PUNTA CANA – Although it may not be the most thrilling part of a security team’s job, the idea of operational risk assessment and management is perhaps the most important aspect of organizational security.
Steve Adegbite, senior vice president in charge of enterprise information security program oversight and strategy at the banking giant Wells Fargo, pointed out in his talk at the Kaspersky Security Analyst Summit here that online banking security is essentially predicated on the ideas that evolved during hundreds of years of brick and mortar physical security.
For sure, the means required to securely store potentially valuable bits of data on a network, database or server are very different from the means by which an early human may have hidden in a cave to avoid being eaten by a bear. However, Adegbite’s presentation suggested that these sorts of risk assessments – the ones that have kept humans alive for hundreds of thousands of years – are exactly the kinds of logical progressions corporations should follow to protect sensitive data.
“Operational risk management is a key component of any security practice,” Adegbite wrote in a synopsis of his briefing. “This principle has been exercised since the dawn of time when cave men weighed the outcome of certain scenarios… [such as the] risk of hunting that wild animal to eat or having that wild animal eat him.”
It’s not enough though to merely understand the information your company holds, how and why and to whom it is valuable, and the threats to the integrity of that data. Companies need to understand that zero-days are an unfortunate inevitability of technology and that their security measures will eventually fail. Even if an organization has the perfect risk model, they are still vulnerable to the one, uncontrollable factor: humans.
Beyond this, people, attack techniques and defensive technology all change over time. The way we build software, Adegbite explained, has changed dramatically. Code written 10 or even five years ago is insecure by today’s standards, which is why Adegbite believes it is unacceptable when organizations say “this is just the way we do things.”
If you fall in love with your risk management plan, Adegbite said, and think it is perfect, you are missing the point of a risk management plan. Risk management plans should be designed to fail. His point is that failure in the realm of security is inevitable, but with a competent risk plan, organizations can fail better, limiting an incident’s effect on a business’s reputation and bottom line.
“Your risk model is never going to always work,” said Adegbite.
When the risk management plan fails, companies need to look at why it failed, and make it better.
Adegbite said that these analyses are measured in cost: how much money are we willing to lose before we spend the money to stop losing money in this way? Or, on the flip side of that coin, how much are we willing to invest in order to prevent future losses? In this way, Adegbite told the audience, banks are adopting some of the attitudes that Wall Street traders have had toward failure for years, namely a willingness to take bigger risks in the pursuit of a better payoff. Of course, in this case that payoff is better security that could potentially save organizations money down the line.
PUNTA CANA–The golden era of bulk surveillance through the acquisition of phone records and other data from telecommunications companies may already be fading, but the larger threat to privacy and security is just beginning to emerge: the use of legal tools and coercion to get around encryption and other safeguards.
One of the main results of the NSA revelations has been that many of the major Web companies–including Google, Yahoo and others–have begun turning on encryption by default on their main properties. This has been a long time coming and it has happened mainly after a lot of public pressure from privacy advocates. But these efforts have been accelerated in the wake of revelations that the NSA has been gathering unencrypted communications between data centers owned by major tech companies.
Chris Soghoian, principal technologist and senior policy analyst at the American Civil Liberties Union, has been one of the loudest voices pushing for more encryption on the Web and pressuring companies to roll out SSL by default on their Web properties.
“The day that Google turned on SSL by default was probably a pretty bad day for the NSA,” he said. “But until we have end-to-end encryption, the FBI can still go to Google [and demand user data].”
The use of encrypted links for email services such as Gmail helps protect large swaths of communications, but Soghoian said that it only goes so far.
“If you take these companies at their word, they don’t provide bulk data. They don’t provide data on a million people at once, which is something that the backbone providers do,” he said during a talk at the Kaspersky Security Analyst Summit here Monday. “If you take them at their word, a world in which our communications are encrypted to and from Google is a world in which the government can’t do wholesale surveillance. That may be an end for now to bulk surveillance, but governments are going to have to respond.”
That response has already begun, in fact. One portion of it is the use of court orders and other legal methods to gain access to users’ data, whether at a service provider or elsewhere. This has been happening for years, long before Edward Snowden had ever leaked a single document. But Soghoian said that the government is changing the way it uses these tools and how often.
“Our threat model has changed. The APT powers of my government and your government and the Chinese government are not the biggest power. The most powerful tool the Department of Justice has is not the ability to hack but the ability to coerce,” Soghoian said. “You can fix the hack but you can’t patch away the coercion.”
As an example, Soghoian pointed to the Lavabit case. The company was a secure email provider used by Edward Snowden, and its founder, Ladar Levison, refused to comply with an FBI order to turn over the SSL keys for his company to aid the FBI’s investigation into Snowden’s actions. He ended up shuttering the company and is fighting in the courts further requests that he hand the FBI the keys that would decrypt all of the Lavabit users’ emails, not just Snowden’s. Soghoian said the fact that the government is willing to go that far to get the emails of one user is concerning.
“We should assume the powers the government is seeking in the Lavabit case will be used elsewhere,” he said. “The precedent that the government can go to a private company and demand the keys to the kingdom to get at one user’s data threatens the entire Internet.”
To address the new threat model, Soghoian urged developers and engineers and security teams to build surveillance-resistant systems.
“We have to design our software and systems so that they can be resistant to this kind of coercion,” he said. “The software we built ten years ago, the software we built two years ago, was not built with this threat in mind.”
PUNTA CANA–A group of high-level, nation-state attackers has been targeting government agencies, embassies, diplomatic offices and energy companies with a cyber-espionage campaign for more than five years that researchers say is the most sophisticated APT operation they’ve seen to date. The attack, dubbed the Mask, or “Careto” (Spanish for “Ugly Face” or “Mask”) includes a number of unique components and functionality and the group behind it has been stealing sensitive data such as encryption and SSH keys and wiping and deleting other data on targeted machines.
The Mask APT campaign has been going on since at least 2007 and it is unusual in a number of ways, not the least of which is that it doesn’t appear to have any connection to China. Researchers say that the attackers behind the Mask are Spanish-speaking and have gone after targets in more than 30 countries around the world. Many, but not all, of the victims are in Spanish-speaking countries, and researchers at Kaspersky Lab, who uncovered the campaign, said that the attackers had at least one zero-day in their arsenal, along with versions of the Mask malware for Mac OS X, Linux, and perhaps even iOS and Android.
“These guys are better than the Flame APT group because of the way that they managed their infrastructure,” said Costin Raiu, head of the Global Research Analysis Team at Kaspersky. “The speed and professionalism is beyond that of Flame or anything else that we’ve seen so far.”
Raiu revealed the details of the Mask attack campaign during the Kaspersky Security Analyst Summit here Monday.
Interestingly, the Kaspersky researchers first became aware of the Mask APT group because they saw the attackers exploiting a vulnerability in one of the company’s products. The attackers found a bug in an older version of a Kaspersky product, which has been patched for several years, and were using the vulnerability as part of their method for hiding on compromised machines. Raiu said that the attackers had a number of different tools at their disposal, including implants that enabled them to maintain persistence on victims’ machines, intercept all TCP and UDP communications in real time and remain invisible on the compromised machine. Raiu said all of the communications between victims and the C&C servers were encrypted.
The attackers targeted victims with spear-phishing emails that would lead them to a malicious Web site where the exploits were hosted. There were a number of exploits on the site and they were only accessible through the direct links the attackers sent the victims. One of the exploits the attackers used was for CVE-2012-0773, an Adobe Flash vulnerability that was discovered by researchers at VUPEN, the French firm that sells exploits and vulnerability information to private customers. The Flash bug was an especially valuable one, as it could be used to bypass the sandbox in the Chrome browser. Raiu said the exploit for this Flash bug never leaked publicly.
While most APT campaigns tend to target Windows machines, the Mask attackers also were interested in compromising OS X and Linux machines, as well as some mobile platforms. Kaspersky researchers found Windows and OS X samples and some indications of a Linux version, but don’t have a Linux sample. There also is some evidence that there may be versions for both iOS and Android. Raiu said there was one victim in Morocco who was communicating with the C&C infrastructure over 3G.
Kaspersky researchers have sinkholed about 90 of the C&C domains the attackers were using, and the operation was shut down last week within a few hours of a short blog post the researchers published with a few details of the Mask campaign. Raiu said that after the post was published, the Mask operators rolled up their campaign within about four hours.
However, Raiu said that the attackers could resurrect the operation without much trouble.
“They could come back very quickly if they wanted,” he said.
A small number of Bitcoin wallets have been raided by a newly discovered Trojan that gobbles up credentials used to guard the digital currency.
OSX/CoinThief.A was found in the wild by a security consultancy specializing in Apple security called SecureMac; the malware was spreading on GitHub via a malicious app, which has since been removed from the code repository.
“At this time we’ve seen multiple reports on Reddit and other Bitcoin forums with users indicating that they’ve fallen victim to the malware, but we do not yet know the full scope of the malware distribution,” SecureMac lead developer Nicholas Ptacek said. “As news of this malware spreads, more victims will probably come forward.”
A Reddit discussion about the incident seems to link the author of the app called StealthBit, used to spread CoinThief, to a previous attack targeting Bitcoin credentials carried out through an app called Bitvanity. The author of CoinThief went by the handle trevorscool or Thomas Revor, while the Bitvanity GitHub account was registered to a Trevory. The person posting said the Bitvanity app lifted more than 20 Bitcoins—an approximate value of $14,000 USD.
“The malware author tried to take down the malicious binary from Github yesterday, and possibly didn’t realize that it would still be available from the commit history,” Ptacek said. “At some point in the afternoon, the entire Github page for StealthBit was 404’ing, but we are not sure if the malware author deleted his account, or if the page was taken down by Github.”
StealthBit pretends to be an app used to send and receive payments on Bitcoin Stealth Addresses. Instead, when victims install it, their web browsing traffic is monitored by the Trojan, which sniffs out login credentials for Bitcoin wallets.
“At this time there does not appear to be any vulnerability that the malware is exploiting, but rather it is a classic case of social engineering,” Ptacek said. “The infected users thought they were installing an app to send and receive payments on Bitcoin Stealth Addresses, but the app did more than was advertised when it installed the malware. Since the user was intending to install the app, Gatekeeper warnings wouldn’t have been effective at stopping those users from running the app.”
The consultancy said the CoinThief Trojan is a dropper that installs browser extensions on Safari and Chrome running on OS X. The extensions keep tabs on Web traffic from the browsers and watch for log-in attempts on pre-loaded Bitcoin exchanges such as Mt. Gox and BTC-e and wallet sites such as blockchain.info. The extensions, meanwhile, are generically named “Pop-up Blocker,” and arrive with an equally generic description that wouldn’t raise suspicions with the user or security researchers.
“Additionally, the malware appears to monitor specific file locations on disk, checking to see when they are modified. Analysis of this malware is still in the early stages, so more information is likely to come to light moving forward,” Ptacek said.
The attackers hosted the source code and a precompiled version of the app on GitHub, SecureMac said. The source code and app, however, were not a match. The pre-compiled app contained malware not present in the source code and infected OS X users with CoinThief. Not only does the malware watch Web traffic, but it connects to a remote command and control server where it sends the stolen credentials and also receives updates from the attackers.
“Information sent back to the server isn’t limited to Bitcoin login credentials, but also includes the username and UUID (unique identifier) for the infected Mac, as well as the presence of a variety of Bitcoin-related apps on the system,” SecureMac said on its site.
Ptacek said the remote server was registered in Australia via bitcoinwebhosting[.]net, but appeared to be hosted elsewhere. The remote server was located at www[.]media02-cloudfront[.]com, with a current IP address of 217[.]78[.]5[.]17, but it appears to be down at this time, Ptacek said.
Apple’s security restrictions make it highly unlikely the malware would have made its way onto the Apple App Store. Also, there is no indication of a mobile component of this Trojan for iOS devices.
“The Trojan only works on OS X, and we haven’t seen any indication of the presence of an iOS version,” Ptacek said. “Furthermore, due to the security restrictions Apple has built into iOS, this malware would not be able to function on iOS.”
PUNTA CANA–The Microsoft bug bounty program, started last year as a way to encourage researchers to develop new offensive and defensive techniques, has been a success so far and the company is looking for new ways to expand it in the future. Katie Moussouris, the security strategist at Microsoft responsible for the program’s creation, said that while rewarding researchers for innovative work was a key goal, causing some turbulence in the vulnerability market was also part of the plan.
Moussouris had been working on the bounty program for some time before she was able to launch it last year, and she had paid close attention to the way that not just other bounty programs work, but also how the legitimate vulnerability market operates. Vulnerability buyers and sellers for years have operated mainly underground, but that has changed in the last couple of years as companies such as VUPEN and others have made bug sales into a booming business. Microsoft’s products always are at the top of the list for both attackers and security researchers, and Moussouris wanted to find a way to get valuable offensive techniques in Microsoft’s hands rather than in the hands of vulnerability brokers or attackers.
“We’re never going to outbid the black market. This is about using existing levers to disrupt the vulnerability economy,” Moussouris said in a talk at the Kaspersky Security Analyst Summit here Monday.
Security researchers who once had limited options for making money from their vulnerability work now have a broad spectrum of choices. Depending on their contacts and other factors, researchers can sell bugs to any number of government agencies, defense contractors or third parties. Bug bounty programs provide another option, but they’re typically far less lucrative. Microsoft wanted to make that option more attractive by offering bounties of up to $100,000 for novel offensive techniques that can bypass the exploit mitigations in the latest version of Windows. The company already has paid one bounty and recently expanded the field of eligible participants to include forensics teams and incident responders.
There are more potential additions to the Microsoft bounty program, Moussouris hinted during her talk, but did not provide any new details.
Moussouris said that the pool of researchers capable of finding qualifying bypass techniques is relatively small, and the subset of that group who are willing to submit them to Microsoft is even smaller.
“There are probably only a thousand people worldwide who could do this kind of work,” she said, “And there’s probably only a few hundred who would work with Microsoft.”
There has been quite a lot of discussion in the security industry about exploit sales and potential regulation of the market. But Moussouris says she thinks that would be a mistake.
“I tell governments that I don’t want them to regulate exploits because you’ll blind me,” she said. “You’ll make it so the only way I can find out about new attacks is when they hit customers.”
PUNTA CANA–Costin Raiu is a cautious man. He measures his words carefully and says exactly what he means, and is not given to hyperbole or exaggeration. Raiu is the driving force behind much of the intricate research into APTs and targeted attacks that Kaspersky Lab’s Global Research and Analysis Team has been doing for the last few years, and he has first-hand knowledge of the depth and breadth of the tactics that top-tier attackers are using.
So when Raiu says he conducts his online activities under the assumption that his movements are being monitored by government hackers, it is not meant as a scare tactic. It is a simple statement of fact.
“I operate under the principle that my computer is owned by at least three governments,” Raiu said during a presentation he gave to industry analysts at the company’s analyst summit here on Thursday.
The comment drew some chuckles from the audience, but Raiu was not joking. Security experts for years have been telling users–especially enterprise users–to assume that their network or PC is compromised. The reasoning is that if you assume you’re owned then you’ll be more cautious about what you do. It’s the technical equivalent of telling a child to behave as if his mother is watching everything he does. It doesn’t always work, but it can’t hurt.
Raiu and his fellow researchers around the world are obvious targets for highly skilled attackers of all stripes. They spend their days analyzing new attack techniques and working out methods for countering them. Intelligence agencies, APT groups and cybercrime gangs all would love to know what researchers know and how they get their information. Just about every researcher has a story about being attacked or compromised at some point. It’s an occupational hazard.
But one of the things that the events of the last year have made clear is that the kind of paranoia and caution that Raiu and others who draw the attention of attackers employ as a matter of course should now be the default setting for the rest of us, as well. As researcher Claudio Guarnieri recently detailed, the Internet itself is compromised. Not this bit or that bit. The entire network. We now know that intelligence agencies have spent the last decade systematically penetrating virtually every portion of the Internet and are conducting surveillance and exploitation on a scale that a year ago would have seemed inconceivable to all but the most paranoid among us.
Email? Broken. Mobile communications? Broken. Web traffic? Really broken. Crypto? So, so broken.
It would be understandable, even natural, for most casual observers to have grown so completely overwhelmed by the inundation of stories about government surveillance and exploitation techniques that they tuned it out months ago. Why get worked up about something you can’t change? It’s like getting mad at cake for being delicious.
And that’s exactly the attitude that attackers want. Indeed, they depend on it. Complacency and indifference to clear threats are their lifeblood. Attackers can’t operate effectively without them.
The best response, of course, isn’t panic or indulging the urge to throw your laptop out the window and drop off the grid, as tempting as that might be. Rather, the best course of action is to follow Raiu’s simple advice. You’re being watched at all times; act accordingly.
Image from Flickr photos of Lyudagreen.
The heating, ventilation and air conditioning contractor linked to the Target breach said its data connection to the giant retailer was “exclusively for electronic billing, contract submission and project management,” the company’s president and owner said yesterday.
Ross E. Fazio said in a statement that his company, Fazio Mechanical Services, was also compromised and that it is cooperating with Target and the Secret Service in the investigation of the breach that spanned most of the Christmas shopping season and resulted in the loss of 40 million payment cards and the personal information of 70 million individuals.
Fazio also squashed initial speculation that his company remotely monitors and manages Target’s environmental controls such as heating, cooling and refrigeration.
“Like Target, we are a victim of a sophisticated cyber attack operation,” Fazio said. “Target is the only customer for whom we manage these processes on a remote basis. No other customers have been affected by the breach.”
Fazio Mechanical Services is based in Sharpsburg, Pa., and specializes in supermarket refrigeration systems. Legitimate credentials providing access to the Target corporate network were stolen from Fazio Mechanical Services, sources told Krebs on Security.
Fazio’s declaration that it does not remotely monitor energy consumption and remotely manage temperatures for Target debunks theories that the hackers had bridged the HVAC system and pivoted from there to the corporate network. Hackers were able to upload RAM scraping malware to point of sale systems and exfiltrate stolen payment card data via a server inside the Target firewall to the attackers’ remote server.
While some security experts questioned why there wasn’t better segmentation between the two networks if this were the case, industrial control system security experts on the SCADASEC mailing list said that many building automation networks often are integrated with corporate networks. One post describes a typical environment where a workstation is tasked with managing a building automation system and a DSL line connects it to the Internet.
“It happens all the time,” said Billy Rios, director of vulnerability research and threat intelligence at Qualys. “We’ve done assessments where we exploit an Internet-facing HVAC system and pivot to the corporate network. Pivoting from the HVAC system to the corporate network is really trivial; it’s designed to be a bridge like that.”
Large retailers such as Target are perfect examples of this scenario, where a third-party integrator is hired for environmental control, which is generally done remotely over the Internet rather than by sending technicians on-site, said Rios, a long-time SCADA and ICS pen-tester who has reported dozens of building management system vulnerabilities to the Industrial Control System Computer Emergency Response Team (ICS-CERT).
An integrator’s job is to install equipment, and often it’s done without much consideration for cybersecurity. Rios said there are no centralized security standards they are required to adhere to with regard to remote access.
“Every HVAC integrator is doing their own thing; there’s no control,” Rios said. “They put in remote access the way they want to put it in. Sometimes these guys just bring in a cable modem and the organization doesn’t realize the bridge to the Internet exists. Pivoting becomes trivial at that point. Some of the stuff we’ve seen is appalling.”
One such example Rios said was the reuse of common passwords by an integrator for all its customers.
“This way, the technician knows one set of credentials that gets them into all their customers,” Rios said. “If one organization gets compromised, the chances are all of them are going to get compromised. These are super common problems and it’s totally crazy.”
Another issue plaguing building management systems is that they often don’t fall under the auspices of IT management, but rather under facilities or operations. Many of these systems are embedded, run Windows or Linux, and are hardly ever monitored by security tools such as antimalware or egress filtering.
“When you see some of these systems taken out of facilities and turned over into IT, they turn on the security stuff and see they’ve been compromised, that a system is reaching out to different IP addresses or stuff is out of date,” Rios said.
“We’ve seen this coming for a long time, and there’s still a long way to go,” Rios said. “Integrators have to get their act together; vendors have to get their act together; and end users have to understand the threat. It’s a three-legged stool and until we get all three legs working together, we’re going to have a lot of problems.”
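The egress-filtering gap Rios describes is easy to check for once someone actually collects the connection logs from a building-automation host. The following is an added example, not code from the article, Qualys or Fazio: it reads constructed flow records from a hypothetical workstation named bms-ws01, compares each destination against an allowlist of the networks and ports the system is expected to talk to (the allowlist entries and the BACnet port 47808 are assumptions for the demo), and returns the connections that fall outside it, which is exactly the “reaching out to different IP addresses” symptom that only surfaces once such a system is monitored.

```python
import ipaddress
import re

# Constructed flow records from a hypothetical building-automation workstation.
# These are sample data written for this example, not real logs.
SAMPLE_FLOWS = """\
2014-02-06T09:01:12 host=bms-ws01 proto=udp src=10.20.0.15 dst=10.20.0.2 dport=47808
2014-02-06T09:01:40 host=bms-ws01 proto=tcp src=10.20.0.15 dst=10.20.0.9 dport=443
2014-02-06T09:02:03 host=bms-ws01 proto=tcp src=10.20.0.15 dst=203.0.113.77 dport=8080
2014-02-06T09:02:05 host=bms-ws01 proto=udp src=10.20.0.15 dst=192.0.2.10 dport=53
2014-02-06T09:02:44 host=bms-ws01 proto=tcp src=10.20.0.15 dst=198.51.100.4 dport=443
"""

# Assumed egress policy: (destination network, allowed port or None for any port).
ALLOWED_EGRESS = [
    ("10.20.0.0/24", None),   # the local building-automation segment, any port
    ("192.0.2.10/32", 53),    # the integrator's DNS resolver (constructed address)
]

FLOW_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) proto=(?P<proto>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_flow(line):
    """Turn one key=value flow record into a dict; None for lines that don't match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed(dst, dport, allowed):
    """True if the destination/port pair matches at least one allowlist entry."""
    addr = ipaddress.ip_address(dst)
    for net, port in allowed:
        if addr in ipaddress.ip_network(net) and (port is None or port == dport):
            return True
    return False


def unexpected_egress(flow_text, allowed=ALLOWED_EGRESS):
    """Return the flow records whose destination is not covered by the allowlist.

    Each hit is something a facilities team would have to explain: a vendor
    update channel that was never documented, or a compromised host calling out.
    """
    hits = []
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        if not is_allowed(rec["dst"], rec["dport"], allowed):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in unexpected_egress(SAMPLE_FLOWS):
        print(f"{rec['ts']} {rec['host']} -> {rec['dst']}:{rec['dport']}/{rec['proto']} not in egress policy")
```

Run against real exported flow logs, the same function gives a first-pass inventory of what a building automation workstation talks to; the entries that survive review become the egress rules that Rios notes are usually absent.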
Everything Everywhere has released patches for a pair of vulnerabilities discovered by a UK researcher, but has yet to fix a risky cross-site request forgery flaw that could result in traffic sent from the home and small business router being redirected to a malicious site.
Scott Helme, an engineer in the UK, said he has since found more serious vulnerabilities and disclosed them to the popular networking gear manufacturer.
“I’ve yet to publish details as EE have only been aware for around a week,” Helme told Threatpost. Helme informed EE of his original findings in November and went public with them after EE promised patches in December but had failed to deliver.
Helme published details of a number of serious security issues in the routers; EE has 700,000 customers in the UK. The vulnerabilities could make it trivial to steal not only device credentials, but a user’s ISP login data. The BrightBox router also leaks sensitive device and user data to other clients on the network, including WPA and WEP keys, SSID lists and keys, the MD5 hash of device admin credentials and the user’s ISP log-in information.
“The device now protects the CGI folder and doesn’t leak credentials,” Helme said. “The risk remaining is the CSRF which means an attacker could potentially change the DNS servers for example and then intercept all of your internet traffic.”
EE is rolling out firmware updates that patch the credential vulnerabilities to customers. Helme said his device was patched over his broadband line, but the company would not send him the patch file. He said EE told him the deployment should be done by the end of February.
“Two of the three were patched it seems due to time constraints. They released what they had and are working on the CSRF,” Helme said. “This hasn’t been confirmed, it’s just what I’ve gathered from their emails.”
Helme told Threatpost in January there were no anti-cross site request forgery protections in place on the router. He was able to exploit that situation and conduct a replay attack to control the device and gain admin access. He also found a way to bypass the protections in place guarding remote management capabilities.
“With a little CSRF, I can enable remote management on your router and steal all of your sensitive data like WPA keys, ISP credentials and the md5 hash of your admin password over the Internet. Once I’ve cracked the hash I can login and do just about anything I like with your device or not bother with any of that and just call EE to cancel your internet connection,” Helme said.
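The CSRF weakness Helme describes comes down to a settings handler that trusts the browser’s session cookie alone, which any page the administrator happens to visit can cause the browser to send. Below is an added example, not code from the article or from EE’s firmware: a small Python model of a DNS-settings handler in its weak form beside a hardened form that also requires a per-session anti-CSRF token (compared in constant time) and an Origin or Referer header naming the device. The configuration dict, session store, request shape and the device origin http://192.168.1.1 are assumptions made for the demo.

```python
import hmac
import secrets
from urllib.parse import urlsplit


def new_config():
    """Constructed router settings; dns_servers stands in for the setting the
    article says a forged request could change."""
    return {"dns_servers": ["192.0.2.53"]}


def new_session_store():
    """Hypothetical store mapping a session id to its anti-CSRF token."""
    return {}


def issue_csrf_token(sessions, session_id):
    """Mint a random token bound to one logged-in session. The admin page embeds
    it in the settings form; a cross-origin page cannot read it."""
    token = secrets.token_urlsafe(32)
    sessions[session_id] = token
    return token


def vulnerable_set_dns(config, request):
    """Models the weakness: the session cookie is the only check, and browsers
    attach cookies to form posts triggered by any site the admin visits."""
    if request["cookies"].get("session") is None:
        return False
    config["dns_servers"] = request["form"]["dns"]
    return True


def hardened_set_dns(config, sessions, request, device_origin):
    """Apply the change only if the session is known, the submitted token matches
    the one issued to that session, and the request's Origin (or Referer) names
    the device. Every missing or mismatched value fails closed."""
    session_id = request["cookies"].get("session")
    expected = sessions.get(session_id)
    if expected is None:
        return False
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(expected, submitted):   # constant-time compare
        return False
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != device_origin:
        return False
    config["dns_servers"] = request["form"]["dns"]
    return True


def make_request(session, origin, dns, csrf_token=None):
    """Build a request dict in the shape the handlers above expect."""
    form = {"dns": dns}
    if csrf_token is not None:
        form["csrf_token"] = csrf_token
    headers = {"Origin": origin} if origin else {}
    return {"cookies": {"session": session}, "headers": headers, "form": form}


if __name__ == "__main__":
    sessions = new_session_store()
    token = issue_csrf_token(sessions, "sess-1")
    forged = make_request("sess-1", "http://attacker.example", ["198.51.100.1"])
    cfg = new_config()
    print("weak handler accepted forged request:", vulnerable_set_dns(cfg, forged))
    cfg = new_config()
    print("hardened handler accepted forged request:",
          hardened_set_dns(cfg, sessions, forged, "http://192.168.1.1"))
```

The token and the origin check defend against different failure modes: the token stops a forged post even when the browser omits the Origin header, and the origin check catches a token that has leaked through a page the attacker controls on the same host; requiring both is the usual recommendation for state-changing administrative endpoints.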
PUNTA CANA–Attacks on critical infrastructure have been grabbing headlines for years now, long before sophisticated operations such as Stuxnet and Flame hit the scene. But we’re probably still in the early stages of the evolution of such attacks, and the use of so-called cyber weapons in these operations is likely going to increase in the near future, Eugene Kaspersky said.
“I’m afraid very soon we’re going to see more attacks on critical infrastructure,” Kaspersky said during a keynote speech at Kaspersky Lab’s Industry Analyst Summit here Thursday.
Kaspersky, the founder and CEO of the company, has spoken often in the past about the issue of nation states and government-backed groups deploying sophisticated malware against one another, and he stressed again Thursday that he views the development of cyber weapons as a serious danger.
“Cyber weapons are the worst innovation of the twenty-first century,” he said. “We depend on computers for everything. There’s a boomerang effect. Because it’s malware, it can come back to you. There are many reasons why cyber weapons are a bad idea.”
Defining what constitutes a cyber weapon is a difficult task, and is made all the more complicated by the question of attribution. Would Stuxnet have qualified as a cyber weapon if it had been created and deployed by a private group rather than a government? It’s hard to say. And determining with any degree of certainty who is responsible for a given attack is notoriously difficult.
But Kaspersky said that it’s the attacks between various governments that have him most concerned. A number of major governments have acknowledged publicly that they have dedicated groups–military or otherwise–whose mission is offensive cyber operations. The United States has had offensive units in both the military and intelligence agencies for a long time, as have other governments. How they utilize those groups is a major issue in the security industry, as well as the political realm right now.
Kaspersky emphasized that he believes world governments will have to sit down together eventually and hash out the issue of cyber weapons and whether they should be used at all.
“Governments sooner or later will talk to each other and agree not to use cyber weapons,” he said.
Kaspersky also said he’s concerned about the erosion of trust in the Internet and its components that has resulted from the leaks of NSA intelligence-gathering methods in the last year. He said he can see a situation in which various nations use the revelations as a justification for fragmenting the Internet.
“I’m afraid that nations, because of this trust erosion, will invest more in national segments of the Internet. That’s good for local companies but I’m afraid the international evolution of cyberspace will slow down,” he said. “I don’t like this. It’s a bad idea to fragment the Internet and increase distances between nations. I’m afraid this is a very, very bad idea.”
Hackers broke into at least 34 servers belonging to Comcast yesterday, dumping what appears to be a list of the company’s mail servers, passwords and a link to the root file that contains the vulnerability they used to penetrate the system.
The hacktivist collective NullCrew, which has claimed responsibility for hacks of a handful of corporations over the years, including Sony, PayPal, Orange Telecom and Ford, took credit for the attack against Comcast Wednesday on its official Twitter handle, @NullCrew_FTS.
“Fun Fact: 34 Comcast mail servers are victims to one exploit,” the group boasted yesterday afternoon before posting a Pastebin document full of leaked information as proof.
The compromised mail servers apparently run on Zimbra, a groupware email server and client suite whose Lightweight Directory Access Protocol (LDAP) directory service was the target of the attack.
NullCrew was able to exploit a local file inclusion (LFI) vulnerability in LDAP to secure access to the credentials and passwords.
An LFI vulnerability lets an attacker make a web application read, or include and execute, files that already exist on the server by supplying a file path through a script parameter; in PHP applications that can mean running attacker-chosen PHP code. OWASP’s definition notes that the flaw arises when sites accept user-supplied input without proper validation, something Comcast is apparently guilty of.
Through the vulnerability, NullCrew was able to access localconfig.xml, a file that contains Comcast LDAP administrative credentials, including LDAP passwords and credentials for MySQL and Nginx.
With that information, the attackers could make an API call and then escalate privileges, according to a chat log between two hackers familiar with the vulnerability, _MLT_, formerly of TeaMp0isoN, and C0RPS3, also formerly of TeaMp0isoN and now with NullCrew. The log dates from a few weeks ago and was posted today.
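The file-inclusion weakness described above, as an added example that is not Comcast’s, Zimbra’s or NullCrew’s code: a hypothetical web handler that joins an unvalidated `template` parameter onto a directory, its hardened counterpart, and a check that flags traversal attempts in constructed access-log lines. The directory layout, the parameter name, the placeholder config file and the log lines are all assumptions made for the demonstration.

```python
# Local file inclusion: the unvalidated lookup beside a hardened one.
# Added example, not Zimbra's or Comcast's code; the web app, its
# `template` parameter, the config file and the log lines are constructed.
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a config file holding credentials (no real values)
SAMPLE_CONFIG = '<localconfig><key name="ldap_root_password">PLACEHOLDER</key></localconfig>'

def make_sandbox():
    """Throwaway tree: <root>/app/templates is the directory the app is
    meant to serve from; <root>/conf/localconfig.xml must stay unreachable."""
    root = Path(tempfile.mkdtemp())
    (root / "app" / "templates").mkdir(parents=True)
    (root / "app" / "templates" / "default.txt").write_text("default template")
    (root / "conf").mkdir()
    (root / "conf" / "localconfig.xml").write_text(SAMPLE_CONFIG)
    return root

def include_vulnerable(root, template):
    """The LFI pattern: the request parameter is joined straight onto the
    template directory, so '../' segments walk out of it."""
    path = os.path.join(root, "app", "templates", template)
    with open(path) as fh:
        return fh.read()

def include_hardened(root, template):
    """Reject anything that is not a plain file name, then canonicalise and
    confirm the result is still inside the served directory (covers symlinks)."""
    base = (Path(root) / "app" / "templates").resolve()
    if not template or "/" in template or "\\" in template or template.startswith("."):
        raise ValueError("invalid template name")
    target = (base / template).resolve()
    if base not in target.parents:
        raise ValueError("path escapes template directory")
    return target.read_text()

# Markers an access-log review would look for (plain and URL-encoded forms)
TRAVERSAL_MARKERS = ("../", "..\\", "%2e%2e", "..%2f", "..%5c")

def flag_traversal(log_lines):
    """Return the log lines whose request contains a directory-traversal marker."""
    return [line for line in log_lines
            if any(m in line.lower() for m in TRAVERSAL_MARKERS)]

# Constructed access-log lines for the demo; hosts, times and sizes are made up
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Feb/2014:14:02:11 +0000] "GET /ui?template=default.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Feb/2014:14:02:13 +0000] "GET /ui?template=../../conf/localconfig.xml HTTP/1.1" 200 2048',
    '10.0.0.9 - - [05/Feb/2014:14:02:15 +0000] "GET /ui?template=..%2F..%2Fconf%2Flocalconfig.xml HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    root = make_sandbox()
    print("vulnerable:", include_vulnerable(root, "../../conf/localconfig.xml")[:31])
    try:
        include_hardened(root, "../../conf/localconfig.xml")
    except ValueError as err:
        print("hardened:", err)
    print("flagged:", len(flag_traversal(SAMPLE_LOG)), "of", len(SAMPLE_LOG))
```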
The hack is the second that NullCrew has taken credit for in the past week, following telecom company Bell Canada’s announcement that it was breached on Sunday and that more than 22,000 usernames, passwords and some credit card numbers belonging to the phone company’s small business customers had been leaked.
While Bell acknowledged the breach over the weekend, blaming it on an Ottawa-based third-party supplier, NullCrew publicized the company’s insecurities in mid-January, even posting a warning it issued to a company support representative about the vulnerabilities. NullCrew delivered on Saturday, posting a link on Twitter to a Pastebin document, since deleted, full of Bell customer data.
While user information, including five valid credit card numbers, was breached in the Bell attack, Comcast customer information is not expected to be implicated in yesterday’s attack.
Requests for comment directed to Comcast, which has not yet made a public statement about the hack, were not immediately returned on Thursday.
February’s Microsoft Patch Tuesday promises to be a relatively straightforward set of bulletins, but more noteworthy is that it’s the same day Microsoft officially deprecates the MD5 hash algorithm.
In a change announced last August, Microsoft will officially restrict the use of digital certificates with MD5 hashes issued under roots in the Microsoft root certificate program. The update rolls out on Tuesday, but Windows administrators have had six months to download and test it to determine whether it would affect other areas of their infrastructure.
Microsoft said in August that the change applies only to certificates used for server authentication, code signing and time stamping. Microsoft also said it would not block other uses of MD5, and that it would allow for signed binaries that were signed before March 2009.
The general recommendation is that companies move to a stronger algorithm such as SHA2 or better. MD5—and SHA1—have been broken for some time. Weaknesses in MD5 go back to the mid-1990s and collisions were identified in 2005.
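A check for the policy described above, added here and not Microsoft’s own tooling: it pulls the signature-algorithm OID out of a DER certificate with a minimal ASN.1 reader and applies the stated rule (MD5 refused for server authentication, code signing and time stamping, with binaries signed before March 2009 still accepted). The stand-in certificates and the usage labels are constructed for the demonstration.

```python
# Added example, not Microsoft's tooling; the certificates are constructed below.
from datetime import datetime
# Signature-algorithm OIDs (RFC 3279 / RFC 4055), dotted form -> name
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
BLOCKED_ALGS = {"md5WithRSAEncryption"}      # what Tuesday's update restricts
RESTRICTED_USES = {"server_auth", "code_signing", "time_stamping"}  # hypothetical labels
LEGACY_CUTOFF = datetime(2009, 3, 1)         # binaries signed earlier stay trusted

def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID content octets -> dotted string (base-128, high bit = continue)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded certificate."""
    _, cert, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE {
    _, _, after_tbs = _tlv(cert, 0)          #   tbsCertificate (skipped),
    _, alg_id, _ = _tlv(cert, after_tbs)     #   signatureAlgorithm ::= SEQUENCE {
    tag, oid, _ = _tlv(alg_id, 0)            #     OBJECT IDENTIFIER, parameters }
    if tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(oid)

def blocked(der, usage, signed_on):
    """Stated rule: MD5 refused for the restricted uses, except code signed before March 2009."""
    name = SIG_OIDS.get(signature_algorithm(der), "unknown")
    if name not in BLOCKED_ALGS or usage not in RESTRICTED_USES:
        return False
    if usage == "code_signing" and datetime.fromisoformat(signed_on) < LEGACY_CUTOFF:
        return False
    return True

def _der(tag, content):
    """Encode one short-form DER TLV (content under 128 bytes, enough here)."""
    return bytes([tag, len(content)]) + content

def _encode_oid(dotted):
    """Inverse of _decode_oid, used only to build the sample certificates."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def sample_cert(sig_oid):
    """Constructed stand-in, not a real certificate: empty tbsCertificate + dummy signature."""
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00" + b"\xaa" * 16))
```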
As for Tuesday’s security bulletins, two of the five are rated critical by Microsoft because they are remote-code execution bugs in Windows and Microsoft security software. The other three bulletins are rated important and resolve privilege escalation, information disclosure and denial-of-service flaws in Windows and .NET.
The critical Windows bulletin affects Windows 7, Windows Server 2008 R2, Windows 8 and 8.1, Windows Server 2012 and 2012 R2, as well as Windows RT and RT 8.1. The other critical bulletin affects Microsoft Forefront Protection 2010 for Exchange Server.
“Given a remote code execution in a perimeter service like Forefront, I’d have to say that this is the highest priority patching issue this month. The second is, not surprisingly, the critical in Windows 7 and later,” said Ross Barrett, senior manager of security engineering at Rapid7. “The other three issues are all of lower risk and likely lower exploitability, ranging from information disclosure to denial of service and elevation of privilege. Not to be ignored, but should be of slightly less concern than remote critical vulnerabilities.”
Tyler Reguly, manager of security research at Tripwire, said the Forefront bug is worth watching.
“While I wouldn’t expect the software to have a huge user base, vulnerabilities affecting email security can be particularly dangerous especially when you consider the current number for phishing and email malware attacks,” Reguly said.
Two of the important-rated bulletins affect Windows all the way back to XP; the other affects Windows 8 and later. Windows XP support ends April 8.
What’s missing this month is a cumulative rollup for Internet Explorer, the first time in close to a year that Microsoft has not issued patches for its browser.
“This month is a very Windows-centric month and, once again, there’s no IE patch in sight,” said Tripwire’s Reguly. “Given the frequency of browser vulnerabilities and how often they are patched, the length of time we’ve gone without an IE patch is rather worrisome.”
Color Twitter unimpressed with the Justice Department ruling that eased a gag order on technology companies and service providers with regard to the reporting of FISA orders and National Security Letters.
Twitter released a transparency report today on government and law enforcement requests for account information, content removal, and DMCA takedown notices. While the reports show a definite increase in government requests for user account information and content, Twitter chose not to report FISA orders, which is unlike what Google, Facebook, Microsoft, LinkedIn and Yahoo did this week.
“While this agreement is a step in the right direction, these ranges do not provide meaningful or sufficient transparency for the public, especially for entities that do not receive a significant number of – or any – national security requests,” said Twitter manager of global legal policy Jeremy Kessel.
Kessel called the Justice Department ruling a step in the right direction for enhanced transparency between technology companies that manage reams of user data and their customers, but said the ranges of 1,000 requests these companies are allowed to disclose still does not provide sufficient transparency for Twitter’s liking.
“Allowing Twitter, or any other similarly situated company, to only disclose national security requests within an overly broad range seriously undermines the objective of transparency,” Kessel said. “In addition, we also want the freedom to disclose that we do not receive certain types of requests, if, in fact, we have not received any.”
Twitter and the other leading technology and services companies spent much of last summer petitioning the Obama administration and filing lawsuits seeking the right to disclose specifics on requests for customer data related to national security. Those demands were rebuffed until last week when the Justice Department, acting on a directive from the White House related to NSA surveillance changes, bent and offered companies two reporting options. The companies, in turn, dropped their related lawsuits.
The first option brings FISA reporting in line with reporting of National Security Letters in that companies will be able to report the number of FISA orders for content, non-content, as well as the number of customer accounts affected for each in bands of 1,000 requests. The reporting restrictions around National Security Letters were eased last summer and companies are allowed to similarly bundle their reporting.
Reports may be published every six months; however, reporting on national security orders issued against data collected by new company products and services must be delayed two years.
The second option allows companies to report all national security requests, NSLs or FISA orders, and the number of customer accounts affected with exact numbers up to 250 requests, and thereafter in bands of 250.
Kessel said the restrictions infringe on the companies’ First Amendment rights to free speech.
“We believe there are far less restrictive ways to permit discussion in this area while also respecting national security concerns,” he said. “Therefore, we have pressed the U.S. Department of Justice to allow greater transparency, and proposed future disclosures concerning national security requests that would be more meaningful to Twitter’s users. We are also considering legal options we may have to seek to defend our First Amendment rights.”
As for today’s report, which excludes national security-related requests, the number of overall worldwide requests for the last two years since Twitter has published these reports has climbed 66 percent. The U.S. government accounts for 59 percent of the requests to Twitter.
For the last six months of 2013, Twitter received 1,410 account information requests, most of those related to criminal investigations; 833 of those came from the U.S. government on 1,323 accounts. Twitter complied and provided information in 69 percent of those requests. Overall, it complied with 50 percent of the requests worldwide.
Content removal requests jumped sharply to 365, up from 60 over the first six months of 2013.
PUNTA CANA–The term APT often is used as a generic descriptor for any group–typically presumed to be government-backed and heavily financed–that is seen attacking high-value targets such as government agencies, critical infrastructure and financial systems. But the range of targets APT groups are going after is widening, as are the levels of talent and financing these groups possess.
One reason for this evolution is that the amount of money that’s required to get into the APT game is no longer prohibitive. Whereas once an aspiring APT crew might need hundreds of thousands or millions of dollars in backing, depending upon their target list and timeline, now smaller, more agile groups can get in on the action for a fraction of that cost.
“The cost of entry for APT is decreasing,” said Costin Raiu, head of the Global Research and Analysis Team at Kaspersky Lab, in a talk on the threat landscape at the company’s Industry Analyst Summit here Thursday. “We’re going to see more surgical strikes and critical infrastructure attacks.”
One example of this phenomenon is the Icefog group. Discovered last fall, the Icefog attackers targeted a variety of organizations and government agencies in Japan and South Korea and researchers believe the group comprised a small number of highly skilled operators who went after select targets very quickly. Raiu estimated that the Icefog campaign probably required an investment of no more than $10,000. By comparison, he said that the NetTraveler campaign likely cost about $500,000, while Stuxnet was in the range of $100 million.
“Icefog is special because it indicates a new trend of cyber mercenaries, maybe five to ten people that are highly skilled,” Raiu said. “They knew what documents they wanted to steal from each machine and they spent only a few minutes on each machine.”
The massive investment required to create, test and deploy the infamous Stuxnet malware, Raiu said, should not be seen as the ceiling for such APT tools.
“If you’re thinking that’s a lot of money, it’s not,” Raiu said. “It’s the cost of several missiles.”
Missiles, of course, can only be used once; APT tools can be deployed any number of times, and by a wide variety of attackers. It’s often the case that tools written by a high-level group will eventually trickle down through the ranks and be used by less-skilled attackers as time passes. That’s part of the democratization process in the attacker community and it’s only going to accelerate.
Dennis Fisher talks with Jeremiah Grossman, the new interim CEO of WhiteHat Security, about taking on the new role, how things have changed since he was CEO 10 years ago and what the biggest challenges will be.
http://threatpost.com/files/2014/02/digital_underground_143.mp3
Image via @biatch0’s Flickr photostream, Creative Commons
Google has announced it will retool its bounty program and extend its scope to include Chrome apps and extensions branded as “by Google,” including extensions tied to popular products such as Gmail and Hangouts.
According to a post by Google’s Michal Zalewski and Eduardo Vela Nava on the company’s Online Security blog yesterday, the rewards will depend on the permissions and data each extension handles, and the rewards should range from $500 to $10,000.
The move is being done to make sure efforts to keep the extensions secure are rewarded accordingly, something Google believes is relatively easy, providing the company’s security guidelines are followed.
Chrome extensions such as Google Calendar, Google Dictionary, Speed Tracer and Tag Assistant should also fall under Google’s new bounty program.
The two also used the blog to announce that Google has upped the amount of money it will pay to those who contribute to patches for open source projects.
Google announced the experimental rewards program in October in hopes of garnering more insight from the developer community and as a way to improve its Chrome OS and Chrome browser. The program encourages developers to point out bugs in open source projects that are supplemental to Google such as Apache, OpenSSH, OpenSSL and some parts of the Linux Kernel.
Initially the rewards ranged from $500 to $3,133.70.
Now vulnerabilities found in those projects will fetch up to $10,000 for complicated, high-impact improvements, $5,000 for moderately complex patches and between $500 and $1,337 for simple submissions, according to the blog.
These programs continue to be “critical to the health of the internet in recognition of the painstaking work that’s necessary to make a project resilient to attacks,” according to Nava and Zalewski.
Google’s bug bounty programs have become some of the most successful of their kind. Last summer, the Mountain View firm upped the amount of money it paid out for cross-site scripting vulnerabilities and bugs in Chromium. The company also announced last summer that it had paid out $2 million in rewards since the program’s inception, a figure that has almost certainly jumped since then.
Per usual, interested parties can submit vulnerabilities to Google via a form on its website.
A damning report on the security of government computers paints an unflattering picture of lax or non-existent patching efforts, poor password policies, configuration errors and a general lack of confidence that exposes critical services and systems to attack.
The report, “The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure,” was released yesterday by Oklahoma Republican Sen. Tom Coburn, the ranking member of the Homeland Security and Governmental Affairs Committee. Coburn reiterated the risks to financial markets, emergency response and individuals’ information posed by the security issues brought to light in the report—the majority of which can be addressed with basic information security hygiene.
“While politicians like to propose complex new regulations, massive new programs, and billions in new spending to improve cybersecurity, there are very basic – and critically important – precautions that could protect our infrastructure and our citizens’ private information that we simply aren’t doing,” Coburn said.
Coburn pointed the finger at the White House for not holding the agencies accountable for proper cybersecurity policies and enforcement. The report referenced President Obama’s Executive Order, signed one year ago, which promised the government and private sector would collaborate on the directive to secure commercially owned critical infrastructure networks.
“It is appropriate for the White House to envision a federal role in protecting privately-owned infrastructure, particularly when that infrastructure undergirds the nation’s economy and society,” Coburn’s report said. “However, for the country’s citizens and businesses to take the government’s effort seriously, the federal government should address the immediate danger posed by the insecurity of its own critical networks.”
A good amount of ire in the report, which was built on data collected from 40 audits, interviews and reports on government systems at a dozen agencies, was reserved for DHS, which in 2010 was tasked with leading the effort to secure government computers.
Despite that responsibility, the White House Office of Management and Budget last year rated DHS below the government-wide agency averages for use of up-to-date antivirus software and other automated detection programs, and for email encryption and security awareness training. It also failed to reach a goal of sending 95 percent of DHS internet traffic through Trusted Internet Connections (TICs), sending only 72 percent.
Two years ago, computers at the National Protection and Programs Directorate (NPPD), which houses DHS cybersecurity, were below proper patching levels and were protected by weak passwords. FEMA and ICE immigration servers had missing patches, and Web applications were also vulnerable to remote attacks. In addition, physical security no-no’s were reported, including a number of passwords found written down on desks, unlocked desks, unlocked laptops, and even credit cards left on desks.
DHS was not alone in its troubles. The Nuclear Regulatory Commission had many of the same password and patching weaknesses, but the report points out a general lack of confidence in NRC’s IT staff. Business owners were buying their own computers and setting up their own networks inside agency offices. Workers were also storing data on nuclear facilities’ cybersecurity programs on unsecured shared drives.
“Just about every aspect of that process appears to be broken at the NRC,” the report said. “Problems were identified but never scheduled to be fixed; fixes were scheduled but not completed; fixes were recorded as complete when they were not.”
Computers at the Internal Revenue Service, which arguably stores the most sensitive information on just about every adult in the United States, have been vulnerable to the same weaknesses year after year since 2008, the report said. The General Accounting Office, for example, identified 100 vulnerabilities on IRS machines, including a lack of encryption on data transmitted between offices over the Internet.
The Department of Education, which manages $948 billion in student loans, is vulnerable to remote attack on systems accessible to remote workers. The report also identified lax investigations by the department into reported compromises of accounts; only 17 percent of cases were reviewed. In addition, the department was flagged for weak network monitoring and security to the point where hackers were able to set up a rogue connection on the agency’s network behind the firewall.
The Department of Energy, which suffered two intrusions last year resulting in the theft of personal information on past and present government and contract employees, was another offender. The report cites an audit of the Western Area Power Administration, which handles power needs for 15 states in the central and western parts of the U.S. All 105 computers tested in the audit lacked proper patching; the audit also found public-facing servers configured with default credentials, and vulnerability scanning of systems had been curtailed so as not to impact the performance of services running on those machines.
The Securities and Exchange Commission was not left out. The report said employees were using personal email accounts, including web-based programs such as Gmail, to send information to and from financial institutions. Laptops storing sensitive information were unencrypted and lacking antivirus software. Laptops belonging to the Trading and Markets team dedicated to cybersecurity contained information on vulnerabilities in exchange computers, as well as networking maps that could have facilitated hacks, the report said.
“The investigation also found that members of the team took work computers home in order to surf the web, download music and movies, and other personal pursuits,” the report said. “They also appeared to have connected laptops containing sensitive information to unprotected Wi-Fi networks at public locations like hotels—in at least one reported case, at a convention of computer hackers.”