Citrix patches Netscaler hole, ARM TrustZone twisted, Android Dirty COW exploited – and more security fails

The good, the bad and the weird from this week

Roundup As ever, it has been a busy week on the security front with good news, some very bad reports, corporate failings all round and troubling signs ahead for those worried about government intrusion in the online world.

Here's El Reg's take on the resulting wreckage.

Cloudflare opens up protection

Among the good news, Cloudflare said it will give all customers "Unmetered Mitigation" against DDoS attacks, meaning anyone who subscribes will now get the full protection afforded by the edge network provider, rather than having to pay based on volume of protected traffic.

Cloudflare CEO Matthew Prince reasons it's wrong of his firm to charge users based on the size of the person attacking them, or let them get knocked offline because they can't afford to guard against huge volumes.

"DDoS attacks are, quite simply, a plague on the Internet and it’s wrong to surprise customers with higher bills when they are targeted by one," Prince said.

"With Unmetered Mitigation, we’re breaking the industry’s practice of surge pricing when someone comes under attack. It was an easy decision for us because it’s the right thing to do."

Malware mutterings

In malware news Trend Micro spotted the first Android malware sample that tries to exploit the Dirty COW Linux kernel vulnerability that emerged last December. The ZNIU malware popped up across the world installed in over 300,000 apps that were spammed out to stores around the world.

In all around 5,000 unlucky and unpatched Android users got a taste of ZNIU, but it was Chinese users suffered most. The malware cost them dearly by sending out premium-rate SMS messages and deleting any evidence it was doing so.

Google is trying to use machine learning to spot such malware before it becomes an issue. At the Structure Security conference in San Francisco on Tuesday the company's head of Android security Adrian Ludwig reported considerable success, with the Chocolate Factory claiming its AI systems spotted only five per cent of malware samples at the start of the year compared to 55 per cent now.

It wasn't just threats to Android that surfaced this week. Cisco's Talos Security team spotted a very nasty bit of code going after the bank accounts of Brazilian computer users - the first to be found written in Delphi.

The malware was signed with a legitimate VMware digital signature and used this to worm onto computers and then download a full suite of financial fraud tools. These stole credentials to some of Brazil's most popular banks using fake webpages and keyloggers.

Bugs bork apps n'chips

Citrix said on Monday the Netscaler and SD-WAN issue that prompted it to halt software downloads last week was an authentication bypass in its management interface. The software maker released a patch along with remediation advice on Monday in an advisory here.

Cisco also had issues with its Umbrella Virtual Appliance Version 2.0.3 software, after an undocumented encrypted remote support tunnel (SSH) was found in the code. Cisco said that it had been put there for remote support by its staff but, as it hadn't mentioned this in the documentation, was reporting it as a vulnerability.

"While Cisco has NO indications that our remote support SSH hubs have ever been compromised, Cisco has made significant changes to the behavior of the remote support tunnel capability to further secure the feature," it said.

Also this week an interesting side-channel attack against ARM’s TrustZone popped up. The TrustZone is the chip firm's supposedly secure data haven contained on its latest silicon. Usually side-channel attacks need physical access to the target device, but not all the time.

Researchers subverted the energy management systems of a Nexus 6 phone and were able to read data moving in TrustZone just by measuring power output. They then injected attack code of their own. The technique also appears to be transferable to other ARM-powered systems, just to make matters worse.

However, there was good news for macOS users who have upgraded to the High Sierra operating system. The new code has an eficheck function that will check the firmware of the Extensible Firmware Interface to make sure nothing has been tampered with.

Snoopy snoopy sneak sneak

Police use of fake mobile phone masts dubbed "Stingrays" might be slightly better regulated in the future thanks to a court ruling on Thursday. An appeals court in Washington ruled that their use requires a warrant - something the police have fought vociferously against.

Law enforcement in the US has spent over $100m on such devices and while states and politicians are trying to limit Stingray, governments show no sign of backing down. The case will probably now go to the Supremes.

Meanwhile the American Civil Liberties Union is fighting an data-harvesting request from the Department of Justice into who isn't keen on President Trump. The DoJ wants the names of 6,000 people who signed up to an anti-Trump website before the inauguration.

A gag order prevented Facebook discussing the case, but The Social Network™ fought and won. The case is ongoing, but based on past experience the government may have been overreaching itself again.

Storefront fails

Amazon's efforts to remake grocery chain Whole Paycheck Foods encountered a setback when malware was discovered on some of its point-of-sale terminals.

Thankfully the damage was limited to the in-store restaurants and taprooms (pubs) in Whole Foods, which don't share terminals with the main grocery system. So far there's no word on how many customers have been affected.

Not so at Sonic, the US purveyor of fast food. Earlier in the week security blogger Brian Krebs discovered a cache of five million credit cards offered for sale online. They turned out to be sourced from customers of the burger slingers eateries.

The company has confirmed that an attack on its POS terminals was successful but didn't say how many people were affected. Given the chain has over 3,500 outlets it's perfectly possible that the archive was all from its customers.

And finally, secure messaging app Telegram's CEO has said Russia's spies demanded the decryption keys for his messaging app, and Apple has published [PDF] its latest surveillance transparency report: yup, governments are still demanding data on some fanbois. ®

Sponsored: Minds Mastering Machines - Call for papers now open




Biting the hand that feeds IT © 1998–2018