I’ve just returned from the excellent OWASP regional conference in Sydney (the one with the long name of OWASP AppSec AsiaPac 2012), where I presented “How MITMproxy has been slaying SSL Dragons”.
The presentation covered the basics of what MITMproxy is (a developers/pen-testers HTTPS interception/modification proxy), why such software is useful, and what MITMproxy itself is especially good at.
The section on how to use MITMproxy ran about 90% successfully over the live Internet, which is always a risk for a demo at a conference!
The slides are available here, as the original LibreOffice ODP format, or as a PDF. They are Copyright © The University of Otago, released under the CC By-SA 3.0 NZ license.
Java for OS X Lion 2012-003 update
Edit: 9:29am 13 Apr 2012 – Apple have just released “Java for OS X Lion 2012-003” – a security update that removes the most common variants of the Flashback malware, and also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.
A new variant of Java-based malware dubbed “Flashback” has been spreading rapidly on OSX – some reports suggested over 550 thousand Macs were infected as of 4 April 2012. It gains a foothold on a vulnerable system and can be used to download more malware at a later date.
There has been lots of publicity about Flashback, mainly because Apple contributed significantly to the problem by releasing a fix 8 weeks late. Ed Bott summarizes the situation very well in a blog post at zdnet.com.
The infection is caused by attackers exploiting several bugs in Java to trigger a “drive-by” infection of vulnerable computers. This means viewing a malicious website is enough to infect your computer. Java is used to run various applications and comes built in to most Apple computers. The official Apple support document (HT5228) is very brief, and only notes that “Java for OS X Lion 2012-002 and Java for Mac OS X 10.6 Update 7” fixes multiple vulnerabilities in Java 1.6.0_29. While Java is made by Oracle, Apple manages Java updates to OSX independently.
- Macs and OSX should not be viewed as “more secure” than Windows or other operating systems, especially since Apple has a history of being slow in releasing security fixes.
- Antivirus software should be installed on all computers – it is cost effective protection against most threats.
What you should do:
Detection and removal (Technical users only):
- Check the DYLD_INSERT_LIBRARIES environment variable in web browsers, or visit flashbackcheck.com or www.drweb.com/flashback/?lng=en to detect infected computers.
- Rebuild infected machines from known good media. Cleanup should only be opted for where a rebuild is prohibitively costly.
- Manually clean up the infection, or use a removal tool: we know of tools from Apple (via Software Update), Kaspersky and F-Secure.
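The DYLD_INSERT_LIBRARIES check above, as an added example script (not from the original post or any of the vendor tools): it looks for that variable in the browser Info.plist files and the per-user environment.plist where Flashback variants were publicly reported to plant it, and in the live environment. The browser bundle paths are assumptions based on public removal guidance; a hit is a strong indicator rather than proof, and a clean result does not rule out other variants.

```sh
#!/bin/sh
# Added example, not from the original post: report DYLD_INSERT_LIBRARIES
# entries in the places Flashback variants used to inject a library into
# browsers (LSEnvironment in a browser's Info.plist and the per-user
# ~/.MacOSX/environment.plist). Paths are assumptions from public guidance.

# plist_has_dyld_insert FILE: succeed (exit 0) if the plist names the variable.
plist_has_dyld_insert() {
    [ -f "$1" ] || return 1
    if command -v plutil >/dev/null 2>&1; then
        # macOS: normalise a binary or XML plist to XML before searching
        plutil -convert xml1 -o - "$1" 2>/dev/null | grep -q 'DYLD_INSERT_LIBRARIES'
    else
        # non-macOS (or plutil missing): XML plists are plain text
        grep -q 'DYLD_INSERT_LIBRARIES' "$1"
    fi
}

# flashback_indicators: print each suspicious location; exit 0 only if none found.
flashback_indicators() {
    found=0
    for f in /Applications/Safari.app/Contents/Info.plist \
             /Applications/Firefox.app/Contents/Info.plist \
             "$HOME/.MacOSX/environment.plist"; do
        if plist_has_dyld_insert "$f"; then
            echo "SUSPICIOUS: DYLD_INSERT_LIBRARIES set in $f"
            found=1
        fi
    done
    # the variable should not be present in the running environment either
    if [ -n "${DYLD_INSERT_LIBRARIES:-}" ]; then
        echo "SUSPICIOUS: DYLD_INSERT_LIBRARIES=$DYLD_INSERT_LIBRARIES in environment"
        found=1
    fi
    return $found
}

flashback_indicators && echo "No DYLD_INSERT_LIBRARIES indicators found"
```

Run it as the user whose browser is suspect; a rebuild from known good media remains the recommended response to any hit.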
There’s a nice and very detailed article over on Ars Technica covering the history of the micronation Sealand operating as a Data Haven …
Written by James Grimmelmann, Associate Professor at New York Law School, http://arstechnica.com/tech-policy/news/2012/03/sealand-and-havenco.ars covers the history, motivation and inevitable failure of the HavenCo business, as well as a good part of the history of Sealand itself. There is a significantly longer and much more detailed paper (80 pages) published by Mr Grimmelmann in the University of Illinois Law Review journal for those who enjoy more in-depth discussions.
And no, WikiLeaks is not going to be able to move servers to Sealand in order to avoid prosecutions, sorry.
We’ve just updated the Common Internet Scams page with a new and unusual scam that’s recently been seen around the world. Known as the “hit man” or “Assassin” scam, this email essentially claims that the senders are going to kill you – contact them immediately if you want to live.
We suspect the obvious – contact them and they will ask for money. Ignore the email. However, if you do feel threatened, contact your local law enforcement agency. An example of these emails is below:
Subject: You have been betrayed by your Friend
You have been betrayed!!! Its a pity that this how your life is goingto come to an end as your death had already been paid for by someone who is very close to you from all investigations.
I have ordered 3 (three) of my men to monitor every move of you and make sure you are not out of sight till the date of your assassination.
According to the report I gets, you seem to be innocent about what you have been accuse but I have no business with that, so thats why am contacting you to know if truly you are innocent and how much you value your life.
Get back to me if you sure want to live on, ignore this mail only if you feel its a joke or just a threat.
Dont forget your days on earth are numbered, so you have the chance to live if only you will comply with me.
WARNING: Tell no one about this mail to you because he or she might just be the person who wants you dead, and if that happens, I will be aware and am going to make sure you DIE instantly.
I will give you every detail of where to be and how to take any actions be it legal or illegal, thats only when I read from you.
You need to stay calm and act unaware of this situation and follow instructions because any move you make that is suspicious; you will DIE as your days are numbered.
One of the most important protections against malware is to have up-to-date versions of software in use. The base OS and some applications are very good at checking and updating themselves, but there are lots of applications that leave it up to you to check; and who has time for that?
The security services company Secunia has recently updated their Personal Software Inspector application, and you can find the v3 beta version available free of charge at https://secunia.com/psi_30_beta_launch/
This app scans your Windows PC, looking for outdated software; it then downloads and installs the updates for you. I have a Windows virtual machine here that I occasionally use, and it has very little installed on it at all; PSI still found updates for Firefox, Opera and most importantly Adobe Flash!
If you are responsible for maintaining the state of your own Windows PC, I’d recommend adding Secunia PSI to your toolbox.
I am sure that the recent news regarding the Hon Murray McCully’s email account at xtra being hacked will have many people concerned about internet service providers’ security. The essence of this particular event is this: McCully was able to redirect (at least some of) his parliamentary email to his electoral account. This redirection was probably done to facilitate some event or action. However, the possible long term consequences of this action don’t seem to have been considered. The xtra account was apparently more exposed than the parliamentary one and hence had less protection (McCully’s official contact page lists several contact accounts), so guessing the password will have been a matter of time. Note that this type of activity is an offence under the Crimes Act.
If you are redirecting corporate email to an external service, be very sure that you are staying within policy and contractual obligations. Generally the highest data classification (e.g. confidential, sensitive or personally identifiable information) will apply to an email account if it contains or is likely to contain such content. This way the risk of unauthorised disclosure is minimised, and it should avoid situations like the one McCully now finds himself in. He will now spend many hours in damage control, probably far more than the time he would have saved by not redirecting his email.
Just published a page listing some common internet scams that the Information Security Office often gets asked about. It’s just a wall of text at the moment, but I’ll add some annotated screenshots over the next few weeks to better illustrate each type of scam.
The Electronic Frontier Foundation have released a quick tutorial on clearing your private data before the new policy takes effect.
I was delighted by a recent post on the SANS web site from Johannes B. Ullrich. In his article he lists 5 documents that deal with hardening OSX. For those that don’t know, hardening is the process of securing a computer by reducing the vulnerable attack surface. I was only aware of the Apple documentation and not the others. Ullrich notes that the Apple documents do not cover OS X Lion (10.7). This is disappointing, as I would have thought that Apple would have been more proactive given their increasing market share.
Anyway, the list is included below, and anyone exposing an Apple computer to the internet is advised to check the documents to make sure that they have enabled sufficient shielding to withstand probes and attacks.
- Apple
- NSA Guide
- Mac Shadows
- University of Texas
- Center for Internet Security