When hackers breached Adobe in October and spilled millions of its customers’ IDs and encrypted passwords, it was all but certain the attack would result in a wave of subsequent phishing attacks.
It wasn’t exactly clear how soon the attacks would come or what form they’d come in, but after two somewhat quiet months it looks like attackers are finally beginning to focus their efforts on a concerted campaign.
The software company sounded the alarm about a new strain of phishing attacks in a blog post Friday warning customers that it was aware of a campaign involving emails “purporting to deliver license keys for a variety of Adobe offerings.”
While Adobe was a bit vague with its warning, it still encouraged users to delete any questionable emails immediately and not to download any attachments or click on any hyperlinks in the emails, especially those of the suspicious variety.
The warning, which was relayed on the company’s Product Security Incident Response Team (PSIRT) blog, also directs users to a page Adobe set up shortly after the breach to help customers spot phishing attacks.
Meanwhile, researchers at both Cisco and MX Lab write that they’ve spotted some of the emails in the wild and say the subject lines vary from email to email. “Download your adobe software,” “Download your license key,” “Thank you for your order” and “Your order is processed” are apparently all subject lines being used in this scam by attackers, according to a post by MX Lab last Thursday.
The rest of the email, or at least the one Cisco found, reads as so:
Thank you for buying Digital Publishing Suite, Professional Edition Digital Publishing Suite software.
Your Adobe License key is in attached document below.
Adobe Systems Incorporated.
Naturally the text tries to get unsuspecting customers to open an attached .zip file, which in turn contains a malicious .exe file. That file, of course, will go ahead and install malicious code, along with a series of Trojans, onto the system in question.
In what many experts were calling one of the worst breaches in U.S. history – at least before last week’s Target debacle – hackers made off with the personal information of some 38 million Adobe users along with the source code for the software company’s design products Acrobat, ColdFusion and Photoshop.
Adobe initially reported that somewhere around three million encrypted credit cards and accompanying login data were pilfered from its servers, but a cache of information later analyzed by security reporter Brian Krebs revealed that “tens of millions” of accounts had been put at risk.
The breach later made its way to Facebook, which was forced to reset some of its users’ passwords because they were the same as some compromised in the breach.
Microsoft is declaring the ZeroAccess botnet dead.
Two weeks after obtaining a court order to disrupt the botnet’s ability to carry out click-fraud, assistant general counsel Richard Boscovich of Microsoft’s Digital Crimes Unit said late last week that the botmasters behind ZeroAccess had abandoned ship.
Microsoft’s takedown was quickly questioned by experts who said that while Microsoft may have temporarily disrupted the criminals’ ability to carry out click-fraud, malware distribution, and other malicious activities, it did not impair the peer-to-peer botnet’s communication protocol. As expected, the attackers were able to issue new configuration commands to bots under their control and resume operations.
Boscovich, however, said Microsoft and its partners in this operation, Europol’s Cybercrime Center and the Cyber Intelligence Unit of Germany’s Bundeskriminalamt (BKA), were able to monitor this activity and identify and track down new IP addresses used in fraud schemes under the new configuration. The German BKA led the charge in this respect less than 24 hours after the disruption began, Boscovich said.
“After BKA’s quick response, the bot-herders released one additional update to the infected computers that included the message ‘WHITE FLAG,’ which we believe symbolizes that the criminals have decided to surrender control of the botnet,” Boscovich said. “Since that time, we have not seen any additional attempts by the bot-herders to release new code and as a result, the botnet is currently no longer being used to commit fraud.”
Damballa researcher Yacin Nadji was one of the more outspoken critics of Microsoft’s approach. Today he told Threatpost he doesn’t believe the WHITE FLAG message is an indication of surrender.
“As far as we can see, the P2P communication channel is still operational. The ‘WHITE FLAG’ message simply shows that the botmasters can communicate with the infected hosts at their leisure,” Nadji said. “Given all the media attention focused on ZeroAccess now, immediately re-engaging in fraudulent activities is probably not in the botmasters’ best interest. The point remains that, until the P2P network is disrupted, the botnet can resume malicious activities at any time.”
If Microsoft is correct, ZeroAccess is one of the first peer-to-peer botnets to be shut down in such an effort. In the past, Microsoft has led efforts to squash botnets such as Kelihos and Nitol using a similar coordinated effort with U.S. and international law enforcement. Those botnets, however, relied on a centralized command-and-control infrastructure, and the good guys were able to key in on a relatively small number of command servers.
Communication in a peer-to-peer botnet, however, is much different. Usually, attackers write a custom protocol that supports communication between bots; updates and configuration changes are shared through this channel rather than through a single point of failure. Researchers in the past have had a difficult time enumerating peer-to-peer botnets, much less taking them down. A research report presented earlier this year said P2P botnets were resilient to sinkholing and other research and takedown methods. ZeroAccess, according to the paper, updated its peer lists automatically every few seconds and would communicate only through the 256 most recent peers.
“P2P networks are more complex to design, implement, and maintain than a centralized infrastructure and they may still be vulnerable to attacks,” said Dr. Brett Stone-Gross, a senior security researcher with Dell SecureWorks and one of the paper’s authors. “There are also ways to harden a centralized botnet to make it more resilient to takedown efforts, so P2P may not be worth the additional effort.”
Stone-Gross said at the time of the ZeroAccess disruptions that there were advantages and disadvantages to Microsoft’s approach, and that click-fraud operations could be quickly restarted or repurposed.
“It is very easy for the attackers to restore click-fraud capabilities,” he said. “They can simply push new click-fraud modules (or other types of malware) and configuration files through the P2P network whenever they choose.”
Microsoft, the EC3, FBI, and the application networking and security firm A10 Networks cooperated on the disruption of ZeroAccess, reported on Dec. 6. Microsoft filed a lawsuit against the botnet’s operators, and a Texas district court granted the tech giant permission to block incoming and outgoing traffic to 18 IP addresses found to be involved in the scam. Microsoft was also able to wrest control of 49 domains associated with ZeroAccess.
Statistics from Microsoft and Europol estimate there were nearly two million compromised computers at the disposal of the ZeroAccess botmaster, who was collecting close to $3 million monthly in fraudulent advertising.
One of the key tenets of the argument that the National Security Agency and some lawmakers have constructed to justify the agency’s collection of phone metadata is that the information it’s collecting, such as phone numbers and length of call, can’t be tied to the callers’ names. However, some quick investigation by researchers at Stanford University who have been collecting information voluntarily from Android users found that they could correlate numbers to names with very little effort.
The Stanford researchers recently started a program called Metaphone that gathers data from volunteers with Android phones. They collect data such as recent phone calls and text messages and social network information. The goal of the project, which is the work of the Stanford Security Lab, is to draw some lines connecting metadata and surveillance. As part of the project, the researchers decided to select a random set of 5,000 numbers from their data and see whether they could connect any of them to subscriber names using just freely available Web tools.
The result: They found names for 27 percent of the numbers using just Google, Yelp, Facebook and Google Places.
That result came with next to no effort. So the researchers decided to go up a notch and spend a little time and see how many more they could find.
“What about if an organization were willing to put in some manpower? To conservatively approximate human analysis, we randomly sampled 100 numbers from our dataset, then ran Google searches on each. In under an hour, we were able to associate an individual or a business with 60 of the 100 numbers. When we added in our three initial sources, we were up to 73,” said Jonathan Mayer and Patrick Mutchler in a blog post explaining the results.
Things got even more interesting when they invested a little money in their search.
“How about if money were no object? We don’t have the budget or credentials to access a premium data aggregator, so we ran our 100 numbers with Intelius, a cheap consumer-oriented service. 74 matched. Between Intelius, Google search, and our three initial sources, we associated a name with 91 of the 100 numbers,” they wrote.
The researchers also released an update to the Metaphone app that now enables instant feedback for users, giving them a quick view of how closely they’re connected to other Metaphone users and how many businesses they’ve been in contact with.
The accumulation of hundreds of leaked documents and formerly secret operational methods used by the NSA in the last six months has led to a bit of a numbing effect, with some new leaks being met with a shrug of indifference. But the latest and most explosive entry in that ledger–the report that the spy agency paid RSA Security $10 million in 2004 to implement a compromised random-number generator as the default in one of its key products–has shaken the security community and sent shockwaves through the industry that may be felt for years to come.
The allegation surfaced Friday in a story by Reuters that asserted that the NSA had a secret contract with RSA through which the security company agreed to make Dual EC-DRBG the default random number generator in its BSAFE crypto library. BSAFE is a key component used by developers in a number of products. In September, the news broke that Dual EC-DRBG had been compromised during the development process at NIST and deliberately weakened by the NSA so that the agency would have the ability to break products that incorporate it. In the wake of that revelation, RSA officials advised their customers to stop using Dual EC-DRBG and choose another RNG, and NIST also issued guidance that advised against using Dual EC-DRBG.
The implications of RSA, one of the foundational technology providers in the security industry, knowingly agreeing to make a compromised random number generator the default choice for its customers are troubling not just for the company itself but for its customers and the security of the Internet, as well. If true, it would mean that the company had set up its customers’ products to fail and given the NSA the ability to compromise them at any time, without users’ knowledge.
While NSA has remained mum on the allegation, RSA officials on Sunday issued a carefully worded response, saying that the company had “never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.”
The company was independent at the time of the introduction of Dual EC-DRBG into BSAFE in 2004, but was later acquired by EMC for $2.1 billion. RSA officials said in the statement that the decision to use Dual EC-DRBG was done for valid technology reasons and that there were several other RNGs available to users in BSAFE, as well.
“Recent press coverage has asserted that RSA entered into a ‘secret contract’ with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation,” the RSA statement says.
“We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.”
The RSA-NSA allegations have been a prime topic of conversation in the security community since the story broke, and some experts say that the issue, combined with other recent surveillance revelations, could deal a major hit to the level of trust that users have in the Internet.
“We no longer know who to trust. This is the greatest damage the NSA has done to the Internet, and will be the hardest to fix,” cryptographer Bruce Schneier wrote in a post on the allegations.
One by one, the telecommunications giants at the heart of the NSA surveillance scandal are relenting to shareholder pressure and public demands for them to publish reports on government requests for user data.
On Friday Verizon and AT&T announced their intent to begin producing transparency reports in 2014, after having previously invested time and effort in denouncing some of the technology companies that have regularly provided insight into their compliance with warrants from the government.
Google, Facebook, Twitter, LinkedIn and others have done quarterly or semi-annual transparency reports, some going back two or three years. Yet Verizon and AT&T refused to cave; Verizon went so far as to label the reports from some tech companies as grandstanding. Both telcos also said shareholders had no standing on which to demand such reports.
Things changed quickly, however, after the White House Review Group on Intelligence and Communications Technologies made a number of reform recommendations to the National Security Agency’s surveillance programs. The first revelation from the Edward Snowden documents in June was that the NSA was collecting phone call metadata records, purportedly from non-U.S. citizens. The dragnet, however, was also sweeping up Americans’ records, including those of citizens not suspected of terrorism or considered a threat to national security.
AT&T and Verizon said they will publish semi-annual transparency reports starting next year. AT&T general counsel Wayne Watts reiterated that the company will continue to review government and court orders for customer data for lawfulness and propriety, and said his company does not allow a government agency to connect directly to the AT&T network. Watts also said AT&T would not publish requests related to national security.
“Any disclosures regarding classified information should come from the government, which is in the best position to determine what can be lawfully disclosed and would or would not harm national security,” Watts said.
The companies are permitted by law, however, to report only aggregate totals of subpoenas, court orders and warrants, as well as the number of customers affected. National Security Letters are another matter. Companies are not allowed to report specifics on those requests other than in ranges of 1,000. Tech companies such as Google, Facebook and others have joined together to petition the government for permission to be more specific about National Security Letters, arguing that the permissible ranges do little to enhance transparency.
“AT&T’s failure to push for the right to fully and accurately inform the public about our government’s actions is extremely disappointing, and we urge AT&T to reconsider its position,” wrote Nate Cardozo and April Glaser, staff attorney and activist respectively, at the Electronic Frontier Foundation. “With transparency reports, companies have the opportunity to deepen their consumers’ trust by being open about how governments around the world collect and use our private data.”
AT&T’s and Verizon’s decision coincides with Google’s latest transparency report, which pointed out that requests from the government jumped 18 percent in the first six months of this year and that Google complied with requests for U.S. users’ data 83 percent of the time. In all, Google received 25,879 requests for user data in the first six months of 2013 covering more than 42,000 total accounts. The company produced some data in 65 percent of those requests, for all governments; the data turned over can vary from a name or email address to message content and IP address data.
The volume of government requests to Google for user data is continuing to increase, something that should come as no surprise in the current climate. In its latest transparency report, the company said that it received more than 25,000 requests for user data in the first six months of 2013, an increase of about 18 percent.
As is normally the case, the huge majority of the requests that Google received through June of this year came from the United States, with 10,918 requests. Interestingly, India came in with the second-most requests, with 2,691. Germany, France and the U.K. rounded out the top five. The number of requests in which Google handed over some of the data demanded by the government is quite high, especially with regard to U.S. requests, where Google provided data in 83 percent of requests.
The kinds of data that Google, and other companies that move and store similar kinds of user information, must disclose to law enforcement agencies can vary quite a bit, depending upon the kind of request or order it receives. It can range from simple name, email and phone number information to email content, private message content and IP address data. Google and many of its peers have petitioned the government in recent months for the ability to publish more information about the kinds of requests they get for user data, specifically National Security Letters. Right now, companies are only permitted to disclose those numbers in ranges of 1,000.
NSLs are special orders served by the FBI on companies that require the recipient to produce data as part of a national-security related investigation. They are secret and typically the recipient isn’t permitted to disclose that it has even received an NSL. Google, Yahoo and Facebook have asked the government to allow them to publish specific numbers of NSLs.
In all, Google received 25,879 requests for user data in the first six months of 2013 covering more than 42,000 total accounts. The company produced some data in 65 percent of those requests, for all governments.
Google’s new report, published this week, also includes quite a bit of data on malware distribution, phishing sites, attack sites and compromised sites. One of the key pieces of this puzzle is the Safe Browsing API that Google publishes and is used by all of the major browsers. The system scans large chunks of the Web constantly, looking for various kinds of malicious sites and incorporating the results into the browsers’ security warnings to users. For example, of the more than 35 million sites in the U.S. scanned during the reporting period, less than one percent were found to be hosting malware. By comparison, six percent of the 275,000 sites scanned in Canada were hosting malware and in Myanmar–which you may know as Burma–only one site was found hosting malware.
UPDATE: The math in this and other reports was simply tabulated incorrectly.
New American presidents often are measured by what they accomplish in their first 100 days. By that yardstick, the crew behind the CryptoLocker ransomware has been a raging success. The unknown group of attackers has already infected between 200,000 and 250,000 systems worldwide and likely raked in far more than $300,000 in ransom to date, according to researchers at Dell SecureWorks CTU, who published a deep analysis of the malware this week.
In a blog posted Wednesday, Keith Jarvis, a Senior Security Researcher with Dell SecureWorks, discussed the history of CryptoLocker and described how the malware is able to encrypt its victims’ files until they pay a ransom, usually around $300.
While all of the research is an interesting read, it’s especially noteworthy that the analysis has finally given us an idea of how many computers have been infected since the malware surfaced shortly after the beginning of September.
It was reported the malware was sent to “tens of millions” of online banking customers in the U.K. in November but at the time it wasn’t certain just how many machines had actually opened the malicious attachment and were legitimately infected.
Now it’s clear that somewhere between 200,000 and 250,000 systems have been infected globally in the threat’s first 100 days, with the bulk of the attacks targeting machines in the United States.
CryptoLocker infections have surged over the last few months with officials from the US-CERT and the U.K.’s National Crime Agency’s National Cyber Crime Unit warning computer users in their regions about CryptoLocker infections in October and November, respectively.
While both nations sounded the alarm, it was the U.S., at least from October 22 to November 1, that saw the lion’s share of infections. The United States saw 22,360 infections, accounting for a staggering 70.2 percent of the total infections over that time period. Great Britain came in a distant second with almost 2,000 infected systems, or about 5.5 percent of total infections.
As expected, the jump in infections coincided with a barrage of spam from the Cutwail botnet. Attackers used emails sent out in October by botnets like Cutwail as vehicles for malware like Zeus Gameover that distributed and delivered CryptoLocker.
CryptoLocker infections have faded somewhat over the last week or so, though, allowing the U.S. and the U.K. to more or less even up with each other. From December 9 to December 16, the United States tallied 24 percent of all infections while the U.K. accounted for 19 percent of all infections.
While it was already established that CryptoLocker relies on multiple payment platforms — electronic methods like MoneyPak, CashU, Ukash and Paysafecard — to facilitate ransom, it wasn’t until October that it was discovered that the malware had also begun accepting Bitcoin, the all-the-rage-these-days digital crypto-currency, to let users decrypt their files.
SecureWorks estimates that if the malware creators had actually cashed in the 1,216 BTC (Bitcoin) they collected over this period they could’ve made $380,000. Since Bitcoin conversion rates fluctuate wildly though, that’s a far cry from what they could’ve earned if they had held onto it until today. The attackers’ Bitcoins could fetch around $980,000 currently according to Jarvis, who used the current weighted price of $804/BTC in his calculations.
Jarvis stresses that this is still a “conservative estimate” though and goes on to note that a tiny fraction of CryptoLocker victims, only 0.4%, actually pay the ransom.
At that rate however it’s likely that the CryptoLocker gang managed to convince at least 1,000 or so victims to pay up. At $300 a pop, that’s a cool $300,000 the attackers earned in just over 100 days, a profit they’ve clearly managed to conceal.
“Based on the duration and scale of attacks, they also appear to have the established and substantial ‘real world’ infrastructure necessary to ‘cash out’ ransoms and launder the proceeds,” Jarvis said, crediting the attackers’ prowess.
Dennis Fisher talks with Brian Donohue, Threatpost’s Washington, D.C. writer, about the new report from the NSA reform panel and whether any of the recommended changes will ever be implemented.
http://threatpost.com/files/2013/12/digital_underground_138.mp3
A presidentially appointed, five-member panel issued a more than 300-page report yesterday making nearly 50 recommendations for changes in the way that the National Security Agency conducts its increasingly public and controversial sweeping surveillance programs.
The entire report hinges on the oft-repeated notion that the country must strike a healthy balance between two adversarial desires: the necessity of maintaining constant vigilance in the face of international terrorism and other threats, and the hope that such protections will not erode the United Nations-recognized universal human right to personal privacy.
More specifically, the writers of the report urge its readers to carefully consider the following four principles:
- The United States Government must protect, at once, two different forms of security: national security and personal privacy.
- The central task is one of risk management; multiple risks are involved, and all of them must be considered.
- The idea of “balancing” has an important element of truth, but it is also inadequate and misleading.
- The government should base its decisions on a careful analysis of consequences, including both benefits and costs (to the extent feasible).
From the very beginning, the U.S. government has justified its surveillance programs by claiming its only intention is to target non-U.S. citizens for intelligence gathering. It has claimed there is no value in blindly collecting the email and other communications of U.S. citizens. Oddly, much of the media’s coverage has focused not on the ethics of mass spying in general, but rather on the collateral impact such practices may have on U.S. citizens. Beyond that, there have been constant accusations that NSA statements do not reflect reality, and that the communications data of U.S. citizens are indiscriminately swept into the NSA dragnet as well.
Refreshingly, the report attempts to give equal consideration for those surveilled at home and abroad:
“We recommend that, in the absence of a specific and compelling showing, the US Government should follow the model of the Department of Homeland Security and apply the Privacy Act of 1974 in the same way to both US persons and non-US persons.”
Each time the NSA would like to monitor the communications of a non-U.S. person, the report urges that it must be authorized by duly enacted laws or properly authorized executive orders; it must be directed exclusively at protecting national security interests; it must not be directed at illicit or illegitimate ends (such as the theft of intellectual property); it must not target any non-U.S. person based solely on that person’s views, religious, political, or otherwise; it must not disseminate irrelevant information; and it must be subject to careful oversight and transparency.
The panel consisted of Richard Clarke, one-time deputy Central Intelligence Agency director Michael Morell, former Chicago Law School dean and American Civil Liberties Union advisory board member Geoffrey Stone, legal scholar and former administrator of the Office of Information and Regulatory Affairs Cass Sunstein, and privacy law expert from the Georgia Institute of Technology Peter Swire.
Broadly speaking, regarding the collecting of information related to the communications of U.S. citizenry, the panel suggests several significant changes. First, an end to default metadata collection. Such information, they claim, should be stored privately – by companies or other third-party groups, but not by the NSA or the government directly. Second, the panel endorses more stringent protections of communication-data between U.S. and non-U.S. citizens. Third, they call for more limitations on the ability of the Foreign Intelligence Surveillance Court to compel the disclosure of data from third-parties to the government, both through National Security Letters and other means. Lastly, the group calls for legislative action aimed at promoting transparency on the part of the government and also those companies that receive government requests for data.
In order to curb frivolous data collection, the panel advises that the president create a new process, requiring highest-level approval of all sensitive intelligence requirements and the methods that the intelligence community will use to meet them. Those involved in this process should consider whether the information they seek to collect is truly valuable in the context of national security. They should also discuss the aims and means of their surveillance of foreign citizens and governments with the relevant leaders of closely allied nations.
The panel also calls for a number of organizational NSA reforms: they believe that the NSA director should be a Senate-confirmed position and urge the president to seriously consider appointing a civilian as the next director. However, that’s unlikely, given that the White House recently confirmed that the NSA director will retain oversight of Cyber Command, too, a military position. Furthermore, they argue the NSA should be clearly designated as a foreign intelligence organization, thus differentiating between the organizations responsible for offensive and defensive operations. Other missions (including that of NSA’s Information Assurance Directorate) should generally be assigned elsewhere. The head of the military unit, US Cyber Command, and the Director of NSA, they claim, should not be a single official. The report also asks for the creation of a public interest advocate to sit in on all FISC hearings.
Lastly, the report argues that the U.S. Government should take substantial steps toward bolstering international communication security.
“The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage. Among other measures relevant to the Internet, the US Government should also support international norms or agreements to increase confidence in the security of online communications.”
As for the information that meets the stated criteria and is collected by the government, the report says it must be better protected. They say the government should altogether eliminate the use of for-profit companies in the process of conducting personnel investigations and that the government needs to reexamine its system of security clearances, including the implementation of continual monitoring for individuals with high-level clearances.
Former NSA research scientist and current CTO of Immunity Inc., Dave Aitel, wrote in an analysis of the NSA report on his Daily Dave email list that the security clearance system is clearly and obviously broken, but he asserts that this document’s recommendations fail to address the real problems with that system and ultimately will not fix it. The real issue, he says, everywhere in the intelligence community is one of resources. As in all American companies, he writes, there is simply a shortage of qualified technical people.
The splitting of Cyber Command from the Information Assurance Directorate, Aitel says, would further exacerbate this lack of talent by restricting the mobility of skilled workers from positions in one division to positions in the other.
One aspect of the report that hasn’t received as much attention as the bits about surveillance reform is the section on the purchase and usage of zero days. The panel says that it’s usually in the best interest of Americans for the government to fix bugs rather than use them for offensive purposes, an assertion that Aitel disputes.
“It is demonstrably true,” Aitel writes in his analysis, “that the IC fixes vulnerabilities in both government and commercial systems that it deems a great threat – but the document describes a process that would unilaterally disarm our offensive teams for no clear defensive benefit. Likewise, the US Govt does not always have the intellectual property rights to 0days that would allow it to disclose them to a vendor – and should it start ignoring the agreements with its supply chain, the supply chain (which may be individuals, companies, other governments, other parts of the USG, academic institutions, etc.) will quickly find other customers.
“The paper states without any supporting evidence ‘In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection.’ This is demonstrably not true since without these vulnerabilities a large segment of extremely valuable targeted collection would go blind and fixing all USG known vulnerabilities does not necessarily decrease the risk from running buggy commercial software.”
*Antenna image via Rikard Fröberg‘s Flickr photostream, Creative Commons
On the same day that a panel of experts delivered a report to the United States president recommending sweeping changes to the way that the National Security Agency collects, handles and stores intelligence, the United Nations unanimously adopted a resolution calling for the protection of users’ right to privacy and emphasizing their right to be free from online surveillance.
The action by the U.N. comes in response to the avalanche of documents and information that have been made public since June regarding the capabilities and methods of the NSA and some of the intelligence agencies in other countries, including the United Kingdom and Canada. Documents leaked by former NSA contractor Edward Snowden have revealed the agency’s metadata collection program, the PRISM Internet traffic collection system and many others, which, taken together, form a picture of large-scale surveillance of Internet users’ movements and activities. The leaks have disturbed many in the privacy and human rights communities, especially, and have been the catalyst for calls for intelligence reform and greater oversight of what’s being collected and stored.
The resolution passed by the U.N. condemns the sweeping surveillance of innocent citizens of member states and demands that they “respect and protect the right to privacy, including in the context of digital communication.”
The resolution is the work of representatives from Germany and Brazil, and Navi Pillay, the U.N. high commissioner for human rights, said that the operations revealed by Snowden have emphasized the importance of ensuring that basic human rights, including the right to privacy, extend to the online world.
“Snowden’s case has shown the need to protect persons disclosing information on matters that have implications for human rights, as well as the importance of ensuring respect for the right to privacy,” she said.
“The right to privacy, the right to access to information and freedom of expression are closely linked. The public has the democratic right to take part in the public affairs and this right cannot be effectively exercised by solely relying on authorized information.”
The resolution also requires that Pillay put together a report on the protection of the right to privacy online, particularly in the context of mass surveillance, and deliver it to the General Assembly. The measure, which the United States lobbied to modify, also asks member states to look at their intelligence and data-collection programs with an eye on privacy and see whether modifications are needed.
Image from Flickr photos of PAVDW.
Dennis Fisher and Mike Mimoso discuss the happenings in the security world of late, including the latest NSA revelations, the odd DGA Changer malware and the response of attackers to the death of Blackhole.
http://threatpost.com/files/2013/12/digital_underground_137.mp3
A trio of scientists have verified that results they first presented nearly 10 years ago are in fact valid, proving that they can extract a 4096-bit RSA key from a laptop using an acoustic side-channel attack that enables them to record the noise coming from the laptop during decryption, using a smartphone placed nearby. The attack, laid out in a new paper, can be used to reveal a large RSA key in less than an hour.
In one of the cleverer bits of research seen in recent years, three scientists from Israel improved on some preliminary results they presented in 2004 that revealed the different sound patterns that different RSA keys generate. Back then, they couldn’t figure out a method for extracting the keys from a machine, but that has now changed. The research, which involves Adi Shamir, one of the inventors of the RSA algorithm and a professor at Weizmann Institute of Science, and two other academic researchers from Tel Aviv University, lays out a method through which an attacker can use a smartphone placed near a laptop to record the sounds generated by the machine during a decryption process using the GnuPG software.
“In this paper we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG’s current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away,” the researchers said in the paper, “RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis”, published Wednesday.
The attack relies on a number of factors, including proximity to the machine performing the decryption operation and being able to develop chosen ciphertexts that incite certain observable numerical cancellations in the GnuPG algorithm. Over several thousand repetitions of the algorithm’s operation, the researchers discovered that there was sound leakage they could record over the course of fractions of a second and interpret, resulting in the discovery of the RSA key in use.
“We observe that GnuPG’s RSA signing (or decryption) operations are readily identified by their acoustic frequency spectrum. Moreover, the spectrum is often key-dependent, so that secret keys can be distinguished by the sound made when they are used. The same applies to ElGamal decryption. We devise and demonstrate a key extraction attack that can reveal 4096-bit RSA secret keys when used by GnuPG running on a laptop computer, within an hour, by analyzing the sound generated by the computer during decryption of chosen ciphertexts. We demonstrate the attack on various targets and by various methods, including the internal microphone of a plain mobile phone placed next to the computer, and using a sensitive microphone from a distance of 4 meters,” the paper says.
To test their attack, the researchers performed it against GnuPG using OpenPGP messages containing their chosen ciphertext. OpenPGP will, in some cases, automatically decrypt incoming email messages.
“In this case, an attacker can e-mail suitably-crafted messages to the victims, wait until they reach the target computer, and observe the acoustic signature of their decryption, thereby closing the adaptive attack loop,” the researchers said.
Their attack works against a number of laptop models and they said that there are a number of ways that they could implement it, including through a malicious smartphone app running on a device near a target machine. They could also implement it through software on a compromised mobile device or through the kind of eavesdropping bugs used by intelligence agencies and private investigators.
The developers of GnuPG have developed a patch for the vulnerability that the Israeli researchers used, implementing a technique known as blinding. The patch is included in version 1.4.16 of GnuPG. Shamir and his co-authors, Daniel Genkin and Eran Tromer, said that they also could perform their attack from a greater distance using a parabolic microphone, and that it may also work with a laser microphone or vibrometer.
Image from Flickr photos of Tess Watson.
UPDATE – TJX and Heartland Payment Systems may soon have company atop the list of the worst retail data breaches in U.S. history after reports surfaced that Target Corp. was breached around Black Friday and millions of credit and debit cards were stolen.
Target confirmed the breach this morning and in a statement said 40 million credit and debit cards were accessed starting the day before Thanksgiving and that hackers had access to the company’s systems until Dec. 15. Target said the issue has been resolved and the company is working with law enforcement and had hired a forensics firm to help with the investigation. It is also working with financial services organizations and credit card companies in order to notify affected customers.
“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause,” said Gregg Steinhafel, Target chairman, president and chief executive officer. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”
Krebs on Security reported Wednesday afternoon that the breach began on or around Nov. 29, Black Friday, the kickoff to the Christmas shopping season and could have lasted as long as Dec. 15. The Wall Street Journal also reported on the breach, corroborating many of the same facts.
The breach affects only those customers who shopped at physical Target locations, and sources told blogger Brian Krebs that nearly all Target locations in the U.S. could be involved. Online shoppers at Target.com were not impacted, sources said.
Few details are available, but it appears the hackers made off with track data, the account information encoded on the magnetic stripes of payment cards. It’s unclear whether PINs were stolen as well, but if they were, ATM cards could be replicated and used to withdraw money.
Sources told Krebs that the breach could be among the largest retail breaches in U.S. history.
More than 45 million credit cards were stolen in the TJX hack; in 2010 Albert Gonzalez of Miami was sentenced to 20 years in prison for his orchestration of the breach. He was also sentenced in the Heartland Payment Systems breach which involved tens of millions more credit card numbers stolen from a number of retailers.
The TJX hack is the poster child of retail data breaches. Gonzalez’s ring was on the TJX network for as long as two years and affected customers who shopped in any of TJX Company’s retail operations going as far back as 2003 until December 2006.
This article was updated at 7 a.m. with comments from Target Corp., and clarifications throughout.
The arrest of alleged hacker Paunch and the subsequent dismantling of the Blackhole Exploit Kit operation has cybercrime groups scrambling to find another automated means of delivering exploits.
In the meantime, some are settling for old-school tactics that include infected email attachments and an increased investment in the social engineering used to entice users into double-clicking and executing the malware stored in the attachment.
The most recent evidence of this comes from a major cybercrime group reliant on the Cutwail botnet to send out spam that had been fiddling with a relatively new exploit kit called Magnitude before deciding to go the direct-attachment route.
Researchers at Websense said that since Paunch’s arrest, reported in early October, the company has captured emails with links that used to redirect to Blackhole now redirecting to Magnitude and others redirecting to phishing pages with American Express, work from home and diet remedy themes.
Apparently, however, Magnitude didn’t serve the attackers’ needs sufficiently as more and more samples included direct attachments, said director of research Alex Watson.
“That gives us an interesting look at the criminal community that leaves you open to speculate why they experimented with Magnitude and then moved away,” Watson told Threatpost. While the group was using Blackhole, the number of Cutwail messages containing malicious URLs was markedly higher than post-Blackhole when the number of emails containing infected ZIP files shot up.
“The overall levels of malicious activity have stayed somewhat consistent, but I would say the success of campaigns since moving to direct attachments and things like that is dramatically lower,” Watson said. “We’ve seen slightly more sophisticated social engineering attacks that are more convincing to users, but not nearly the same success rates they had when Blackhole was available for use.”
Cutwail is one of the most established and most prolific spam botnets, sending, at one point, millions of spam messages daily. It was two million compromised machines strong and used to distribute spam and financial malware targeting not only credit card data but credentials. The Cutwail emails often included links that would lead victims to sites hosting Blackhole, which would then inject downloaders for other malware such as ZeroAccess or Zeus.
The arrest of Paunch and the Blackhole takedown has turned cybercrime economics on its ear in some parts. Attackers have been forced to find other avenues to recover lost revenue.
“They’ve had to put more work into the social engineering and having sophisticated-looking emails to get users to click,” Watson said. “A second thing we’ve noticed is an increased aggressiveness with malware installations on computers that are compromised.”
Where attackers would be satisfied with leaner attacks because the volume provided by Blackhole web injections was so high, that’s now changed.
“Often we’ll see a Pony downloader which will steal credentials, which will then download Zeus, which will then download Cryptolocker, all in the matter of a couple of minutes,” Watson said. “So you’re looking at very aggressive installation of malware on computers that are targeted, which could be another way of making up lost revenue due to not infecting as many machines.”
Compromised computers are more than ever cash cows for attackers, some of whom invest significant money in purchasing exploit kits such as Blackhole. When that goes away, a number of infection vectors go away with it. Some of that dynamic has given rise to ransomware in recent months, in particular Cryptolocker, which encrypts files on shared drives in return for a ransom. Other malware variants have taken to anonymity networks such as Tor or I2P to hide communication and hopefully preserve the longevity of their enterprise.
Ransomware, however, gives an attacker an immediate shot at collecting a payout, Watson said.
“With Cryptolocker, I think there have been some cases where it’s been very successful,” he said. “If you look at smaller companies that don’t have really strong controls around file sharing or backup, and those businesses that don’t really have an established disaster recovery plan would be vulnerable to this.”
Researchers at Arbor Networks have identified a new DDoS bot with a fancy for ferrets.
Following a clue in a tweet, researcher Dennis Schwarz found Trojan.Ferret, including a command and control panel with some insight into targets. To date, a relatively small number of malware samples and command and control servers have been uncovered, Schwarz said, indicating that the full scope of the campaign is not clear yet.
“Some of the targeted site types [are] real estate companies, electronics shop, a wedding dress shop, a Panamanian politician, and a news site,” Schwarz told Threatpost. Victims have been found in the Netherlands, Russia, the United States and Germany.
Trojan.Ferret is written in the Delphi programming language and includes a number of self-preservation capabilities, including UPX packing, string obfuscation, anti-virtual machine and anti-debugging measures, self-modifying code and process hollowing.
The fact that the samples captured by Arbor Networks are written in Delphi indicates a likely Russian origin, Schwarz said.
“There exists a malware stereotype that if it’s written in Delphi, it’s of ‘Russian’ origin,” Schwarz said. “Empirically, it tends to pan out. I have a theory that when the current generation of ‘Russian’ malware authors (or who they base their code on) was going through their computer science curriculums that Delphi was the language of choice. So, that’s what they know and that’s what they’re comfortable with.”
Schwarz said that the malware author’s choice of Delphi also helps keep it viable.
“For a reverse engineer, the major disadvantage of Delphi is that it is a very messy language to disassemble,” he said. “It’s almost an art separating the wheat from the chaff.”
Trojan.Ferret uses two obfuscation methods, both combining base64 and XOR encryption to mask what’s happening under the covers. Different encryption keys are used for different parts of the malware code base, Schwarz said, adding that one method is used mostly to encrypt strings in the malware code, while the other hides communication back and forth with the command and control server.
Command and control communication is done over HTTP, and the bot comes equipped with a phone-home capability as well as a number of commands. The particular server infiltrated by Arbor is in Ukraine.
Schwarz’s research so far has identified 18 commands with this bot, most of them flood commands used to overwhelm websites with fraudulent traffic. Other commands download bots on infected computers, send updates to either all bots, specific bots or just bots running on particular operating systems. There are also removal commands.
“For the DDoS commands, I would say Ferret implements the core set of floods,” Schwarz said. “Missing from the command set are the standard suite of application layer attacks such as Slowloris, Apache Killer, and RUDY.”
Schwarz gained access to the command and control panel and learned from the dashboard that, in addition to the author calling bots “ferrets,” there are close to 3,000 compromised machines out there and the attackers know how many are active within any 24-hour or seven-day period.
Image courtesy Arbor Networks
Malware authors have been using domain-generation algorithms for a few years now, often in botnet-related malware that needs to stay one step ahead of takedown attempts and law enforcement agencies. Now, researchers have discovered that a strain of malware that may have been part of the attack in October on PHP.net is employing a DGA tactic that enables the malware to change the seed it uses to generate the random domains.
Domain-generation algorithms are used by malware to generate new, random domains rapidly that the malware can use for command and control. The idea is to avoid having static C2 domains that are easy targets for security researchers and law-enforcement agencies looking to take down the command infrastructure that the attackers use to communicate with infected machines. DGAs often are seen in botnets, but have become fashionable for more mundane malware as well in recent years. After infecting a new machine, the DGA Changer malware, as Seculert has named this piece of software, sends a variety of data back to the attackers, including the OS information, the DGA seed, the version of Adobe Flash running on the machine and whether the malware is running in a virtual machine.
Aviv Raff, CTO of Seculert, said that after digging into the malware used in the PHP.net attack, it appears that the malware also uses some more conventional tactics, but likely is just the first stage of a more extensive attack.
“We have first noticed the DGA changing capability on the same day of the php.net attack. However, there might have been different variants of this downloader without this new technique, used by the same attackers, beforehand,” Raff said.
“This is most probably a pay-per-install service, which instead of selling by region, it targets specific organizations.”
Seculert researchers said that there are DGA Changer infections around the world, but that most of them so far have been found in the United States. What the malware is going to do in the future remains to be seen, but researchers say that the ability to change the DGA seed is a good indication that there’s more to come.
“Strangely, DGA.Changer doesn’t appear to be downloading anything of value yet. In fact, the only thing it has downloaded so far is a file that…you guessed it…does absolutely nothing. Our speculation is that the adversaries behind DGA.Changer are likely selling bots on a pay-per-install basis from specific companies, and installing other malware only on their machines,” they said in a blog post.
“Why would adversaries deploy a malware which downloads nothing, on a site used by software developers, and then engineer it so that it can receive commands from a C2 server to change the DGA seed? It makes no sense – and that’s worrisome. Not all adversaries are geniuses, but they typically have an agenda. We have no doubt that this is only the beginning of the DGA.Changer story.”
Security weaknesses on the Santander Group BillPay website and mobile banking application have been addressed by the financial services organization’s developer Headland after they were exposed less than a week ago.
U.K. consultant Paul Moore of Cressona Corp. reported a number of serious vulnerabilities on the Santander website and mobile application; Santander Group recently acquired Sovereign Bank in the United States and has 718 branches nationwide serving 1.7 million customers. The vulnerabilities included weaknesses in the online app that made it susceptible to man-in-the-middle attacks, denial-of-service attacks and older protocols opening it up to a number of other attacks.
Moore said last Friday that Santander and Headland had resolved all outstanding issues aside from a weak password storage flaw that requires code and database changes by the development agency.
Moore noted a number of problems; the most worrisome were improperly installed SSL certificates, the very thing meant to guarantee the encryption and security of online transactions. A vulnerability scan showed that the Web app did not support a number of baseline SSL protocol implementations, including secure session renegotiation, TLS compression, Forward Secrecy and Strict Transport Security; it did, however, support the outdated RC4 encryption algorithm that a number of experts have urged organizations to move away from.
Moore also discovered issues with password storage; the app enforced a maximum length of 50 characters per password, indicating it may not be hashing passwords securely. Moore attempted a password reset, but instead was offered a reminder email in which his password was delivered in plain text.
The site also suffered from a serious cross-site scripting vulnerability on a payment gateway hosted under the BillPay website that allowed attackers to inject content at will, including fake payment forms or other hacks that would lead to a loss of data or funds.
As for the mobile app, Moore said he was able to, using the tool Fiddler, run a man-in-the-middle attack against himself that captured his credentials. The app failed to alert to a phony SSL certificate generated by the Fiddler tool and executed the log-in. The same scenario was true for the Santander Group’s mobile business app.
On the plus side, Moore said Santander Group and Headland resolved the issues within 72 hours of them being reported. The SSL implementation was addressed first with support for RC4 removed. Also, support for insecure renegotiations was removed. Shortly thereafter, those fixes were followed with a resolution of the SSL certificate issues.
“There’s an unnecessary root anchor which will increase handshake latency but from a security standpoint, it’s much safer. Not class-leading, but good enough,” Moore said, adding that the vulnerable mobile apps were still reachable on Google Play. “It should also be noted that Santander have investigated and resolved the vast majority of issues within 72hrs of this article going live. Although it doesn’t allay my concerns completely, it certainly helps restore faith in their approach to security.”
The Tor network may provide a lead-lined cover for Internet users seeking a measure of privacy online, but it also has proven to be an attractive shelter for attackers.
A number of malware campaigns have been able to successfully maneuver on Tor, using the anonymity network as a communication infrastructure that hides stolen data and malicious instructions as they’re sent between bots and the command and control server.
However, the fact that we’re hearing more about these campaigns running on Tor also means they’re being found out.
The latest to be exposed has been nicknamed Chewbacca by researchers at Kaspersky Lab’s Global Research and Analysis Team. Chewbacca finds running processes on compromised computers, reads process memory, drops a keylogger and is able to move that information off of infected machines.
Marco Preuss, director of the Kaspersky research team in Europe, said this malware is not available in public underground forums, unlike others such as Zeus; Kaspersky researchers recently found a 64-bit version of the infamous banking malware that uses Tor as a communication highway.
“Maybe this is in development or the malware is just privately used or shared,” Preuss wrote on the Securelist blog. “It seems that Tor is attracting some criminals to host their infrastructure, as it promises more ‘security’ for C&Cs – but this holds drawbacks.”
Because of the encryption securing communication on Tor between multiple proxy hops, hackers must contend with additional complexity and latency on the network. Also, hackers running a botnet on Tor run a greater risk of being found out because the addition of copious amounts of traffic could slow down the network and alert watchers that something is amiss.
This is exactly what brought down the Mevade botnet. Researchers speculate the Mevade gang moved the botnet to Tor to hamper takedown attempts by law enforcement, but all they did was spike Tor traffic literally overnight, alerting Tor handlers to the illicit activity.
Kaspersky researchers did not reveal how they discovered Chewbacca, nor the extent to which it has spread. The malware is a PE32 executable compiled with Free Pascal 2.7.1; its 5 MB file includes the Tor executable. The malware, once executed, drops as spoolsv.exe into the victim machine’s startup folder. It then launches its keylogger and stores all keystrokes to a log created by the malware, Preuss said.
It then relies on two PHP scripts to extract information from the infected computer and send it to the attacker, although as of now, only one is functioning.
Preuss said that the command and control server is also hosted on a Tor .onion domain. The front end of the server is a log-in interface overlaying an image of Chewbacca from Star Wars. Kaspersky detects the Chewbacca Trojan as Trojan.Win32.Fsysna.fej.
It’s likely there are additional malware campaigns operating on Tor; recent research activity has uncovered not only the 64-bit version of Zeus and Mevade, but also an exploit kit known as Atrax that not only steals data from browsers, but can also launch denial-of-service attacks and carry out Bitcoin mining.
Tor isn’t the only option for attackers. Russian criminals were using a different darknet called I2P, or the Invisible Internet Project, as a communication protocol for the i2Ninja financial malware. I2Ninja is similar to other banking Trojans in that it has HTTP injection capabilities, email, FTP and form grabbers, but it also promotes 24/7 support for a price.
*Chewbacca image via Pierre Guinoiseau‘s Flickr photostream, Creative Commons.
Dennis Fisher talks with Ron Deibert of the University of Toronto and Citizen Lab about his group’s research into cyber espionage campaigns, the surveillance landscape and his recent book, Black Code.
http://threatpost.com/files/2013/12/digital_underground_136.mp3
Apple updated its Mac OS X Mavericks platform yesterday with a number of security fixes for the Safari browser and WebKit layout engine.
The operating system update will move users to OS X Mavericks version 10.9.1. It appears that the broad operating system release is merely a repackaging of a bulletin fixing a single vulnerability in Apple’s Safari browser and a second bulletin addressing eight vulnerabilities in the Cupertino, California-based company’s WebKit rendering engine.
The Safari patch fixes CVE-2013-5227, which was reported to Apple by Niklas Malmgren, a front-end developer for the mobile payments firm Klarna AB. The vulnerability relates to a bug in Safari’s autofill feature that was pushing usernames and passwords into a subframe from a domain separate from the main frame containing the field where such information should have been entered. In other words, the Safari browser was leaking user credentials to an unexpected site with its autofill feature. Apple fixed the problem by improving the browser’s origin tracking system.
The WebKit bulletin resolves CVE-2013-2909, reported by Atte Kettunen of the Oulu University Secure Programming Group; CVE-2013-5196, CVE-2013-5917 and CVE-2013-5225, reported by the Google Chrome security team; CVE-2013-5228, reported by the Keen Team working alongside H-P’s Zero-Day Initiative; and CVE-2013-5195, CVE-2013-5198 and CVE-2013-5199, each of which was reported internally by Apple. The vulnerabilities represent a series of memory corruption flaws in the WebKit layout engine. These vulnerabilities can be exploited on unpatched machines if users visit a maliciously crafted site, which can in turn lead to unexpected application termination or arbitrary code execution. Apple resolved these issues by implementing better memory handling.