Threatpost for B2B
Developers behind the Web framework Django have pushed out a new build that fixes a handful of security issues, including a denial of service vulnerability in the framework’s password hasher.
Django 1.4.8, Django 1.5.4, and Django 1.6 beta 4 were released over the weekend and users are urged to upgrade immediately according to a blog post by Django developer James Bennett on Sunday.
The main problem with Django – versions 1.6, 1.5 and 1.4 are affected – lies in how it authenticates users and passwords. Django doesn’t store the raw password in its database, it stores a hashed version of it that is computed at each log-in attempt.
It was discovered recently however that attackers can repeatedly submit large passwords and overwhelm Django’s servers in “the expensive computation of the corresponding hashes.” According to Bennett, before this fix, Django didn’t impose a maximum when it came to plaintext password length. Attackers could submit ridiculously long, sure-to-fail passwords and in turn, the framework would have run a lengthy check to verify it.
Bennett notes that using its standard password hasher, PBKDF – part of RSA’s PKCS series, it would take Django about a minute to check a password one megabyte in size. The bigger the password, the longer system resources are tied up. With the new patch, Django fixes this flaw (CVE-2013-1443) and now fails authentication on any password submitted over 4096 bytes.
Bennett notes that for this fix, the developers had to issue and out-of-band patch of sorts. Usually security issues are reported via email but in this case, a third party publicly disclosed the flaw via Django’s developers mailing list. Since the flaw could have potentially impacted what they refer to as live deployments of the framework, the team was forced to issue a release outside of its usual schedule.
Django is an open source web framework, written in Python, that lets developers rapidly produce and maintain Web applications. The functionality is used, in varying extents, on social media sites like Pinterest, Instagram and in work done by the software company Mozilla, among others.
A NASDAQ representative confirmed this morning that a cross-site scripting vulnerability on the exchange’s website discovered by an ethical hacker has been patched.
The issue was reported on Sept. 2 by Ilia Kolochenko, chief executive of High-Tech Bridge, a Swiss penetration testing company. Kolochenko characterized the issue as a relatively simple cross-site scripting vulnerability.
“It’s not something that would shut down the site, but if a good hacker group wanted to hack them, XSS will make that hack simpler for them,” Kolochenko said, adding that it took two weeks for NASDAQ to address the situation and that it did so only after media reports surfaced on the vulnerability.
NASDAQ said it addressed the issue immediately internally.
“We have fixed the vulnerability, and we began working on the issue once it was flagged to us by the High-Tech CEO – we address any and all vulnerabilities identified, whether internally via our standard processes or externally, like the one we received on September 2,” a NASDAQ representative said in an email to Threatpost.
NASDAQ suffered an outage on Aug. 22 that prompted the exchange to shut down for three hours; a software error was blamed. Kolochenko said the outage prompted him to look at the Web platform used by NASDAQ and that he then discovered a Web application vulnerable to cross-site scripting attacks.
“A quick and totally harmless test confirmed an exploitable XSS vulnerability that allows injecting arbitrary HTML and scripting code into NASDAQ.com webpages,” he said in a statement.
NASDAQ said it validated the claim, as it does with all reported vulnerabilities.
“We take all information security matters seriously,” NASDAQ said. “We work with leading security vendors and have a trained and professional team that evaluates all credible threats across our digital assets.”
Kolochenko said an attacker could gain access to a protected portion of the NASDAQ environment, such as an administrative portal, and modify content on the site.
“Assuming the hackers know where this [vulnerable] component is located, he has to find someone from NASDAQ who can access it, send him a link pointing to NASDAQ.com that will exploit the cross-site scripting vulnerability,” Kolochenko said. “When the person who gets the link clicks on it, his cookies or other sensitive information will be sent along. The hacker will receive this information and will be able to log in to an admin panel with the victim’s user name and password and can do any modification on the site he wants.”
Kolochenko said the NASDAQ site has no mechanism on which to report security vulnerabilities, something NASDAQ denies, adding that such channels are used regularly. Kolochenko contends that only after two weeks and a barrage of initial media reports over the weekend about his discovery of the vulnerability did NASDAQ move to action.
“I have checked all my email and spam folders and I have never ever received a single email from NASDAQ, a NASDAQ contractor, or anyone related to them,” Kolochenko said. “If NASDAQ insists they replied to me, my question is simple: Why after all the articles about the issue didn’t NASDAQ try to contact me again? No one resent the original contact, notified or replied to me.”
This week, meanwhile, U.S. stock exchanges and Federal regulators agreed to reforms, including a kill-switch mechanism that would shut down trades during emergencies, Reuters reported.
“I stressed the need for all market participants to work collaboratively – together and with the Commission – to strengthen critical market infrastructure and improve its resilience when technology falls short,” said Securities and Exchange Commission chair Mary Jo White.
The decision by the Ninth Circuit Court last week to allow the class-action suit against Google over its collection of WiFi data to continue was welcomed as good news by privacy advocates, but it may have considerable consequences for security researchers who collect such data during legitimate research projects.
The legal dispute over the WiFi data gathered by Google goes back several years and stems from unencrypted payload data collected by the company’s Street View vehicles. The cars drive around taking hi-res photos that show up as images on Google Maps’ Street View feature. During their exploits several years ago, the vehicles also collected data from unsecured WiFi routers, ostensibly as a way to improve the accuracy of their location services. Initially, Google officials said that the cars only were recording the location of the routers, but it soon came out that they also gathered payload data.
A number of groups filed suits against the company, which eventually were consolidated into a class-action suit that’s still winding its way through the federal courts. The most recent decision, which came last week, saw the Ninth Circuit Court deny two motions by Google to dismiss the suit on the grounds that the WiFi transmissions constituted radio broadcasts.
“The panel held that the Wi-Fi network data collected by Google was not a radio communication, and thus was not by definition readily accessible to the general public. The panel also held that data transmitted over a Wi-Fi network is not readily accessible to the general public under the ordinary meaning of the phrase as it is used in § 2511(2)(g)(i). Accordingly, the district court did not err in denying the motion to dismiss on the basis of the Wiretap Act exemption for electronic communication that is readily accessible to the general public,” the decision says.
That means the suit will go forward, but, as the EFF explains, it could also lead to problems for some security researchers who rely on the ability to collect WiFi data for legitimate purposes.
“If you’re a security researcher in the Ninth Circuit (which covers most of the West Coast) who wants to capture unencrypted Wi-Fi packets as part of your research, you better call a lawyer first (and we can help you with that). The Wiretap Act imposes both civil and serious criminal penalties for violations and there is a real risk that researchers who intentionally capture payload data transmitted over unencrypted Wi-Fi—even if they don’t read the actual communications —may be found in violation of the law. Given the concerns about over-criminalization and overcharging, prosecutors now have another felony charge in their arsenal,” Hanni Fakhoury of the EFF wrote.
Researchers will sometimes do large-scale surveys of wireless access points for various projects, and the court’s decision could hinder those kinds of projects. However, the decision also supports the notion that law enforcement agencies still need wiretap orders to capture unencrypted WiFi data.
“That’s good news since wiretap orders are harder to get than a search warrant,” Fakhoury said.
Image from Flickr photos of Sancho McCann.
The U.S. government–particularly the National Security Agency–are often regarded as having advanced offensive cybersecurity capabilities. But that doesn’t mean that they’re above bringing in a little outside help when it’s needed. A newly public contract shows that the NSA last year bought a subscription to the zero-day service sold by French security firm VUPEN.
The contract, made public through a Freedom of Information Act request by MuckRock, an open government project that publishes a variety of such documents, shows that the NSA bought VUPEN’s services on Sept. 14, 2012. The NSA contract is for a one-year subscription to the company’s “binary analysis and exploits service”.
VUPEN is one of a handful of companies that sell software exploits and vulnerability details. The company, based in Montpellier, France, employs a number of security researchers who do original vulnerability research and develop exploits for bugs that they find. That information is then sold to governments and law enforcement agencies. VUPEN officials have said that the company only will sell its services to NATO countries and will not deal with oppressive regimes.
“We only sell to democracies. We respect international regulations, of course, and we only sell to trusted countries and trusted democracies,” VUPEN CEO Chaouki Bekrar said in an interview last year. “We do not sell to oppressive countries.”
In the debates and conversations that have followed the flood of documents leaked by Edward Snowden about the NSA’s intelligence gathering and surveillance programs, there has been an undercurrent of discussion about the agency’s use of software exploits and malware to eavesdrop on targets. The NSA has an in-house team of security researchers and engineers who do their own vulnerability and exploit research, but the publication of the NSA-VUPEN contract shows that the agency also does business with outside zero-day merchants. Government agencies, intelligence organizations and law enforcement are among the larger buyers of software exploits and there are still a relatively small number of companies who sell these wares, although that number is growing.
Several U.S. defense contractors and small, private security companies also sell vulnerability details and exploits. VUPEN is the most visible and vocal of this group and its researchers can be found at most of the top security conferences throughout the year.
Image from Flickr photos of Jim Kelly.
A strain of the Revoyem ransomware, also known as DirtyDecrypt, is aggressively spreading beyond Germany and Great Britain, the first two countries in which it was spotted back in March. A researcher who goes by the handle Kafeine reports on his Malware Don’t Need Coffee website that Revoyem is being aggressively distributed internationally.
Victims are generally infected on pornographic websites with the malware, Kafeine reports in a blogpost. It then takes a turn for the worst, redirecting victims via a TrafficHolder malvertising ad to page hosting child pornography which drops the Styx exploit kit on the victim’s machine and the DirtyDecrypt ransomware locking the victim’s computer and informing the victim they’ve just viewed illegal content.
“This is amplified [because] it’s true, you just viewed illegal content even if you’ve been driven there against your will,” Kafeine said.
Ransomware generally follows a similar pattern, though previous strains of the malware have forgone actually displaying child pornography. The victim’s computer is locked by the malware and displays a banner purporting to be from a law enforcement agency. Sometimes these banners are regionalized, i.e., a U.S.-based infection will display an FBI banner informing the victim they must pay a “fine” in order for their machines to be returned to normal working order.
Kafeine said the DirtyDecrypt ransomware has been spotted in 15 countries including the U.S., Spain, France, Italy and the Netherlands.
The FBI banner displays the victim’s IP address and location as well as the illegal images displayed by the malware before locking the computer. The FBI warning also posts a log of visits from the victim’s IP address, and the charges the victim faces.
“In the case of payment of a fine, all data collected against you will be removed from the evidence base,” reads the final page displayed by the malware, along with payment options from MoneyPak and PaysafeCard.
In the background, the malware is stealing private information from the machine’s browser, disabling Windows Task Manager and installs itself for autorun at Windows startup, an analysis at Malwr.com indicates. A list of domains associated with Revoyem have been posted on Pastebin, all of which have been posted in the past few days.
The BEAST cryptographic attack, once thought to be largely mitigated, has two things conspiring against it to make breaches potentially possible again.
Not only has a server-side mitigation essentially been rendered moot by recent research into the RC4 cryptographic protocol, but Apple has yet to enable by default a client-side mitigation into its Safari browser that would keep BEAST at bay, according to research done by Qualys director of application research Ivan Ristic.
BEAST is an attack tool that targets a vulnerability in TLS 1.0 and SSL 3.0 and was reported in September 2011 by researchers Juliano Rizzo and Thai Duong. They built the BEAST tool, which is capable of grabbing and decrypting HTTPS cookies and hijacking browsing sessions in order to steal credentials and more. Major browser makers, except for Apple, addressed the issue on the client side by implementing a technique known as 1/1-n split. The technique stops attackers from being able to predict the initialization vector blocks that are used to mask plaintext data before it is encrypted.
An attacker with a man-in-the-middle presence in a browser session can predict the initialization vector blocks, see what the encrypted data output looks like and influence what is encrypted, Ristic said. No data can be decrypted, Ristic said, but an educated attacker with enough guesses is likely to land on the correct one.
“Because guessing is not very efficient, the BEAST attack can in practice used to retrieve only small data fragments,” Ristic wrote. “That might not sound very useful, but we do have many highly valuable fragments all over: HTTP session cookies, authentication credentials (many protocols, not just HTTP), URL-based session tokens, and so on. Therefore, BEAST is a serious problem.”
Ristic told Threatpost that browser vendors were quick to deploy the 1/1-n split except for Apple, which encoded the mitigation into its Mountain Lion release more than a year ago, but disabled it by default.
“There is no statement [from Apple] on its intentions or published information on how to enable mitigation if people wanted to,” Ristic said, adding that only experience security-aware people would likely think about enabling this type of defense.
On the server side, the best way to mitigate BEAST had been to enforce RC4 encryption whenever TLS 1.0 is used. However, experts Dan Bernstein, Kenny Paterson, Nadhem AlFardan, Bertram Poettering and Jacob Schuldt published an attack that exploits a weakness in RC4 that could allow an attacker to decrypt the key stream—an issue that’s been known about in the community for 15 years.
“Now that RC4 is weak, we have to begin to take measures to disable it. So therefore, we can no longer mitigate BEAST on the server side,” Ristic said. “As long as Safari remains theoretically vulnerable, we are afraid that any change in browser capabilities may lead to a condition that would enable an exploit to the BEAST attack.”
BEAST attacks are ideal in targeted attacks against specific individuals and attackers would need to carry out a man-in-the-middle attack to exploit the issue; BEAST cannot be done on any kind of scale, Ristic said. Also, the source code for BEAST was never released by Rizzo and Duong.
Ristic also cautions that deploying TLS 1.1 or TLS 1.2 would not address BEAST, regardless of the fact they don’t know carry the same initialization vector weakness as TLS 1.0. Most of the Internet remains on TLS 1.0 and while future browsers will support TLS 1.2, Ristic said they will still be vulnerable to protocol downgrade attacks.
“An active MITM can simulate failure conditions and force all browsers to back off from attempting to negotiate TLS 1.2, making them fall back all the way down to SSL 3,” Ristic said. “At that point, the predictable [initialization vector] design is again a problem. Until the protocol downgrade weakness is fixed, newer protocols are going to be useful only against passive attackers, but not against the active ones.”
Apple pushed a handful of patches late last week and updated its OS X Mountain Lion to 10.8.5, improving “stability, compatibility and security” issues and fixing 30 different vulnerabilities in the operating system.
The update fixes multiple vulnerabilities in Apache that could have led to a cross-site scripting error and vulnerabilities in BIND that could have led to a denial of service attack. Other fixes, including some in assorted components like PostgreSQL, PHP and OpenSSL fixed errors that could have led to arbitrary code execution, data corruption or privilege escalation problems.
Apple also updated its Certificate Trust Policy, adding and removing several root certificates from the list of trusted system roots. Apple also patched up its Installer function, which previously presented a dialog to let the user continue when it encountered a revoked certificate. Now, the dialog has been removed and the system refuses any revoked package.
The update also resolved the previously reported sudo vulnerability. An attacker could’ve gained root privileges on a system where sudo, a Linux command that manages user privileges on several types of systems, has been used before. “On OS X, only admin users can change the system clock. This issue was addressed by checking for an invalid timestamp,” reads the security document released in tandem with the patches Thursday.
10.8.5 is likely the last update Apple users will see for the company’s “cat” series (Lion, Mountain Lion, etc) of operating systems. The next iteration of Apple’s OS, Mavericks, is slated for release at the end of October.
On the security front, Apple has already announced in its Core Technologies Overview (.PDF) that Mavericks will feature more finely tuned Address Space Layout Randomization (ASLR), compressed memory, sandboxes and code signing entitlements.
UPDATE: The popular cloud storage service Dropbox was reportedly undercutting the efficacy of access space layout randomization (ASLR) by failing to enable that feature within the dynamic link libraries (DLLs) it injects into other applications. The company now claims it has resolved the issue.
Graham Sutherland explained in a post last week on codeinsecurity that Dropbox and similar tools tend to extend their functionalities to other programs using shell extensions. In Dropbox’s case, Sutherland says the extensions are likely used to add Dropbox functionalities to the menu that pops up when a user right-clicks a given file. These shell extensions are basically custom-designed DLLs which are loaded into process memory. Dropbox apparently uses two DLL extensions, one for 32-bit systems and another for 64-bit systems.
ASLR is a widely deployed security technique that randomly arranges the locations of key data on machines in order to keep attackers from reliably guessing where particular processes take place. The technique’s primary purpose is to protect machines against buffer overflow attacks.
Sutherland examined that way that Dropbox extended its functionalities to Mozilla’s Firefox Web browser and noticed that the extension DLLs at work there do not have ASLR enabled. More broadly, Sutherland’s findings suggest that Dropbox is arbitrarily injecting DLLs without ASLR enabled into any number of 32- and 64-bit applications and processes.
“This means that any vulnerability in Firefox becomes a lot easier to exploit, since the Dropbox module provides an unrandomised anchor for a ROP (return-oriented programming) chain,” Sutherland wrote on his blog last week.
He went on to explain that this practice causes “significant degradation in the efficacy of ASLR across the entire system,” because an attacker could exploit this by putting some executable code inside the to-be-injected DLL in order to produce an ROP chain that could then be used to execute malicious code on affected machines.
The vulnerability is of particular concern in cases where Dropbox is extending itself into high-risk programs such as browsers and torrent clients, Sutherland claims.
Sutherland notified Dropbox and its has confirmed the existence of the problem to codeinsecurity and are said to be working on a fix. It appears that the company has resolved the problem for 64-bit DLLs but not yet for the 32-bit variety.
“Our engineers are aware of this issue and actively working on fixing it,” Dropbox is quoted as having said in a statement on codeinsecurity. “Unfortunately, I can’t give you an exact timeline that a fix will become available. If you have any additional questions or concerns please let me know.”
A Dropbox spokesperson confirmed the issue in an email interview with Threatpost, saying that the problem has been fixed in the latest forums release.
A group of cryptographers in the UK has published a letter that calls on authorities in that country and the United States to conduct an investigation to determine which security products, protocols and standards have been deliberately weakened by the countries’ intelligence services. The letter, signed by a number of researchers from the University of Bristol and other universities, said that the NSA and British GCHQ “have been acting against the interests of the public that they are meant to serve.”
The appeal comes a couple of weeks after leaked documents from the NSA and its UK counterpart, Government Communications Headquarters, showed that the two agencies have been collaborating on projects that give them the ability to subvert encryption protocols and also have been working with unnamed security vendors to insert backdoors into hardware and software products. Security experts have been debating in recent weeks which products, standards and protocols may have been deliberately weakened, but so far no information has been forthcoming.
The cryptography researchers in the UK are asking the UK and U.S. governments to reveal which ones are suspect.
“By weakening cryptographic standards, in as yet undisclosed ways, and by inserting weaknesses into products which we all rely on to secure critical infrastructure, we believe that the agencies have been acting against the interests of the public that they are meant to serve. We find it shocking that agencies of both the US and UK governments now stand accused of undermining the systems which protect us. By weakening all our security so that they can listen in to the communications of our enemies, they also weaken our security against our potential enemies,” the letter says.
Published on Monday, the letter is signed by cryptographers from the University of Bristol, University of London, University of Birmingham, University of Luxembourg, University of Southampton, University of Surrey, University of Kent, Newcastle University and University College London. In it, the researchers call on the relevant authorities to publicly name the products and standards that have been weakened in order to inform users which systems they should avoid.
“We call on the relevant parties to reveal what systems have been weakened so that they can be repaired, and to create a proper system of oversight with well-defined public rules that clearly forbid weakening the security of civilian systems and infrastructures. The statutory Intelligence and Security Committee of the House of Commons needs to investigate this issue as a matter of urgency. In the modern information age we all need to have complete trust in the basic infrastructure that we all use,” the letter says.
In the weeks since the documents detailing the NSA’s cryptographic capabilities emerged, further details about exactly which protocols the agency can attack successfully and which standards it may have influenced have been scarce. NIST, the U.S. agency that develops technical standards for cryptography, among other things, as denied accusations that the NSA was able to weaken some of the NIST standards. However, at the same time, NIST officials have issued a recommendation that people no longer use one of the encryption standards it previously published.
“NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used,” the NIST statement says.
The standard in question is an elliptic curve random bit generator, and cryptographers have called into question its integrity in the wake of the latest NSA revelations, mainly because its difficult to tell how the points on the elliptic curve were determined.
“This algorithm includes default elliptic curve points for three elliptic curves, the provenance of which were not described. Security researchers have highlighted the importance of generating these elliptic curve points in a trustworthy way. This issue was identified during the development process, and the concern was initially addressed by including specifications for generating different points than the default values that were provided. However, recent community commentary has called into question the trustworthiness of these default elliptic curve points,” the NIST statement says.
Image from Flickr photos of Elliott Brown.
A Belgian telecom company that handles some of the undersea cables that carry international voice traffic said Monday that its internal network had been compromised sometime in the last few months and malware had planted on some of its systems. Belgacom said the attack only affected its own systems, and not those of customers, and said it has filed a complaint with the Belgian federal authorities about the incident.
The attack reportedly affected a few dozen machines on Belgacom’s network, including some servers, and the company’s CEO said in a press conference that he had no idea how long the malware had been present in the network. There are reports that the intrusion had been active for as long as two years by the time the Belgian company discovered it. Belgacom officials took remediation steps over the weekend to remove the unidentified malware.
“This weekend, Belgacom successfully performed an operation in the light of its continuous action plan to protect the security of its customers and their data and to assure the continuity of its services,” Belgacom said in a statement.
“Previous security checks by Belgacom experts revealed traces of a digital intrusion in the company’s internal IT system. Belgacom has taken all appropriate actions to protect the integrity of its IT system and to further reinforce the prevention against possible incidents.”
Belgacom is the biggest telecom in Belgium and the country’s government is the majority shareholder in the company. The company provides a variety of voice and data services to carriers around the world, including leased capacity on undersea cables that carry large amounts of international traffic through its BICS (Belgian International Carrier Services) offering. That traffic would be a likely target for an attacker. Belgacom officials said that they’re not naming the intruder, but have filed a complaint with the Belgian federal prosecutor about the incident.
“For Belgacom, the protection of the customers and their data is a key priority. At this stage there is no indication of any impact on the customers or their data. At no point in time has the delivery of our telecommunication services been compromised,” the company statement said.
“Belgacom strongly condemns the intrusion of which it has become a victim. The company has filed a complaint against an unknown third party and is granting its full support to the investigation that is being performed by the Federal Prosecutor.”
Image from Flickr photos of Greckor.
Dennis Fisher and Mike Mimoso talk about the news of the last couple of weeks, including the revelations of the NSA’s anti-cryptography capabilities, the botnet making use of Tor and the Kimsuky cyberespionage attack.http://threatpost.com/files/2013/09/digital_underground_126.mp3
The flood of documents regarding the NSA’s collection methods and capabilities that have been leaked this summer has produced thousands of news stories and several metric tons of speculation about what it all means. But for all of the postulating, analysis and reporting, there are still a lot of questions left unanswered in all of this. Let’s try to address some of them.
Can the NSA break the encryption used in HTTPS connections or secure email systems?
For some definitions of “break,” yes. After the overheated reaction to the leak of the documents detailing some of the NSA’s cryptographic capabilities died down, experts took a closer look at the information and began to coalesce around the idea that the agency is essentially doing what it is supposed to do: find ways to defeat encryption. This is done in various ways, including using software vulnerabilities in crypto implementations, man-in-the-middle attacks and perhaps mathematical advances that give the NSA the ability to decrypt some traffic. There are implications in some of the leaked documents that the NSA may have worked to deliberately weaken some cryptographic standards or algorithms, specifically ones approved by NIST, the U.S agency that approves technical standards for the federal government. NIST has denied those allegations, and there are no details right now about which standards are supposedly affected. There are known attacks against some of the more popular ciphers and cryptosystems and some of them are practical. But the easiest way to defeat encryption remains going after anything other than the encryption.
Does that mean I shouldn’t use encrypted email?
No, it doesn’t. Bruce Schneier, who has examined some of the unpublished leaked NSA documents, said that he still trusts the math on which the major encryption algorithms are based. “Honestly, I’m skeptical. Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system. I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks. Those are where the real vulnerabilities are, and where the NSA spends the bulk of its efforts,” Schneier wrote. Using secure email is still a good defense against eavesdropping and attacks, even from the most sophisticated adversaries. Schneier and other experts recommend using longer key lengths, such as 2048 or even 4096 bits, as insurance.
Should I consider the Internet to be a hostile environment?
Yes! But that was true long before any of these NSA-related leaks emerged. The Internet is a dirty, nasty place not fit for use by most decent people. In general, it’s safe to assume that the Internet is trying to do you (or your packets) some kind of harm at all times. Act accordingly.
Why does the NSA care about my email?
It’s not you they care about, individually. It’s the plural you that interests them. The NSA’s job is to collect intelligence on foreign threats, mainly terrorists, and analyze it. That intelligence is usually in the form of electronic communications, what’s known as signals intelligence, and thanks to the rise of the Internet and explosion in cell phone usage, there’s now many times more of that traffic to gather than there was just 15 years ago. And a good portion of that traffic is encrypted these days, with major email providers such as Google encrypting their users’ sessions and more and more sites offering SSL connections to users. The NSA is tasked with trying to sift through all of that traffic and find indications of terror or anti-American activity by foreigners. But those foreigners don’t always just communicate with each other, and so sometimes U.S.citizens’ traffic ends up in the net, as well. When that happens, the agency is supposed to discard it in most cases, as the NSA’s mission only applies to non-U.S. persons. But what the leaked documents show is that the agency has been collecting massive amounts of phone metadata and email and Internet traffic involving Americans.
Are they just storing this stuff indefinitely?
That’s not clear right now. Some of the encrypted communications are stored for long periods, in the hope that the NSA may be able to decrypt them at some point in the future. But whether that is happening now using some of the agency’s supposed capabilities against cryptographic algorithms isn’t known.
I read something about the NSA running man-in-the-middle attacks against Google and other companies. What does that mean?
There’s a diagram that’s surfaced online of how this kind of attack may have been done. It’s a pretty basic set-up and is one of many ways that an adversary could conduct a MITM attack on a target. In general, MITM attacks are used to intercept communications between a sender and receiver, and they’re particularly valuable against encrypted traffic. If the attacker can get to the traffic before it’s encrypted and sent off to Google or whatever the destination is, he has essentially defeated the encryption scheme without having to attack the encryption itself. MITM attacks can be accomplished in several ways, including using a spoofed or stolen digital certificate to impersonate a service such as Gmail, or compromising a wireless router that a target is using and intercepting the traffic and using a tool such as SSLstrip to remove the encryption. The diagram in question doesn’t seem to involve the use of a stolen certificate, but rather the ability of the attacker to somehow access a router in the network that’s processing Google requests. Either way, that kind of attack would give the attacker the ability to read communications that the user believes to be secure.
So, is the Internet over?
Not quite yet. But there are apparently a lot more documents coming, so…
*Image above via Mark Turnauckas‘ Flickr photostream, Creative Commons
Security experts are warning Vodafone customers, particularly those in Germany, of a possible increase in phishing attacks after an insider at the telecommunications giant accessed a database and stole personal information on as many as two million customers.
German police have a suspect, adding that customer names, addresses, birth dates and bank account numbers among other types of personal data were accessed, Vodafone Germany said. The company said customer credit card numbers, passwords, PINs and mobile phone numbers were not stolen.
“This attack could only be carried out with high criminal intent and insider knowledge and was launched deep inside the IT infrastructure of the company,” Vodafone told the BBC.
Vodafone delayed disclosing the breach in order to give authorities time to investigate, it said. A German news agency said the suspect was not a Vodafone employee, but a contractor. The company added it is in the process of informing customers of the breach and the implications may be.
Authorities have not been clear on how long the contractor had access to the database and whether any customer data had been sold or used as of yet. Given the nature of what was taken, it’s likely the data would have some underground value to a spammer or cybercrime gang. Many scams begin with phishing emails that use convincing messaging purportedly from a trusted source to scam users out of passwords, credit card numbers and other sensitive data beyond personal contact information.
Vodafone said in a statement that it had changed administrators’ passwords and any digital certificates issued on their machines. The compromised server, meanwhile, has been wiped, the company said.
“Vodafone advises its customers to take extra care when possible [with] possible telephone or email inquiries in which they are asked to hand over personal information such as passwords or credit card information,” the company said in a statement, adding that Vodafone would not make such requests of its customers.
In this case, it appears only Vodafone Germany customers are at risk. Spam and phishing lists can be divided and sold regionally, by company or even by organization, experts say, facilitating targeted attacks for cybercrime and even nation-state sponsored attacks.
“Most organizational management and security teams understand what spear phishing is. The problem is they do not know how, or do not have the time and resources, to teach people what phishing is and how to detect or defend against it,” said Lance Spitzner, a SANS Institute instructor and proponent of awareness training. “Spear phishing works because people have not been trained on how to detect such attacks. Even if they do fall victim, if people can figure out after the fact they did something wrong and then report it right away, this is still a win.”
*Vodaphone image via tejvanphotos‘ Flickr photostream, Creative Commons.
MEvade, the massive botnet using Tor as a communication protocol, may have moved operations to the network in order to hamper potential takedown efforts, but according to security researchers, the move just served to shine a spotlight on the botnet’s activities.
Rather than hide traffic from bots to command and control servers, moving to Tor by the millions just alerted researchers and Tor’s handlers that something was amiss. The botnet went undetected—possibly for years—and then suddenly because it caused a spike in Tor usage in a matter of days, the botnet was outed.
“A lot of other bot herders have used Tor in the past, but not this extent,” said Mark Gilbert, security researcher at Damballa Labs. “They probably think they were making the botnet safer, but maybe they were not sure of how massive it was or were connecting to Tor entry nodes more often than they should have.”
The attackers decided to hide their control infrastructure on Tor, yet at the same time made their presence on endpoints more obvious, Gilbert said.
“The massive influx of Tor users drew tons of presumably unwanted attention, compared to when it was just SSH traffic exfiltrating data out over port 443,” Gilbert said. “The SSH traffic over 443, through its very obscurity drew more attention than regular http(s) traffic would have from customers who, even when we detected the threat, might otherwise have written it off as ‘just another virus’.”
Gilbert said his company has been monitoring MEvade for most of this year and said its keepers are likely leasing out portions of the botnet for different purposes. Gilbert said the botnet, also known as LazyAlienBikers, isn’t sending out much spam; parts of it are generating revenue pushing adware however. There is also a data exfiltration capability to some of the malware it spreads, which makes sense given that it’s present in 80 percent of the enterprises in which Damballa has monitoring capabilities.
“What they seem to be doing is dividing the botnet for different purposes; the underground commerce seems to work out this way,” Gilbert said. “The malware author, botherder and ad affiliate are usually not the same person. One is good at coding while another is good at laundering money and another is good at identifying customers for stolen data. They build botnets and lease them out for what people are willing to pay.”
Damballa estimates there are as many as five million bots in LazyAlienBikers, most of them in North America, Africa and Asia. In June, Microsoft was among the first to develop a detection signature for MEvade and within two weeks, the attackers changed domain usage tactics, moving to dynamic DNS providers such as No-IP and ChangeIP, likely to support their use of SSH over HTTP ports for communication with command and control and dropping of additional malware.
But by Aug. 19, the botmaster had moved away from SSH over HTTP and onto the Tor network. Moving away from HTTP, Gilbert said, took the botnet off a protocol built for high performance and high traffic volumes, and onto a network with a much smaller number of exit nodes and relays.
“These are very smart guys, but they are misapplying themselves,” Gilbert said. “They’re not looking at the big picture from a business sense and putting themselves in a network engineer’s shoes and figuring out how to balance resilience with evasion.”
Gilbert said botnets, such as Kelihos which has been taken down numerous times by law enforcement and Microsoft, continues to pop up because it has a fallback where it can send out networks and maintain a much more resilient approach.
The botnet, meanwhile, continues to thrive on Tor, even though numbers have dropped a little.
“In the security arms race, sometimes the bad guys screw up too,” Gilbert said. “But you can be sure they’ve taken the lessons learned from this progression, and will continue to find new ways to remain more elusive going forward.”
Oracle released on Tuesday the Java standard edition version 7 update 40. Java 7u40 includes fixes for a long list of bugs and a number of new features as well.
The most notable security patch appears to be a fix for a plugin deployment bug that failed to block expired certificates for users that were operating at the “very high” security level. You can find the entire list of bugs resolved with this update on Oracle’s bug fixes page.
Oracle is also making two new features available to users with commercial licenses, one called flight recorder and another called mission control. The Java flight recorder feature creates a record of the development process in the Java virtual machine and the mission control feature provides developers with an interface to roll back the clock and access that record, essentially allowing them to revisit any part of the development process. Java SE product manager Aurelio Garcia-Ribeyro explained in a video hosted on Oracle’s website that the features will be particularly useful for fixing bugs that emerge after an application has been deployed.
“The idea is you will be able to find out things that only happen in production,” Garcia-Ribeyro explained. “So there are some bugs that you cannot see because you need to have the application leaking memory for 30 days or something. For those types of bugs, that’s when you need mission control and flight recorder.”
Java SE 7u40 also shipped with a new local security policy. Garcia-Ribeyro explains that Oracle has a problem: though they regularly ship new versions of Java SE that contain new features and vulnerability fixes, many of their enterprise users choose not to install these updates because they are running older applications that may not be compatible with the newer versions of Java SE.
The local security policy will give the administrators at these enterprises the ability to choose which particular applications can access each specific version of the Java runtime environment, allowing them to run old Java versions for old applications and the most up-to-date Java versions for newer applications and limit their exposure to security vulnerabilities.
The latest edition of the JDK has also disabled the “remember this decision” feature that automatically approved self-signed applets. All unsigned and self-signed applets will now need to be approved on a per-use basis.
At first it seems like email spammers relying on old tricks – but a further look into a new campaign spotted by security firm FireEye reveals that the messages are not spreading drive-by downloads or even peddling ordinary PC malware. Instead, attackers are beginning to drop Android malware, in this case FakeDefender, on phones via email.
In this case, the new campaign, relatively young at six days, relies on fake emails that appear to come from the United States Postal Service with messages that read: “USPS Notification: Courier couldn’t make the delivery of your parcel. Reason: Postal code contains an error,” asking users to “Print the Label.”
According to an entry by FireEye’s Vinay Pidathala on the company’s blog earlier this week, users just have to click on the featured link in the email – the print the label link – and the malicious .apk (Android Package File) is downloaded.
Researchers at FireEye went through HTTP requests and found nearly two-dozen URLs serving up the .apk, some disguised as LabelReader.apk.
As the security firm notes, this malware isn’t entirely new. It surfaced earlier this year and is known for deceiving users into “paying for cleanup of other non-existent infections on their device.” As long as the user pays the fee, the phone will purportedly remain uninfected with malware.
After it registers two broadcast receivers, the malware can also intercept incoming and outgoing calls and messages.
In some cases the malware uses different User-Agents to disguise itself – on one machine it can look like a mysterious .apk, but on another machine can masquerade as a .zip file, even something as harmless as “Wedding_Invitation_Chicago.zip,” for example.
While scareware like this can be prevented from being installed on most Android phones – it’s still a relatively new vector for a Android malware campaign, following in the footsteps of sorts of Windows malware.
Android users can disable the “Allow installation of apps from unknown sources” setting in their security settings to prevent mysterious apps from being downloaded. In the same section users can also choose to verify apps, which disallows or warns users before installing malicious apps as well.
It’s a good time to be a security researcher. If you have the time and talent to find vulnerabilities in widely deployed applications, there is a lot of money out there for the taking, and not just from the bug bounty programs and regular exploit buyers.
The latest iteration of the Pwn2Own hacking contest, which has run at the CanSecWest conference in Vancouver for several years, will take place at the Japanese version of the conference in November, and the targets will be the most popular mobile platforms. The prizes for the contest reflect the changing nature of the vulnerability landscape, and the fact that there is far more competition for good vulnerabilities–both out in the open and on the underground–than there has been before.
The targets in the contest include some of the more popular mobile devices on the market, including the iPhone 5, Nexus 4, Galaxy 4, 7 and 10, iPad Mini and BlackBerry z10.
The money available in the mobile Pwn2Own contest at PacSec is significant: $300,000 total, including $70,000 for the first successful exploit against any of the popular messaging services, such as SMS, MMS or CMAS. Exploits that compromise mobile devices via Bluetooth, WiFi, USB or NFC are worth $50,000. On top of that, Google is offering a bonus of $10,000 if one of the exploits compromises Chrome on Android on the Nexus 4 or Galaxy 4.
That’s real money, and in the past, some of the more talented security researchers in the industry have shown up at Pwn2Own to collect large checks from HP, the main sponsor of the contest, and Google. But, as the exploit sales market has exploded in the last couple of years, with government agencies, defense contractors and private buyers ratcheting up the prices, more and more researchers have opted to keep their research private and sell their bugs on the open market rather than use them in a contest. With prices running well into the six figures for browser exploits, it’s no wonder.
“Prices are too low for giving full exploit + sandbox bypass. Price for NFC/USB is good,” Chaouki Bekrar of VUPEN, a seller of exploits to governments, said on Twitter after the announcement for mobile Pwn2Own went out on Thursday.
Bekrar’s team has been a major player at Pwn2Own the last few years, but has avoided entering other contests, such as Google’s Pwnium, because they require the contestants to turn over full details of the vulnerability and exploit, rather than just the crash details. The requirements for mobile Pwn2Own make it clear that the bugs that qualify for prizes would likely draw a much higher price on the open market.
“A successful attack against these devices must require little or no user interaction and the initial vulnerability used in the attack must be in the registered category. The contestant must demonstrate remote code execution by bypassing sandboxes (if applicable) and exfiltrating sensitive information, silently calling long-distance numbers, or eavesdropping on conversations,” the rules say.
That class of vulnerability is highly valuable to government buyers, and fewer and fewer researchers appear willing to accept half or a third of what they could get on the open market.
Image from Flickr photos of Sean McMenemy.
WordPress has fixed a number of security vulnerabilities, including one that could lead to remote code execution on vulnerable installations. WordPress 3.6.1 is the new, updated release that contains the fixes and also includes some non-security bug fixes and stability changes.
The most serious security issue fixed in WordPress 3.6.1 is a remote-code execution vulnerability related to the way that the software handles certain PHP objects. The vulnerability was discovered by a researcher named Tom Van Goethem, who reported it to WordPress in April. It took five months for the fix to appear in a WordPress release. The bug has to do with the way that WordPress deals with some serialized input.
WordPress says the change in 3.6.1 will “Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution.” The description of the vulnerability from Van Goethem is a bit more detailed.
“Another type of vulnerability that an attacker can exploit when his data is run through theunserialize() function, is “PHP Object Injection”. In this case, object-types are unserialized, allowing the attacker to set all the properties of the object to his choice. When the object’s methods are called, this could have some effect (e.g. removing some file), and as the attacker is able to choose the properties of the object, he might be able to remove a file of his choice,” Van Goethem wrote in an explanation of the bug.
“Do not pass untrusted user input to unserialize(). Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this. Use a safe, standard data interchange format such as JSON (via json_decode() and json_encode()) if you need to pass serialized data to the user.”
In addition to the PHP vulnerability, WordPress 3.6.1 also includes fixes for two other security vulnerabilities:
- Link Injection / Open Redirect: Fix insufficient input validation that could result in redirecting or leading a user to another website.
- Privilege Escalation: Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user.
WordPress also made a change to the software that is designed to make cross-site scripting attacks on WP installations more difficult. The change modifies “security restrictions around file uploads to mitigate the potential for cross-site scripting. The extensions .swf and .exe are no longer allowed by default, and .htm and .html are only allowed if the user has the ability to use unfiltered HTML.”
Dennis Fisher talks with Marc Maiffret about his teenage years as a phone phreaker and BBS denizen, the early years of the vulnerability research scene, the Code Red worm and its aftermath and how the security scene has changed in the past 15 years.http://threatpost.com/files/2013/09/10_maiffret.mp3
For the time being, things on the Korean peninsula may have quieted down politically and militarily. But hackers on both sides continue to take shots at each other.
The latest salvo appears to be coming from North Korea, which has been conducting an extensive espionage campaign against specific targets in the South. Researchers at Kaspersky Lab’s Global Research and Analysis Team have been monitoring a malware attacks targeting government and military think tanks in the South, as well as shipping services company.
The Kimsuky Operation—so-named after the Hotmail email addresses used as drop points for stolen data—so far has targeted data from international affairs research groups at South Korean universities, government defense policy think tanks, the national shipping company of South Korea, and groups supporting Korean unification. All of those targets would be of interest to the North Koreans, researchers at Kaspersky said, adding also that IP addresses involved in the attacks are located in China and the ISPs providing access in these attacks also maintain lines into the North.
Researcher Dmitry Tarakanov wrote in a blogpost on Securelist this morning that the team was ready to ignore these attacks as amateurish until they noticed a public mail server involved as a command and control server in the campaign maintained in Bulgaria, as well as a compilation path string containing Korean hieroglyphs translated to remote shell, attack and completion.
“There are a lot of minimal malicious programs involved in this campaign, but strangely they each implement a single spying function,” Tarakanov wrote.
The malware used in these attacks performs a number of functions that help the attackers spy on victims, harvest data and report it back. Separate modules in the campaign include a keystroke logger, directory listing collecter, HWP document theft, remote control download and execution, and remote control access modules.
Tarakanov said the initial infection points are yet unknown, but speculates that part of the campaign is initiated via spear phishing emails. Victims download a Trojan dropper which is used to download additional malware.
“It does not maintain exports and simply delivers another encryption library maintained in its resource section,” Tarakanov wrote. “The second library performs all the espionage functionality.”
Once the malware is on a victim’s machine, it will, at startup, disable the system firewall and an AhnLab firewall if it’s present; AhnLab is a South Korean security vendor. Windows Security Center is also shut off. The malware then begins communicating to the operator through the Bulgarian free webmail service.
The campaign uses a run-of-the-mill keylogger, a similar format to the Madi Malware, Kaspersky researchers said. As for the directory listing capability, researchers saw one sample collector infected with a virus of Chinese origin known as Viking.
“For the attackers, this is certainly a big failure,” Tarakanov wrote. “Not only does the original spying program have marks of well-known malware that can be detected by antimalware products; moreover the attackers are revealing their secret activities to cybercriminal gangs. However, by all appearances, the attackers noticed the unwanted addition to their malware and got rid of the infection.”
The campaign focuses too on stealing HWP documents; HWP is a file format similar to Microsoft Word and is from the Hancom Office bundle, widely used in South Korea. This particular module, however, does not search for HWP files on an infected computer, but only interacts with those opened by the user and then steals them.
“This behavior is very unusual for a document-stealing component and we do not see it in other malicious toolkits,” Tarakanov said.
Tarakanov notes too that the malware does not include a custom backdoor, instead the attackers modified a TeamViewer client as a remote control module. Three executables are delivered via email; two are TeamView components and the third is a backdoor loader.