Top vulnerabilities for the year
November 30 marked the International Day of information. Holiday appeared almost 30 years ago – in 1988, when it was first recorded mass epidemic of “worm” Morris. Mitapy security we hold regularly, and today we can afford to do without another announcement (just watch out for events in the blog). Stir all who in any way associated with information protection, and recall the methods of information security protection will top the main vulnerabilities 2015
The year began wondering. Not had time to cool off from the community news error HeartBleed, which, perhaps, was the largest in the history of vulnerability information, how to identify a comparable scale vulnerability, which received the code nameGHOST. Critical hole was found in the system library Glibc and manifested itself in the processing of a specially designed data functions gethostbyname () and gethostbyname2 (), which are used in many programs to convert the host name in the IP-address. The problem touched the 7 Debian, Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7, Ubuntu 10.04 and 12.04, SUSE Linux Enterprise 10 and 11. Interestingly, there is a bug in the code since 2000 and was eliminated in May 2013 but no indication that the vulnerability can have serious consequences. As a result, a huge amount of distributions simply ignored updated to stable version of the package.
An ancient evil has awakened
Spring in the server and client implementations of TLS / SSL discovered a critical vulnerability, called FREAK. She touched on Android devices and the browser Safari. Dangers are subject, including sites that use the technology SSL. The most amazing thing is that this vulnerability for many years. Until 1999, the United States prohibits the export of devices with strong cryptographic protection. To get around this restriction, companies had to incorporate a little protection, effectively leaving the future open door to hackers SSL. A matter of time was to reveal a way to spend man-in-the-middle-attack and force the client to use TLS-sensitive codes from the server. Breaking these codes takes only a few hours, because they are based on the encryption key of 512 bits.
Regular column “The vulnerability in Flash»
July 14, Adobe has released updates to Flash Player, which closes a critical vulnerability that allowed you to take remote control of the system in Windows, Linux and OS X, covertly setting cipher files CryptoWall 3.0. Due to the found vulnerability could execute code in almost all of the existing browsers. The whole year has passed under the slogan “Let’s bury have Flash». Chief Information Security Facebook Alex Stamos called Adobe permanently close Flash. A company Recorded Future has conducted a study which addressed vulnerabilities in popular exploit kits. Of the ten major exploits vulnerabilities found in eight focus on plug-in Flash.
Remote car burglary
In July, at the Defcon conference in 2015 told the six vulnerabilities found in the Tesla Model S, with which it was possible to hack a car. However, this will still require access to the machine. Tesla quickly released a fresh update. In the same month, the IB-Schnick in collaboration with Wired magazine do break-Cherokee Jeep. Due to the vulnerability of the system vehicle Uconnnect «white hackers” remote access to multimedia system, wipers and air conditioning. Following fell Protection Steering, ultimately, to disable the brakes. At the same time managed to hack the whole system remotely. Bug of hiding in the dongle inserted into the diagnostic port on-board computer. These devices measure the efficiency of fuel consumption and distance traveled. In February of this year, vulnerability was found in the infotainment system ConnectedDrive car the BMW. The researchers conducted the attack by creating a fake base station. Using the substitution of network traffic, rolled down the window and managed to open the door, but do not start the engine.
95% of vulnerable users
It is no secret that there is a direct link between the popular and the number of technologies implemented at her attacks. In July (summer hackers hot season) suddenly it turned out that nearly a billion Android-devices vulnerable to remote access to them through the MMS. Built on the Android library for handling media files of various formats contain bugs that allow to infect 95% Android-devices. Fortunately, Google quickly released an update axis. Unfortunately, the old devices by this update do not fall.
IOS Hacking 9
In November, it is not known who is not known how it was possible to hack iOS 9. This was stated by the company Zerodium, search and sale of vulnerabilities. The company held a contest, which required participants to find and exploit a flaw in Safari or Chrome. As a result, a group of hackers called not received $ 1 million for an exploit that allows you to install arbitrary software on devices running iOS 9.
Encryption in the trend
Software encrypts files, it’s not easy to users to Linux, as the site administrator on the machine which deployed its own Web server. Trojan Linux.Encoder.1 downloads files to the requirements to pay a ransom of Bitcoins and a file containing the path to the public RSA-key, then launched himself like a demon and removes the original files. This RSA-key is then used to store AES-keys with which the Trojan encrypts files on the victim machine. The Trojan first encrypts files in users’ home directories and catalogs relating to the administration of websites. Only after that bypasses Linux.Encoder.1 rest of the system. Encrypted files get a new extension .encrypted. On November 12, 2015, there were about 2 thousand. Website allegedly attacked cryptographer Linux.Encoder.1. However, this was not the only Trojan. Linux.Encoder.2 uses a different pseudo-random numbers for encryption uses a library OpenSSL (but not PolarSSL, in Linux.Encoder.1), encryption is implemented in the AES-OFB-128.
Instead of an epilogue
There is still a whole month, so it’s easy to imagine how the top-7 turns in the top 10. But while hackers are looking for zero-day vulnerabilities, the main danger is closer than you can imagine. This year, at an international forum on practical securityPositive Hack Days have sounded corny, but the eternal truth: its own employees of the companies are a major source of vulnerability. According to the analysis of 18 large state and commercial companies, some of which are included in the Fortune Global, it was revealed a significant reduction in the level of awareness of employees in safety issues. So take care of their counterparts in the first place. Do a good deed – remind them how important it is to monitor safety.