Wednesday, July 27, 2016

PAC Attacks When Using HTTPS!
VPN To The Rescue


Introduction: What I discuss below fits within the realm of computer networking. As such, it is complicated, has a learning curve and may require homework, time and patience to understand. However, as usual, I've tried to translate the technology into something reasonably easy to comprehend and I've provided some useful reference links.

Open Wi-Fi Hotspots Are Not Our Friend

Using open (no password required) Wi-Fi hotspot routers is dangerous. It's trivial for anyone else on the same router to spy on all your Internet activity. There are several tools for the hack job on every computer platform. So what do you do?

Using HTTPS on the Web is one generally reliable way to encrypt your connections, resulting in hacker spies seeing only gibberish pass between your computer and your destination. That's great, except a lot of servers still use old SSL (Secure Sockets Layer) protocols that are no longer secure, and there are older browser applications that still allow the use of SSL. The replacement technology is TLS (Transport Layer Security) and is considerably safer, albeit not perfect as of yet. For general Web access at a Wi-Fi hotspot, HTTPS via TLS should be adequate.

Except this happened:

New attack bypasses HTTPS protection on Macs, Windows, and Linux
Hack can be carried out by operators of Wi-Fi hotspots, where HTTPS is needed most.
- DAN GOODIN, Ars Technica - 7/26/2016, 1:14 PM
The most likely way the attack might be carried out is for a network operator to send a malicious response when a computer uses the dynamic host configuration protocol to connect to a network. Besides issuing addresses, DHCP can be used to help set up a proxy server that browsers will use when trying to access certain URLs. This attack technique works by forcing the browser to obtain a proxy autoconfig (PAC) file, which specifies the types of URLs that should trigger use of the proxy. Because the malicious PAC code receives the request before the HTTPS connection is established, the attackers obtain the entire URL in plaintext....
(Emphasis mine).

This is a fairly sophisticated attack for the moment. But, again, it could be made trivial once hacking tools for it proliferate.

So now what do we do?

If you're a casual web browsing user who doesn't mind having your URL connections surveilled in public, you wait for web browser and server updates to solve this problem.


If you're a professional who must NOT be surveilled in your work online, you enroll in a VPN (Virtual Private Network) service. I won't go into the techy details. But a good VPN service lets you encrypt everything you do on the Internet, from wherever you are and on whatever router you're using, out to a server run by the VPN service somewhere else on the planet. You can typically choose your exit server from a list provided by the VPN service. After your traffic exits the VPN server onto the actual Internet, no one can trace back who you are. None of your data is visible at your Wi-Fi router location. Everything is encrypted through the VPN service. Problem solved.

There are many VPN services available. Some of them offer 'Life Time Membership' for a reasonable price. There is typically one VPN service or another running a special offer via one of the 'Deal' websites / email lists at any point in time.

As examples, I'm on the MacAppware and 9To5Toys 'Deal' lists, which are part of a network of 'Deal' services run through StackCommerce. They offer a variety of hardware, software and service 'Deals' at special discount prices, typically for a limited period of time. If you see something you like on the lists, you check it out. If you like it, you buy it. (Please note how I am deliberately not providing URLs as I am not selling or recommending any of these services. Do a search on their names and you'll find them).

Continuing these examples: 9To5Toys is currently offering both a 3-year subscription and full lifetime subscription to Tiger VPN for decent prices. MacAppware is currently featuring five different VPN service discounts. They include HideMyAss!, Hotspot Shield Elite, PureVPN, and VPN Unlimited.

The closest I'll come to a recommendation is to say that I have a friend who swears by HideMyAss! He regularly uses it to stream sports game video from Europe with great results. I have a lifetime membership with proXPN that works fine for my purposes.

One limiting factor with VPNs is speed, aka bandwidth. Obviously, you run into this factor when you're streaming a lot of data at once, for example when watching video. If that's what you want to do via VPN, it pays to shop around for the fastest service. Be sure to verify that what you read about a VPN service is real. For example, PureVPN calls itself "The World's Fastest VPN." Maybe it is or maybe it isn't. Check out a number of reviews to find out what users have experienced according to their usage of the VPN.

Another limiting factor is which VPN connection protocols the services offer. They may use OpenVPN and/or PPTP (Point-to-Point Tunneling Protocol). It's important to know what your hardware and OS can handle. Some cannot, for example, deal with OpenVPN. Therefore, in this case, you don't want a VPN service that only offers OpenVPN. You'll want one that offers PPTP. Many provide both.

From a security point of view, at the moment it is safer to use PPTP. OpenVPN has had a series of security compromises and was at one point assumed to be hackable. The OpenVPN project has been good about patching known security flaws, but new ones have recently been discovered on a regular basis. Meanwhile, PPTP is considered by some to be 'broken'. Microsoft recommends using a more recent and superior alternative protocol called L2TP/IPSec, with which I am somewhat unfamiliar. If a VPN offers it, consider using it instead of PPTP.

I could link here to a comparison chart of these three protocols, but what I found online was not up-to-date and would therefore be misleading. From a fanatical security perspective, it may be that all three of these protocols are hackable IF someone specifically wants to target YOU. VPN attacks are sophisticated and take time to enact. As such, for general professional use, any of these three VPN protocols is adequate. Open source advocates of course prefer OpenVPN because its protocol is entirely available for scrutiny, and theoretically that means security holes are found and patched more readily. Meanwhile, Microsoft has been involved with both PPTP and L2TP/IPSec, which may give users a reason to cringe. You decide.

Nice things about good VPN services: 

First, my VPN rates the quality/speed of their own servers day-to-day. I'm in New York. So you'd think connecting to their New York City server would be great! It used to be. Now it's rated on the bottom of their connection listing. IOW it's the last server I want to use. Instead, I typically use the Chicago server, which is in the top third of their connection list. I often visit sites within the UK, in which case I use their London server. Thankfully, that is also in the top third of their connection list at this time. 

Meanwhile, if I want to use an exit server in or near Japan, forget it! There aren't any. That could have killed my interest in their VPN service, if it mattered to me. The closest server is in Singapore, and it's near the bottom of the connection list. IOW: It may be important to know what servers a VPN offers, according to your purposes.

Second, my VPN regularly changes its servers in cases where they are being blocked by ISPs. My VPN application grabs the latest list of available servers every day, which prevents me from connecting to what amounts to a dead server.

Why are VPN servers blocked? This gets into a controversy regarding copyright, marketing and costs. To give you at least a rough idea of how and why this can happen: Imagine you're the BBC in the UK. Someone uses a VPN to connect through a London exit server. The IP address of that server is what every website the user connects to sees. It's obviously a British IP address, so the user looks to be British. Therefore, the user can access all British web content as if they were a British citizen, including full access to all BBC web media and any of their posted TV program streams. What can be 'bad' about that is that: (A) The user may not actually be in Britain; they're using a VPN. (B) If they aren't British, they have no right of access to British copyrighted media. (C) BBC marketing people may go maniacal that someone is breaking through an artificial marketing zone barrier to access media directly in the UK. (D) The user hasn't paid the taxes that support the BBC. Therefore, the BBC is motivated to find, and have blocked, all VPN servers within the UK.

Then there's that annoying totalitarianism issue where FAILed governments abuse their citizens, rather than serve them. Check this out:

Countries Where VPN Use is Prohibited
VPN is typically banned in countries that have authoritative laws, such as China, North Korea and Iran. With limited access to a majority of online content, in order to unblock blocked websites, citizens, tourists and expats in those countries typically resort to the use of proxy servers and VPN software. 
Some countries have banned the use of Virtual Private Networks so that they can maintain a bird’s eye view on all online movement made by their citizens, who the governments of these countries consider as nonconformists, as well as to control the information their citizens have access to by censoring websites with liberal or opposing views. VPNs allow users to bypass censorship and keep all online activities confidential.
Such is our species. I thoroughly recommend deposing all such governments. That's what revolutions are for. We all deserve personal freedom and privacy, no exceptions (apart from the crooks and crazies).

So what about DNSCrypt?

I use DNSCrypt on all my Macs. I've had no trouble with it and it kindly encrypts all my DNS lookups for free. It works hella better than my ISP's DNS servers! (Time Warner Cable :-P). Thank you OpenDNS and Cisco! It prevents any open Wi-Fi hotspot hackers from seeing what websites I want to visit. It even prevents your ISP or anyone else from surveilling your DNS lookups.

Except DNSCrypt won't help with the PAC attacks on HTTPS. Sorry! The resulting IP address still ends up in-the-clear when using the PAC hack. Nonetheless, DNSCrypt is a great precaution and works extremely well. Finishing DNSCrypt took years of annoying betas. Now it's something approaching perfection. Highly recommended.

Questions? Further reference requests? Please drop me a comment below.



Wednesday, July 20, 2016

Critical Little Snitch Update to v3.6.4!


Today, Objective Development released a critical update of Little Snitch to version 3.6.4. Update ASAP!

Here are the release notes from the installer:
Little Snitch 3.6.4 
This update fixes critical issues. Please update as soon as possible!
  • Added IKEv2 VPN support to Automatic Profile Switching detection.
  • Fixed: A critical bug enabling potential attackers to circumvent the Little Snitch network filter (thanks to @osxreverser for the report).
  • Fixed: Under rare circumstances Fast User Switching causes all connection without rules to be denied without showing an alert.
  • Fixed: Alerts triggered via “ask rule” sometimes produce rules with “Until Quit” instead of “Once” lifetime.
  • Fixed: Rare crash when searching for rules or suggestions in Little Snitch Configuration.
  • Other bugfixes and improvements.
I've made certain that MacUpdate and MajorGeeks Mac (the two download sites I still use) have been notified. If you haven't used Little Snitch, you can find out more about this excellent 'reverse firewall' program HERE. It has a learning curve well worth climbing if you want to stop applications from phoning home or stop potential bot infections dead in their tracks. Intego's NetBarrier has similar functionality.

Wednesday, July 13, 2016

'Backdoor.MAC.Eleanor' Is Now XProtected!


Yes! Apple has updated XProtect to guard against OSX.Trojan.Eleanor.A.

XProtect is Apple's built-in anti-malware system. It was first integrated into OS X 10.7 Snow Leopard and is regularly and automatically updated over the Internet.

Apple has been a bit slow updating XProtect to ward off evil adware. But, with nagging from the field, Apple eventually catches up. Alongside Eleanor, Apple has also provided protection against the adware OSX.Hmining.A.2.

Grateful thanks to my right-hand Mac security pal Al Varnell for helping out, as ever!


Tuesday, July 12, 2016

Happy Adobe Security Update Day For July


Second Tuesday of the month, the day when Adobe lets loose all the security patches they've been saving up for the past month. (0_o) On this Tue2, Adobe is serving updates for:

Adobe Flash - 52 critical CVEs patched

Adobe Acrobat and Reader  - 32 critical CVEs patched

Adobe XMP Tool for Java - 1 CVE patched

The links above lead to accompanying Adobe security bulletins.

So where's the required Adobe AIR update? After all, Adobe Flash is integrated into Adobe AIR! Nothing new. That's worrying. If you're running AIR, be sure to have it self-check for updates!

Where to get the security updates:

Adobe Flash

Adobe Acrobat
Adobe Reader
Adobe XMP Tool for Java

The Gory Details

Adobe Flash Vulnerability Details

These updates resolve a race condition vulnerability that could lead to information disclosure (CVE-2016-4247).

These updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-4223, CVE-2016-4224, CVE-2016-4225).

These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-4173, CVE-2016-4174, CVE-2016-4222, CVE-2016-4226, CVE-2016-4227, CVE-2016-4228, CVE-2016-4229, CVE-2016-4230, CVE-2016-4231, CVE-2016-4248).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-4249).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4172, CVE-2016-4175, CVE-2016-4179, CVE-2016-4180, CVE-2016-4181, CVE-2016-4182, CVE-2016-4183, CVE-2016-4184, CVE-2016-4185, CVE-2016-4186, CVE-2016-4187, CVE-2016-4188, CVE-2016-4189, CVE-2016-4190, CVE-2016-4217, CVE-2016-4218, CVE-2016-4219, CVE-2016-4220, CVE-2016-4221, CVE-2016-4233, CVE-2016-4234, CVE-2016-4235, CVE-2016-4236, CVE-2016-4237, CVE-2016-4238, CVE-2016-4239, CVE-2016-4240, CVE-2016-4241, CVE-2016-4242, CVE-2016-4243, CVE-2016-4244, CVE-2016-4245, CVE-2016-4246).

These updates resolve a memory leak vulnerability (CVE-2016-4232).

These updates resolve stack corruption vulnerabilities that could lead to code execution (CVE-2016-4176, CVE-2016-4177).

These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2016-4178).

Adobe Acrobat and Reader Vulnerability Details

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2016-4210).

These updates resolve a use-after-free vulnerability that could lead to code execution (CVE-2016-4190).

These updates resolve a heap buffer overflow vulnerability that could lead to code execution (CVE-2016-4209).

These updates resolve various methods to bypass restrictions on Javascript API execution (CVE-2016-4215).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-4189, CVE-2016-4191, CVE-2016-4192, CVE-2016-4193, CVE-2016-4194, CVE-2016-4195, CVE-2016-4196, CVE-2016-4197, CVE-2016-4198, CVE-2016-4199, CVE-2016-4200, CVE-2016-4201, CVE-2016-4202, CVE-2016-4203, CVE-2016-4204, CVE-2016-4205, CVE-2016-4206, CVE-2016-4207, CVE-2016-4208, CVE-2016-4211, CVE-2016-4212, CVE-2016-4213, CVE-2016-4214, CVE-2016-4250, CVE-2016-4251, CVE-2016-4252).

Adobe XMP Tool for Java Vulnerability Details

This update resolves an issue associated with the parsing of crafted XML external entities in XMPCore that could lead to information disclosure (CVE-2016-4216).

Stay safe out there, kids!


Wednesday, July 6, 2016

Beware New Mac Malware: 'Backdoor.MAC.Eleanor'


[Updated: 2016-07-07 @1:50 am ET with additional references]

This malware should more properly be named OSX.Trojan.Eleanor.A. In the field, it is being called Backdoor.MAC.Eleanor by BitDefender LABS. It is being served up to victims at a number of websites, including apparently BEWARE!

I'll create my own write up about the malware as further details are available. For now, here are some excellent sources of information about Eleanor:

Bitdefender LABS

Backdoor.MAC.Eleanor Grants Attackers Full Access to Mac Systems
A. Description: 
- - The application name is EasyDoc, and its main functionality should be to convert documents, but it does anything but that. . . .

New Mac malware in the wild, Backdoor.MAC.Elanor – can steal data, execute code, control webcam

More about Eleanor from my colleague Thomas Reed over at Malwarebytes:

When the app is opened, it runs a shell script whose first task is to check for the presence of Little Snitch. . . . If LittleSnitch is not present, and if the malware has not already been installed, it then installs three LaunchAgents in the user folder plus a hidden folder full of executable files. All these items have names that attempt to make them seem like Dropbox components....
Interestingly, this app’s page on MacUpdate has ratings submitted by users between 2014 and March 26, 2016, all but one of which are 4.5 or 5 stars. Since this malware appears to have first “turned on” in April, I suspect that the real EasyDoc Converter may have been abandoned by its developer and somehow obtained by malware authors....
If you have Malwarebytes Anti-Malware for Mac, it will detect this malware as OSX.Backdoor.Eleanor.
I.e., the free Malwarebytes Anti-Malware for Mac already detects Eleanor. Use the link in the quote above.

And, Dan Goodin of Ars Technica posted an article about Eleanor as well as a couple other pests: Pellit and Keydnap. I'm waiting for more details about these last two before I bother writing about them.

~ ~

Keep in mind that such malware can have ANY name. Therefore, don't simply avoid 'EasyDoc Converter'. Watch out for ALL software, from ANY source, that is not signed by an Apple-approved developer.

Safety Step: Verify that you at least have Apple's Gateway setup this way in System Preferences...: Security & Privacy: General:

IOW: Don't have 'Anywhere' selected. 
(If you're using macOS 10.12 Sierra, you won't even see 'Anywhere' available).

Until this malware is blocked by Apple, do NOT override Gateway and open unsigned software. 

IOW: If you have Gateway set up properly and you attempt to open something you downloaded, and OS X protests that the software may be insecure, do NOT open it. Take the advice of OS X. This will keep you safe from the Eleanor malware. Set the questionable software aside until protection against Eleanor is provided by Apple via its XProtect system. I'll report when XProtect has been updated against Eleanor.

Further helpful information from Apple:

About the "Are you sure you want to open it?" alert (File Quarantine / Known Malware Detection) in OS X