Riseup Security Bulletin October 2017

We are trying something new today. Riseup is sending this general security bulletin to all users in the hopes that it will keep all you amazing people safer. Although your Riseup service is not affected by these vulnerabilities, we feel it is important for you to take action in order to protect your devices and your data on other websites.

Contents:

* Adobe Flash Advisory
* Wi-Fi Advisory

Adobe Flash Advisory


The problem


Adobe Flash is a plugin for most web browsers that allows the browser to display interactive content such as games and videos. In a new vulnerability announced on Monday, Adobe Flash can be tricked by a website you visit or a document you open to allow a remote attacker to take control of your computer.

Who does this affect?


The problem exists in all web browsers that have Adobe Flash, on all operating systems. It also affects Microsoft Office.

By combining this vulnerability with others, an attacker can take total control over your computer, read all your data, capture all your login accounts, spy on you through the webcam, and so on.

What can I do to protect myself?


Disable Adobe Flash immediately. It is a constant source of security holes, and is being discontinued by Adobe.

Until recently, sites like YouTube relied heavily on Adobe Flash. Today, however, you don’t need Adobe Flash in order to use most sites with dynamic content or video. Because of this, you should disable or uninstall Flash entirely. If you have some burning reason you need Adobe Flash, you can also upgrade Flash to the new version without the vulnerability.

Disable Flash

* Chrome: Preferences: Settings > Show advanced settings > Content settings > Flash > uncheck “Allow sites to run Flash”.

* Firefox: Tools: Add-ons > Plugins > Flash > Never Activate.

Uninstall Flash

For instructions on how to uninstall Flash for every browser, see https://www.howtogeek.com/222275/how-to-uninstall-and-disable-flash-in-every-web-browser/

Upgrade Flash

See Adobe’s security advisory for instructions on how to get a patched release of Flash
https://helpx.adobe.com/security/products/flash-player/apsb17-32.html

More information


An attack using this vulnerability in Adobe Flash was observed on October 10 by Kaspersky Lab. The vulnerability was being used to infect the victim’s computer with the FinFisher malware. The group behind the attack is believed to be BlackOasis, aka NEODYMIUM, which historically focuses on targeted attacks against civil society actors in Turkey. BlackOasis is classified as an “advanced persistent threat” and is believed by many researchers to be a customer of the Gamma Group, a German and UK corporation with along history of surveillance and monitoring of activists.

For further reading, see:

http://www.securityweek.com/middle-east-group-uses-flash-zero-day-deliver-spyware

https://threatpost.com/adobe-patches-flash-zero-day-exploited-by-black-oasis-apt/128467/

https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/

https://en.wikipedia.org/wiki/Gamma_Group

Wi-Fi Advisory


There is a new class of attacks against Wi-Fi networks. Most Wifi networks these days use a technology called WPA2 to protect the network from eavesdropping. Researchers found a way to break this.

These attacks allow an adversary within Wi-Fi range to read your network traffic and potentially to also send your device nefarious traffic, depending on what device you are using.

Who does this affect?


Nearly all Wi-Fi devices and operating systems are vulnerable, to varying degrees. This includes nearly all laptops, mobile phones, and Wi-Fi connected devices. In particular, most Android and Linux devices are highly vulnerable.

What is the danger?


There are many attacks that are made possible with this vulnerability. For example:

* An attacker could read your login username and password if not transmitted using HTTPS (encrypted browser connection). Riseup requires HTTPS on all servers — but many services do not.

* An attacker could downgrade your secure HTTPS web browser connection to an insecure HTTP connection, depending on the configuration of the server (Riseup servers are protected against this).

* If you click on a link to download a file, an attacker could attach a virus to that file while it was in transit to your device (in some cases).

What can I do to protect myself?


If you have an Android device, you should disable Wi-Fi and use your telco’s data plan whenever possible. When possible, keep Wi-Fi disabled until an update becomes available for your device.

You should update your devices as soon as possible. Unfortunately, there are not fixes yet for most operating systems or Wi-Fi access points.

The use of HTTPS is always a good idea, particularly now. We recommend that everyone install the browser extension “HTTPS Everywhere” which will automatically switch your browser to use HTTPS when a website supports it. The new Wi-Fi attack makes it much easier for an attacker to try to downgrade your web browsing to use an insecure connection, and the HTTPS Everywhere extension will prevent this for most popular websites. See https://www.eff.org/https-everywhere to install this extension.

The use of a personal VPN is always a good idea, particularly now. A personal VPN encrypts your traffic to the entire internet, while a corporate VPN just encrypts your traffic to the corporate network. To read more about Riseup’s VPN service, see https://riseup.net/vpn

Current update status


Android: There is no fix yet for Android. Devices with Android 6.0 or later are highly vulnerable.

iOS: No update is available yet.

macOS: No update is available yet.

Windows: Update is available.

Ubuntu and Debian Linux: Security patches are available. Run `sudo apt update; sudo apt upgrade`.

Red Hat Linux and Fedora: No fix yet released. See https://access.redhat.com/security/cve/cve-2017-13077 for latest status. You can keep trying to run `sudo yum update` until you see wpa_supplicant get updated.

Access points and home routers: check the website of the manufacturer.

More information


For an updated list of the state of security patches to client operating systems and AP firmware, see: KRACK Megathread. Check back often for updated information. from KRaCK

https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/

http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/

For more information on the flaw in WPA2, see:

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

Advertisements