{"id":10278,"date":"2015-10-19T11:11:58","date_gmt":"2015-10-19T15:11:58","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=10278"},"modified":"2021-03-01T12:11:59","modified_gmt":"2021-03-01T17:11:59","slug":"security-week-42","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/security-week-42\/10278\/","title":{"rendered":"Security Week 42: SHA-1 collisions, a real hack for routers, Android\/Security\/Gloom"},"content":{"rendered":"<p>When find yourself caught in the eye of the storm, you might have problems understanding what has really happened. While stuck in a traffic jam, you would never know it happened because of an accident, until you reach the spot seeing two jet pilots whose wreckage occupied three lanes. Until then, you simply don\u2019t have enough information to make a correct assumption.<\/p>\n<p>It happens all the time in the infosec industry: this topic is complex and contains lots of details and peculiarities, and due to this complexity the results of certain research might have real leverage years in the future.<\/p>\n<p>This week, our three top pieces of security news have nothing in common, besides meaningful sub-context. When you have no experience in the industry, you cannot properly evaluate the importance of some of the security events or might miss some critical details.<\/p>\n<p>I will try, as hard as I can, to explain this importance with apprehensible examples, as sub-context is vague and flexible, so that anyone could see something different when assessing it. So, sit back and relax with this week\u2019s edition of Security Week, titled Breaking Covers. As always, our <a href=\"https:\/\/threatpost.com\/\" target=\"_blank\" rel=\"noopener nofollow\">Threatpost<\/a> editorial staff handpicks the three most important news items of the week, which I ruthlessly comment. All the previous editions are available <a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/security-week\/\/\" target=\"_blank\" rel=\"noopener nofollow\">here<\/a>.<\/p>\n<h3>The search for SHA-1 collisions got immensely cheaper<\/h3>\n<p><a href=\"https:\/\/threatpost.com\/practical-sha-1-collision-months-not-years-away\/114979\/\/\" target=\"_blank\" rel=\"noopener nofollow\">News<\/a>. <a href=\"https:\/\/www.schneier.com\/blog\/archives\/2012\/10\/when_will_we_se.html\" target=\"_blank\" rel=\"noopener nofollow\">Predictions<\/a> by Jesse Walker made three years ago. <a href=\"https:\/\/www.schneier.com\/blog\/archives\/2015\/10\/sha-1_freestart.html\" target=\"_blank\" rel=\"noopener nofollow\">The new research<\/a> which changed the take on the security of this algorithm.<\/p>\n<p>Those who advanced in their Linux exploration a bit further than automatically setting up Ubuntu know that the system prompts one to carefully read instructions. I mean, I would, of course, first try to Google a doc with a sequence of commands, but in some cases everything would fail to work properly and then would totally break down.<\/p>\n<p>This news is similar: without an at least short orientation, the topic is not that easy to apprehend. Whereas it is, by far, the most complex topic in our Security Week series to date, I would dare to explain what it means in simple words.<\/p>\n<div id=\"attachment_10280\" style=\"width: 330px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/10\/06023946\/security-week-42-cat-jumps.gif\"><img decoding=\"async\" aria-describedby=\"caption-attachment-10280\" class=\"wp-image-10280 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/10\/06023946\/security-week-42-cat-jumps.gif\" alt=\"cat jumps\" width=\"320\" height=\"291\"><\/a><p id=\"caption-attachment-10280\" class=\"wp-caption-text\">Well, I\u2019ll try something like this<\/p><\/div>\n<p>SHA-1 is a cryptographic hashing algorithm. This algorithm could be fed an unlimited sequence and produce a 160-bit piece of data, which then can be used to identify the initial data array. This is impossible if you don\u2019t have that initial data array \u2013 otherwise you cannot simply restore the information from the hash, as you cannot turn minced meat into a whole steak.<\/p>\n<p>More precisely, it SHOULD be impossible, even if you have a password like \u2018123456\u2019. There are two requirements to any of such algorithms: the impossibility of getting the initial data if you only have the hash, and the impossibility of getting a match to the data array so they both have the same hash.<\/p>\n<p>To be precise, there IS a possibility to do both. The thing is that it means so much heavy lifting computing that it\u2019s not even worth a try. So, you might buy a supercomputer and entrust it with the task of breaking the cipher. Then, 240 years later, it says the answer is 42, but at the moment you wouldn\u2019t care less.<\/p>\n<p>Yet, there\u2019s the rub. First, PCs continue to gain more and more computing power. Second, researchers are constantly seeking bypasses to break cryptographic algorithms. It\u2019s way simpler to find a collision to an encryption algorithm rather than decrypt the initial data array.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Practical SHA-1 Collision Months, Not Years, Away via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"https:\/\/t.co\/fU5VQUjLI4\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/fU5VQUjLI4<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/652502642850144256?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 9, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Meanwhile, SHA-1 is used in different encryption systems and authorization solutions, and its task is to ensure the data of two different agents match. Once two or more data arrays with the same hash are discovered in a moderately less cumbersome and costly process, the algorithm is not reliable anymore.<\/p>\n<p>Allow me to stop here to spare you an unbearably hard-core AP Calculus lecture: Here\u2019s the bottom line: researchers compile an algorithm to search for a collision, and the algorithm is capable of finding the collision with less effort than the ordinary brute force method. Or, more precisely, we talk now about <a href=\"https:\/\/en.wikipedia.org\/wiki\/Birthday_attack\/\" target=\"_blank\" rel=\"noopener nofollow\">Birthday<\/a> attack (Sic!).<\/p>\n<p><em>Well, those simple words of mine are not that simple, after all.<\/em><\/p>\n<p>Researchers then improve the algorithm and thus reduce the number of decrypt operations. As a result, the attack that previously would take 240 years could bring success in just 120 years, and then in just 12 years, and then in just 2 years. So, as soon as you find out the attack would take not two centuries but two months, you can start worrying.<\/p>\n<p>So the story is as follows: Three years ago a cryptographist from Intel, Jesse Walker, assumed that by 2015 a practical SHA-1 collision attack would take 2<sup>11<\/sup> server-years (a weird typical estimation unit based on a typical server).<\/p>\n<p>Thanks to cloud services like Amazon EC2 you might even calculate a cash equivalent of the infrastructure necessary to crack the hash. With $700,000 available, you can, theoretically, get the method of forging a digital signature in a relevantly short time.<\/p>\n<p>But this estimation dates back to 2012. That means even then SHA-1 was not rendered that reliable, but only rich governments actors could have afforded to crack the algorithm.<\/p>\n<p>Quite understandably, such organizations aren\u2019t in a hurry to publicly report their success in battling cryptography. So, it\u2019s paramount now to assess when this \u2018tool\u2019 becomes available to some deep-pocketing cybercriminals that surely exist.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/10\/06023945\/security-week-42-dog.jpg\"><img decoding=\"async\" class=\"aligncenter wp-image-10281 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/10\/06023945\/security-week-42-dog.jpg\" alt=\"A sad dog\" width=\"1280\" height=\"686\"><\/a><\/p>\n<p>Recently, a group of researchers from universities in the Netherlands, Singapore and France published a white paper covering the methods of optimizing the process needed to calculate the collision. Would an attacker be armed with their findings, the practical collision attack would cost just $75,000 (In Amazon\u2019s units) and would take just 49 days.<\/p>\n<p>It could happen even quicker, provided sufficient funds. Bruce Schneier, a renowned cryptographist, assumes that the 2012 estimation considered only <a href=\"https:\/\/en.wikipedia.org\/wiki\/Moore%27s_law\" target=\"_blank\" rel=\"noopener nofollow\">Moore\u2019s Law<\/a>, whereas it never took into account the improvement of the attack algorithm (like using GPUs for computation due to their high processing power and affordability). It\u2019s impossible to present an accurate estimation of the effects the algorithm optimization would bring.<\/p>\n<p>Here comes the traditional question: do this research and this estimation practically mean a real threat? Well, not necessarily. How are such \u2018vulnerabilities\u2019 exploitable in the wild? There is a nice <a href=\"http:\/\/www.theregister.co.uk\/2014\/11\/05\/md5_hash_collision\/\/\" target=\"_blank\" rel=\"noopener nofollow\">example<\/a> based on a less secure MD5 algorithm: we take two different files (in this case, photos of rock stars), perform a series of modifications on one of them and, as a result, get absolutely identical hashes for two absolutely different images.<\/p>\n<p>Are there any real-life examples? A notorious cybercampaign, <a href=\"https:\/\/securelist.com\/blog\/incidents\/33002\/flame-replication-via-windows-update-mitm-proxy-server-18\/\/\" target=\"_blank\" rel=\"noopener\">Flame<\/a>, used this method to sign a malicious file with a valid (at that time) Microsoft digital certificate. Or, more precisely, the signature was forged, but the hashes matched. <a href=\"https:\/\/threatpost.com\/what-have-we-learned-flame-malware-061512\/76701\/\/\" target=\"_blank\" rel=\"noopener nofollow\">Independent estimations<\/a> prove that such trick, which exploited an even less reliable algorithm, would have cost an actor from $200,000 to $2,000,000, which is damn expensive!<\/p>\n<p>So, what about SHA-1? The algorithm has been around since 1995. Even back in 2005, it was clear the algorithm was not the most reliable of all. Considering the latest estimations, practical SHA-1 collision exploits are still a very distant future, whereas SHA-1 is steadily eliminated as an end-of-life technology and replaced by more reliable hashing algorithms.<\/p>\n<p>By 2017 key browser developers will have deprecated SHA-1. It is time they sped up: since the costs of a potential collision attack went down from $2,770,000 to as low as $100,000 in just three years, what could happen in a year\u2019s time?<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/Security?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Security<\/a> Experts Urge Web Owners to Upgrade From Insecure <a href=\"https:\/\/twitter.com\/hashtag\/SHA1?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#SHA1<\/a> Algorithm: <a href=\"http:\/\/t.co\/K9jq9bITlC\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/K9jq9bITlC<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/SSL?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#SSL<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/infosec?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#infosec<\/a> <a href=\"http:\/\/t.co\/ZDCZUYlwD7\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/ZDCZUYlwD7<\/a><\/p>\n<p>\u2014 AT&amp;T Cybersecurity (@attcyber) <a href=\"https:\/\/twitter.com\/attcyber\/status\/653942042805051392?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 13, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Meanwhile, the research of SHA-1 vulnerabilities is of pure scientific value. Figuring out potential consequences is a process as vague as finding out that a human flew to space based on a single news stating \u201cOn April 12, 1961, 250 tons of rocket fuel combusted above a Kazakhstan desert.\u201d We\u2019ll live, we\u2019ll see.<\/p>\n<p>A fun fact: the proper name of what we call \u2018hash\u2019 is \u2018digest\u2019 or \u2018message digest\u2019. As it turns to be, you have just read the digest about the digest. Hail recursion!<\/p>\n<h3>Vulnerability in Netgear routers is practically exploitable<\/h3>\n<p><a href=\"https:\/\/threatpost.com\/disclosed-netgear-router-vulnerability-under-attack\/114960\/\/\" target=\"_blank\" rel=\"noopener nofollow\">News<\/a>. <a href=\"http:\/\/seclists.org\/fulldisclosure\/2015\/Oct\/29\/\" target=\"_blank\" rel=\"noopener nofollow\">Description<\/a> of the vulnerability.<\/p>\n<p>Vulnerability was found in Netgear N300 routers. Here\u2019s another hole in a router, again, \u2013 so different, yet looking quite the same. We have already <a href=\"https:\/\/www.kaspersky.com\/blog\/security-week-36\/9727\/\/\" target=\"_blank\" rel=\"noopener nofollow\">discussed<\/a> a couple of bugs in Belkin routers in one of our previous editions. But as for Netgear, the situation looks quite gloomy.<\/p>\n<p>Let\u2019s open the router\u2019s web interface, type in the password (but a wrong one, since it\u2019s not our router and we don\u2019t know it). Then we are redirected to the Access Denied page. If you try to open the BRS_netgear_success.html page, you\u2026 would not get anywhere, either, but just for a couple of times. Once you try this trick several times, you succeed.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/10\/06023943\/security-week-42-netgear.jpg\"><img decoding=\"async\" class=\"aligncenter wp-image-10282 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/10\/06023943\/security-week-42-netgear.jpg\" alt=\"Vulnerability in Netgear N300 routers found\" width=\"800\" height=\"600\"><\/a><\/p>\n<p>Of course, you \u2018d better be logged in the local network which makes the venture harder. However, if the router feeds public WiFi in a cafe, there is no problem in getting inside the network. And if the owner, out of the blue, decided to open access to the web interface, everything gets tons easier.<\/p>\n<p>By the way, does anyone know why the web access should be open to an outsider? And by that we mean the access to a router itself and not to some instances in the local network. I think there is absolutely no reason to do that and there are many reasons NOT to do that.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Disclosed <a href=\"https:\/\/twitter.com\/NETGEAR?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@Netgear<\/a> Router Vulnerability Under Attack: <a href=\"https:\/\/t.co\/P5s6uItTjn\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/P5s6uItTjn<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"http:\/\/t.co\/RgFM9SGSGu\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/RgFM9SGSGu<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/652184022597169153?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 8, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>However, the situation with the Belkin router evolved quite lawfully: the vendor was notified, and in two months the company offered a beta of the new firmware. It seemed like everything was good, then the bad news broke: the vulnerability had been already been exploited in the wild.<\/p>\n<p>Compass Security, a Swiss security company, discovered a rogue router with its settings changed: the DNS server did not belong to a service provider, as usual, but to God knows whom. That unknown agent received all DNS requests. The attack server, when researched, happened to have served over 10,000 hacked routers.<\/p>\n<p>https:\/\/twitter.com\/NETGEARhelp\/status\/653682920540999680<\/p>\n<p>A fun fact: Compass Security tried really hard to get response from Netgear for quite a while. When the conversation finally happened, the company even got the beta of the new firmware to run a test. But then, out of the blue, a new player emerged \u2013 a company called Shellshock Labs, published their research without consulting anyone (which is bad).<\/p>\n<p>Of course, it\u2019s kind of cool to name a research company after a <a href=\"https:\/\/www.kaspersky.com\/blog\/what_is_the_bash_vulnerability\/6117\/\/\" target=\"_blank\" rel=\"noopener nofollow\">notorious bug in bash<\/a>, but it does not override the \u2018do no harm\u2019 rule. However, the research by \u2018shellshokers\u2019 helped to understand where the bug came from. The firmware code makes it possible to get access to the web interface without a password just once, during the first launch. To disable this option, the flag should have been there, but it wasn\u2019t. And yes, finally, the firmware was <a href=\"https:\/\/threatpost.com\/netgear-publishes-patched-firmware-for-routers-under-attack\/115006\/\/\" target=\"_blank\" rel=\"noopener nofollow\">updated<\/a>.<\/p>\n<h3>87% of Android devices are insecure<\/h3>\n<p><a href=\"https:\/\/threatpost.com\/researchers-find-85-percent-of-android-devices-insecure\/115030\/\/\" target=\"_blank\" rel=\"noopener nofollow\">News<\/a>. <a href=\"http:\/\/androidvulnerabilities.org\/\/\" target=\"_blank\" rel=\"noopener nofollow\">The researchers\u2019 website<\/a>, including the rating of device security by vendor.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/10\/06023941\/security-week-42-lemur.jpg\"><img decoding=\"async\" class=\"aligncenter wp-image-10283 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/10\/06023941\/security-week-42-lemur.jpg\" alt=\"A cute big eyed lemur\" width=\"800\" height=\"800\"><\/a><\/p>\n<p>No way! It never happened before and here it comes again! We are talking about another scientific research (thankfully, not as hardcore as the one about SHA-1). Researchers from University of Cambridge did a fascinating thing: They gathered data on 32 critical Android vulnerabilities, then selected 13 most critical ones and checks a massive amount of devices by different vendors to find out whether they are vulnerable.<\/p>\n<p>Here\u2019s how they did it: The developed the Device Analyzer <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=uk.ac.cam.deviceanalyzer\/\" target=\"_blank\" rel=\"noopener nofollow\">app<\/a> to gather telemetric data on the devices which participated in the experiment, including the OS version and the build number. Thus the researchers managed to accumulate data on over 20,000 smartphones.<\/p>\n<p>By counterpoising the OS version and the vulnerability data, the researchers could evaluate the scale of the problem. That\u2019s what they got:<\/p>\n<p>The results were normalized to show that 87% of devices were susceptible to this or that critical vulnerability (in some instances, to more than one bug) at the certain time. Of course, we have to stress the word \u2018potentially\u2019: as we could see from the <a href=\"https:\/\/threatpost.com\/android-stagefright-flaws-put-950-million-devices-at-risk\/113960\/\/\" target=\"_blank\" rel=\"noopener nofollow\">Stagefright<\/a> story, even the most dangerous vulnerability cannot get maximum leverage due to practical limitations.<\/p>\n<p>However, the researchers got even further and developed a scorecard to evaluate the level of \u2018dangerousness\u2019 among different vendors and called it FUM Score. It is based on the time it takes a vendor to react on the disclosure of a new bug and the time it takes to present a final patch.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Researchers find 85% of <a href=\"https:\/\/twitter.com\/hashtag\/Android?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Android<\/a> devices insecure: <a href=\"https:\/\/t.co\/YNbAdZKAAv\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/YNbAdZKAAv<\/a> <a href=\"http:\/\/t.co\/1dYfutssgh\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/1dYfutssgh<\/a><\/p>\n<p>\u2014 Eugene Kaspersky (@e_kaspersky) <a href=\"https:\/\/twitter.com\/e_kaspersky\/status\/654692215587864577?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 15, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The winners here are, of course, Nexus devices: they get security patches quicker than anyone. LG occupied the second position and Motorola is the third in this rating. Well, we can hardly call them winners, as all participants are, in fact, losers.<\/p>\n<p>The scorecard takes into account the share of updated devices, which means that, besides a vendor issuing the patch, the user has to update the device, after all. The older the device, the worse: in a separate rating among the 2 to 3-year-old devices the scores are dreadful. Why is that so? The owners never update them, but still use them.<\/p>\n<p>Well, the approach does contain a couple of debatable assumptions and a lot of guesswork, and the findings are somewhat expectable. The researchers say that one of their objectives is to motivate vendors improve the way they deliver security patches. What is important, though, is the means to see that the ecosystem cannot possible be 100% secure.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">New study suggests 85% of Android devices exposed to at least one critical vulnerability: <a href=\"http:\/\/t.co\/vZAtW8JhiS\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/vZAtW8JhiS<\/a><\/p>\n<p>\u2014 Gizmodo (@Gizmodo) <a href=\"https:\/\/twitter.com\/Gizmodo\/status\/654627155771527169?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 15, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Whereas Android, dreadfully segmented, server the most suitable example of an insecure ecosystem, such are abundant. You may stand by your assumption that iOS is more secure, but the first story in our digest about, well, digest, proves that no system is 100% secure, due budget limitations. This is a vital element when choosing the security strategy.<\/p>\n<h3>What else happened:<\/h3>\n<p>Apple <a href=\"https:\/\/threatpost.com\/apple-removes-apps-that-expose-encrypted-traffic\/114992\/\/\" target=\"_blank\" rel=\"noopener nofollow\">purged<\/a> App Store of apps, which helped hackers to expose, hijack, and modify encrypted traffic via installation of root certificates \u2013 for adware blocking or worse things. As far as I understood, new apps with the same capabilities are no more. Why was it possible before then?<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Apple Removes Apps That Expose Encrypted Traffic <a href=\"https:\/\/t.co\/fHQiLSCypy\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/fHQiLSCypy<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"http:\/\/t.co\/np2fFUmvc8\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/np2fFUmvc8<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/652558957429567490?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 9, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>European Aviation Security Agency (EASA) <a href=\"https:\/\/threatpost.com\/european-aviation-agency-warns-of-aircraft-hacking\/114987\/\/\" target=\"_blank\" rel=\"noopener nofollow\">disclosed<\/a> a bug in <a href=\"https:\/\/en.wikipedia.org\/wiki\/ACARS\" target=\"_blank\" rel=\"noopener nofollow\">ACARS<\/a> \u2013 the system used for exchange between the aircraft and the ground station. It goes without saying that it\u2019s quite simple to send a fake message via the system which does not presuppose any packet verification.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">European Aviation Agency Warns of Aircraft Hacking: <a href=\"https:\/\/t.co\/PDcT6J5ENg\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/PDcT6J5ENg<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/planehack?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#planehack<\/a> <a href=\"http:\/\/t.co\/nC1x5JLR0p\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/nC1x5JLR0p<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/652509465900658696?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 9, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Of course, the vulnerability does not allow hijacking flight controls, yet it could be used to send a misleading message to pilots. The bug in ACARS <a href=\"https:\/\/conference.hitb.org\/hitbsecconf2013ams\/materials\/D1T1%20-%20Hugo%20Teso%20-%20Aircraft%20Hacking%20-%20Practical%20Aero%20Series.pdf\" target=\"_blank\" rel=\"noopener nofollow\">was discussed<\/a> (in various PDF files) as far back as 2013, but exclusively by security researchers; this time a regulatory body itself raised the issue. Good news!<\/p>\n<h3>Oldies:<\/h3>\n<p>Indicator-734<\/p>\n<p>A dangerous resident virus. It infects .COM files as they are uploaded into the memory. The virus encrypts the beginning of the file using 10h bytes of BIOS. That means the files could be decrypted and run only on a computer running the same version of BIOS. If the beginning of the file cannot be decrypted, the virus blocks the operations of the file (running int 20h), having launched its counters before. Depending on the state of the latter (approximately once in an hour), the virus draws a red cross on the screen with the sign \u2018VINDICATOR\u2019 in the center. The virus hijacks int 1Ch, 21h.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/08\/06024345\/infosec-digest-32-book1.jpg\"><img decoding=\"async\" class=\"alignright wp-image-9594\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/08\/06024345\/infosec-digest-32-book1-234x300.jpg\" alt=\"Security Week: Doors without locks, invulnerable Microsoft, disassembler and pain\" width=\"150\" height=\"192\"><\/a><\/p>\n<p><em> Quoted from \u201cComputer viruses in MS-DOS\u201d by Eugene Kaspersky, 1992. Page 70.<\/em><\/p>\n<p><em> Disclaimer: this column reflects only the personal opinion of the author. It may coincide with Kaspersky Lab position, or it may not. Depends on luck.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Konstantin Goncharov explains the bottom line of tech giants\u2019 epic fails in the new edition of cybersecurity news digest.<\/p>\n","protected":false},"author":53,"featured_media":10285,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[14,1195,473,97,1203,596],"class_list":{"0":"post-10278","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-apple","9":"tag-digest","10":"tag-routers","11":"tag-security-2","12":"tag-security-week","13":"tag-sha-1"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/security-week-42\/10278\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/security-week-42\/6148\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/security-week-42\/6345\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/security-week-42\/6325\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/security-week-42\/7108\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/security-week-42\/6836\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/security-week-42\/9370\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/security-week-42\/6284\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/security-week-42\/9276\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/security-week-42\/9370\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/security-week-42\/10278\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/security-week-42\/10278\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/apple\/","name":"Apple"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/53"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=10278"}],"version-history":[{"count":7,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10278\/revisions"}],"predecessor-version":[{"id":38879,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10278\/revisions\/38879"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/10285"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=10278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=10278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=10278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}