DROWN attack risks millions of popular websites

An international team of researchers warned that more than 11 million websites and e-mail services protected by the transport layer security protocol are vulnerable to a new, low-cost attack that decrypts sensitive communications in few hours.

The cybersecurity experts from universities in Israel, Germany and the US as well as a member of Google's security team found that more than 81,000 of top one million popular websites are vulnerable.
The researchers said many popular sites - including ones belonging to Samsung, Yahoo and a leading Indian bank - appeared to be vulnerable.

The DROWN attack works against TLS-protected communications that rely on the RSA cryptosystem when the key is exposed even indirectly through short for secure sockets layer version 2 (SSLv2).

The vulnerability allows everyone on the internet to browse the web, use e-mail, shop online and send instant messages without third-parties being able to read the communication.  It allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Under some common scenarios, an attacker can also impersonate a secure website and intercept or change the content the user sees.

While many security experts believed the removal of SSLv2 support from browser and e-mail clients prevented abuse of the legacy protocol, some misconfigured TLS implementations still tacitly support the legacy protocol when an end-user computer specifically requests its use.

Websites, mail servers, and other TLS-dependent services are at risk for this attack, and many popular sites are affected.

In practice, older email servers would be more likely to have this problem than the newer computers typically used to power websites.

In addition, because many of the servers vulnerable to Drown were also affected by a separate bug, a successful attack could be carried out using a home computer.

Though a fix has been issued but it will take time for many of the website administrators to protect their systems.

The researchers have released a tool that identifies websites that appear to be vulnerable.

The SSLv2 protocol was weakened because, at the time of its creation, the US government wanted to try to restrict the availability of tough encryption standards to other countries.

It has since eased its export limits, but the effects live on.

Researcher discovers flaws in Telekom’s server

Ebrahim Hegazy, an Egyptian researcher, has found another vulnerability that affected the Web servers of Deutsche Telekom, Germany's biggest telecommunications provider.

He discovered the bug on the telekom.de website, on one of the subdomains that displayed a generic landing page. The subdomain umfragen.telekom.de translates to suggestions.telekom.de, and seems to be an abandoned Web page left behind from previous site iterations.

According to the researcher, attackers could have gained full control of the Deutsche Telekom server.
The researcher said that the vulnerability was the most basic example of Remote Code Execution (RCE) vulnerability that allows attackers to gain full control of a Web server just by pinging its ports and open connections with malicious requests.

Having brute-forced the URL, Hegazy came across an upload.php file. The researcher built a tool called Pemburu for pen testing.

He managed to find the URL, which the upload.php file sent user-submitted data. His tool went through a large set of URL variations and eventually discovered that the file sent data to umfragen2.telekom.de/upload.php. This allowed Hegazy to take a closer look at the code.

He came across a mechanism that acquired user input from the HTTP POST request without sanitizing it in any way and then attached the data as parameters to the PHP system function.

This particular function is modeled after the system function in C and allows PHP developers to execute shell commands from inside their PHP app and retrieve the results. Generally, it's considered a good practice not to use this function on any front-facing Web server.

He reported about the flaw to the telco's security team. The flaw has been patched.

As per a report published in Softpedia said that his research was carried out as part of the company's bug bounty program and received a €2,000 / $2,150 reward.

Danske bank fixes several vulnerabilities that could allow hackers to get into bank accounts

Most of us prefer to keep money at our bank accounts than to keep at home as we believe that banks are safer in comparison to our homes. But, you must get panicked, once you read a blog post by Sijmen Ruwhof, Freelance IT Security Consultant and an Ethical Hacker.

He has published a bank review entitled “How I could hack internet bank accounts of Danish largest bank in a few minutes”  in which he revealed that any hacker could easily get into the website of Danske Bank, one of the largest banks of Denmark, and get access to the users accounts.

His in-depth technical post explains the extent to which Danske Bank is vulnerable to hacking.

He discovered the vulnerability in August when he got intrigued with the idea of testing Bank’s security while interacting with a group of Danish hackers at the Chaos Communication Camp (CCC), near Berlin.

During the interacting program, security experts and Whitehat hackers were disappointed with the terrible security implementations adopted by many Danish Banks.

“I opened up the Danske Bank’s website and was curious to see how the HTML code looked like, so opened the code of the customer login screen of the banking environment. I strolled thru the code to get a grasp of the technology used,” the security researcher wrote in the blog.

Then he saw JavaScript comments that seemed to contain internal server information. Not just a few variables, but quite a lot of confidential data.

“It was in URL encoded format, so I decoded it right away. Really wondering what kind of secrets it contained,” he added. I was shocked. Is this happening for real? In less than a minute on their web site, this is just the HTML code of the login screen, one of the most visited pages of Danske Bank’s web site.”

The researcher said that he could see IP address of a probable customer via variable HTTP_CLIENTIP while visiting Danske Bank’s website. Similarly, HTTP_USER_AGENT contains an operating system and web browser details.

He warned that variable HTTP_COOKIE was visible and full of information; credentials of a customer could be hijacked in a very few time.

According to the researcher, Danske Bank doesn’t use a secure HTTPS connection to transport customer banking traffic; as variable HTTPS was OFF and SERVER_PORT carried value 80. The bank is still using COBOL code on their backend; for (Customer Information Control System) CICS and Database handling.

However, the good news is bank has patched all the vulnerabilities only after the researcher had uploaded his findings on his blog.

Starbucks fixes critical flaws that could allow an attacker to steal users’ credit-cards

Mohamed M. Fouad, an Information Security Consultant from SecureMisr, has discovered a critical flaw in Starbucks that allowed an attacker to steal users’ credit-cards and perform Remote Code Execution.

“I discovered a lot of critical security vulnerabilities at (Starbucks) that can lead to very harmful impact on all users by forcing them to change their passwords, add alternative emails or change anything in their store profile settings and steal users’ stored credit-cards. It can also perform phishing attack on users and remote code execution on Starbucks servers,” the Egyptian researcher said in a blog post.

According to the researcher, Remote File Inclusion Vulnerability occurs when a file from any location can be injected into the attacked page and included as source code for parsing and execution. It allowed me to able to perform:

         -  Code execution on the web server.

          - Code execution on the client-side such as JavaScript which can lead to other    attacks   such as cross site scripting (XSS).

         -  Data theft/manipulation via phishing attack to steal users accounts that contain Credit cards and payment orders information.

The researcher started his research a year ago when there was a Zero-Day for Starbucks about iOS Mobile Application and "Insecure Data Storage" vulnerability was detected.

While he was searching about Starbucks hacking news he found another vulnerability two months ago which allowed the attackers to steal Starbucks users gift cards and duplicate funds on Starbucks gift cards.

“I noticed 2 months ago that Starbucks joined bug bounty programs. So my passion lead me to take a look on Starbucks  looking for a vulnerabilities in Starbucks until I found two major vulnerabilities which allow an attacker to perform Remote Code Execution on Starbucks server also phishing attacks via Remote File Inclusion Vulnerability and another one it was critical also about CSRF store account take over by just one-click. Starbucks store account contains payment history,” he added.

However, Starbucks confirmed that it has fixed the vulnerabilities.

Apple claims to have fully fixed a critical iOS Airdrop vulnerability, which researcher says it doesn’t

Some days ago, Mark Dowd, a security researcher, discovered a critical flaw in iOS 9 that allows an attacker within Bluetooth range of an iPhone to install malicious apps using the Airdrop filesharing feature.

A report published in Ars Technica confirms that after that, the researcher privately reported it to Apple.

Then, Apple released a press statement on Wednesday informing that the vulnerability has been mitigated in iOS 9.

However, the researcher did not stop his research and revealed that the bug still hasn't been fixed.

The mitigations available in Wednesday's release of iOS 9 are one more benefit that security-conscious iPhone users should consider when deciding whether to install the update.

The researcher exploited a directory traversal flaw that allows attackers to write and overwrite files of their choice to just about any file location they want.

The researcher used an enterprise certificate that Apple makes available to developers so large organizations can install custom apps on large fleets of iPhones.

During his research, his technique installs did not generate a dialog that warns the end user that the app is signed by a third party and asking for approval to proceed.

“Another method for bypassing iOS code-signing restrictions would be to combine my Airdrop hack with jailbreak exploit, such as the TaiG jailbreak that Apple recently patched with version 8.4 of iOS,” he said.

He posted a video to show how thw bug allows attackers who briefly have physical access to a vulnerable iPhone or who are within Bluetooth range of it, to install an app that the device will trust without prompting the user with a warning dialog.

Security Bug allows Hackers to take Control of Curiosity Rover's OS

Serious security flaws has been discovered in VxWorks, a real-time operating system made by Wind River of Alameda, California, US, in 1987. The OS is used from network  routers to critical instruments like NASA's Curiosity Rover on Mars and Boeing 787 Dreamliners.

A Canadian researcher Yannick Formaggio presented a detailed significant flaw in VxWorks at 44Con, an information security conference in London. He said that, "VxWorks is the world's most widely used real-time operating system deployed in embedded systems. Its market reach spans across all safety critical fields, including the Mars Curiosity rover, Boeing 787 Dreamliner, network routers to name a few." Formaggio added, "In this age of IoT, the issue will have a widespread impact."

The researcher discovered the flaw after an Istuary client requested about the understanding of the critical  infrastructure industry.

The flaw allowed Formaggio “to target a specific part of the operating system and write to memory on the machine running VxWorks. From there, it was possible to set up a backdoor account and control functions of the operating system."

One of the another major finding of his research was that the “FTP server is susceptible to ring buffer overflow when accessed at a high speed” and crashes when sent a “specially crafted username and password”.

The current version of VxWorks is 7, Versions 653 has the problem, which might have affected many millions of devices and they need to be patched. Wind River has acknowledged the flaw and is in the process of providing patches.