Threatpost for B2B
Attackers exploiting the Microsoft Windows and Office zero day revealed yesterday are using an exploit that includes a malicious RAR file as well as a fake Office document as the lure, and are installing a wide variety of malicious components on newly infected systems. The attacks seen thus far are mainly centered in Pakistan.
The CVE-2013-3906 vulnerability, disclosed Tuesday by Microsoft, is a remote code execution flaw that involves the way that Windows and Office handle some TIFF files. Microsoft said that attackers who are able to exploit the bug would be able to run arbitrary code on compromised machines. In the targeted attacks seen by researchers so far, attackers are using ROP techniques to exploit the vulnerability and then installing a downloader that pulls down some additional components, including an Office document that is shown to the user as a distraction from what’s going on in the background.
Researchers at AlienVault analyzed the exploit and malware being used in the targeted attacks and found that once the attackers have compromised the machine, they also download a RAR file that includes components that calls back out to the command-and-control server and then downloads a number of malicious components. The malware installs a keylogger, a remote backdoor and a component that steals various files, including XLS, DOC, PPT and PDF files.
The CVE-2013-3906 vulnerability affects Windows Vista and Office 2003-2010 and Microsoft recommended that users running vulnerable versions install the FixIt tool they released Tuesday, which helps prevent exploitation. Installing the EMET toolkit also can protect users against attacks on this vulnerability.
Most of the IPs connecting to the C&Cs used in these attacks are coming from Pakistan, the AlienVault researchers said. Researchers at Kaspersky Lab analyzed the malware and its behavior and found some interesting behavior.
“This is not the first vulnerability in TIFF. The notorious CVE-2010-0188 (based on TIFF too) is widely used in PDF exploits even now. The new 0day uses malformed TIFF data included in Office documents in order to run a shellcode using heap spray and ROP techniques. We have already researched some shellcodes – they perform common actions (for shellcodes): search API functions, download and launch payload. We took a glance at a downloaded payload – backdoors and Trojan-spies. Our AEP technology prevents a launch of any executable file by exploited applications. In this case our AEP protected and continues protecting users too,” said Vyacheslav Zakorzhevsky, head of the vulnerability research group at Kaspersky.
Image from Flickr photos of Elliott Brown.
In a new report detailing the number and kind of requests for user information it’s gotten from various governments, Apple said it has never received a request for information under Section 215 of the USA PATRIOT Act and would likely fight one if it ever came. The company also disclosed that it has received between 1,000 and 2,000 requests for user data from the United States government since January, but it’s not clear how many of those requests it complied with because of the restrictions the U.S. government places on how companies can report this data.
Right now, companies such as Apple, Google and others that issue so-called transparency reports only are allowed to report the volume of requests they get in increments of 1,000. So Apple’s report shows that although it received 1,000-2,000 requests for user data so far in 2013, the number that it complied with is listed as 0-1,000. Apple, along with a number of other companies, including Google and Microsoft, have asked the government in recent months for permission to disclose more specific numbers of requests, including specific numbers of National Security Letters.
“At the time of this report, the U.S. government does not allow Apple to disclose, except in broad ranges, the number of national security orders, the number of accounts affected by the orders, or whether content, such as emails, was disclosed. We strongly oppose this gag order, and Apple has made the case for relief from these restrictions in meetings and discussions with the White House, the U.S. Attorney General, congressional leaders, and the courts. Despite our extensive efforts in this area, we do not yet have an agreement that we feel adequately addresses our customers’ right to know how often and under what circumstances we provide data to law enforcement agencies,” Apple officials said in the report.
As the information regarding the surveillance methods and capabilities of the NSA has piled up in the last few months, many tech companies have become more vocal in discussing the requests they get from government agencies and law enforcement. Google, Yahoo, Microsoft and Apple have found themselves defending their practices and trying to reassure users that they don’t provide direct access to their servers or data links for law enforcement. Although the government has placed restrictions on how much these companies can reveal about the volume and kind of requests they get, Apple included one specific line in its transparency report that goes about as far as is permissible right now.
“Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us,” the report says.
Section 215 is the bit that’s used by the NSA to collect business records such as phone call metadata.
The report also shows data on how many requests Apple has gotten from dozens of other governments, with the highest number being 127 from the U.K. Apple turned over some data in 37 percent of those requests. The next-highest volume of requests came from Spain, which issued 102, in 22 percent of which Apple handed over some user data.
Image from Flickr photos of MrGuyTsur.
Dennis Fisher talks with researcher Dragos Ruiu about his years-long struggle with a group of attackers who have infiltrated his network and are using malware that seems to resist all removal attempts and may have the ability to communicate using sound.
http://threatpost.com/files/2013/11/digital_underground_132.mp3
*Dragos image via Gohsuke Takama‘s Flickr photostream, Creative Commons
An Android banking Trojan known as Svpeng has added phishing capabilities to its arsenal, and researchers have spotted it attacking Russian banking clients in what is perceived to be a dry run before it is adapted for other countries.
“Typically, however, cybercriminals first test-run a technology on the Russian sector of the Internet and then roll it out globally, attacking users in other countries,” said Kaspersky Lab researcher Roman Unuchek on the Securelist blog today.
Unuchek said the Trojan, which spreads via SMS spam messages, has new code that checks the language version of the operating system on the victim’s machine in order to tailor its messaging in the proper language. For now, the malware appears to be interested in U.S., German, Belarusian and Ukrainian victims.
Phishing is the big innovation for Svpeng, also known as Trojan-SMS.AndroidOS.Svpeng. Android users in Russia who are infected will be presented with a phishing window upon launching their banking application. The window asks for the victim’s user name and password which is then sent to a centralized server belonging to the attacker.
Unuchek also said the Trojan tries to steal bank card information by layering a phishing window over Google Play when it’s running on the user’s mobile device. The window prompts the user to enter his credit card or bank card information including expiration data and CVC number, which is also gift-wrapped to the attacker’s command and control server.
The malware is also capable of issuing commands to transfer money from the victim’s account to the attacker. Unuchek said it does so by sending SMS messages to numbers belonging to a pair of Russian banks.
“This way it checks if the cards of these banks are attached to the number of the infected phone, finds out the balance and sends it to the malicious C&C server,” Unuchek wrote. “If the phone is attached to a bank card, commands may arrive from the C&C to transfer money from the user’s bank account to his/her mobile account or to the cybercriminals’ bank account. The cybercriminals may then send this money to their digital wallet and cash it in.”
Svpeng may soon break out beyond the Russian borders; Kaspersky researchers have spotted new behavior in the malware that begins adapting it based on the victim’s location.
Unuchek said there have been 50 modifications to Svpeng in the three months the malware has been monitored. The attackers are also adamant about keeping the Trojan active; it uses the deviceAdmin Android tool to prevent security products from deleting it. It also prevents the user from disabling deviceAdmin or a factory reset by exploiting a previously unknown vulnerability in Android, Unuchek said.
Microsoft is warning users about targeted attacks against a new vulnerability in several versions of Windows and Office that could allow an attacker to take over a user’s machine. The bug, which is not yet patched, is being used as part of targeted attacks with malicious email attachments, mainly in the Middle East and Asia.
In the absence of a patch, Microsoft has released a FixIt tool for the vulnerability, which prevents exploits against the vulnerability from working. The bug affects Windows Vista, Windows Server 2008 and Microsoft Office 2003 through 2010.
“The exploit requires user interaction as the attack is disguised as an email requesting potential targets to open a specially crafted Word attachment. If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics image embedded in the document. An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user,” the Microsoft advisory says.
The vulnerability doesn’t affect the current versions of Windows, the company said, and users who are running potentially vulnerable products can take a couple of actions in order to protect themselves. Installing the FixIt tool will help prevent exploitation, as will deploying the Enhanced Mitigation Experience Toolkit (EMET), which helps mitigate exploits against certain classes of bugs.
“The vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft officials said.
Buying Twitter followers is standard practice for celebrities, politicians, startups, and even so-called social media experts who want to boost their online Q Score.
So it shouldn’t be surprising that hackers have noticed this market opportunity and are building a formidable underground business automating the creation, and selling, of phony Twitter followers.
Fake Twitter accounts are nothing new, but the practice is being refined all the time. Rather than make up people, attackers are taking established Twitter users and duplicating their accounts. The authenticity of the phony accounts is crucial in order to keep these fake accounts live and keep Twitter’s fraud detection capabilities from catching them and turning off the accounts.
“They’re stealing names and appending numbers or letters to your name, copying your profile photo, your bio, your location and start sending out tweets,” said Paul Judge, vice president and chief research officer at Barracuda Networks. “They’re stealing identities and make fake accounts that let them blend in better and seem more credible. They send out these links and someone sees the name, sees the picture and believes it’s you. They’ve stolen trust in you and your reputation by sending out links.”
Barracuda has done noteworthy research on the Twitter underground in the past, and Judge says the evolution of the market is extraordinary. In particular, he notes that more than 60 percent of new fake accounts are created by duplicating legitimate existing accounts, and that those accounts get better click-through rates on the malicious links they send out.
“There are a few monetization techniques. They’re doing everything from links sending users to sites hosting Web exploit kits to sending links to spam sites hosting affiliate ads, or using the same accounts to sell you fake followers,” Judge said. “They’ve diversified income stream. We’re seeing the same fake account being used for all three.”
Right now, Barracuda research points out there are 52 eBay sellers soliciting phony Twitter followers at an average of $11 per 1,000 fake accounts. That is translating to more than 52,000 followers for each entity buying fake accounts, Barracuda said.
“They’re becoming so profitable in being able to sell these accounts as ‘Fake Followers,’ that the side effect is they’re able to make money without necessarily causing harm,” Judge said. “To some degree, it’s taking some of their attention away from spreading malicious links.”
While Judge said Barracuda doesn’t have good visibility into click-through rates, they do get an indication of profitability from the phony accounts that are used to sell fake followers.
“When you look at a fake account being used to sell itself as a follower, one simple measure of how much business they’re getting is how many accounts they are following; those are their customers,” Judge said. “One thing we’re able to do, for each army of fake accounts, we’re able to look at how many people they’re following, look at the number of unique people they’re following and gauge the level of business they’re having. For some of these, we’re able to see based on the amount they charge per follower, these businesses are generating $20,000 to $30,000 per month on the side of the business just selling fake followers.”
The entire operation is automated, from the quality of the websites they’re using (easy click-to-pay, slick designs) to the scripting that builds armies of fake followers.
“From the APIs Twitter provides, it’s so easy to script interactions with Twitter’s websites, it’s one of the things that made this grow so quickly,” Judge said. “The ease of which you can become a member and start tweeting, it’s a low barrier that makes it so easy for attackers to take advantage of it versus other social networks that are more complicated.”
Judge said more than 90 percent of the tweets are automated and sent through the Twitter website, which is actually a giveaway that something is amiss given that legitimate users send most of their tweets through mobile applications or third-party clients.
“Look at fake ones, there’s a much higher proportion through Twitter’s websites because it’s all scripted,” Judge said. “We’re also able to see different bursts during the day. You’ll often see an account that doesn’t tweet all day and then see minutes where there are tweets and then it disappears for the rest of the day.”
The problem for businesses and consumers, however, is that social networks are often the first measure of a business’s or person’s reputation and trustworthiness. That’s what makes this such an appealing avenue for hackers to exploit.
“The disconnect is that the average person thinks that social media is a measure of popularity, when in reality, all you did was spend $11 for your followers. It’s the equivalent of buying a Zagat review or a five-star rating,” Judge said. “You’re buying accreditation.”
As promised, Yahoo formally kicked off its bug bounty program late last week, aiming to correct what many in the security industry viewed as misstep after it handed out a paltry $12.50 credit to a researcher for discovering a cross-site scripting error.
The company caught flak in September when it was reported that the $12.50 – a scant prize as it is – came as a discount code that could be used toward Yahoo-branded merchandise like t-shirts, cups and pens from its store.
Yahoo’s Security Director Ramses Martinez addressed the program’s rules in a post to its Developer Network Tumblr Thursday, joking that he hopes the program will “usher in a new, less-shirt-centric era for security at Yahoo.”
Researchers can now officially submit vulnerabilities they find in Yahoo and Flickr-branded apps and websites to the company via bugbounty.yahoo.com.
The laundry list of vulnerabilities eligible for a bounty is about on par with the lists of other websites who recently started programs of their own (Google, Facebook):
- Cross-Site Scripting
- SQL Injection
- Open Redirect
- Remote Code Execution
- Cross-Site Request Forgery
- Directory Traversal
- Information Disclosure
- Content Spoofing
As Martinez acknowledged in early October, the program will reward researchers who discover a previously unknown technical vulnerability and responsibly disclose it. Researchers will be rewarded with between $250 and $15,000 depending on the severity and complexity of the issue. Martinez adds that submissions will be validated 24 hours a day and seven days a week and that members of Yahoo’s security team will personally respond to everyone who submits a bug.
As with most bug bounty programs there’s a little bit of a gray area when it comes to other vulnerabilities that may not fit into a category above. Yahoo promises it will find another way to recognize researchers’ efforts for random vulnerabilities on other Yahoo-branded sites as long as they’re not related to networking protocol issues, social engineering or found in software that is no longer supported.
Much like Facebook does with researchers who responsibly disclose issues, Yahoo will now display the names of those who report vulnerabilities on what it’s calling a “Wall of Fame.”
The company’s lack of best practices was brought to light earlier this fall when High-Tech Bridge, a Swiss security firm, sent a series of XSS vulnerabilities to firstname.lastname@example.org. Each one was met with a $12.50 Yahoo store credit.
As expected, the security community was incensed and Yahoo eventually responded, rewarding High-Tech Bridge with $1,000 for the vulnerabilities and, after “meetings, emails, new contacts, and tons of discussions,” ultimately forming the company’s new bug bounty program.
The National Institute for Standards and Technology has taken an important step toward repairing what the National Security Agency has allegedly fractured by initiating a review of its cryptographic standards development processes.
NIST-sponsored algorithms are at the heart of numerous crypto standards used to secure communications and commerce, as well as serving as the foundation for a number of commercial software products.
Revelations from whistleblower Edward Snowden have shone a light on possible NSA subversion of some widely used encryption algorithms, not only casting doubt on the integrity of the technology, but damaging NIST’s stature as a standards body of reckoning. Some Snowden documents, in particular a set published in September by the New York Times, said that the NSA had subverted encryption standards by either deliberately weakening algorithms the agency helped build, or by inserting backdoor code that could give the NSA access to any online communication it chooses.
Matthew Scholl, Deputy Chief of the NIST computer security division, told Threatpost he hopes the outcome of the review is a validation and verification of the processes NIST uses to create crypto standards, likening it to quality assurance and quality control. He added that this type of review doesn’t stray too far from established NIST reviews of its processes, though this one will likely be a bit more public. NIST said it will solicit feedback during the review from the academic crypto community, other standards bodies, the government and international partners, as well as industry partners.
“The damage is broad and deep, not just to NIST but to industry and government at large,” Scholl said. “We are trying to ensure we maintain the confidence of and keep the active participation of external crypto communities in our work. We want to ensure we maintain confidence and trust in what we do and continue to get that participation–which we get when we have confidence and trust.”
The leaks have enumerated the depths of NSA surveillance, and the exposure of subverted crypto standards has increased skepticism over NSA-sponsored cryptography. The most high-profile infiltration may have been the insertion of backdoor code in the Dual EC-DRBG algorithm; in September, NIST recommended that developers no longer use the algorithm until a review was complete. RSA Security followed suit with a similar recommendation. Dual EC-DRBG is the default random number generator in a number of RSA products, including RSA BSAFE libraries and RSA key management software.
NIST said it is concerned by the NSA leaks because it threatens the integrity of its efforts.
“We strive for a consistently open and transparent process that enlists the worldwide cryptography community to help us develop and vet algorithms included in our cryptographic guidance,” said Donna Dodson, chief of the NIST computer security division. “NIST endeavors to promote confidence in our cryptographic guidance through these inclusive and transparent development processes, which we believe are the best in use.”
Prominent crypto experts such as Matthew Green of Johns Hopkins University have voiced the same concern. Green told Threatpost in September, upon publication of an explosive New York Times article on the NSA’s crypto activities: “The U.S. has had an enormous influence on crypto around the world because we have NIST. You could see people break away from NIST, which would hurt everyone, and move to regional standards. That stuff is a problem.
“We trust NIST because there are a lot smart people there. If you split up into regions, it’s possible things could get less secure,” Green added. “You could end up with more vulnerabilities; standards get weaker the less effort you put into it.”
NIST said the review is in its early stages and that experts involved are still compiling goals, determining which algorithms will be reviewed and how they will be reviewed.
“Once complete, we will invite public comment on this process,” Dodson said. “We also will bring in an independent organization to conduct a formal review of our standards development approach and to suggest improvements. Based on the public comments and independent review, we will update our process as necessary to make sure it meets our goals for openness and transparency, and leads to the most secure, trustworthy guidance practicable.”
An audit of the Department of Energy has shown that 29 new weaknesses emerged on the agency’s networks this year, in addition to 10 existing ones that the DoE failed to fix after a 2012 audit.
The audit, undertaken by the Office of Inspector General and the Office of Audits and Inspections, revealed weaknesses in security reporting, access controls, patch management, system integrity, configuration management, segregation of duties, and security management at 11 of the DoE’s 26 facilities. The audit report does not name specific locations or identify specific vulnerabilities.
It found 11 access control deficiencies distributed across eight facilities. The infractions at these locations included sub-par management of user access privileges, inappropriate granting of physical access to sensitive facilities, failure to implement multifactor authentication for remote access, and wide deployment of default or easily guessable log-in credentials on servers or network services.
At five locations, auditors discovered that systems administrators were doing a poor job of implementing software, application, and operating system patches, leaving department machines exposed to scores of known vulnerabilities. The audit report notes that these are the sorts of weaknesses that gave attackers the ability to steal the personally identifiable information of more than 100,000 individuals stored in those systems earlier this summer.
Six locations housed machines with improperly implemented Web applications, some of which contained poorly conceived validation and user-authentication features in systems that support financial management and other sensitive functions.
Auditors identified five different configuration management weaknesses at three separate locations. IT teams at these locations failed to develop organizational configuration management policies, inconsistently implemented configuration change control procedures, and did not adequately manage application change control procedures.
At one location, the audit revealed that employee roles were neither clearly defined nor regularly followed.
The last weakness listed in the audit relates to proper security training for employees, not all of whom had completed security training. They also failed to report cyber security incidents, maintain a system inventory of such events, and regularly review the logs detailing those events.
Beyond these, the department also failed to issue reports on the security information of the more than 450 contractor-operated systems, which, the report claims, are the same systems that contained most of the vulnerabilities detailed in this and former audits.
The Inspector General’s office is conducting a criminal investigation of the July 2013 attack that exposed the PII of hundreds of thousands of individuals. The results of that inquiry will be made public in a separate report at a later time.
The report issued the following recommendations to DoE staff:
- Correct the weaknesses identified with the implementation of appropriate controls.
- Ensure that policies and procedures are developed, as needed, and are implemented in accordance with federal and department requirements to adequately secure systems and applications.
- Ensure that effective performance monitoring practices are implemented to assess overall performance for protecting information technology resources.
- Fully develop and use plans of actions and milestones to prioritize and track remediation of all cyber security weaknesses requiring corrective actions.
- Ensure that the department includes information for both federal and contractor systems when reporting the status of performance metrics annually to the Department of Homeland Security.
DoE management received the report, largely agreeing with its findings, and has committed to correcting the weaknesses identified therein.
You can read the full report here [PDF].
Having found some initial success with its first foray into the bug bounty world, Microsoft is expanding the program to open up payments of up to $100,000 to incident response teams and forensics experts who come across active attacks in the wild that include new techniques that bypass exploit mitigations in place on the newest version of Windows.
The change is designed to broaden the field of people who can submit new attack techniques to Microsoft, therefore helping the company further secure Windows. In order to qualify for the new program, organizations or individual contributors need to pre-register with Microsoft by sending an email to doa[at]microsoft[dot]com and then submit both a technical analysis of the new technique, as well as proof-of-concept code. Katie Moussouris, senior security strategist at Microsoft, said that the new addition to the bounty program also should allow organizations that are the victims of malware attacks to come forward with contributions.
“The reason we’re asking for proof-of-concept code is that a lot of people may be shy about sharing custom malware samples because there could be identifying information in there,” she said. “We’re interested in the technique. If they want to send us the sample, that’s fine too. We don’t see a lot of new attack techniques, because they’re really rare.”
The Microsoft bug bounty program is different from most vendors’ programs, as it pays out not for individual vulnerabilities but rather for new attack and defensive techniques. The company paid its first $100,000 bounty in October to researcher James Forshaw, who discovered a new technique for bypassing the Windows exploit mitigations. Moussouris said the addition of incident response teams and forensics specialists had been in the works for some time, but the company wanted to wait to announce it until after someone had collected a bounty.
But there’s also another motive for the new bounty: causing havoc in the vulnerability marketplace.
“We’re deliberately doing this to disrupt the existing vulnerability and exploit marketplace,” Moussouris said. “The black market pays much higher prices, but part of what they’re paying for is exclusivity and relying on the technique staying secret as long as possible. I want this to be an incentive for people to blow these ops.”
The idea is to reduce the amount of time that a new technique is useful for attackers, Moussouris said. And this isn’t the end of the changes to the bounty program, either.
“I have some other things up my sleeve,” Moussouris said.
Image from Flickr photos of Pascal.
Apple enabled a feature in its recent OS X Mavericks update that neutered the BEAST cryptographic attacks. BEAST is a two-year-old attack tool that exploits a vulnerability in TLS 1.0 and SSL 3.0 and could lead to an attacker stealing HTTPS cookies or hijacking browser sessions.
Apple’s Safari browser was the lone holdout among major browsers in enabling by default the 1/n-1 split that mitigates the attacks; the other leading browsers had turned it on by default by early 2012. The code, meanwhile, has been present since the previous OS X Mountain Lion release but had not been turned on until OS X 10.9 Mavericks.
The 1/n-1 split technique stops attackers from being able to predict which initialization vector block will be used to mask a given block of plaintext data before it is encrypted. Ivan Ristic, director of application research at Qualys, told Threatpost in September that a man-in-the-middle position would allow an attacker to predict those blocks and influence what is encrypted. An educated attacker with enough guesses would likely land on the correct block, Ristic said.
He wrote in a blogpost at the time that the BEAST attack would help retrieve small data fragments that would give an attacker some guidance.
“That might not sound very useful, but we do have many highly valuable fragments all over: HTTP session cookies, authentication credentials (many protocols, not just HTTP), URL-based session tokens, and so on,” Ristic said. “Therefore, BEAST is a serious problem.”
With the Mavericks release, however, Ristic said at first he didn’t think the 1/n-1 split had been enabled by default. Safari did support TLS 1.2, which Ristic said was an important update, but that alone did not mitigate BEAST attacks because they targeted TLS 1.0 and earlier protocols.
“Client-side support for TLS 1.2 is currently not sufficient because (1) only about 20 percent of servers support this protocol version, and (2), all major browsers are susceptible to protocol downgrade attacks, which can be carried out by active MITM attackers,” he wrote last week.
Ristic dug beyond the security release notes for Mavericks into some of the source code Apple released as open source and found that the 1/n-1 split had indeed been turned on.
“With this, we can finally conclude that BEAST has been sufficiently mitigated client-side, and move on,” Ristic said.
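Why the split works, as an added example (not Apple’s or Qualys’s code): a small model of the TLS 1.0 CBC record layer shows that the IV an observer reads off the wire is exactly the IV used for the next record, unless the first byte is sent in its own record, in which case the bulk of the data is masked by a ciphertext block that did not exist when the plaintext was chosen. The key, IV and sample requests are constructed; the record MAC and exact TLS padding are left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Added example (not Apple's or Qualys's code) modelling the TLS 1.0 / SSL 3.0 CBC record
// layer with and without the 1/n-1 split; key, IV and plaintexts are constructed, MAC omitted.

// pad fills a record out to whole AES blocks (PKCS#7 style, standing in for TLS padding).
func pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpad reverses pad and returns nil on a malformed length byte.
func unpad(p []byte) []byte {
	if n := int(p[len(p)-1]); n >= 1 && n <= len(p) {
		return p[:len(p)-n]
	}
	return nil
}

// recordWriter chains IVs as TLS 1.0 does: record k+1 uses the last ciphertext block of record k.
type recordWriter struct {
	block cipher.Block
	iv    []byte // IV for the next record, already visible on the wire
	split bool   // apply the 1/n-1 split
}

func newRecordWriter(key, iv []byte, split bool) (*recordWriter, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &recordWriter{block: b, iv: append([]byte{}, iv...), split: split}, nil
}

// NextIV is the IV the next record will be encrypted under.
func (w *recordWriter) NextIV() []byte { return append([]byte{}, w.iv...) }

func (w *recordWriter) encryptOne(plain []byte) []byte {
	padded := pad(plain)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(w.block, w.iv).CryptBlocks(out, padded)
	w.iv = append([]byte{}, out[len(out)-aes.BlockSize:]...) // chain into next record
	return out
}

// Write sends data as one record, or as a 1-byte then (n-1)-byte record when split; it also returns the IV used for the bulk record.
func (w *recordWriter) Write(plain []byte) (records [][]byte, bulkIV []byte) {
	if w.split && len(plain) > 1 {
		records = append(records, w.encryptOne(plain[:1]))
		plain = plain[1:]
	}
	bulkIV = w.NextIV()
	records = append(records, w.encryptOne(plain))
	return records, bulkIV
}

// decryptRecords is the receiving side; it needs no change to accept split records.
func decryptRecords(key, iv []byte, records [][]byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	prev, out := append([]byte{}, iv...), []byte{}
	for _, r := range records {
		plain := make([]byte, len(r))
		cipher.NewCBCDecrypter(b, prev).CryptBlocks(plain, r)
		out = append(out, unpad(plain)...)
		prev = r[len(r)-aes.BlockSize:]
	}
	return out, nil
}

// bulkIVPredictable reports whether the IV masking the bulk of a record was visible on the wire
// before its plaintext was chosen; in CBC C = E(P XOR IV), which is what BEAST's guessing relies on.
func bulkIVPredictable(split bool) (bool, error) {
	key := []byte("0123456789abcdef") // constructed 128-bit key
	iv := []byte("constructed-iv!!")  // constructed 16-byte IV
	w, err := newRecordWriter(key, iv, split)
	if err != nil {
		return false, err
	}
	w.Write([]byte("GET / HTTP/1.0\r\n")) // an earlier record on the connection
	predicted := w.NextIV()               // what an observer can see at this point
	_, used := w.Write([]byte("Cookie: session=secret-value"))
	return bytes.Equal(predicted, used), nil
}

func main() {
	for _, split := range []bool{false, true} {
		p, _ := bulkIVPredictable(split)
		fmt.Printf("1/n-1 split=%v: bulk IV predictable=%v\n", split, p)
	}
}
```

The receiver needs no change, which is why the split could ship as a client-only fix: the 1-byte record is just another record to decrypt.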
BEAST was unveiled in September 2011 by researchers Juliano Rizzo and Thai Duong at the Ekoparty conference. An attacker in a man-in-the-middle position who can also get the victim’s browser to send chosen data over the connection can use it to recover plaintext, such as session cookies, from TLS 1.0 or SSL 3.0 sessions that use CBC cipher suites, and a stolen cookie is enough to hijack an online banking or ecommerce session.
Rizzo and Duong said that BEAST exploits a weakness dating back to the earliest versions of SSL, one that had long been thought to be impractical to exploit.
BEAST suits targeted attacks against specific individuals, because the attacker needs a man-in-the-middle position on the victim’s connection and a way to make the victim’s browser send chosen plaintext; it cannot be carried out at any kind of scale, Ristic said. Rizzo and Duong also never released the BEAST source code.
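To make the chaining problem and the mitigation concrete, here is an added example (not code from the article, from Ristic, or from any browser or TLS library). It models the TLS 1.0 CBC record layer with a toy block cipher (a 4-round Feistel network keyed through HMAC-SHA256, standing in for AES; the padding is PKCS#7-style, which differs from TLS padding in format but not in any way that matters here), lets the attacker prepend chosen bytes to a constructed 14-byte session cookie, and recovers the cookie one byte at a time by testing guesses against the predictable IV. With the 1/n-1 split switched on, the same attack finds no matching guess. The secret value, key sizes and the attacker model are all assumptions of the example.

```python
"""BEAST-style chosen-plaintext attack on TLS 1.0 CBC chaining, and the 1/n-1 split.

Added example, not part of the original article or of any browser's code.
Assumptions: the block cipher is a toy 4-round Feistel network built on
HMAC-SHA256 (a stand-in for AES, never use it for real), padding is PKCS#7
style, and the record layer is a minimal model of TLS 1.0 CBC in which the
IV of each record is the last ciphertext block of the previous record.
"""
import hashlib
import hmac
import os

BLOCK = 16


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """16-byte block permutation: 4 Feistel rounds, round function = HMAC-SHA256."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


class Tls10CbcSender:
    """CBC record layer with TLS 1.0 IV chaining; optionally applies the 1/n-1 split."""

    def __init__(self, key: bytes, split_1_n_1: bool = False):
        self.key = key
        self.chain = os.urandom(BLOCK)   # IV of the first record; afterwards the last ciphertext block
        self.split_1_n_1 = split_1_n_1

    def _encrypt_record(self, plaintext: bytes) -> bytes:
        prev, out = self.chain, b""
        padded = pkcs7_pad(plaintext)
        for i in range(0, len(padded), BLOCK):
            prev = toy_block_encrypt(self.key, bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev)))
            out += prev
        self.chain = prev                # TLS 1.0: the next record's IV is now visible on the wire
        return out

    def send(self, plaintext: bytes) -> bytes:
        """Returns everything that goes on the wire for one application write."""
        if self.split_1_n_1 and len(plaintext) > 1:
            # First byte in its own record: the IV for the remaining n-1 bytes is a
            # ciphertext block the attacker cannot know when choosing the plaintext.
            return self._encrypt_record(plaintext[:1]) + self._encrypt_record(plaintext[1:])
        return self._encrypt_record(plaintext)


def beast_recover(victim_send, next_iv, secret_len: int):
    """Attacker model: can make the victim send attacker-chosen bytes followed by a
    fixed secret (a URL path of his choosing followed by the Cookie header), sees
    every ciphertext, and therefore knows the next record's IV before it is used."""
    known = b""
    for i in range(secret_len):
        # Choose the prefix length so that secret[i] is the last byte of a block
        # whose other 15 bytes are already known.
        prefix = b"A" * ((15 - i) % BLOCK)
        t = (len(prefix) + i) // BLOCK
        iv_used = next_iv()
        ct = victim_send(prefix)
        blocks = [iv_used] + [ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK)]
        before_target, target = blocks[t], blocks[t + 1]
        head = (prefix + known)[t * BLOCK:t * BLOCK + 15]
        for g in range(256):
            guess = head + bytes([g])
            iv_next = next_iv()
            # E(probe XOR iv_next) == E(guess XOR before_target), which equals
            # `target` exactly when the guessed block is the real one.
            probe = bytes(a ^ b ^ c for a, b, c in zip(guess, before_target, iv_next))
            if victim_send(probe)[:BLOCK] == target:
                known += bytes([g])
                break
        else:
            return None                  # no guess matched: the chaining is no longer predictable
    return known


def run_attack(split_1_n_1: bool):
    """Constructed scenario: a 14-byte session cookie follows attacker-controlled bytes."""
    secret = b"session=7f3a9c"           # constructed sample secret
    sender = Tls10CbcSender(os.urandom(32), split_1_n_1)
    return beast_recover(lambda pre: sender.send(pre + secret), lambda: sender.chain, len(secret))


if __name__ == "__main__":
    print("TLS 1.0 chaining, no split :", run_attack(False))
    print("with 1/n-1 split           :", run_attack(True))
```

Each recovered byte costs at most 256 chosen-plaintext records, which is why the attack is practical against a cookie but needs the attacker to both sit on the connection and drive the victim’s browser. Note that the split does not hide anything from the attacker after the fact; it only ensures that the attacker has to commit to the probe before the IV that will mask it exists.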
Dennis Fisher talks with Katie Moussouris of Microsoft about her childhood exploits with Commodore 64 programming, ignoring her Barbies, growing up as a hacker, her days as a pen tester and the challenges of working on security at Microsoft.
http://threatpost.com/files/2013/11/10_moussouris.mp3
*Microsoft image via Robert Scoble’s Flickr photostream, Creative Commons
Giant technology companies have been vocal about the need for more transparency with regard to the national security requests for user data they receive. But until now, they’ve stayed out of the political fight to address government surveillance, in particular by the National Security Agency.
Facebook, Google, Apple, Microsoft, AOL and Yahoo co-authored a letter to four lawmakers on the Senate and House Judiciary Committees, asking not only for the ability to disclose details of the National Security Letter requests they receive, but also for surveillance reforms.
“Our companies believe that government surveillance practices should also be reformed to include substantial enhancements to privacy protections and appropriate oversight and accountability mechanisms for those programs,” the companies wrote in the letter, addressed to Chairman Patrick Leahy (D-Vt.), Michael S. Lee (R-Utah), John Conyers Jr. (D-Mich.), and Frank James Sensenbrenner (R-Wisc.).
The letter came days after the latest Edward Snowden leaks revealed that the NSA has been able to read unencrypted traffic moving between Google and Yahoo data centers by tapping the overseas fiber optic cables that carry data between the companies’ front-end servers and their data centers.
The tech giants also threw their support behind the proposed USA FREEDOM Act, a bill introduced by Sensenbrenner that would rein in the NSA’s data collection efforts, bring more transparency to the secret Foreign Intelligence Surveillance Court (FISC) and enable companies to release information related to Foreign Intelligence Surveillance Act (FISA) requests.
In the past few months, these companies have fought hard to counter the perception that they have been complicit with the NSA beyond what court orders compel, giving the spy agency direct access to their servers and users’ data.
“Our companies have consistently made clear that we only respond to legal demands for customer and user information that are targeted and specific,” the letter says. “Allowing companies to be transparent about the number and nature of requests will help the public better understand the facts about the government’s authority to compel technology companies to disclose user data and how technology companies respond to the targeted legal demands we receive.”
Meanwhile, yesterday the Senate Intelligence Committee advanced the FISA Improvements Act of 2013, which would allow the bulk collection of phone call metadata to continue.
“The NSA call-records program is legal and subject to extensive congressional and judicial oversight, and I believe it contributes to our national security,” said committee chairman Sen. Dianne Feinstein (D-Calif.) in a statement. “But more can and should be done to increase transparency and build public support for privacy protections in place.”
The document behind Wednesday’s revelation of NSA access to Google and Yahoo data, dated Jan. 9, said that in the previous 30 days the NSA had processed more than 181 million records, including not only metadata but email content such as text, audio and video, according to the Washington Post.
Google chief legal officer David Drummond told the Post that the company has been concerned about the possibility of this type of snooping and has been extending encryption across Google services, including the links between its data centers.
“We do not provide any government, including the U.S. government, with access to our systems,” he said. “We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform.”
Forget for a moment the impending cryptoapocalypse because of aging and/or subverted encryption standards and algorithms. Microsoft this week put out the word on the scourge that is Windows XP.
The latest Microsoft Security Intelligence Report goes to great pains to encourage users to move off the soon-to-be unsupported version of Windows. The report, which reflects telemetry collected by Microsoft’s security tools from January to June, points out that XP computers are six times more likely to be infected than newer versions of the OS.
“Older software is easier to break into and over time, cybercriminals learn how to bypass mitigations,” said Microsoft spokesperson Holly Stewart. “XP is no different. A good example is DEP (Data Execution Prevention) which was not commonly bypassed when it was released. The utility of that mitigation has degraded year over year.”
DEP, which arrived with XP Service Pack 2, and Address Space Layout Randomization (ASLR), introduced with Vista, are memory protections built into Windows. DEP marks data pages non-executable so that shellcode injected through a buffer overflow cannot simply be jumped to, and ASLR randomizes where code and data land so that an exploit cannot rely on fixed addresses. In 2006, there was one DEP bypass for every 13 vulnerabilities; that had almost reversed by 2012, Microsoft said, with six bypasses for every three CVEs. Attackers have found ingenious means of beating DEP and ASLR, chaining exploits for several vulnerabilities together, typically an information leak to learn addresses and return-oriented programming to execute existing code instead of injected code, to defeat these protections and get at data stored on the host machine.
“Newer software is less appealing to cybercriminals,” Stewart said. “Advanced technology is harder to exploit, and there’s been a long list of platform security improvements. XP, however, is not equipped to provide these innovations.”
Microsoft will end support for XP next April, meaning it will no longer provide security patches or advisories for vulnerabilities discovered in the platform. Yet according to the latest desktop operating system market share numbers, XP installations trail only Windows 7; Netmarketshare.com says XP is still running on 31 percent of desktops, while Windows 7 leads with 46.4 percent.
“From a security perspective, this is a really important milestone,” Stewart said. “Attackers will start to have a greater advantage over defenders. There were 30 security bulletins for XP this year, which means there would have been 30 zero-day vulnerabilities on XP [without support].”
Microsoft is also using a new metric, the encounter rate, alongside its infection rate. As explained in the Security Intelligence Report, an “encounter” is recorded when one of the company’s real-time security products detects malware on a computer, whether or not the machine ends up infected. The infection rate is still measured as Computers Cleaned per Mille, or CCM: the number of computers cleaned for every 1,000 executions of the Malicious Software Removal Tool (MSRT).
On the infection rate, Microsoft shows that XP SP3 machines are roughly six times more likely to be infected than machines running Windows 8 RTM: 9.1 XP computers cleaned per 1,000 versus 1.6 Windows 8 machines. The encounter rates are much closer, with 16.1 percent of XP SP3 machines reporting an encounter versus 19.1 percent of Windows 7 machines and 12.4 percent of Windows 8 computers. In other words, XP machines meet malware about as often as newer systems but are far more likely to succumb to it.
“The encounter rate gives you an idea of how frequently a customer is exposed to a malware threat,” Stewart said. “We’ve reached a tipping point where this dated architecture can’t be relied upon.”
Researchers from the Microsoft Malware Protection Center (MMPC) have seen a spike in Win32/Upatre infections in recent months. The trojan compromises host machines through malicious email attachments and, once installed, downloads additional malware from its command-and-control server.
The spam campaign is distributing Upatre with the following malicious attachments, where ‘<variable names>’ can be domains, company or individual names, or even random letters or words: USPS_Label_<random number>.zip, USPS – Missed package delivery.zip, Statement of Account.zip, <number>-<number>.zip, TAX_<variable names>.zip, Case_<random number>.zip, Remit_<variable names>.zip, ATO_TAX.zip, and ATO_TAX_<variable names>.zip.
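A mail gateway or log pipeline can turn the attachment-name templates above into a check. The following is an added example, not MMPC or Microsoft code: the templates are the ones listed in the article, but how each ‘<…>’ placeholder is expanded into a regular expression is an assumption made here, and the sample MTA log lines are constructed for the demonstration.

```python
"""Mail-gateway check for the Upatre attachment-name templates listed above.

Added example, not MMPC or Microsoft code. The templates are the ones quoted in
the article; the placeholder expansions and the log-line format are assumptions
made here, and the sample log lines are constructed.
"""
import re

UPATRE_TEMPLATES = [
    "USPS_Label_<random number>.zip",
    "USPS - Missed package delivery.zip",
    "Statement of Account.zip",
    "<number>-<number>.zip",
    "TAX_<variable names>.zip",
    "Case_<random number>.zip",
    "Remit_<variable names>.zip",
    "ATO_TAX.zip",
    "ATO_TAX_<variable names>.zip",
]

# Assumed expansions: digits for the numeric placeholders; for '<variable names>'
# anything the article mentions (domains, company or personal names, random words).
PLACEHOLDERS = {
    "<random number>": r"\d+",
    "<number>": r"\d+",
    "<variable names>": r"[A-Za-z0-9][A-Za-z0-9 ._-]*",
}


def template_to_regex(template):
    """Escape the literal parts of a template and substitute each placeholder."""
    parts, pos = [], 0
    for m in re.finditer(r"<[^>]+>", template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append(PLACEHOLDERS[m.group(0)])
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    # Anchored and case-insensitive, so 'usps_label_1.ZIP' does not slip past.
    return re.compile(r"\A" + "".join(parts) + r"\Z", re.IGNORECASE)


COMPILED = [(t, template_to_regex(t)) for t in UPATRE_TEMPLATES]


def match_template(filename):
    """Return the template an attachment name matches, or None."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].strip()   # drop any path component
    for template, rx in COMPILED:
        if rx.match(name):
            return template
    return None


ATTACH_RE = re.compile(r'attachment="([^"]*)"')


def scan_mail_log(lines):
    """Run the check over MTA-style log lines; returns (line number, filename, template)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for fname in ATTACH_RE.findall(line):
            t = match_template(fname)
            if t:
                hits.append((n, fname, t))
    return hits


# Constructed sample log lines (not real telemetry); the format is an assumption.
SAMPLE_LOG = [
    'from=<noreply@example.net> to=<bob@corp.example> attachment="USPS_Label_48231.zip"',
    'from=<billing@example.org> to=<alice@corp.example> attachment="invoice_2013-11.pdf"',
    'from=<tax@example.com> to=<carol@corp.example> attachment="TAX_acme-corp.zip"',
    'from=<ops@corp.example> to=<dave@corp.example> attachment="12345-67890.zip"',
    'from=<hr@corp.example> to=<erin@corp.example> attachment="Statement_of_Account.zip"',
]

if __name__ == "__main__":
    for hit in scan_mail_log(SAMPLE_LOG):
        print("line %d: %s matches %s" % hit)
```

The last sample line shows the limit of this kind of rule: a one-character change to the lure name (underscores instead of spaces) is enough to miss it, so templated filename matching belongs alongside attachment sandboxing and a policy on executable content inside archives, not in place of them.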
Telemetry data indicates that Upatre’s operators are delivering the trojan through exploit kits targeting Java and PDF vulnerabilities as well.
According to the MMPC, Upatre is primarily a conduit for delivering further malware. Thus far, its most common payload is ‘Win32/Zbot.gen!AM,’ a family of malware that steals credentials and potentially cedes control of infected machines to the attacker. More recently, researchers have seen the trojan installing ‘TrojanDropper:Win32/Rovnix.I’ as well. Rovnix writes malicious code to the NTFS boot sector and, according to the MMPC, injects code into explorer.exe so that it can download further malware from the domain ‘youtubeflashserver[dot]com’ each time an infected machine restarts.
Upatre is pulling this malware from a number of domains, including mytarta[dot]com, cyclivate[dot]com, pentruder[dot]co[dot]uk, and huyontop[dot]com.
The Zbot malware has historically used a domain generation algorithm so that the domains it fetches updates from cannot simply be blacklisted or taken down. The MMPC researchers report that it too is increasingly downloading other malware: at first the bitcoin-accepting ransomware known as CryptoLocker, and later ‘Trojan:Win32/Necurs.A’ as well, a piece of malware about which little is yet known.
Upatre is almost exclusively a U.S. problem, with nearly 97 percent of its infections taking place there. In an extremely distant second, third, fourth and fifth place are the United Kingdom (0.89 percent), Canada (0.46 percent), Australia (0.27 percent) and Japan (0.19 percent).
Dennis Fisher talks with Gary McGraw of Cigital about the progress of the BSIMM software security measurement model and how development organizations are addressing the challenges of securing their software.
http://threatpost.com/files/2013/11/digital_underground_131.mp3
The new Dark Mail Alliance formed this week by Lavabit and Silent Circle will offer an open platform for secure email that will use existing protocols and cloud storage as a way to evade surveillance. The new system, which should be available next year, is in some ways a throwback to the pre-Internet days, officials involved in the project said.
The Dark Mail project is a response to the current surveillance climate, which caused both Lavabit and Silent Circle to close down their previous secure email offerings. Lavabit, reportedly the service that NSA leaker Edward Snowden used, shut down rather than comply with an FBI demand for its encryption keys. Seeing the writing on the wall, Silent Circle decided to cease its own Silent Mail service preemptively soon thereafter.
In the weeks following those closures in August, engineers from Silent Circle began talking with Lavabit founder Ladar Levison and soon hit on the idea of building a new, Web-based secure email platform that would be resistant to surveillance and backdoors. The idea, said Jon Callas, co-founder of Silent Circle, involves sending a short routing message to the intended recipient over a protocol such as XMPP. That message carries a link to a cloud storage location where the recipient can pick up the actual email, which is stored encrypted; the key to decrypt it is included in the routing message. Because the key travels in the routing message, that message, rather than the stored content, is what has to be protected end to end.
“It separates the routing and addressing from the actual content of the email,” Callas said. “It makes it so an email, which could be anything from ten characters to a few megabytes, doesn’t have to be pushed all the way down the line and transferred from server to server and make sure everything is safe.”
Callas, a cryptographer who co-founded PGP Corp., another secure email provider, said that in some respects the Dark Mail idea relies on concepts from the dawn of the Internet age.
“This resembles in a lot of ways things that were done in the pre-Internet days. SMTP has served us well for many years, but it was not designed to be secure at all,” Callas said. “That means there’s all sorts of metadata that can’t be encrypted and sticks around forever. That data ought to be in a log somewhere, not in the email. It’s really trivial for people to pick it up and do metadata analysis on it.
“This is going forward into the past. We want to go back to using things that were used on LANs and update it using crypto. This is going to be an open offering for the Internet. Why not just open it up for everybody? We all decide that it’s better for the world to have an open, non-SMTP way to do email and those of us who are in the email business can offer whatever services we want on that infrastructure. Email was originally done with no security at all and we’ve been dialing it up ever since. Why not start over with high levels of security and let people dial it down if they want?”
Callas said that he hopes the new offering will be available sometime in 2014, but much of that depends on the amount of help the Dark Mail Alliance gets from the rest of the community.
“We view this as, if it’s successful, it will be tweaked by people in various ways, because I don’t expect that our ideas on how to do this are perfect,” Callas said. “I don’t think we’ve solved every problem there is.”
Back in August, Khalil Shreateh, a Palestinian security researcher listing his job status as “unemployee” discovered a bug on Facebook, the world’s largest social network, that gave him the ability to post content on any other user’s timeline. He then did what any entrepreneurial young security researcher would do: he went straight to the top, explaining exactly what he had discovered with a post on the wall of Facebook founder and CEO Mark Zuckerberg.
That’s right, he disclosed the details of his bug by exploiting the flaw in order to post the details of it on the timeline of Facebook’s CEO.
To be clear, Shreateh claims he had attempted multiple times to disclose his bug to Facebook’s White Hat program, but there was a misunderstanding between the two. Apparently Shreateh wasn’t providing enough technical information. Facebook would later confirm the existence of the bug, deactivate Shreateh’s Facebook account, and ultimately award him no bounty for the bug, explaining that he had violated the terms of service with his demonstration.
Surprisingly, the incident was little more than a misunderstanding. Facebook reactivated Shreateh’s account shortly after having deactivated it.
In fact, a Facebook spokesperson told Threatpost via email that Shreateh has since reported more bugs to their White Hat program, following the correct guidelines for these, and receiving bounty payments in turn.
The vulnerability here isn’t an incredibly critical one, but it is an access control failure: Facebook users should not be able to post content on, or even view, the timelines of anyone other than their friends unless the recipient has gone into their settings and specifically allowed everyone to post on their wall, and the server side was accepting such posts anyway.
Shreateh disclosed the bug through Facebook’s White Hat program by performing the attack on a seemingly random user. Initially, the security team at Facebook responded to Shreateh telling him that what he found was not a bug, which, Shreateh claims, is why he then performed the attack again, publishing a post on Zuckerberg’s timeline to show that there was indeed a vulnerability.
This, of course, is not what most researchers would consider responsible disclosure, which is likely the reason why Shreateh did not receive a bounty payment when Facebook eventually acknowledged the bug.
With new leaks about the extent of U.S. government surveillance coming almost daily, one constant remains among all the deterrents to the NSA’s prying eyes: encryption technology works. As far as we know, the math behind encryption is solid, despite the specter of some unnamed breakthrough made by the spy agency some years ago.
The Snowden documents don’t seem to substantiate this breakthrough as yet; any success the NSA has had in beating encryption may come from subverting NIST standards used to build the technology into products, or companies being legally forced or coerced into handing over the encryption key.
Tangentially, the government continues to try to make a case for the ability to force someone alleged to have committed a crime to decrypt their hard drives and turn over evidence. On a number of previous occasions, the courts have upheld Fifth Amendment protections against self-incrimination in such cases.
A case beginning Monday before the Massachusetts Supreme Judicial Court is an appeal of an earlier ruling involving Leon Gelfgatt, 49, an attorney from Marblehead, Mass., who was indicted in a mortgage fraud scheme in which he is alleged to have stolen more than $1.3 million. The government, in trying to make its case against Gelfgatt, sought to compel him to decrypt his hard drive. The judge in the case denied the request, saying that such an order would violate the Fifth Amendment.
The Electronic Frontier Foundation, a digital advocacy group, and the American Civil Liberties Union filed an amicus brief yesterday arguing that the Fifth Amendment privilege against self-incrimination prohibits compelled decryption. Hanni Fakhoury, staff attorney with the EFF, wrote in a blog post that the Fifth Amendment protects an individual from revealing the “contents of his mind” and that the government, through such an order, would be learning new facts in the case beyond the encryption key.
“By forcing Gelfgatt to translate the encrypted data it cannot read into a readable format, it would be learning what the unencrypted data was (and whether any data existed),” Fakhoury wrote. “Plus, the government would learn perhaps the most crucial of facts: that Gelfgatt had access to and dominion and control of files on the devices.”
The government’s argument is that the decryption is akin to providing the combination to unlock a safe, rather than compelling the production of decrypted files.
“That assertion is incorrect,” the brief says. “Just as encrypting a drive encrypts each and every one of its files, decrypting the drive makes available copies of all of its files.” The contention is that because the data is transformed and scrambled, decryption is more than a key, safe combination or password, the brief said.
In February 2012, a federal appeals court determined that a Florida man’s rights were violated when he was jailed for refusing to decrypt his hard drive. The EFF said this was the first time an appellate court ruled the Fifth Amendment protects against compelled decryption.
The EFF’s Fakhoury told Threatpost that the government has in the past suggested that encryption is used only by criminals to cover their tracks, while failing to point out legitimate business—and personal reasons—to encrypt data such as protecting trade secrets or personal data.
“In the surveillance environment, the need for encryption is especially strong because it often seems that strong technology is our last refuge from the government’s prying eyes,” Fakhoury said. “We’ve seen in all the leaks the government’s effort to undermine web encryption and so we must make sure they can’t undermine the physical device encryption here.”
Google is planning to add a new feature to its Chrome browser that will block malicious downloads automatically, helping to prevent drive-by downloads and the kind of malware that rides along with supposedly legitimate software.
The new addition to Chrome is already in the development queue, appearing in the company’s Canary channel, the earliest development release available. The feature is meant to protect users against the kind of malware that is often installed without their knowledge and then makes changes to their machines or installs other malicious components such as keyloggers or Trojans.
With this new feature enabled, Chrome will show users a small notification in the bottom of the browser window, alerting them that a download has been blocked automatically.
“In the current Canary build of Chrome, we’ll automatically block downloads of malware that we detect. If you see this message in the download tray at the bottom of your screen, you can click “Dismiss” knowing Chrome is working to keep you safe,” Linus Upson, vice president of Google, said in a blog post explaining the changes.
“This is in addition to the 10,000 new websites we flag per day with Safe Browsing, which is used by Chrome and other browsers to keep more than 1 billion web users safe.”
Along with automatic blocking of malicious downloads, upcoming versions of Chrome also have a feature that rolls the browser’s settings back to their original state at the press of a button. This can help users recover from a malware infection that changes browser settings, resets the home page or prevents users from removing a plugin or extension.
“Bad guys trick you into installing and running this kind of software by bundling it with something you might want, like a free screensaver, a video plugin or—ironically—a supposed security update. These malicious programs disguise themselves so you won’t know they’re there and they may change your homepage or inject ads into the sites you browse. Worse, they block your ability to change your settings back and make themselves hard to uninstall, keeping you trapped in an undesired state,” Upson said.
“We’re taking steps to help, including adding a “reset browser settings” button in the last Chrome update, which lets you easily return your Chrome to a factory-fresh state. You can find this in the “Advanced Settings” section of Chrome settings.”
Image from Flickr photos of F Delventhal.