Sunday, 25 December 2016

DirtyCow and Drammer vulnerabilities "hijack Android devices"

The vulnerabilities are known colloquially as DirtyCow (CVE-2016-5195) and Drammer (CVE-2016-6728). While they are unrelated, they both represent a real risk to Android users as individuals have already published proof-of-concept exploit code online for both vulnerabilities, thus minimizing the time attackers would need to understand and develop their own exploits from scratch. Additionally, industry researchers have already seen attackers using DirtyCow to exploit Linux-based systems in the wild.


Given that the CVEs and the POC code are publicly available, enterprises should see this as a concern. If an attacker roots a device, she has full control over it, which means she may also be able to collect sensitive data from the device. If the victim is an employee, that may mean company information is being leaked. Having visibility into the kinds of apps, rooted devices, or outdated software running on the corporate network is critical.

DirtyCow

The vulnerability extends back nine years and affects all versions of Android, including the latest Android 7.0 Nougat. While Linus Torvalds created and released a patch for the Linux kernel – which Android uses – the patch has not yet been released as a security update for Android users.

DirtyCow is an easy vulnerability to understand, and proof-of-concept exploit code is already in the wild, available to researchers and attackers alike. We expect to see this issue patched in the November 2016 Android Security Update at the earliest.

Drammer

The second vulnerability, called Drammer and discovered by VUSec, is the first time the Rowhammer vulnerability has been applied to ARM-based devices, in this case Android devices. Drammer exploits a hardware bug and can manipulate memory it doesn’t control by repeatedly reading, or “hammering”, a row in memory, which induces a bit in another spot in memory to “flip”, or change value. If an attacker does this hammering enough times, he or she can control which space in memory it points to so that a device can eventually be compromised and rooted. Drammer likely works on all versions of Android including the latest, but the mileage may vary.

Patches

They have banned the Drammer POC app from the Google Play Store. Lookout customers are protected from this test app. Our investigation revealed that the banned POC app published by the academic researchers is not overtly malicious, but it does exploit the vulnerability and has been observed to cause local denial-of-service on failed exploit attempts.

Enterprises should use a mobile security partner to gain awareness into the apps running on their employees’ devices and to receive timely alerts when one of those apps is risky or malicious.

Indian arrested in US for cyber attack

An Indian-origin teenager has been arrested in the US for carrying out a cyber-attack that swamped Arizona's emergency services with several bogus calls, an incident he claimed was a non-harmful joke gone wrong. Meetkumar Hiteshbhai Desai was taken into custody after the Surprise Police Department, Arizona, notified the Sheriff's Office of more than 100 hang-up 911 calls.

The Maricopa County Sheriff's Office arrested the 18-year-old, accusing him of carrying out a cyber-attack on the 911 system, according to a Sheriff's Office statement. Desai was booked into a Maricopa County jail on suspicion of three counts of computer tampering.

Interference with critical infrastructure could have disrupted the 911 system in the Phoenix area and potentially other states, The Arizona Republic reported. Investigators traced the calls and discovered they originated from a link posted to Twitter, according to the statement.

The link was to a site named "Meet Desai" and its domain was hosted out of San Francisco. When the link was clicked, it continually called 911 and would not let the caller hang up. Peoria police and the MCSO also received a large number of calls, and the volume had the potential to shut down 911 service across Maricopa County, the Sheriff's Office said. MCSO detectives identified 'Meet' and took him in for questioning last Wednesday.

"Meet claims that his intention was to make a non-harmful, but annoying bug that he believed was 'funny'," the Sheriff's Office statement said.

Desai told investigators that he was approached by an online friend with a bug. Desai then tweaked the bug so it would add pop-ups, prompts to open e-mail applications and activation of automatic telephone dialling on iOS devices, all via coding that Desai wrote himself.

Desai told sheriff's detectives that he was interested in programmes, bugs and viruses that he could manipulate and change. Desai said Apple Inc., the hardware and software company, would pay and credit him for discovering such bugs and viruses. The MCSO cyber crimes unit executed a search warrant and seized multiple items at Desai's residence that will be forensically examined, the Sheriff's Office said.