One zero-day down, one to go.
As expected, Microsoft today patched a zero-day in its GDI+ graphics component (MS13-096) that was reported more than a month ago after exploits were spotted in the wild. The fix was one of 11 security bulletins, five of them rated critical, released as part of the December 2013 Patch Tuesday security updates.
Another zero-day, affecting Windows XP users, remains unpatched despite active exploits. The vulnerability is in the NDProxy driver that manages the Microsoft Telephony API and is an elevation-of-privilege flaw, so the attacks rely on a second vulnerability to get code running on the XP machine first. Microsoft recommends disabling NDProxy as a mitigation until a patch is available.
While there were five critical bulletins released today, experts urge IT administrators to also prioritize an ASLR bypass vulnerability that was patched today and rated “important” by Microsoft.
MS13-106 takes care of an Office vulnerability that is being exploited in the wild, Microsoft said. Attackers hosting a malicious exploit online can load hxds.dll, an Office help library that was not built with ASLR support and therefore maps at a predictable address, and so bypass ASLR (Address Space Layout Randomization), a Windows security feature that mitigates memory corruption exploits.
“The vulnerability could allow security feature bypass if a user views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer,” Microsoft said in its advisory. “The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code.”
ASLR bypasses have become more frequent this year and have been rolled into a number of exploit kits. Introduced in Windows Vista, ASLR reduces exploit reliability by randomizing where code and data are loaded, so an attacker cannot predict the addresses of the instructions a payload needs. It does not prevent the memory corruption itself; it makes the corruption harder to turn into code execution, which is why attackers pair a corruption bug with an information leak or a module that loads at a fixed address.
“This particular library, hxds.dll, has been used by numerous attacks in the wild with great success because it can be easily loaded into memory from a web page by using the ‘ms-help:’ protocol handler,” said Craig Young, security researcher at Tripwire. “Until today, the only options that protect against this were the removal of Office 2007/2010 installs or enabling Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).”
Admins will also have to contend with yet another cumulative update for Internet Explorer. MS13-097 patches a number of remote code execution vulnerabilities in the browser, all the way back to IE 6. IE has been patched almost monthly this year and has been front and center in numerous targeted attacks.
Microsoft also patched a critical bug in its Authenticode signature verification that is being exploited. The vulnerability addressed by MS13-098 allows remote code execution if a user is enticed to run an application that contains a malicious, signed portable executable (PE) file. The patch modifies how the WinVerifyTrust function handles Windows Authenticode signature verification for PE files, Microsoft said.
“Attackers have been abusing installers from legitimate software makers to install malware. These installers are configured in a way to dynamically download code extensions that are not checked for correct signatures, and attackers have found a way to piggyback on that mechanism,” said Qualys CTO Wolfgang Kandek, who added that the patch prepares the system for a more stringent integrity check that prevents such exploits. Microsoft also issued a separate security advisory regarding the Authenticode patch, that after June 10, 2014 it will no longer recognize non-compliant signed binaries.
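The mechanism Kandek describes depends on a signed PE file carrying extra bytes inside its Certificate Table: the WIN_CERTIFICATE entry is longer than the PKCS#7 SignedData blob it wraps, and the extra bytes are neither hashed nor checked, so an installer (or an attacker piggybacking on one) can stuff data there without breaking the signature. The Python below is an added example written for this page, not Microsoft code and not a cryptographic verifier: it walks the PE headers to the Certificate Table and measures the slack between the DER-encoded blob and the declared entry length, treating anything beyond the 7 bytes of alignment padding the PE specification allows as suspicious. The sample images it parses are constructed in-line from a header skeleton with a placeholder DER element standing in for a real signature; the "url=" payload string is invented.

```python
import struct

WIN_CERT_HEADER = 8                  # dwLength(4) + wRevision(2) + wCertificateType(2)
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory slot holding the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
ALIGN_SLACK = 7                      # the PE spec allows padding to an 8-byte boundary


def der_total_length(blob):
    """Total size (tag + length octets + content) of the outermost DER element
    at blob[0], or None if the length field is malformed or exceeds the buffer."""
    if len(blob) < 2:
        return None
    first = blob[1]
    if first < 0x80:
        total = 2 + first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return None
        total = 2 + n + int.from_bytes(blob[2:2 + n], "big")
    return total if total <= len(blob) else None


def authenticode_slack(pe):
    """Walk the PE headers to the Certificate Table and measure how many bytes
    sit inside the WIN_CERTIFICATE entry after the PKCS#7 SignedData blob ends.
    Returns None when the image carries no Authenticode signature."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_hdr = e_lfanew + 24                          # after the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    dir_base = {0x10B: 96, 0x20B: 112}.get(magic)    # PE32 / PE32+ data directory offset
    if dir_base is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = opt_hdr + dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, entry)  # file offset, not an RVA
    if cert_size == 0:
        return None
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)
    if dw_length > cert_size or cert_off + dw_length > len(pe):
        raise ValueError("WIN_CERTIFICATE length exceeds the Certificate Table")
    blob = pe[cert_off + WIN_CERT_HEADER:cert_off + dw_length]
    der_len = der_total_length(blob)
    if der_len is None:
        raise ValueError("bCertificate does not start with a well-formed DER element")
    slack = len(blob) - der_len
    return {
        "dwLength": dw_length,
        "revision": revision,
        "type": cert_type,
        "pkcs7_length": der_len,
        "slack": slack,
        "suspicious": cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or slack > ALIGN_SLACK,
    }


def build_sample_pe(extra):
    """Constructed test image: a PE32 header skeleton (not loadable) whose
    Certificate Table holds a placeholder 20-byte DER SEQUENCE followed by `extra`.
    The placeholder stands in for a real PKCS#7 blob; only its framing matters here."""
    der = b"\x30\x82\x00\x10" + b"\x00" * 0x10
    cert_blob = der + extra
    win_cert = struct.pack("<IHH", WIN_CERT_HEADER + len(cert_blob), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
    pe = bytearray(0x200)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)                       # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", pe, 0x84, 0x14C, 0, 0, 0, 0, 224, 0x0102)  # COFF header
    struct.pack_into("<H", pe, 0x98, 0x10B)                      # PE32 magic
    struct.pack_into("<II", pe, 0x98 + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x200, len(win_cert))                       # Certificate Table entry
    return bytes(pe) + win_cert


if __name__ == "__main__":
    # Constructed: an entry stuffed with installer "configuration" after the DER blob.
    stuffed = build_sample_pe(b"url=http://example.invalid/payload.bin;" + b"\x00" * 25)
    print(authenticode_slack(build_sample_pe(b"")))
    print(authenticode_slack(stuffed))
```

Run against a real binary with `authenticode_slack(open(path, "rb").read())`; a clean signtool-produced file shows a slack of 0 to 7 bytes, while the installers Kandek describes show tens to thousands of bytes of trailing data. The check says nothing about whether the signature itself verifies, which is the job of WinVerifyTrust.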
The two remaining critical bulletins, MS13-099 and MS13-105, patch remote code execution vulnerabilities in Microsoft Scripting Runtime Object Library and Exchange Server respectively. Three of the four Exchange vulnerabilities addressed in the bulletin, it’s worth noting, are publicly disclosed. The most serious is in the WebReady Document Viewing and DLP features of Exchange Server, Microsoft said.
The remaining bulletins—rated “important”—address one remote code execution bug, three privilege escalation issues and an information disclosure vulnerability:
- MS13-100 patches a remote code execution vulnerability in Microsoft SharePoint Server; an attacker would have to be authenticated to the server to exploit the vulnerability. A successful exploit would enable an attacker to run code in the context of the W3WP service account on the SharePoint site.
- MS13-101 fixes a privilege elevation issue in Windows Kernel-Mode Drivers. An attacker would have to log onto a system and run a malicious application to exploit the bug.
- MS13-102 is a patch for a vulnerability in the LRPC Client that would allow an attacker to elevate their privileges on an LRPC server. Doing so would allow an attacker to install programs, manipulate data or create accounts. Valid credentials are needed to exploit this bug.
- MS13-104 is a fix for an information disclosure vulnerability in Microsoft Office. Successful exploits could give an attacker access tokens used to authenticate a user on a SharePoint or Office server site.
Microsoft also sent out an advisory that revokes the digital signatures for nine private, third-party UEFI modules for Windows 8 and Windows Server 2012 machines. These modules would be loaded during a UEFI Secure Boot, if it is enabled.
Telecommunications giant AT&T has come under fire from privacy advocates after it acknowledged that it will not publicly disclose any of its dealings with the National Security Agency.
The company claimed that protecting customer privacy is at the crux of its decision not to share government requests in a letter to the U.S. Securities and Exchange Commission.
The letter, penned by the company’s legal counsel, asks that the issue not be brought up at AT&T’s annual shareholder meeting next spring.
Shareholders, along with representatives from the ACLU, have been rallying for the company to publish a transparency report, much like those recently produced by Facebook, Twitter and Google, to clear the air around exactly what – and how much – customer information it shares with the government.
AT&T’s letter however argues that kind of information isn’t anyone’s business, especially its users or shareholders, arguing that it’s “a core management function” and “an integral part of AT&T’s day-to-day business operations.”
It goes on to say that disclosing such information could jeopardize the company’s legal strategy, noting several pending lawsuits that require the company to “provide personal information to other entities, such as government agencies, credit bureaus and collection agencies.”
While the letter more or less wholly rejects the concept of a transparency report, AT&T notes that if it were to produce one, it would be limited to the company’s responses to law enforcement requests for information and not information regarding the government’s surveillance activities.
Verizon and AT&T shareholders issued letters in November asking the companies to “publish semi-annual reports, subject to existing laws and regulation, providing metrics and discussion regarding requests for customers’ information by U.S. and foreign governments.”
Those letters cited a controversial June Wall Street Journal article that claimed AT&T “provided millions of U.S. customers’ call records to the U.S. National Security Agency (NSA),” and encouraged the company to follow in the footsteps of major Internet companies that have begun publishing similar transparency reports.
Both companies scored poorly on the Electronic Frontier Foundation’s “Who Has Your Back?” report card, issued back in May. The annual report, which surveys major communication and social media companies’ stances on data privacy, points out that both companies fail to tell their users about data requests, fail to publish law enforcement guidelines and will not fight for their users’ privacy rights in court.
Meanwhile, public opposition to AT&T has begun to pick up steam in the wake of its stance.
A petition started by the San Francisco ACLU office urging both companies to be more transparent about what they do with user information has gathered nearly 32,000 supporters in the few days since AT&T’s statement.
“We’re working with our friends at SumOfUs to rally thousands of AT&T and Verizon customers and potential customers and prove to these giant telcos that their silence is putting their public image and bottom line at risk,” reads the petition.
AT&T is understandably absent from a list of eight companies: AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo, who formed a coalition yesterday, Reform Government Surveillance, calling for the reform of the government’s surveillance activities going forward, post-NSA revelations.
Adobe published two security bulletins today, resolving a pair of vulnerabilities in both Shockwave and Flash Player.
The Shockwave security update applies to versions 12.0.7.148 and earlier on Windows and Mac OS X and addresses a pair of memory corruption vulnerabilities (CVE-2013-5333 and CVE-2013-5334) that could give an attacker the ability to execute code remotely. Adobe gave this update a priority rating of 1, meaning that attackers are likely targeting the bugs in the wild, or soon will be.
Adobe also pushed out security updates for versions 11.9.900.152 and earlier of its Flash Player on Windows and Mac OS X and for versions 11.2.202.327 and earlier on Linux. The updates address a type confusion vulnerability (CVE-2013-5331) and a memory corruption vulnerability (CVE-2013-5332), either of which could crash the player and potentially allow an attacker to take control of the affected machine.
“Adobe is aware of reports that an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content exists for CVE-2013-5331,” Adobe says in the bulletin announcement. “Adobe Flash Player 11.6 and later provide a mitigation against this attack.”
Adobe recommends the following updates:
- Users of Adobe Flash Player 11.9.900.152 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.9.900.170.
- Users of Adobe Flash Player 11.2.202.327 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.332.
- Adobe Flash Player 11.9.900.152 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.9.900.170 for Windows, Macintosh and Linux.
- Adobe Flash Player 11.9.900.152 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.9.900.170 for Windows 8.0.
- Adobe Flash Player 11.9.900.152 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 11.9.900.170 for Windows 8.1.
- Users of Adobe AIR 3.9.0.1210 and earlier versions for Windows and Macintosh should update to Adobe AIR 3.9.0.1380.
- Users of Adobe AIR 3.9.0.1210 and earlier versions for Android should update to Adobe AIR 3.9.0.1380.
- Users of the Adobe AIR 3.9.0.1210 SDK and earlier versions should update to the Adobe AIR 3.9.0.1380 SDK.
- Users of the Adobe AIR 3.9.0.1210 SDK & Compiler and earlier versions should update to the Adobe AIR 3.9.0.1380 SDK & Compiler.
Adobe considers the Flash bugs on Windows and Mac OS X the highest priority, while the Linux Flash update and the Adobe AIR updates received priority ratings of 3, meaning that attackers are unlikely to target them.
Adobe acknowledges Liangliang Song and Honggang Ren of Fortinet for finding the Shockwave bugs, and David D. Rude II of iDefense Labs and Attila Suszter of the Reversing on Windows blog for finding the Flash bugs.
Mozilla has released a major new version of Firefox, which includes fixes for more than a dozen security vulnerabilities as well as an important change that makes all Java plugins click-to-play by default. This setting prevents those plugins from running automatically on Web pages, which helps protect users against some Web-based attacks.
The modification to the way that Firefox 26 treats plugins is a significant security benefit for users, especially those who may not be aware of the security issues that plugins can cause. Attackers will use vulnerabilities in plugins such as Java, Flash or Silverlight to compromise users who visit a site that has content that is automatically rendered by those extensions. Mozilla began the process of changing the way that Firefox treats plugins earlier this year, but this is the first time that the change has shown up in the final version of the browser.
“Even though many users are not even aware of plugins, they are a significant source of hangs, crashes, and security incidents. By allowing users to decide which sites need to use plugins, Firefox will help protect them and keep their browser running smoothly,” Mozilla’s Benjamin Smedberg said earlier this fall about the upcoming change to Firefox’s handling of plugins.
Java has been a particular favorite of attackers in recent years, thanks to its long tail of security issues and ubiquity on the Web. Making all Java plugins click-to-play means that users will now have to explicitly choose to play a plugin anytime they encounter one. Other browsers, such as Google Chrome, give users the option of enabling click-to-play, as well.
In addition to the change to plugin behavior, Firefox 26 also has patches for a number of vulnerabilities, including five critical ones. A major fix in the new browser is Mozilla actively revoking trust in an intermediate certificate issued by the Agence Nationale de la Sécurité des Systèmes d’Information in France. The certificate was used to issue certificates for several of Google’s domains by mistake. Google researchers detected the issue and revoked trust for the certificate, as well, and notified other browser vendors. Mozilla officials said they don’t believe that the mistake put any users in danger, outside of the certificate authority’s network.
“An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website without browser warnings being triggered. An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software. We believe that this MITM instance was limited to the subordinate CA’s internal network,” Kathleen Wilson of Mozilla said.
The other security fixes in Firefox 26 include:
MFSA 2013-116 JPEG information leak
MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
MFSA 2013-114 Use-after-free in synthetic mouse movement
MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation
MFSA 2013-112 Linux clipboard information disclosure through selection paste
MFSA 2013-111 Segmentation violation when replacing ordered list elements
MFSA 2013-109 Use-after-free during Table Editing
MFSA 2013-108 Use-after-free in event listeners
MFSA 2013-107 Sandbox restrictions not applied to nested object elements
MFSA 2013-106 Character encoding cross-origin XSS attack
MFSA 2013-105 Application Installation doorhanger persists on navigation
MFSA 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)
Eleven Microsoft Security Bulletins are being pushed out this month, MS13-096 through MS13-106. Five of them are rated "Critical" and the other six are rated "Important". The top priorities to roll out this month are the critical GDI+ (MS13-096), Internet Explorer (MS13-097), and Scripting Runtime (MS13-099) updates.
Several of the vulnerabilities have been actively exploited in targeted attacks around the world, and one of them has been known to be in the wild for at least six months or so.
The GDI+ update patches memory corruption vulnerability CVE-2013-3906, which we have been detecting as Exploit.Win32.CVE-2013-3906.a (http://www.securelist.com/en/blog/8139/CVE_2013_3906_another_0_day_for_Microsoft_Office). We have seen a low number of in-the-wild variations exploiting this vulnerability through a malformed TIFF file, all dropping backdoors like Citadel, the BlackEnergy bot, PlugX, Taidoor, Janicab, Solar, and Hannover. The target profile and toolset distribution related to these exploit attempts suggest a broad array of likely threat actors that got their hands on it since this July, and a wide-reaching distribution chain that provided the exploit around the world. Considering the variety of uses and sources, this one may replace CVE-2012-0158 as a part of targeted attacks in terms of overall volume.
The Internet Explorer bulletin fixes seven different elevation of privilege and memory corruption vulnerabilities, which collectively affect everything from Internet Explorer 6 on Windows XP SP3 through Internet Explorer 11 on Windows Server 2012 R2 and Windows RT 8.1.
With the depths of domestic government surveillance still not fully realized, secure communications capabilities are at a premium, especially for the privacy conscious.
Already, we’ve seen some services such as Lavabit and Silent Circle’s Silent Mail shutter operations rather than hand over decryption keys to the government that would enable snooping on their respective users. Both companies recognized shortcomings in their products’ email encryption that made it impossible for them to keep their promises of preserving user privacy. Since then, however, the two companies have joined forces in what they’re calling the Dark Mail Alliance, an effort to develop an open protocol and architecture for private email.
In the meantime, while secure email may be a challenging hill to climb, secure end-to-end encrypted text messaging has been a bit easier to conquer; successful systems keep the encryption keys on the user’s device, for example, out of the NSA’s reach. And now, given an announcement yesterday, encrypted messaging is within reach of millions of Android mobile device users.
Open WhisperSystems announced that its TextSecure protocol will be integrated as part of the CyanogenMod OS-level SMS app, bringing encryption to 10 million users; CyanogenMod provides aftermarket firmware for Android devices.
Open WhisperSystems cofounder Moxie Marlinspike said in the announcement it was important for this to be a seamless, transparent integration for the user, who would now be able to send encrypted text messages as simply and reliably as before. He also said this is just the first step toward providing secure communications capabilities to the masses, and that an end-to-end encrypted communications client for Apple iOS is in the works, as is a TextSecure browser extension.
“This effort marks the beginning of our transition to the data channel as a TextSecure transport, which should hopefully open up a host of ongoing opportunities,” Marlinspike said. “Soon we will have a truly cross platform seamless asynchronous messaging system built on open protocols and open source software, with an already massive user base.”
Unlike Silent Circle’s secure text messaging client Silent Text, for example, TextSecure does not require both ends of the conversation to have the client installed (messages to other users go out as ordinary SMS, and are encrypted only when the other end also speaks the protocol), nor are encryption keys stored with Open WhisperSystems. Instead, they are kept on the user’s device.
Marlinspike said the native CyanogenMod SMS client was modified to support the TextSecure protocol, and that TextSecure for CyanogenMod runs on the TextSecure V2 protocol and supports forward secrecy and the triple Diffie-Hellman (3DHE) key agreement for deniable messages.
“If an outgoing SMS message is addressed to another CyanogenMod or TextSecure user, it will be transparently encrypted and sent over the data channel as a push message to the receiving device. That device will then decrypt the message and deliver it to the system as a normal incoming SMS,” Marlinspike said. “The result is a system where a CyanogenMod user can choose to use any SMS app they’d like, and their communication with other CyanogenMod or TextSecure users will be transparently encrypted end-to-end over the data channel without requiring them to modify their work flow at all.”
Marlinspike said too that the recipient device does not have to be on in order for messages to be sent.
“The user doesn’t have to initiate a key exchange and wait for a round trip to complete, or know that the recipient is ‘online,’” he said.
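The 3DHE agreement Marlinspike mentions is triple Diffie-Hellman: each side holds a long-term identity key and a fresh ephemeral key, and the session key is derived from three DH shared secrets (identity-to-ephemeral in both directions plus ephemeral-to-ephemeral). The Python below is an added illustration written for this page, not Open WhisperSystems code. It uses a toy modular group and a SHA-256 KDF (assumptions of this example; TextSecure itself uses Curve25519 and its own key derivation) to show the two properties the article names: the key depends only on DH values that either party can compute alone with its own private keys, so a transcript does not prove who wrote it (deniability), and because the ephemeral exponents are discarded after use, a later compromise of the identity keys does not recover earlier session keys (forward secrecy). The `session_demo` helper runs two sessions between the same identities so the second point is visible.

```python
import hashlib
import secrets

# Toy multiplicative group for illustration only (an assumption of this example;
# TextSecure uses Curve25519): p is the Mersenne prime 2^521 - 1. Not for production use.
P = (1 << 521) - 1
G = 5
KEY_BYTES = (P.bit_length() + 7) // 8


def keygen():
    """One DH key pair: a random exponent x and the public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(priv, their_pub):
    """Raw DH shared secret as fixed-width big-endian bytes."""
    return pow(their_pub, priv, P).to_bytes(KEY_BYTES, "big")


def triple_dh(ik_priv, ek_priv, their_ik_pub, their_ek_pub, initiator):
    """3DH: mix identity<->ephemeral DH in both directions with ephemeral<->ephemeral
    DH. Both parties must concatenate the three shared values in the same order,
    which is what the initiator flag arranges. No signature is made over anything,
    so the result binds the parties only to values each could have produced alone."""
    if initiator:
        shared = [dh(ik_priv, their_ek_pub),   # DH(IK_A, EK_B)
                  dh(ek_priv, their_ik_pub),   # DH(EK_A, IK_B)
                  dh(ek_priv, their_ek_pub)]   # DH(EK_A, EK_B)
    else:
        shared = [dh(ek_priv, their_ik_pub),   # DH(EK_B, IK_A) == DH(IK_A, EK_B)
                  dh(ik_priv, their_ek_pub),   # DH(IK_B, EK_A) == DH(EK_A, IK_B)
                  dh(ek_priv, their_ek_pub)]   # DH(EK_B, EK_A) == DH(EK_A, EK_B)
    return hashlib.sha256(b"3DHE-demo" + b"".join(shared)).digest()


def session_demo():
    """Two sessions between the same long-term identities, each with fresh
    ephemerals. In TextSecure's asynchronous case Bob's ephemeral public value
    would come from a prekey fetched in advance, which is why the recipient need
    not be online; the arithmetic is the same."""
    a_ik, a_ik_pub = keygen()      # Alice's identity key pair
    b_ik, b_ik_pub = keygen()      # Bob's identity key pair

    def one_session():
        a_ek, a_ek_pub = keygen()  # ephemerals: used once, then deleted
        b_ek, b_ek_pub = keygen()
        k_alice = triple_dh(a_ik, a_ek, b_ik_pub, b_ek_pub, initiator=True)
        k_bob = triple_dh(b_ik, b_ek, a_ik_pub, a_ek_pub, initiator=False)
        return k_alice, k_bob

    ka1, kb1 = one_session()
    ka2, kb2 = one_session()
    return {"alice_key": ka1, "bob_key": kb1,
            "second_alice_key": ka2, "second_bob_key": kb2}


if __name__ == "__main__":
    s = session_demo()
    print("session 1 agree:", s["alice_key"] == s["bob_key"])
    print("session 2 agree:", s["second_alice_key"] == s["second_bob_key"])
    print("sessions differ:", s["alice_key"] != s["second_alice_key"])
```

Deniability follows from the structure rather than from any line of code: Bob computes exactly the bytes Alice computes, using only his own private keys and Alice's public values, so anything he later shows a third party is something he could have fabricated himself.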
Microsoft announced yesterday that it will complement the two-factor authentication it enabled for account holders in April with additional security features designed to deny account hijacking and unauthorized access.
Windows PC and mobile users, along with Outlook, SkyDrive, Xbox, Skype and other Microsoft services users will soon have three new capabilities to further prop up their accounts.
The most novel may be a dashboard view that presents a user with a log of recent activity, such as log-in attempts—including failed attempts—as well as the addition or deletion of security information and the type of device and browser used for a particular activity. Location is displayed on a map, as well as timestamp data.
“You know best what’s been happening with your account – so the more we give you tools to understand what’s happening, the better we can work together to protect your account,” wrote Eric Doerr, a group program manager at Microsoft. “For example, a login from a new country might look suspicious to us, but you might know that you were simply on vacation or on a business trip.”
Users who determine there has been suspicious or unauthorized activity can click on a “This wasn’t me” button that will then display steps the user can take to secure their accounts.
In addition, users who have already enabled two-factor authentication will be able to generate a recovery code to access their accounts without having to use the information provided during the setup of two-factor.
“Because two-step verification setup requires two verified pieces of security information, like a phone number and email address, it will be a rare occasion when both options fail, but in the event they do, we’ve got you covered,” Doerr said.
Microsoft said that any account holder will be able to add a recovery code to their account, but users will be able to request only one recovery code at a time; requesting a new one cancels the old one, Doerr said.
“Your recovery code is like a spare key to your house,” Doerr said. “So make sure you store it in a safe place.”
The final new feature users can expect is additional management of security notifications, such as password resets. Users will be able to select, for example, whether they want security notifications sent to an email address or to a mobile device via text message.
Microsoft account holders have had two-factor authentication at their disposal since April. Users are asked to provide two pieces of security information that Microsoft stores; the user will enter a password, for example, and then have a code sent to their mobile device as a second authenticator.
Microsoft also released an Authenticator app for Windows Phone; the app is built on a standard one-time-password protocol, meaning that it can also be used with other Web-based services that support the same standard, such as those offered by Google, Dropbox and others.
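The standard that lets one authenticator app serve several services is the time-based one-time password scheme of RFC 6238, which runs the HMAC-based HOTP algorithm of RFC 4226 over a time counter. The following is an added example written for this page, not Microsoft's code: a standard-library-only Python implementation with a verification routine that tolerates one step of clock skew and compares codes in constant time, plus the `otpauth://` provisioning URI that authenticator apps read from a QR code. The account name and issuer are made up; the secret is the reference key from RFC 6238, so the codes it produces can be checked against the test vectors in that RFC.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer reduced to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algorithm=hashlib.sha1, t0=0):
    """RFC 6238 TOTP: HOTP with the counter set to the number of whole time
    steps elapsed since t0 (the Unix epoch by default)."""
    return hotp(secret, (unix_time - t0) // step, digits, algorithm)


def verify_totp(secret, submitted, unix_time, window=1, step=30, digits=6,
                algorithm=hashlib.sha1):
    """Accept a code for the current step or up to `window` steps either side,
    to absorb clock skew between phone and server. Returns the matching step
    offset, or None. hmac.compare_digest keeps the comparison constant-time."""
    for delta in range(-window, window + 1):
        expected = totp(secret, unix_time + delta * step, step, digits, algorithm)
        if hmac.compare_digest(expected, submitted):
            return delta
    return None


def provisioning_uri(secret, account, issuer, digits=6, step=30):
    """otpauth:// URI of the kind an authenticator app imports from a QR code;
    the shared secret travels base32-encoded without '=' padding."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return "otpauth://totp/%s:%s?secret=%s&issuer=%s&digits=%d&period=%d" % (
        quote(issuer), quote(account), b32, quote(issuer), digits, step)


# Constructed demo values: the RFC 6238 reference secret and a made-up account.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(provisioning_uri(DEMO_SECRET, "user@example.invalid", "ExampleIssuer"))
    for t in (59, 1111111109, 1234567890):
        print(t, totp(DEMO_SECRET, t, digits=8))
```

On the server side, also record the last step offset accepted for each user and refuse a second use of the same code within the window; RFC 6238 allows the skew window but a replayed code must still be rejected.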
Eight massive technology companies including Facebook, Apple and Google make up a new coalition calling for a reform of surveillance practices, which the companies say are undermining trust in not only their respective services, but of the Internet as a medium for communication and commerce.
The group, joined under the banner Reform Government Surveillance, co-authored an open letter to President Barack Obama and the U.S. Congress that says the surveillance of Americans in the name of national security undermines freedom.
“The balance in many countries has tipped too far in favor of the state and away from the rights of the individual—rights that are enshrined in our Constitution,” the companies wrote.
This is not the first time AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo have locked arms in protest of the National Security Agency’s activities since they were revealed starting in June in a series of documents by former NSA contractor Edward Snowden.
The tech giants have repeatedly petitioned Congress and the Attorney General for greater freedom to quantify the number of court orders—in particular those issued by the secret Foreign Intelligence Surveillance Court—requiring them to share user data with the government. Currently, National Security Letters can only be reported in bulk and in buckets of 1,000. The companies argue that just clouds transparency efforts.
The group urged governments to adopt five principles it explains on its website, starting with limits on the government’s ability to compel service providers to disclose user data and an end to bulk collection of Internet communications. It also calls for intelligence agencies to operate under a clear, transparent legal framework that includes independent reviewing courts, which is currently not the case with FISC.
In addition to again requesting permission to publish the number and nature of government requests for data, the group asks government to allow data to cross borders without having to worry about legal loopholes that enable government to access data stored outside the country.
Finally, the tech companies ask that governments work together to avoid conflicting laws and develop transparent legal frameworks under which governments agree to operate when it comes to requests for user data.
“Reports about government surveillance have shown there is a real need for greater disclosure and new limits on how governments collect information,” Facebook CEO Mark Zuckerberg said. “The US government should take this opportunity to lead this reform effort and make things right.”
For their part, most of the companies in question have ramped up their efforts to encrypt data and the connections between data centers that were tapped by the NSA. A recent study by the Electronic Frontier Foundation of the encryption practices of a number of leading technology companies and Internet service providers showed varying levels of deployment. Most, for example, already serve HTTPS by default on all services; Yahoo is a laggard in this area, though it has announced that it will do so early in 2014. Notably fewer have deployed either HSTS or perfect forward secrecy, which experts are increasingly vocal about making common accepted practice.
“The security of users’ data is critical, which is why we’ve invested so much in encryption and fight for transparency around government requests for information,” said Google CEO Larry Page. “This is undermined by the apparent wholesale collection of data, in secret and without independent oversight, by many governments around the world.”
Recent revelations just add to the gravity and depths of the NSA’s surveillance activities; the Washington Post, for example, reported last week that the agency collects five billion cell records a day.
“People won’t use technology they don’t trust,” said Brad Smith, Microsoft General Counsel. “Governments have put this trust at risk and governments need to help restore it.”
Microsoft trumpeted its disruption of the ZeroAccess peer-to-peer botnet late last week, but some experts are holding off on scheduling a celebratory ticker-tape parade.
With numerous successful takedowns of botnets with a centralized command and control infrastructure in its back pocket, Microsoft may have missed the mark on its first crack at a P2P botnet. Security company Damballa, for one, is reporting that Microsoft targeted only the click-fraud component of the botnet and not the custom communication protocol used by ZeroAccess to distribute configuration files and new commands. Attackers, researchers say, can simply issue new configuration files to the botnet and resume operations in a relatively short amount of time.
As for the click-fraud component, Damballa researchers say that approximately 62 percent of that part of the infrastructure seems to be up and running.
“Even without updates being sent across the P2P channel, the botnet’s monetization was largely unaffected,” wrote Damballa chief scientist Manos Antonakakis and Yacin Nadji, a Ph.D. candidate at the Georgia Institute of Technology, in a blog post.
Nadji told Threatpost this morning that the attackers could be up and running again shortly, needing only to acquire additional servers and domain names and then update a text file with the new information; he added that sending new configuration files is far cheaper for an attacker than rebuilding from scratch.
“If you disable the click-fraud component without disrupting the peer to peer infrastructure, the botnet masters just have to use the existing peer to peer infrastructure to send updates to say ‘Ok, don’t use this click fraud infrastructure any more, use this new one,” Nadji said. “It doesn’t eliminate the botmasters’ ability to communicate with its infected peers, so if they had asked anyone’s opinion in the security community who is familiar with this botnet, they would have been able to say this is not going to do anything.”
Peer-to-peer botnets such as ZeroAccess, Kelihos, and versions of Zeus have proven difficult to keep in check; compromised bots talk to each other rather than to a central server. Often they employ custom protocols for communication that must be decrypted before they can be analyzed. Researchers have in the past had a rough go analyzing peer-to-peer botnets, or even enumerating their size.
A paper released earlier this year examined these features as well as botnets’ resilience to sinkholing, injection attacks and other disruptive methods used against other botnets. According to the paper, ZeroAccess maintains its peer lists by updating them every few seconds and merging previous lists, keeping the 256 most recent peers.
ZeroAccess has been around since 2009, evolving from a platform that pushed malware to a money-making botnet. According to Microsoft and Europol, it has infected nearly two million computers all over the world and cost online advertisers upwards of $2.7 million each month. Nadji said that taking over a peer-to-peer botnet is time consuming and difficult, largely because you’d have to not only understand the custom communication protocol and encryption being used, but then you would have to advertise yourself as a node on the network and send faulty information to other bots to slowly take it over.
“Even in this case, you would have to worry about reactive botmasters. If they’re able to see if this behavior is happening on the network, they may be able to counter it in some ways,” he said.
Microsoft teamed up with Europol’s European Cybercrime Centre (EC3), the FBI, and the application networking and security firm A10 Networks to take down ZeroAccess. Microsoft filed a lawsuit against the botnet’s operators, and a Texas district court granted the tech giant permission to block incoming and outgoing traffic to 18 IP addresses found to be involved in the scam. Microsoft was also able to wrest control of 49 domains associated with ZeroAccess.
“The coordinated action taken by our partners was instrumental in the disruption of ZeroAccess; these efforts will stop victims’ computers from being used for fraud and help us identify the computers that need to be cleaned of the infection,” said David Finn, executive director and associate general counsel of the Microsoft Digital Crimes Unit.
Nadji hopes to see better collaboration not only among technology companies, but with law enforcement and academia as well, to combat peer-to-peer botnets.
“We’ve seen some good cases (Conficker) where people from academia, industry and law enforcement were all working together to combat a serious threat,” Nadji said. “Those are the ones most likely to be successful. With peer to peer botnets, there needs to be a lot more work in understanding how we can effectively disable these. If (ZeroAccess takedown) was a more collaborative effort, I think we would have said ‘Hey, wait a minute, we need to handle this better if we’re actually taking down this botnet.’”
Google last week revoked digital certificates for some of its domains that had been fraudulently signed by an intermediate certificate authority with links to France’s cyber-defense agency.
The Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) claims that the spoofed Google certificates were signed by mistake and that the error had no security impact on either the French government or the general public.
“As a result of a human error which was made during a process aimed at strengthening the overall IT security of the French Ministry of Finance, digital certificates related to third-party domains which do not belong to the French administration have been signed by a certification authority of the DGTrésor (Treasury) which is attached to the [Infrastructure Management Trust Administration],” ANSSI officials published in a bulletin on their website.
Google says it first noticed the unauthorized digital certificates late on Dec. 3 and immediately updated Chrome’s certificate revocation list to block all certs issued by the intermediate authority. Google then informed the ANSSI and the other major browsers about the bad cert as well.
The bad certs were not signed by the ANSSI directly but by an intermediate authority whose certificates were signed by the ANSSI. Certificates issued by intermediate CAs are automatically trusted by browsers if the browsers already trust the root CA that signed the intermediate CA’s certificate. In other words, the ANSSI issued a certificate to the offending intermediate CA, granting that intermediate CA permission to carry the full authority of the root CA, which in this case was the ANSSI. It was then the intermediate CA that created a fake certificate spoofing the one that establishes a secure connection with the Google domains in question.
“ANSSI has found that the intermediate CA certificate was used in a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the users on that network,” Google security engineer Adam Langley wrote on Google’s Online Security Blog. “This was a violation of their procedures and they have asked for the certificate in question to be revoked by browsers. We updated Chrome’s revocation metadata again to implement this.”
Google says that its actions addressed an immediate security problem for its users.
“Since our priority is the security and privacy of our users, we are carefully considering what additional actions may be necessary,” Google warned.
The ANSSI says that the whole infrastructure management trust administration (IGC/A) process is under review to ensure that “no incident of this kind will ever happen again.”
It is well known that the SSL certificate system that establishes trust online is seriously flawed. In an attempt to better the situation, Google initiated the Certificate Transparency project, which aims to eliminate these flaws by providing an open framework for monitoring and auditing SSL certificates. Google called this incident a serious breach and says it underscores the need for better certificate transparency.
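The trust logic behind this incident, as an added illustration that is not part of the original article: a browser that trusts a root CA accepts any certificate chained through an intermediate that root signed, which is why revoking the intermediate (as Chrome did here) is what actually cuts the chain. This is a toy model of X.509 path validation written for this page; the certificate names and key ids are constructed, and the "signature" is a stand-in hash bound to the issuer's key id rather than a real asymmetric signature, so only the path rules (issuer matches, issuer is a CA, chain ends at a trust anchor, nothing in the path is revoked) are being demonstrated.

```python
"""Toy model of X.509 path validation: trust flows from a root through an
intermediate to a leaf, and revoking the intermediate cuts it off.
Signatures are a stand-in (SHA-256 over the certificate fields, bound to the
issuer's key id); real PKI uses asymmetric signatures, but the path logic is
the same. All names and key ids are constructed for this example."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str   # stands in for the certificate's public key
    is_ca: bool   # may this certificate sign other certificates?
    sig: str      # toy signature produced by the issuer (see toy_sign)


def toy_sign(issuer_key_id, subject, issuer, key_id, is_ca):
    msg = f"{issuer_key_id}|{subject}|{issuer}|{key_id}|{is_ca}".encode()
    return hashlib.sha256(msg).hexdigest()


def make_root(name, key_id):
    # A root is self-signed; the browser trusts it by configuration, not by signature.
    return Cert(name, name, key_id, True, toy_sign(key_id, name, name, key_id, True))


def issue(issuer, subject, key_id, is_ca=False):
    sig = toy_sign(issuer.key_id, subject, issuer.subject, key_id, is_ca)
    return Cert(subject, issuer.subject, key_id, is_ca, sig)


def verify_sig(cert, issuer):
    expected = toy_sign(issuer.key_id, cert.subject, cert.issuer, cert.key_id, cert.is_ca)
    return cert.issuer == issuer.subject and cert.sig == expected


def validate_chain(chain, roots, revoked_key_ids=frozenset()):
    """chain: leaf first, then intermediates (the root itself is not sent).
    roots: dict subject -> trusted root Cert.  Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    for i, cert in enumerate(chain):
        if cert.key_id in revoked_key_ids:
            return False, f"{cert.subject}: revoked"
        if i + 1 < len(chain):
            issuer = chain[i + 1]              # next cert up the chain signed this one
        else:
            issuer = roots.get(cert.issuer)    # top of the chain must hit a trust anchor
            if issuer is None:
                return False, f"{cert.subject}: issuer {cert.issuer!r} is not a trust anchor"
        if not issuer.is_ca:
            return False, f"{issuer.subject}: not a CA, cannot sign {cert.subject}"
        if not verify_sig(cert, issuer):
            return False, f"{cert.subject}: signature does not verify against {issuer.subject}"
    return True, "trusted"


def demo():
    # Constructed PKI; none of these are the real CAs or domains from the story.
    root = make_root("Example Root CA", "root-key")
    inter = issue(root, "Example Intermediate CA", "inter-key", is_ca=True)
    leaf = issue(inter, "www.example.com", "leaf-key")
    roots = {root.subject: root}
    return {
        # The leaf is trusted purely because its intermediate chains to a trusted root.
        "before_revocation": validate_chain([leaf, inter], roots)[0],
        # Revoking the intermediate (what Chrome's revocation update did) breaks every chain through it.
        "after_revocation": validate_chain([leaf, inter], roots, {inter.key_id})[0],
        # Same chain, but the root is not in the trust store.
        "untrusted_root": validate_chain([leaf, inter], {})[0],
        # An end-entity certificate must not be able to act as an issuer.
        "leaf_as_ca": validate_chain([issue(leaf, "mail.example.com", "k2"), leaf, inter], roots)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'trusted' if ok else 'rejected'}")
```

The `revoked_key_ids` set plays the role of the browser's revocation list: one entry for the intermediate's key is enough to reject every certificate it ever issued, without having to enumerate them.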
As 2013 comes to a close, security experts are looking back at the major stories and developments of the year, including the Edward Snowden NSA leaks and major malware attacks. In this video, Vitaly Kamluk of Kaspersky Lab examines the biggest security news of 2013 and talks about the lasting effects they may have.
If you’re still wondering when the future will get here, stop looking to the skies for flying cars and look down at your iPhone the next time you walk into an Apple store. The company has just kicked off a new in-store tracking initiative that uses Bluetooth to push offers and notifications to customers as they wander through the aisles looking at Beats headphones and One Direction phone cases.
Known as iBeacon, the system uses Bluetooth Low Energy (BLE) to push notifications to users in the store who are carrying iOS 7 devices with the Apple Store app installed. Users must allow the app to track them in order to receive the notifications, but once that option is enabled, a user might find herself receiving offers for a short-term discount on a particular product or an upgrade to a new iPhone.
The technology behind iBeacon is somewhat similar to near-field communications (NFC) in that it transmits information over short distances, but it has some significant differences, as well. The iBeacon system relies on a network of wireless transmitters installed in various environments–such as Apple stores or malls or ballparks–that can send customized offers and other information to devices that have specific apps installed. So, for example, a user who walks into Yankee Stadium with the MLB app installed–which is iBeacon-enabled–could get an interactive guide to the stadium or information on food and drink specials at various concession stands.
This is the kind of location- and context-aware advertising and tracking that privacy advocates have been concerned about for many years. The current generation of smartphones all come with GPS built in, which enables some kinds of tracking, but the iBeacon system is a separate animal. It can be used for many different functions, and users must allow their apps to track them for use cases like the Apple Store experience to work.
The iBeacon system and others like it could be expanded for use in a number of other environments, as well, such as public transportation systems, public buildings or other areas.
Microsoft’s crusade against botnets raged on yesterday as the Redmond, Wash., computer giant and a coalition of law enforcement agencies and Internet security companies disrupted the notorious ZeroAccess botnet.
ZeroAccess, or Sirefef as Microsoft likes to call it, is a malware platform that targets all major browsers and search engines. Its two primary functions are to hijack search results, redirecting users to malicious websites hosting information-stealing and other malware, and to commit click fraud. In the past, ZeroAccess has demonstrated a proclivity for Bitcoin mining as well.
Microsoft teamed up with Europol’s European Cybercrime Centre (EC3), the FBI, and the application networking and security firm A10 Networks to take down ZeroAccess, which has reportedly infected some two million machines and costs online advertising firms nearly $3 million per month.
Back in the good old days (2010), a botnet takedown was as simple as sinkholing the operation’s command and control server and ceasing its operations. At least in part because of this, many contemporary botnet handlers have moved to a peer-to-peer botnet architecture. This distributed botnet design means that the cybercriminals operating ZeroAccess could remotely control the botnet from tens of thousands of different infected machines. Thus, shutting ZeroAccess down required a cocktail of legal and technical measures.
Microsoft filed a lawsuit against the botnet’s operators, and a Texas district court granted the tech giant permission to block incoming and outgoing traffic to 18 IP addresses found to be involved in the scam. Microsoft was also able to wrest control of 49 domains associated with ZeroAccess.
“The coordinated action taken by our partners was instrumental in the disruption of ZeroAccess; these efforts will stop victims’ computers from being used for fraud and help us identify the computers that need to be cleaned of the infection,” said David Finn, executive director and associate general counsel of the Microsoft Digital Crimes Unit.
Meanwhile outside the U.S., Europol shut down 18 malicious IP addresses and worked in conjunction with Latvia, Luxembourg, Switzerland, the Netherlands and Germany to execute search warrants and seizures of computer servers associated with the fraudulent IP addresses.
“This operation marks an important step in coordinated actions that are initiated by private companies and, at the same time, enable law enforcement agencies around Europe to identify and investigate the criminal organizations and networks behind these dangerous botnets that use malicious software to gain illicit profits,” said Troels Oerting, head of the EC3.
Microsoft and its partners realistically note that their actions against ZeroAccess are unlikely to shut the botnet down altogether. However, the legal and technological measures taken, they believe, will significantly disrupt ZeroAccess, prevent victim machines from contributing to its illicit behavior, and likely cause the botnet’s operators to rebuild.
“If the hacker community has not yet taken notice, today’s disruption of the ZeroAccess botnet is another example of the power of public-private partnerships,” FBI Executive Assistant Director Richard McFeely said. “It demonstrates our commitment to expand coordination with companies like Microsoft and our foreign law enforcement partners — in this case, Europol — to shut down malicious cyberattacks and hold cybercriminals accountable for exploiting our citizens’ and businesses’ computers.”
Siemens has patched a serious remotely exploitable vulnerability in its SINAMICS S/G ICS software that could enable an attacker to take arbitrary actions on a vulnerable installation without having to authenticate.
The vulnerability affects all versions of the Siemens SINAMICS S/G products with firmware versions earlier than 4.6.11. ICS-CERT, a part of the Department of Homeland Security, said in an advisory that it is not aware of any public exploit attempts against this flaw, but that’s no reason to delay patching. An authentication bypass vulnerability for a product such as SINAMICS S/G, which is used to control the operations of drives in industrial facilities, could be a very useful tool for an attacker.
“Siemens has identified an authentication bypass vulnerability in the SINAMICS S/G product family. Siemens has produced a firmware update that mitigates this vulnerability and has tested the update to validate that it resolves the vulnerability. Exploitation of this vulnerability could allow an attacker to access administrative functions on the device without authentication,” the ICS-CERT advisory says.
“The affected product, SINAMICS S/G family, is used to control a variety of drives, especially in mechanical engineering and plant construction. In addition, SINAMICS S/G family interacts with motion controllers that are used to coordinate synchronous operations or complex technology functions.”
The vulnerability is considered quite easy to exploit, and Siemens said that organizations that are running vulnerable versions of the software should install the updated firmware, versions 4.6.11 and 4.7. The company also recommends that customers not provide public access to the SINAMICS interface over the network.
“As a general security measure Siemens strongly recommends to protect network access to the interface of SINAMICS S/G with appropriate mechanisms. It is advised to follow recommended security practices and to configure the environment according to operational guidelines in order to run the devices in a protected IT environment,” the Siemens advisory says.
Microsoft will, next week, patch a zero-day vulnerability in its GDI+ graphics component being exploited in targeted attacks in the Middle East and Asia.
The zero day has sat unpatched since it was made public Nov. 5; Microsoft did release a FixIt tool as a temporary mitigation. The patch is one of 11 bulletins Microsoft said today it will release as part of its December 2013 Patch Tuesday security updates; five of the bulletins will be rated critical.
Microsoft did confirm, however, that a zero day in the NDProxy driver that manages the Microsoft Telephony API on Windows XP systems will not be patched. That zero day is also being exploited in the wild alongside a PDF exploit of a patched Adobe Reader flaw.
The GDI+ vulnerability is found in several versions of Windows and Office and enables an attacker to gain remote-code execution, but only on Windows Vista, Windows Server 2008, and Office 2003 through 2010. The vulnerability exists in the way the GDI+ component handles TIFF images. Microsoft said an attacker would have to entice a victim to preview or open a malicious TIFF attachment or visit a website hosting the exploit image.
Tuesday’s critical patches address remote code execution vulnerabilities in a number of Microsoft products, including not only Windows and Office, but Lync, Internet Explorer and Exchange. Vulnerabilities in SharePoint, Lync, SignalR and ASP.NET are among those rated important by Microsoft; those are primarily privilege escalation issues, along with an information disclosure bug.
This will be the last scheduled release of security updates from Microsoft for the year. It looks like Tuesday’s updates will bring the 2013 count to 106 bulletins, up sharply from 83 last year, according to Qualys CTO Wolfgang Kandek. Microsoft had similar numbers of bulletins in 2011 (100) and 2010 (106).
“Regarding 0-days, Microsoft has consistently pointed out that the additional security toolkit EMET (Enhanced Mitigation Experience Toolkit) has been effective against all of the 0-day problems this year,” Kandek said. “We believe it is a proactive security measure that organizations should evaluate and consider as an additional layer in their defensive measures.”
The XP zero-day, meanwhile, will likely be left for the January 2014 Patch Tuesday updates. The vulnerability is a privilege escalation vulnerability and allows kernel access.
FireEye researchers said they found the exploit in the wild being used alongside a PDF-based exploit against a patched Adobe Reader vulnerability. Reader versions 9.5.4, 10.1.6, 11.0.02 and earlier on XP SP3 are affected; later versions are not, FireEye said, adding that this exploit gives a local user the ability to execute code in the kernel, such as installing new software, manipulating data, or creating new accounts. The exploit cannot be used remotely, the company said.
Microsoft recommended deleting the NDProxy.sys driver as a workaround; the mitigation, however, will impact TAPI operations.
“System administrators everywhere must have made Microsoft’s naughty list because this holiday ‘gift’ is clearly a lump of coal,” said Tyler Reguly, technical manager of security research and development at Tripwire. “Microsoft is wrapping up the 2013 patch season with anything that was laying around. Someone should tell Microsoft they forgot to include the kitchen sink.”
The pesky Dexter point-of-sale malware, discovered more than a year ago, remains active primarily in Russia, the Middle East and Southeast Asia, while its cousin Project Hook is finding similar success in the United States, prompting experts to sound an alarm as holiday commerce ramps up.
Researchers at Arbor Networks last month found two servers hosting the Windows-based malware, heralding newly active campaigns.
Dexter and Project Hook differ from more traditional point-of-sale attacks which rely on skimmers physically installed on endpoints, or phishing emails luring users on Windows machines hosting the PoS software. Instead, the malware is injected into files hosted on Windows servers before scraping credit card numbers as they’re entered via the PoS system.
Arbor Networks senior research analyst Curt Wilson said the two new Dexter servers were found in November; law enforcement as well as the Financial Services Information Sharing and Analysis Center (FS-ISAC) were informed. Wilson said during a two-week period when Arbor researchers were monitoring activity on the servers, they saw 533 infected endpoints call back to the command and control infrastructure.
“The way the attackers had the server set up, we saw credit card data posted to the site,” Wilson said. “The attackers were clearing the log files periodically, so there’s no telling how long these campaigns have been ongoing.”
Arbor identified three versions of Dexter: Stardust, which is likely the original version; Millenium; and Revelation. Revelation is likely the latest version, and it is capable of moving stolen data not only over HTTP, as previous versions did, but also over FTP, a first for PoS malware, Wilson said. Wilson added that Arbor researchers have not been able to determine how the initial infections are happening. The two command servers, he said, are no longer online.
Dexter was discovered more than a year ago and reported by researchers at Seculert, who reported at the time that campaigns were claiming victims at big retail operations, hotels and restaurants. At the time there were victims in 40 countries, most of those in the U.S. and the United Kingdom.
“Dexter is stealing the process list from the infected machine, while parsing memory dumps of specific POS software related processes, looking for Track 1 / Track 2 credit card data,” Seculert CTO Aviv Raff wrote in a blogpost last December. “This data will most likely be used by cybercriminals to clone credit cards that were used in the targeted POS system.”
Point-of-sale systems present hackers with a target-rich environment. The systems are often reachable online and are usually guarded with default or weak passwords that are child’s play for a brute force or dictionary attack. The last two Verizon Data Breach Investigations Reports have identified small retailers and hospitality providers as the primary victims in such opportunistic attacks because of limited security resources.
Wilson said some of the victimized machines were not dedicated PoS servers; one in particular was also hosting a physical security management system that ran access control and card reader software.
“The data being exfiltrated that we’ve seen suggests that the compromised machines are doubling up functions and running point of sale on a machine doing something else. PoS machines should be dedicated, locked down and have special policies applied to them,” Wilson said. “That’s a bad practice to pile so much on one system. An attacker with access to credit card data would also have access to anything else the management system has access to.”
Wilson said that the initial infections could be happening either via phishing emails luring victims to sites hosting Dexter or Project Hook, or the attackers are taking advantage of default credentials to access these systems remotely.
“With the holidays, there’s going to be more PoS activity and a higher volume of transactions. Now would be a good time to fortify security,” Wilson said. “The basics should cover this. There are IDS signatures written for this malware, and there are indicators of compromise floating around; basic antimalware should catch the process-injection techniques used here.”
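One of the indicators Wilson alludes to is the card data itself: Dexter posts scraped Track 1 / Track 2 records to its server in the clear, so a detector that recognises those formats in captured traffic or on disk will flag the exfiltration. The following is an added example written for this page, not Arbor's or Seculert's code. It matches the public ISO/IEC 7813 track layouts, validates the PAN with the Luhn checksum to cut false positives, and masks the PAN before reporting. The sample "exfil" buffer is constructed with the well-known 4111 test PAN and a deliberately corrupted one; the C2 hostname is a placeholder.

```python
"""Detector for magnetic-stripe Track 1 / Track 2 card data in captured traffic
or files. Added example: the track layouts are the public ISO/IEC 7813 formats;
the sample below is constructed (test PAN 4111..., placeholder C2 host)."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{13,19})\^([A-Z /.,'-]{2,26})\^(\d{4})(\d{3})(\d*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Constructed sample of a scraper's POST: one Track 1 record, one valid Track 2
# record, and one Track 2 record whose PAN fails the Luhn check.
SAMPLE_EXFIL = (
    "POST /gate.php HTTP/1.1\r\nHost: c2.invalid\r\n\r\n"
    "data=%B4111111111111111^DOE/JANE^25121011000000000?"
    ";4111111111111111=2512101?"
    ";4111111111111112=2601101?"
)


def luhn_ok(pan):
    """Luhn checksum: every real PAN passes, so most random digit runs are filtered out."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the BIN and last four only, so findings can be logged without re-exposing the card."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _record(track, pan, expiry, service_code):
    return {"track": track, "pan_masked": mask_pan(pan), "luhn_ok": luhn_ok(pan),
            "expiry": expiry, "service_code": service_code}


def find_track_data(blob):
    """Return track records found in `blob`, in order of appearance, with masked PANs."""
    hits = []
    for m in TRACK1.finditer(blob):
        hits.append((m.start(), _record(1, m.group(1), m.group(3), m.group(4))))
    for m in TRACK2.finditer(blob):
        hits.append((m.start(), _record(2, m.group(1), m.group(2), m.group(3))))
    hits.sort(key=lambda h: h[0])
    return [rec for _, rec in hits]


if __name__ == "__main__":
    for rec in find_track_data(SAMPLE_EXFIL):
        print(rec)
```

Records with `luhn_ok` false are worth keeping as low-confidence hits rather than dropping: a scraper that grabs partially overwritten memory will produce exactly that kind of near-miss alongside the real data.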
Meanwhile, Ars Technica reported today the discovery of the first botnet targeting point-of-sale systems. A Los Angeles security company called IntelCrawler found the botnet which had infected close to 150 Subway sandwich shops stealing 146,000 credit card numbers.
An attack on the computer networks of banking giant JP Morgan Chase & Co. may have exposed sensitive information belonging to 465,000 prepaid cash-card holders, according to a Reuters report.
JP Morgan said the attack targeted Web servers handling its UCard program in mid-September and that the company has since remedied the underlying flaws that led to the breach and contacted law enforcement. The bank admitted to Reuters that attackers pilfered “a small amount” of data, but that they believe no user Social Security numbers, dates of birth, or email addresses were taken.
Troublingly, the Reuters report indicates that the information potentially exposed was not encrypted at the time of the attack, though JP Morgan claims it generally does encrypt its customers’ personal information.
Company spokesperson Michael Fusco told Reuters that JP Morgan spent the months following the attack determining which customers may have been affected and which data may have been compromised. The company is contacting those customers. He reportedly declined to disclose any technical details of the attack.
The breach reportedly affected some two percent of JP Morgan’s 25 million UCard holders, according to Fusco. Corporations apparently buy UCards from JP Morgan and issue them as payments to their employees while government agencies use them to issue tax refunds and to pay unemployment and other benefits.
As is standard operating procedure at this point, the bank is offering three years of credit monitoring services to those affected.
In response to the growing set of revelations about the NSA’s surveillance methods and alleged compromise of some large technology vendors’ services, Microsoft is taking a number of steps to try and reassure customers about the integrity of the company’s offerings and to greatly expand the use of encryption across its services.
Microsoft said that in the next few months it will be improving and expanding its use of encryption, specifically in its cloud services such as Azure, Outlook.com and Office 365. The company recently announced that it would be improving the encryption services on Office 365, but this new initiative goes well beyond that effort. Microsoft will be implementing Perfect Forward Secrecy on its cloud service and also will be moving to 2048-bit keys. This applies to data in transit between customers and Microsoft’s servers, but it also will be applied to information moving among the company’s data centers.
Microsoft said that these new security measures will be in place by the end of 2014, and some of them are in effect right now. The company also will be encrypting customer data at rest in its data centers.
“Although this is a significant engineering effort given the large number of services we offer and the hundreds of millions of customers we serve, we’re committed to moving quickly. In fact, many of our services already benefit from strong encryption in all or part of the lifecycle. For example, Office 365 and Outlook.com customer content is already encrypted when traveling between customers and Microsoft, and most Office 365 workloads as well as Windows Azure storage are now encrypted in transit between our data centers. In other areas we’re accelerating plans to provide encryption,” Brad Smith, general counsel and executive vice president for legal and corporate affairs at Microsoft said.
Microsoft officials, like their counterparts at Google, Yahoo, Apple and other tech giants, have spent much of the last six months dealing with a number of allegations in media reports of the Edward Snowden NSA leaks. The most damaging reports have alleged that these companies have provided direct access to their servers for the NSA, something all of them have denied. Recent revelations have shown that the agency is actually tapping into undersea fiber cables that move generally unencrypted data between data centers around the world. This revelation has angered engineers at Google and led the company to accelerate some of its existing plans to encrypt those data links.
While Microsoft’s moves to encrypt more customer data will provide better protection for customers, there is more that the company could be doing to give basic security to its millions of users, said Chris Soghoian, principal technologist at the American Civil Liberties Union. Soghoian has been urging Microsoft and other companies to turn on SSL by default on their Web properties for years and said that there are a number of outstanding issues Microsoft needs to resolve to make these moves more significant.
“Bing still doesn’t offer SSL as an option. So will they finally change that? One of the things they said in this announcement is that they’ll be using best-in-class encryption, but that means more than just an algorithm. It means things like HSTS [HTTP Strict Transport Security] and certificate pinning,” he said. “Is Microsoft going to use certificate pinning in Internet Explorer?”
Certificate pinning allows browsers to define which certificate is associated with a specific Web property, as a defense against man-in-the-middle attacks that employ spoofed certificates. HSTS is a header that tells users’ clients that a given Web server only wants to accept secure connections.
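The two mechanisms Soghoian names, as an added example that is not part of the original article: the HSTS header parser follows the RFC 6797 grammar (a missing `max-age` or a repeated directive invalidates the whole header), the cache lookup applies `includeSubDomains` the way a browser does, and the pin check uses the SPKI pin format (base64 of SHA-256 over the DER SubjectPublicKeyInfo) that HPKP and browser-built-in pin lists use. The SPKI byte strings are constructed placeholders, not real keys.

```python
"""HSTS policy handling and SPKI certificate pinning. Added example: header
grammar per RFC 6797; pin format base64(SHA-256(DER SubjectPublicKeyInfo)).
SPKI values used below are constructed placeholders, not real keys."""
import base64
import hashlib


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.
    Returns {"max_age", "include_subdomains", "preload"} or None when the header
    is invalid and must be ignored (no max-age, a repeated directive, a non-numeric max-age)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in header.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # values may be quoted
        if name in seen:                     # RFC 6797: a repeated directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, per the RFC
    if policy["max_age"] is None:
        return None
    return policy


def hsts_applies(host, cache):
    """Does a cached HSTS policy force https for `host`?
    `cache` maps a hostname to a policy from parse_hsts. A policy stored on a
    parent domain covers `host` only when includeSubDomains was set on it."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        policy = cache.get(".".join(labels[i:]))
        if policy is None or policy["max_age"] == 0:   # max-age=0 means "forget this host"
            continue
        if i == 0 or policy["include_subdomains"]:
            return True
    return False


def spki_pin(spki_der):
    """Pin value for one certificate: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_spkis, pinned):
    """A served chain passes when any certificate in it (leaf, intermediate or root)
    matches one of the pins. A chain from a different CA, however well-formed and
    trusted by the root store, matches none of them, which is the MITM defence."""
    return any(spki_pin(spki) in pinned for spki in chain_spkis)


if __name__ == "__main__":
    cache = {"example.com": parse_hsts("max-age=31536000; includeSubDomains")}
    print("www.example.com forced to https:", hsts_applies("www.example.com", cache))
    pins = {spki_pin(b"constructed SPKI of example.com's intermediate")}
    print("spoofed chain accepted:", chain_matches_pins([b"spoofed leaf", b"other CA"], pins))
```

Pinning an intermediate rather than the leaf (as `chain_matches_pins` allows) is what lets a site rotate its leaf key without shipping new pins, which is why operators usually pin one CA key plus a backup.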
In addition to the encryption changes, Microsoft also said it will be reinforcing the legal authorities that it uses to protect customer data that the company stores. The company notifies corporate and government customers when it receives a request for a customer’s data, and Smith said Microsoft will continue to do this in the future.
“Except in the most limited circumstances, we believe that government agencies can go directly to business customers or government customers for information or data about one of their employees – just as they did before these customers moved to the cloud – without undermining their investigation or national security. And when those limited circumstances arise, courts should have the opportunity to review the question and issue a decision,” Smith said.
But, Soghoian questioned why these same protections aren’t being extended to individual consumers whose data the government may seek.
“What about their regular customers? Forcing a gag order forces the government to go before a judge on something that they wouldn’t have to otherwise,” he said. “It’s really helpful to force the issue before an independent third party.”
Smith said Microsoft also plans to open so-called transparency centers in several locations around the world to enable government customers to inspect Microsoft’s source code for backdoors. The company has been allowing limited access to its source code for several years now, but will be expanding that in the near future.
“We’re therefore taking additional steps to increase transparency by building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors. We will open a network of transparency centers that will provide these customers with even greater ability to assure themselves of the integrity of Microsoft’s products,” Smith said.