Friday 18 July 2014

Microsoft issues Emergency Windows Update to Block Fake SSL Certificates


Today, Microsoft issued an emergency update for almost all versions of Windows, and for Microsoft devices running Windows Phone 8 and 8.1, to protect users from attacks that abuse recently issued rogue SSL certificates, which could be used to impersonate Google and Yahoo! websites.
A week after the search engine giant Google spotted and blocked unauthorized digital certificates for a number of its domains, which could pose a potentially serious security and privacy threat, Microsoft has responded by blocking the bogus certificates from being used on its software as well.
"Today, we are updating the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove the trust of mis-issued third-party digital certificates," said Dustin Childs, group manager of response communications.
The fake digital certificates, issued by the National Informatics Centre (NIC) of India - a unit of India’s Ministry of Communications and Information Technology, were uncovered at the beginning of this month by Google's security team.

Android Vulnerability Allows Applications to Make Unauthorized Calls without Permissions

A major vulnerability believed to be present in most versions of Android can allow malicious Android applications on the Android app store to make phone calls on a user’s device, even when they lack the necessary permissions.
The critical vulnerability was identified and reported to Google Inc. late last year by researchers from German security firm Curesec. The researchers believe the flaw was first noticed in Android version 4.1, also known as “Jelly Bean.”
APPS CAN MAKE CALLS FROM YOUR PHONE
“This bug can be abused by a malicious application. Take a simple game which is coming with this code. The game won’t ask you for extra permissions to do a phone call to a toll number – but it is able to do it,” Curesec’s CEO Marco Lux and researcher Pedro Umbelino said Friday in a blog post. “This is normally not possible without giving the app this special permission.”
By leveraging these vulnerabilities, malicious applications could initiate unauthorized phone calls, disrupt ongoing calls, and dial out to expensive toll services, potentially racking up big charges on unsuspecting users' phone bills.

Android bug allows unauthorized users to terminate outgoing calls and Send USSD
The vulnerability can also be exploited to disconnect outgoing calls and to send and execute:
  • Unstructured Supplementary Service Data (USSD)
  • Supplementary Service (SS)
  • Manufacturer-defined MMI (Man-Machine Interface) codes.
These special codes can be used to access various device functions or operator services, which makes the problem a nasty one for those who value the data they store on their mobile phone.
“The list of USSD/SS/MMI codes is long and there are several quite powerful ones like changing the flow of phone calls (forwarding), blocking your SIM card, enabling or disabling caller anonymisation and so on,” reads the blog post.
Even Android security programs offer no protection from these flaws: apps without the CALL_PHONE permission should not be able to initiate phone calls, but the exploits are able to bypass the Android permissions system altogether.
"As the app does not have the permission but is abusing a bug, such apps cannot easily protect you from this without the knowledge that this bug exists in another class on the system," wrote the researchers.
A large number of versions of Android are affected by the vulnerabilities. Researchers have found two different flaws that can be exploited to achieve the same ends – one that's present in newer Android releases and another that's found in older versions.
FIRST BUG - AFFECTS NEWER VERSION OF ANDROID
The first security bug, identified as CVE-2013-6272, appears to have been introduced in Android version 4.1.1 Jelly Bean, and persisted all the way through 4.4.2 KitKat before the security team at Google was able to fix it in Android 4.4.4.
But only about 14% of users are currently updated to the latest version of the mobile operating system. So just think about how many users are currently in the grip of the flaws. No small number of users remain open to these vulnerabilities and attack paths.
SECOND BUG - AFFECTS OLDER VERSION OF ANDROID
The second security hole is wider in its reach, affecting both Android 2.3.3 and 2.3.6, the popular Gingerbread versions used by lower-end, budget-style smartphones, which continue to surge in popularity in emerging markets like Brazil, China, and Russia.
The bug was fixed in Android 3.0 Honeycomb, but that was a tablet-only release that no longer even charts on Google's Android statistics. That means the bugs leave nearly 90 percent of Android users running versions of the operating system that are vulnerable to the dialer-manipulating flaws.
Researchers at Curesec have provided source code and a proof-of-concept demonstration app for both bugs, so that customers can test whether their Android devices are vulnerable.
Android users running KitKat on their devices are strongly advised to upgrade to the latest version, 4.4.4, as soon as possible. Device makers and carriers are expected to roll out the updates in the coming weeks.

Google catches Indian Government Agency with Fake Digital Certificates

 
Google has identified and blocked unauthorized digital certificates for a number of its domains issued by the National Informatics Centre (NIC) of India, a unit of India’s Ministry of Communications and Information Technology.
National Informatics Center (NIC) holds several intermediate Certification Authority (CA) certs trusted by the Indian government’s top CA, Indian Controller of Certifying Authorities (India CCA), which are included in the Microsoft Root Store and so are trusted by a large number of applications running on Windows, including Internet Explorer and Chrome.
The use of rogue digital certificates could result in a potentially serious security and privacy threat that could allow an attacker to spy on an encrypted communication between a user’s device and a secure HTTPS website, which is thought to be secure.
 

Germany to Consider Typewriters to Protect From US Spying

So far we have heard that using privacy tools by every individual and offering encrypted communication by every company is the only solution to Mass Surveillance conducted by the government and law enforcement authorities. But, Germany says the only solution to guard against surveillance is - Stop using Computers!!
Ohh Please!! Is it a joke?
No, it does not mean that they are going to completely throw out all of their computer systems, but rather they would use it preposterous.
Surveillance has been a big issue for Germany since it came to light a year ago that German Chancellor Angela Merkel’s own personal mobile phone had been spied on by the U.S. National Security Agency (NSA) for years. So big that prominent politicians are seriously considering using manual typewriters for sensitive documents instead of computers.
The head of the Germany's NSA Inquiry Committee, Patrick Sensburg said in an interview with the Morgenmagazin TV show on Monday night, that the government is seriously considering a low-tech solution to the ongoing espionage problem and to keep American eyes off of sensitive documents.

According to the Guardian's translation of the German interview:
Interviewer: Are you considering typewriters?
Sensburg: As a matter of fact, we have - and not electronic models either.
Surprised interviewer: Really?
Sensburg: Yes, no joke.
Sensburg is heading up the Bundestag’s parliamentary inquiry into the NSA’s activities on German soil and is the one who knows about the serious concerns caused by foreign states' surveillance programs.
Germany's NSA Inquiry Committee was established in March to investigate allegations by NSA whistleblower and former contractor Edward Snowden that the United States government has been eavesdropping on Germans and even bugged Chancellor Angela Merkel’s personal cell phone, an issue that has strained relationships and raised trust issues between old allies Berlin and Washington.
Relations between the two became even worse earlier this month, when Germany arrested a German intelligence officer who worked as a double agent and passed information to the CIA about the parliament’s NSA investigation. According to Sensburg, US snooping is ongoing.
After Edward Snowden released his first document about the U.S. government's surveillance activities, Russia also considered reverting to old-school forms of communication, and bought 20 electric typewriters last year to keep internal communications more private, according to the Moscow Times.
“Any information can be taken from computers,” a Russian member of parliament said. "[F]rom the point of view of keeping secrets, the most primitive method is preferred: a human hand with a pen or a typewriter."
IN-SHORT
But just think: how practical is this? Should we start using typewriters instead of email just to safeguard ourselves from spying? That would mean going on foot instead of using cars just to protect ourselves from accidents. Agree? Well, I do not!
Every individual, and even government authorities, should be encouraged to use the best privacy tools and encrypted communication only; this would protect them from the risk of spying.

Update Your Java to Patch 20 Vulnerabilities Or Just Disable it


Today, Oracle has released its quarterly Critical Patch Update (CPU) for the month of July, as part of its monthly security bulletin, in which it fixes a total of 113 new security vulnerabilities for hundreds of the company’s products.
The security update for Oracle’s popular browser plug-in Java addresses 20 vulnerabilities in the software, all of which are remotely exploitable without authentication, which means an attacker wouldn't need a username and password to exploit them over a network.
MOST CRITICAL ONE TO PATCH FIRST
Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. One or more of the Java vulnerabilities received the most “critical” rating according to Oracle’s Common Vulnerability Scoring System (CVSS), i.e. base score of 10 or near.
Numerous other Oracle products and software components are also addressed in the latest security updates, which fix around 29 vulnerabilities in Oracle Fusion Middleware, 27 of which enable remote code execution, seven vulnerabilities in Hyperion products, and five apiece for Oracle Database and E-Business Suite. But Java was the only product with security issues scoring the highest critical rating.
So, Java patches are the most urgent and should be at the top of your list, as one of the Java SE vulnerabilities (CVE-2014-4227) in this patch update, scores ten out of ten in the common vulnerability rating system, and seven of the other Java SE client vulnerabilities received a CVSS score of 9.3.
Oracle Database Server will also be updated for five vulnerabilities, one of which is remotely exploitable, while there will be 10 patches released for MySQL Server, but none of them are remotely exploitable.
JAVA WILL CONTINUE TO SUPPORT WINDOWS XP
The company recently announced that it would no longer support Java on Windows XP, though it expects Java 7 to continue to work on the Windows XP platform, and Oracle security updates for Java on XP machines will continue.
“This end of support announcement has been misread as ‘Java no longer works on Windows XP’ or ‘Oracle will stop Java updates from being applied on Windows XP.’ These statements are not correct,” said Oracle vice-president of product management in the Java Platform Group Henrik Stahl.
“We expect all versions of Java that were supported prior to the Microsoft de-support announcement to continue to work on Windows XP for the foreseeable future. In particular, we expect that JDK 7 will continue to work on Windows XP.”
However, Java 8 is not designed even to install on Windows XP operating system. So, the installer for the developer releases of Java 8 will not run on it without manual intervention.
PATCH OR SIMPLY DISABLE JAVA?

Java runs on more than 850 million personal computers and on billions of devices worldwide, therefore protecting against Java zero-day exploits is a rising concern among millions of Windows, Mac OS, and Linux users.

Security experts recommend not installing Java if you don't already have it, and perhaps even disabling it if you do have it but do not regularly use an application or visit any Web site that requires Java.
UPDATE YOUR SYSTEMS NOW
The company is urging its customers to update their systems as soon as possible. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," the firm warned.
Oracle has published the full details about the list of patches here.

Project Zero - A Team of Star-Hackers Hired by Google to Protect the Internet

Google has publicly revealed its new initiative called “Project Zero,” a team of Star Hackers and Bug Hunters with the sole mission to improve security and protect the Internet.

Just as a team of superheroes in sci-fi movies protects the world from alien attacks or bad actors, Project Zero is a dedicated team of top security researchers who have been hired by Google to find the most severe security flaws in software around the world and fix them.
PROJECT ZERO vs ZERO-DAY
Project Zero gets its name from the term "zero-day," and the team will make sure that zero-day vulnerabilities don't fall into the wrong hands of criminals, state-sponsored hackers and intelligence agencies.
"Yet in sophisticated attacks, we see the use of "zero-day" vulnerabilities to target, for example, human rights activists or to conduct industrial espionage," said Chris Evans, who was leading Google’s Chrome security team and will now lead Project Zero.
Zero-day vulnerabilities could give bad actors the power to completely control target users’ computers, and in such a scenario no encryption can protect them.
 

Motorola Moto E Outshines All the Phones Under 10000 Rs

1. Motorola Moto E:

Again a magical phone from Motorola. The Moto E has got everything you can expect at this price range; it even has additional features you can’t imagine at just Rs. 7,000. This is the best phone under 10,000 Rs. and yet it is cheaper by about 3,000 Rs. than other phones in this list. The Moto E runs on the latest Android 4.4.2 KitKat and, most importantly, Motorola has promised at least one update of Android when a new version is released. It has a Dual Core Qualcomm Snapdragon 200 A7 processor clocked at 1.2 GHz and is supported by 1 GB of RAM, the combination of which can handle most everyday needs, multitasking and gaming. The phone has a very good design which is similar to the Moto G. It has a 1980 mAh Li-Ion battery which can last all day. Its camera is not so great but come on…, you are not buying a phone at 7,000 Rs to click high resolution images. Additionally it has water resistance and smudge coating with Corning Gorilla Glass 3. Sometimes, I wonder how Motorola manages to put so many things at such a low price. Overall, it is a perfect all round phone one should buy at this price range and yes, it is better than Micromax Unite 2.

PRICE: 6,999 Rs.
OS: Android OS, v4.4.2 (KitKat)
CPU: Dual-core 1.2 GHz, Qualcomm Snapdragon 200 Processor
RAM: 1 GB RAM
SCREEN: 4.3 inches capacitive touchscreen with Corning Gorilla Glass
DISPLAY: 540 x 960 pixels, 256 ppi pixel density
SIM: Optional Dual SIM (Micro-SIM, dual stand-by)
CAMERA: 5 MP Primary Camera, No Secondary Camera
MEMORY: Internal Storage 4. microsd expandable upto 32 GB
BATTERY: Non-removable Li-Ion 1980 mAh battery
OTHERS: 3G, Bluetooth, WiFi, GPS

 

2. Micromax Canvas 2 A120 Colours:

PRICE: 8623 Rs.
OS: Android v4.2 (Jelly Bean)
CPU: 1.3 GHz, Quad Core, MT6582 Processor
RAM: 1 GB RAM
SCREEN: 5.0 inches, Color IPS capacitive touchscreen
DISPLAY: 1280 x 720 pixels, 294 ppi pixel density
SIM: Dual SIM (GSM+GSM)
CAMERA: 8 MP Primary Camera, Secondary Camera: 2 MP
MEMORY: Internal Storage 4 GB, microsd expandable upto 32 GB
BATTERY: 2000 mAH, Li-ion Battery
OTHERS: 3G, Bluetooth, WiFi, GPS

 

3. Sony Xperia M:

PRICE: 10,799 Rs.
OS: Android OS, v4.1 (Jelly Bean)/ v4.2.2 - C2004/C2005 models, upgradable to v4.3 (Jelly Bean)
CPU: Dual-core 1 GHz Krait, Qualcomm Snapdragon S4 Plus MSM8227 Processor
RAM: 1 GB RAM
SCREEN: 4.0 inches, TFT capacitive touchscreen
DISPLAY: 480 x 854 pixels, 245 ppi pixel density
SIM: Optional Dual SIM (Micro-SIM)
CAMERA: 5 MP Primary Camera, 0.3 MP Front Camera
MEMORY: Internal Storage 4 GB, microsd expandable upto 32 GB
BATTERY: Li-Ion 1750 mAh battery
OTHERS: 3G, NFC, Bluetooth, WiFi, GPS

 

4. Nokia XL:

PRICE: 10,320 Rs.
OS: Android OS, v4.1.2 (Jelly Bean)
CPU: Dual-core 1 GHz Cortex-A5, Qualcomm MSM8225 Snapdragon S4 Play Processor
RAM: 768 MB RAM
SCREEN: 5.0 inches, IPS LCD capacitive touchscreen
DISPLAY: 480 x 800 pixels, 187 ppi pixel density
SIM: Dual SIM (GSM + GSM)
CAMERA: 5 MP Primary Camera, 2 MP Secondary Camera
MEMORY: Internal Storage 4 GB, microsd expandable upto 32 GB
BATTERY: Li-Ion 2000 mAh battery (BN-02)
OTHERS: 3G, Bluetooth, WiFi, GPS

 

5. HTC Desire 310:

PRICE: 9,833 Rs.
OS: Android OS, v4.2.2 (Jelly Bean)
CPU: Quad-core 1.3 GHz Cortex-A7 Mediatek MT6582M Processor
RAM: 512 MB RAM
SCREEN: 4.5 inches, 218 ppi pixel density
DISPLAY: 480 x 854 pixels TFT capacitive touchscreen
SIM: Dual SIM, (Micro-SIM, dual stand-by)
CAMERA: 5 MP, 2592х1944 pixels, autofocus, Geo-tagging, touch focus, face detection & Front Camera: 0.3 MP
MEMORY: Internal Storage 4 GB, upto 32 GB microSD expandable
BATTERY: Li-Ion 2000 mAh battery
OTHERS: 3G, Bluetooth, WiFi, GPS

 

Why Does Modi Concern Obama?

When I came across a report on the Obama-Modi equation, my guess was that the news would go viral, creating a stir not only in India but worldwide. The story reported that at an exclusive, small fundraiser, the United States’ President Barack Obama made quite a statement that shook up the small audience present there. When a person asked him about his concern with the newly elected Indian Prime Minister, the President gave a six word answer that left the audience dumbfounded. He said, “My name is Barack HUSSEIN Obama.”
The article first appeared on firstpost.com but now seems to have been removed. With the Bharatiya Janata Party’s (BJP) sweeping electoral victory, most Indians chose to forget about the bygone concerns regarding Prime Minister Modi’s equation with Muslims. However, it seems that the world is still haunted by the PM’s alleged past.
Modi is believed to have remained ineffective during the 2002 Gujarat riots. Some even held him responsible for the whole riot. Therefore, quite a few remained skeptical about Modi’s past, saying that his rule would alter what the idea of “India” stands for, i.e. it would undermine secularism. Others, on the other hand, endowed Modi with their confidence. However, with India getting Modi-fied, almost everyone in India has eventually come to terms with his rule.
While he seems to have convinced India of his credibility, the short statement made by someone as strong a figure as Obama is certainly going to hang in the air for PM Modi. Modi thus cannot afford to delude any of his moves while in office. There is a need of a concrete, materialized assurance on the part of PM Modi, for he needs to turn around his image of a Hindu nationalist into that of a secular head of government.
As the world, on one hand, might continue to monitor the Indian Prime Minister’s efforts for a secular India, we need to put our trust on the PM that he will bring “acche din” (good days) for the Indian Muslims as well!
 
