Threatpost for B2B
The Federal Election Commission (FEC), the government agency that keeps track of money raised each term by candidates and political action committees, is highly vulnerable to intrusions and data breaches, according to a recent audit that discovered “significant deficiencies” in the FEC’s IT security program.
The concerns stem from an audit (.PDF), administered earlier this month by Maryland-based Leon Snead & Company, that surfaced online this week.
The report notes the FEC must “fundamentally change its governance and management approach and adopt a risk-based IT security program” that meets the best practices laid out by the National Institute of Standards and Technology (NIST).
The audit calls out the FEC for only following NIST best practices “when applicable” and is urging the agency to be more like the Government Accountability Office (GAO), which like the FEC is technically exempt from the Federal Information Security Management Act (FISMA), but still adheres to NIST’s guidelines.
The FEC has asserted that it makes its own discretionary decisions on when to implement “government-wide IT security requirements,” yet the audit, which covered the FEC’s fiscal year ending September 2013, failed to find any semblance of a security review policy at the agency.
The audit follows news earlier this month that Chinese hackers thoroughly compromised the FEC’s networks during the United States government shutdown in October.
Those revelations came in the form of a six-month study by the Center for Public Integrity that culminated in an in-depth report on December 17.
While the China hacks aren’t addressed in the audit, they are corroborated when the report acknowledges that servers “have been penetrated at the highest levels of the agency.”
The audit brings up a few other times the agency was attacked, including an occasion in May 2012 when a commissioner’s account was compromised and the computer was infected with malware for an eight-month period. That intrusion could have given attackers access to subpoenas, reports and sensitive financial information but the agency was never able to verify whether any data was stolen.
Outside contractors analyzed the attack in October 2012 and even gave the FEC guidance on how to eliminate future threats, yet one year later the audit found that the agency still hadn’t gotten the ball rolling on implementing the bulk of the recommendations.
The audit gets into a slew of other security concerns for the agency before it’s through, including poor password management (many users have been granted non-expiring passwords) and the agency’s depreciated vulnerability scanning program. Consultants are urging the FEC to address all of the issues in the coming new year.
Researchers demonstrated yesterday at the Chaos Communication Congress in Hamburg that they could write arbitrary code onto various SD memory cards, a hack that could give attackers the ability to perform man-in-the-middle attacks on devices housing the cards, as well as give users access to an inexpensive source of powerful and programmable microcontrollers.
Sean Cross, who goes by the hacker handle of xobs, and Dr. Andrew Huang, aka Bunnie, focused on managed flash devices including microSD, SD, MMC, eMMC, and iNAND devices. These are generally soldered onto the mainboards of smartphones for the purpose of storing operating system and other private user data, according to Huang. Similar vulnerabilities exist in related USB flash drives and SSDs.
More specifically, the researchers examined Appotech’s AX211 and AX215 products.
Flash memory has a number of performance issues, but it’s also inexpensive: 0.1 nanodollars per bit, to be exact. Huang claims that flash memory devices almost always contain bad memory blocks. The manufacturers work around this problem by implementing computational error correction algorithms that essentially create the illusion of perfect data to the user.
Huang explained at the conference that with flash memory you are not really storing your data; what you are storing is a probabilistic approximation of your data.
“The illusion of a contiguous, reliable storage media is crafted through sophisticated error correction and bad block management functions,” Huang explained in a related blogpost. “This is the result of a constant arms race between the engineers and mother nature; with every fabrication process shrink, memory becomes cheaper but more unreliable. Likewise, with every generation, the engineers come up with more sophisticated and complicated algorithms to compensate for mother nature’s propensity for entropy and randomness at the atomic scale.”
Problematically, the algorithms that create this illusion are highly customized depending on the quality of the flash memory in each chip. Because of this, the manufacturers can’t correct the imperfections at the operating system or application level. Instead, they install fairly powerful microcontrollers onto each flash memory device. In this case, the researchers worked with Intel 8051 microcontrollers.
“It’s probably cheaper to add these microcontrollers than to thoroughly test and characterize each flash memory chip,” Huang wrote, “which explains why managed flash devices can be cheaper per bit than raw flash chips, despite the inclusion of a microcontroller.”
The quality of flash memory chips varies widely from chip to chip. Sometimes companies build the chips with high-quality, new silicon. Sometimes the companies build flawed chips with recycled parts. In either case, these computational error correction algorithms are designed to make up for whatever level of deficiencies are present in the chips.
As the researchers said in their demo, if a company has a 16 GB flash SD card with 14 GB of bad memory blocks, then the manufacturer will apply their ECC algorithm, determine where the bad blocks are located, and sell the chip as a 2 GB SD card.
These microcontrollers must be able to handle vast numbers of hardware abstraction layers in order to accept firmware updates and ultimately process the unique algorithmic requirements of each flash implementation, especially for cases where third parties are handling the chips.
Huang and Cross discovered they could send a “knock” sequence with a manufacturer-designated command they found on a spec-sheet after searching around on the Chinese search engine Baidu. The command itself, followed by ‘A.P.P.O’ (the first four letters of Appotech) initiated the firmware loading mode on the chip. Once that process began, the chip would accept 512 bytes and run that data as code.
In other words, the maker of these particular chips, and likely a whole slew of others, is not adequately securing the firmware update process.
From this point, the researchers reverse engineered the 8051 controller and managed to build new applications for the controller without access to the manufacturer’s documentation.
“Most of this work was done using our open source hardware platform, Novena, and a set of custom flex circuit adapter cards (which, tangentially, led toward the development of flexible circuit stickers aka chibitronics),” Huang explained on his blog.
The controllers also process SD commands with interrupt-driven callbacks, which the researchers claim are an ideal location to perform man-in-the-middle attacks. These attacks, Huang says, would be difficult to detect because there is no standard protocol to inspect the contents of the code running on these microcontrollers.
“Those in high-risk, high-sensitivity situations should assume that a ‘secure-erase’ of a card is insufficient to guarantee the complete erasure of sensitive data,” Huang warns. “Therefore, it’s recommended to dispose of memory cards through total physical destruction (e.g., grind it up with a mortar and pestle).”
In terms of practical attacks, the vulnerability could offer an attacker the ability to eavesdrop. For example, an attacker could program a chip to report a smaller data capacity than the actual capacity of the chip. While a seller of counterfeit chips may want to do the opposite (have the chip report a capacity larger than the actual capacity), a would-be eavesdropper may want to keep a user in the dark about the chip’s full storage capacity in order to sequester data in hidden, non-erasable sections of the chip. A chip with more storage than advertised could be programmed to secretly copy all its data to a hidden store that would be nearly impossible to remove from the chip other than by physically destroying it.
During the demo, Huang also warned of a potential time-of-check-to-time-of-use attack. A knowledgeable attacker could present one version of a file for verification and a totally different (read: malicious) file for execution. An attacker could also perform selective modification attacks, swapping secure random number generators, binaries, or keys for unsecured ones.
On a less malicious note, Huang writes that the research opens up a cheap avenue for hackers and hardware enthusiasts to customize the controllers for their own purposes.
“An Arduino, with its 8-bit 16 MHz microcontroller, will set you back around $20. A microSD card with several gigabytes of memory and a microcontroller with several times the performance could be purchased for a fraction of the price. While SD cards are admittedly I/O-limited, some clever hacking of the microcontroller in an SD card could make for a very economical and compact data logging solution for I2C or SPI-based sensors.”
One of the revelations from the latest Snowden document leaks described how the U.S. National Security Agency was able to intercept Microsoft Windows Error Reporting logs in order to fingerprint machines for potential compromise.
The German publication Der Spiegel says the documents indicated the NSA uses its XKeyscore tool to intercept the Windows crash reports. Making matters worse, the reports are sent unencrypted to Microsoft and Windows machines post-XP have this feature turned on by default. Windows admins must change a Group Policy setting in order to force encryption upon the initial transmission.
Reports of XKeyscore, meanwhile, surfaced in July hours before NSA Director Gen. Keith Alexander delivered the keynote address at the annual Black Hat Briefings in Las Vegas. Whistleblower Edward Snowden shared training materials with The Guardian that instruct agency analysts how to mine the agency’s vast intelligence databases for terrorism targets in the U.S. and abroad.
The crash reports, also known as Dr. Watson reports, are a wealth of system data, similar to what some strains of malware use in targeted attacks in order to identify potential system, network and application weaknesses that can be used to move laterally through an enterprise or government agency network.
Not only are these reports sent when there is a Windows crash, but also when there is a hardware change—and that includes the first-time use of a new USB device, including mobile devices. Researchers at Websense said the reports are sent over HTTP and the information includes the timestamp information, device manufacturer, identifier and revision, along with host computer information such as default language, operating system service pack and update version, hardware manufacturer, model and name, as well as BIOS version and unique machine identifier.
The Der Spiegel report says the NSA’s Tailored Access Operations (TAO) unit, a team of elite and young hackers, will use these identifiers to monitor for system crashes and learn about potential vulnerabilities that can be exploited.
Microsoft has more than one billion PCs on the planet reporting this information, and according to Websense director of security research Alex Watson, 80 percent do so in the clear. The reports aid Microsoft in improving the user experience but also identify bugs in Windows code that need attention. While IT security teams can leverage this information to understand soft spots on their networks, government agencies and nation state attackers can do the same.
“What these crash reports are—when you get enough of them—they create a blueprint of the applications running on a network that could be used by a skilled adversary to develop or deliver very specific attacks with a low chance of getting detected,” Watson said.
These Windows Error Reporting logs are different from the application crash reports that users are familiar with. For example, when Outlook or Internet Explorer crashes, users are presented with a dialog box and have the option of sending a crash report to Microsoft and asking Microsoft to find a solution. The Windows Error Reporting feature is different and is on by default; admins must opt-out of sending them to Microsoft, Watson said.
“This is for hardware changes or plugging in a USB device—which is considered to be a hardware change—it could be a thumb drive, anything you could think of and that will send that information to Microsoft without requiring that user to click ‘Yes,’” Watson said. “That is assuming the default setting [is on]— that you’re participating in the error program.”
Microsoft can reach back to the computer in question for a memory dump or core dump of the application when it crashed in order to further research the problem. Those requests and transmissions are encrypted using TLS 1.1 or 1.2 if available, protecting any sensitive information stored by Windows or an application such as log-in credentials. The first stage, however, is likely sent in the clear for performance reasons, Watson said.
The risk, however, is not necessarily that an attacker is on your computer or that the machine is infected; chances are the attacker has already fingerprinted the compromised machine in order to hack it. Where the data is vulnerable is upstream, as it’s sent between the machine and Microsoft, for example through a proxy or untrusted ISP used by multinational organizations.
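As an added example (not code from the article, Websense or Microsoft), a small detector that runs over constructed proxy log lines and flags first-stage WER reports that left the network over plain HTTP, which is where the article places the exposure; the Squid log layout, the request paths and the watson.microsoft.com endpoint are assumptions:

```python
"""Flag Windows Error Reporting (WER) uploads that leave a network in cleartext.

Added example, not from the Threatpost article. Assumptions: proxy logs in
Squid's native access.log layout, and WER first-stage reports going to
watson.microsoft.com (paths below are constructed, not real WER URLs).
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Hosts assumed to receive the cleartext first-stage report (assumption).
WER_HOSTS = ("watson.microsoft.com",)

# Constructed sample lines in Squid's native layout:
# timestamp elapsed client status/code bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1388361600.101    41 10.0.0.15 TCP_MISS/200 1432 GET http://watson.microsoft.com/StageOne/constructed/crash - DIRECT/203.0.113.10 text/xml
1388361600.220   102 10.0.0.15 TCP_TUNNEL/200 9850 CONNECT watson.microsoft.com:443 - DIRECT/203.0.113.10 -
1388361601.007    12 10.0.0.22 TCP_MISS/200 880 GET http://example.org/index.html - DIRECT/198.51.100.5 text/html
1388361602.330    37 10.0.0.22 TCP_MISS/200 1401 GET http://watson.microsoft.com/StageOne/constructed/usb-change - DIRECT/203.0.113.10 text/xml
1388361603.415    33 10.0.0.22 TCP_MISS/200 1377 GET http://watson.microsoft.com/StageOne/constructed/usb-change - DIRECT/203.0.113.10 text/xml
"""


@dataclass(frozen=True)
class ProxyEntry:
    client: str
    method: str
    url: str


def parse_squid_line(line: str) -> Optional[ProxyEntry]:
    """Pull client address, method and URL out of one native-format line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return ProxyEntry(client=fields[2], method=fields[5], url=fields[6])


def is_cleartext_wer(entry: ProxyEntry) -> bool:
    """True when the request is a plain-HTTP fetch of a WER endpoint.

    CONNECT tunnels are the TLS-protected second stage (memory dumps) the
    article describes, so they are left alone; only scheme http:// counts.
    Subdomains of the listed hosts are matched as well.
    """
    if entry.method == "CONNECT":
        return False
    parts = urlsplit(entry.url)
    if parts.scheme != "http":
        return False
    host = (parts.hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in WER_HOSTS)


def find_cleartext_wer(log_text: str) -> List[ProxyEntry]:
    """Return every proxy entry that carried a WER report in the clear."""
    entries = (parse_squid_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in entries if e is not None and is_cleartext_wer(e)]


def clients_leaking(log_text: str) -> dict:
    """Count cleartext WER uploads per client address, for triage."""
    return dict(Counter(e.client for e in find_cleartext_wer(log_text)))


if __name__ == "__main__":
    for client, n in sorted(clients_leaking(SAMPLE_LOG).items()):
        print(f"{client}: {n} cleartext WER report(s) left the network")
```

A non-zero count means hosts are still on the default setting the article describes; the remedy it points at is the Group Policy change that forces encryption of the first transmission.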
“You would know exactly what applications were running on a network,” Watson said. “You could craft specific exploits or just pick the highest chance of likelihood of success of exploit and get the application and OS environment of your target.”
Watson said he hopes the revelations will raise awareness of the problem, which he believes is low: few IT managers know what the reports contain or that they’re sent in the clear. He also hopes to encourage admins to look at these logs as a tool in the fight against advanced threats and use them as a means of finding indicators that a network has been compromised.
“When you’re executing an attack, there is going to be evidence or collateral damage happening as you move through the network,” Watson said. “You’re forcing a program to crash and then execute code in an order that’s not meant to happen. Exploits generate error report logs, so we’ve been doing a lot of research into error report logs that are indicators of an advanced attack versus IE crashing on a webpage it doesn’t know how to render. This could be the first indicator of an attack.”
Websense said it has reported the issue to Microsoft through its MAPP partner sharing program, and added that it is also working with other vendors on similar reporting weaknesses in other massively distributed applications.
“By no means is Microsoft the only culprit that’s leaking information,” Watson said. “A lot of widely deployed applications, browsers and things like that, are at risk of leaking information.”
Cryptographer, developer and activist Jacob Appelbaum took to the pages of Germany’s Der Spiegel and the keynote dais of the 30th Chaos Communication Congress this weekend to deliver a damning exposé of the catalog of backdoors, monitoring programs and products that have been or could potentially be compromised by the National Security Agency.
Appelbaum’s hour-long keynote, culled from top-secret agency documents provided by Edward Snowden and written about in the German publication, described the scale of surveillance the NSA has and hopes to achieve worldwide.
“Their goal is to have total surveillance of everything they’re interested in. There really is no boundary to what they want to do,” Appelbaum said. “There is only sometimes a boundary of what they are funded to do and the amount of things they are able to do at scale. They seem to do [those things] without thinking too much about it. And there are specific tactical things where they have to target a group or individual, and those things seem limited either by budgets or simply by their time.”
Appelbaum described the intricacies of the agency’s dragnet surveillance system, carried out by an elite team of hackers known as the agency’s Tailored Access Operations unit, or TAO, whose job is to break down or scale digital hurdles standing between the agency and data it wishes to collect, store and analyze. The system is threefold, starting with a passive, deep-packet inspection system known as TURMOIL that feeds data into another system called TURBINE, which turns loose any number of off-the-shelf or zero-day exploits that are injected into a data stream to compromise a vulnerable machine.
At the hub is a third component known as QFIRE that Appelbaum said uses nodes known as diodes to regionally compromise home routers and other available equipment to inject attacks into packets before they reach their destination, exploiting a race condition.
“For these systems to exist, we have been kept vulnerable,” Appelbaum said, referring to the government’s practice of buying vulnerabilities and exploits from brokers under non-disclosure agreements that the vulnerabilities will be kept from the vendor in question and, as a result, never patched. “The NSA has retarded the process by which we secure the Internet because it has established a hegemony of power in secret to do these things.”
Appelbaum also showed top-secret slides and provided information from documents stolen by Snowden while working as an NSA contractor that describe a number of tools used for surveillance, not only to exploit endpoints and networks, but to link contacts between targets, maintain persistence and monitor communication such as phone calls, email and Internet surfing and searches.
Appelbaum also went into more detail about the FoxAcid program, which was first described in October by Bruce Schneier in the pages of the Guardian. FoxAcid matches vulnerabilities found on a particular compromised system with any number of attacks available at the NSA’s disposal. Appelbaum exposed a number of QUANTUM-X tools that include everything from the NSA’s stockpile of zero days, to tools that tamper with security measures such as host-based intrusion detection, to man-on-the-side attacks that exploit the lack of encryption on certain Internet services. He also brought up a program called QUANTUMCOPPER which he equated to the NSA’s version of the Great Firewall of China, except it could interfere with TCP/IP and file uploads and more for the entire planet.
Appelbaum also showed slides describing compromises for server hardware from a number of vendors including Dell and Sun at the BIOS level. He explained the exploits work on a number of platforms, including Windows, Linux, FreeBSD and Sun’s Solaris UNIX OS. By name, he said Dell PowerEdge commodity servers (1850, 1950, 2850 and 2950) are vulnerable to BIOS-level attacks, and HP ProLiant servers are vulnerable to another exploit that enables the agency to siphon data. All of these attacks are possible, he said, because the NSA tampers with hardware either in shipping or via physical access.
Mobile exploits were also among the trove of information in the documents, specifically targeting Apple iOS devices and Windows CE devices that allowed for complete compromise of the phones in question.
Appelbaum said the TAO unit is younger than the average NSA staffer and that the agency has tapped into the geek generation, actively recruiting at hacker conferences such as DefCon, where Director Keith Alexander spoke two summers ago. Appelbaum wrote that the TAO unit has units in five states nationwide.
Their activities, meanwhile, have transformed the agency into the most powerful such organization in the world, Appelbaum said, adding that the majority of U.S. legislators are not skilled enough to adequately discuss and propose solutions.
“Encrypting the Internet ends it all in a sense, but it will come back in another sense,” he said. “We need a marriage of a technical and political solution. We don’t have those two things yet so we’re stuck here. At the moment, I feel the NSA has more power than any one person or agency in the world.”
UPDATE: A Turkish hacking group compromised and defaced over the weekend the website of OpenSSL, an open-source SSL and TLS encryption implementation resource.
The website Zone-H is hosting a mirror of the defacement, in which the hacking group responsible for the attack posted the following message: “TurkGuvenligiTurkSec Was Here @turkguvenligi + we love openssl _.”
OpenSSL posted an advisory on its website yesterday confirming the compromise and announcing that the source repositories are verified and unaffected.
“Initial investigations show that the attack was made via hypervisor through the hosting provider and not via any vulnerability in the OS configuration,” OpenSSL has since written on their site. “Steps have been taken to protect against this means of attack in future.”
Little is known about the hacking group claiming responsibility for the defacement other than that the group is reportedly known as TurkGuvenligi. In the defacement, the group seems to express its support for OpenSSL.
A successful attack targeting OpenSSL is concerning because the core mission of the volunteer-run project is to implement strong encryption for whichever Web properties and services are interested in bolstering their security. If what is known now about the attack remains true, namely that it had no impact on OpenSSL’s code repositories, then it seems that the attack was little more than a site defacement.
“The source repositories have been checked and they were not affected,” OpenSSL wrote. “Other than the modification to the index.html page (which was restored a few minutes after we became aware of the attack) no changes to the website had been made.”
OpenSSL is promising to release more details about the hack once they complete their investigation. We will update this story with any details as they become available.
It’s that most wonderful time of the year, the time when everyone with access to an email machine puts together a list of the best or worst of whatever happened in the last 12 months. In the computer security world, there is no doubt that such a list would find NSA stories in places one through infinity times infinity. So rather than trying to rank the NSA revelations on any sort of scale, we’ve put together an admittedly simplified list of some of the more interesting NSA-related stories to emerge in 2013.
Least Surprising NSA Capability: Breaking/Subverting Crypto
A major part of the agency’s mission since its inception has been the development of cryptographic capabilities, both on the offensive and defensive sides of the fence. In this, it is the technological and logical descendant of the Black Chamber and the Office of Strategic Services, which operated nearly a century ago. Breaking and making ciphers has been a vital part of intelligence for thousands of years, and the advent of computer-based cryptography has had a profound effect on both of those functions. The NSA has been involved in the development of new protocols and cryptosystems for decades and it employs an unknown but presumably rather large cadre of cryptographers and mathematicians who also work on defeating existing systems. There have been suspicions, rumors and dark jokes about the agency having backdoored any number of encryption algorithms and products floating around the security industry for a long time, and some of the most outlandish of those conjectures have now been revealed as truth. The NSA reportedly subverted the development of a random-number generator known as Dual_EC_DRBG that is used in a number of prominent crypto products. That maneuver gave the agency secret access to the affected products, caused RSA to warn developers to use a different RNG and even prompted NIST to issue guidance telling people to avoid Dual_EC_DRBG, too. In addition, the NSA also developed a number of unspecified capabilities to defeat SSL, something that is perhaps even more worrisome. As concerning as these revelations are, they shouldn’t come as much of a surprise, given the NSA’s mission, its massive budget and its highly specialized staff of scientists, cryptographers and security experts. It’s what they do, and they’re really, really good at it.
Most Surprising NSA Capability: Defeating the Collective Security Prowess of Silicon Valley
Some of the earliest leaks to emerge from the Edward Snowden cache described a program called PRISM that granted the NSA “direct access” to networks run by Google, Yahoo, Microsoft and many other companies. That direct access was quickly interpreted to mean that those companies were giving the agency data links to their servers through which the NSA could collect traffic on targets. The affected companies quickly rose up and denied this, and only later was it revealed that “direct access” came in the form of tapping undersea cables that carry unencrypted traffic between data centers around the world. That revelation triggered an immediate response from Google, Microsoft and Yahoo, who said that they would be encrypting that traffic in the near future, and some engineers from Google also had some choice words for the NSA’s in-house hackers. In the words of Google’s Mike Hearn, “The traffic shown in the slides below is now all encrypted and the work the NSA/GCHQ staff did on understanding it, ruined.”
Weirdest NSA Revelation: The Fort Meade Spy Tools Wish Book
The oddest bit of information to come out of the NSA drama was saved for the end of the year. Just this past weekend, Germany’s Der Spiegel reported the existence of an internal catalog of hardware and software tools that the agency can provide. This is the Sears & Roebuck catalog of attack tools. Shoppers, which likely include internal NSA departments as well as other intelligence agencies, can buy malware for infiltrating various firewalls and routers, as well as more exotic products. “Computer bugging devices disguised as normal USB plugs, capable of sending and receiving data via radio undetected, are available in packs of 50 for over $1 million,” Der Spiegel reported. Q would be jealous.
Most Interesting Quotes on the NSA Drama
“Trust the math. Encryption is your friend.” — Bruce Schneier in The Guardian
“Software is almost always broken, but standards — in theory — get read by everyone. It should be extremely difficult to weaken a standard without someone noticing.” — Matthew Green on the subversion of NIST standards
“We need to know what the hell has been going on here…There’s something totally crazy about this.” — journalist Carl Bernstein on the allegations that NSA has monitored the phones of European leaders
“That stealing your stuff thing, we did a lot of that [at the NSA]. Actually, I’d like to think we’re number one. But we stole stuff to keep you safe.” — Michael Hayden, former NSA director, speaking days before the first of the Snowden leaks emerged
“I cannot imagine a more ‘indiscriminate’ and ‘arbitrary invasion’ than this systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying it and analyzing it without judicial approval.” — U.S. District Court Judge Richard J. Leon in a ruling on the NSA metadata program
“We want to demonstrate that we have a front door, that we have transparency and we take it seriously. This is a huge step forward, and there’s more we have to do in terms of pushing information to the press.” — Gen. Keith Alexander, director of the NSA
Most Interesting People to Emerge From the NSA Story: Jacob Appelbaum and Matthew Green
The cast of characters who have been involved in various pieces of the NSA theatrics is staggering. From journalists to politicians to cryptographers to world leaders to judges to systems administrators in Hawaii. Each has played a part in the drama, but the most consistently interesting and informative people involved in one way or another have been Appelbaum and Green. Appelbaum is a long-time fixture in the security community, well-known for his activism on human rights and anonymity. But as part of the analysis of the Snowden documents, he has also written some of the stories on the revelations, including as a co-author of the piece in Der Spiegel on the NSA catalog. Green, a research professor at Johns Hopkins University, has produced some of the more illuminating and thoughtful analysis of the documents, especially when it came to the technical bits involving encryption and the NSA’s capabilities against various protocols and cryptosystems. If you need to know how to think about what’s going on and what it all means, you won’t find better sources than Appelbaum and Green.
Further reading: A Few Thoughts on Cryptographic Engineering
After claiming the makers of SnapChat repeatedly ignored their disclosures over a period of four months, Gibson Security recently published the full details of a pair of bugs in the photo and video sharing application. One could give an attacker the ability to connect phone numbers with usernames on a massive scale, while another could enable the creation of fake accounts.
The researchers claim their exploits impact the latest version of SnapChat on the iOS and Android operating systems.
The so-called “find_friends” exploit essentially gives any logged-in user the ability to enter a random (or not so random) U.S. phone number and figure out if there is a SnapChat account associated with that number.
This is the bug that Gibson Security claims to have disclosed to SnapChat back in August. The researchers claim that SnapChat has done nothing to fix the issue in the meantime.
With a little quick math, the researchers claim they could burn through 292 million standard, U.S.-style phone numbers in a month with their specially made Python script and a virtual server. Whichever of these hundreds of millions of numbers are associated with a SnapChat account would be known to the attacker running the script.
The second exploit, though the researchers claim it is less of an exploit and more an issue with lax registration controls, could allow anyone to create an account with two simple requests: “/bq/register” and “/ph/registeru.”
Gibson Security researchers told ZDNet that malefactors could potentially use the second, mass registration exploit to create thousands of accounts in order to disseminate spam and other bad things.
Regarding the friend finding exploit, they also told ZDNet’s Violet Blue, who broke the story on Dec. 25, that an attacker could leverage the very public SnapChat API along with their exploit to easily pair registered numbers and the usernames associated with them, whether or not those user accounts are private.
SnapChat is a photo and video sharing service whose selling point is that shared photos and videos are ephemeral. Once a ‘Snap’ is opened by the recipient, it is viewable for ten or so seconds before disappearing forever. Because of this, SnapChat is reputedly used as a mechanism for sharing lewd photos. Of course, the claim that the photos are only temporarily viewable is dubious at best. Recipients can easily take a screenshot of a snap and there are even applications that allow recipients to save snaps altogether. Beyond that, reports emerged in October that the company was sharing data with law enforcement when compelled to do so, further straining the claim that all photos are deleted.
A federal court today shot down a challenge by the American Civil Liberties Union (ACLU) to the National Security Agency’s bulk phone metadata collection program, determining that the spy agency’s actions are legal.
The ruling by U.S. District Court judge William Pauley contradicts a Dec. 16 D.C. District Court ruling that the collection program likely violated the Fourth Amendment.
Pauley’s ruling today was framed in the context of changes made to intelligence gathering post-Sept. 11, and the need to find terrorists among streams of disconnected data.
“This blunt tool only works because it collects everything,” Pauley wrote. “If plumbed, such data can reveal a rich profile of every individual as well as a comprehensive record of people’s associations with one another.”
The challenge was filed by the ACLU in June shortly after the first documents taken by NSA whistleblower Edward Snowden were published and reported on in the Guardian. Since then, the depths of NSA surveillance have been revealed, including a dragnet that sweeps up not only foreign intelligence, but connections to those targets in the U.S., including Americans with no suspected ties to terrorism.
The NSA has also been accused of subverting the development of encryption standards, tapping connections between data centers hosted by large Internet providers such as Google and Yahoo, and having direct access to data housed at ISPs, among many other revelations.
Judge Pauley said in his ruling that the Snowden revelations of Foreign Intelligence Surveillance Court orders have stirred not only public debate but litigation. He found the telephony metadata program to be lawful, with a caveat.
“The question of whether that program should be conducted is for the other two coordinate branches of government to decide,” he wrote.
The ACLU filed its suit on June 11 seeking a preliminary injunction to halt bulk collection; the suit, which was subsequently dismissed today, named Director of National Intelligence James R. Clapper, NSA Director Keith Alexander, Secretary of Defense Charles Hagel, Attorney General Eric Holder and others.
“There is no evidence that the Government has used any of the bulk telephony metadata it collected for any purpose other than investigating and disrupting terrorist attacks,” Pauley wrote in his ruling. “While there have been unintentional violations of the guidelines, those appear to stem from human error or the incredibly complex computer programs that support this vital tool. And once detected, those violations were self-reported and stopped.”
The ruling two weeks ago that declared the program likely violated the Fourth Amendment granted a preliminary injunction barring the collection of data belonging to two individuals who asserted the NSA collection program violated their expectation of privacy.
The ruling issued by Judge Richard J. Leon of the U.S. District Court for the District of Columbia prevented the NSA from collecting any more records pertaining to defendants Larry Klayman and Charles Strange and also required the agency to destroy any records it already has relating to those two Verizon customers. Leon also stayed his injunction pending an appeal by the government.
“I cannot imagine a more ‘indiscriminate’ and ‘arbitrary invasion’ than this systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying it and analyzing it without judicial approval,” Leon wrote in his ruling.
Target confirmed this morning that encrypted PIN data was stolen in the Black Friday data breach that exposed 40 million accounts to fraud.
Spokesperson Molly Snyder said the ongoing forensics investigation confirmed that PIN data was accessed as well, contrary to previous claims made by the retail giant.
“We remain confident that PIN numbers are safe and secure,” Snyder said in a statement. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”
The breach was reported Dec. 18 by website Krebs on Security and the company later confirmed that hackers had access to the company’s network starting the day before Thanksgiving until Dec. 15.
Since the breach, further reports from blogger Brian Krebs have surfaced that debit and credit card numbers stolen from Target have been seen for sale on underground forums by the millions. Krebs identified one such underground retailer as Rescator, a cards dealer operating on a Russian forum lampeduza[.]la.
The fear is that if the attackers have the PIN data and are able to crack the encryption securing those credentials, they will be able to clone debit cards and steal money from ATM machines.
Target, meanwhile, said it does not have access to the encryption key used to secure the PIN data, nor was it stored on its systems.
“The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor,” Snyder said. “What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.”
Snyder said PIN data is encrypted at a retail location’s keypad with Triple-DES encryption and that data remains encrypted over the wire until it reaches its payment processor. Attackers would have to have compromised the point-of-sale system and intercepted the PIN data before it is encrypted in order to have accessed it.
“The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken,” Snyder said.
Target has also brought in the U.S. Secret Service and U.S. Dept. of Justice to investigate the breach, along with an unnamed third-party computer forensics firm. On Monday, state attorneys general met via conference call with Target general counsel Tim Baer and plan a follow-up call Jan. 6. The state AGs were made aware of a number of phishing and other scams in circulation regarding stolen Target data and informed consumers that Target will launch a dedicated resource on its corporate website that will host information pertinent to the breach.
The breach affects only those customers who shopped at physical Target locations, though consumers nationwide are affected; online shoppers at Target.com apparently are not impacted. The attackers made off with track data, the personal information stored on the magnetic stripes of payment cards.
Reuters, meanwhile, reported on Tuesday that Santander Bank and JPMorgan Chase lowered the limits on how much cash can be withdrawn from ATMs, an indication, experts said, that the PINs were stolen as well.
EBay is vulnerable to a hack that would allow an attacker to hijack an account and make unauthorized purchases from the victim’s account that would be difficult to disprove.
The vulnerability was discovered and reported to eBay in August, and despite three separate communications from the online auction and marketplace that the code in question was repaired, the site remains susceptible to exploit.
U.K. consultant Paul Moore of Cresona Corp., the same researcher who reported a serious issue with the Santander Group online and mobile banking applications, found the vulnerability and submitted details to eBay nearly five months ago. Threatpost requested comment from eBay on Tuesday, but that email was not answered.
“I’ve given up asking eBay. The intention now is to raise awareness with as many people as possible,” Moore said via email. “The addition of one-click payments via Paypal means it’s now more urgent than ever, as attackers can use linked Paypal accounts to purchase goods, even without knowing the user’s Paypal username or password. With the initial exploit being carried out by the affected user’s PC, it’d be difficult to disprove they weren’t responsible for any action which followed.”
Moore’s initial communication to eBay was Aug. 5 and the last Nov. 16, reporting again that the site remains vulnerable to cross-site request forgery (XSRF) despite eBay’s insistence the issue was resolved. His exploit allows an attacker to change the victim’s contact information, including address and phone number, and then use a loophole in the password reset process to redirect the reset to the contact information entered by the attacker.
“Absolutely nothing has changed. There are no CSRF tokens in the headers, DOM or cookie jar, so the original exploit from four and a half months ago still works,” Moore said, adding that another software engineer, Scott Helme, tested the exploit and his account details were changed so that Moore could have logged in as his friend.
Moore’s exploit does not require local access to work. A victim would just need to be lured to a website hosting the exploit via a link on eBay or social media, or in an email; Moore’s hack looks for an active eBay session, otherwise it fails.
If the victim does have an open eBay session, Moore’s attack, called XSRF Router, exploits the XSRF vulnerability and delivers a payload that changes the user’s address, zip code and phone number in order to request a password reset without ever needing the user’s original log-in credentials. Cross-site request forgery attacks exploit the trust a website has in a user’s browser, which stores cookies in order to verify a user’s identity and maintain a log-in. EBay’s profile update form lacks a particular field that, when paired with an active cookie, makes it vulnerable to XSRF, Moore said.
“Without an XSRF token (which ensures the genuine site delivered the form by linking a unique token with you personally), the form is no different to any other on the web,” Moore said. “As such, it can be pre-populated and submitted by anyone. If you happen to be logged in at the time, your profile can be updated simply by visiting another web site.”
The key for the attacker is the password reset. The reset form asks the user to answer two of three fields: the secret question, zip code and phone number. However, the password reset will still be sent to the victim and not the hacker; the key is to sneak in through a second help page that asks the user to enter a valid phone number, to which eBay will deliver a four-digit PIN enabling the reset – that is, to the new number entered by the attacker via the exploit.
“The hacker submits a fake form which changes your contact telephone number, runs a password reset and waits for the phone to ring. Time required to hijack an account… [less than] 1 minute,” Moore wrote on his blog.
An attacker would then have legitimate access to the victim’s eBay account without ever having to steal the user’s original credentials. Once in, they could view a history of the victim’s eBay activity, create a similar listing from another account and buy it using the stolen account, Moore said, adding that if the victim’s PayPal is linked to a bank account, those funds could be quickly drained.
“It’s going to be very difficult to prove your innocence too. After all, the initial request came from your machine, you’ve purchased something you were genuinely interested in, eBay recently contacted you on your telephone number and you’ve left good feedback,” he said. “It’s highly likely that eBay have other security procedures in place but rest assured, the money will be long gone. You may get it back directly from eBay, but you’re going to struggle to explain how they managed to gain access to your account from your own PC.”
The purpose of the Trojan, identified by Zscaler as JS/Exploit-Blacole.em, is simply to redirect users to other sites. The immediate redirection leads to hxxp://rsnvlbgcba.ibiz.cc/d/404.php?go=1 and then on to hxxp://fukbb.com/.
An examination of the initial redirect’s source code revealed that the site is merely a stepping stone that leads users to the second redirect. Oddly, the final destination site does not host any malicious content at the moment. However, a VirusTotal analysis performed by Zscaler and Threatpost suggests that the site is a suspicious one that has been associated with malware-related activities in the past.
An Israeli security researcher from the Ben-Gurion University of the Negev’s Cyber Security Labs claims to have uncovered a serious security flaw in Samsung Knox.
Knox is a security- and privacy-centric platform built into certain Samsung devices running Android. The Knox architecture, tailored for enterprise and government users, is designed in part to compartmentalize device data between personal and professional use.
Mordechai Guri, a Ph.D. student at BGU, discovered the flaw in Samsung’s flagship Galaxy S4 device. According to a report on the university’s website, the bug could give an attacker the ability to intercept communication data between Knox’s secure container and the files outside of it. For now, the flaw appears to only affect Galaxy S4 devices.
By design, Knox’s container feature should keep all data inside the container separate from any data outside of it. Apps within the container can access certain information outside the container – depending on user configuration and settings. Apps outside the container, on the other hand, should never be able to access information stored by apps and folders within the container.
Ideally, if a phone becomes infected with malware or compromised in some other way, all the data within the container should be protected. The flaw, Guri claims, can be used to bypass Knox’s security mechanisms.
“To us, Knox symbolizes state-of-the-art in terms of secure mobile architectures and I was surprised to find that such a big ‘hole’ exists and was left untouched,” Guri wrote. “The Knox has been widely adopted by many organizations and government agencies and this weakness has to be addressed immediately before it falls into the wrong hands. We are also contacting Samsung in order to provide them with the full technical details of the breach so it can be fixed immediately.”
A Samsung spokesperson downplayed the flaw, telling the Wall Street Journal that an ongoing internal investigation revealed that the vulnerability is not as serious as the researchers claim.
“To solve this weakness, Samsung may need to recall their devices or at least publish an over the air software fix immediately. The weakness found may require Samsung to re-think a few aspects of their secure architecture in future models,” said Dudu Mimran, the Chief Technology Officer of BGU’s Cyber Security Labs.
The Pentagon green-lit Samsung Knox-enabled Android devices for use on military networks back in May. The secure platform is still under review by the military, but, if it is approved, may soon be allowed for use within the Department of Defense. Full Pentagon approval would be a serious step forward for the Android operating system, which is an increasingly popular target among attackers as its share of the mobile operating system marketplace continues to grow.
In its latest Security Intelligence Report, the Microsoft Malware Protection Center (MMPC) determined that the malware encounter rate in Turkey is far greater than that of any other country in the entire world, let alone the other countries among the top 10 in malware infections.
Encounter rate, per the MMPC’s definition, is the percentage of computers that reported at least one detection of malware. Microsoft measured national encounter rates under six categories: miscellaneous Trojans, worms, exploits, Trojan downloaders and droppers, viruses, password stealers and monitoring tools, and backdoors. Turkey is among the leaders or in sole possession of the lead in every category.
Specifically, Turkey’s encounter rate is significantly higher than any other country for miscellaneous Trojans, worms, exploits, and Trojan downloaders and droppers. Turkey is tied for first place with India in the number of viruses it faces. Turkey is tied with Russia and trails closely behind India and Brazil in its rate of infection by password stealers and monitoring tools. Only China is exposed to more backdoor-related threats than Turkey.
Microsoft hypothesized that Turkey’s uncharacteristically high encounter rates by a wide variety of threat types may suggest that cybercriminals are increasingly targeting Turkey for some reason.
In order to test this hypothesis, the MMPC defined a targeted threat as a family of malware with at least 80 percent of its infections in one country. The targeted encounter rate is therefore the percentage of computers that reported at least one detection of a targeted malware family. In comparison to the other top countries, Turkey is being targeted by miscellaneous trojans, trojan downloaders and droppers, and worms at a far higher rate.
Microsoft does not venture a guess at why cybercriminals may be targeting Turkey. However, the MMPC claims that its theory is further corroborated by a deeper examination of the most widely deployed families of targeted malware in that country. They examined the machine count inside and outside of Turkey for the top five families found there. The MMPC found that the Kilm trojan has infected some 235,000 machines, 92 percent of which are in Turkey. The Murkados worm has nearly 170,000 infections, 97 percent inside Turkey. The Truado trojan boasts roughly 138,000 infections, 87 percent in Turkey. The Preflayer trojan is present on 97,000 machines, 92 percent of which are located in Turkey. And the Reksner trojan is present on just fewer than 47,000 machines, of which 97 percent are inside Turkey.
The MMPC defines miscellaneous trojans as malware that is self-contained and does not self-replicate. In Turkey, 30.6 percent of machines have experienced such infections. Its closest competitor in this category is Russia, whose rate is 23.6 percent. The world average is 10.3 percent. In terms of worms, which are defined as malware that sends copies of itself through various communication mechanisms, Turkey leads India 21.4 to 18 percent, with a worldwide average of 4.7 percent. Exploits include malware that takes advantage of software vulnerabilities. Turkey tops India in that category 7.7 to 5.4 percent. The worldwide average is 3.9 percent. For trojan downloaders and droppers – or trojans that download or drop other malware onto already infected computers – Turkey holds the lead at 10.7 percent over Brazil’s 8.7 percent.
Turkey shares the lead with India in virus infection rates at 8.8 percent. Viruses are malware that replicates itself by infecting other files on the host machine. The worldwide average for virus encounter rates is 2.1 percent.
Turkey is in a tie for third with Russia, with 2.5 percent of all machines in that country reporting infections by password stealers and monitoring tools. Brazil leads India 3.2 to 2.8 percent; the global average is 1.3 percent. China leads Turkey 3.1 to 2.8 percent for backdoor malware, which is reported by 1.2 percent of computers around the world.
The top 10 countries with the highest encounter rates worldwide are – in no particular order – the U.S., Brazil, Turkey, Russia, India, U.K., China, Mexico, France, and Germany.
VMware has patched a vulnerability in its ESX and ESXi hypervisors that could allow unauthorized local access to files.
“This issue may allow an unprivileged vCenter Server user with the privilege ‘Add Existing Disk’ to obtain read and write access to arbitrary files on ESXi or ESX,” the company said in its advisory released on Sunday.
The vulnerability is exploitable only locally and through vCenter, which is a management platform for other VMware virtualization products. vCenter handles deployment, centralized visibility and management features as well as optimization capabilities.
VMware cautions enterprises running older ESX installations that an unprivileged local user could not only gain read/write access to files, but could modify them with malware that would execute after a host reboot.
“Unprivileged vCenter Server users or groups that are assigned the predefined role ‘Virtual Machine Power User’ or ‘Resource Pool Administrator’ have the privilege ‘Add Existing Disk,’” VMware said.
The company recommends limiting the number of vCenter users who have the elevated privilege in question until patches can be applied, and notes that none of the predefined roles are assigned in a default vCenter Server installation.
ESX versions 4.0 and 4.1 are vulnerable, as are ESXi versions 4.0, 4.1, 5.0, 5.1 and 5.5.
VMware also cautions that the patches it released will not remediate the issue if the configrules file in ESX or ESXi has been modified; VMware said this is not a common user scenario. For installations where the file has been modified, a workaround is recommended.
A new set of malware campaigns targeted at Syrian activists, journalists and NGOs has emerged, and security researchers say that the attackers are employing a variety of tactics, including a new OS X Trojan that could be part of a “false flag” operation.
The details of the new round of attacks on government opposition groups in Syria show that, despite attention focused on the problem for the last year or so, attackers are continuing to refine their methods and develop new malware and social engineering tactics. Researchers at Citizen Lab and EFF have been looking at the new malware campaigns, and in a new report they describe a diverse set of attacks that are targeting a variety of people and organizations involved in the anti-government efforts in Syria.
In the past, most of the attacks have fallen into a couple of fairly easily identifiable categories. But now, the groups behind these latest attacks are using a wider variety of tools to compromise their targets, including several remote-access Trojans and the OS X malware.
“Opposition groups continue to be targeted with phishing and malware attacks by pro-Assad hackers, but the attacks are getting curiouser and curiouser,” Eva Galperin, a global policy analyst at EFF, said. “Up until now, the campaigns have all been very similar to one another. Now we’re starting to see attacks that don’t fit into these patterns but seem to deliberately implicate pro-Assad hackers.”
The new report, “Quantum of Surveillance”, shows that there are likely some familiar attackers behind the new operations. There are two specific pieces of malware involved in the attack, njRAT and Xtreme RAT, that are being sent out in targeted phishing emails to groups and individuals involved in the Syrian resistance. They’re both used to exfiltrate data from compromised machines and Xtreme RAT has keystroke logging capabilities. Researchers said that both njRAT and Xtreme RAT have been seen in attacks in Syria before.
Xtreme RAT is being sent in a couple of different emails, one of which contains a ZIP archive of a graphic video of a man being executed. After looking at that campaign, the researchers discovered a second campaign that also was using the same malware.
“Xtreme RAT has long been associated with malware targeted at the Syrian opposition. A week later, we identified a second attack that also deployed Xtreme RAT, again sent as a malicious email attachment. The sender’s address and the attachment title suggested links to the Free Syrian Army and/or the Syrian opposition,” the researchers said in the paper.
The two campaigns use the same command and control infrastructure and the researchers believe that they may be connected to a similar campaign earlier this year.
“Upon examination of the site linked to this attack (http://mrconstrucciones.net/js/), which appeared to have been the hacked site of a Mexican company, we found six malware binaries contained in various file types (.pif, .rar, .zip, and .php). As further evidence that this attack and the previous attack are linked, this directory contained the world-viewable (for a time) identical “video31.zip” file described above,” the researchers said.
“The two pieces of malware we’ve described are similar to the ones analyzed by Citizen Lab in our report from June 2013. The malware uses a command and control server whose domain (http://tn1.linkpc.net:81/123.functions) resolves to the same IP address as the command and control server described in the Citizen Lab report (http://tn5.linkpc.net:81/123.functions). We continue to see malware campaigns pointing to both domains.”
One odd bit of evidence that the researchers uncovered was an OS X Trojan that had been used in attacks as early as September. The malware is mailed out to users in Syria, but the researchers found that, despite speculation in the media, there was no connection between the Trojan and the infamous Syrian Electronic Army attack group.
“Why the attacker would want to associate their malware with the Syrian Electronic Army is unclear, but the preponderance of evidence appears to suggest that this operation is unrelated to campaigns we have been tracking since 2011,” they said.
Image from Flickr photos of Nicolas Raymond.
UPDATE: The domain registrar and Web-hosting company Namecheap has fixed a cross-site request forgery vulnerability in its DNS setup page. According to security researcher Henry Hoggard, the bug could have given an attacker the ability to hijack domain name system servers and redirect incoming traffic.
In an email interview, Hoggard told Threatpost he had no evidence to suggest the vulnerability had been exploited in the wild. However, if there had been an attacker with knowledge of the vulnerability, that person could have redirected incoming traffic away from its intended destination and toward a malicious site under the attacker’s control. This tactic is widely used among cybercriminals seeking to collect log-in information, install malware on victim machines, and perform other malicious acts.
Furthermore, Hoggard claimed in a blog post announcing the vulnerability, malicious actors could also have exploited the flaw in order to intercept mail exchange records and email communications.
“This would have impacted all customers, which I’m sure is a lot of high profile websites, as Namecheap is one of the most popular domain registrars,” Hoggard said.
According to information on its website, Namecheap services more than 800,000 clients and manages more than three million domains.
Namecheap implemented the vulnerability fix on their end. No user interaction is required to apply the patch.
Hoggard reported the bug to Namecheap in June. It is not clear why the company took so much time to resolve the flaw. Hoggard suggested that the delay may have arisen from organizational problems rather than patching lethargy.
“It took Namecheap just over six months to fix it,” Hoggard said. “I do not know why it took so long, but I had to go through the general customer support ticketing system to report it as I could not find a security contact for them. So that took a lot of time just to find the right person to report it to.”
Namecheap issued a response on their website downplaying the significance of the bug, claiming that no customers had been impacted by the CSRF vulnerability. The registrar said that exploiting the vulnerability, which they monitored from the time it was reported until they fixed it, required very specific criteria.
An attacker attempting to exploit this bug would have to compel his or her victim to open a malicious attachment or follow a link to a website containing malware. The vulnerability is only exploitable if the victim opens a malicious attachment or link while logged into his or her Namecheap account in the same browser. Beyond this, the attacker would have to know the domain of his or her victim.
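The XSRF weakness Moore describes in eBay’s profile update form and the one Hoggard found in Namecheap’s DNS setup page share the same root cause: the server accepts a state-changing POST on the strength of the session cookie alone, which the browser attaches whichever site built the form. As an added example, not code from the article, eBay or Namecheap, the block below shows that handler beside a version that also demands a per-session token; every session, profile and token value is constructed.

```python
"""Added example (not from the article, eBay or Namecheap): a profile-update
handler that trusts the session cookie alone, beside one that also requires a
per-session anti-CSRF token. Every name and value below is constructed."""
import hmac
import secrets

# Constructed server-side state: session cookie -> user, and each user's profile.
SESSIONS = {"sess-abc123": "alice"}
PROFILES = {"alice": {"phone": "555-0100", "zip": "10001"}}
# Anti-CSRF tokens issued by the hardened server, keyed by session cookie.
CSRF_TOKENS = {}

EDITABLE = ("phone", "zip")


def user_from_cookie(cookie):
    """Both handlers identify the user purely from the cookie the browser attaches."""
    return SESSIONS.get(cookie)


def vulnerable_update(cookie, form):
    """The weak form handler: any POST carrying a valid cookie is accepted,
    whichever site built the form. Returns an HTTP-style status code."""
    user = user_from_cookie(cookie)
    if user is None:
        return 401
    PROFILES[user].update({k: form[k] for k in EDITABLE if k in form})
    return 200


def render_hardened_form(cookie):
    """The genuine site renders the form with a fresh random token bound to the
    session; a page on another origin cannot read this value."""
    user = user_from_cookie(cookie)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    CSRF_TOKENS[cookie] = token
    fields = dict(PROFILES[user])
    fields["csrf_token"] = token
    return fields


def hardened_update(cookie, form):
    """The fixed handler: the submitted token must match the one issued to this
    session. Compared in constant time; a missing or stale token is refused."""
    user = user_from_cookie(cookie)
    if user is None:
        return 401
    expected = CSRF_TOKENS.get(cookie)
    supplied = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403
    # Single use: a replayed copy of the form must not pass a second time.
    del CSRF_TOKENS[cookie]
    PROFILES[user].update({k: form[k] for k in EDITABLE if k in form})
    return 200


def cross_site_form():
    """What a page on another origin can make the victim's browser POST: fields of
    its choosing, with the victim's cookie attached by the browser, but no token."""
    return {"phone": "555-0199", "zip": "90210"}


def demo():
    """Run the cases and return their outcomes so they can be inspected or asserted on."""
    cookie = "sess-abc123"
    results = {}
    PROFILES["alice"] = {"phone": "555-0100", "zip": "10001"}
    # 1) Without a token, the cross-site POST silently rewrites the contact details.
    results["vulnerable"] = vulnerable_update(cookie, cross_site_form())
    results["vulnerable_phone"] = PROFILES["alice"]["phone"]
    PROFILES["alice"] = {"phone": "555-0100", "zip": "10001"}
    # 2) The hardened handler refuses the same POST because it carries no token.
    render_hardened_form(cookie)
    results["hardened_forged"] = hardened_update(cookie, cross_site_form())
    results["hardened_forged_phone"] = PROFILES["alice"]["phone"]
    # 3) Submitting the genuinely rendered form (token included) succeeds ...
    form = render_hardened_form(cookie)
    form["phone"] = "555-0123"
    results["hardened_genuine"] = hardened_update(cookie, form)
    # ... and replaying that same form afterwards is rejected.
    results["hardened_replay"] = hardened_update(cookie, form)
    return results


if __name__ == "__main__":
    print(demo())
```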
When hackers breached Adobe in October and spilled millions of its customers’ IDs and encrypted passwords, it was all but certain the attack would result in a wave of subsequent phishing attacks.
It wasn’t exactly clear how soon the attacks would come or what form they’d come in, but after two somewhat quiet months it looks like attackers are finally beginning to focus their efforts on a concerted campaign.
The software company sounded the alarm about a new strain of phishing attacks in a blog post Friday warning customers that it was aware of a campaign involving emails “purporting to deliver license keys for a variety of Adobe offerings.”
While Adobe was a bit vague with its warning, it still encouraged users to delete any questionable emails immediately and not to download any attachments or click on any hyperlinks in the emails, especially those of the suspicious variety.
The warning, which was relayed on the company’s Product Security Incident Response Team (PSIRT) blog, also directs users to a page Adobe set up shortly after the breach to help customers spot phishing attacks.
Meanwhile, researchers at both Cisco and MX Lab write that they’ve spotted some of the emails in the wild and claim the subject lines vary from email to email. “Download your adobe software,” “Download your license key,” “Thank you for your order” and “Your order is processed” are apparently all subject lines being used in this scam by attackers, according to a post by MX Lab last Thursday.
The rest of the email, or at least the one Cisco found, reads as follows:
Thank you for buying Digital Publishing Suite, Professional Edition Digital Publishing Suite software.
Your Adobe License key is in attached document below.
Adobe Systems Incorporated.
Naturally the text tries to get unsuspecting customers to open an attached .zip file, which in turn contains a malicious .exe file. That file, of course, will go ahead and install malicious code, along with a series of Trojans, onto the system in question.
In what many experts were calling one of the worst breaches in U.S. history – at least before last week’s Target debacle – hackers made off with the personal information of some 38 million Adobe users along with the source code for the software company’s design products Acrobat, ColdFusion and Photoshop.
Adobe initially reported that somewhere around three million encrypted credit cards and accompanying login data were pilfered from its servers, yet a cache of information later analyzed by security reporter Brian Krebs revealed that “tens of millions” of accounts had been put at risk.
The breach later made its way to Facebook, which was forced to reset some of its users’ passwords because they were the same as some compromised in the breach.
Microsoft is declaring the ZeroAccess botnet dead.
Two weeks after obtaining a court order to disrupt the botnet’s ability to carry out click-fraud, assistant general counsel Richard Boscovich of Microsoft’s Digital Crimes Unit said late last week that the botmasters behind ZeroAccess had abandoned ship.
Microsoft’s takedown was quickly questioned by experts who said that while Microsoft may have temporarily disrupted the criminals’ ability to carry out click-fraud, malware distribution, and other malicious activities, it did not impair the peer-to-peer botnet’s communication protocol. As expected, the attackers were able to issue new configuration commands to bots under their control and resume operations.
Boscovich, however, said Microsoft and its partners in this operation, Europol’s Cybercrime Center and Germany’s Bundeskriminalamt’s (BKA) Cyber Intelligence Unit, were able to monitor this activity, identify and track down new IP addresses used in fraud schemes under the new configuration. The German BKA led the charge in this respect less than 24 hours after the disruption began, Boscovich said.
“After BKA’s quick response, the bot-herders released one additional update to the infected computers that included the message ‘WHITE FLAG,’ which we believe symbolizes that the criminals have decided to surrender control of the botnet,” Boscovich said. “Since that time, we have not seen any additional attempts by the bot-herders to release new code and as a result, the botnet is currently no longer being used to commit fraud.”
Damballa researcher Yacin Nadji was one of the more outspoken critics of Microsoft’s approach. Today he told Threatpost he doesn’t believe the WHITE FLAG message is an indication of surrender.
“As far as we can see, the P2P communication channel is still operational. The ‘WHITE FLAG’ message simply shows that the botmasters can communicate with the infected hosts at their leisure,” Nadji said. “Given all the media attention focused on ZeroAccess now, immediately re-engaging in fraudulent activities is probably not in the botmasters’ best interest. The point remains that, until the P2P network is disrupted, the botnet can resume malicious activities at any time.”
If Microsoft is correct, ZeroAccess is one of the first peer-to-peer botnets to be shut down in such an effort. In the past, Microsoft has led efforts to squash botnets such as Kelihos and Nitol using a similar coordinated effort with U.S. and international law enforcement. Those botnets, however, worked off of a centralized command and control infrastructure, and the good guys were able to key in on a relatively small number of command servers.
Communication in a peer-to-peer botnet, however, is much different. Usually, attackers write a custom protocol that supports communication between bots; through this channel, updates and configuration changes are shared, rather than with a single point of failure. Researchers in the past have had a difficult time enumerating peer-to-peer botnets, much less taking them down. A research report presented earlier this year said P2P botnets were resilient to sinkholing and other research and takedown methods. ZeroAccess, according to the paper, updated its peer lists automatically every few seconds and would communicate only through the 256 most recent peers.
“P2P networks are more complex to design, implement, and maintain than a centralized infrastructure and they may still be vulnerable to attacks,” said Dr. Brett Stone-Gross, a senior security researcher with Dell SecureWorks and one of the paper’s authors. “There are also ways to harden a centralized botnet to make it more resilient to takedown efforts, so P2P may not be worth the additional effort.”
Stone-Gross said at the time of the ZeroAccess disruptions that there were advantages and disadvantages to Microsoft’s approach, and that click-fraud operations could be quickly restarted or repurposed.
“It is very easy for the attackers to restore click-fraud capabilities,” he said. “They can simply push new click-fraud modules (or other types of malware) and configuration files through the P2P network whenever they choose.”
Microsoft, the EC3, FBI, and the application networking and security firm A10 Networks cooperated on the disruption of ZeroAccess, reported on Dec. 6. Microsoft filed a lawsuit against the botnet’s operators, and a Texas district court granted the tech giant permission to block incoming and outgoing traffic to 18 IP addresses found to be involved in the scam. Microsoft was also able to wrest control of 49 domains associated with ZeroAccess.
Statistics from Microsoft and Europol estimate there were nearly two million compromised computers at the disposal of the ZeroAccess botmaster, who was collecting close to $3 million monthly in fraudulent advertising.
One of the key tenets of the argument that the National Security Agency and some lawmakers have constructed to justify the agency’s collection of phone metadata is that the information it’s collecting, such as phone numbers and length of call, can’t be tied to the callers’ names. However, a quick investigation by researchers at Stanford University who have been collecting information voluntarily from Android users found that they could correlate numbers to names with very little effort.
The Stanford researchers recently started a program called Metaphone that gathers data from volunteers with Android phones. They collect data such as recent phone calls and text messages and social network information. The goal of the project, which is the work of the Stanford Security Lab, is to draw some lines connecting metadata and surveillance. As part of the project, the researchers decided to select a random set of 5,000 numbers from their data and see whether they could connect any of them to subscriber names using just freely available Web tools.
The result: They found names for 27 percent of the numbers using just Google, Yelp, Facebook and Google Places.
That result came with next to no effort. So the researchers decided to go up a notch and spend a little time and see how many more they could find.
“What about if an organization were willing to put in some manpower? To conservatively approximate human analysis, we randomly sampled 100 numbers from our dataset, then ran Google searches on each. In under an hour, we were able to associate an individual or a business with 60 of the 100 numbers. When we added in our three initial sources, we were up to 73,” said Jonathan Mayer and Patrick Mutchler in a blog post explaining the results.
Things got even more interesting when they invested a little money in their search.
“How about if money were no object? We don’t have the budget or credentials to access a premium data aggregator, so we ran our 100 numbers with Intelius, a cheap consumer-oriented service. 74 matched. Between Intelius, Google search, and our three initial sources, we associated a name with 91 of the 100 numbers,” they wrote.
The researchers also released an update to the Metaphone app that now enables instant feedback for users, giving them a quick view of how closely they’re connected to other Metaphone users and how many businesses they’ve been in contact with.
Image from Flickr photos of Ron Bennetts.
The accumulation of hundreds of leaked documents and formerly secret operational methods used by the NSA in the last six months has led to a bit of a numbing effect, with some new leaks being met with a shrug of indifference. But the latest and most explosive entry in that ledger–the report that the spy agency paid RSA Security $10 million in 2004 to implement a compromised random-number generator as the default in one of its key products–has shaken the security community and sent shockwaves through the industry that may be felt for years to come.
The allegation surfaced Friday in a story by Reuters that asserted that the NSA had a secret contract with RSA through which the security company agreed to make Dual EC-DRBG the default random number generator in its BSAFE crypto library. BSAFE is a key component used by developers in a number of products. In September, the news broke that Dual EC-DRBG had been compromised during the development process at NIST and deliberately weakened by the NSA so that the agency would have the ability to break products that incorporate it. In the wake of that revelation, RSA officials advised their customers to stop using Dual EC-DRBG and choose another RNG, and NIST also issued guidance that advised against using Dual EC-DRBG.
The implications of RSA, one of the foundational technology providers in the security industry, knowingly agreeing to make a compromised random number generator the default choice for its customers are troubling not just for the company itself but for its customers and the security of the Internet, as well. If true, it would mean that the company had set up its customers’ products to fail and given the NSA the ability to compromise them at any time, without users’ knowledge.
While NSA has remained mum on the allegation, RSA officials on Sunday issued a carefully worded response, saying that the company had “never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.”
The company was independent at the time of the introduction of Dual EC-DRBG into BSAFE in 2004, but was later acquired by EMC for $2.1 billion. RSA officials said in the statement that the decision to use Dual EC-DRBG was made for valid technology reasons and that there were several other RNGs available to users in BSAFE, as well.
“Recent press coverage has asserted that RSA entered into a ‘secret contract’ with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation,” the RSA statement says.
“We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.”
The RSA-NSA allegations have been a prime topic of conversation in the security community since the story broke, and some experts say that the issue, combined with other recent surveillance revelations, could deal a major hit to the level of trust that users have in the Internet.
“We no longer know who to trust. This is the greatest damage the NSA has done to the Internet, and will be the hardest to fix,” cryptographer Bruce Schneier wrote in a post on the allegations.
Image from Flickr photos of Michael Himbeault.