Experts Find 11 Issues in TrueCrypt, but No Backdoors or Malicious Code

Vulnerabilities found in TrueCrypt

In October 2013, some experts announced their intention to audit TrueCrypt, the open source file and disk encryption software, to see if it was really secure. The first phase of the audit has been completed and the results are in.

According to the report from iSEC Partners, the company in charge of reviewing the software, a total of 11 issues have been discovered. Four of them are medium-severity, another four are low-severity and the rest are “informational” issues.

iSEC says the source code for the bootloader and the Windows kernel driver does “not meet expected standards for source code.” The issues include the use of insecure or deprecated functions, lack of comments, and inconsistent variable types.

On the other hand, the online documentation does contain good recommendations on how to use TrueCrypt and a detailed description of the application’s functionality.

On the bright side, the auditors say they haven’t found any evidence of “backdoors or otherwise intentionally malicious code in the assessed areas.”

The vulnerabilities they have identified appear to be a result of bugs that have been introduced unintentionally.

The list of vulnerabilities includes a weak Volume Header derivation algorithm, multiple issues in the bootloader decompressor, sensitive information paged out from kernel stacks, and the fact that the memset() function is used by the Windows kernel driver to clear sensitive data.

These are the medium-severity flaws that put user information at risk. Successful exploitation could lead to legal implications, a negative impact on the client’s reputation and moderate financial impact.

The list of low-severity bugs includes integer overflows in IOCTL_DISK_VERIFY and MainThreadProc(), kernel pointed disclosure in TC_IOCTL_GET_SYSTEM_DRIVE_DUMP_CONFIG, and multiple issues in TC_IOCTL_OPEN_TEST. In the case of these vulnerabilities, the risk is relatively small or considered not important.

iSEC recommends that the Windows build environment is updated because it depends a great deal on tools and software packages that are difficult to obtain from trustworthy sources. Once this is done, all binaries, with all security features enabled, should be rebuilt.

In addition to updating the build environment, experts also recommend that the quality of the code should be improved because the way it is now makes it difficult to review and maintain TrueCrypt.

Phase two of the audit focuses on cryptanalysis. This second phase will also probably take several months to complete.

A full report on phase one of the TrueCrypt audit can be found on the opencryptoaudit.org website.

Expert Finds SQL Injection, RCE Vulnerabilities in Flickr Photo Books – Video

SQL Injection vulnerability in Flickr

Security researcher Ibrahim Raafat has managed to gain access to Flickr’s databases after uncovering an SQL Injection vulnerability in Flickr’s Photo Books section. In addition, the expert has also found a remote code execution vulnerability.

Raafat initially found a couple of Blind SQL Injection vulnerabilities in the “Checkout” section of Flickr Photo Books, which the photo sharing website introduced back in November 2013.

He reported his findings via HackerOne, but he didn’t get a reply for eight days. After poking around on the website a bit more, he managed to identify a direct SQL Injection flaw, which he could leverage to gain access to Flickr databases, including the MySQL root password.

Then, the expert went even further and managed to write files and execute code on the server. After his second report, Yahoo, which owns Flickr, addressed the vulnerabilities within 6 hours.

Last week, Yahoo fixed an information disclosure flaw in Flickr that had existed for two months before it was taken seriously by the company.

For additional details on the Flickr SQL Injection and RCE vulnerabilities, check out Ibrahim Raafat’s blog PWN Rules. Also, take a look at the video proof-of-concept published by the expert:

Details of 480,000 People Compromised in UK Cosmetic Surgery Company Hack

Harley Medical Group form targeted by hackers

Harley Medical Group, a British plastic and cosmetic surgery company based in Thames Ditton, Surrey, has suffered a data breach in which the details of 480,000 individuals have been compromised. The attackers have reportedly attempted to blackmail the company.

According to The Guardian, hackers gained access to the names, addresses and phone numbers of individuals who have entered their information in the initial inquiry form on the company’s website.

The form is used by people who are considering various procedures like tummy tucks, liposuction and breast enlargement.

Fortunately, no medical or financial information has been accessed by the cybercriminals.

Impacted individuals have been notified. A report has also been filed with the Information Commissioner’s Office and the police.

Harley Medical Group representatives have told The Guardian that they took measures as soon as they learned of the breach. The company says the attackers were trying to blackmail them. Additional security measures have been put in place to prevent future incidents.

The ICO has confirmed that it has been made aware of the incident, and says that an investigation has been launched. The agency will decide if any action must be taken against the Harley Medical Group for the data breach.

UK ICO Says Wirral and Wokingham Councils Breached Data Protection Act

ICO warns councils over poor practices

The United Kingdom’s Information Commissioner’s Office (ICO) has published reports on a couple of councils that have breached the Data Protection Act. The councils in question are the Wirral Borough Council and the Wokingham Borough Council.

According to the ICO, the Wokingham Borough Council lost sensitive social services records relating to the care of a young child. The files, requested by a family member, were left by the delivery driver outside the requester’s home.

The driver should have been informed that the documents were sensitive and that he should have requested a signature. If no one was there to sign for the package, it should have been returned to the council. Furthermore, the council didn’t contact the requester to arrange a delivery time.

“No one expects to have sensitive information about the care of their child left on the doorstep for anyone to stumble across. However, a series of errors by the council has led to a situation where a social service record containing damaging allegations of abuse suffered by the child, has been delivered with no consideration given to its content,” noted ICO Head of Enforcement, Stephen Eckersley.

“This is not good enough and Wokingham Borough Council has now agreed to take action to make sure future deliveries containing sensitive personal information are carried out securely. They must also make sure their staff receive regular training so they can follow the council’s updated processes.”

In the case of the Wirral Borough Council, it had breached the Data Protection Act after sending sensitive social services records to wrong addresses on two different occasions. The council has agreed to improve its practices.

“While human error was a factor in each of these cases, the council should have done more to keep the information secure. Social workers routinely handle sensitive information and Wirral Borough Council failed to ensure their staff received adequate training on how to keep people’s information secure,” Eckersley said.

“We are pleased that the council has now made its data protection training mandatory for all staff following these incidents and has agreed to take further action to address the underlying problems that led to these mistakes,” he added.

“This includes ensuring that all staff complete the data protection training by the end of June and adequate checks are in place to make sure sensitive records are being sent to the right address.”

These two incidents show that government organizations should really focus more on internal security practices.

Digital Storage Company LaCie Hacked

LaCie suffers data breach

High quality digital storage manufacturer LaCie has suffered a data breach. The company says cybercriminals used a piece of malware to steal information on transactions made through the LaCie website.

According to an incident notification posted on the company’s website, the hackers could have obtained usernames, passwords, names, addresses, email addresses, credit and debit card numbers and card expiration dates.

A forensic investigation firm has been called in to analyze the breach. All individuals who made transactions on the LaCie website between March 27, 2013, and March 10, 2014 are impacted.

User passwords have been reset and the e-commerce section of the website has been disabled while the company transitions to the services of a firm that specializes in secure payment processing.

Customers are also advised to keep a close eye on their payment cards and contact their banks in case they spot any unauthorized charges.

“We recommend that you remain vigilant by reviewing your account statements and credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies,” LaCie noted.

So far, there’s no mention of free credit monitoring or identity theft protection services being offered to impacted customers.

Over Two Dozen VMware Products Affected by Heartbleed

VMware promises to patch products affected by Heartbleed by April 19

VMware says that more than two dozen of its products are affected by the recently disclosed OpenSSL vulnerability dubbed Heartbleed. The company plans to release updates and patches for the impacted products by April 19.

The list of VMware products shipped with OpenSSL 1.0.1, which contains the Heartbleed bug, includes ESXi 5.5, NSX-MH 4.x, NSX-V 6.0.x, NVP 3.x, vCenter Server 5.5, vFabric Web Server 5.0.x – 5.3.x, VMware Fusion 6.0.x, VMware OVF Tool 3.5.0.

Several VMware Horizon View, VMware Horizon Workspace and VMware vCloud versions are also affected.

“The VMware Security and Engineering teams are working on remediation for the VMware products that have been impacted. VMware is acutely aware of the seriousness of the Heartbleed vulnerability, and all available resources are being directed toward a resolution amidst this industry-wide situation,” the company noted in its advisory.

Heartbleed is causing problems for many major companies. Last week, Akamai released a patch that was designed to protect organizations against potential attacks. However, experts shortly discovered that the patch was not completely efficient.

“In short: we had a bug. An RSA key has 6 critical values; our code would only attempt to protect 3 parts of the secret key, but does not protect 3 others. In particular, we only try to protect d, p, and q, but not d mod (p-1), d mod (q-1), or q^{-1} mod p,” explained Akamai Chief Security Officer Andy Ellis.

“These intermediate extra values (the Chinese Remainder Theorem, or CRT, values) are calculated at key-generation time as a performance improvement,” Ellis added.

“As the CRT values were not stored in the secure memory area, the possibility exists that these critical values for the SSL keys could have been exposed to an adversary exploiting the Heartbleed vulnerability. Given any CRT value, it is possible to calculate all 6 critical values.”

Akamai has started rotating all SSL certificates to make sure that the company’s customers are protected.

In the meantime, Trend Micro has analyzed the impact of Heartbleed on the Deep Web. Experts say that many Tor hidden services are affected by the OpenSSL vulnerability, so their customers are just as concerned about the integrity of their data as regular Internet users.

“You can rest assured that law enforcement will be scanning potential ecosystems that are potential anonymous criminal networks. This will be an attempt to discern if they might be able shine a bright lens on communities thought to be untraceable but now equally vulnerable due to this pervasive bug in OpenSSL,” noted Trend Micro’s JD Sherry.

Robert Hannigan Is the GCHQ’s New Director

Robert Hannigan appointed as director of the GCHQ

Robert Hannigan has been appointed as the new director of the Government Communication Headquarters (GCHQ). Hannigan replaces Sir Ian Lobban, who will step down this fall.

“I am delighted that Robert Hannigan has been appointed as the next Director of GCHQ. GCHQ’s world-class work is vital to the safety and security of the United Kingdom,” Foreign Secretary William Hague commented.

“As well as his impressive personal qualities, Robert brings to the job a wealth of relevant experience in the fields of national security, counter-terrorism and international relations. I’d also like to thank Sir Iain Lobban for his consistently strong and professional leadership as Director of GCHQ since 2008,” Hague added.

It’s worth noting that Hannigan is responsible for the UK’s first Cyber Security Strategy. He has also overseen the first National Security Strategy.

Before becoming the director of the GCHQ, Hannigan was the director general of defense and intelligence at the Foreign and Commonwealth Office. He occupied the position since March 2010.

He advised the country’s prime minister on counter terrorism, intelligence and security policy issues for a number of years. Hannigan was also the prime minister’s security adviser and head of intelligence, security and resilience in the Cabinet Office from 2007. That’s when he oversaw the National Security Strategy.

He has been the principal adviser to Tony Blair and Secretaries of State for Northern Ireland on the peace process. He has acted as a liaison with the Irish and the US government. He has also been a member of the Joint Intelligence Committee.

“It is a privilege to be asked to lead GCHQ, an organisation which is so central to keeping the people of this country safe,” Hannigan said.

He added, “I have great respect for the integrity and professionalism of the staff of GCHQ and for what they have achieved under the outstanding leadership of Iain Lobban. I am excited about meeting the challenges of the coming years with them.”

Over the past period, the GCHQ has come under scrutiny after the world found out that the intelligence agency is involved in all sorts of spying operations. Earlier this month, we have learned that the GCQH, along with its US counterpart, have infiltrated Twitter, Facebook and other social media platforms in an effort to misinform and conduct propaganda.

In February, news broke that the agency had collected webcam images of millions of Yahoo users between 2008 and at least 2012 as part of a surveillance program dubbed “Optic Nerve.”

BeyondTrust Launches BeyondInsight 5.1

BeyondTrust updates BeyondInsight

BeyondTrust, a company that specializes in context-aware security intelligence solutions, has updated its IT risk management platform BeyondInsight.

BeyondInsight 5.1 enables IT and security teams to easily import QualysGuard vulnerability data via a new QualysGuard Cloud Connector. It also allows customers to import flat files from vulnerability management products developed by Tenable, Qualys and Rapid7.

In addition, the latest release of BeyondInsight includes an audit viewer that enables users to search and review vulnerability audits and mitigation procedures in the Retina CS Enterprise Vulnerability Management database.

Customers can now create custom vulnerability alerts, and filter security holes so that they can prioritize remediation efforts.

The Asset Profile Data feature can be used to enumerate the users, services and permissions for each system on the network. Rogue accounts and misappropriated privileges can be identified this way.

“Utilizing BeyondInsight, security and IT professionals can jointly keep track of assets, assess risk, ensure compliance, and communicate progress throughout the organization,” said Marc Maiffret, CTO of BeyondTrust.

“In addition to providing granular, role-based access to specific vulnerability and privilege management capabilities, BeyondInsight offers centralized asset discovery, asset profiling, management, reporting, and analytics capabilities. With the latest updates incorporated into BeyondInsight 5.1, businesses now have the increased visibility they need to make smart decisions and reduce their overall risk.”

The list of changes in BeyondInsight 5.1 also includes enhanced graphics and more filtering capabilities in Vulnerabilities by Business Unit Reports, exploit information has been added to Vulnerability Delta Reports, and operating system parameters are now included in Remediation Reports

Apple ID Phishing Email Shows Some Cybercriminals Are Not Trying Very Hard

Poorly designed Apple phishing email (click to see full)

Security researchers from Malwarebytes have come across an interesting Apple ID phishing email. When I usually say it’s interesting, I mean that it relies on some clever technique to trick users, but this time it’s not the case.

This particular email is interesting because it’s so poorly designed that no one would probably fall for it. Some phishing emails contain “security warnings” to make the fake notifications look more legitimate.

However, in this case, recipients are told right from the start that the email is spam. The actual body of the message is displayed at the middle of the email, unformatted. Then, at the end of the email, additional information which shows that it’s spam and that it could contain “a virus” is displayed.

The actual phishing notification reads something like this:

“Dear customer,
Your Apple ID was used to sign in to iCloud on an iPhone 4.
Time: February 10, 2014
Operating System: iOS;6.0.1
If you recently signed in to this device, you can disregard this email.
If you have not recently signed in to an iPhone with your Apple ID and believe someone may have accessed your account, please click here to confirm your details and change your password.”

As you can see, the spammers haven’t even taken the time to change the date to something more recent.

As Malwarebytes’ Chris Boyd highlights, “Sometimes scammers get it right and pull off extremely clever and subtle phish attacks. Other times, they get it wrong and you’re left scratching your head and wondering what on earth happened.”

Will Facebook’s New Anti-Spam Measures Put an End to Scams?

Typical like-farming scam

Last week, Facebook announced a series of improvements to reduce the number of spammy posts that showed up in users’ News Feed. We’ve talked to a couple of experts to find out what they think about the new measures.

With the improvements, Facebook is targeting three types of posts: “like-baiting,” in which the poster asks readers to like, comment or share the post; frequently circulated content; and spammy links.

Like-baiting has become increasingly common on Facebook. We’ve covered a lot of scams in which users are promised cars, vacations and other prizes if they like pages and share posts. The scammers are trying to harvest as many likes as possible to increase the value of their pages, which they can sell on the underground market or repurpose for other schemes.

As far as frequently circulated content is concerned, Facebook is “de-emphasizing” pages that publish frequently circulated content.

In an effort to reduce spammy links, ones used to trick users into visiting websites containing ads (and even malicious sites) by promising interesting content, the social media platform has started measuring how many likes and shares the original posts get. If they don’t get many likes and shares, it most likely means that it’s spam.

So what do experts believe about Facebook’s new anti-spam measure? Hoax Slayer’s Brett M. Christensen, who has been writing advisories about Facebook scams and hoaxes for a long time, says that the measures taken by the company should be efficient when it comes to putting an end to like-farming schemes.

“Facebook’s new rules should certainly go a long way towards stopping like-farming scams. A typical like-farming scam fits into at least two and possibly all three of Facebook’s new feed spam categories, so hopefully we will see a lot less of this type of scam messages on the network in coming months,” Christensen told Softpedia via email.

The expert says that the scammers could switch to a new tactic and carry on with their operations. However, he believes that these changes are at least a step in the right direction.

Security expert Graham Cluley, who has also published numerous alerts on Facebook scams, refrains from making assumptions, but he doesn’t appear too convinced that the new systems will work.

“Hard to say what impact this will have. In the past, Facebook has sometimes introduced systems to defeat (for instance) clickjacking scams only for them to completely fail to have any impact,” Cluley told us.

“We’ll have to see whether this has any positive impact on spam messages spread via Facebook, and whether it adversely affects those who are using Facebook for legitimate innocent purposes.”