Security Week 47: bookmarks in Android, Wi-Fi security, NTP vulnerability

In the last issue, I wrote that Apple seems to send information about the history of phone calls to iCloud by default, and you can disable this only by completely blocking the cloud backup. This week was not the only news on the topic: the developer of Android-based devices also excelled. Researchers from Anubis Networks discovered ( news , research ) in Chinese smartphones OEM companies Ragentek a mechanism that can be qualified as a backdoor in a number of ways.

This is a firmware update scheme: the software module has root rights in the smartphones of this manufacturer, regularly requests the manufacturer’s servers, and can download and install updates from them. Everything seems to be fine, but there are two “buts.” Firstly, all communications are over HTTP, which makes smartphones vulnerable to attacks such as man-in-the-middle with the ability to execute arbitrary code. Secondly, of the three domains wired into the module, two software developers simply forgot to register - they would still be in the public domain if Anubis researchers did not register them for themselves. Monitoring connections to domains allowed us to estimate the approximate number of vulnerable devices: under three million.

A little earlier, on November 15, in the New York Times, with reference to the Kryptowire research group, they toldthat a number of Android devices of the manufacturer BLU Products have a monitoring module for the Adups advertising network that sends “somewhere to China” detailed information about the user, including “call history, message texts” and so on. Then the manufacturer explained the problem as an unfortunate mistake, and released a patch. A week passes, and it turns out that BLU smartphones are also subject to a problem with the update downloader.




It is likely that this is indeed a coincidence, and the fact is that they begin to think about privacy only after publication in the New York Times, and sometimes this does not help. Today, by the way, thoughts on the same topic publishedin his blog Evgeny Kaspersky. Some Chinese OEMs are of course quite bad, but this does not mean that reputable vendors are doing well. A variety of telemetry about the user wants to collect absolutely everything, and yet yes, sometimes it is really necessary, and it benefits everyone. At a minimum, user information needs to be safely transferred and stored, and this week’s news shows an example of how not to do it. As a maximum, it is desirable to take into account the wishes of the users themselves, communicating the reasons and goals of data collection clearly and openly. Otherwise, there is a feeling that our gadgets are gradually getting out of our control. However, privacy is not limited. Understanding what your smartphone, tablet or laptop does is becoming more difficult over time.

NTP vulnerabilities detected and closed
The news .

On Monday, NTP project maintainers released a patch covering a number of vulnerabilities in the system for transmitting accurate time information. One of the vulnerabilities discovered by the researcher Magnus Stabman allows to disable the ntpd server using a single prepared request. Other vulnerabilities do not necessarily lead to a denial of service, but lead to increased resource consumption, and could potentially be used to conduct a DDoS attack. Since 2013, there have been many cases of strengthening DDoS attacks due to the exploitation of various problems in ntp servers. However, while for new vulnerabilities there is only one Proof of Concept, which leads only to a denial of service.

A quarter of Wi-Fi hotspots worldwide are unprotected
The news . Research of the "Laboratory".

According to Kaspersky Lab, approximately 22% of access points around the world are, in principle, in no way protected from unauthorized access and traffic interception. A little less than 3% are protected by the WEP protocol, about which it has been known for many years that it is unsafe - that is, they can be equated to open hotspots. Interestingly, this information does not apply to access points theoretically accessible to the user, but to those that are actually used. The good news is that three quarters of Wi-Fi points are protected quite reliably: in 68% of cases the protocol WPA2 is used, in 7% - WPA. One of the leaders in the share of unsafe hotspots is South Korea (48% of open points or WEP), Germany was the most protected country (85% of hotspots are reliably protected).


The share of unsafe hotspots by country.

Connection security is an important factor, but if you are connecting to someone else's access point, it is not so important how the connection itself is protected. The built-in paranoid recalls that trusting the transfer of important data in such a configuration is undesirable. However, I personally have been using open WiFi for a long time only in conjunction with a VPN: regular reading of information security news hints that there seem to be no other options. The statistics of the "Laboratory" is based on the analysis of 32 million hotspots around the world.

What else happened:
Another Tesla hack , although not really. Researchers have shown how you can take control of a proprietary application for remote control of a car on a smartphone.

The US Department of Defense formulates disclosure rules for vulnerabilities. The recommendations are based on the experience of the Bug Bounty program (known as Hack The Pentagon) and look very progressive, especially for government agencies. Interestingly, the “pentest” is directly prohibited from phishing against employees of the Ministry of Defense. It remains only to prohibit cybercriminals from doing the same.

Antiquities

“Form”

A very dangerous virus that infects the boot sector of floppy disks when accessing them and the boot sector of the hard drive when booting from a floppy disk. It is located on the hard drive in the last sectors of the disk on a floppy disk - using the Brain method. It appears on the 24th of every month - when you press the keys, the virus makes an idle cycle. When working with the hard drive, data loss may occur. It hooks int 9 and int 13h. Contains the text “The FORM-Virus sends greettings to everyone who's reading this text. FORM doesn't destroy data! Don't panic! Fuckings go to Corinne. "

Quote from the book" Computer viruses in MS-DOS "by Eugene Kaspersky. 1992 year. Page 101.

Disclaimer:This column reflects only the private opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. That's how lucky.