Threatpost for B2B
UPDATE: A Turkish hacking group compromised and defaced over the weekend the website of OpenSSL, the open-source SSL/TLS implementation project.
The website Zone-H is hosting a mirror of the defacement, in which the hacking group responsible for the attack posted the following message: “TurkGuvenligiTurkSec Was Here @turkguvenligi + we love openssl _.”
OpenSSL posted an advisory on its website yesterday confirming the compromise and announcing that the source repositories are verified and unaffected.
“Initial investigations show that the attack was made via hypervisor through the hosting provider and not via any vulnerability in the OS configuration,” OpenSSL has since written on their site. “Steps have been taken to protect against this means of attack in future.”
Little is known about the hacking group claiming responsibility for the defacement other than that it is reportedly known as TurkGuvenligi. In the defacement, the group seems to express its support for OpenSSL.
A successful attack targeting OpenSSL is concerning because the core mission of the volunteer-run project is to provide strong encryption for any Web property or service that wants to bolster its security. If what is known now about the attack holds, namely that the intrusion came through the hosting provider’s hypervisor and had no impact on OpenSSL’s code repositories, then the attack was little more than a site defacement. The repository check is the evidence that matters here: a compromise at the hypervisor layer sits below the guest’s own OS controls, so the apparent state of the defaced server itself says little about what the attacker could have reached.
“The source repositories have been checked and they were not affected,” OpenSSL wrote. “Other than the modification to the index.html page (which was restored a few minutes after we became aware of the attack) no changes to the website had been made.”
OpenSSL is promising to release more details about the hack once they complete their investigation. We will update this story with any details as they become available.
It’s that most wonderful time of the year, the time when everyone with access to an email machine puts together a list of the best or worst of whatever happened in the last 12 months. In the computer security world, there is no doubt that such a list would find NSA stories in places one through infinity times infinity. So rather than trying to rank the NSA revelations on any sort of scale, we’ve put together an admittedly simplified list of some of the more interesting NSA-related stories to emerge in 2013.
Least Surprising NSA Capability: Breaking/Subverting Crypto
A major part of the agency’s mission since its inception has been the development of cryptographic capabilities, both on the offensive and defensive sides of the fence. In this, it is the technological and logical descendant of the Black Chamber and the Office of Strategic Services, which operated nearly a century ago. Breaking and making ciphers has been a vital part of intelligence for thousands of years, and the advent of computer-based cryptography has had a profound effect on both of those functions. The NSA has been involved in the development of new protocols and cryptosystems for decades and it employs an unknown but presumably rather large cadre of cryptographers and mathematicians who also work on defeating existing systems. There have been suspicions, rumors and dark jokes about the agency having backdoored any number of encryption algorithms and products floating around the security industry for a long time, and some of the most outlandish of those conjectures have now been revealed as truth. The NSA reportedly subverted the development of a random-number generator known as Dual_EC_DRBG that is used in a number of prominent crypto products. That maneuver gave the agency secret access to the affected products and caused RSA to warn developers to use a different RNG and even prompted NIST to issue guidance telling people to avoid Dual_EC_DRBG, too. In addition, the NSA also developed a number of unspecified capabilities to defeat SSL, something that is perhaps even more worrisome. As concerning as these revelations are, they shouldn’t come as much of a surprise, given the NSA’s mission, its massive budget and its highly specialized staff of scientists, cryptographers and security experts. It’s what they do, and they’re really, really good at it.
Most Surprising NSA Capability: Defeating the Collective Security Prowess of Silicon Valley
Some of the earliest leaks to emerge from the Edward Snowden cache described a program called PRISM that granted the NSA “direct access” to networks run by Google, Yahoo, Microsoft and many other companies. That direct access was quickly interpreted to mean that those companies were giving the agency data links to their servers through which the NSA could collect traffic on targets. The affected companies quickly rose up and denied this, and only later was it revealed that “direct access” came in the form of tapping undersea cables that carry unencrypted traffic between data centers around the world. That revelation triggered an immediate response from Google, Microsoft and Yahoo, who said that they would be encrypting that traffic in the near future, and some engineers from Google also had some choice words for the NSA’s in-house hackers. In the words of Google’s Mike Hearn, “The traffic shown in the slides below is now all encrypted and the work the NSA/GCHQ staff did on understanding it, ruined.”
Weirdest NSA Revelation: The Fort Meade Spy Tools Wish Book
The oddest bit of information to come out of the NSA drama was saved for the end of the year. Just this past weekend, Germany’s Der Spiegel reported the existence of an internal catalog of hardware and software tools that the agency can provide. This is the Sears & Roebuck catalog of attack tools. Shoppers, which likely include internal NSA departments as well as other intelligence agencies, can buy malware for infiltrating various firewalls and routers, as well as more exotic products. “Computer bugging devices disguised as normal USB plugs, capable of sending and receiving data via radio undetected, are available in packs of 50 for over $1 million,” Der Spiegel reported. Q would be jealous.
Most Interesting Quotes on the NSA Drama
“Trust the math. Encryption is your friend.” — Bruce Schneier in The Guardian
“Software is almost always broken, but standards — in theory — get read by everyone. It should be extremely difficult to weaken a standard without someone noticing.” — Matthew Green on the subversion of NIST standards
“We need to know what the hell has been going on here…There’s something totally crazy about this.” — journalist Carl Bernstein on the allegations that NSA has monitored the phones of European leaders
“That stealing your stuff thing, we did a lot of that [at the NSA]. Actually, I’d like to think we’re number one. But we stole stuff to keep you safe.” — Michael Hayden, former NSA director, speaking days before the first of the Snowden leaks emerged
“I cannot imagine a more ‘indiscriminate’ and ‘arbitrary invasion’ than this systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying it and analyzing it without judicial approval,” — U.S. District Court Judge Richard J. Leon in a ruling on the NSA metadata program
“We want to demonstrate that we have a front door, that we have transparency and we take it seriously. This is a huge step forward, and there’s more we have to do in terms of pushing information to the press.” — Gen. Keith Alexander, director of the NSA
Most Interesting People to Emerge From the NSA Story: Jacob Appelbaum and Matthew Green
The cast of characters who have been involved in various pieces of the NSA theatrics is staggering: journalists, politicians, cryptographers, world leaders, judges and a systems administrator in Hawaii. Each has played a part in the drama, but the most consistently interesting and informative people involved in one way or another have been Appelbaum and Green. Appelbaum is a long-time fixture in the security community, well-known for his activism on human rights and anonymity. But as part of the analysis of the Snowden documents, he has also written some of the stories on the revelations, including as a co-author of the piece in Der Spiegel on the NSA catalog. Green, a research professor at Johns Hopkins University, has produced some of the more illuminating and thoughtful analysis of the documents, especially when it came to the technical bits involving encryption and the NSA’s capabilities against various protocols and cryptosystems. If you need to know how to think about what’s going on and what it all means, you won’t find better sources than Appelbaum and Green.
Further reading: A Few Thoughts on Cryptographic Engineering
After claiming the makers of SnapChat repeatedly ignored their disclosures over a period of four months, Gibson Security recently published the full details of a pair of bugs in the photo and video sharing application. One could give an attacker the ability to connect phone numbers with usernames on a massive scale, while another could enable the creation of fake accounts.
The researchers claim their exploits impact the latest version of SnapChat on the iOS and Android operating systems.
The so-called “find_friends” exploit essentially gives any logged-in user the ability to enter a random (or not so random) U.S. phone number and find out whether there is a SnapChat account associated with that number.
This is the bug that Gibson Security claims to have disclosed to SnapChat back in August. The researchers claim that SnapChat has done nothing to fix the issue in the meantime.
With a little quick math, the researchers claim they could burn through 292 million U.S.-style phone numbers in a month with their purpose-built Python script and a single virtual server. Whichever of those hundreds of millions of numbers are associated with SnapChat accounts would then be known to the attacker running the script.
The second exploit, though the researchers say it is less an exploit than an issue with lax registration controls, could allow anyone to create an account with two simple requests: “/bq/register” and “/ph/registeru.”
Gibson Security researchers told ZDNet that malefactors could potentially use the second, mass registration exploit to create thousands of accounts in order to disseminate spam and other bad things.
Regarding the friend-finding exploit, they also told ZDNet’s Violet Blue, who broke the story on Dec. 25, that an attacker could leverage the very public SnapChat API along with their exploit to easily pair registered numbers with the usernames associated with them, whether or not those user accounts are private.
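From the service side, the find_friends enumeration described above is a volume-and-shape anomaly: one account querying far more distinct numbers than any real contact list holds, often in numeric sequence. The detector below is an added example, not code from Gibson Security or SnapChat. The log format (timestamp, account, endpoint, client IP, queried number), the sample traffic and the thresholds are all constructed for the example and would need tuning against real traffic.

```python
"""Enumeration detector for a contact-lookup endpoint (added example).

Flags accounts that, inside a sliding time window, query more distinct phone
numbers than a legitimate address-book sync would, and reports whether the
numbers advance by one (the signature of a range sweep).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample: one ordinary user and one account sweeping a range.

    Line format (assumed for this example):
        <ISO-8601 time> <account> <endpoint> <client ip> <queried number>
    """
    lines = []
    base = datetime(2013, 12, 27, 10, 0, 0)
    # alice: three unrelated lookups spread over several minutes
    for i, phone in enumerate(["+14155550101", "+16505550123", "+12125550199"]):
        ts = base + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()} alice find_friends 198.51.100.7 {phone}")
    # bob: 120 lookups in one minute, each number one higher than the last
    for i in range(120):
        ts = base + timedelta(milliseconds=500 * i)
        lines.append(f"{ts.isoformat()} bob find_friends 203.0.113.9 +1310555{i:04d}")
    return lines


def parse_line(line):
    ts, account, endpoint, ip, phone = line.split()
    return datetime.fromisoformat(ts), account, endpoint, ip, phone


def detect_enumeration(lines, window=timedelta(seconds=60),
                       max_distinct=50, min_sequential=0.8):
    """Return {account: summary} for accounts whose lookups look like a sweep.

    Lines are assumed to be in time order per account. Two signals are kept:
      * volume: distinct numbers queried by the account inside `window`
      * shape: fraction of consecutive queries whose number is previous + 1
    An account is reported once, at the moment it first crosses `max_distinct`.
    """
    recent = defaultdict(deque)   # account -> (ts, phone) events inside window
    flagged = {}
    for line in lines:
        ts, account, endpoint, _ip, phone = parse_line(line)
        if endpoint != "find_friends":
            continue
        q = recent[account]
        q.append((ts, phone))
        while ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) < max_distinct or account in flagged:
            continue
        digits = [int(p.lstrip("+")) for _, p in q]
        steps = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
        sequential = steps / max(len(digits) - 1, 1)
        flagged[account] = {
            "first_seen": q[0][0],
            "distinct_numbers": len(distinct),
            "sequential_fraction": round(sequential, 2),
            "sweep": sequential >= min_sequential,
        }
    return flagged


if __name__ == "__main__":
    for account, summary in detect_enumeration(build_sample_log()).items():
        print(account, summary)
```

The volume signal alone is enough to catch a naive sweep; the sequential-fraction signal separates a range scan from a user legitimately syncing a large address book, which queries many distinct but unordered numbers. A rate limit on the endpoint keyed by account and by client IP is the corresponding preventive control; the detector is what tells you the limit is being probed.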
SnapChat is a photo and video sharing service whose selling point is that shared photos and videos are ephemeral. Once a ‘Snap’ is opened by the recipient, it is viewable for ten or so seconds before disappearing forever. Because of this, SnapChat is reputedly used as a mechanism for sharing lewd photos. Of course, the claim that the photos are only temporarily viewable is dubious at best. Recipients can easily take a screenshot of a snap, and there are even applications that allow recipients to save snaps outright. Beyond that, reports emerged in October that the company was sharing data with law enforcement when compelled to do so, further undermining the claim that all photos are deleted.
A federal court today shot down a challenge by the American Civil Liberties Union (ACLU) to the National Security Agency’s bulk phone metadata collection program, determining that the spy agency’s actions are legal.
The ruling by U.S. District Court judge William Pauley contradicts a Dec. 16 D.C. District Court ruling that the collection program likely violated the Fourth Amendment.
Pauley’s ruling today was framed in the context of changes made to intelligence gathering post-Sept. 11, and the need to find terrorists among streams of disconnected data.
“This blunt tool only works because it collects everything,” Pauley wrote. “If plumbed, such data can reveal a rich profile of every individual as well as a comprehensive record of people’s associations with one another.”
The challenge was filed by the ACLU in June, shortly after the first documents taken by NSA whistleblower Edward Snowden were published and reported on in the Guardian. Since then, the depths of NSA surveillance have been revealed, including a dragnet that sweeps up not only foreign intelligence but also connections to those targets in the U.S., including Americans with no suspected ties to terrorism.
The NSA has also been accused of subverting the development of encryption standards, tapping connections between data centers hosted by large Internet providers such as Google and Yahoo, and having direct access to data housed at ISPs, among many other revelations.
Judge Pauley said in his ruling that the Snowden revelations of Foreign Intelligence Surveillance Court orders have stirred not only public debate but litigation. He found the telephony metadata program to be lawful, with a caveat.
“The question of whether that program should be conducted is for the other two coordinate branches of government to decide,” he wrote.
The ACLU filed its suit on June 11 seeking a preliminary injunction to halt bulk collection; the suit, which was subsequently dismissed today, named Director of National Intelligence James R. Clapper, NSA Director Keith Alexander, Secretary of Defense Charles Hagel, Attorney General Eric Holder and others.
“There is no evidence that the Government has used any of the bulk telephony metadata it collected for any purpose other than investigating and disrupting terrorist attacks,” Pauley wrote in his ruling. “While there have been unintentional violations of the guidelines, those appear to stem from human error or the incredibly complex computer programs that support this vital tool. And once detected, those violations were self-reported and stopped.”
The ruling two weeks ago that declared the program likely violated the Fourth Amendment granted a preliminary injunction barring the collection of data belonging to two individuals who asserted the NSA collection program violated their expectation of privacy.
The ruling issued by Judge Richard J. Leon of the U.S. District Court for the District of Columbia prevented the NSA from collecting any more records pertaining to defendants Larry Klayman and Charles Strange and also required the agency to destroy any records it already has relating to those two Verizon customers. Leon also stayed his injunction pending an appeal by the government.
“I cannot imagine a more ‘indiscriminate’ and ‘arbitrary invasion’ than this systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying it and analyzing it without judicial approval,” Leon wrote in his ruling.
Target confirmed this morning that encrypted PIN data was stolen in the Black Friday data breach that exposed 40 million accounts to fraud.
Spokesperson Molly Snyder said the ongoing forensics investigation confirmed that PIN data was accessed as well, contrary to previous claims made by the retail giant.
“We remain confident that PIN numbers are safe and secure,” Snyder said in a statement. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”
The breach was reported Dec. 18 by website Krebs on Security and the company later confirmed that hackers had access to the company’s network starting the day before Thanksgiving until Dec. 15.
Since the breach, further reports from blogger Brian Krebs have surfaced that debit and credit card numbers stolen from Target have been seen for sale on underground forums by the millions. Krebs identified one such underground retailer as Rescator, a cards dealer operating on a Russian forum lampeduza[.]la.
The fear is that if the attackers have the PIN data and are able to crack the encryption securing those credentials, they will be able to clone debit cards and withdraw money from ATMs.
Target, meanwhile, said it does not have access to the encryption key used to secure the PIN data, nor was it stored on its systems.
“The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor,” Snyder said. “What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.”
Snyder said PIN data is encrypted at a retail location’s keypad with Triple-DES encryption and that the data remains encrypted over the wire until it reaches the payment processor. Attackers would have had to compromise the point-of-sale system and intercept the PIN data before it was encrypted in order to have accessed it.
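To make concrete what “encrypted at the keypad” protects, here is the step that precedes the Triple-DES encryption the article describes. This is an added example, not Target’s or its processor’s code: the article does not say which PIN-block format is used, so the example assumes the common ISO 9564-1 Format 0 (ANSI X9.8), in which the PIN is XORed with part of the card number before encryption. The 3DES step itself, and the key that only the PIN pad and the processor hold, are deliberately not shown.

```python
"""ISO 9564-1 Format 0 PIN block construction (added example).

The PIN pad builds this 16-hex-digit block and then encrypts it under 3DES
with a key the merchant never holds; the processor decrypts and reverses the
construction. Format 0 is an assumption here, not something the article states.
"""


def _xor_hex(a: str, b: str) -> str:
    """Nibble-wise XOR of two equal-length hex strings."""
    return "".join(f"{int(x, 16) ^ int(y, 16):X}" for x, y in zip(a, b))


def _pan_field(pan: str) -> str:
    # Rightmost 12 digits of the PAN, excluding the Luhn check digit,
    # left-padded with four zero nibbles.
    return "0000" + pan[:-1][-12:]


def pin_block_format0(pin: str, pan: str) -> str:
    """Return the plaintext block the PIN pad hands to 3DES."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("PAN must be 13-19 digits")
    # Format nibble 0, PIN length nibble, PIN digits, then 'F' padding.
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    return _xor_hex(pin_field, _pan_field(pan))


def recover_pin(block: str, pan: str) -> str:
    """What the processor does after 3DES decryption: undo the PAN binding."""
    pin_field = _xor_hex(block, _pan_field(pan))
    if pin_field[0] != "0":
        raise ValueError("not a Format 0 block")
    length = int(pin_field[1], 16)
    return pin_field[2:2 + length]


if __name__ == "__main__":
    # Constructed test card numbers; same PIN, different plaintext blocks.
    for pan in ("4111111111111111", "5555555555554444"):
        block = pin_block_format0("1234", pan)
        print(pan, block, recover_pin(block, pan))
```

Two consequences follow. Because the PAN is mixed in, two cardholders with the same PIN produce different plaintext blocks and therefore different ciphertexts, so an attacker sitting on a pile of encrypted PIN blocks cannot group cards by shared PIN or spot the most common PINs by frequency. But the PAN is not a secret, and in this breach it was taken along with the track data, so Format 0 adds nothing against an attacker who obtains the key. The safety of the stolen PIN data rests entirely on that key never having been on Target’s systems, which is exactly the point Snyder makes above.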
“The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken,” Snyder said.
Target has also brought in the U.S. Secret Service and U.S. Dept. of Justice to investigate the breach, along with an unnamed third-party computer forensics firm. On Monday, state attorneys general met via conference call with Target general counsel Tim Baer and plan a follow up call Jan. 6. The state AGs were made aware of a number of phishing and other scams in circulation regarding stolen Target data and informed consumers that Target will launch a dedicated resource on its corporate website that will host information pertinent to the breach.
The breach affects only customers who shopped at physical Target locations, though consumers nationwide are affected; online shoppers at Target.com apparently are not impacted. The attackers made off with track data, the cardholder information stored on the magnetic stripe of a payment card.
Reuters, meanwhile, reported on Tuesday that Santander Bank and JPMorgan Chase lowered the limits on how much cash can be withdrawn from ATMs, an indication, experts said, that the PINs were stolen as well.
EBay is vulnerable to a hack that would allow an attacker to hijack an account and make unauthorized purchases from the victim’s account that would be difficult to disprove.
The vulnerability was discovered and reported to eBay in August, and despite three separate communications from the online auction and marketplace that the code in question was repaired, the site remains susceptible to exploit.
U.K. consultant Paul Moore of Cresona Corp., the same researcher who reported a serious issue with the Santander Group online and mobile banking applications, found the vulnerability and submitted details to eBay nearly five months ago. Threatpost requested comment from eBay on Tuesday, but that email was not answered.
“I’ve given up asking eBay. The intention now is to raise awareness with as many people as possible,” Moore said via email. “The addition of one-click payments via Paypal mean it’s now more urgent than ever, as attackers can use linked Paypal accounts to purchase goods, even without knowing the user’s Paypal username or password. With the initial exploit being carried out by the affected user’s PC, it’d be difficult to disprove they weren’t responsible for any action which followed.”
Moore’s initial communication to eBay was Aug. 5 and the last Nov. 16, reporting again that the site remains vulnerable to cross-site request forgery (XSRF) despite eBay’s insistence the issue was resolved. His exploit allows an attacker to change the victim’s contact information, including address and phone number, and then use a loophole in the password reset process to redirect the reset to the contact information entered by the attacker.
“Absolutely nothing has changed. There are no CSRF tokens in the headers, DOM or cookie jar, so the original exploit from four and a half months ago still works,” Moore said, adding that another software engineer, Scott Helme, tested the exploit and his account details were changed so that Moore could have logged in as his friend.
Moore’s exploit does not require local access to work. A victim would just need to be lured to a website hosting the exploit via a link on eBay or social media, or in an email; Moore’s hack looks for an active eBay session, otherwise it fails.
If the victim does have an open eBay session, Moore’s attack, called XSRF Router, exploits the XSRF vulnerability and delivers a payload that changes the user’s address, zip code and phone number in order to request a password reset without ever needing the user’s original log-in credentials. Cross-site request forgery attacks exploit the trust a website has in a user’s browser, which stores cookies in order to verify a user’s identity and maintain a log-in. EBay’s profile update form lacks an anti-forgery token field; because the browser attaches the session cookie to any request for the site no matter which page built the form, the site cannot tell a forged submission from a genuine one, Moore said.
“Without an XSRF token (which ensures the genuine site delivered the form by linking a unique token with you personally), the form is no different to any other on the web,” Moore said. “As such, it can be pre-populated and submitted by anyone. If you happen to be logged in at the time, your profile can be updated simply by visiting another web site.”
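The following is an added example, not eBay’s code or Moore’s XSRF Router: a minimal in-memory model of a session-bound profile-update handler, run once without and once with a synchronizer token, to show why a pre-populated form submitted from another site succeeds against the first and fails against the second. The class and field names (ProfileService, csrf_token, phone, zip) are made up for the example.

```python
"""Synchronizer-token check for a profile-update form (added example).

Models only what matters for CSRF: the browser attaches the session cookie to
every request for the site, and the forged page can choose every form field
but cannot read anything the genuine site returned to the victim.
"""
import hmac
import secrets

SESSION_COOKIE = "sessionid"
TOKEN_FIELD = "csrf_token"


class ProfileService:
    """Hypothetical site with a profile form; `require_token` toggles the fix."""

    def __init__(self, require_token=True):
        self.require_token = require_token
        self.sessions = {}   # session id -> {"user": ..., "csrf": ...}
        self.profiles = {}   # user -> {"phone": ..., "zip": ...}

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        # Token is generated per session and stored server-side, never in a
        # cookie the browser would attach automatically.
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        self.profiles.setdefault(user, {"phone": "", "zip": ""})
        return sid

    def render_form(self, sid):
        """The genuine site embeds the session-bound token in its own form."""
        return {TOKEN_FIELD: self.sessions[sid]["csrf"]}

    def update_profile(self, cookies, form):
        """POST handler. `cookies` is what the browser attached on its own;
        `form` is the submitted body, whoever built the page that sent it."""
        session = self.sessions.get(cookies.get(SESSION_COOKIE))
        if session is None:
            return 401, "not logged in"
        if self.require_token:
            submitted = form.get(TOKEN_FIELD, "")
            if not hmac.compare_digest(submitted, session["csrf"]):
                return 403, "missing or invalid CSRF token"
        profile = self.profiles[session["user"]]
        profile.update({k: form[k] for k in ("phone", "zip") if k in form})
        return 200, "profile updated"


def forged_request(service, victim_sid, attacker_fields):
    """A cross-site page auto-submitting a pre-filled form: it picks the field
    values, but the only token it could include is one it cannot know."""
    return service.update_profile({SESSION_COOKIE: victim_sid}, dict(attacker_fields))


def demo():
    """Run the forged submission against both variants, plus a genuine one."""
    attacker_fields = {"phone": "+15550000000", "zip": "00000"}  # constructed
    results = {}
    for name, require_token in (("no_token", False), ("with_token", True)):
        svc = ProfileService(require_token=require_token)
        sid = svc.login("victim")
        status, _ = forged_request(svc, sid, attacker_fields)
        results[name] = (status, svc.profiles["victim"]["phone"])
    # A submission through the genuine form, token included, still works.
    svc = ProfileService(require_token=True)
    sid = svc.login("victim")
    form = dict(svc.render_form(sid), phone="+14155550101")
    results["genuine"] = svc.update_profile({SESSION_COOKIE: sid}, form)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The forged submission controls every form field but cannot read the victim’s session or the token the genuine form carried, because the same-origin policy keeps the attacker’s page from reading responses from the target site; the browser still attaches the session cookie, which is the whole basis of the attack. The check therefore has to happen on the server and be bound to the session: a token that lives only in a cookie, or a check on the Referer header alone, does not give the same guarantee. Marking the session cookie SameSite is a useful second layer in current browsers, but it did not exist in 2013.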
The key for the attacker is the password reset. The reset form asks the user to answer two of three fields: the secret question, zip code and phone number. However, the password reset would still be sent to the victim and not the hacker; the trick is to go through a second help page that asks the user to enter a valid phone number to which eBay will deliver a four-digit PIN, and that call goes to the new number the attacker entered via the exploit.
“The hacker submits a fake form which changes your contact telephone number, runs a password reset and waits for the phone to ring. Time required to hijack an account… [less than] 1 minute,” Moore wrote on his blog.
An attacker would then have full access to the victim’s eBay account without ever having stolen the user’s original credentials. Once in, they could view a history of the victim’s eBay activity, create a similar listing from another account and buy it using the stolen account, Moore said, adding that if the victim’s PayPal is linked to a bank account, those funds could be quickly drained.
“It’s going to be very difficult to prove your innocence too. After all, the initial request came from your machine, you‘ve purchased something you were genuinely interested in, eBay recently contacted you on your telephone number and you‘ve left good feedback,” he said. “It’s highly likely that eBay have other security procedures in place but rest assured, the money will be long gone. You may get it back directly from eBay, but you’re going to struggle to explain how they managed to gain access to your account from your own PC.”
The purpose of the Trojan, identified by Zscaler as JS/Exploit-Blacole.em, is simply to redirect users to other sites. The immediate redirection leads to hxxp://rsnvlbgcba.ibiz.cc/d/404.php?go=1 and then on to hxxp://fukbb.com/.
An examination of the initial redirect’s source code revealed that the site is merely a stepping stone that leads users to the second redirect. Oddly, the final destination site does not host any malicious content at the moment. However, a VirusTotal analysis performed by Zscaler and Threatpost suggests that the site is a suspicious one that has been associated with malware-related activities in the past.
An Israeli security researcher from the Ben-Gurion University of the Negev’s Cyber Security Labs claims to have uncovered a serious security flaw in Samsung Knox.
Knox is a security- and privacy-centric platform built into certain Samsung devices running Android. The Knox architecture, tailored for enterprise and government users, is designed in part to compartmentalize device data between personal and professional use.
Mordechai Guri, a Ph.D. student at BGU, discovered the flaw in Samsung’s flagship Galaxy S4 device. According to a report on the university’s website, the bug could give an attacker the ability to intercept communication data between Knox’s secure container and the files outside of it. For now, the flaw appears to only affect Galaxy S4 devices.
By design, Knox’s container feature should keep all data inside the container separate from any data outside of it. Apps within the container can access certain information outside the container – depending on user configuration and settings. Apps outside the container, on the other hand, should never be able to access information stored by apps and folders within the container.
Ideally, if a phone becomes infected with malware or compromised in some other way, all the data within the container should be protected. The flaw, Guri claims, can be used to bypass Knox’s security mechanisms.
“To us, Knox symbolizes state-of-the-art in terms of secure mobile architectures and I was surprised to find that such a big ’hole‘ exists and was left untouched,” Guri wrote. “The Knox has been widely adopted by many organizations and government agencies and this weakness has to be addressed immediately before it falls into the wrong hands. We are also contacting Samsung in order to provide them with the full technical details of the breach so it can be fixed immediately.”
A Samsung spokesperson downplayed the flaw, telling the Wall Street Journal that an ongoing internal investigation revealed that the vulnerability is not as serious as the researchers claim.
“To solve this weakness, Samsung may need to recall their devices or at least publish an over the air software fix immediately. The weakness found may require Samsung to re-think a few aspects of their secure architecture in future models,” said Dudu Mimran, the Chief Technology Officer of BGU’s Cyber Security Labs.
The Pentagon green-lit Samsung Knox-enabled Android devices for use on military networks back in May. The secure platform is still under review by the military, but, if it is approved, may soon be allowed for use within the Department of Defense. Full Pentagon approval would be a serious step forward for the Android operating system, which is an increasingly popular target among attackers as its share of the mobile operating system marketplace continues to grow.