Security

Security (2)

Thursday, 21 July 2016 06:28

HTTPOXY VULNERABILITY

Written by

if you are running your website on a VPS, then you need to be aware of the HTTPOXY vulnerability, and take immediate steps to prevent it from attacking your server.

What is the HTTPOXY Vulnerability?

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict: RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY HTTP_PROXY is a popular environment variable used to configure an outgoing proxy This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now.

What can happen if my web server is vulnerable?

If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to:

  • Proxy the outgoing HTTP requests made by the web application
  • Direct the server to open outgoing connections to an address and port of their choosing
  • Tie up server resources by forcing the vulnerable software to use a malicious proxy

httpoxy is extremely easy to exploit in basic form. Luckily, if you  are affected, easy mitigations are available.

 

 

 

A signalling system called ss7 - used by virtually all  mobile phone companies worldwide to connect between networks has a vulnerability, enabling cyber criminals and government agencies to listen to phone calls, read your texts, and find your location just by knowing your phone number and there is nothing that an end user can do to protect themselves against it. The increasing use of SMS codes to authorise changes to bank accounts & payments, two-step authentication for websites, means that yet another authentication method has been compromised.

What does SS7 do?

SS7 allows mobile phone networks to exchange the information needed for passing calls and text messages between each other and to ensure correct billing. SS7  also allows users on one network to roam on another network or in another country.

What can access to SS7 enable hackers/governments to do?

Cybercriminals and security agencies can transparently forward calls, giving them the ability to record or listen in to them;  read SMS messages sent between phones, and track the location of a phone.

Who is affected by the vulnerability?

Anyone with a mobile phone could be vulnerable, providing the mobile network or its connected networks.

What’s being done about it?

Since the exposure of security holes within the SS7 system, certain bodies, including the mobile phone operators’ trade association, the GSMA, have set up a series of services that monitor the networks, looking for intrusions or abuse of the signalling system.

What are the implications for users?

One of the biggest dangers is the interception of two-step verification codes that are often used as a security measure when logging into websites, email accounts or banking where verification codes are sent  via text message.

Banks and other secure institutions also use phone calls or text messages to verify a user’s identity, which could be intercepted and therefore led to fraud or malicious attacks.

What can I do to protect myself from snooping via SS7?

There is very little you can do to protect yourself beyond not using the services.  For text messages, avoiding SMS and instead using encrypted messaging services such as Apple’s iMessage, Facebook’s WhatsApp or the many others available will allow you to send and receive instant messages without having to go through the SMS network, protecting them from surveillance.

For calls, using a service that carries voice over data rather than through the voice call network will help prevent your calls from being snooped on. Messaging services including WhatsApp permit calls. Silent Circle’s end-to-end encrypted Phone service or the open-source Signal app also allow secure voice communications.

Your location could be being tracked at any stage when you have your mobile phone on. The only way to avoid it is to turn off your phone or turn off its connection to the mobile phone network and rely on Wi-Fi instead.

Why is the current situation?

Security holes within SS7 were first uncovered by security researchers, and demonstrated at Chaos Communication Congress hacker conference in Hamburg in 2014.  In 2015 the hacking of Italian surveillance software vendor Hacking Team highlighted the continuing use of the SS7 system in government and criminal snooping. German researcher Nohl demonstrated by remotely surveilling a US congressman in California from Berlin for CBS’s 60 Minutes that has brought SS7 under the spotlight once again. Congressman Ted Lieu has called for an oversight committee investigation into the vulnerability.

×
Help Us
Get Better
Invalid Name Invalid Email Address Invalid Mobile Invalid characters in Messages
Please help us improve, leave some feedback on our site, products, or products you'd need that we don't provide. We promise to respond to all feedback.