Watch Out! This Poodle Attacks …

This time, the entire security community is abuzz with the latest SSLv3 vulnerability, codenamed the “Poodle” (Padding Oracle On Downgraded Legacy Encryption) – which basically allows a skilled attacker to carry out the “Man-in-the-middle” attack and eavesdrop on a “secure” (https) connection between a vulnerable client and server.

Why is all this happening now? I believe it’s the “bandaid” mentality. The SSL protocol is actually quite an ancient technology, developed by the “once-upon-a-time” famous company called Netscape (for those of you old enough to remember, the Netscape browser was the most popular browser in the late 80s and early 90s before IE killed it).

SSL version 1.0 was never publicly released because of the various security flaws in it; version 2.0 was released in Feb 1995 but still contained a number of security bugs, which were addressed by the release of SSL version 3.0.

I’m no cryptographic expert, but it would appear that instead of addressing the fundamental security issues/flaws in the SSL protocol, the developers decided to “bandaid” over it – each time a security bug was discovered in SSL ver 3.0, a new “bandaid” was applied.

Now, many years later, the evil Poodle emerges and attacks!

But of course, all is not lost (yet) – the good security folks recognized the faults in the SSL protocol and developed a more secure and robust protocol called “TLS” (Transport Layer Security), which is backward compatible with SSL 3.0 to ensure nothing breaks.

Although the TLS protocol is available, many SSL clients still implement a protocol downgrade “dance” to work around server-side interoperability issues. Once this happens, the evil POODLE emerges! (For the more technically inclined, please see the links in the resources section for the technical discussion/papers.)

Who is vulnerable? Nearly all the web servers on the Internet, because SSL v3.0 is enabled by default. Turning SSL3 off will leave many users (especially those using Firefox) unable to connect through “secure” HTTPS.

Are you vulnerable?

In all likelihood, the answer is yes. Point your browser to:

http://www.poodletest.com

If you see this “cutie” poodle, you’re vulnerable to the SSLv3.0 bug.

Both my browsers – Firefox & Chrome – showed that cute poodle. But I’m not worried (yet) … see the Poodle Solution below.
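The browser test above only tells you about your own client. To check a server you administer, here is an added example (not from the original post, and not what poodletest.com runs) that sends a bare SSLv3 ClientHello and reports whether the server accepts it; the host name is an assumed command-line argument and the cipher-suite list is a constructed minimum. A result of “sslv3-accepted” means the server still speaks SSLv3 and it should be disabled.

```python
import os
import socket
import struct

SSLV3 = b"\x03\x00"                      # protocol version 3.0 on the wire
# A few CBC/RC4 suites an SSLv3-era server would accept (constructed minimum list).
SSLV3_SUITES = bytes.fromhex("000a002f003500050004")


def build_sslv3_client_hello() -> bytes:
    """Build a minimal SSLv3 ClientHello record: no session, no extensions."""
    body = (SSLV3 + os.urandom(32)                       # client_version, random
            + b"\x00"                                     # empty session_id
            + struct.pack("!H", len(SSLV3_SUITES)) + SSLV3_SUITES
            + b"\x01\x00")                                # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake  # ContentType 22


def classify_reply(data: bytes) -> str:
    """Interpret the first record the server sends back to our SSLv3 ClientHello."""
    if len(data) < 5:
        return "no-reply"                 # socket closed or nothing received
    if data[0] == 0x15:
        return "sslv3-rejected"           # Alert (protocol_version / handshake_failure)
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02 and data[9:11] == SSLV3:
        return "sslv3-accepted"           # ServerHello carrying server_version 3.0
    return "other"


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port, offer only SSLv3, and report how the server answers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_reply(sock.recv(4096))
        except (socket.timeout, ConnectionError):
            return "no-reply"


if __name__ == "__main__":
    import sys
    print(probe_sslv3(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```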

The Poodle Solution!

Get a German Shepherd! :-)  Just joking – don’t stone me, all you poodle lovers!

BUT seriously, what does the SSL v3.0 / POODLE vulnerability mean for the average joe? Is the sky falling?

Fortunately not. The POODLE bug just means that if you are in a public wifi area, and you’re trying to do your Internet Banking (or access some sensitive data) via the “now-not-so-secure” HTTPS connection, you’re susceptible to the ‘man-in-the-middle’ attack where the attacker can hijack your connection and eavesdrop on you.

In other words, the attacker is able to steal your session cookies and use those to access your accounts (be it your email account, bank account, etc).

SO, to prevent that, don’t do anything that requires an HTTPS connection in a public area! OR if you simply must, then invest in a VPN (or go through your company’s VPN).

The long term solution is for the vendors to fix this – RedHat, Debian, Ubuntu, Cpanel, Apache, etc – they are working round the clock from what I can tell to find a “proper” fix that will address this issue without breaking too many things.

The browser folks – Firefox/Mozilla, Google Chrome are working on a patch for their browsers as well. It is rumoured that Mozilla will drop support for SSL v3.0 (finally!!) on November 25th.

Resources:

The Evil Poodle – SSL 3.0 Vulnerability (CVE-2014-3566)

Google Security Blog on the Poodle SSLv3.0 Bug

FedoraMagazine – what you need to know about the Poodle

Official Poodle SSLv3.0 Vulnerability by SANS ISC

Malala, shot in 2012, receives Nobel Peace Prize in 2014

Ok, this post has nothing to do with Open Source, Security, Linux or hacking or anything remotely tech – but I’m so stoked to hear the news that this spunky teenage girl – Malala won the prestigious 2014 Nobel Peace Prize – that I just have to ramble here. (Hey, it’s my blog, I can post whatever I like right?)

Anyway, for those of you who (sometimes?) live under a rock ;-) – here’s the scoop …

Malala Nobel Peace Prize Winner 2014, with Satyarthi

Malala Yousafzai, a Pakistani teen, is the youngest person ever to win the Nobel Peace Prize, receiving the 2014 prize at the age of 17. This spunky teenager was shot in the head by the fanatical Taliban for advocating girls’ education back in her home country. That happened exactly 2 years ago, on 9th October 2012.

In her first public address after that fateful shooting, she said:

“Dear friends, on the 9th of October, 2012, the Taliban shot me on the left side of my forehead. They shot my friends too. They thought that the bullets would silence us, but they failed.”

Ref: http://www.nbcnews.com/news/other/malala-yousafzai-being-shot-taliban-made-me-stronger-f6C10612024

Today, she stands tall and proud to be honored with the 2014 Nobel Peace Prize for her heroic efforts in fighting for the rights of under-privileged children, especially girls in Muslim-majority countries where their chances of receiving an education are practically zero. In these countries, girls were ‘doomed’ to being housewives, to cook and clean and serve the men-folk.

“This award is for all those children who are voiceless, whose voices need to be heard,” said Malala, who was at school in Birmingham when she received news of being awarded the Nobel Prize.

“They have the right to receive quality education. They have the right not to suffer from child labor, not to suffer from child trafficking. They have the right to live a happy life.”

To read more about Malala – please visit: http://malala.org

It is also heartening to note that this year’s prestigious Nobel Peace Prize was jointly awarded to nationals of two countries – Malala from Pakistan (a Muslim) and Kailash Satyarthi (from India, a Hindu) – at a time when there is increasing tension between these 2 countries.

If only the leaders of these countries would put aside their petty differences and join the common cause for children’s education, peace and goodwill. Wishful thinking? Yeah, maybe the leaders of these countries should grow up :-)

Mr. Kailash Satyarthi, 60, was an electrical engineer before he gave up his lucrative career and founded the “Save the Childhood Movement” (“Bachpan Bachao Andolan”). In the course of 20+ years, Satyarthi has freed tens of thousands of Indian children who were forced into slavery by unscrupulous businessmen, landowners and, sometimes, by their own poverty-stricken families to pay off family debts. He is also the first Indian national to receive this prestigious Nobel Peace Prize, and the 2nd Nobel Peace Prize winner from India after Mother Teresa.

For more info about Satyarthi, http://www.straitstimes.com/news/asia/south-asia/story/5-things-about-nobel-peace-prize-winner-kailash-satyarthi-20141010

The cash prize, $1.1 million will be paid out to Malala & Satyarthi on Dec 10, 2014.

Way to go girl!  Rock on Satyarthi!

Bank ATM machines hacked!


Using a “low risk” trojan, a group of hackers (believed to be from South America) managed to cart away about RM3 million (about USD $1 million) from various ATM machines in Malaysia ($1.00 USD ~ RM 3.3).

Below are the photos of the suspects released by the Bukit Aman Police in Malaysia:

[photos of the two suspects]

To date, ATM machines in the following locations have been compromised by this trojan/virus, called “ulssm.exe”:

Selangor & Kuala Lumpur

  • ATM in USJ (Subang Jaya): Lost RM 265,000
  • ATM in Section 14, PJ: Lost RM 395,850
  • ATM in Dataran Sunway, PJ: Lost RM 221,160
  • ATM in Kota Damansara, PJ: Lost RM 285,700
  • ATM in Shah Alam: Lost RM 116,000
  • ATM in Klang: Lost RM 150,000
  • ATM in Jalan Imbi: Lost RM 92,900
  • ATM in Jln Yoong Shook Lin: Lost RM 303,000
  • ATM in Puchong: Lost RM ??
  • ATM in Kajang: Lost RM ??
  • ATM in Kelana Jaya: Lost RM ??

Malacca

  • ATM in Malacca Raya: Lost RM ??
  • ATM in Bandar Hilir: Lost RM 232,770

Johor

  • ATM in Batu Pahat: Lost RM 265,000
  • ATM in Kluang: Lost RM 288,200
  • ATM in Johor Baru: Lost RM ??
  • ATM in Taman Molek: Lost RM ??

The Commercial Crime Investigation Department in Bukit Aman (Malaysia’s elite police force) said the suspects managed to open the top panel of the ATM machines without using a “common key” and inserted a malicious CD to infect the machine with the “Ulssm.exe” virus, which caused the ATM system (running on Windows XP) to reboot.

After the reboot, the infected ATM will “obey” the commands the hackers issue on the keypad and dispense all the available cash in the machine. This is the first “high-tech” method used by robbers to clean out ATM machines.

BUT is it really “high-tech”? Perhaps it is compared to previously reported methods (e.g. trying to cart away the entire machine with bulldozers or pick-up trucks, or trying to blast the machine open with a bomb).

In reality, I would consider it “low-tech” – because:

  1. These ATM machines were running on outdated, unsupported Windows XP, which was discontinued early this year. Microsoft has issued ample warning about XP’s end of life since last year.
  2. What were the banks thinking/doing, running a critical service on an outdated, unsupported operating system? And if they must run Windows XP, why wasn’t there antivirus software installed? That is the first thing any sane person would do if they are running a Windows operating system.
  3. The Trojan/Virus is considered “low risk” by Symantec. See the technical details below.

TECHNICAL DETAILS

Backdoor.Padpin is a Trojan horse that targets automated teller machines (ATM). The Trojan enables an attacker to use the ATM PIN pad to submit commands to the Trojan.

Once executed, the Trojan creates the following file, which can be placed in any folder on the compromised computer:
[PATH TO THREAT]\ulssm.exe

The Trojan then creates the following registry entries so that it runs every time Windows starts:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ulssm.exe" = "[PATH TO THREAT]\ulssm.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ulssm.exe" = "[PATH TO THREAT]\ulssm.exe"

The Trojan can delete itself if it fails to gain control of the PIN pad or dispenser.  The Trojan runs in the background until a specific code is entered on the ATM’s PIN pad.

The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:

  • Dispense money from the compromised ATM
  • Select which cassette the ATM dispenses money from
  • Display cassette information such as bills left, denomination and total amount per cassette
  • Temporarily disable the local network to avoid triggering alarms when withdrawing money
  • Extend the duration of the session in order to continue stealing money
  • Delete the Trojan from the compromised ATM

Ref: Symantec Security Response
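The two Run entries above are the only host-level indicator the write-up gives, so a quick triage is to enumerate both Run keys and flag anything that matches the name or that auto-starts from outside the directories an ATM image is expected to load software from. Here is an added example of that check (not from the post or from Symantec); the directory allowlist is an assumption for illustration and the live read is only attempted on Windows.

```python
import sys
from pathlib import PureWindowsPath

KNOWN_BAD_NAMES = {"ulssm.exe"}          # indicator quoted from the Symantec write-up above
# Allowlist of autostart locations: an assumption for this example, not a vendor baseline.
ALLOWED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEYS = [  # the two keys the Trojan writes itself into
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]

def command_target(command: str) -> str:
    """Executable path from a Run value, whether or not it is quoted or has arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def review_run_entries(entries):
    """entries: (hive, value_name, command) tuples -> [(hive, value_name, reason)]."""
    findings = []
    for hive, name, command in entries:
        target = PureWindowsPath(command_target(command))
        if name.lower() in KNOWN_BAD_NAMES or target.name.lower() in KNOWN_BAD_NAMES:
            findings.append((hive, name, "known indicator: " + target.name.lower()))
        elif not str(target).lower().startswith(ALLOWED_DIRS):
            findings.append((hive, name, "autostart outside allowlisted directories"))
    return findings

def read_live_run_entries():
    """Enumerate both Run keys on a live Windows host; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    for hive_name, subkey in RUN_KEYS:
        with winreg.OpenKey(getattr(winreg, hive_name), subkey) as key:
            for index in range(winreg.QueryInfoKey(key)[1]):   # [1] = number of values
                name, value, _ = winreg.EnumValue(key, index)
                entries.append((hive_name, name, str(value)))
    return entries

if __name__ == "__main__":
    for finding in review_run_entries(read_live_run_entries()):
        print(*finding)
```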

Fortunately, none of the banks’ customer accounts have been compromised. This attack vector only targets the ATM host machine (running Windows XP) to spit out the available cash in the machine.

Maybe, it is high time the Banking Industry consider the more secure Linux for their ATM machines?  :D

You might be interested to read the article on the Bash Shellshock Bug Discovery.

Bash Shellshock Vulnerability Discovered

This is quite serious, as it allows the attacker to run arbitrary code in a bash sub-shell. This bash vulnerability (discovered by Stephane Chazelas) is related to how environment variables are processed, i.e. trailing code after a function definition was executed, independent of the variable name.

(ref: http://seclists.org/oss-sec/2014/q3/649 )

This vulnerability can be easily exploited by skilled hackers over the network in common configurations/setups. The GNU Bash upstream maintainer, Chet Ramey, has already released the official upstream patches.

If you’re running CentOS or another RHEL derivative, please update Bash immediately:

# yum update bash

If you’re running Ubuntu, you can run this command:

# apt-get update && apt-get install --only-upgrade bash

If your host or webserver has some kind of Control Panel (e.g. Cpanel or Plesk) that has auto-update enabled, it may have already updated Bash for you when the cronjob runs.

After updating Bash, please verify that you are no longer vulnerable by running the following command on the command shell/bash:

export badvar='() { :;}; echo vulnerable' && bash -c "echo This is a sub process in '$BASH_VERSION'"

If you have patched up BASH, then you will see something like the following on your shell:

bash: warning: badvar: ignoring function definition attempt
bash: error importing function definition for `badvar'
This is a sub process in 4.1.2(1)-release

BUT if your BASH hasn’t been updated yet, then you will see the following:

vulnerable
This is a sub process in 4.1.2(1)-release

The word “vulnerable” is a dead giveaway that your version of Bash is vulnerable to this exploit. Update immediately!
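Patching is the fix, but you will also want to know whether anyone tried this against your web servers: CGI scripts export the Referer and User-Agent headers into the environment, so the “() {” function-definition prefix showing up in those fields of an access log is the thing to look for, regardless of what follows it. Here is an added example (not from the post) that scans Apache combined-format lines for it; the log lines are constructed and reuse the same harmless “echo vulnerable” probe the post uses to test a local bash.

```python
import re

# Anything that makes bash import a function from the environment starts with
# "() {"; the patched bash refuses such imports, and the tell-tale in web logs is
# that prefix in a client-controlled header, whatever payload follows it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines for this example, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:01:02 +0800] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.3 - - [25/Sep/2014:10:01:05 +0800] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:01:09 +0800] "GET /cgi-bin/status.sh HTTP/1.1" 500 0 "() { :; }; echo vulnerable" "curl/7.30.0"
"""


def find_shellshock_probes(log_text: str):
    """Return (ip, header, path) for every line whose Referer or User-Agent carries
    a function-import prefix; CGI hands those headers to bash via the environment."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue                    # not combined format; skip rather than guess
        parts = m.group("request").split()
        path = parts[1] if len(parts) > 1 else m.group("request")
        for header in ("referer", "agent"):
            if SHELLSHOCK_RE.search(m.group(header)):
                hits.append((m.group("ip"), header, path))
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print("shellshock probe from %s via %s header against %s" % hit)
```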

Slider Revolution Plugin Vulnerability

Sometimes, when you’re cruising along nicely in life, something bad had to happen – like a low-down, good for nothing hacker who discovered a critical vulnerability in the Slider Revolution Plugin and used it to wipe out my entire blog :-(

Yeah, it was bad. The entire WordPress blog got wiped out. I guess that hacker had a bad day and decided to take out his frustration on my blog. This vulnerability in the plugin allows an attacker to download the WordPress’ configuration file – “wp-config.php”  – and view the database connection parameters (username, password and dbserver name).

The latest version of this popular plugin is 4.6.0 (released on 25th August 2014). Versions 4.1.4 and earlier are vulnerable to hackers. If you’ve purchased this plugin from the Envato marketplace, please contact the vendor and get an update immediately.

It seems that the developers of this plugin, “ThemePunch”, released version 4.2 with a changelog entry saying it addressed a ‘security’ issue, but did not disclose how severe that issue was. As a result, many other theme authors who made use of the slider code/plugin did not pay much attention to it and did not update their code base.

Sadly, it was the low-life worms in the underground (i.e. crackers and hackers) who took the information about the vulnerability seriously and began to circulate it on various underground forums. This went on for several months, and on 1st September someone posted a proof-of-concept exploit on a public forum. That’s when all hell broke loose and many script kiddies took advantage of the exposed vulnerability.

Note: Even if you don’t have this plugin installed, but you’re using a paid/commercial theme, you may want to check with the theme author and ask them if the theme is using an earlier version of this popular plugin. There are many commercial themes that use the Slider Revolution plugin/code.

In fact, most of the WordPress sites that got hit were hit because of the vulnerable slider code in their theme files. Even though the developer of this plugin has updated the code and fixed the security hole, many WordPress sites out there are still vulnerable, because it all depends on how the theme developers handle the plugin updates.

How to Check If Your WordPress site is vulnerable:

Type this URL into your browser:

http://YOURSITE.COM/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

*note: replace “YOURSITE.COM” with your domain/url.

If you can view the contents of your wp-config file, then you’re vulnerable: switch theme immediately and contact your theme vendor. If you see a “0”, then you’re safe.
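What makes the check above work is that the “img” parameter is joined onto the plugin’s image directory with nothing stopping “../” from walking out of it to wp-config.php. Here is an added example (in Python, for illustration; it is not the plugin’s PHP code) showing that flawed join beside the hardened form a file-serving handler should use: resolve the candidate path, require it to stay under the image directory, and require an image extension. The demo directory and the allowed extensions are assumptions.

```python
import os
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif"}   # assumed for the example


def vulnerable_resolve(images_dir: str, img: str) -> str:
    """The flawed pattern: user input joined straight onto the directory, so
    img="../wp-config.php" walks out of images_dir and reaches the config file."""
    return os.path.join(images_dir, img)


def safe_resolve(images_dir: str, img: str) -> Path:
    """Resolve img under images_dir and refuse anything that ends up outside it.
    resolve() collapses ".." and follows symlinks, so a symlinked escape is caught
    too; an absolute img replaces the base in the join and is therefore rejected."""
    base = Path(images_dir).resolve()
    candidate = (base / img).resolve()
    if base not in candidate.parents:
        raise ValueError("path escapes the images directory: %r" % img)
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("not an image file: %r" % img)
    return candidate


def is_allowed(images_dir: str, img: str) -> bool:
    """True if safe_resolve() would serve this name."""
    try:
        safe_resolve(images_dir, img)
        return True
    except ValueError:
        return False


# Constructed demo directory; the real plugin serves from its own upload path.
DEMO_DIR = os.path.join(tempfile.gettempdir(), "revslider-demo", "images")

if __name__ == "__main__":
    for name in ("slide1.png", "../wp-config.php", "../../wp-config.php", "sub/../slide2.jpg"):
        print("%-22s vulnerable -> %s | hardened -> %s"
              % (name, vulnerable_resolve(DEMO_DIR, name), is_allowed(DEMO_DIR, name)))
```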