Threatpost for B2B

The First Stop For Security News

Threat Modeling, Legos and Dancing Babies

Wed, 02/26/2014 - 15:14

SAN FRANCISCO–The concept of threat modeling has evolved quite a lot in the last few years, moving from an activity that massive software companies such as Microsoft and Google use to anticipate and defend against potential threats to their products to something that many smaller organizations practice. Starting a threat modeling system can seem daunting, but the good news is that there’s no one right way to do it, just the right way for a given organization.

Microsoft has been using some form of threat modeling internally for many years now and the company’s security group has spent a lot of time speaking publicly about the benefits of the practice and advocating for wider adoption of it. Adam Shostack, a program manager in Microsoft’s Trustworthy Computing group, has been one of the main proponents of threat modeling’s use, and he said that he’s reached the conclusion that threat modeling is not one defined set of methods or principles but a fluid and dynamic way of reducing security risks to products and services.

“I now think of threat modeling like Legos. There are things you can snap together and use what you need,” he said during a talk at the RSA Conference here Wednesday. “There’s no one way to threat model. The right way is the way that fixes good threats.”

Security experts often will tell developers that in order to build defensible and resilient products, they need to think like an attacker. That is, look at the product or system the way that a potential adversary would see it, find the weak spots that are ripe for exploitation and correct them. But Shostack said that isn’t exactly the most useful advice.

“Being told to think like an attacker is like being told to think like a professional chef,” said Shostack, who recently published a new book on the topic, Threat Modeling: Designing for Security. “A lot of security people like to cook, but if someone told you to go to the store and buy enough chickens for a restaurant that seats 78 people and turns over three times a night, you’d have no idea what to do.”

As with nearly everything in security these days, there are a number of methodologies, models, checklists and other aids designed to help organizations implement threat modeling. Those tools can be useful and have their places, Shostack said, but none of them should be seen as the perfect answer. Rather, use them as part of the process of putting building blocks in place as you construct a threat modeling program.

“We want to focus on finding good threats. Use your assets and the actions of attackers to make threats real,” he said. “It’s hard to go from a checklist to a broader system. You have to think about threat modeling your software as an end-to-end process.”

Of course, even the best and most well-constructed threat modeling program still has to deal with the most unpredictable and dangerous threat to the product: the end user. Trying to predict how users will misuse, abuse and break a piece of software is a fool’s errand, but Shostack said it’s still up to the professionals to put their products in the best position to survive in today’s environment.

“To tell people that they can’t use their computers for what they want is a battle we’re going to lose over and over again,” he said. “People don’t buy their computers to be secure. They buy them to watch dancing babies.”

 

Avaya to Patch Zero Days That Turn IP Phones into Radio Transmitters

Wed, 02/26/2014 - 13:20

SAN FRANCISCO — Two zero-day vulnerabilities in Avaya’s latest one-X 9608 IP telephones have been discovered and are expected to be patched on Friday by the provider.

Researcher Ang Cui, a Ph.D. candidate at Columbia University and chief scientist at Red Balloon Security, will demonstrate an exploit and provide details on the previously unreported vulnerabilities during a presentation, also on Friday at RSA Conference 2014.

Cui has previously discovered zero-days in other network-enabled embedded devices. He said the Avaya bugs are remotely exploitable, the exploits are relatively simple, and potentially millions of phones are at risk (Avaya and Cisco are IP phone market share leaders).

“It will absolutely compromise the phone remotely,” Cui said. His presentation will include a demonstration of a worm he wrote that remotely exploits the bug and exfiltrates raw audio data by turning the circuit board into a radio transmitter.

“It will do real-time speech detection and transmit a text transcript,” Cui said.

Dr. Salvatore J. Stolfo, a director at Red Balloon and advisor at Columbia University where Cui is a Ph.D. candidate, said the phone will continue to function as intended, but will also be turned into a listening post.

“With the receiver on the hook, the phone will transmit over the network,” Stolfo said. “You can spy on someone in an office if you are able to inject malcode remotely.”

The exploit, Cui said, bypasses security appliances scanning for malicious outgoing network traffic. He said the same attack is applicable to other embedded network devices such as printers and routers.

Cui and Stolfo said an attacker would be able to pivot from other vulnerable embedded devices on the network as well, again eluding detection by IPS and other security technology. Cui’s worm, for example, begins with a printer exploit of a 2011 firmware vulnerability which replaces the existing code with malicious firmware. An attacker would need to entice the victim to print, for example, an attachment containing the embedded malicious firmware. Once executed, the malware establishes a backdoor and awaits commands; the attacker could scan for other embedded devices such as IP phones and routers listening on the same port.

More than a year ago, Cui demonstrated an attack against a Cisco VoIP phone that also turned it into a listening device. He was able to put code on the phone by installing—and then removing—an external circuit board from the Ethernet port on the phone. Then using his smartphone, Cui was able to spy through the phone even though its Off-Hook switch was enabled. Cui said he was also able to pull off the same attack remotely, without the need for physical access to the device.

Podcast: RSA Wrap-Up – Day 1

Wed, 02/26/2014 - 11:27

Dennis Fisher and Mike Mimoso discuss the happenings on day one of the RSA Conference, including Art Coviello’s keynote and what makes the NSA mad.

http://threatpost.com/files/2014/02/digital_underground_146.mp3

 

The NSA is ‘Not Made of Magic’

Wed, 02/26/2014 - 07:00

SAN FRANCISCO–Of the small pool of people who have seen the Snowden documents, few, if any, are as technically savvy and knowledgeable about security and surveillance as Bruce Schneier. And after reading through stacks and stacks of them, Schneier says that yes, the NSA is extremely capable and full of smart people but “they are not made of magic”.

A cryptographer by training and a security thinker by trade, Schneier has spent many hours reading the Snowden documents and thinking about what they mean, both in terms of the NSA’s actual capabilities and their effect on data security and privacy. Much of the news, clearly, is not good on that front. The NSA has a dual mission: to protect the communications infrastructure of the United States and to eavesdrop on the communications of foreign nations. The agency, Schneier said, is very, very good at both of those missions, but it’s the eavesdropping piece that has grown exponentially in recent years as the Internet and mobile devices have become pervasive.

“The NSA has turned the Internet into a giant surveillance platform, one that is robust politically and technologically,” Schneier said during a talk at the RSA Conference here Tuesday. “When you have the budget of the NSA and you have the choice to get the data this way or get it that way, the correct answer is both. Fundamentally the NSA’s mission is to collect everything, and that’s how you have to think about it.”

That collect-everything mentality is enabled by the vast budget, reach and computing power that the NSA has at its disposal. Those advantages allow the agency to not just collect, but store, virtually any amount of data it chooses. But one of the NSA’s other key assets–and perhaps its largest advantage over other intelligence agencies–is its brain power. The agency employs an untold number of top mathematicians and cryptographers and computer scientists, and they all work on solving difficult problems. One of their tasks is overcoming a key obstacle for NSA data collection: encryption.

The NSA is known to be working on an unspecified capability to defeat SSL, and Schneier said that while he hasn’t seen any direct evidence of what that capability might be, there are a number of possibilities.

“My favorite idea right now is elliptic curves. If they know that certain curves are weak they could then try to get algorithms using those curves,” he said.

Other possibilities are some kind of factoring breakthrough, a successful attack on the RC4 cipher, which is known to have some problems already, or a method for exploiting weak random-number generators. But even with all of the resources at its disposal, the NSA currently has a difficult time dealing with encrypted traffic, Schneier said, and that’s something that users should use to their advantage.

“The NSA can’t break Tor and it [ticks] them off. Most crypto drives the NSA batty,” he said. “Encryption works and it works at scale. The NSA may have a larger budget than all of the other intelligence agencies combined, but they are not made of magic. Our goal should be to make eavesdropping more expensive. We should have the goal of limiting bulk collection and forcing targeted collection.”

Schneier added that now that many of the NSA’s methods and tools are out in the open, it’s reasonable to expect other agencies, as well as other classes of attackers, to adopt some of them.

“These techniques are spreading. Figure that this is a three to five-year window for cybercriminals to use them,” he said. “Today’s NSA programs are tomorrow’s PhD theses and the next day’s hacker tools. Surveillance is the business model of the Internet.”

 

EMET 5.0 Technical Preview Offers Secure Plug-In Control

Tue, 02/25/2014 - 17:37

SAN FRANCISCO – Enterprises beat up by wave after wave of Java exploits and calls to disable the platform may soon have some relief in sight.

Microsoft’s free Enhanced Mitigation Experience Toolkit will soon have a new feature that allows users to configure where plug-ins, especially those targeted by hackers such as Java and Adobe Flash, are allowed to run by default. The feature is called Attack Surface Reduction, and it’s one of two that Microsoft has made available in a technical preview of EMET 5.0 released today at RSA Conference 2014.

“ASR is going to help a lot of people,” said Microsoft software security engineer Jonathan Ness.

Blocking Java outright, despite some of the dire attacks reported during the past 15 months, isn’t an option for most companies that have built custom Java applications for critical processes such as payroll or human resources. With 5.0, users will have the option to run plug-ins in the Intranet zone while blocking them in the browser’s Internet zone, or vice-versa.

“It gives customers more control over how plug-ins are loaded into applications,” said Ness, explaining users will have the flexibility, for example, to allow Flash to load in a browser, but block it in an Office application such as Word or Excel. A number of advanced attacks have contained malicious embedded Flash files inside benign Word documents or Excel spreadsheets. Microsoft hopes to use feedback received on the Technical Preview to shape the final 5.0 product.

“Feedback is really valuable, and has helped shape this tool,” Ness said, adding that the release of EMET 4.1 was delayed right before launch to correct a shortcoming pointed out by a beta user. The customer was not pleased with EMET’s automatic termination of applications upon detecting an exploit, rather than having a configuration option available where the event could be logged and analyzed later.

Microsoft has been vocal about recommending EMET as a temporary mitigation for zero-day attacks against previously unreported vulnerabilities. EMET includes a dozen mitigations that block exploit attempts targeting memory vulnerabilities. Most of the mitigations are for return-oriented programming exploits, in addition to memory-based mitigations such as ASLR, DEP, heap spray and SEHOP protections. EMET is not meant as a permanent fix, but only as a stopgap until a patch is ready for rollout.

The second new feature in the EMET 5.0 Technical Preview is a number of enhanced capabilities to Export Address Table Filtering, or EAF+. Ness said EAF+ blocks how shellcode calls are made into EA table filtering.

“With OS functions such as open file or create process, exported code wants to jump into EAF. This filters the shellcode and blocks it if it’s an exploit,” Ness said. “We’re extending that with new filtering (KERNELBASE exports and additional integrity checks on stack registers and limits).”

EMET raises development costs for exploit writers with its memory protections, so much so that the recent Operation SnowMan APT attack included a module that detected whether an EMET library was present and if so, the exploit would not execute itself. Researchers have developed bypasses of EMET’s mitigations, first Aaron Portnoy of Exodus Intelligence last summer, and most recently, researchers at Bromium Labs who developed a complete EMET bypass.

Microsoft’s Ness said improvements to EMET’s Deep Hooks API protections have been rolled into the 5.0 Technical Preview that address the Bromium bypass. Whether it remains on by default in the final 5.0 remains to be seen as application compatibility issues have to be resolved first, Ness said.

Apple Fixes TLS/SSL Bug in OS X Mavericks

Tue, 02/25/2014 - 17:26

Apple today shipped a security update resolving a critical certificate-validation vulnerability in its OS X Mavericks operating system.

Details of the bug, which exists in OS X version 10.9.1 and is resolved by version 10.9.2, emerged on Friday after the company patched essentially the same bug in its iOS mobile operating system.

On unpatched systems, the bug affects the signature verification process in such a way that a server could send a valid certificate chain to the client and not have to sign the handshake at all, according to an analysis performed by security researcher Adam Langley. Langley says the problem arose from the way the certificate validation code processed two failures in a row.

“This signature verification is checking the signature in a ServerKeyExchange message. This is used in DHE and ECDHE ciphersuites to communicate the ephemeral key for the connection. The server is saying ‘here’s the ephemeral key and here’s a signature, from my certificate, so you know that it’s from me’,” Langley wrote in his analysis. “Now, if the link between the ephemeral key and the certificate chain is broken, then everything falls apart. It’s possible to send a correct certificate chain to the client, but sign the handshake with the wrong private key, or not sign it at all! There’s no proof that the server possesses the private key matching the public key in its certificate.”

Apple made the update that fixes this and a number of other bugs available a few hours ago. Apple warns that an attacker with a privileged network position can capture or modify data in sessions that should be protected by SSL or TLS on unpatched systems. Apple attributes the issue to a failure on the part of its secure transport mechanism to validate the authenticity of the connection. They claim to have resolved the problem by restoring certain validation steps that had been missing.
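The failure mode Langley describes, as an added C sketch (not Apple's code and not from the original article): a verifier that reaches its cleanup label with the error code still zero accepts a ServerKeyExchange whose signature was never checked, while a fail-closed version rejects it. The toy hash, the toy signature scheme and every function and field name here are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the message; field names are assumptions. */
typedef struct {
    const uint8_t *params;    /* randoms plus the server's ephemeral key */
    size_t         params_len;
    uint32_t       signature; /* should be made with the certificate's key */
} server_key_exchange;

/* Toy stand-ins, NOT real cryptography: FNV-1a as the digest and
 * "digest XOR key" as the signature, so only the control flow matters. */
static int toy_hash_update(uint32_t *state, const uint8_t *data, size_t len)
{
    if (data == NULL)
        return -1;
    for (size_t i = 0; i < len; i++)
        *state = (*state ^ data[i]) * 16777619u;
    return 0;
}

uint32_t toy_sign(uint32_t key, const uint8_t *params, size_t len)
{
    uint32_t digest = 2166136261u;
    (void)toy_hash_update(&digest, params, len);
    return digest ^ key;
}

static int toy_sig_verify(uint32_t cert_key, uint32_t digest, uint32_t sig)
{
    return sig == (digest ^ cert_key) ? 0 : -1;
}

/* Flawed: a stray unconditional jump reaches the cleanup label while err is
 * still 0, so the signature comparison below it never runs. */
int verify_ske_flawed(uint32_t cert_key, const server_key_exchange *ske)
{
    int err;
    uint32_t digest = 2166136261u;

    err = toy_hash_update(&digest, ske->params, ske->params_len);
    if (err != 0)
        goto done;
    goto done;                /* always taken; err == 0 means "verified" */
    err = toy_sig_verify(cert_key, digest, ske->signature); /* dead code */
done:
    return err;
}

/* Fail-closed: start from failure and report success only after every
 * check, including the signature over the ephemeral key, has passed. */
int verify_ske_fixed(uint32_t cert_key, const server_key_exchange *ske)
{
    int err = -1;
    uint32_t digest = 2166136261u;

    if (toy_hash_update(&digest, ske->params, ske->params_len) != 0)
        goto done;
    if (toy_sig_verify(cert_key, digest, ske->signature) != 0)
        goto done;
    err = 0;
done:
    return err;
}

int main(void)
{
    static const uint8_t params[] = { 0x17, 0x03, 0x01, 0x42 }; /* constructed */
    const uint32_t cert_key = 0xC0FFEEu;                         /* constructed */
    server_key_exchange good = { params, sizeof params,
                                 toy_sign(cert_key, params, sizeof params) };
    /* A signature that does not match the certificate's key. */
    server_key_exchange bad = { params, sizeof params, good.signature + 1u };

    printf("flawed, bad signature:  %s\n",
           verify_ske_flawed(cert_key, &bad) == 0 ? "accepted" : "rejected");
    printf("fixed,  bad signature:  %s\n",
           verify_ske_fixed(cert_key, &bad) == 0 ? "accepted" : "rejected");
    printf("fixed,  good signature: %s\n",
           verify_ske_fixed(cert_key, &good) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Building with an unreachable-code warning enabled (for example clang's `-Wunreachable-code`) flags the dead verification call in the flawed version.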

Due to the nature of the bug, Langley said certificate pinning – a defensive method that gives browsers the ability to associate a specific certificate with a specific site, thus preventing man-in-the-middle attacks – likely would not have any impact on this flaw, because there is no problem with the certificate itself:

“Because the certificate chain is correct and it’s the link from the handshake to that chain which is broken, I don’t believe any sort of certificate pinning would have stopped this.”

Another group of researchers from the security company CrowdStrike also looked at the code and noted that potential exploits of this vulnerability could include interception of sessions with webmail services, or any other SSL-protected sites.

“Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake,” reads the CrowdStrike analysis. “This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).”

The CrowdStrike researchers said that finding non-encrypted packet data in the SSL/TLS handshake could be indicative of exploit attempts targeting this vulnerability.

Of course, this certificate-validation problem is not the sole security fix issued today by Apple, which is well known for publishing long and pedantic security updates. Other updates include fixes for:

  • a number of Apache vulnerabilities;
  • a memory corruption problem related to the handling of type 1 fonts;
  • a few application sandbox bypasses;
  • the root certificate system;
  • a buffer overflow that could allow for arbitrary code execution in CoreAnimation;
  • a signedness issue in CoreText’s handling of Unicode fonts that could lead to arbitrary code execution or unexpected application termination;
  • a credential intercept for anyone using curl to connect to an HTTPS URL containing an IP address;
  • a bug that could allow an attacker to take control of the system clock;
  • an issue in Finder that could permit unauthorized access to certain files;
  • a memory leak problem spurred by maliciously crafted JPEGs;
  • an issue with the NVIDIA drivers through which the execution of a malicious application could result in arbitrary code execution within the graphics card;
  • multiple PHP vulnerabilities;
  • a double free bug that existed in QuickLook that could be exploited to result in an unexpected application termination or arbitrary code execution if an attacker downloaded a maliciously crafted Microsoft Word document;
  • a handful of QuickTime bugs that could lead to application termination or arbitrary code execution;
  • and a whole slew of problems affecting users that have not yet updated to the latest Mavericks iteration of OS X.

You can examine the full security contents of the update here.

 

Latest Instance of Pony Botnet Pilfers $200K, 700K Credentials

Tue, 02/25/2014 - 15:37

Attackers leveraged a Pony botnet controller to not only siphon away a large batch of account credentials but also to make off with over $200,000 in Bitcoin and other virtual currencies over a four month span, according to researchers this week.

It’s the second high profile instance of the Pony botnet seen over the last several months.

The source code for Pony, a botnet management interface, was initially leaked in the summer of 2013. The Trojan, whose sole purpose is to steal private data from infected machines, has been blamed for a sharp rise in data gathering attacks since.

According to a post on Trustwave SpiderLabs’ Anterior blog yesterday, the botnet’s latest iteration is much more advanced, and while the latest round of attacks only compromised a scant 85 wallets, they yielded roughly $200,000 in crypto-currency including Bitcoins (355), LiteCoins (280), PrimeCoins (33) and FeatherCoins (46).

“Despite the small number of wallets compromised, this is one of the larger caches of Bitcoin wallets stolen from end-users,” Daniel Chechik and Anat Davidi, two researchers with the company, rationalized Monday.

The two assert that “it’s only natural” that Pony would begin to start going after people’s virtual wallets.

The Bitcoin theft is in addition to a slew of credentials, over 700,000, that Pony pilfered from September 2013 to January including:

  • 600,000 website login credentials
  • 100,000 email account credentials
  • 16,000 FTP account credentials
  • 900 Secure Shell account credentials
  • 800 Remote Desktop credentials

While 700,000 may sound like a lot, the numbers are actually way down from a separate instance of Pony that SpiderLabs reported in December in which a campaign unearthed two million account credentials. Those usernames and passwords were mostly linked to Facebook, Google, and Twitter along with other social media sites but some were also linked to the ADP payroll service, something Chechik and Davidi warned at the time could “have direct financial repercussions.”

Also unlike the Pony incident in December, Trustwave researchers were able to glean a little more information about the geographical location of its victims this time around. In December the cybercriminals used a reverse proxy to drop the bots but this time the Pony bots interacted with a command-and-control (C+C) server, giving the researchers a much better idea about the campaign’s target. A chunk of the attacks were found taking aim at European users, with sites in Germany, Poland, Italy and the Czech Republic seeing 62 percent of the attacks.

As the following graphic illustrates, after a series of up and down attacks the attackers decided to pull the plug on the most recent campaign at 3 a.m. on January 17.

Still though, Trustwave believes Pony isn’t done infecting users. Speaking to Reuters, Ziv Mador, a security research director with the company, claims that while the company was able to disrupt its servers, he believes the crime ring is still operating and will continue to target virtual wallets in the future.

Along with Bitcoin and the currencies listed above, Pony also looks for 30+ different types of virtual currency, including Anoncoin, Fastcoin and Luckycoin to name a few. Trustwave is warning users with unencrypted wallets associated with one of the listed currencies that Pony may be looking for their money.

Chechik and Davidi claim that while it’s difficult to say with certainty that the Bitcoin wallets associated with the attack were necessarily raided, it’s also tough to verify that the transfers associated with them were legitimate. When it comes down to it though, they were compromised in some shape or form.

Because of the uncertainty around the compromised wallets – there’s really no way to contact their owners – the company has set up a tool, as a public service, to let users know if they’ve been implicated by Pony. Users can input their Bitcoin wallet public key or, on another site, their email address, to see if their credentials have been compromised by the most recent campaign.

News of the most recent Pony attack comes in the wake of revelations that the largest and most popular Bitcoin exchange, Mt. Gox, is nearing collapse. Monday saw Mt. Gox’s chief executive resign from the Bitcoin Foundation, the company delete all of its tweets and take its site offline as word began to circulate that the service was expected to file for bankruptcy. Bitcoin loyalists fear the worst amid rumors that the company may have suffered a catastrophic theft to the tune of 744,408 Bitcoins, or $350 million over the last few months.

Experts Urge Conservatism on Crypto Standards

Tue, 02/25/2014 - 15:19

SAN FRANCISCO–Security people are, by nature, cautious and methodical, and that is even more true of cryptographers. And in the current environment, when new adversaries seem to emerge on a daily basis and cryptographic standards are under intense scrutiny, a panel of some of the biggest names in cryptography said more conservatism and caution in the development and deployment of encryption is warranted.

In most years, the cryptographers’ panel at the RSA Conference here is a deep discussion of crypto standards, key lengths and the relative merits of various hash functions. But the bright light that has been shone on the NSA’s activities recently gave the panelists quite a bit more to discuss this year. The panelists, who included Adi Shamir of the Weizmann Institute, Ron Rivest of MIT, Whit Diffie of SafeLogic and Brian LaMacchia of Microsoft Research, had plenty to say about the revelations of the NSA’s reported efforts to undermine crypto algorithms and influence technical standards.

“I was most surprised by the Americans’ deep involvement in this,” said Shamir.

“We’ve had a loss of innocence as we’ve seen what goes on behind the curtains of government,” said Paul Kocher of Cryptography Research, who moderated the panel.

Some of the most damaging and concerning revelations to come from the Edward Snowden leaks have been about the agency’s alleged efforts to weaken some technical standards and crypto algorithms. There are also reams of documents showing the NSA’s work at getting around SSL in various ways, which Shamir said is actually a good sign.

“In all of the documents, there isn’t any indication that they managed to break the mathematics,” he said.

Still, the panelists agreed that the NSA revelations should serve as a reminder to cryptographers and product designers to err on the side of caution when it comes to design choices.

“We should really be putting a hefty degree of conservatism in our standards,” said Rivest, who, along with Shamir and Len Adleman, designed the RSA algorithm.

As the events of the last year have shown, standards and technologies that seem to be on solid footing one day can be revealed as weak or compromised the next. LaMacchia, of Microsoft Research, said that the prudent thing is to work under the assumption that at some point, the algorithm you’re designing or using will fail.

“You have to plan for your algorithm to fail. Early on I think we underestimated the effort it takes to move to a new cipher suite,” he said.

 

RSA’s Coviello Calls for Global Surveillance Reforms, Enhanced Privacy Protection

Tue, 02/25/2014 - 14:17

SAN FRANCISCO – RSA Security executive chairman Art Coviello today at RSA Conference 2014 made his first public comments about the security company’s relationship with the National Security Agency, painting the landmark firm as a victim of the spy agency’s blurring of the lines between its offensive and defensive missions.

A Reuters report in December alleged RSA Security was paid $10 million in a secret contract with the NSA to use encryption software—specifically the Dual EC DRBG random number generator—that the spy agency could easily crack as part of its surveillance programs. The deal goes back nearly a decade to 2006, and according to Reuters, represented one third of the company’s crypto revenue at the time.

The bombshell came three months after RSA Security followed NIST’s lead in September and recommended that developers no longer use the algorithm, which has long been considered weak and likely backdoored.

Coviello reiterated that RSA’s partnership with the NSA is a matter of public record, but that circumstances require a re-evaluation of that relationship. RSA, for example, works closely with the NSA’s defensive arm, the Information Assurance Directive (IAD); Coviello said he supports a presidential review group’s recommendation to simplify the NSA’s role as solely a foreign intelligence gathering unit and that the IAD be spun out and managed by another agency.

“When or if the NSA blurs the line between its defensive and intelligence gathering roles, and exploits its position of trust within the security community, then that’s a problem,” Coviello said during his keynote address kicking off the conference. “Because, if in matters of standards, in reviews of technology, or in any area where we open ourselves up, we can’t be sure which part of the NSA we’re actually working with, and what their motivations are, then we should not work with the NSA at all.”

Coviello also called for global reform of surveillance and privacy protections, outlining four principles he urges governments worldwide to consider. Those include the international renouncing of cyberweapons; cooperation between governments to investigate and prosecute cybercriminals; ensuring the security of commerce online and the protection of intellectual property; and ensuring privacy for individuals.

“All intelligence agencies around the world need to adopt a governance model that enables them to do more to defend us, and less to offend us,” said Coviello, who strongly denounced the use of cyberweapons and said governments should put limitations and bans on them similar to those imposed on nuclear and chemical weapons.

Coviello tried to bring historical context to the Dual EC DRBG controversy, which he said has flipped the industry’s perception of RSA Security to one of being in cahoots with the government rather than leading the charge against it in matters of privacy and protecting infrastructure. Coviello said the landscape changed in the late 1990s when RSA’s crypto patents expired and open source implementations of the famed RSA algorithm became the norm. Rather than fight the trend, Coviello said the company made a decision to lead as a contributor to standards efforts, including NIST and ANSI X9.

Coviello said in the early 2000s, RSA Security supported the move to the NIST-sponsored Dual EC DRBG, an elliptic-curve algorithm, over hash-derived algorithms. By 2006, NIST had made Dual EC DRBG a standard and RSA made the algorithm the default random-number generator in its BSAFE crypto libraries that were made available to developers and became foundational encryption technology in any number of home-grown and commercial applications. Dual EC DRBG was also the default RNG in its key management product RSA Data Protection Manager. BSAFE is embedded in many applications, providing cryptography, digital certificates and TLS security.

“Given that RSA’s market for encryption tools was increasingly limited to the U.S. federal government and organizations selling applications to the federal government, use of this algorithm as a default in many of our toolkits allowed us to meet government certification requirements,” Coviello said.

Dual EC DRBG had a target on its back going back to 2007 when suspicions were raised by cryptographers Dan Shumow and Niels Ferguson during a presentation at the CRYPTO conference, as well as in an essay by Bruce Schneier who said the inherent weakness in the algorithm “can only be described as a backdoor.”

The knock against the maligned algorithm is that it’s slow and contains a bias, meaning the random numbers it generates aren’t so random. Schneier wrote that the numbers have a relationship with a secret second set of numbers that enables anyone who knows that second set to predict the output of the random number generator.

“To put that in real terms, you only need to monitor one TLS Internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG,” Schneier said. “The researchers don’t know what the secret numbers are. But because of the way the algorithm works, the person who produced the constants might know; he had the mathematical opportunity to produce the constants and the secret numbers in tandem.”

Coviello said the rapid growth and relative young age of the Internet as a platform for commerce and communication has put us at a crossroads where “norms” are required.

“We are in the midst of chaos and confusion, but if we don’t figure out digital norms and do so quickly, the alternative may be extinction,” Coviello said. “Extinction of the Internet as a trusted environment to do business; extinction as a trusted environment to coordinate research and development; extinction as a trusted environment to communicate with each other.”

After a Turbulent Year, Still Some Optimism in the Security World

Tue, 02/25/2014 - 14:13

SAN FRANCISCO–Despite all of the revelations and accusations and recriminations in the security industry in the last year, Microsoft CSO Scott Charney said he is still optimistic about the industry’s ability to defend users. However, that optimism is tempered by concern about the threats those users face from attackers and governments alike.

The threat landscape is an ever-shifting thing, and the last 12 months have seen a massive change in the way that defenders perceive who their adversaries are. Governments and intelligence agencies have been added to many of those lists, and for companies like Microsoft that work closely with governments around the world, but also have hundreds of millions of corporate and home users, this makes for a precarious situation. They are often asked for user data by law enforcement and other government agencies, through court orders and search warrants and other tools.

However, Charney said Microsoft doesn’t simply hand over data any time it gets a request.

“We have never gotten an order for bulk data, and we would fight an order for bulk data,” Charney said during a keynote speech at the RSA Conference here Tuesday.

Microsoft, Google and other tech giants have in recent months been pushing the United States government for the ability to publish more data on the kinds and volume of government requests they get. The government has relented in part, allowing these companies to become slightly more specific about these requests.

On the other side of the coin, Microsoft also shares its source code with governments around the world, something that Charney acknowledged has raised concerns in some circles, with people questioning whether a government could find a new bug in Windows and use it for its own purposes.

“Is it possible a government could find a bug? Sure. But we do code reviews to look for bugs, too,” he said. “We require them to report bugs they find, but how do you enforce that? By the way, you don’t need the source code to find bugs. People find bugs all the time.”

Addressing the issue of government surveillance and the developments of the last year, Charney said he still has faith in the security community’s ability to respond.

“We’ve had hard problems before and we have to address them,” he said. “We have to do this while thinking about which actions are appropriate or not.”

TextSecure Sheds SMS in Latest Version

Mon, 02/24/2014 - 19:04

TextSecure, the secure messaging app developed by the encrypted communication provider WhisperSystems, is no longer merely a private short messaging service (SMS) application. According to a blog post penned by WhisperSystems co-founder Moxie Marlinspike, TextSecure is now a private, asynchronous instant messaging application that does not depend on SMS or multimedia messaging service (MMS).

In its latest version – released on Google Play today – encrypted group chat and push messaging capabilities are among the app’s new features. However, it also offers end-to-end encryption, forward secrecy, and deniability with little or no user input. To be clear, the TextSecure server never stores or has access to any user communication or other data.

“The new TextSecure protocol doesn’t require a round trip key exchange process, eliminates half-open sessions, and is lightning fast – all without compromising forward secrecy or deniability,” Marlinspike writes. “This creates an experience that takes encryption entirely out of the user’s way. A user simply sends a message, and it’s encrypted end to end, every time.”

Like Apple’s iMessage service, when a TextSecure user communicates with another TextSecure user, the service sends messages over a data network rather than via SMS – the protocol used by most other text messaging services. Under one configuration of the application, users can opt in to allowing TextSecure to fall back to SMS or MMS when they are communicating with users that do not have the TextSecure app. Also like iMessage, the messaging transport method is indicated by a color scheme (green for SMS; blue for data).

Under a second configuration, TextSecure acts more like WhatsApp, only ever communicating over a data-channel and only allowing for TextSecure-to-TextSecure communications.

At present, there is no iOS version of TextSecure, but Marlinspike says the app will be available for users of Apple’s various mobile devices in the near future.

The new version also added support for encrypted group chat. In order to maintain the privacy of these group sessions, the TextSecure server neither stores nor has access to group metadata such as lists of group members, the group title, or even the group’s avatar icon.

BitCrypt Ransomware Deploying Weak Crypto

Mon, 02/24/2014 - 16:43

A new piece of ransomware that emerged earlier this month is encrypting its victim’s files with an easily breakable cryptographic algorithm. BitCrypt, as it is known, purports to lock down files with 1024-bit RSA encryption but actually only deploys a much weaker 426-bit key.

According to researchers Cedric Pernet and Fabien Perigaud, the makers of BitCrypt may have accidentally deployed this much weaker encryption algorithm that is incredibly easy to break. So easy in fact, the researchers say they can break BitCrypt’s encryption using a standard computer in a matter of hours. Pernet and Perigaud are a pair of researchers working for Cassidian, the security division of the European Aerospace Defence and Space group.

The researchers first came across BitCrypt after it showed up and encrypted everything on a computer belonging to one of their friends. Research revealed that the domain ‘bitcrypt[dot]info’ was registered on February 3. Presumably, the victims of BitCrypt are directed toward this website, where they are told they must set up a Bitcoin purse and pay 0.4 Bitcoins into the Bitcoin wallet of the person or people responsible for BitCrypt. Once they have done that, there is a set of fields on the website where victims can enter their Bitcoin wallet ID number and their email address. Once the criminals see that they have received a payment from the infected users’ wallet, they can then send off the appropriate encryption key, so that user can then decrypt their files.

Pernet and Perigaud managed to find and analyze a VirusTotal sample of BitCrypt that had been submitted on February 9. BitCrypt claimed to use RSA 1024-bit cryptography.

The researchers then did a bit of reverse engineering and at first glance everything seemed legitimate. While it sought out files to encrypt, the malware ran a watching thread that monitored user activity and blocked any attempt to run taskmgr.exe or regedit.exe. The malware was encrypting any files with the following extensions:

.dbf, .mdb, .mde, .xls, .xlw, .docx, .doc, .cer, .key, .rtf, .xlsm, .xlsx, .txt, .xlc, .docm, .xlk, .text, .ppt, .djvu, .pdf, .lzo, .djv, .cdx, .cdt, .cdr, .bpg, .xfm, .dfm, .pas, .dpk, .dpr, .frm, .vbp, .php, .js, .wri, .css, .asm, .jpg, .jpeg, .dbx, .dbt, .odc, .sql, .abw, .pab, .vsd, .xsf, .xsn, .pps, .lzh, .pgp, .arj, .gz, .pst, and .xl

However, upon decoding one of BitCrypt’s configuration files, it became very apparent that BitCrypt’s writers had failed to deploy the encryption correctly.

“The [decoded] number has 128 digits,” the pair wrote in a blog post, “which could indicate a (big) mistake from the malware author, who wanted to generate a 128 bytes key.”

As it turned out, BitCrypt was deploying RSA-426 encryption rather than 1024. The researchers managed to break that cryptography in 43 hours on a quad-core PC and just 14 hours on a 24-core server.
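The gap between the 1024-bit claim and RSA-426 follows directly from counting decimal digits instead of bytes. The Python below is an added example, not the researchers' code; the 128-digit value is a constructed stand-in for the decoded number, and the function names are hypothetical.

```python
# Added example: measure a modulus against its claimed size and report which
# unit the author probably meant. The sample value is constructed, not BitCrypt's.
UNIT_BASE = {"decimal_digits": 10, "hex_digits": 16, "bytes": 256}


def bit_length_bounds(count, unit):
    """Smallest and largest bit length of a positive integer written with
    `count` symbols of `unit`, the leading symbol being non-zero."""
    base = UNIT_BASE[unit]
    return (base ** (count - 1)).bit_length(), (base ** count - 1).bit_length()


def audit_modulus(decimal_text, claimed_bits):
    """Compare the real size of a decimal-encoded modulus with the claim."""
    digits = decimal_text.strip()
    if not digits.isdigit() or digits[0] == "0":
        raise ValueError("expected a positive decimal integer without leading zeros")
    actual = int(digits).bit_length()
    # Which unit would have produced the claimed size with this symbol count?
    intended = [unit for unit in UNIT_BASE
                if bit_length_bounds(len(digits), unit)[1] == claimed_bits]
    return {
        "symbols": len(digits),
        "actual_bits": actual,
        "claimed_bits": claimed_bits,
        "meets_claim": actual >= claimed_bits,
        "shortfall_bits": max(0, claimed_bits - actual),
        "probable_intended_unit": intended[0] if intended else None,
    }


# Constructed 128-digit value standing in for the number found in the config file.
SAMPLE_DECODED_NUMBER = "9173" * 32


def demo():
    return audit_modulus(SAMPLE_DECODED_NUMBER, claimed_bits=1024)


if __name__ == "__main__":
    print("128 decimal digits ->", bit_length_bounds(128, "decimal_digits"), "bits")
    print("128 bytes          ->", bit_length_bounds(128, "bytes"), "bits")
    print(demo())
```

The same measurement works as a review check on any key-generation code: assert the bit length of the generated modulus rather than trusting the length of its encoded form.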

In general, ransomware is a type of malware that encrypts various seemingly important files on the machines of its victims. These scams then ask their victims to make some payment in exchange for the encryption key that would decrypt those files. There is never any guarantee that paying the ransom will decrypt anything.

In September 2013, a particularly potent piece of ransomware called CryptoLocker emerged. While ransomware is nothing new, CryptoLocker garnered enough attention to become one of those special pieces of malware that gets press attention outside the security industry. CryptoLocker’s efficacy spurred a bit of a surge in new ransomware samples.

For months, weak cryptography has been a hot topic in the security world because of revelations suggesting the U.S. National Security Agency had allegedly found ways of subverting popular cryptographic algorithms deployed by the big Internet firms to spy on those companies’ users en masse without warrant. This report from Pernet and Perigaud flips that narrative a bit, demonstrating not even cybercriminals are immune from making mistakes with cryptography.

If you’d like to read up on exactly where BitCrypt’s authors slipped up, you can find Pernet and Perigaud’s technical analysis here.

Bruce Schneier on Surveillance and Trust

Mon, 02/24/2014 - 12:37

Dennis Fisher talks with Bruce Schneier about the differences between bulk and targeted surveillance, the most concerning NSA revelations and making surveillance more expensive for intelligence agencies.

http://threatpost.com/files/2014/02/digital_underground_145.mp3

Researchers Develop Complete Microsoft EMET Bypass

Mon, 02/24/2014 - 09:43

SAN FRANCISCO — Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott is scheduled to deliver a presentation this morning at the Security BSides conference explaining how the company’s researchers were able to bypass all of the memory protections offered within the free Windows toolkit.

The work is significant given that Microsoft has been quick to urge customers to install and run EMET as a temporary mitigation against zero-day exploits targeting memory vulnerabilities in Windows or Internet Explorer.

EMET is not meant to be a permanent fix; instead, it is supposed to terminate or block actions by malware or exploits targeting previously unreported vulnerabilities until a patch is available.

Microsoft is expected to release the latest version of EMET this week during the RSA Conference; Rahul Kashyap, chief security architect at Bromium, said the company has been working closely with Microsoft and expects the vulnerability to be addressed in the new EMET release.

EMET comes with a dozen different mitigations starting with Data Execution Prevention and Address Space Layout Randomization, two key memory protections in Windows, as well as a handful of mitigations against return-oriented programming (ROP), heap spray and SEHOP mitigations, and more.

Kashyap said Bromium’s bypass bypasses all of EMET’s mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool.

“We analyzed all of the protections, and took an IE exploit and then we kept on tweaking the exploit payload until we were able to bypass all the mitigations available in EMET,” Kashyap said. “Everything is bypassed in its latest version.”

Kashyap said EMET has raised the bar significantly for exploit writers trying to beat Windows’ protections. Malware writers, such as those behind Operation SnowMan targeting the latest IE zero-day, have taken to adding modules that scan computers for EMET libraries and will not execute if EMET is installed.

“EMET, like any other tool, needs to know exploitation vectors to be able to block them. We tried to attack that very core, fundamental architectural drawback that most tools today have, which is you need to be detect an exploit in order to protect,” Kashyap said. “In this case, we studied the mitigations available in EMET and then we tweaked a payload to create a new vector variant which could bypass the existing mitigations.”

In a paper released today, DeMott explained that the researchers intended initially to target just the five ROP protections in EMET with a real-world browser exploit. The project grew to include all relevant protections including stack pivot protection, shellcode complete with an EAF bypass and more, DeMott wrote.

“The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code, offer little lasting protection,” DeMott wrote. “This is true of EMET and other similar userland protections.”

Bromium said its research focused on 32-bit Windows 7 systems running EMET 4.0 and 4.1 (ROP protection is not implemented for 64-bit processes, the paper said). ROP is an exploitation technique that evolved from ret2libc, which enables an attacker to inject and execute code by re-using code that already exists. The ROP technique changes executable permissions in memory space, DeMott explained in the paper, in order to execute the attacker’s code located elsewhere. An attacker must chain together a series of processes in order for ROP to succeed.

EMET has been bypassed numerous times before. Researcher Aaron Portnoy, cofounder of Exodus Intelligence, presented a paper during last year’s SummerCon that explained a number of EMET bypasses. Two years ago, a researcher in Iran named Shahriyar Jalayeri reported two bypasses of EMET’s five ROP protections.

You can expect researchers to continue to try to poke holes in EMET. The upcoming Pwn2Own contest at the CanSecWest Conference is offering a $150,000 grand prize to anyone able to bypass EMET running on Windows 8.1 and Internet Explorer 11.

Apple SSL Vulnerability Affects OSX Too

Sat, 02/22/2014 - 09:07

The certificate-validation vulnerability that Apple patched in iOS yesterday also affected Mac OS X up to 10.9.1, the current version. Several security researchers analyzed the patch and looked at the code in question in OS X and found that the same error exists there as in iOS.

Researcher Adam Langley did an analysis of the vulnerable code in OS X and said that the issue lies in the way that the code handles a pair of failures in a row. The bug affects the signature verification process in such a way that a server could send a valid certificate chain to the client and not have to sign the handshake at all, Langley found.

“This signature verification is checking the signature in a ServerKeyExchange message. This is used in DHE and ECDHE ciphersuites to communicate the ephemeral key for the connection. The server is saying ‘here’s the ephemeral key and here’s a signature, from my certificate, so you know that it’s from me’,” Langley wrote in his analysis. “Now, if the link between the ephemeral key and the certificate chain is broken, then everything falls apart. It’s possible to send a correct certificate chain to the client, but sign the handshake with the wrong private key, or not sign it at all! There’s no proof that the server possesses the private key matching the public key in its certificate.”

Some users are reporting that Apple is rolling out a patch for this vulnerability in OS X, but it has not shown up for all users as yet. Langley has published a test site that will show OS X users whether their machines are vulnerable.

He points out that because of the nature of the bug, certificate pinning likely would not have had any effect on this vulnerability. Certificate pinning allows clients such as browsers to specify the exact certificate that they associate with a given site, helping to prevent man-in-the-middle attacks. But in this case, there’s no problem with the certificate itself.

“Because the certificate chain is correct and it’s the link from the handshake to that chain which is broken, I don’t believe any sort of certificate pinning would have stopped this. Also, this doesn’t only affect sites using DHE or ECDHE ciphersuites – the attacker gets to choose the ciphersuite in this case and will choose the one that works for them,” Langley said.

Researchers at CrowdStrike also looked at the code, and said that likely attack scenarios could include interception of sessions with webmail services, or any other SSL-protected site, for that matter.

“Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake. This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system),” their analysis says.

The CrowdStrike researchers said that finding non-encrypted packet data in the SSL/TLS handshake could be an indication of exploit attempts against this vulnerability.

Apple Fixes Certificate Validation Flaw in iOS

Fri, 02/21/2014 - 17:31

Apple on Friday quietly pushed out a security update to iOS that restores some certificate-validation checks that had apparently been missing from the operating system for an unspecified amount of time.

Apple released iOS 7.06 on Friday and the only content in the update was a small security fix that the company said addressed a problem with the way that iOS handled certificate validation when establishing a secure connection.

“Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps,” the Apple advisory says.

The wording of the description is interesting, as it suggests that the proper certificate-validation checks were in place at some point in iOS but were later removed somehow. The effect of an exploit against this vulnerability would be that an attacker with a man-in-the-middle position on the victim’s network would be able to read supposedly secure communications. It’s not clear when the vulnerability was introduced, but the CVE entry for the bug was reserved on Jan. 8.

“An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS,” Apple said.

Certificate validation is a key step in establishing secure sessions, as attackers often employ techniques that involve spoofing certificates for high-value sites such as Google or Yahoo in the hopes of capturing users’ confidential data, such as user IDs and passwords. If the client doesn’t check to ensure that the certificate presented is in fact valid and issued for the proper site, the security of the connection can’t be trusted.

Dropbox Addresses Government Surveillance with Updated Privacy Policy

Fri, 02/21/2014 - 13:04

The online storage service Dropbox has amended its privacy policy at least in part to better address increased concerns regarding how the service perceives, responds to, and handles government requests for user-data.

The new government data requests principles come as part of broader and fairly standard terms of service and privacy policy update in which the company says it wants to be clearer about the ways it handles user data. As far as government requests for that data are concerned, Dropbox says it plans to be transparent, fight blanket data requests, protect all of its users, and provide trusted services.

On the point of transparency, the company believes it should be allowed to report the exact number of government data requests it receives, the number of accounts affected by those requests, and the laws used by the government to justify such requests. Presently, the company’s transparency report publicizes the number of law enforcement requests it receives and the number of accounts affected by those requests. However, Dropbox – like other tech firms – is limited in its ability to report information about the number of national security letters (NSLs) it receives.

In its most recent transparency report, the company said it received somewhere between 0 and 250 NSLs. Under their new data request principles, the company says it is continuing to fight for its right to be more explicit about the number of NSLs it receives, carefully noting that it may not receive any such letters at all.

Dropbox also shares the widely-held belief that data requests should be limited to specific people involved in targeted investigations. Therefore, the company says it will resist any requests attempting to gather information from large groups of users unrelated to a specific investigation.

“The US government has been seeking phone records from telecommunications companies related to large groups of users without suspicion that those users have been involved in illegal activity,” the company says. “We don’t think this is legal and will resist requests that seek information related to large groups of users or that don’t relate to specific investigations.”

Much of the conversation revolving around the NSA spying revelations has focused on U.S. citizens. If you listen to NSA director Keith Alexander or any other defenders of PRISM and similar programs, they are pretty open about the fact that they have the right to indiscriminately collect information of non-U.S. citizens. Dropbox now stands out in that it says it aims to protect the data of its users, regardless of citizenship.

Beyond that, Dropbox promises its customers that it will do everything in its power to guarantee that the government cannot access user information through backdoors, by exploiting security vulnerabilities, or through any means other than established legal process.

Threatpost News Wrap, February 21, 2014

Fri, 02/21/2014 - 11:48

Dennis Fisher and Mike Mimoso preview next week’s RSA conference, discuss the sessions they’re looking forward to covering and what the fallout from the NSA controversy will be during the week.

http://threatpost.com/files/2014/02/digital_underground_144.mp3

Researchers Find SSL Problems in WhatsApp

Fri, 02/21/2014 - 11:08

The Facebook acquisition of mobile messaging service WhatsApp has captivated the tech world this week. Much of that has to do with the massive $19 billion price tag and, to a lesser extent, the incredibly fast rise of the company. But while analysts and customers have been examining the deal, some security researchers decided to look at the security of WhatsApp itself.

WhatsApp is a text and multimedia messaging service that uses the Internet, rather than a cellular data network, as its base. The app grew slowly at first but exploded in the last couple of years and today claims 450 million active users. Security researchers at Praetorian, who have been running a project known as Project Neptune to assess the security of mobile apps, did a limited assessment of the iOS and Android versions of WhatsApp and discovered a number of issues around the way the app uses SSL.

The most serious problem they found was that WhatsApp does not enforce certificate pinning. The use of certificate pinning allows apps to specify a specific certificate that they trust for a given server. This helps defeat a number of attacks, specifically man-in-the-middle attacks that rely on spoofing the certificate for a trusted site. Many of the major Web browsers support certificate pinning now, but its adoption in the mobile world has been somewhat slower. Praetorian found that WhatsApp doesn’t enforce SSL pinning, potentially opening users up to MITM attacks.

“Within minutes, Project Neptune picked up on several SSL-related security issues affecting the confidentiality of WhatsApp user data that passes in transit to back-end servers. This is the kind of stuff the NSA would love. It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic. These security issues put WhatsApp user information and communications at risk,” Paul Jauregui of Praetorian wrote in an explanation of their test.

“WhatsApp does not perform SSL pinning when establishing a trusted connection between the mobile applications and back-end web services. Without SSL pinning enforced, an attacker could man-in-the-middle the connection between the mobile applications and back-end web services. This would allow the attacker to sniff user credentials, session identifiers, or other sensitive information.”

Jauregui said in an email interview that it is unfortunately quite common to find mobile apps that don’t perform certificate pinning.

“Surprisingly, it’s extremely common to see mobile apps without certificate pinning. This security control is used to counter the ability of an attacker to view and modify all traffic passing between the mobile device and backend server. It can also help protect against certificate authority trust failures during client and server negotiation, which coupled with the support of weak and null (plain text) ciphers—as found to be the case in WhatsApp—is an even bigger red flag,” he said.

The researchers also found a few other less-serious issues, including support for null ciphers, meaning that some data isn’t encrypted at all.

“With Null Ciphers supported, if the client mobile application attempts to communicate to the server using SSL and both parties do not support any common cipher suites—as a result of a malicious intercept—then it would fall back to sending the data in clear, plain text. Supporting Null Ciphers is not something we come across often—it’s quite rare,” Jauregui said.

Mobile app security has lagged behind the security of desktop and Web apps in many respects, as developers have moved to the new platforms and run into many of the same security issues that they encountered years before on the Web. This isn’t the first time that researchers have discovered security problems with WhatsApp. Several years ago it was reported that the app sent data in plaintext, and other researchers found that they could use an API to hijack any user’s account.

Fixing the certificate pinning issue can be done in a variety of ways, and Jauregui said it all depends on what the developers want to do.

“Level of effort can vary depending on how developers choose to implement certificate pinning. Pinning the certificate itself is the simpler way to do it, but it requires more maintenance over time because developers will have to make changes to the application whenever the cert changes. Another way to do it is by pinning the public key, which can be more difficult. Choosing the best way to go often depends on the frequency in which the certificate itself may change,” he said.
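The trade-off Jauregui describes between pinning the certificate and pinning the public key shows up as soon as a certificate is renewed with the same key. The Python below is an added example, not WhatsApp's or Praetorian's code; the three certificates are constructed, unsigned DER structures that only follow the X.509 field order, and all names are hypothetical.

```python
# Added example: certificate pin vs. public-key (SPKI) pin across a renewal.
# The certificates are constructed and unsigned; a pin check supplements normal
# chain validation and never replaces it.
import hashlib
import hmac


def der(tag, content):
    """Encode one DER TLV with a short- or long-form definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def read_tlv(buf, off):
    """Return (tag, content_start, content_end) for the TLV starting at off."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        size = first
    else:
        k = first & 0x7F
        size = int.from_bytes(buf[off:off + k], "big")
        off += k
    if off + size > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + size


def extract_spki(cert):
    """Return the full subjectPublicKeyInfo TLV from a DER certificate."""
    _, cert_start, _ = read_tlv(cert, 0)            # Certificate SEQUENCE
    _, off, tbs_end = read_tlv(cert, cert_start)    # tbsCertificate SEQUENCE
    fields = []
    while off < tbs_end:
        tag, _, end = read_tlv(cert, off)
        fields.append((tag, off, end))
        off = end
    if fields and fields[0][0] == 0xA0:             # optional [0] version
        fields = fields[1:]
    if len(fields) < 6:
        raise ValueError("tbsCertificate too short")
    # serial, signature alg, issuer, validity, subject, then the SPKI
    _, start, end = fields[5]
    return cert[start:end]


def pin(cert, mode):
    data = cert if mode == "certificate" else extract_spki(cert)
    return hashlib.sha256(data).hexdigest()


def pin_matches(cert, pinned, mode):
    return hmac.compare_digest(pin(cert, mode), pinned)


def make_spki(key_bytes):
    return der(0x30, der(0x30, b"") + der(0x03, b"\x00" + key_bytes))


def make_cert(serial, not_after, spki, sig):
    """Constructed sample: correct field order, empty names, fake signature."""
    validity = der(0x30, der(0x17, b"140101000000Z") + der(0x17, not_after))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + der(0x30, b"") + der(0x30, b"") + validity + der(0x30, b"") + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00" + sig))


SERVER_KEY = make_spki(bytes(range(140)))           # constructed key bytes
OTHER_KEY = make_spki(bytes(range(1, 141)))         # a different key
ORIGINAL = make_cert(1, b"150101000000Z", SERVER_KEY, b"sig-1")
RENEWED = make_cert(2, b"160101000000Z", SERVER_KEY, b"sig-2")     # same key
SUBSTITUTED = make_cert(3, b"160101000000Z", OTHER_KEY, b"sig-3")  # other key


def evaluate():
    """Pin the original certificate both ways, then test each presented cert."""
    presented = {"original": ORIGINAL, "renewed": RENEWED, "substituted": SUBSTITUTED}
    return {mode: {name: pin_matches(cert, pin(ORIGINAL, mode), mode)
                   for name, cert in presented.items()}
            for mode in ("certificate", "spki")}


if __name__ == "__main__":
    for mode, results in evaluate().items():
        print(mode, results)
```

The certificate pin rejects the legitimate renewal, which is the maintenance cost mentioned above, while the key pin survives it; both reject the certificate carrying a different key.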

Tinder Patches Vulnerability That Exposed User Locations

Thu, 02/20/2014 - 20:13

Developers with the popular dating application Tinder have fixed a vulnerability that up until last year could’ve allowed users to track other users, thanks to a hole in the app’s API and some old fashioned trigonometry.

Max Veytsman, a Toronto-based researcher with Include Security disclosed the vulnerability Wednesday on the firm’s blog, claiming that before it was fixed he could find the exact location of any Tinder user with a fairly high level of accuracy, up to 100 feet.

Tinder, available on iOS and Android, has been massively popular over the last year. It routinely appears in Apple’s list of most downloaded apps and apparently has been all the rage at this winter’s Olympic games in Sochi, Russia, with reports that many athletes are using it to kill downtime.

The app is a location-aware dating platform that allows users to swipe through images of nearby strangers. Users can either “like” or “nope” images. If two users “like” each other, they can message each other. Location is critical for the app to function — beneath each image Tinder tells users how many miles away they are from potential matches.

Include Security’s vulnerability is tangentially related to a problem in the app from last year wherein anyone, given a little work, could mine the exact latitude and longitude of users.

That hole surfaced in July and according to Veytsman, at the time “anyone with rudimentary programming skills could query the Tinder API directly and pull down the coordinates of any user.”

While Tinder fixed that vulnerability last year, the way they fixed it left the door open for the vulnerability that Veytsman would go on to find and report to the company in October.

Veytsman found the vulnerability by doing something he usually does in his spare time: analyzing popular apps to see what he finds. He was able to proxy iPhone requests to analyze the app’s API and while he didn’t find any exact GPS coordinates – Tinder removed those – he did find some useful information.

It turns out that before it fixed the problem, Tinder was being very exact when it communicated with its servers just how many miles apart users are from one another. One part of the app’s API, the “Distance_mi” function, tells the app almost exactly (up to 15 decimal places) how many miles a user is from another user. Veytsman was able to take this data and triangulate it to determine a user’s most recent locations.

Veytsman simply created a profile on the app, used the API to tell it he was at a random location and from there, was able to query the distance to any user.

“When I know the city my target lives in, I create three fake accounts on Tinder. I then tell the Tinder API that I am at three locations around where I guess my target is.”

To make it even easier, Veytsman even created a web app to exploit the vulnerability. For privacy’s sake, he never released the app, dubbed TinderFinder, but claims in the blog he could find users by either sniffing a user’s phone traffic or inputting their user ID directly.

While Tinder’s CEO Sean Rad said in a statement yesterday that the company fixed the problem “shortly after being contacted” by Include Security, the exact timeline behind the fix remains a little hazy.

Veytsman says the group never got a response from the company aside from a quick message acknowledging the issue and asking for more time to implement a fix.

Rad claims Tinder didn’t respond to further inquiries as it does not typically share specific “enhancements taken” and that “users’ privacy and security continue to be our highest priority.”

Veytsman just assumed the app was fixed at the beginning of this year after Include Security researchers looked at the app’s server side traffic to see if they could find any “high precision data” leakage but discovered that none was being returned, suggesting the problem was fixed.

Since the researchers never got an official response from Tinder that it had been patched and since the issue was no longer “reproducible,” the group decided it was the right time to post their findings.