Like most major Web and software companies, Facebook receives a lot of bug reports. And since the company started its bug bounty program, security researchers have become even more interested in looking for vulnerabilities in the Facebook ecosystem. But, as one researcher learned recently, not all bugs are created equal, and Facebook doesn’t like people messing with its users–or its executives.
That researcher, Khalil Shreateh, discovered a bug in the Facebook platform that enabled him–or any other user–to post comments on the walls of other users who aren’t their friends. That shouldn’t be possible under normal circumstances, so Shreateh reported the problem to Facebook through its bug bounty program, hoping to earn a reward from the company. Instead, the company told him that the issue wasn’t a vulnerability. So Shreateh went a step further and demonstrated the technique by posting a message to the wall of Facebook founder Mark Zuckerberg.
That got Facebook’s attention. But it didn’t get him a reward. Instead, Facebook temporarily disabled his account and told him he had violated the company’s terms of service, so he wasn’t eligible for a bug bounty. As it turns out, Shreateh is going to get a lot more than the $500 or so he would’ve gotten from Facebook.
On Aug. 19, after details of the incident became public, Marc Maiffret, a well-known security researcher and CTO of BeyondTrust, started a crowdfunding campaign to get Shreateh a reward for his work. As of Aug. 23, that campaign has raised more than $12,000 and Maiffret is in the process of transferring the funds to the researcher.
“I hope this has raised awareness of the importance of independent researchers. I equally hope it has reminded other researchers that while working with technology companies can sometimes be frustrating, we can never forget the greater goal; to help the Internet community at large, just as that community has helped donate over ten thousand dollars to Khalil within a day,” Maiffret said in a statement on the fund-raising site.
The episode with Facebook and Shreateh isn’t the first time that a researcher and a company have been at odds over the value of a bug and whether it qualifies for a reward. In May, PayPal officials butted heads with a teenage German security researcher who reported a cross-site scripting flaw to the company. PayPal acknowledged the flaw, but refused to pay a reward to 17-year-old Robert Kugler, saying that he was too young to qualify, because participants are required to have a valid PayPal account, and the minimum age for that is 18. PayPal officials also told Kugler that another researcher had reported the same bug before Kugler did.
Image from Flickr photos of epsos.de.
VMware has fixed a privilege-escalation flaw in two of its major products that could allow a local attacker to gain root privileges on a vulnerable machine. The bug affects VMware Workstation and Player on certain Linux platforms.
The vulnerability, which VMware patched on Thursday, does not enable an attacker to jump from the host operating system to the guest OS or vice versa, which mitigates some of the seriousness of the bug. VMware said that the problem affects its products running on Debian-based systems.
“VMware Workstation and Player contain a vulnerability in the handling of the vmware-mount command. A local malicious user may exploit this vulnerability to escalate their privileges to root on the host OS. The issue is present when Workstation or Player are installed on a Debian-based version of Linux,” the VMware advisory says.
“The vulnerability does not allow for privilege escalation from the Guest Operating System to the host or vice-versa. This means that host memory can not be manipulated from the Guest Operating System.”
The vulnerability affects VMware Workstation 9.x and 8.x and also Player 5.x and 4.x. VMware said that customers can also work around the vulnerability by removing the setuid bit from vmware-mount.
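The workaround VMware describes, as an added example (not VMware's code): a small routine that checks whether a binary carries the setuid bit, clears only that bit, and verifies the result. The article does not give the install location of vmware-mount, so the path is passed in by the caller; the `self_check` helper exercises the logic on a throwaway file it creates itself.

```python
"""Added example (not VMware's code): check a binary for the setuid bit and
clear it, which is the workaround the advisory describes for vmware-mount.
The caller supplies the path; no install location is assumed here."""
import os
import stat
import sys
import tempfile


def has_setuid(path):
    """True when the file's mode includes the setuid bit (S_ISUID, 04000)."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def drop_setuid(path):
    """Clear only the setuid bit, leaving every other permission bit intact.
    Must run as root or as the file's owner; returns the resulting mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~stat.S_ISUID)
    return stat.S_IMODE(os.stat(path).st_mode)


def apply_workaround(path):
    """Apply the workaround and verify it took effect.
    Returns 'not-set', 'removed' or 'failed'."""
    if not has_setuid(path):
        return "not-set"
    drop_setuid(path)
    return "failed" if has_setuid(path) else "removed"


def self_check():
    """Exercise the workaround on a constructed throwaway file (not a real
    binary). Returns (setuid before, outcome, setuid after)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o4755)          # give the scratch file the setuid bit
        before = has_setuid(path)
        outcome = apply_workaround(path)
        return before, outcome, has_setuid(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # usage: python audit_setuid.py <path-to-vmware-mount>   (placeholder path)
    targets = sys.argv[1:]
    if not targets:
        print("self-check on a scratch file:", self_check())
    for target in targets:
        print("%s: setuid %s" % (target, apply_workaround(target)))
```

Run it against the installed vmware-mount binary as root; a result of `failed` means the process lacked permission to change the file's mode.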
Image from Flickr photos of Ferran Rodenas.
In the wake of a parade of problems with certificate authorities and attackers using stolen digital certificates, both Google and Mozilla are poised to enforce new rules in their browsers for how long end-entity certificates should be trusted.
The changes will begin taking effect at the beginning of 2014, at least in Google Chrome, and will result in the browser no longer trusting any certificate that’s more than 60 months old. Mozilla also is considering a similar move for its Firefox browser. The change is the result of the adoption of the CA/Browser Forum Baseline Requirements, a document that lays out a long list of requirements for the operation of a certificate authority and issuance of certificates. The requirements specify that CAs should not issue any certificates with a validity period longer than five years.
In a message Aug. 19 on the CA/B Forum mailing list, a Google employee said that the company is planning to comply with this rule in Chrome and Chrome OS beginning in 2014 with Developer and Beta channel builds, eventually moving to the Stable channel sometime during the first quarter.
“These checks, which will be landed into the Chromium repository in the beginning of 2014, will reject as invalid any and all certificates that have been issued after the Baseline Requirements Effective Date of 2012-07-1 and which have a validity period exceeding the specified maximum of 60 months. Per the Chromium release cycle, these changes can be expected to be seen in a Chrome Stable release within 1Q 2014, after first appearing in Dev and Beta releases,” Ryan Sleevi of Google said in the message.
“Our view is that such certificates are non-compliant with the Baseline Requirements. Chrome and Chromium will no longer be considering such certificates as valid for the many reasons that have been discussed previously on this list.”
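The rule quoted above reduces to two dates and a month count. As an added worked check (example code, neither Chromium's implementation nor anything from the mailing-list post), the routine below parses the ASN.1 UTCTime/GeneralizedTime strings found in a certificate's validity field, advances the issuance date by 60 calendar months, and reports whether a browser applying the rule would reject the certificate. The function names are this example's own, the sample validity periods are constructed, and treating a certificate issued on the effective date itself as covered is an assumption.

```python
"""Added example (not Chromium's code): apply the Baseline Requirements
validity rule the article describes, i.e. certificates issued on or after
2012-07-01 must not be valid for more than 60 months."""
import calendar
from datetime import datetime

BR_EFFECTIVE_DATE = datetime(2012, 7, 1)
MAX_VALIDITY_MONTHS = 60


def parse_x509_time(value):
    """Parse an X.509 validity time: UTCTime 'YYMMDDHHMMSSZ' (two-digit
    year, RFC 5280 pivot at 50) or GeneralizedTime 'YYYYMMDDHHMMSSZ'."""
    if not value.endswith("Z"):
        raise ValueError("X.509 validity times must be in UTC ('Z')")
    digits = value[:-1]
    if len(digits) == 12:
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError("unrecognised time encoding: %r" % value)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second)


def add_months(dt, months):
    """Advance dt by whole calendar months, clamping the day to the end of
    the target month (2012-02-29 + 60 months -> 2017-02-28)."""
    total = dt.month - 1 + months
    year, month = dt.year + total // 12, total % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def validity_exceeds_maximum(not_before, not_after, max_months=MAX_VALIDITY_MONTHS):
    """True when notAfter lies beyond notBefore + max_months."""
    return not_after > add_months(not_before, max_months)


def rejected_under_br(not_before, not_after):
    """True when the article's rule would refuse the certificate: issued on or
    after the effective date (boundary treatment is an assumption) and valid
    for more than the maximum."""
    return not_before >= BR_EFFECTIVE_DATE and validity_exceeds_maximum(not_before, not_after)


def check_validity_strings(not_before_str, not_after_str):
    """Same check, taking the raw time strings from a certificate."""
    return rejected_under_br(parse_x509_time(not_before_str), parse_x509_time(not_after_str))


if __name__ == "__main__":
    # Constructed sample validity periods, not real certificates.
    samples = [
        ("five-year cert issued 2013", "130115000000Z", "180115000000Z"),
        ("five years and one day", "130115000000Z", "180116000000Z"),
        ("ten-year cert issued before the effective date", "110601000000Z", "210601000000Z"),
    ]
    for label, nb, na in samples:
        print(label, "-> rejected" if check_validity_strings(nb, na) else "-> accepted")
```

The third sample shows the grandfathering built into the rule as quoted: a long-lived certificate issued before the effective date is left alone, so the change only bites on certificates issued once the Baseline Requirements were in force.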
Mozilla developers also have begun the process of making the same change to Firefox, filing an entry in the project’s Bugzilla bug tracker.
Certificate authorities have had a rough go of it for the last couple of years, beginning with the attacks on Comodo and DigiNotar and following with the use of stolen digital certificates in a number of pieces of malware recently. One of the results of the attacks on CAs is that the browser vendors end up being the ones who have to clean up the mess, removing trust for compromised certificates and helping to make sure users aren’t harmed by attackers using the bad certificates. The new restriction on the validity period of certificates won’t solve those problems, but it is a move to help limit the practice of continuously reissuing certificates once they’ve been approved.
Cisco has again pushed out an update for its Unified Communications Manager product, fixing several vulnerabilities that, if left unpatched, could lead to a denial-of-service attack or allow attackers to modify data or execute arbitrary commands, among other problems.
The problems exist in versions 7.1, 8.5, 8.6, 9.0 and 9.1 of the company’s popular VoIP processing system and there are no workarounds, according to an advisory from Cisco.
The company’s Product Security Incident Response Team (PSIRT) adds that it isn’t aware that any of the vulnerabilities are being maliciously exploited.
The DoS vulnerability is present on all of the versions listed above. On 7.1 all an attacker would have to do is send a malformed registration message to the device to trigger the vulnerability. On the other versions an attacker could rapidly send UDP packets to ports on the device and trigger the vulnerability due to an insufficient rate limiting of traffic on the device’s Session Initiation Protocol (SIP) port.
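The second trigger described above, a source rapidly sending UDP packets at the SIP port, is a pattern a defender can look for in flow or packet logs while the patch is rolled out. The detector below is an added example (not Cisco's code or anything from the advisory): it computes, per source, the peak number of UDP packets to the SIP port inside a sliding one-second window and flags sources above a threshold. The packet records are constructed for the example, and the port, window and threshold are assumptions to be tuned to the environment.

```python
"""Added example (not Cisco's): flag sources that send UDP to a device's SIP
port faster than a chosen rate, the traffic pattern the advisory describes."""
from collections import defaultdict

SIP_PORT = 5060          # standard SIP port (assumption: the device listens here)
THRESHOLD = 100          # packets per window that count as a flood (assumption)
WINDOW_SECONDS = 1.0


def build_sample_packets():
    """Constructed packet records: (timestamp_seconds, src_ip, proto, dst_port)."""
    pkts = []
    # one source blasting 150 UDP datagrams at the SIP port within ~0.75 s
    pkts += [(i * 0.005, "10.0.0.5", "udp", SIP_PORT) for i in range(150)]
    # a phone registering twice a second for 10 s, i.e. normal traffic
    pkts += [(i * 0.5, "10.0.0.9", "udp", SIP_PORT) for i in range(20)]
    # TCP to the SIP port and UDP to another port must not be counted
    pkts += [(i * 0.005, "10.0.0.7", "tcp", SIP_PORT) for i in range(200)]
    pkts += [(i * 0.001, "10.0.0.8", "udp", 53) for i in range(500)]
    return pkts


def peak_rate_per_source(packets, port=SIP_PORT, window=WINDOW_SECONDS):
    """For every source sending UDP to `port`, the highest number of packets
    seen in any sliding window of `window` seconds (two-pointer scan)."""
    times = defaultdict(list)
    for ts, src, proto, dport in packets:
        if proto == "udp" and dport == port:
            times[src].append(ts)
    peaks = {}
    for src, ts_list in times.items():
        ts_list.sort()
        best, j = 0, 0
        for i in range(len(ts_list)):
            # advance the window end while it still fits within `window` of ts_list[i]
            while j < len(ts_list) and ts_list[j] - ts_list[i] <= window:
                j += 1
            best = max(best, j - i)
        peaks[src] = best
    return peaks


def find_udp_floods(packets, port=SIP_PORT, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sources whose peak rate to the port exceeds the threshold, with that rate."""
    return {src: peak for src, peak in peak_rate_per_source(packets, port, window).items()
            if peak > threshold}


if __name__ == "__main__":
    for src, peak in sorted(find_udp_floods(build_sample_packets()).items()):
        print("possible SIP UDP flood from %s: %d packets in %.1f s" % (src, peak, WINDOW_SECONDS))
```

Because the check is per source, a distributed flood from many low-rate senders would slip under it; an aggregate counter on the port is the natural companion check.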
All of the versions also have a buffer overflow vulnerability stemming from insufficient bounds checking. An authenticated, remote attacker could exploit it by overwriting a memory buffer on a device, which could let them corrupt data, disrupt services and run arbitrary commands.
Patches are available for all three major versions (7, 8 and 9) of the software, although 8.5 users are explicitly being asked to upgrade to 8.6 to ensure they fix all the issues.
While these are the first vulnerabilities identified in UCM since May, Cisco has had a busy summer patching up flaws in its other products. The company pushed fixes for a variety of networking products in June and earlier this month fixed a remotely exploitable bug in its Telepresence system.
Newly declassified documents released in response to a Freedom of Information Act request by the EFF show that the secret Foreign Intelligence Surveillance Court in 2011 declared that the National Security Agency’s techniques for collecting upstream Internet communications were unconstitutional and illegal. The court opinion provides a unique insight into the kind of techniques that the NSA uses to conduct its surveillance and the court’s views of the agency’s increasingly aggressive collection of data, including domestic communications.
The opinion of the FISC, handed down in October 2011, shows that the court was concerned about the way that the NSA was attempting to minimize the chances of collecting wholly domestic communications, as well as the agency’s mounting number of misrepresentations about the scope of its collection efforts. In the opinion, which was released Wednesday and is heavily redacted in some sections, FISC judge John D. Bates says that the NSA’s efforts to minimize the collection of domestic communications were deficient and violated the Fourth Amendment.
“NSA’s minimization procedures, as the government proposes to apply them to MCTs as to which the ‘active user’ is not known to be a tasked selector, do not meet the requirements of 50 USC § 1881 a(e) with respect to retention and; NSA’s targeting and minimization procedures, as the government proposes to apply them to MCTs as to which the ‘active user’ is not known to be a tasked selector are inconsistent with the requirements of the Fourth Amendment,” the order says in part.
The MCTs referenced in the order are “multi-communication transactions”, a vague term that refers to the collection of things such as the contents of a person’s webmail inbox in the form of a screenshot, which shows the timestamps, senders and other data for the emails. In a conference call with reporters on Wednesday, an unnamed government attorney said that the MCTs present specific problems for the NSA when it comes to separating domestic and foreign communications.
“Those are all transmitted across the Internet as one communication, even though there are 15 separate emails mentioned in them. And for technological reasons, NSA was not capable of breaking those down into their — and still is not capable — of breaking those down into their individual components,” the attorney explained, according to a partial transcript from the EFF.
The FISC opinion and order cover a large number of different elements that the government is trying to get the court to either approve or renew. In most of the cases, the court approved the government’s petitions, finding that the government’s techniques meet the constitutional requirements. The thing that sticks out, though, is the court’s tone of alarm about the NSA’s increasing number of problems properly representing the scope of its collection efforts. In a footnote in the opinion, Bates says that the NSA has had three separate misrepresentations in less than three years up to that point in 2011.
“The Court is troubled that the government’s revelation regarding NSA’s acquisition of Internet transactions mark the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program,” the footnote says.
The EFF, which filed the FOIA request to declassify the opinion and order, said that the release of the opinion is a milestone.
“Release of the opinion today is just one step in advancing a public debate on the scope and legality of the NSA’s domestic surveillance programs. EFF will keep fighting until the NSA’s domestic surveillance program is reined in, federal surveillance laws are amended to prevent these kinds of abuse from happening in the future, and government officials are held accountable for their actions,” Mark Rumold of the EFF said in a blog post.
Image from Flickr photos of Abir Anwar.
The Food and Drug Administration (FDA) has issued a series of guidelines regarding the regulation of radio frequency (RF) technology in medical devices, moves that if put into practice, could eventually help shore up the increasingly vulnerable medical device security model.
In a 24-page document (.PDF) issued last Tuesday, the agency laid out potential plans for devices that can be implanted in or worn on the body for use in hospitals, homes, clinics, laboratories and blood establishments.
The document encourages manufacturers to consider which parts of their devices use wireless technology and to assess the risk associated with RF wireless technology before it’s implemented in their devices.
As expected, the document advocates the protection of wireless data transmission when it comes to medical devices, hoping to deter data corruption and interference from rogue transmitters. When these data streams are disrupted there should be a default, secure, backup mode of communication.
“The correct, timely, and secure transmission of medical data and information is important for the safe and effective use of both wired and wireless medical devices and device systems,” the report claimed.
When it comes to layers of security, the FDA encourages manufacturers to “include protocols that maintain the security of the communications while avoiding known shortcomings of existing older protocols,” and to use the latest “up-to-date wireless encryption.”
Much like a similar set of guidelines the FDA issued on medical devices earlier this summer, the agency considers its document a set of general recommendations that will get device manufacturers heading down the right path when it comes to securing their products.
Those warnings, released in June, more so addressed the security of defibrillators, insulin pumps and pacemakers, devices that have all made their way into headlines as of late after being found to be vulnerable to attacks.
While medical device security has been a burgeoning field over the last few years, the industry lost one of its biggest innovators last month after Barnaby Jack, a researcher who developed a way to send remote commands to pacemakers and tweak certain kinds of insulin pumps, died shortly before the Black Hat security conference where he was to present new research on security bugs in implantable devices.
The latest document from the FDA is surely a step in the right direction, but as the agency acknowledges in the paper, there are a number of hoops to jump through. Other agencies, including the FCC, which is in charge of overseeing the basic tenets of wireless technology, would also have to sign off on any security regulations, not to mention the hurdles stemming from any potential safety issues.
Software vendors often give intentionally vague and boring names to the updates they use to fix security vulnerabilities. The lamer the name, the less attention it may attract from attackers looking to reverse-engineer the patch. There was one patch in Microsoft’s August Patch Tuesday release earlier this month that fit that bill, MS13-059, Cumulative Security Update for Internet Explorer. But hidden inside the big fix was a patch for a vulnerability that enabled a one-click escape of the IE sandbox.
The vulnerability was discovered by researcher Fermin J. Serna, a former Microsoft security engineer, and it takes advantage of the way that IE handles some command line options in certain conditions. Serna found that the ElevationPolicy in IE will treat the Microsoft Diagnostic Tool (msdt.exe) as a medium-integrity process if the user requests it to do so. In IE, Protected Mode is the sandbox that is designed to prevent attackers from being able to use one bug in a low-level process to compromise the machine.
“Funny thing is that CreateProcess() has a hook inside the LowIL IE process and if you try to CreateProcess(“msdt.exe”) it will get brokered to the IE Medium IL one and applied the Elevation policy there. Some sanitization happens to most of the parameters for security reasons (do not create a Medium IL process where the process token is too unrestricted),” Serna wrote in a blog post explaining the bug.
“The vulnerability here is that msdt.exe (that due to its elevation policy will run as medium IL outside of any sandbox) has some interesting command line options. Concretely this one: /path .diagpkg file | .diagcfg file —-
Specifies the full path to a diagnostic package. If you specify a directory, the directory must contain a diagnostic package. You cannot use the /path parameter in conjunction with the /id, /dci, or /cab parameter.”
Serna said that using the vulnerability, he could cause the msdt.exe process to display some strings that he controls to the user. If the user clicks the continue button on the dialog box, his code will run and he’s escaped the sandbox in the browser. He said that executing the attack would be trivial under the right conditions.
“Assuming you have code execution at the sandboxed process through some other bug (let’s say the common use after free problem all browsers suffer) then it is not easy but trivial. This sandbox escape vulnerability is not a memory corruption that can fail but a logical one that does not fail. The only requirement is the attacked user has to click a “continue” button on a dialog with attacker controlled messages. This is the reason for a one click versus a full 0 click where the user does not see anything,” Serna said via email.
Image from Flickr photos of NetDiva.
It has been a rough few months for the National Security Agency, and specifically for its director, Gen. Keith Alexander. The leaks of details of NSA surveillance programs by former contractor Edward Snowden have taken over the news cycle this summer and put the agency’s business out in the open. Then, when Alexander spoke at Black Hat last month, he was heckled and booed as he defended the NSA’s programs. Now, there’s a petition, on the White House’s own Web site, to have Alexander removed from his position.
The petition is on the We the People section of the White House site, which allows citizens to create petitions to address a specific issue. If a petition receives enough support, it will be reviewed by the White House. The petition to remove Alexander was posted Aug. 20 and seeks to have him removed from his position as director of the NSA because the agency “has lost its way under his leadership”. Citing the recent stories in the Washington Post about the agency’s alleged collection of data on Americans, the petition is seeking 100,000 signatures.
“As the Washington Post reports, General Alexander’s NSA is an agency which flagrantly disregards privacy rules and oversteps its legal authority on a regular basis,” the petition says.
“Historically, directors of the agency have been replaced on average every 4 years. Alexander has held his post for an unprecedented 8 years. We believe this has contributed to the lack of objectivity and custodial oversight. The agency has lost its way under his leadership, and it is time for a change.”
Alexander has been under fire from all directions in recent months as the leaks from Snowden have mounted and questions about the NSA’s surveillance programs have followed. In June, Alexander was called before the Senate Appropriations Committee to face tough questions about his agency’s activities and whether they were illegal or unconstitutional.
“I do think what we’re doing does protect Americans’ civil liberties and privacy,” Alexander said during the hearing. “To date, we have not been able to explain it because it’s been classified. How can we explain it and still keep the nation secure? That’s the issue in front of us.”
In addition to running the NSA, Alexander also is in charge of the U.S. Cyber Command, the military unit tasked with defensive and offensive security operations.
The Poison Ivy remote access Trojan may be old, but it’s not losing favor with nation states that continue to make it the centerpiece of targeted attacks.
Three groups of hackers, reportedly all with ties to China and possibly related in terms of their funding and training, are currently managing campaigns using the RAT to steal data from organizations and monitor individuals’ activities.
Researchers at FireEye said the three campaigns target different industries yet share some of the same builder tools, employ passwords written in the same semantic pattern, and use phishing emails in their campaigns that are written in English using a Chinese language keyboard.
So much for the notion of targeted, persistent attacks requiring zero-day malware.
“There is a noticeable infrastructure built around using this tool; it’s clear they’ve trained a number of people to use and operate it,” said Darien Kindlund, manager of threat intelligence at FireEye. “It’s effective and there’s no need to change their tactics, which is why they’re still using it.”
Kindlund said, however, that enterprise security managers and operations teams can become complacent when it comes to Poison Ivy, dismissing it as a crimeware tool and missing its potential to still infect many machines as it moves laterally looking for more vulnerable machines or data it targets.
“What’s easy for these threat actors is they’re using easy-to-use tools that are point-and-click and it becomes easy to blend in with crimeware groups, easy to blend into the noise and discount their presence when a defender identifies a Poison Ivy infection,” Kindlund said. “They might remediate a single infected machine rather than think it’s one of 50 compromises and a large-scale infection. That gives the adversary more time to change tactics and move laterally to other systems, making it harder to detect.”
Another reason Poison Ivy still finds favor with attackers is that, unlike Gh0stRAT or Dark Comet, it’s difficult to detect when Poison Ivy beacons out to its command and control infrastructure in order to receive more instructions.
“Compared to Gh0stRAT, which uses zlib compression to obfuscate communication out, if a network operator sees that traffic beaconing out, it’s easy to decode that traffic to figure out what walked out the door,” Kindlund said. “Poison Ivy uses Camellia encryption, which makes it more difficult to figure out what walked out the door.”
The three current campaigns follow familiar patterns. The first, named admin@338 for the password used by the attacker, targets international financial firms that specialize in the analysis of global or country-specific economic policies. It uses malicious email attachments to infect endpoints with Poison Ivy, which then downloads additional malware to steal intelligence, either to monetize insider information with a market play or for geopolitical reasons, Kindlund said.
The second campaign, named th3bug for its password, spiked last year, FireEye said. It focuses on higher education and on international health care and high-tech firms, aiming to steal intellectual property or research that a university team has not yet published. Most of these are watering hole attacks, in which a regional website frequented by the targets is compromised and injected exploit code redirects visitors to Poison Ivy.
The third attack, dubbed menuPass, has been the most active of the three and dates back to 2009, spiking last year. It targets the defense industry and international government agencies trying to steal military intelligence. Spear phishing campaigns include attachments infected with Poison Ivy that are meant to look like a purchase order or price quote that would be fairly specific to the victim, Kindlund said.
“They’ve done their homework and looked at the trust relationships of the target—who does this defense contractor do business with—and spoof an email from that partner and send an email through that channel,” Kindlund said. “These three groups have ties back to China; they all use a separate command and control infrastructure, but all three have a backend presence in that country.”
Meanwhile, the company is releasing a free tool based on the open source ChopShop kit developed by MITRE Corp. The module is Poison Ivy specific, similar to other modules built for Gh0stRAT, and will allow a security or network operations person to decode Poison Ivy traffic.
Poison Ivy image via uwdigitalcollections’ Flickr photostream, Creative Commons.
Spammy websites distributing adware as Java or other kinds of software updates are nothing new, but researchers have recently noticed two such sites pushing that malware to users from Google’s App Engine.
Both sites were started just over a week ago and make use of the appspot.com address, a domain Google runs to help its users develop and deploy applications, according to Jason Ding, a research scientist at Barracuda Labs.
In a post on the company’s research blog, Ding describes the two sites, java-update[.]appspot[.]com and updateplayer[.]appspot[.]com. The first models itself after a free Java download site and, as Ding notes, looks remarkably similar to Oracle’s official Java site. Links on that site eventually trigger a download of “setup.exe,” which tries to install and drop Solimba adware onto the machine.
The second site also drops what appears to be Solimba on infected machines, except that instead of trying to trick users into downloading Java, it tries to convince them that their media player needs to be updated. Once duped, the user downloads the same “setup.exe.”
According to Barracuda, both sites, which are still online, send users through a series of redirects via several private websites – hs1dmr.com, hs4dmr.com and down324.com – that were registered with GoDaddy in June and July, before the adware is downloaded. Whoever set up those sites is fronting them with Google’s App Engine to hide their suspicious-sounding URLs.
Adware, the bloated software that thrives on plaguing its users with ads, continues to be a problem in darker corners of the Internet.
Solimba was famously last seen in 2012 zipped with malware that promised users it would install the then-new Windows 8 onto machines via a browser window. The adware is usually bundled on top of malware and in some cases – like this one and the Windows 8 scam – passed off as a fake media player or Java update.
There are 25 fresh security patches in the newest version of Google Chrome, including fixes for a number of high-severity vulnerabilities. Chrome 29 also includes a number of performance enhancements.
Google regularly pushes out new versions of its browser every few weeks, and sometimes will only have a handful of security fixes. Chrome 29 is the exception to this, providing a huge number of vulnerability fixes. Three of the fixes in Chrome 29 are for use-after-free vulnerabilities, each of which earned the finder a $1,000 bug bounty.
The list of bugs fixed in Chrome 29 includes:
- [$1337]  High CVE-2013-2900: Incomplete path sanitization in file handling. Credit to Krystian Bigaj.
- [$500]  Low CVE-2013-2905: Information leak via overly broad permissions on shared memory files. Credit to Christian Jaeger.
- [$1337]  High CVE-2013-2901: Integer overflow in ANGLE. Credit to Alex Chapman.
- [$1000]  High CVE-2013-2902: Use after free in XSLT. Credit to cloudfuzzer.
- [$1000]  High CVE-2013-2903: Use after free in media element. Credit to cloudfuzzer.
- [$1000]  High CVE-2013-2904: Use after free in document parsing. Credit to cloudfuzzer.
Chrome users should update their browsers as soon as possible to protect against attacks using these vulnerabilities.
An attacker, who may have gotten the information from the database of a third party, claims to have access to the OAuth login tokens and secrets for every Twitter user. He has posted more than 15,000 of the entries online and claims that he can now access the account of any user he wishes. Twitter officials, however, say no accounts have been compromised.
The OAuth tokens and secrets are used as a method of authentication for third-party apps that access Twitter. The tokens and secrets could allow an attacker to access a user’s account without the need for her password. The OAuth tokens and secrets have been posted on a data-sharing site called Zippyshare.
Twitter officials say that they have looked into the reported attack.
“We have investigated the situation and can confirm that no Twitter accounts were compromised,” a Twitter spokesman said.
The attack is supposedly the work of an attacker known as Mauritania Attacker, who has been linked with pro-Islamic operations in the past. Security researchers say that the data that has been posted online appears to have come from a third-party app. It’s not clear which app is involved, but a source with knowledge of the situation says the app has been suspended by Twitter.
Image from Flickr images of West McGowan.
Old malware tricks never really die, they just get recycled and passed down to the next generation of attackers. The latest technique to get run through the wayback machine is the use of the right-to-left override character in Unicode, a tactic that enables malware authors to hide the real name of a malicious executable or, in a recent case, a registry key.
Malware writers have been using the RLO technique for many years, as it’s a simple and effective method for disguising the names of their malicious files. Typically, attackers will try to make their malware appear to be something benign, such as a music player or setup file for a popular application. The RLO technique helps them accomplish this goal.
Here’s how it works: Malware authors give a malicious file a name that is somewhat close to a legitimate file name, and append an extension such as .exe. But hidden in the file name will be a Unicode character that reverses the display order of the characters that follow it. So, for example, a file named “malwaregpj.exe” will appear as “malwareexe.jpg” when the Unicode character is placed after the word “malware”. Security researchers and malware analysts have known about this technique for a long time, but it’s beginning to resurface. Researchers at Microsoft have seen new malware samples that attempt to impersonate the Google service that keeps software updated on users’ machines, and the malware uses the RLO technique to make its registry key look legitimate.
The malware in question is known as Sirefef, which is about a year old. It uses the RLO method to trick users into thinking that the entries it puts into the infected machine’s registry are legitimate ones.
“The variants use the right-to-left-override character in the registry in order to hide its presence by mimicking a setting instantiated by a Google Chrome installation,” said Raymond Roberts of Microsoft.
When the Sirefef malware infects a new machine, it creates a registry entry that looks identical to the legitimate Google Update service. Even clicking on the entry to view its properties will show what appears to be a legitimate entry, aside from some odd-looking characters in the path of the executable. However, looking at the registry entry without Unicode support will reveal the problem. The Sirefef registry entry will show up as “etadpug” and the key will contain a slew of random characters rather than the description of the legitimate Google Update service.
“This demonstrates yet another concerted attempt by malware to hide itself in plain sight by pretending to be something it is not,” Roberts said. “It may make it difficult for someone doing a cursory check to determine if they are infected.”
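The file-name and registry-key tricks described in this article can both be caught the same way: look for bidirectional override characters in the stored name. The routine below is an added example (not Microsoft's code or analysis) that flags names containing Unicode bidi controls and shows, for each, the name as stored (what a tool without Unicode rendering reveals, such as the “etadpug” in the Sirefef entry) beside the form a bidi-aware UI would display. The sample names are constructed; the display approximation reverses everything after a single right-to-left override, which covers the case the article describes but is a simplification of the full Unicode bidi algorithm.

```python
"""Added example (not Microsoft's): audit file and registry names for Unicode
bidirectional controls such as the right-to-left override (U+202E)."""
import unicodedata

# Unicode bidi embedding, override, isolate and mark characters (Bidi_Control).
BIDI_CONTROLS = frozenset("\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u061c")
RLO = "\u202e"

# Constructed sample names: two benign, one RLO file name as in the article,
# one RLO registry-style name that displays as "gupdate".
SAMPLE_NAMES = ["setup.exe", "malware\u202egpj.exe", "\u202eetadpug", "report.pdf"]


def find_bidi_controls(name):
    """Return (index, 'U+XXXX', Unicode name) for every bidi control in name."""
    return [(i, "U+%04X" % ord(ch), unicodedata.name(ch))
            for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def displayed_form(name):
    """Approximate what a bidi-aware UI shows for a name carrying one RLO:
    text before the override is unchanged, text after it is drawn reversed
    (simplification of the bidi algorithm; enough for the single-override trick)."""
    head, sep, tail = name.partition(RLO)
    if not sep:
        return name
    return head + tail[::-1]


def stored_form(name):
    """The name as a tool without bidi rendering shows it: controls stripped,
    character order untouched."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def audit(names):
    """Flag every name containing a bidi control, pairing what the user would
    see with what is actually stored and which controls were found."""
    findings = []
    for name in names:
        hits = find_bidi_controls(name)
        if hits:
            findings.append({
                "stored": stored_form(name),
                "displayed": displayed_form(name),
                "controls": [code for _, code, _ in hits],
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NAMES):
        print("displayed as %-16r stored as %-16r controls %s"
              % (f["displayed"], f["stored"], ", ".join(f["controls"])))
```

Applied to directory listings or to exported registry value names, the same check turns the article's "cursory look" into a mechanical one: any bidi control in a file or key name is worth a second look regardless of what it displays as.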
A member of Facebook’s security team acknowledged over the weekend that the group could have taken further steps to verify a vulnerability initially brought to their attention by an independent security researcher last week but that the company largely adhered to its bug disclosure policy.
That flaw, discovered by Palestinian independent security researcher Khalil Shreateh, allowed him to post to any user’s Facebook wall, regardless of whether the user was his friend. Shreateh emailed Facebook’s security team after finding the flaw last week but failed to fully get the team’s attention.
Shreateh went on to use the bug to post a message on the wall of Facebook CEO Mark Zuckerberg to prove its validity.
“Dear Mark Zuckerberg, First sorry for breaking your privacy and post to your wall, I has no other choice to make after all the reports I sent to Facebook team,” read the post, which has since been removed.
Facebook security team member Matt Jones took to Y Combinator’s Hacker News site yesterday explaining that in essence both parties could’ve handled the situation better.
Jones acknowledged that the Facebook team should’ve asked Shreateh for additional bug reproduction techniques during their exchange. Shreateh included a video on his blog post that further broke the vulnerability down – but apparently failed to include that in his first email to Facebook.
“We should have pushed back asking for more details here,” Jones wrote on Hacker News, later suggesting that while Shreateh’s English wasn’t great, it wasn’t an obstacle but a challenge the security team is used to dealing with.
According to his blog post, Shreateh initially demonstrated the vulnerability by posting an Enrique Iglesias music video on the wall of Sarah Goodin, a friend of Mark Zuckerberg. Shreateh had hoped his actions would get Facebook’s attention, but instead the security team wrote back saying it simply wasn’t a bug.
It was after this that Shreateh moved onto Zuckerberg’s account, which wound up being one of the mistakes he’d make.
“Exploiting bugs to impact real users is not acceptable behavior for a white hat,” Jones wrote, adding that the way Shreateh reported the bug disqualified him from receiving some sort of payout for it.
As part of Facebook’s bug bounty disclosure policy, the company urges users to “make a good faith effort to avoid privacy violations,” to use a test account while investigating vulnerabilities and to “not interact with other accounts without the consent of their owners,” none of which Shreateh did, according to Jones.
“We welcome and will pay out for future reports from him (and anyone else!) if they’re found and demonstrated within these guidelines,” Jones added at the end of his post.
Facebook first launched its bug bounty program back in 2011 and in the last two years the social networking giant has paid out more than $1 million to more than 329 researchers. Researchers from UC Berkeley found earlier this year that bug bounty programs, at least with Google and Mozilla, can be as much as 100 times more cost-effective for finding security vulnerabilities.
If Shreateh had used a dummy account and better explained the vulnerability, this may have been more quietly addressed. Staying away from Zuckerberg’s account probably would’ve helped too – as Shreateh reports that his post got his account disabled – although eventually re-enabled – shortly after.
The issue brings to mind a story from earlier this year where PayPal refused to pay a bug bounty to 17-year-old researcher Robert Kugler after he discovered a cross-site scripting (XSS) flaw in the popular e-commerce site. While there was a fair bit of confusion at first about why PayPal rejected the bug, the company ultimately acknowledged that Kugler didn’t qualify for an award because he wasn’t old enough to have a verified account on the site.
While it remains to be seen if companies will adopt a looser stance towards how they accommodate security researchers going forward, in this case it looks as if Facebook is sticking to their guns, adamant that Shreateh didn’t follow the rules.
Microsoft has re-released one of the August security patches for Windows Server 2008 in order to fix a regression issue that would cause some servers to stop working. The MS13-066 patch was released again Monday after Microsoft discovered the problem last week.
The patch in the MS13-066 update fixes a vulnerability in Active Directory Federation Services that could enable an attacker to cause a denial-of-service condition on a vulnerable server under the right circumstances.
“This security update resolves a privately reported vulnerability in Active Directory Federation Services (AD FS). The vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which would result in account lockout of the service account used by AD FS if an account lockout policy has been configured. This would result in denial of service for all applications relying on the AD FS instance,” Microsoft said in the original bulletin.
The vulnerability affects several versions of Windows Server 2008, as well as Windows Server 2003 and Windows Server 2012. However, the regression issue that caused the re-release of the patch only affected Server 2008 installations. Customers that run affected versions should reinstall the patch.
“Microsoft rereleased this bulletin to announce the reoffering of the 2843638 update for Active Directory Federation Services 2.0 on Windows Server 2008 and Windows Server 2008 R2. The rereleased update addresses an issue in the original offerings that caused AD FS to stop working if the previously released RU3 rollup QFE (update 2790338) had not been installed; the rerelease removes this requirement. Furthermore, in creating this rerelease, Microsoft has consolidated the fixes contained in the two original updates (2843638 and 2843639) into a single 2843638 update. Customers who already installed the original updates will be reoffered the 2843638 update and are encouraged to apply it at the earliest opportunity. Note that when the installation is complete, customers will see only the 2843638 update in the list of installed updates,” the update says.
It’s not unheard of for Microsoft to reissue patches, and it typically occurs when there’s an unforeseen error like this one that ends up breaking another service or feature.
The Internet is a big thing. Or, more accurately, a big collection of things. Figuring out exactly how many things there are, and what vulnerabilities those things contain, has always been a challenge for researchers, but a new tool released by a group from the University of Michigan is capable of scanning the entire IPv4 address space in less than an hour.
There have been a handful of Internet-wide scans done by various organizations over the years, but most of them have not had a security motivation. And they can take days or weeks, depending upon how the scan is done and what the researchers were trying to accomplish. But the new Zmap tool built by the Michigan researchers has the ability to perform an Internet-wide scan in about 45 minutes while running on an ordinary server. The tool, which the team presented at the USENIX Security conference last week, is open-source and freely available for other researchers to use.
To demonstrate the capabilities of Zmap, the Michigan team, which comprises J. Alex Halderman, an assistant professor, and Eric Wustrow and Zakir Durumeric, both doctoral candidates, ran a scan of the entire IPv4 address space, returning results from more than 34 million hosts, or what they estimate to be about 98 percent of the machines in that space. Zmap is designed specifically to bypass some of the speed obstacles that have slowed down some of the previous large-scale scans of the Internet. The researchers removed some of the considerations for machines on the other end of the scan, for example assuming that they sit on well-provisioned networks and can handle fast probes. The result is that the tool can scan more than 1,300 times faster than the venerable Nmap scanner.
“While Nmap adapts its transmission rate to avoid saturating the source or target networks, we assume that the source network is well provisioned (unable to be saturated by the source host), and that the targets are randomly ordered and widely dispersed (so no distant network or path is likely to be saturated by the scan). Consequently, we attempt to send probes as quickly as the source’s NIC can support, skipping the TCP/IP stack and generating Ethernet frames directly. We show that ZMap can send probes at gigabit line speed from commodity hardware and entirely in user space,” the researchers say in their paper, “Zmap: Fast Internet-Wide Scanning and Its Security Implications”.
“While Nmap maintains state for each connection to track which hosts have been scanned and to handle timeouts and retransmissions, ZMap forgoes any per-connection state. Since it is intended to target random samples of the address space, ZMap can avoid storing the addresses it has already scanned or needs to scan and instead selects addresses according to a random permutation generated by a cyclic multiplicative group.”
That stateless scanning, the researchers said, allowed Zmap to get both faster response times and better coverage of the target address space. As for practical applications of the tool, the researchers already have found several. In the last year, the team ran 110 separate scans of the entire HTTPS infrastructure, finding a total of 42 million certificates. Interestingly, they only found 6.9 million certificates that were trusted by browsers. They also found two separate sets of mis-issued SSL certificates, something that’s been a serious problem in recent years.
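The “random permutation generated by a cyclic multiplicative group” in the quote above is the whole reason the scanner needs no per-address state, and the number theory behind it can be checked directly. The following is an added illustration, not ZMap’s own code: it uses a small prime so the entire orbit can be verified, whereas ZMap itself (per the paper, not this article) picks a prime just above 2^32 and skips group elements that fall outside the address space; no packets are sent, the block only walks and verifies the permutation.

```python
"""Why a cyclic multiplicative group yields a stateless, full-coverage permutation."""


def is_generator(g, p):
    """True iff g generates the multiplicative group of integers mod p (p prime).

    The group has order p-1, so g is a generator exactly when g^((p-1)/q) != 1
    for every prime factor q of p-1.
    """
    n = p - 1
    factors, m, q = set(), n, 2
    while q * q <= m:
        while m % q == 0:
            factors.add(q)
            m //= q
        q += 1
    if m > 1:
        factors.add(m)
    return all(pow(g, n // q, p) != 1 for q in factors)


def permutation_walk(p, g, space_size, start=1):
    """Yield every address 0..space_size-1 exactly once, carrying one integer of state.

    Group elements are 1..p-1; element e maps to address e-1, and elements past
    the address space (p-1 > space_size) are simply skipped, as in the paper.
    `start` may be any element, giving a different rotation of the same cycle.
    """
    if not is_generator(g, p):
        raise ValueError("g must generate the group, or coverage is incomplete")
    if not 1 <= start < p:
        raise ValueError("start must be a group element in 1..p-1")
    current = start
    for _ in range(p - 1):            # one full orbit of the cyclic group
        if current <= space_size:
            yield current - 1
        current = (current * g) % p   # the only state kept between probes


def coverage_report(p, g, space_size):
    """Return (addresses visited, distinct addresses) for a full walk."""
    seen = list(permutation_walk(p, g, space_size))
    return len(seen), len(set(seen))


if __name__ == "__main__":
    # Stand-in parameters: p=37 and g=2 in place of ZMap's ~2^32 prime.
    print(list(permutation_walk(37, 2, 32)))
```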
The Zmap team also wrote a custom probe to look for the UPnP vulnerability that HD Moore of Rapid 7 discovered in January. After scanning 15.7 million devices, they found that 3.3 million were still vulnerable. That bug can be exploited with a single packet.
“Given that these vulnerable devices can be infected with a single UDP packet, we note that these 3.4 million devices could have been infected in approximately the same length of time—much faster than network operators can reasonably respond or for patches to be applied to vulnerable hosts. Leveraging methodology similar to ZMap, it would only have taken a matter of hours from the time of disclosure to infect every publicly available vulnerable host,” the researchers say in the paper.
Dennis Fisher talks with Rich Mogull of Securosis about his days as a teen wannabe hacker, his meandering path through Navy ROTC, software development, near miss with medical school, mountain rescues and his life as a security industry analyst.
If you’ve run an internal phishing exercise, chances are you may have used Jigsaw, an open source penetration testing tool that enables security teams to automatically generate email address combinations from a minimal amount of public information.
As with other open source security and networking tools such as Metasploit, Nessus and Nmap, cybercrime groups have been known to pervert them for harm. Such may be the case with Jigsaw, which researchers at RSA Security’s FraudAction team said they’ve seen being used in active attacks.
Jigsaw is a Ruby script-based email enumeration tool that accesses the Jigsaw business directory. It generates email addresses in one of four popular naming conventions from information available in the database. The Jigsaw directory, meanwhile, is a cloud-based real-time database that is primarily crowdsourced; more than 27 million business contacts and four million company profiles are in the directory, which is maintained by more than one million users. It’s a rich hunting ground for cybercriminals, and an important tool for pen-testers and enterprise security teams assessing the awareness of employees to the dangers of email-based spam and phishing campaigns.
RSA principal malware scientist Christopher Elisan said researchers from its fraud intelligence team saw a version of Jigsaw being used in attacks. Elisan said that new features added to the tool last November enhance the granularity of business contact data returned in the final output, such as a target’s username, and add HTTPS support for database requests.
The Jigsaw tool is intuitive. A user simply enters a search argument such as their target company name, and the tool returns all of the companies it has knowledge of with that name, plus the number of employees listed and the company’s Jigsaw directory ID. Knowing the ID, an attacker can get much more granular and, for example, find employee names per department, based upon what’s available in the directory. The attacker then supplies the tool with the company’s domain name and the Jigsaw tool generates a list of possible email addresses.
“One thing the directory doesn’t have is the employee’s email address,” Elisan said. “What Jigsaw does is generate email addresses for you. The way it does that is that it uses four common formations used by companies as log-ins and attaches those to the supplied domain name.”
Since an attacker may not know the target company’s particular email convention, the Jigsaw tool will generate a list of email addresses using four formats: first initial plus last name, first name dot last name, first name plus the first initial of the last name, and last name plus the first initial of the first name, each appended to the domain name supplied.
“All of the information is displayed to the attacker who can save it to a CSV file that will contain an employee’s name, department and crafted email addresses based on the formats added to the domain,” Elisan said. “The CSV file is then fed into an automated system. That list also comes with a configuration file that can be fed into a botnet.”
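A defender can turn the four naming conventions described above into a detection: a sender that hits several Jigsaw-style variants of the same employee’s name is guessing, not mailing a known contact. The following is an added example, not part of Jigsaw or RSA’s analysis; the gateway log format, the sender addresses and the two-person employee directory are all constructed for the demonstration.

```python
"""Flag senders that probe several Jigsaw-style address variants of one employee."""
import re
from collections import defaultdict

# Constructed SMTP gateway log lines (not a real log format).
LOG_LINES = [
    "2013-08-23T10:00:01 from=news@attacker.invalid rcpt=jsmith@example.com verdict=accepted",
    "2013-08-23T10:00:02 from=news@attacker.invalid rcpt=john.smith@example.com verdict=unknown_user",
    "2013-08-23T10:00:03 from=news@attacker.invalid rcpt=johns@example.com verdict=unknown_user",
    "2013-08-23T10:00:04 from=news@attacker.invalid rcpt=smithj@example.com verdict=unknown_user",
    "2013-08-23T10:00:05 from=news@attacker.invalid rcpt=a.lee@example.com verdict=accepted",
    "2013-08-23T10:01:00 from=partner@vendor.example rcpt=jsmith@example.com verdict=accepted",
]

# Constructed employee directory: the defender knows its own staff, the attacker guesses.
DIRECTORY = [("John", "Smith"), ("Ann", "Lee")]

LINE_RE = re.compile(
    r"from=(?P<sender>\S+) rcpt=(?P<rcpt>[^@\s]+)@(?P<domain>\S+) verdict=(?P<verdict>\S+)"
)


def jigsaw_variants(first, last):
    """The four naming conventions the article says Jigsaw tries."""
    f, l = first.lower(), last.lower()
    return {f[0] + l, f + "." + l, f + l[0], l + f[0]}


def variant_index(directory):
    """Map every candidate local-part back to the employee it would be guessing."""
    index = {}
    for first, last in directory:
        for variant in jigsaw_variants(first, last):
            index[variant] = (first, last)
    return index


def enumeration_suspects(log_lines, directory, min_variants=2):
    """Return {sender: max variants of one employee targeted} for suspicious senders."""
    index = variant_index(directory)
    hits = defaultdict(lambda: defaultdict(set))  # sender -> employee -> variants seen
    for line in log_lines:
        match = LINE_RE.search(line)
        if not match:
            continue
        local = match.group("rcpt").lower()
        if local in index:
            hits[match.group("sender")][index[local]].add(local)
    suspects = {}
    for sender, per_employee in hits.items():
        worst = max(len(variants) for variants in per_employee.values())
        if worst >= min_variants:   # one real address is normal; several variants is probing
            suspects[sender] = worst
    return suspects
```

Tune `min_variants` to the directory: a legitimate correspondent uses one address per person, so two or more variants of the same name from one sender is a strong signal even before bounce rates are considered.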
Royce Davis, one of the developers of Jigsaw, said that organizations need to think hard about the information they share online and in other forums.
“In the case of the Jigsaw database, I do not believe companies are intentionally providing their information. I believe the records are harvested from business cards which get handed out like candy at various conferences and public gatherings,” Davis said via email to Threatpost. “What I have shown with my tool is that an attacker doesn’t need to necessarily obtain a user’s email address. Simply obtaining their first and last name is often enough to craft a valid email address. For this reason I would recommend that companies become more creative with their username conventions. For example, the first and last initial combined with a unique identifier could look like ‘email@example.com.’ This would be much more difficult to guess than the more traditional ‘firstname.lastname@example.org.’ ”
Davis said that Jigsaw has been used in hundreds of sanctioned phishing exercises.
“I tend to receive positive feedback from other pen-testers. I think this is because Jigsaw makes it easier for them to harvest email addresses to be used for their email phishing exercises,” Davis said. “Additionally it helps to provide clients with a sense of how much information about their company is out there on the internet.”
Davis added that he was unaware of anyone who had taken his code and written a malicious tool.
“I wrote Jigsaw as an open source penetration testing tool. The initial concept came from a colleague who already knew of the Jigsaw.com database and simply wanted a tool to perform the tedious steps of pulling information automatically,” Davis said. “A hammer and nails are regularly used to build houses and keep families warm. Hammers can also be used as deadly weapons. As with the hammer, I’m glad that so many people were able to get such positive results from the tool.”