A security researcher discovered a simple vulnerability in Verizon Wireless’s Web-based customer portal that enabled anyone who knows a subscriber’s phone number to download that user’s SMS message history, including the numbers of the people he communicated with.
The vulnerability, which has been resolved now, resulted from a failure of the Verizon Web app to check that a number entered into the app actually belonged to the user who was entering it. After entering the number, a user could then download a spreadsheet file of the SMS activity on a target account. Cody Collier, the researcher who discovered the vulnerability, said he decided right away to report it to Verizon because he is a Verizon customer and didn’t want others to have access to his account information.
“I am a Verizon Wireless customer myself, so upon finding this, I immediately looked for a way to contact Verizon. I wouldn’t want my account information to exposed in such way,” Collier said via email.
In his explanation of the attack, Collier said that simply modifying the subscriber’s phone number in the URL would give an attacker access to the SMS history for the targeted account. So, for example, a URL like the one below could be modified to include any other valid Verizon Wireless number, giving the attacker the ability to download a CSV file of the texts to and from the user’s phone. A sample URL would look like this:
Modifying the digits at the end, which represent the subscriber’s phone number, would grant the attacker access to whatever account he chose. The vulnerability has some similarities to one that was discovered and exploited on AT&T’s site in 2010, leading to the exposure of personal information belonging to more than 100,000 iPad owners. Andrew Auernheimer, also known as Weev, gave the data to a media site and eventually was convicted of identity fraud and other crimes, and is serving more than three years in prison.
However, Collier said he doesn’t see any comparisons between what he found and what Auernheimer did, specifically because Collier disclosed his findings to Verizon immediately and didn’t go public with the information until the flaw was fixed.
“This was reported in responsible disclosure, so I don’t see how this is being compared to Weev who had malicious intent,” Collier said.
Image from Flickr photos of Eric Hauser.
Dennis Fisher and Mike Mimoso discuss the big stories of the last couple of weeks, including the grassroots effort to audit the TrueCrypt source code, the Apple iMessage security model and Yahoo enabling SSL by default.http://threatpost.com/files/2013/10/digital_underground_129.mp3
The group behind Apache have pushed out a new version of Struts, fixing two issues in the framework that were giving developers difficulties over the past several weeks.
The Apache Software Foundation posted version 184.108.40.206 of the framework online Tuesday. The release fixes an access control vulnerability and fixes a problem with the parameter “action: prefix” that existed in a previous build.
The broken access control vulnerability was thought to be fixed in 220.127.116.11 but contained a bug in the mapping mechanism that could be used to bypass security constraints. The vulnerability was discovered by two researchers at Huawei’s Product Security Incident Response Team but has been fixed in 18.104.22.168. Two constants were added that now prevent those bypasses.
The problem with “action: prefix” is actually an old problem too. It popped up last month after it was reported on WooYun, a third party Chinese platform for reporting security bugs. It was discovered that on 22.214.171.124 manipulating parameters prefixed with “action:”/”redirect:/”redirectAction:” could lead to remote command execution.
Since the broken access control vulnerability has been given an important security rating, anyone who uses the framework is being encouraged to download the updates. 126.96.36.199 is available in either the full distribution, or in one of three separate distributions: the library, source, example and documentation portions.
Struts is an open source framework used by developers to create Java-based web apps.
The sanctity of the dev/random random number generator used in the Linux kernel has been a hot-button issue for more than a month. A petition posted to change.org in September to remove RdRand from dev/random, for example, was met with fury from Linus Torvalds who called the developer who posted it “ignorant,” suggesting not so nicely too that the developer learn more about cryptography.
Now a host of researchers from New York University and Northeastern University have cast doubt on the two Linux pseudo RNGs overall, dev/random and dev/urandom. In a paper released this week, “Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is Not Robust,” the researchers explain attacks that demonstrate inherent weaknesses in the respective algorithms, and also propose what they say is a simpler and more efficient PRNG.
“We show several attacks proving that these PRNGs are not robust according to our definition, and do not accumulate entropy properly. These attacks are due to the vulnerabilities of the entropy estimator and the internal mixing function of the Linux PRNGs,” the researchers wrote in their paper. “These attacks against the Linux PRNG show that it does not satisfy the ‘robustness’ notion of security, but it remains unclear if these attacks lead to actual exploitable vulnerabilities in practice.”
This is not the first time hardware-based security operations have been challenged in the academic world. Most recently, a team of researchers demonstrated how they were able to insert malware onto a chip, yet to detection mechanisms, the chip appears to be unchanged. They did so by changing the dopant polarity of transistors, leaving wiring and other circuitry untouched; dopant is added to semiconductors enabling it to conduct electricity.
The PRNG attacks against dev/random take issue with the randomness of the numbers being generated and how the PRNG could be manipulated in order for a third party to be able to guess or view a key. This is exactly the issue that forced RSA Security’s hand with regard to the Dual EC DRBG algorithm. RSA recommended to developers to stop using the RNG for fear that it might be compromised in some way by an intelligence agency. RSA’s recommendation came on the heels of a similar missive from NIST; Dual EC DRBG is the default random number generator for a number of RSA products including the BSAFE crypto libraries and RSA key management product RSA Data Protection Manager.
While there are no immediate fears the Linux PRNG in dev/random is compromised, the researchers do painstakingly look at the behavior of the entropy estimator and the mixing function used to refresh its internal state, the paper said.
“We have shown vulnerabilities on the entropy estimator due to its use when data is transferred between pools in Linux PRNG,” the paper said; the researchers, as a result, recommend that the functions of a PRNG do not rely on such an estimator.
VMware has released a slew of patches that fix vulnerabilities in a number of its products, including vCenter Server, vCenter Server Appliance, vSphere Update Manager, ESX and ESXi. Some of the flaws can lead to authentication bypass or denial of service on affected products.
The most serious vulnerability is a bug in vCenter Server 5.0 and 5.1 that could enable an attacker to bypass the need for valid credentials under some circumstances. In order for the vulnerability to be exploitable, the affected product must be deployed in an Active Directory environment, VMware said.
“vCenter Server when deployed in an environment that uses Active Directory (AD) with anonymous LDAP binding enabled doesn’t properly handle login credentials. In this environment, authenticating to vCenter Server with a valid user name and a blank password may be successful even if a non-blank password is required for the account,” the advisory says.
“The issue is present on vCenter Server 5.1, 5.1a and 5.1b if AD anonymous LDAP binding is enabled. The issue is addressed in vCenter Server 5.1 Update 1 by removing the possibility to authenticate using blank passwords. This change in the authentication mechanism is present regardless if anonymous binding is enabled or not.”
There also is a session fixation vulnerability in the vSphere Web Client Server through which an attacker could gain privilege escalation. Exploiting the vulnerability requires some knowledge of the target user’s session, however.
“The VMware vSphere Web Client Server contains a vulnerability in the handling of session IDs. To exploit this vulnerability, an attacker must know a valid session ID of an authenticated user,” the VMware advisory says.
The vulnerability in ESX and ESXi is a flaw in hostd-vmdb that could allow an attacker to cause a denial-of-service condition. In order to exploit this flaw, an attacker would need to intercept and modify the management traffic. The company also updated a number of third-party libraries, including OpenSSL, in several of its products.
The grassroots movement to audit TrueCrypt, the popular open source encryption tool, is gaining steam with tens of thousands of dollars already raised to fund the effort to not only professionally review the source code behind the tool, but also to legally review the custom license governing its use.
TrueCrypt has been downloaded more than 28 million times and is lauded as easy-to-use software that does its job of encrypting files, disk partitions, or entire devices. It’s “grandma-friendly” as one expert puts it, but there are plenty of worrisome aspects that users and security experts have looked past until now. For instance, it’s not publicly known who is on the development team behind TrueCrypt. Also, the most common TrueCrypt packages are downloadable binaries for Windows that cannot be compared to the original source code; those binaries behave differently than versions compiled from source code, experts say. With revelations of new NSA surveillance dropping almost weekly, paranoia and conspiratorial thinking is giving way second thoughts about even the most trusted software.
“I’m really glad this audit is going to happen,” said Chris Soghoian, principal technologist with the American Civil Liberties Union. “TrueCrypt is too important to have this little transparency.”
Cryptography experts such as Matthew Green of Johns Hopkins University in Baltimore agree about TrueCrypt’s importance and the need to put it on “better footing” in terms of its trustworthiness. Green and Kenn White, a security researcher, helped get IsTruCryptAuditedYet off the ground. To date, the crowdfunded project has raised more than $36,000 and Green and White have begun seeking recommendations on firms that can review the software’s integrity. While that decision could be made within a couple of weeks, a full audit may not be complete until early next year.
“I started to look into it and I found that unlike pretty much all the other [open source security tools], it is made by this phantom, anonymous group of people who have this weird license they came up with,” Green said. “ It’s not an insult to them or that I think they’re doing something bad, it’s just that their software is really good and it’s really widely used and so it deserves to be on better footing nowadays.”
The most concerning thing leading people in some corners to wonder whether TrueCrypt has been backdoored—or whether the Windows binary has—is that the last 65,024 bytes of the header is filled with random values; the Linux version fills the header with zero encrypted bytes. What are those encrypted bytes? Without an audit it’s difficult to know exactly because there’s no way to prove the Windows binary is related to the source code.
“It’s based on the same code, so it’s kind of mysterious as to why would you have two separate chunks of code in your code base that do different things depending on whether you’re Windows or Linux,” Green said. “And so, the question is why would you do that? How do we ensure that is not an encryption of your key? We can ensure that by looking at the code and saying ‘Yeah, definitely it’s not a backdoor, it’s just random bytes.’ So there seems to be a few places where—nobody is saying there’s a backdoor—but there are behaviors that don’t make a lot of sense and we’d like to rule out the possibility.”
The possibility exists that the random bytes could be the encryption of something sensitive, and in the case of a TrueCrypt volume, that could be the password. If the software were backdoored, it could be that whomever did it, encrypted the password and other relevant information so that it looks like random bytes under a key known only to a third party.
“What we want to do is go through the source code very carefully, make sure there are no problems like that and get it built from the source and all these questions go away and nobody has to worry about backdoors or anything,” Green said. “We would know the code is good and the binary that comes from the code is good, the end.”
This isn’t the first time TrueCrypt has come under some scrutiny. In 2006, Red Hat and Debian declared it forbidden for its respective distributions because of the wonky license governing it; the chief criticism being that it opened users to litigation, White said. The license spells out a number of things that cannot be done with the software, yet fails to clarify what can be done with it. Experts like Green and White have not been able to determine whether it was written maliciously, or by parties without much experience in writing licenses. Two years later, the license was reviewed and updated, and several points were addressed, but not enough to satisfy its critics.
“There were still several clauses in it that said if you’re not sure you’re in compliance with the license, you can’t use the software,” White said. “It’s like a meta-clause. From our perspective, the question isn’t whether it can be distributed through Red Hat or Debian, but if we fork the code to a mirror site, can we be sued?”
White said there has been the equivalent of back-channel communications with the anonymous folks behind TrueCrypt to bring them to the table, in particular on licensing questions. He also said well-respected intellectual property experts have begun looking at the license again.
“TrueCrypt is really good, somebody spent a lot of time and put a lot of love into TrueCrypt,” Green said, adding the caveat that whoever is behind the project has built the dominant open source encryption tool, one that likely cannot be replaced any time soon regardless of what the audit turns up. “Wouldn’t it be nice to rule out that kind of conspiracy theory possibility that maybe there’s something else going on?”
Snapchat cleared up any doubts users may have had about the privacy surrounding images sent back and forth on its photo messaging service when the company confirmed this week that it has shared some images with law enforcement.
Snapchat, started in 2011, has gained popularity over the last year – especially among teenagers – by allowing users to send each other images that disappear from devices after a set amount of time.
350 million snaps, or images, are exchanged on the service daily.
In a blog entry on Monday, Micah Schaffer of Snapchat’s Trust and Safety team wrote that on certain occasions the company has had to forward users’ unopened images to law enforcement.
This probably won’t come as a surprise to privacy-minded folks, especially in light of recent NSA surveillance revelations and the litany of requests for data that have been sent to companies in charge of managing user information like LinkedIn, Google and Yahoo.
Schaffer acknowledges that the Electronic Communications Privacy Act of 1986 “obliges” the company to disclose users’ information.
Schaffer also confirmed that since May of this year at least a dozen of the search warrants Snapchat has received have led the company to produce unopened snaps for law enforcement. Schaffer writes that in some cases, like when law enforcement is deciding whether it wants to issue a search warrant, Snapchat has been forced to hold on to users’ images longer than they may have requested.
From a security standpoint, the main gist of Snapchat is that the company deletes images users sent from their servers, or really Google’s cloud service App Engine, after users open them. Images that aren’t opened by users will remain on the server until they’re deleted after 30 days.
A debate erupted earlier this year over whether Snapchat really deletes their users’ images and whether it’s possible to rebuild expired snaps using metadata stored on devices. Mobile researcher Alan Hickman argued in May that images aren’t really deleted, they’re just hidden. While Snapchat didn’t exactly agree with Hickman’s claims, it did assert that “it’s not impossible to circumvent the Snapchat app and access the files directly,” adding that users should keep in mind data retention “before putting any state secrets in your selfies.”
Schaffer tried to assuage user concerns this week by reiterating that while it has sent users’ unopened images to law enforcement, only two people, himself and application co-founder Bobby Murphy, have access to the tool that can retrieve the images.
For a company still relatively in its infancy, this is probably the closest to a transparency report users are going to get from Snapchat. If nothing else, it’s probably a step in the right direction that the company is providing clarity to users that Snapchat is not above the law and for all intents and purposes, content that is meant to be kept private isn’t always.
The Apple iMessage protocol has been shrouded in secrecy for years now, but a pair of security researchers have reverse-engineered the protocol and found that Apple controls the encryption key infrastructure for the system and therefore has the ability to read users’ text messages–or decrypt them and hand them over at the order of a government agency.
The iMessage system is Apple’s proprietary text system, which works only among iOS devices. It uses a series of servers owned by Apple that receive and forward messages. Those messages are sent via Apple’s PUSH notification service, which keeps an IP connection open all the time to check for new notifications and display messages. Each iPhone, iPod or other iOS device serves as a PUSH client, and they communicate with Apple’s servers over SSL. The researchers found that while that basic framework makes sense from a security point of view, there are a number of issues with the iMessage system.
One major issue is that Apple itself controls the encryption key infrastructure use for iMessage, and has the keys for each individual user. The upshot of this is that Apple has the ability to read users’ messages if it so chooses. The researchers who looked at iMessage, known as Pod2g and GG, said that there is no evidence that Apple is in fact reading users’ iMessages, but it’s possible that the company could. Users’ AppleID passwords also are sent in clear text to the Apple servers.
“What we are saying: Apple can read your iMessages if they choose to, or if they are required to do so by a government order. As Apple claims, there is end-to-end encryption. The weakness is in the key infrastructure as it is controlled by Apple: they can change a key anytime they want, thus read the content of our iMessages,” the pair, who work for Quarkslab, wrote in a long analysis of the iMessage protocol.
“Also remember that the content of the message is one thing, but the metadata are also sensitive. And there, you rely on Apple to carry your messages, thus they have your metadata.”
Because the iMessages go through Apple’s servers, they essentially have a man-in-the-middle position on all of the communications among those devices. The company uses proper encryption to protect the communications, but the Quarkslab researchers discovered that Apple does not use certificate pinning for iMessage, meaning that the system is open to a MiTM attack by outside attackers. During their research, Pod2g and GG were able to create a new certificate authority, add it to an iPhone keychain and then proxy the SSL communications to and from the device. Certificate pinning is the process of associating a given host with a specific certificate. That way, if a browser or other client encounters a certificate for a host that isn’t the expected one, it can reject it and warn the user of the problem. Google, for example, use certificate pinning for many of its Web properties.
“I guess they just didn’t get around to it. There’s no great reason, I think they just didn’t do it. The Twitter app does, which is kind of ironic because Twitter isn’t typically handling your sensitive information,” said Matthew Green, a cryptographer and research professor at Johns Hopkins University.
The lack of certificate pinning for iMessage is troubling, the researchers said, as it opens the door for attackers to create a forged CA, and if they can get it onto a device or devices, proxy all of the supposedly encrypted communications. This is especially problematic in enterprise environments that employ Apple’s iPhone Configuration Utility, which enables enterprises to manage iPhones centrally. An attacker could install his CA at enrollment on all of the target devices.
“All communications to Apple’s servers are made through a secure SSL tunnel. We do not need to know what protocol is used or how packets are forged. The first thing we want to try when we see that is adding a certificate to perform a MITM. We were actually very surprised it worked as easily, which means there is no certificate pinning. We created a fake CA, and added it to the iPhone keychain. Then, we could [proxy] communications much more easily. When a SSL communication arrives to the proxy, we generate a certificate signed by the newly added CA, and everything becomes unencrypted,” the researchers said.
The researchers put together several scenarios through which an attacker could intercept iMessage transmissions through a MiTM attack. They also developed a tool called iMiTMProtect that can defeat certain of these attacks on OS X devices. Green of Johns Hopkins said that there are other methods that Apple could have used for the key infrastructure to avoid some of these problems.
“Companies like Silent Circle do real end-to-end key management and OTR (Off the Record) messaging. So all of these instant message things that use OTR-like protocols , they do end to end key establishment. The idea there is that the two parties establish keys without any central directory. And then what you’re supposed to do is either compare a key fingerprint over another phone line or you’re supposed to check – Silent Circle has an authentication string – so you’re supposed to read this string back and forth over the phone. That is the alternative way. That is the de-centralized version of this where you don’t have to trust Apple or some centralized server. And maybe that’s too hard for some people, but a lot of people will use OTR; it’s pretty easy to use. It certainly wouldn’t be so hard to add something like that as an optional feature for security-conscious people into iMessage. Definitely you can do better,” Green said.
Yahoo is being second-guessed more today than a mediocre baseball manager.
Two days after announcing it would finally turn SSL on by default for its email users starting in January, the company is getting a halfhearted pat on the back from the security industry, which can’t help but ask: “What took you so long?”
Yahoo is the last holdout among major Internet companies to encrypt communications by default, years behind Google, and many months behind Microsoft and Facebook, for example. It’s been close to a year since SSL was offered as an option for users and one can’t help but think that changes in executive management, layoffs and poor earnings have forced Yahoo to kick security down the priority ladder.
Yahoo refused yesterday a request for an interview, and instead it stood behind a prepared online statement from a senior VP of communication products for comments on the situation. Experts however, aren’t pulling punches.
“I would say [SSL encryption] is something users should expect and demand, and developers should consider normal and standard to do,” said Seth Schoen, senior staff technologist at the Electronic Frontier Foundation. “I think consensus is changing toward this.”
Often, companies need a swift kick in order to move major security projects along. Credit card providers were nudged along by endless data breaches starting in 2005 before demanding encryption be used for payment systems; this eventually gave way to the Payment Card Industry Data Security Standard. Google had its SSL plans under way before the infamous Aurora breach in 2010 forced it to accelerate SSL on by default in Gmail. And now in the age of surveillance, better known as the Summer of Snowden, Yahoo has finally jumped aboard.
Not that anyone is quick with a standing ovation.
“This massive delay demonstrates Yahoo’s complete disregard for the privacy of its customers,” said Chris Soghoian, principal technologist and senior policy analyst with the American Civil Liberties Union. “The threat is real. Whether the entity monitoring is the NSA or an identity thief at Starbucks, it has long been known that tools exist to allow interception.”
Soghoian has lobbyed Internet companies about enabling SSL by default since 2009 when he sent Google CEO Eric Schmidt a pointed letter on the subject. He said the idea was to try to convince a leading Internet company to take the first leap and then others would follow. His thinking was correct because soon after Google enabled SSL by default, Twitter, Microsoft and Facebook followed suit.
“Yahoo is the last big communications company to protect its services with SSL. It definitely should not have taken this much time,” Soghoian said. “Yahoo does not prioritize security. Its’ clear from the CEO on down; (CEO) Marissa Mayer has said she doesn’t use a PIN on her smartphone. This is not a company that prioritizes neither privacy nor security. In many ways, it spends more money subverting privacy because Yahoo has been at the forefront of weakening the DNT (Do Not Track) standard.”
The crux of the matter, however is that surveillance is pretty straightforward for the intelligence or hacker communities without encryption. Yesterday, news broke of another Snowden leak in which it was revealed that the NSA is able to capture millions of email and instant messenger address book contacts. Close to 450,000 Yahoo address books, the documents said, were collected in a typical day, compared to tens of thousands for Gmail, Hotmail or Facebook by comparison, making Yahoo the biggest target by far.
The EFF’s Schoen said he has seen the tide start to shift, especially with some startups deploying SSL from the moment they offer a service to customers. But he cautions that companies that do so take care to encrypt an entire site, not just pages that handle credit card transactions, for example. Research such as SSL Strip from Moxie Marlinspike demonstrates that it is possible to hop on an HTTP network stream, look for HTTPS links and essentially manipulate those links and redirect them to HTTP pages controlled by the attacker.
“There are challenges to converting an existing service,” Schoen said. “Some are rolling HTTPS from the outset, which is nice. We’re starting to see people try to articulate the idea that this is the industry standard or expected norm.”
It is, however, a minimal standard. Technologists say there is more that Internet giants can do to protect communications. Perfect Forward Secrecy, for example, is a conversation starter; it guarantees that if a master encryption key is ever compromised, sessions would remain private. HSTS or HTTP Strict Transport Security, is another option where a browser header instructs a browser to use SSL only; Twitter and PayPal are two places where HSTS is used regularly.
Schoen said that enabling Perfect Forward Secrecy requires computational resources and additional costs, but he also said that those were some of the same arguments companies used as a counter to enabling HTTPS. However, Schoen said, computers are getting faster and there’s less of a CPU resource burden today than a half-dozen years ago.
“There’s been a lot of speculation about Moore’s Law and how long that curve will last,” Schoen said. “But as long as we are on the curve for the time being, cryptography that seemed so intensive may not be so if we look again. Five or six years ago, that might have seemed like a huge computational burden, but today that might not be because CPUs are a lot faster.”
Yahoo, like the mediocre baseball manager, can’t win for losing. Tough financial times may have forced them to layoff engineers in the past few years, forcing the company to re-prioritize its to-do list and put revenue-generating projects at the top of the list.
“It isn’t something that takes five minutes to deploy; it does cost money,” Soghoian said of these additional measures. “But if you’re going to operate an email service in 2013, you need to keep it secure and if you’re not interested in keeping communication secure and private, then you shouldn’t be in the email service business. Other companies are willing to do that. Google operates a profitable email service that is encrypted. Yahoo should too. But Yahoo does not care and thought its customers would not notice.”
Three-quarters of the world’s attack traffic emanates from source IP addresses in Indonesia and China, according to Akamai’s latest quarterly State of the Internet report. The report is a deep dive into traffic trends crossing the Cambridge, Ma.-based company’s network during the second quarter.
Attacks from Indonesia are on the rise, almost doubling from Q1 from 21 to 38 percent and dethroning China, whose attack traffic checked in at 33 percent, down slightly from 34 percent in Q1. The Pacific rim really reigned supreme when it came to attacks – along with South Korea and Taiwain, the region accounted for just over 79 percent of all observed attacks according to the firm’s studies.
The U.S. checked in at 6.9 percent, also a drop – but like China, a relatively negligible one.
On the whole, the company witnessed attacks coming from 175 different countries – some of those attacks, like those of the denial of service (DoS) variety, jumped, 318 in Q2, a 54 percent increase from Q1.
“There is a very real possibility this trend will continue, and perhaps even accelerate, as the current geopolitical environment heats up over events in Syria and elsewhere in the world,” the report said.
That makes a grand total of 526 DDoS attack reports Akamai has received so far this year, a number that at this point will likely surpass last year’s total of 768 reports. While a large chunk of those reports came from the Americas, Akamai notes reports from Asia tripled in the second quarter, a statistic that correlates with an uptick in attacks on smaller, business services companies in the region.
“The rise in attacks in the enterprise vertical were primarily driven by a series of attacks on business services customers in the Asia Pacific region,” reads one part of the report.
When broken down the enterprise sector saw the biggest jump in these attacks, increasing from 72 reported in Q1 to 134 in Q2 while commerce and media & entertainment came in second and third.
While the first section of the report deals with security and denial of service statistics, other portions discuss the Syrian Electronic Army’s (SEA) attacks on media outlets over the summer, the ongoing exhaustion of IPv4 addresses worldwide, and a rise in mobile data traffic.
The company drew its information from its Intelligent Platform, a cloud-based infrastructure that monitors attacks, connection speeds and other internet statistics globally throughout the year.
A trio of researchers have uncovered 25 security vulnerabilities in various supervisory control and data acquisition (SCADA) and industrial control system (ICS) protocols.
The researchers, Adam Crain, Chris Sistrunk, and Adam Todorski–though Todorski has not yet been credited with finding any of the disclosed bugs–are conducting this research with a sponsorship from Automatak, a firm – started by Crain – that provides security support for the makers and maintainers of the sorts of ICS and SCADA equipment that control much of the world’s critical infrastructure and industrial machinery.
Thus far, the researchers have published the details of just nine vulnerabilities, each of which is remotely exploitable, though they claim that they have discovered another 16 bugs, but the details of those flaws are pending as they communicate with the affected vendors. Every publicly disclosed bug appears to have been acknowledged and fixed by the vendor, though that does not mean that the maintainers of vulnerable systems have installed the patches.
All their research is part of Project Robus. Deriving its name from the Latin noun for a source of strength, the project is an ongoing search for zero day vulnerabilities in SCADA and ICS software. Despite it’s responsibility for controlling much of the world’s critical infrastructure and industrial processes, SCADA and ICS protocols are notoriously vulnerable to exploit, a particularly concerning reality given human reliance on water and power plants.
Specifically, Crain and Sistrunk uncovered two bugs in IOServer. An improper input validation vulnerability in its DNP3 Driver software and another in the same piece of software’s master station. Each bug could potentially cause an infinite loop if an attacker were to send a maliciously crafted TCP packet. The only way out of the loop would be to perform a manual restart.
The pair also found a DNP3 input validation issue in Schweitzer Engineering Laboratories’ real-time automation controllers exploitable under similar conditions. An attacker could send the device into in infinite loop, and, depending on device settings, its controllers may have to reload configuration settings upon restart.
Crain and Sistrunk also determined that they could send a specially crafted TCP packet into Kepware Technologies’ DNP master driver for the KEPServerEX communications platform by exploiting yet another input validation vulnerability. The result, again, would be an infinite loop but also a denial of service condition. The system would require a restart in order to recover. Essentially the same vulnerability exists in DNP master driver for the TOP server OPC server, multiple Triangle MicroWorks’ products, some with third-party components, and MatrikonOPC SCADA DNP3 OPC server.
The last two bugs exist in SUBNET Solutions’ SubSTATION Server software and Alstom’s e-terracontrol software. Each vulnerability could give an attacker the ability to impact the availability of the respective products.
The potential impact of all of these bugs obviously depends on the configuration settings of the equipment.
The researchers discovered these flaws using a customized smart fuzzer that they will give the public access to as an open source tool in March.
Automatak claims it discloses vulnerabilities to the vendor and ICS-CERT, working with the affected vendors to validate patches and improve testing.
Lavabit, the now-shuttered secure email provider that has become something of a rallying point for privacy advocates and security experts in the ongoing NSA surveillance saga, is giving its former users until Thursday night to change their passwords on the service. They will then have a short window to download their email archives and get to their account data.
Ladar Levison, the founder of Lavabit, in August decided to make the dramatic move of shutting down the service rather than giving the government broad access to his users’ data. The FBI, in the wake of the Edward Snowden leaks of NSA surveillance methods, went to Levison with a court order demanding the SSL keys for the company’s service. Rather than comply, which Levison said would have spelled death for the Lavabit service anyway, he decided to shut down the secure email system. The Department of Justice was not pleased, to say the least, but Levison has held out and recently filed an appeal of the court order.
In the meantime, Levison secured a new certificate for the Lavabit site, and has notified users that they have until Thursday at 7 p.m. CDT to go to the new site and change their passwords. After that, they then will have a few days to go in and download their archived emails and other data.
“Due to concerns about the continued integrity of customers’ passwords, we are offering a short window of five days in which users can change their password before we allow anyone to download an archive of their stored emails,” a statement on the new Lavabit site says.
“Since the SSL certificates formerly used to protect access to Lavabit have been compromised, we recommend manually validating the serial number and fingerprint your computer received before using this website.”
Levison said that the shutdown of Lavabit has affected him, as well, as he was a user of the service himself and had spent years building the company.
“This comes in the wake of the abrupt shutdown of Lavabit this past August, wherein many were left without a way to access their sensitive data. For those who used Lavabit’s email service, they were left without a way to access information after the shutdown. When asked about how his users felt about the loss of personal data, Mr. Levison said ‘I’m in the same boat as them. I used my Lavabit email account for 10 years. It was my only email account’,” the statement said.
Image from Flickr photos of Richard-G.
On Tuesday, for the first time, Java security updates were included with the quarterly Oracle Critical Patch Update – and just as quickly, Java wasted no time elevating itself as the top concern for Oracle admins and security experts.
Of the 51 Java patches released, 50 allow for remote code execution and 20 were given the highest criticality rating by Oracle.
“The majority of vulnerabilities are concentrated on the Java client side, i.e. in desktop/laptop deployments, with the most common attack vector being web browsing and malicious web pages, but there are two highly critical vulnerabilities that also apply to server installations,” said Qualys CTO Wolfgang Kandek.
Users are urged to immediately upgrade Java to version 7 update 45; Java 6 installations are also vulnerable to close to a dozen critical vulnerabilities, experts said, adding that users should avoid enabling the plug-in altogether, or isolate Java 6 machines.
“Ideally, users will disable Java plugins unless it is specifically needed and then run it only in a browser which you only use for those one or two sites that require the plugin,” said Ross Barrett, senior security engineer at Rapid7. “Otherwise, run Java in the most restricted mode and only allow signed applets from white-listed sites to run.”
Java 6, however, is no longer supported by Oracle and security patches are not being developed.
“The recommended action for Java 6 here is to upgrade to Java 7 if possible,” Kandek said. “If you cannot upgrade, I would recommend to isolate the machine that needs Java 6 running and not use it for any other activities that connect it to the Internet, such as e-mail and browsing.”
Experts remind users too that the latest Java updates also include code-signing restrictions and pop-ups warning users that unsigned Java applets pose a security risk and that they won’t execute automatically by default.
On the server side, CVE-2013-5782 and CVE-2013-5830 were patched. The vulnerabilities were found in Oracle JRockit, the Java virtual machine built into its Oracle Fusion Middleware.
“Besides the Java patches, nothing else jumps out as particularly interesting,” Rapid7’s Barrett said.
Overall, there are 127 patches in the Oracle CPU that touch most of the Oracle product line. Aside from the Java vulnerabilities, the only other bug approaching the same level of criticality is in MySQL Enterprise Monitor, but it is not a remote execution bug. MySQL Enterprise Monitor is a real-time management interface that watches over MySQL databases for performance, availability and security.
Database managers should be aware of four patches for Oracle RDBMS, all of which are remotely exploitable, though Kandek points out that Oracle databases are not exposed to the Internet.
There are 17 patches for Oracle Fusion Middleware, a dozen of which are remotely exploitable. The Outside In document viewing component of Fusion used also in Microsoft Exchange installations is also patched in this update. The feature gained some attention with the August Microsoft Patch Tuesday updates. An attacker could gain remote access by enticing a user to open a malicious file with Outlook Web Access.
Oracle also released a dozen patches for its Sun product line, including a bug in Sun’s SPARC server management module that could give an attacker access to a number of important management features.
The remaining patches address security vulnerabilities in Oracle Enterprise Manager Grid Control, a number of Oracle business applications including Supply Chain, PeopleSoft, Siebel and iLearning, Industry, Financial, and Primavera apps.
Yahoo, one of the last email holdouts to implement SSL by default, announced it will do so in January.
The company has been criticized as one of the few remaining giant Internet companies for its delay in turning on encryption by default for its web-based email users. It will now do so on Jan. 8, a year to the date from when it first gave users the option of using an SSL connection for email sessions.
The lag is noteworthy for Yahoo, which is more than three years behind Google’s default implementation of SSL for Gmail. Users of Microsoft’s Outlook.com webmail service have had SSL enabled by default since July 2012 while Facebook made it the default this February.
Yahoo refused a request for an interview on the delays, and instead pointed Threatpost to an online statement made by senior VP of communication products Jeffrey Bonforte.
“Our teams are working hard to make the necessary changes to default https connections on Yahoo Mail, and we look forward to providing this extra layer of security for all our users,” Bonforte said in the statement.
Yahoo’s decision to offer SSL as an option earlier this year was made public shortly after a November 2012 letter from a number of advocacy groups co-signed a letter to CEO Marissa Mayer urging her to implement HTTPS by default, calling transport encryption a fundamental security requirement. The group, which included representatives of the Electronic Frontier Foundation, American Civil Liberties Union, Tibet Action Institute, Reporters without Borders and many more, made it clear the decision not only put privacy at risk, but endangered lives.
“Unfortunately, this delay puts your users at risk, which is particularly disturbing since Yahoo! Mail is widely used in many of the world’s most politically repressive states. There have been frequent reports of political activists and government critics being shown copies of their email messages as evidence during interrogation sessions, underscoring the importance of providing basic measures to protect the privacy of e-mail,” the letter said.
The news comes a day after the Washington Post reported on a new set of leaked documents from NSA whistleblower Edward Snowden. The latest revelation concerns the NSA’s collection of email contact lists and buddy lists from a number of instant messaging services in order to map relationships between foreign surveillance targets and their online connections.
The Post report paints a snapshot of collection activity over the course of a single day in which the NSA collected close to 450,000 Yahoo email addresses and tens of thousands from other services such as Hotmail, Facebook and Gmail. The Post said secret arrangements with foreign telecommunications companies led to this aspect of the NSA’s surveillance activities, most of it happening overseas but still likely snaring millions of American’s contact details.
The registrar for the Metasploit and Rapid7 websites, both of which were victims of a DNS hijacking attack on Friday, was not duped by a spoofed change request sent via fax as it originally reported.
Instead, a Register.com employee likely fell victim to a social engineering scam that resulted in the loss of the employee’s legitimate credentials that were used to infiltrate the registrar and manipulate the DNS settings for both sites.
The homepages for Metasploit and Rapid7 pointed to a website reportedly belonging to a pro-Palestine hacker collective going by the name KDMS. The group hijacked the sites and visitors were greeted with a note claiming responsibility for the attacks and similar DNS hijackings carried out against other security companies.
A Rapid7 spokesperson said that Register.com updated the company today, adding that the original report was unintentionally communicated by Register.com.
“We’re waiting to receive the report from Register.com and we don’t know exactly when we’ll get it (though obviously we’re hoping for it as soon as possible),” Rapid7 said in a statement sent to Threatpost. “Once we have the information, we will absolutely share what we can to help educate others so they can protect themselves from the same threats.”
Rapid7 chief security officer and Metasploit creator HD Moore said via a stream of tweets on Friday morning that the DNS hijacking was quickly resolved and cautioned others working with Register.com to check their respective DNS records because the group claiming responsibility likely had the ability to redirect any domain with that registrar.
The attack on Register.com capped off a busy week of similar attacks against registrars. KDMS claimed responsibility for an attack against Network Solutions, a large U.S.-based domain registrar and hosting provider. A number of security companies working with Network Solutions suffered similar DNS hijackings and had traffic redirected to a KDMS-controlled domain.
A similar attack was carried out against Leaseweb, though it was originally reported that the registrar was compromised via an exploit of a vulnerability in WHMCS client and billing software used by the company. That was quickly refuted by Leaseweb in a statement on its website; Leaseweb said the attackers obtained a domain administrator password and used the credentials to access the registrar.
The WHMCS bug, which has been patched, was used to attack Pure VPN. Attackers were able to reach the VPN provider’s user database and send out a mass email that said the service was to be shut down and some customers could soon be hearing from law enforcement.
“Further and thorough audit on our VPN systems has confirmed that there was absolutely no breach on the VPN network and throughout the incident our VPN service continued to operate securely,” PureVPN cofounder Uzair Gadit wrote in an email to customers. “No technical usage data was compromised and since we do not store users activity logs, our users are hereby assured of full anonymity and security throughout.”
There is a trio of high-risk security vulnerabilities in Google Chrome that have been patched in a new version of the browser released on Tuesday.
The vulnerabilities all are use-after-free bugs, and Google paid a total of $5,000 in rewards to researchers who discovered and reported them. Google also said that there were several security issues found by the company’s internal security team, which it doesn’t typically break out into individual flaws.
The new version of Chrome is sort of an atypical release for Google. The company updates the browser quite often, but many of the releases include a larger number of security fixes than version 30.0.1599.101 released today. The full list of vulnerabilities fixed in this version are:294456] High CVE-2013-2926: Use after free in editing. Credit to cloudfuzzer. [$2000] High CVE-2013-2927: Use after free in forms. Credit to cloudfuzzer. Users should update their browsers as soon as possible to avoid attacks against these vulnerabilities.
D-Link is in the process of developing a patch for a serious security vulnerability in some of its older routers that essentially functions as a backdoor. The bug, discovered by a security researcher and publicized over the weekend, enables a remote user to log into an affected router as an administrator and take whatever actions he pleases.
The vulnerability is about as serious as they come, especially considering that the routers affected by it are consumer-grade devices that likely are plugged in and then left alone for years at a time. The security researcher who discovered the flaw, Craig Heffner, was reverse engineering a version of the D-Link firmware and came across an interesting string in the code. After looking at the code for a while and researching what it could possibly be doing, he discovered that if an attacker had his user agent set to a certain string, he could log into the router’s admin panel and make any number of changes.
“In other words, if your browser’s user agent string is “xmlset_roodkcableoj28840ybtide” (no quotes), you can access the web interface without any authentication and view/change the device settings,” Heffner wrote in a blog post about the bug.
Why the backdoor is present in the routers is a major question. Hardware manufacturers in the past, when confronted with similar questions, have said that they sometimes include such functionality for remote support or as a debugging mechanism during the development process and then mistakenly forgot to remove it. Heffner said that another researcher, Travis Goodspeed, suggested a possible reason for the presence of the D-Link backdoor.
“The ever neighborly Travis Goodspeed pointed out that this backdoor is used by the /bin/xmlsetc binary in the D-Link firmware. After some grepping, I found several binaries that appear to use xmlsetc to automatically re-configure the device’s settings (example: dynamic DNS). My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something,” Heffner said.
The affected D-Link routers are:
The company reportedly is working on a firmware patch for the vulnerability that will be available by the end of the month. D-Link manufacturers a wide variety of wireless routers for home and small office environments. Until a new version of the firmware is available, security experts recommend that users with affected models ensure that their wireless networks have WPA2 enabled and use random passwords.
Image from Flickr photos of Mark Turnauckas.
Faced with the untenable decision of becoming what he called a “listening post” for the FBI, Lavabit founder Ladar Levison said he had an ethical obligation to his customers and the community to shut down the secure email service used by NSA whistleblower Edward Snowden.
Levison, who this week filed an appeal of the court order demanding the SSL keys that would unlock all the traffic coming in and out of his company’s network, gave a wide-ranging interview with CBC Radio’s The Current program. He told the Canadian show that his company’s fate was sealed the day the FBI showed up on his doorstep looking for help because if he had turned over the keys in secret to the federal authorities and was found out, Lavabit’s customers would have fled.
Levison said he believes there are three things that should be held scared and above all else remain confidential: system passwords, encryption keys and source code.
“They were demanding those encryption keys. They were demanding the password to my business’ identity and once they had it, they could masquerade as my business and intercept everything coming in and out of my network: passwords, credit card numbers, user names, email content, instant messages, all of that was secured by this set of encryption keys,” Levison said.
Levison said the FBI wanted to monitor all of his customers’ movements, not just Snowden’s, whose name has been redacted from court documents as the FBI’s target. The comment merits note because this week during a CATO Institute daylong program on NSA surveillance, ACLU principal technologist Chris Soghoian said companies such as Lavabit, secure messaging provider Silent Circle and secure backup specialists SpiderOak, are differentiated by the privacy and security features in their products.
“The U.S. is a leader in small businesses providing secure communications services,” Soghoian said during a panel discussion. “When the U.S. government compels a Lavabit to comply, it’s a death sentence. Comply, and your reputation is destroyed. Secure communication services are under threat. We should want this part of the economy to grow.”
Levison reiterated during the CBC interview that he did not want to subvert the trust his company had built with its users by turning over the keys in secret and being forced by law to keep quiet about it, even though he believed the FBI was exceeding its statutory authority in demanding Lavabit’s SSL keys.
“I’ve had people tell me that the government describes it as a gap in their surveillance network,” he said of secure messaging providers such as Lavabit. The government even described its frustration with the Tor anonymity network in Snowden documents, in particular a NSA presentation called “Tor Stinks,” released by the Guardian last week. “You’re one of the few services left in the U.S. they are not actively monitoring,” Levison said he was told. “They wanted to close that gap in their surveillance network. But because of the way it was designed, the only way to close that gap was to put a monitoring device on my network and demand my encryption keys. Couple that with the ferocity with which they wanted it kept secret made it even more bothersome.”
Levison said this saga began in May when an FBI agent left a business card on his door along with a note asking him for a meeting. Levison and the agent exchange emails and Levison said the FBI wanted to ask questions about his service, streamlining the process of serving subpoenas and getting him enrolled in Infragard.
Lavabit was a POP or IMap email service provider offering free service along with a paid version that also offered secure storage that included encryption of email messages. He said the FBI wanted to conduct surveillance on the unnamed customer—Levison said he did not know who Snowden was at the time—and wanted the ability to intercept not only his password but content, record it and send it back to their servers.
“When the FBI first approached me with a court order on June 28, they told me they were going after content, passwords and metadata,” Levison told CBC. “Only when I got a lawyer did I realize they had a right only to the metadata. In fact, I was going to add code that would log metadata daily and turn that over to them. The FBI declined the offer and continued to pursue my SSL keys.”
Levison said the FBI wanted to collect metadata and more information on their own from his company’s network, and refused to give him the transparency he requested that they were collecting data only on this one specific customer.
“They said ‘Give us your private information and trust us,’” Levison said. “And that’s not a tenable position for me.”
Wired reported today on Levison’s appeal to the 4th U.S. Circuit Court of Appeals and also has the full 42-page document available on its website.