage tools, allowing it to perform functions such as eavesdropping on Skype calls, keylogging and tapping into webcams.

Anti-virus company Symantec has now discovered that, when running under Windows, the malware has a number of other interesting tricks up its sleeve. Crisis searches for VMware images and infects them with a copy of itself. It also uses the Remote Application Programming Interface (RAPI) to install modules on any devices running Windows Mobile (the forerunner to Microsoft’s current Windows Phone operating system). What exactly these modules do there is not yet clear – Symantec’s virus lab has not managed to get hold of them.

With the help of a little social engineering, the malware appears to be being spread via a Java file named AdobeFlashPlayer.jar, which is signed using a self-signed VeriSign certificate. If a user opens the file and chooses to ignore the error message generated by the self-signed certificate, separate payloads for Windows or Mac OS X are executed depending on the operating system on which the file is opened.

It is notable that this piece of spyware has not yet been observed in the wild by any of the major anti-virus software companies. Samples were uploaded to anti-virus service VirusTotal, which passed them on to the virus labs. Its limited distribution suggests that Crisis is being used for targeted attacks, along the lines of those carried out using the commercial trojan toolkit FinSpy, sold by Finfisher. According to Russian AV company Dr Web, this is the latest specimen of Italian company HackingTeam’s Remote Control System, also known as Da Vinci.

The company sells its spyware as a “hacking suite for governmental interception” and, among other things, its product brochure promises the ability to eavesdrop on Skype calls. As well as Windows and Mac OS X, Da Vinci also supports iOS, Android, Blackberry, Symbian and Linux. Close inspection of the screenshots in the brochure suggests that Da Vinci also appears to be able to divulge the current location of the person under surveillance.

Aug 22

Adobe Flash Player update patches six critical holes

Adobe has released the second update for its Flash Player software in a week, this time for six critical vulnerabilities. Four of the issues addressed are problems with memory corruption that could lead to remote code execution; additionally, the update fixes an integer overflow vulnerability that could also lead to remote code execution. Another bug that was fixed is a cross-domain information leak. The problems exist in Flash Player 11.3.300.271 and earlier versions on Windows, Macintosh and Linux, and in the Android versions (Android 4.0) and (Android 3.x and 2.x) and earlier.

All six vulnerabilities were rated critical by Adobe. The company’s security bulletin does not contain any detailed information about the flaws. Users are advised to update their version of Flash as soon as possible.

Adobe has released Flash Player 11.4.402.265 for Windows and Mac OS X, version for Linux and Flash Player and for Android. The Android updates are only available to devices that had Flash Player installed before 15 August when Adobe stopped making Flash for Android available. As Adobe’s AIR is based on Flash, it has also been updated to version

Windows, Mac OS X and Linux users can get the update appropriate for their system from the Flash Player Download Center or for a different system through another page on Adobe’s web site. The users of Google’s Chrome browser will be automatically updated to the latest version of the Flash Player component, which is included in version 21.0.1180.81 of Chrome for Linux, 21.0.1180.83 for Windows and 21.0.1180.82 for Mac OS X.

The latest Flash update comes a week after Adobe had fixed several other vulnerabilities in its Flash Player and Adobe Reader software. Several vulnerabilities in Adobe Reader remain unpatched.

Aug 21

Google’s Motorola takes on Apple

Google’s subsidiary Motorola Mobility has lodged a complaint with the International Trade Commission (ITC), seeking to ban several Apple devices from being imported into the US on the grounds that Apple has infringed its patents. The complaint was filed on Friday, but the details of the complaint were not made public until after the weekend. In the ITC complaint, Motorola lists the following seven patents which it says Apple has infringed:

  • No. 5,883,580, titled “Geographic-Temporal Significant Messaging,” which issued on March 16, 1999
  • No. 5,922,047, titled “Apparatus, Method and System for Multimedia Control and Communication,” which issued on July 13, 1999
  • No. 6,425,002, titled “Apparatus and Method for Handling Dispatching Messages for Various Applications of a Communication Device,” which issued on July 23, 2002
  • No. 6,493,673, titled “Markup Language for Interactive Services And Methods Thereof,” which issued on December 10, 2001
  • No. 6,983,370, titled “System For Providing Continuity Between Messaging Clients And Method Therefor,” which issued on January 3, 2006
  • No. 7,007,064, titled “Method And Apparatus For Obtaining And Managing Wirelessly Communicated Content,” which issued on February 28, 2006
  • No. 7,383,983, titled “System And Method For Managing Content Between Devices In Various Domains,” which issued on June 10, 2008

The legal action is seen by some observers as Google striking back at Apple for the design and patent legal actions it has taken against phone makers who use Google’s Android operating system. Motorola Mobility is asking for an import ban on all Apple equipment “which utilize wireless communication technologies to manage various messages and content”. This is not the first time that Motorola Mobility has taken legal action against Apple; in October 2010, Motorola filed complaints with the ITC and US district courts alleging patent infringement.

Meanwhile, Google’s Director for Public Policy, Pablo Chavez, has criticised the patent system of the United States, saying that Google doubts the current state of affairs is conducive to innovation or the needs of consumers. According to a report by CNET, Chavez was speaking at the Technology Policy Institute’s conference in Aspen, Colorado when he said “we think that these patent wars are not helpful to consumers. They’re not helpful to the marketplace. They’re not helpful to innovation.”

He also pointed out that he thinks software patents are different from patents in areas such as medicine and that the company is looking to “brainstorm longer-term solutions.” Chavez’s comments came as a reaction to an accusation by News Corp. executive Rick Lane who alleged Google was acting anti-competitively by having its Motorola Mobility subsidiary attack Apple for infringing its patents.

Google and its subsidiaries are also involved in other patent-related lawsuits in the US and Europe, and Google itself recently won a legal battle against Oracle involving Java-related patents.

Aug 21

Microsoft’s security software modifies HOSTS file

Windows 8, set for release on 26 October, automatically deletes entries in the HOSTS file for specific domains. Try, for example, to prevent attempts to access , or ad servers such as , by rerouting them to by adding entries to the HOSTS file, and the relevant entries will soon disappear from the HOSTS file as if by magic, leaving nothing but an empty line. The effect does not occur for other domains, such as The H’s sister site , however.

The agent behind this phenomenon turns out to be the Windows Defender security program, which is preinstalled and enabled by default on new installations of Windows. The cause quickly becomes clear on inspecting Defender’s history, accessed from the start menu by entering “Defender” and clicking on the history tab. Defender is convinced it’s uncovered a potentially malicious modification of the HOSTS file and thus records ‘SettingsModifier:Win32/PossibleHostsFileHijack’. Microsoft Security Essentials (MSE) in older versions of Windows also takes care to reset entries for these domains. This is not particularly surprising, since Windows Defender in Windows 8 is essentially just a rebranded version of MSE.

[Image: Windows 8 will soon delete HOSTS entries for Doubleclick, Facebook and Twitter; , on the other hand, will be allowed to remain]
Malware will in fact often create such erroneous entries in the HOSTS file in order to divert users to alternative servers when they attempt to access sites such as These servers may play host to phishing sites that send user data entered on them to internet fraudsters. The removal of entries for ad servers, which many users utilise as a simple but effective ad blocker, may be down to the fact that malware also makes use of the HOSTS file to divert queries from legitimate advertising servers to their own servers. This enables fraudsters to display their own malicious ads on third-party web sites.

Users who resent being wrapped in cotton wool like this and wish to continue to use the HOSTS file for the affected domains can add their HOSTS file (c:\windows\system32\drivers\etc\hosts) to MSE’s or Windows Defender’s exceptions list. The relevant setting can be found under “Settings, Excluded files and locations”. Of course, this also means that the anti-virus program will no longer detect any malicious modifications to the HOSTS file.
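The two preceding paragraphs make the point that an ad-blocker entry and a phishing redirect look identical to Defender once the hostname is on its watch list, and that excluding the file loses the check entirely. The script below is an added example (not Microsoft’s code and not part of the article): it parses HOSTS-file text and reports every entry touching a watched domain, but additionally separates entries that merely blackhole a name (0.0.0.0, 127.0.0.1, ::1) from entries that send it to some other address, so an administrator reviewing the file can keep the ad-blocking lines and investigate the rest. The watch list (the three domains the article names), the blackhole address set and the sample HOSTS content are assumptions constructed for the example.

```python
import ipaddress

# Assumed watch list for this example: the domains the article names as
# being reset by Defender. Microsoft's real list is not published here.
WATCHED_DOMAINS = {"doubleclick.net", "facebook.com", "twitter.com"}

# Targets that merely blackhole a name, as ad-blocker HOSTS entries do.
BLACKHOLE_TARGETS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Constructed sample HOSTS content for the demonstration (not a real file).
SAMPLE_HOSTS = """\
# constructed sample, not a real system file
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net      # typical ad-blocker entry
0.0.0.0         www.facebook.com facebook.com
198.51.100.23   www.twitter.com         # TEST-NET-2 address: a true redirect
203.0.113.5     example.com             # not on the watch list
not-an-ip       twitter.com             # malformed, ignored by the parser
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in HOSTS-file text.

    Comments after '#' and blank lines are skipped; one line may map an
    address to several hostnames, as the Windows HOSTS format allows.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address; skip the line
        for host in fields[1:]:
            yield ip, host.lower().rstrip("."), line_no


def registrable_domain(host):
    """Crude parent-domain extraction: the last two labels. Adequate for the
    .com/.net names in the watch list; a real tool would use a suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_watched_entries(text, watched=WATCHED_DOMAINS):
    """Return entries touching a watched domain, each tagged 'blocked'
    (blackholed) or 'redirected' (sent to some other address)."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if registrable_domain(host) not in watched:
            continue
        kind = "blocked" if ip in BLACKHOLE_TARGETS else "redirected"
        findings.append({"line": line_no, "host": host, "ip": ip, "kind": kind})
    return findings


if __name__ == "__main__":
    import sys
    # Pass a path (e.g. the system HOSTS file) to scan it; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in find_watched_entries(text):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

Run against the sample, the three blackholed lines come back as “blocked” and the www.twitter.com line as “redirected”; Defender, by the article’s account, removes all four alike, which is exactly why a review step that looks at the target address is worth having before resorting to the exclusion list.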
