Hello and welcome to the CERTStation Podcast for the 10th week of 2010. I am Jay Johnson and these are the headlines:

1024-bit RSA encryption gets cracked (pause)
Vodafone distributes Mariposa botnet with HTC Magic while
Some critical security holes in the popular web browser Opera have been found (pause)
Energizer Duo USB Battery Charger software has been found to carry a backdoor and finally
Some information on the latest patches released by Microsoft earlier on Patch Tuesday

And now for this week's newswire details
Since 1977, RSA public-key encryption has protected privacy and verified authenticity when using computers, gadgets and web browsers around the globe, with only the most brutish of brute force efforts (and 1,500 years of processing time) felling its 768-bit variety earlier this year. Computer scientists say they've discovered a severe vulnerability in the world's most widely used software encryption package that allows them to retrieve a machine's secret cryptographic key. The bug in the OpenSSL cryptographic library is significant because the open-source package is used to protect sensitive data in countless applications and operating systems throughout the world. Although the attack technique is difficult to carry out, it could eventually be applied to a wide variety of devices, particularly media players and smartphones with anti-copying mechanisms. The university scientists found that they could deduce tiny pieces of a private key by injecting slight fluctuations in a device's power supply as it was processing encrypted messages. In a little more than 100 hours, they fed the device enough "transient faults" that they were able to assemble the entirety of its 1024-bit key. The scientists, from the University of Michigan's electrical engineering and computer science departments, said the bug is easily fixed by applying cryptographic "salt" to an underlying error-checking algorithm. The additional randomization would make the attack unfeasible.

(pause)
Viruses and malware are not new to mobile devices; however, in a somewhat startling revelation, the Panda Research blog discovered that Vodafone is distributing the Mariposa bot, Conficker and Lineage password-stealing malware with HTC Magic phones. The phone, the HTC Magic, runs the Google Android mobile operating system, and is a low-priced handset distributed by Vodafone. The infection was found in an HTC Magic phone running the Android OS, which was supplied by Vodafone Germany, based on the screenshots and German language used on the computer of the Panda AV employee. The alert was triggered by Panda Cloud AV when the phone was plugged into the PC via USB. Malicious code was found in the Autorun files, which automatically run when a USB drive is connected to a PC. The malware in question was identified as a Mariposa bot client, which is run by an unknown guy named "tnls". If users are infected with the virus, it will automatically start contacting servers and sending data to them. In addition to the above bot, the researcher also found traces of the Conficker virus along with a password-stealing malware called Lineage. There were no reports about the phone being affected by the above, but PCs without appropriate protection would definitely be vulnerable to these viruses. It is really startling to see that both Vodafone and HTC allowed these phones to be sold without extensive testing and checks. It is not known as to how many phones are affected; however, it is a safe bet to connect your phone to your PC (with AV running) and run a quick scan on the contents of the phone.

(pause)
Several security experts report a security issue in the Opera web browser. An incorrectly set value in HTTP headers allows attackers to cause a buffer overflow that allows them to execute arbitrary code on a vulnerable system. Secunia has confirmed the hole and says the latest version of Opera, 10.50 for Windows, is affected while other versions may be affected. Vupen Security disclosed the buffer overflow bug on Thursday, and the report has since been picked up by others, including Secunia and SANS. The advisories have said the vulnerability is critical because it can be exploited to remotely execute malicious code on end user machines. The vulnerability is confirmed in version 10.5 for Windows. Other versions may also be affected. In the absence of a patch, Opera users are urged to avoid browsing to untrusted Web sites or switch to an alternative browser.

(pause)
There have been a number of interesting stories lately, especially related to hardware; the latest doing the rounds is this one, where a seemingly innocuous USB battery charger has been installing some nasty remote control software onto users' systems. The Energizer Bunny keeps going and going, but he picked up a nasty Trojan along the way. The U.S. Department of Homeland Security discovered that Energizer's Duo USB charger left Windows computers open to remote control, thanks to a back door in the product's battery monitoring software. Malware bundled in a charger-monitoring software download package opens up a back door on compromised Windows PCs. The contaminated file is automatically downloaded from the manufacturer's website during the installation process, not bundled with an installation CD. It'll be interesting to see how the malicious .dll file got into the software bundle in the first place without any detection. Was it a server/network hack or did it come from wherever the devices were manufactured (the header info in the .dll seems to indicate once again the source is China)? Hopefully within the next week or so we'll hear some more news as to what actually happened, or more likely it'll be swept under the carpet and we won't hear a peep.

(pause)
This Patch Tuesday has been relatively quiet, with Microsoft issuing only two patches, both of which it rates as only Important. Privately disclosed vulnerabilities in Movie Maker, Movie Producer and Excel could lead to remote code being executed with the same privileges as the current user. Microsoft Office 2004 and Office 2008 for the Mac are currently affected by MS10-017. As such, Mac Microsoft Office users will need to download and install an update to protect themselves. Both the Windows and Office security bulletins are ranked with an aggregate severity rating of Important, meaning that some platforms or configurations may be at lower risk, but taken as a whole the vulnerabilities addressed in the bulletin are considered Important.

If you enjoyed this podcast, why not visit CERTStation.com and check out our free Internet Security Dashboard? In the meantime, this is your host Jay Johnson wishing you a safe and secure week.