How MITMproxy has been slaying SSL Dragons

Monday, April 16th, 2012 | Jim Cheetham

I’ve just returned from the excellent OWASP regional conference in Sydney (the one with the long name of OWASP AppSec AsiaPac 2012), where I presented “How MITMproxy has been slaying SSL Dragons”.

The presentation covered the basics of what MITMproxy is (a developers’/pen-testers’ HTTPS interception and modification proxy), why such software is useful, and what MITMproxy itself is especially good at.

The section on how to use MITMproxy ran about 90% successfully over the live Internet, which is always a risk for a demo at a conference!

The slides are available here, as the original LibreOffice ODP format, or as a PDF. They are Copyright © The University of Otago, released under the CC By-SA 3.0 NZ license.

Flashback Malware Infecting Macs

Thursday, April 12th, 2012 | Gene Teo

[Screenshot: Java for OS X Lion 2012-003 update]

Edit: 9:29am 13 Apr 2012 – Apple have just released “Java for OS X Lion 2012-003”, a security update that removes the most common variants of the Flashback malware and also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time, it will again disable Java applets.

A new variant of Java-based malware dubbed “Flashback” has been spreading rapidly on OSX – some reports suggested over 550 thousand Macs were infected as of 4 April 2012. It gains a foothold on a vulnerable system and can be used to download more malware at a later date.

There has been lots of publicity about Flashback, mainly because Apple contributed significantly to the problem by releasing a fix 8 weeks late. Ed Bott summarizes the situation very well in a blog post at zdnet.com.

The infection is caused by attackers exploiting several bugs in Java to trigger a “drive-by” infection of vulnerable computers: simply viewing a malicious website is enough to infect your computer. Java is used to run various applications and comes built in to most Apple computers. The official Apple support document (HT5228) is very brief, and only notes that “Java for OS X Lion 2012-002 and Java for Mac OS X 10.6 Update 7” fixes multiple vulnerabilities in Java 1.6.0_29. While Java is made by Oracle, Apple manages Java updates to OSX independently.

Lessons:

  • Macs and OSX should not be viewed as “more secure” than Windows or other operating systems, especially since Apple has a history of being slow in releasing security fixes.
  • Antivirus software should be installed on all computers – it is cost-effective protection against most threats.

What you should do:

Detection and removal (Technical users only):

  1. Check the DYLD_INSERT_LIBRARIES environment variable in web browsers, or visit flashbackcheck.com or www.drweb.com/flashback/?lng=en to detect infected computers.
  2. Rebuild infected machines from known good media. Cleanup should only be opted for where a rebuild is prohibitively costly.
  3. Manually clean up the infection, or use a removal tool: we know of tools from Apple (via Software Update), Kaspersky and F-Secure.
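As an added example for step 1 (not part of the original post), a POSIX shell check that looks for a DYLD_INSERT_LIBRARIES key in a property list and reports the library it injects. The browser Info.plist and ~/.MacOSX/environment.plist locations are assumptions taken from the public removal guides, and the sample plists are constructed for testing.

```shell
#!/bin/sh
# Look for a DYLD_INSERT_LIBRARIES entry in a property list and report the
# library it injects. The public Flashback removal guides checked the
# LSEnvironment dictionary of browser Info.plist files and the user's
# ~/.MacOSX/environment.plist (assumed locations; the variable name is from
# the post). Returns 1 and prints the injected path(s) if found, else 0.
check_plist_for_dyld() {
    plist="$1"
    [ -r "$plist" ] || return 0
    # The value is the <string> element that follows the key.
    hits=$(awk '
        /<key>DYLD_INSERT_LIBRARIES<\/key>/ { want = 1; next }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, "")
            print; want = 0
        }' "$plist")
    if [ -n "$hits" ]; then
        printf 'SUSPECT %s injects: %s\n' "$plist" "$hits"
        return 1
    fi
    return 0
}

# Scan the locations the removal guides named (paths are assumptions).
scan_browsers() {
    rc=0
    for p in /Applications/Safari.app/Contents/Info.plist \
             /Applications/Firefox.app/Contents/Info.plist \
             "$HOME/.MacOSX/environment.plist"; do
        check_plist_for_dyld "$p" || rc=1
    done
    return "$rc"
}

# Constructed sample plists so the check can be exercised offline.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/infected.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/CONSTRUCTED_EXAMPLE.dylib</string>
  </dict>
</dict></plist>
EOF
    printf '<plist version="1.0"><dict>\n<key>CFBundleName</key><string>Safari</string>\n</dict></plist>\n' > "$dir/clean.plist"
    echo "$dir"
}
```

On a real machine, run `scan_browsers` and treat any SUSPECT line as a reason to rebuild per step 2.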