Feed aggregator

CoinThief Bitcoin Trojan Found on Popular Download Sites

Threatpost for B2B - Tue, 02/11/2014 - 19:01

Phony Bitcoin ticker apps hosted on popular sites Download.com and MacUpdate.com are fronts for the OSX/CoinThief Trojan, which was built to steal Bitcoin wallet credentials and keys, and to date has drained a small number of accounts.

SecureMac lead developer Nicholas Ptacek said new variants of the Trojan targeting Mac OS X users were found on the sites and also include a browser extension for Firefox. Previous versions of CoinThief spread through a GitHub page that has since been taken down and included extensions for Safari and Google Chrome only.

The price ticker apps for Bitcoin and Litecoin are called Bitcoin Ticker TTM (To The Moon) for Mac and Litecoin Ticker. Both have been available on the sites since December; the app on Download.com was downloaded 57 times and the MacUpdate app was downloaded 356 times, Ptacek said. While the Download.com link is still available, the link on MacUpdate was disabled by the site, Ptacek said.

Efforts to contact Download.com were unsuccessful, Ptacek said.

“The two variants seen by SecureMac share the same name and developer information as two apps found in Apple’s Mac App Store,” Ptacek said. “At this time it is unclear what, if any, connection is shared between the apps. Initial analysis of the Mac App Store versions of the apps did not include the malicious payload found in the versions from download.com.”

The previously discovered versions of CoinThief installed browser extensions for Safari and Chrome that monitored browser traffic and watched for log-in attempts on pre-loaded Bitcoin exchanges such as Mt. Gox and BTC-e, and wallet sites such as blockchain.info. The extensions, meanwhile, are generically named “Pop-up Blocker,” and arrive with an equally generic description that wouldn’t raise suspicions with the user or security researchers.

Aside from the Firefox extension in this variant, the payload is similar, Ptacek said. In addition to sniffing out log-in attempts, it also targets and tries to modify Bitcoin-Qt, stealing addresses and private keys from the sync client.

“This variant actually appears to be an earlier build of the malware, as it is missing much of the code obfuscation employed in the variant we previously analyzed,” Ptacek said.

Two days ago, SecureMac reported its discovery of CoinThief on GitHub. Researchers found StealthBit, which pretended to be an app used to send and receive payments on Bitcoin Stealth Addresses. The attackers hosted both the source code and a pre-compiled version of StealthBit on the code repository, but the two did not match: the pre-compiled app contained the CoinThief malware, which was not present in the source code. Ptacek said the malware connected to a remote server where it sent stolen data.

“Information sent back to the server isn’t limited to Bitcoin login credentials, but also includes the username and UUID (unique identifier) for the infected Mac, as well as the presence of a variety of Bitcoin-related apps on the system,” SecureMac said on its site on Monday.

Ptacek said the remote server was registered in Australia via bitcoinwebhosting[.]net, but appeared to be hosted elsewhere. The remote server was located at www[.]media02-cloudfront[.]com, with a current IP address of 217[.]78[.]5[.]17, but it appears to be down at this time, Ptacek said.

Facebook Fixes Instagram CSRF Vulnerability to Keep Private Profiles Private

Threatpost for B2B - Tue, 02/11/2014 - 18:03

Until last week, some parts of the API that Instagram uses were vulnerable to a cross-site request forgery (CSRF) attack, something that could have put photos users thought were private out in the open.

It took almost six months but Facebook, the photo sharing application’s parent company, patched the flaw last Tuesday.

Barcelona-based security researcher Christian Lopez Martin, who found the vulnerability last August and detailed it on his personal blog yesterday, claims he almost didn’t catch it at first.

Martin initially scoured the application’s website looking for bugs but couldn’t find a vector that allowed him to inject code. It wasn’t until Martin started to root around the app’s mobile versions that he realized a big difference between the way the two handle privacy. The Android and iOS apps allow users to select whether or not their images are kept private while the website does not.

Martin, who spent most of his time trying to break the Android version of the popular app, discovered that when a person goes to change their privacy settings on Instagram, its API doesn’t control the user agent of the user’s request. Requests like setting a user’s profile to public (set_public) or private (set_private) did not use a security token.

Of course, when sites use security measures like secret, user-specific tokens, it can usually help thwart attacks, especially those of the CSRF variety.

To test, Martin wrote a simple CSRF proof of concept to exploit the weakness on the web. By simply getting a logged-in user whose profile was private to click on a payload in a browser, Martin could make that user’s profile public. Martin claims he “wanted more” though, and with an easy tweak was able to reverse his code, replacing “set_public” with “set_private,” so that he could set any user’s profile that was public to private.

It took a lengthy e-mail chain between Martin and officials at Facebook and Instagram but the matter was finally resolved on February 4 last week.

Facebook has made it so that going forward any attempts to use this attack vector will result in “Fail, Login_Required,” according to the researcher.

“All new sessions are differentiated between mobile and web at login time so the web-based sessions have full CSRF protection enabled using secret security tokens and the mobile-based sessions have CSRF protection using user-agent control and a reCAPTCHA that forces the user (victim) to interact with the mobile user interface.”
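The token-based half of that fix, modelled as an added example (this is not Instagram’s or Facebook’s code): a toy set_private/set_public endpoint in its cookie-only form, which any page the victim visits can trigger, beside a form that also demands a secret per-session token that a third-party page cannot read. The session, request and user names are constructed.

```python
"""Per-session CSRF tokens for a state-changing privacy endpoint.

Added illustration, not Instagram's or Facebook's code: a model of a
set_private/set_public handler. The vulnerable variant trusts the session
cookie alone, so a forged cross-site request succeeds; the hardened variant
also requires a random per-session token that only pages served by the
site itself can embed in their forms.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    is_private: bool = False
    # Random per-session secret; a third-party page cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """A request as the server sees it: the cookie (session) arrives with
    cross-site requests automatically; form fields only if the submitting
    page knew them."""
    session: Session            # resolved from the session cookie
    action: str                 # "set_private" or "set_public"
    form: dict = field(default_factory=dict)


def set_privacy_vulnerable(req: Request) -> str:
    """Authenticates by cookie only: any site the victim visits can trigger it."""
    req.session.is_private = (req.action == "set_private")
    return "ok"


def set_privacy_hardened(req: Request) -> str:
    """Requires the per-session token, compared in constant time."""
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        # Same outcome the researcher reports seeing after the fix.
        return "Fail, Login_Required"
    req.session.is_private = (req.action == "set_private")
    return "ok"


def forged_request(session: Session, action: str) -> Request:
    """What a malicious page can produce: the browser attaches the victim's
    cookie, but the page never saw the token, so the form lacks it."""
    return Request(session=session, action=action)


def legitimate_request(session: Session, action: str) -> Request:
    """A form rendered by the site itself embeds the token."""
    return Request(session=session, action=action,
                   form={"csrf_token": session.csrf_token})


def demo() -> dict:
    """Run both handlers against a forged request and report what changed."""
    victim = Session(user="alice", is_private=True)    # constructed user
    set_privacy_vulnerable(forged_request(victim, "set_public"))
    flipped_by_forgery = not victim.is_private

    victim = Session(user="alice", is_private=True)
    refused = set_privacy_hardened(forged_request(victim, "set_public"))
    still_private = victim.is_private
    accepted = set_privacy_hardened(legitimate_request(victim, "set_public"))
    return {"flipped_by_forgery": flipped_by_forgery, "refused": refused,
            "still_private": still_private, "accepted": accepted,
            "now_public": not victim.is_private}


if __name__ == "__main__":
    print(demo())
```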

While Martin received a bug bounty from Facebook for his troubles in December, he discovered a potential way to bypass Facebook’s fix in January. Having obviously formed a rapport with the researcher, a week and a half later, Facebook wrote Martin back, confirming the hole had finally been patched, closing his report.

Encryption at Times a Detriment to Honest Policing

Threatpost for B2B - Tue, 02/11/2014 - 15:49

PUNTA CANA–The use of surveillance tactics by law enforcement in the performance of precisely targeted criminal investigations is still widely accepted and supported by much of the global public. The water gets murky and support evaporates altogether when allegations emerge that law enforcement is deploying blanket-style surveillance to spy on everything everywhere all the time.

This line of reasoning is widely held on both ends of the spectrum. On the one end, cryptography expert and privacy advocate Bruce Schneier said as much – though certainly not for the first time – in a panel discussion at Kaspersky Lab’s Security Analyst Summit (SAS) yesterday. Way on the other side of the spectrum, General Keith Alexander, the director of the National Security Agency and supervisor of what may be the most thorough surveillance apparatus ever conceived, echoes the same sentiment nearly every time he is asked to speak about his agency’s surveillance efforts.

Troels Oerting, head of the emerging European Cybercrime Centre (EC3), a joint cybercrime task force under the authority of Europol, said essentially the same in a briefing at the Kaspersky Lab Security Analyst Summit as well. Where Oerting differs from nearly everyone, though, is that he was forthright enough to say that he is concerned about encryption.

As companies react to surveillance revelations, he said, they are increasingly adopting strong encryption and making it harder for people of his ilk to do honest, well-meaning police work.

Unfortunately, he explained, we live in an increasingly complicated world. Within five years, he went on, there will be some 40 billion devices transmitting various sorts of information about us over the Internet. As the concept of cybercrime as a service has emerged, the barrier for entry into cybercrime has lowered significantly and the ease with which almost anyone can make illicit money online has increased dramatically.

IPv6 is unimaginably massive and will only complicate matters further. The number of things that can connect into this new Internet with unique IP addresses is so vast that Oerting attempted to demonstrate by counting on his fingers the number of times he would need to multiply one billion by one billion in order to arrive at the exponentially dizzying number.

Admitting that the police can’t combat cybercrime alone, he asked the audience who is in charge of the Internet. Attendees called out all the usual suspects: the United States, the National Security Agency, the users. But the reality, Oerting claims, is that the Internet Corporation for Assigned Names and Numbers (ICANN), the non-governmental organization tasked with assigning IP addresses to machines and Web properties, wields the most power.

Behind one domain, he said, you can park tens of thousands of IP addresses. This makes the work of law enforcement incredibly difficult and is among the reasons why law enforcement must rely on cooperation from ICANN to sort out what data belongs to which people.

“I don’t believe we can protect ourselves out of this,” he said. “We need to hunt down the wolves.”

He went on:

“We like to put people in jail, because this is our job.”

The EC3 is a work in progress. It is designed to be a joint cybercrime task force with various national, private, and academic partners in the Internet security and finance sectors. Its expansion is well under way, but its efforts to prevent, protect, disrupt, and recover against intrusions, financial theft, and child pornography will kick off in earnest sometime in the next two years.

Six countries will allocate resources to the EC3, likely with help from the FBI. The EC3, he said, will create and pursue its own cases and investigations, utilizing intelligence gathering and sharing to pro-actively fight cybercrime.

In terms of cybercrime, Oerting suggested that there is no such thing as too much law enforcement. He brushed off the idea that there would be investigational competition between Europol and Interpol, telling the audience that there is more than enough cybercrime for all law enforcement agencies to share.

Oerting’s presentation painted a grim picture of the challenges that law enforcement faces in the cyber space, but he is ultimately optimistic:

“We will get it right,” he said, “and humanity will survive the Internet.”

Microsoft Adds Critical IE Patches Under the Wire

Threatpost for B2B - Tue, 02/11/2014 - 15:19

The expected continued respite from deploying Internet Explorer patches was apparently a mirage as Microsoft changed course from last Thursday’s advance notification and added two more bulletins to the February 2014 Patch Tuesday security updates, including the first IE rollup of 2014.

IE had been patched monthly for close to a year until the January security bulletins, and eyebrows were raised again last Thursday when there was no mention of an IE update.

Today, however, Microsoft reversed course with MS14-010, which patches 24 vulnerabilities in the browser, including one that has been publicly disclosed. No active exploits have been reported, Microsoft said.

All of the vulnerabilities enable remote code execution, and affect versions of IE going back to IE 6 on Windows XP up to IE 11 on Windows 8.1. More than 20 CVEs involving memory corruption vulnerabilities in IE were addressed along with a cross-domain information disclosure vulnerability, an elevation of privilege vulnerability and a memory corruption issue related to VBScript that is addressed in MS14-011.

An IE user would have to be lured to a website hosting an exploit for the vulnerability in the VBScript scripting engine in Windows. The engine improperly handles objects in memory, Microsoft said, and an exploit could corrupt memory and allow an attacker to run code on a compromised machine.

“To go from five to seven bulletins says to me that initial testing was completed last minute so they decided to slip the patch in or testing found an issue and an engineer shipped a fix last minute,” said Tyler Reguly, manager of security research at Tripwire. “Either way, pay extra attention to MS14-010 and MS14-011 in your test environments this month before you push them out enterprise wide.”

Colleague Craig Young cautions that a number of the IE vulnerabilities can be combined to gain admin access on compromised machines.

“Without any doubt, attacks in the wild will continue and expand to the other vulnerabilities being fixed today,” Young said.

As promised, Microsoft did patch a remote code execution vulnerability, MS14-008, in its Forefront Protection for Exchange 2010 security product. Microsoft said it removed the offending code from the software.

“I’m sure a lot of people will call attention to the Forefront Protection for Exchange patch this month. However when Microsoft, the people with the source code, tells us they can’t trigger the vulnerability in a meaningful way, I intend to believe them,” said Tripwire’s Reguly. “I suspect we’ll wake up tomorrow and beyond pressing apply, we’ll forget this was even released.”

Microsoft stopped updating Forefront for Exchange as of September 2012, but will support it with security updates for another 22 months.

“This should make administrators think about upgrading their Exchange servers to the latest version (which includes basic anti-malware protection by default) or consider a third party email security application,” said Russ Ernst of Lumension. “Administrators that currently use Forefront Protection for Exchange have until December 2015 to get this done.”

The final critical bulletin, MS14-007, is another remote code execution bug in Direct2D, which can only be triggered by viewing malicious content in IE. Direct2D is a graphics API used for rendering 2-D geometry, bitmaps and text, Microsoft said. This vulnerability affects Windows 7 through Windows 8.1.

Microsoft also released three bulletins rated important that patch privilege elevation, information disclosure and denial of service vulnerabilities.

  • MS14-009 patches two publicly disclosed bugs in the .NET framework that could allow an attacker to elevate their privileges on a compromised machine.
  • MS14-005 handles a vulnerability in Microsoft XML Core Services that could lead to information disclosure if the victim visits a malicious site with IE.
  • MS14-006 addresses a denial-of-service vulnerability in Windows 8, RT, and Server 2012, that has been publicly disclosed. An attacker would have to send a large number of malicious IPv6 packets to a vulnerable system to exploit the bug, and the attacker must be on the same subnet as the victim.

Microsoft also sent out an update that officially deprecates the use of the MD5 hash algorithm. Digital certificates with MD5 hashes issued under roots in the Microsoft root certificate program are from now on restricted.

“Certificates with MD5 hashes should no longer be considered safe,” said Dustin Childs, group manager, Microsoft Trustworthy Computing. “We’ve given our customers six months to prepare their environments, and now this update is available through automatic updates.”

Adobe Patches Critical Vulnerabilities in Shockwave

Threatpost for B2B - Tue, 02/11/2014 - 14:52

Adobe joined Microsoft in releasing security patches today, sending out a fix for its Shockwave Player. The patch repairs critical vulnerabilities in the platform that could allow an attacker to remotely take over an affected system.

According to a post on its Product Security Incident Response Team (PSIRT) blog, the vulnerabilities in question (CVE-2014-0500 and CVE-2014-0501) affect all versions of Shockwave on Windows and Macintosh machines. The update will graduate version 12.0.7.148 to version 12.0.7.149.

While Adobe notes that it hasn’t discovered any attacks using the vulnerabilities in the wild, it is still encouraging users to update as soon as possible.

Specific details regarding the vulnerabilities are unclear, but Adobe did give a tip of its cap to Liangliang Song at Fortinet’s FortiGuard Labs for reporting the issue.

It’s the second critical vulnerability Adobe has patched so far this month.

It was just a week ago today that Adobe released an out-of-band patch for its Flash Player software. That update addressed a remote code execution vulnerability that was being exploited in the wild and that could have opened a user’s computer up to attack. According to Kaspersky Lab researchers Alexander Polyakov and Anton Ivanov, the vulnerability stemmed from a password-grabbing Trojan that was taking aim at Chinese organizations.

Attacking ICS Systems ‘Like Hacking in the 1980s’

Threatpost for B2B - Tue, 02/11/2014 - 13:48

PUNTA CANA–Here’s how nuts the world of ICS security is: Jonathan Pollet, a security consultant who specializes in ICS systems, was at a Texas amusement park recently and the ride he was waiting for was malfunctioning. The operator told him the ride used a Siemens PLC as part of the control system, so he went home, got his laptop, returned and was able to debug the software, find the problem and fix it and get the ride going again.

And here’s how nuts the state of building automation security is: Terry McCorkle, an ICS and automation security researcher, was doing an assessment of a building’s security and was able to access its automation system over the Internet. He accessed the HVAC system and from there was able to pivot to the lighting and surveillance system. He then found the access control and energy management system and was eventually able to unlock the doors, turn off the IP cameras, open the parking garage door and modify the access-control database.

“It’s like hacking in the 1980s and 1990s,” said Pollet, founder of Red Tiger Security, in a talk at the Kaspersky Security Analyst Summit here Tuesday.

Security researchers like McCorkle, Billy Rios and others have been hammering ICS, SCADA and PLC vendors on the abject lack of security in their products and systems for a few years now. Some vendors have responded, but in many cases, problems such as complete lack of authentication, failure to use encryption and lack of monitoring go unaddressed, even after researchers report them. In that way, it’s much like the way IT software and hardware vendors handled security and vulnerability reports in the 1990s. Many would ignore them, hoping the researchers would move on.

That didn’t turn out very well for the large software vendors, and it’s not going so well for their counterparts in the ICS and automation worlds, either. Pollet said that the reasoning he hears from manufacturers about why they don’t have better security in their hardware and applications doesn’t really add up. Saying that protocols aren’t ready or that security is difficult to build in aren’t legitimate excuses.

“All these excuses aren’t really excuses,” he said. “With the current software and hardware we have, there’s no reason we can’t have these systems secured.”

Pollet said that in the PLC and ICS world, what might drive better security is demands from users. That’s what accelerated the process in the desktop software world for vendors such as Microsoft, and Pollet said users need to speak up now in order to get vendors motivated to improve their security.

“All the changes we’ve gotten over the years have been user-driven. Now the users have to ask for security,” he said. “The first vendor that starts to offer some of these security features, there will be a domino effect. So it’s up to us to make sure we ask for it. The market will respond.”

McCorkle, who spoke after Pollet’s talk at SAS, said there’s a need for some standard practices for security in that world. Talking about the response to the Target breach, which began with the compromise of an HVAC automation system at the company, McCorkle said the vendor’s answer that it complies with standard industry practices doesn’t ring true.

“I’ve never seen a standard from any integrator of any kind that’s about security,” he said. “There are no standards or practices.”


NTP Amplification Blamed for 400 Gbps DDoS Attack

Threatpost for B2B - Tue, 02/11/2014 - 13:21

For those of you who thought the infamous Spamhaus distributed denial-of-service attack set an ugly bar for the volume of spurious traffic sent at a target, gird yourself for worse.

A massive DDoS attack, reaching at its peak 400 Gbps of bad traffic, was detected late yesterday against a number of servers in Europe, according to traffic optimization firm CloudFlare. CEO Matthew Prince tweeted several times with scant details about the attack against an unnamed customer.

“Someone’s got a big new cannon,” Prince said. “Start of ugly things to come.”

The peak of the attack surpassed the Spamhaus DDoS attacks of last March, which topped out at 300 Gbps, which at the time were three times the size of DDoS attacks carried out against leading U.S. banks and financial services institutions.

The attackers took advantage of weaknesses in a core piece of Internet infrastructure known as Network Time Protocol (NTP) to amplify the volume of attacks.

US-CERT issued an advisory in January warning companies that hackers were exploiting NTP vulnerabilities to flood networks with UDP traffic. NTP servers are publicly available machines used to synchronize computer clocks.

Known as NTP amplification attacks, these exploit the monlist feature in NTP servers, also known as MON_GETLIST, which returns the IP addresses of the last 600 machines that interacted with an NTP server. Monlist is a classic set-and-forget feature and is vulnerable to forged REQ_MON_GETLIST requests that enable traffic amplification.

Attackers are able to query NTP servers for traffic counts using the victim’s spoofed source address. In return, the response is much larger than the original request, and with enough vulnerable NTP servers returning requests, a website and/or services are quickly overrun with traffic.

“Because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks,” US-CERT said in its January advisory where it also advised that webhosts either disable the monlist feature, or upgrade their NTP servers to version 4.2.7 which disables the feature.
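A configuration check for the two mitigations the advisory points to, written here as an added example (it is not US-CERT’s or the NTP project’s code): on a pre-4.2.7 ntpd, either `disable monitor` (monlist then has no list to return) or a `restrict default ... noquery` line (mode 6/7 queries refused from unlisted clients) closes the hole. The two ntp.conf fragments are constructed; the audit models only the `default` restriction and treats the last `restrict default` line as authoritative.

```python
"""Audit an ntp.conf for monlist (REQ_MON_GETLIST) exposure.

Added example, not from US-CERT or the NTP project. On ntpd releases
before 4.2.7 the MRU monitor list is on by default and is what monlist
reads from. The server stops answering forged monlist queries when either
  - 'disable monitor' is set (nothing to return), or
  - the 'restrict default' line carries 'noquery' (or 'ignore'), which
    refuses mode 6/7 control/private queries from clients without their
    own more permissive restrict line.
The sample configurations below are constructed.
"""
import shlex
from typing import List, Tuple


def parse_ntp_conf(text: str) -> List[List[str]]:
    """Return each non-comment, non-empty directive as a list of tokens."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directives.append(shlex.split(line))
    return directives


def monlist_exposed(text: str) -> Tuple[bool, List[str]]:
    """True if monlist is reachable from an unlisted ('default') client.
    The second value lists the observations behind the verdict."""
    findings = []
    monitor_enabled = True        # ntpd default on the affected releases
    default_noquery = False
    for tokens in parse_ntp_conf(text):
        keyword, args = tokens[0], tokens[1:]
        if keyword == "disable" and "monitor" in args:
            monitor_enabled = False
        elif keyword == "enable" and "monitor" in args:
            monitor_enabled = True
        elif keyword == "restrict":
            if args and args[0] in ("-4", "-6"):   # address-family flag
                args = args[1:]
            if args[:1] == ["default"]:
                # Simplification: last 'restrict default' line wins.
                default_noquery = "noquery" in args or "ignore" in args
    if monitor_enabled:
        findings.append("monitor (MRU list) enabled: monlist has data to return")
    else:
        findings.append("'disable monitor' present: monlist returns nothing")
    if default_noquery:
        findings.append("'restrict default' refuses mode 6/7 queries")
    else:
        findings.append("no 'restrict default ... noquery': any host may query")
    return monitor_enabled and not default_noquery, findings


# Constructed sample: an unmaintained server that only serves time.
WEAK_CONF = """
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

# Same server with both mitigations applied.
HARDENED_CONF = """
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        exposed, why = monlist_exposed(conf)
        print(f"{name}: monlist exposed = {exposed}")
        for line in why:
            print("  -", line)
```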

These types of high-volume attacks, whether related to NTP or open DNS resolvers, have impacted numerous industries from gaming to manufacturing to financial services. Experts say enterprises are deploying better defenses to shield themselves and critical services from DDoS attacks, which could be one reason for the volume increase. Another could be that attackers are going overboard with hundreds of Gbps to distract from their real goal which could be financial fraud or intellectual property theft.

Arbor Networks’ most recent Worldwide Infrastructure Security Report indicates far more of these volumetric attacks were reported than in past years, but they are still outliers. Yet successful temporary takedowns of large banks and high-profile organizations such as Spamhaus and others prove to the underground that techniques such as NTP amplification attacks and the use of open DNS resolvers have merit.

“Spamhaus made people aware of the threat of reflection amplification attacks. It does appear attackers have learned to leverage the infrastructure available on the Internet to help them in attacks,” Arbor Networks’ Darren Anstee said.

Arbor’s report also said that few companies have security staff dedicated to infrastructure such as DNS and locking down those and related services. Coupled with the availability of open DNS resolvers, that presents a problem for high-value targets.

“If you’ve got open DNS resolvers you can use and if you’ve got a botnet that can generate a good volume of traffic and point it at a list of open DNS resolvers, you can use those resolvers to amplify the capabilities you have for your botnet,” Anstee said, adding that attackers can get a 30x improvement with amplification in some cases. “Unfortunately, it’s not that hard; the know-how is available.”

Detecting Car Hacks

Threatpost for B2B - Tue, 02/11/2014 - 12:13

PUNTA CANA–The car that you drive every day isn’t really a car. It’s mostly a collection of small computers with a bunch of wires and metal and plastic attached. And like any other computer, the ones in your car can be hacked, as researchers Charlie Miller and Chris Valasek have demonstrated in recent months. That’s the easy part, as it turns out. Implementing an effective detection system for their attacks may wind up being far more difficult.

The idea that the on-board computers in vehicles can be hacked isn’t a new one. Researchers have been taking advantage of weaknesses in electronic control units (ECUs) for several years now. Miller and Valasek last year published a detailed paper showing a series of new attacks they developed that enabled them to control the steering, braking and other functions in some cars while they were driving.

One of the ways that they were able to take control of the systems in the cars was by sending large numbers of controller area network (CAN) packets to the system. The idea is to have their packets win a race to the computer so that the ECU accepts their instructions rather than the legitimate ones. Miller and Valasek said that detecting their attacks is simple and easy to do.

“As long as you’re sitting on the network, detecting these things is so easy and you can shut them down,” said Valasek, director of security intelligence at IOActive. “You know what the car should be doing. It’s always spitting out information.”

One straightforward method for detecting their attacks would be simple anomaly detection. The system could check for unusually large numbers of packets and alert the driver. Or if it saw diagnostic packets showing up while the car was in motion–something that wouldn’t happen under normal circumstances–it would raise the alarm. The problem, though, is that auto manufacturers aren’t very keen on putting anything that isn’t completely necessary into their vehicles. The auto business has tiny margins and is brutally competitive, so adding more cost to a vehicle is frowned upon.
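The two checks described above, as an added example that is not Miller’s and Valasek’s code nor any manufacturer’s: a detector run over a constructed CAN trace that flags an arbitration ID whose frame rate in a short window far exceeds its learned baseline, and flags diagnostic-request frames while the vehicle is moving. The IDs 0x7DF and 0x7E0–0x7EF are the standard OBD-II diagnostic request range; the speed frame (ID 0x0D0, byte 0 in km/h) and the steering ID 0x0B4 are assumptions for the sample, not taken from any real vehicle.

```python
"""Anomaly detection over CAN frames: rate floods and out-of-place diagnostics.

Added example (not Miller/Valasek's or a manufacturer's code). Frames are
(timestamp_s, arbitration_id, payload). Check 1: per-ID sliding-window
rate versus a learned baseline, to catch a flood trying to out-race the
legitimate ECU. Check 2: diagnostic requests (0x7DF broadcast, 0x7E0-0x7EF
physical) while speed > 0, which normal operation does not produce.
Speed location (ID 0x0D0, byte 0 km/h) and steering ID 0x0B4 are assumed.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

Frame = Tuple[float, int, bytes]          # (timestamp seconds, CAN ID, payload)

DIAG_IDS = {0x7DF} | set(range(0x7E0, 0x7F0))   # OBD-II diagnostic requests
SPEED_ID = 0x0D0                                 # assumed: byte 0 = km/h


def is_diagnostic(can_id: int) -> bool:
    return can_id in DIAG_IDS


class CanAnomalyDetector:
    def __init__(self, baseline_hz: Dict[int, float], window_s: float = 0.1,
                 flood_factor: float = 3.0):
        self.baseline_hz = baseline_hz      # learned normal rate per ID
        self.window_s = window_s
        self.flood_factor = flood_factor
        self.recent: Dict[int, deque] = defaultdict(deque)
        self.speed_kmh = 0
        self.flooded_ids: set = set()

    def feed(self, frame: Frame) -> List[str]:
        ts, can_id, data = frame
        alerts: List[str] = []
        if can_id == SPEED_ID and data:
            self.speed_kmh = data[0]
        # Check 2: diagnostics should not appear while the car is moving.
        if is_diagnostic(can_id) and self.speed_kmh > 0:
            alerts.append(f"t={ts:.3f}: diagnostic frame 0x{can_id:03X} "
                          f"while moving at {self.speed_kmh} km/h")
        # Check 1: sliding-window frame rate for this ID versus baseline.
        q = self.recent[can_id]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        baseline = self.baseline_hz.get(can_id)
        rate = len(q) / self.window_s
        if (baseline and rate > self.flood_factor * baseline
                and can_id not in self.flooded_ids):
            self.flooded_ids.add(can_id)    # one alert per flood episode
            alerts.append(f"t={ts:.3f}: 0x{can_id:03X} at {rate:.0f} fps, "
                          f"baseline {baseline:.0f} fps")
        return alerts


def build_trace() -> List[Frame]:
    """Constructed trace: 2 s of normal 100 Hz traffic at 100 km/h, then 50
    injected steering frames within 100 ms and one diagnostic request."""
    frames: List[Frame] = []
    t = 0.0
    while t < 2.0:
        frames.append((t, SPEED_ID, bytes([100, 0, 0, 0])))
        frames.append((t, 0x0B4, bytes([0x00, 0x10, 0, 0])))
        t += 0.01
    for i in range(50):                     # flood of steering frames
        frames.append((2.0 + i * 0.002, 0x0B4, bytes([0xFF, 0x7F, 0, 0])))
    frames.append((2.12, 0x7DF, bytes([0x02, 0x10, 0x03])))   # diag session
    return sorted(frames, key=lambda f: f[0])


def run_detector(frames: List[Frame]) -> List[str]:
    det = CanAnomalyDetector(baseline_hz={0x0B4: 100.0, SPEED_ID: 100.0})
    alerts: List[str] = []
    for fr in frames:
        alerts.extend(det.feed(fr))
    return alerts


if __name__ == "__main__":
    for a in run_detector(build_trace()):
        print(a)
```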

“Auto manufacturers don’t like adding complexity to their cars,” Valasek said after he and Miller delivered a talk on the topic at the Kaspersky Security Analyst Summit here Tuesday. “If you’re trying to tell them to change the architecture, you’d get massive pushback.”

Despite a huge amount of press around their car-hacking exploits, Miller and Valasek have had virtually no contact with the manufacturers. They haven’t been asked to help design detection or prevention systems for their attacks or even to explain them in detail to the manufacturers. And auto manufacturers are loath to discuss their future product plans, so it’s unclear whether there are any protection methods on the horizon.

“We have no idea what they’re doing. They could be building something,” Miller said. “But it could be years down the line.”

Five OAuth Bugs Lead to Github Hack

Threatpost for B2B - Tue, 02/11/2014 - 11:53

A Russian security researcher was able to take five low severity OAuth bugs in the coding site Github and string them together to create what he calls a “simple but high severity exploit” that gave him unfettered access to users’ private repositories.

Bangkok-based researcher Egor Homakov – inspired to poke around the site after learning about its new bug bounty program last month – discussed the bugs in a blog entry on his site on Friday.

Github went on to fix the vulnerabilities “in a timely fashion” according to Homakov, who said he received a $4,000 reward, the highest Github has rewarded in the bounty program’s short time, for his work.

The main problem lies in the site’s Gist OAuth functionality. Gists are Pastebin-like repositories on Github that allow coders to share bits and pieces of their work with their contemporaries, and OAuth is an authentication protocol that can allow different entities, be it a web app or a mobile app, varying degrees of access to your account.

The first vulnerability Homakov noticed in Github was that he could bypass its redirect_uri validation by inserting a /../ path traversal. A path traversal attack allows files and directories stored outside the web root folder to be accessed by manipulating the URL. In this case, when the browser is redirected, Homakov found that he could control the HTTP parameter and trick the site into not fully parsing the URL, letting him redirect to any Gist page he wanted.

In fact Homakov found that whatever the client sent to get an authorization token, the provider would respond with a valid access_token, a vulnerability that could be used to compromise the log-in functionality on any site that uses it.

This – the second bug – could make it easy for an attacker to hijack the authorization code used for the redirect_uri and simply apply the leaked code on the real client’s callback to log in under the victim’s account.

Homakov discovered he could leverage both bugs to trick a user into following a link that got Github to leak the code-sending request to him. Using something he’s nicknamed an Evolution of Open Redirect vulnerability, the code-sending request is turned into an image request, which Homakov could then use to log into the victim’s account and secure access to private gists.

Gists are static pages and can even allow users to embed their own images, or at least image code. In this situation there’s a certain way the code can point to a suspicious URL and acquire the victim’s code.

Once in, Homakov found that the client reveals the victim’s actual OAuth access_token to the user agent, something he then was able to take advantage of and use to perform API calls on behalf of the victim.

Since Gist falls under the Github umbrella, Homakov found the client approves any scope it’s asked for automatically. That includes allowing it to carry out specially crafted URLs that can leak code, giving him access to private GitHub repositories and Gists, “all in stealth-mode,” because the github_token belongs to the Gist client. From here Homakov has control of the affected Github user and their Gist account.
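The provider-side checks that close the first two links of that chain, written as an added example (not Github’s code): redirect_uri accepted only on exact match with the registered URI after RFC 3986 dot-segment normalisation, shown beside the prefix check a /../ traversal walks past, and each authorization code bound to the client and redirect_uri it was issued for, so a leaked code cannot be exchanged from a different callback. The client ID and URLs are constructed.

```python
"""Two OAuth authorization-server checks: strict redirect_uri matching and
binding authorization codes to their redirect_uri.

Added example, not GitHub's code. (1) RFC 6749 section 3.1.2.3 requires
the registered and requested redirect URIs to be compared as simple
strings; a prefix check lets '/../' dot-segments reach another path on the
same host. (2) Section 4.1.3 requires the token request to carry the same
redirect_uri the code was issued against, so a code leaked through a
redirect is useless from any other callback. Client IDs/URLs are constructed.
"""
import posixpath
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

REGISTERED: Dict[str, str] = {              # client_id -> registered redirect_uri
    "gist-client": "https://gist.example.com/auth/github/callback",
}


def normalize(uri: str) -> str:
    """Lower-case scheme and host, resolve '.'/'..' segments, drop fragment."""
    p = urlsplit(uri)
    path = posixpath.normpath(p.path) if p.path else "/"
    if p.path.endswith("/") and path != "/":
        path += "/"                         # normpath strips a trailing slash
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), path, p.query, ""))


def redirect_uri_prefix_check(client_id: str, requested: str) -> bool:
    """The weak pattern: accept anything that begins with the registered URI."""
    return requested.startswith(REGISTERED[client_id])


def redirect_uri_exact_check(client_id: str, requested: str) -> bool:
    """Exact match after normalisation, so dot-segments cannot change the target."""
    registered = REGISTERED.get(client_id)
    return registered is not None and normalize(requested) == normalize(registered)


class AuthorizationServer:
    def __init__(self) -> None:
        self._codes: Dict[str, Dict[str, str]] = {}

    def issue_code(self, client_id: str, redirect_uri: str, user: str) -> str:
        """Issue a single-use code only to the registered redirect_uri and
        remember which client/redirect_uri it belongs to."""
        if not redirect_uri_exact_check(client_id, redirect_uri):
            raise ValueError("invalid redirect_uri")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id,
                             "redirect_uri": normalize(redirect_uri),
                             "user": user}
        return code

    def exchange_code(self, code: str, client_id: str,
                      redirect_uri: str) -> Optional[str]:
        """Return an access token only if code, client and redirect_uri all
        agree with what was recorded at issuance; the code is consumed
        either way, so a guessed or replayed code cannot be retried."""
        rec = self._codes.pop(code, None)
        if rec is None or rec["client_id"] != client_id:
            return None
        if rec["redirect_uri"] != normalize(redirect_uri):
            return None
        return "token-for-" + rec["user"]


if __name__ == "__main__":
    good = REGISTERED["gist-client"]
    bad = good + "/../../some-other-page"
    print("prefix check accepts traversal:", redirect_uri_prefix_check("gist-client", bad))
    print("exact check accepts traversal: ", redirect_uri_exact_check("gist-client", bad))
    srv = AuthorizationServer()
    code = srv.issue_code("gist-client", good, "victim")
    print("exchange from other callback:", srv.exchange_code(code, "gist-client", "https://gist.example.com/other"))
```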

Homakov is no stranger to rooting out Github bugs; he blogged about a bug involving the way the site pushes public keys in March 2012 and a problem with the way the site handles cookies last March.

Github kicked off its bug bounty program just over a week ago by promising to award anywhere from $100 to $5,000 to researchers who discover vulnerabilities in the site or other applications like its API or Gist. As Homakov’s vulnerability involved both Github and Gist and fetched $4,000, it was clearly of concern to the site; the way the vulnerabilities “fit so nicely together” impressed Github.

Controversial LinkedIn Intro Service to Shut Down

Threatpost for B2B - Mon, 02/10/2014 - 16:38

LinkedIn announced on Friday it was shuttering its four-month-old Intro service, which stirred up a privacy meltdown shortly after its release in October.

Intro was an integrated service for iOS which sat as a proxy between the built-in iOS mail client and the user’s email provider. Intro would intercept all IMAP and SMTP messages and insert an Intro bar into email messages; the bar acts as a shortcut to the sender’s LinkedIn profile and provides options for connecting with that person over the LinkedIn network.

On Friday, LinkedIn announced it will shut down Intro on March 7, though it said it is going to continue to develop services to bring LinkedIn to a user’s inbox. The company also announced it was shutting down Slidecast, its service that enables users to upload and view one another’s presentations, as well as ending support for the LinkedIn app on iOS devices before version 6.

Intro immediately raised eyebrows among security and privacy experts who were curious about its native behaviors and ability to circumvent the protections built into the native iOS mail client. In particular, experts cited concerns over corporate email policy violations, broken cryptographic signatures and the creation of a central collection point for government surveillance efforts.

Analysts at security consultancy Bishop Fox were the most vocal, initially saying that Intro pushed a security profile to the iOS device alongside the Intro app, raising red flags that a new security profile could allow an outsider to wipe the device, modify configurations, install apps and more.

Bishop Fox said LinkedIn’s Intro bar changed the content and structure of messages and feared that could impact the security of a message.

“Cryptographic signatures will break because LinkedIn is rewriting your outgoing emails by appending a signature on the end,” Vinnie Liu and Carl Livitt said. “This means email signatures can no longer be verified. Encrypted emails are likely to break because of the same reason—extra data being appended to your messages.”

LinkedIn quickly refuted those claims, emphasizing that Intro does not alter an iPhone or iPad’s security profile. Instead, Intro was isolated on a separate network segment at LinkedIn, services were hardened to reduce exposure to third-party monitoring and tracking, and every line of credential hardening and mail parsing/insertion code was reviewed by security consultancy iSEC Partners and pen-tested by LinkedIn’s internal analysts, said senior manager for information security Cory Scott.

“We worked to help ensure that the impact of the iOS profile is not obtrusive to the member,” Scott said in October. “It’s important to note that we simply add an email account that communicates with Intro. The profile also sets up a certificate to communicate with the Intro Web endpoint through a Web shortcut on the device.”

Realistic Risk Assessment Key to Security Management

Threatpost for B2B - Mon, 02/10/2014 - 15:42

PUNTA CANA – Although it may not be the most thrilling part of a security team’s job, the idea of operational risk assessment and management is perhaps the most important aspect of organizational security.

Steve Adegbite, senior vice president in charge of enterprise information security program oversight and strategy at the banking giant Wells Fargo, pointed out in his talk at the Kaspersky Security Analyst Summit here that online banking security is essentially predicated on the ideas that evolved during hundreds of years of brick and mortar physical security.

For sure, the means required to securely store potentially valuable bits of data on a network or database or server are very different than the means by which an early human may have hid in a cave to avoid being eaten by a bear. However, Adegbite’s presentation suggested that these sorts of risk assessments – the ones that have kept humans alive for hundreds of thousands of years – are exactly the kinds of logical progressions corporations should follow to protect sensitive data.

“Operational risk management is a key component of any security practice,” Adegbite wrote in a synopsis of his briefing. “This principle has been exercised since the dawn of time when cave men weighed the outcome of certain scenarios… [such as the] risk of hunting that wild animal to eat or having that wild animal eat him.”

It’s not enough though to merely understand the information your company holds, how and why and to whom it is valuable, and the threats to the integrity of that data. Companies need to understand that zero-days are an unfortunate inevitability of technology and that their security measures will eventually fail. Even if an organization has the perfect risk model, they are still vulnerable to the one, uncontrollable factor: humans.

Beyond this, people and attack techniques and defensive technology change over time. The way we build software, Adegbite explained, has changed dramatically over time. Coding from 10 or even five years ago is insecure now, which is why Adegbite believes it is unacceptable when organizations say “this is just the way we do things.”

If you fall in love with your risk management plan, Adegbite said, and think it is perfect, you are missing the point of a risk management plan. Risk management plans should be designed to fail. His point is that failure in the realm of security is inevitable, but with a competent risk plan, organizations can fail better, limiting an incident’s effect on a business’s reputation and bottom line.

“Your risk model is never going to always work,” said Adegbite.

When the risk management plan fails, companies need to look at why it failed, and make it better.

Adegbite said that these analyses are measured in cost: how much money are we willing to lose before we spend the money to stop losing money in this way? Or, on the flip side of that coin, how much are we willing to invest in order to prevent future losses? In this way, Adegbite told the audience, banks are adopting some of the attitudes that Wall Street traders have had toward failure for years, namely a willingness to take bigger risks in the pursuit of a better payoff. Of course, in this case that payoff is better security that could potentially save organizations money down the line.

Blog: The Careto/Mask APT: Frequently Asked Questions

Secure List feed for B2B - Mon, 02/10/2014 - 14:46
The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007.

‘Our Threat Model Has Changed’

Threatpost for B2B - Mon, 02/10/2014 - 14:31

PUNTA CANA–The golden era of bulk surveillance through the acquisition of phone records and other data from telecommunications companies may already be fading, but the larger threat to privacy and security is just beginning to emerge: the use of legal tools and coercion to get around encryption and other safeguards.

One of the main results of the NSA revelations has been that many of the major Web companies–including Google, Yahoo and others–have begun turning on encryption by default on their main properties. This has been a long time coming and it has happened mainly after a lot of public pressure from privacy advocates. But these efforts have been accelerated in the wake of revelations that the NSA has been gathering unencrypted communications between data centers owned by major tech companies.

Chris Soghoian, principal technologist and senior policy analyst at the American Civil Liberties Union, has been one of the loudest voices pushing for more encryption on the Web and pressuring companies to roll out SSL by default on their Web properties.

“The day that Google turned on SSL by default was probably a pretty bad day for the NSA,” he said. “But until we have end-to-end encryption, the FBI can still go to Google [and demand user data].”

The use of encrypted links for email services such as Gmail helps protect large swaths of communications, but Soghoian said that it only goes so far.

“If you take these companies at their word, they don’t provide bulk data. They don’t provide data on a million people at once, which is something that the backbone providers do,” he said during a talk at the Kaspersky Security Analyst Summit here Monday. “If you take them at their word, a world in which our communications are encrypted to and from Google is a world in which the government can’t do wholesale surveillance. That may be an end for now to bulk surveillance, but governments are going to have to respond.”

That response has already begun, in fact. One portion of it is the use of court orders and other legal methods to gain access to users’ data, whether at a service provider or elsewhere. This has been happening for years, long before Edward Snowden had ever leaked a single document. But Soghoian said that the government is changing the way it uses these tools and how often.

“Our threat model has changed. The APT powers of my government and your government and the Chinese government are not the biggest power. The most powerful tool the Department of Justice has is not the ability to hack but the ability to coerce,” Soghoian said. “You can fix the hack but you can’t patch away the coercion.”

As an example, Soghoian pointed to the Lavabit case. The company was a secure email provider used by Edward Snowden, and its founder Ladar Levison refused to comply with an FBI order to turn over the SSL keys for his company to aid the FBI’s investigation into Snowden’s actions. He ended up shuttering the company and is fighting in the courts further requests that he hand the FBI the keys that would decrypt all of the Lavabit users’ emails, not just Snowden’s. Soghoian said the fact that the government is willing to go that far to get the emails of one user is concerning.

“We should assume the powers the government is seeking in the Lavabit case will be used elsewhere,” he said. “The precedent that the government can go to a private company and demand the keys to the kingdom to get at one user’s data threatens the entire Internet.”

To address the new threat model, Soghoian urged developers and engineers and security teams to build surveillance-resistant systems.

“We have to design our software and systems so that they can be resistant to this kind of coercion,” he said. “The software we built ten years ago, the software we built two years ago, was not built with this threat in mind.”

New ‘Mask’ APT Campaign Called Most Sophisticated Yet

Threatpost for B2B - Mon, 02/10/2014 - 14:03

PUNTA CANA–A group of high-level, nation-state attackers has been targeting government agencies, embassies, diplomatic offices and energy companies with a cyber-espionage campaign for more than five years that researchers say is the most sophisticated APT operation they’ve seen to date. The attack, dubbed the Mask, or “Careto” (Spanish for “Ugly Face” or “Mask”) includes a number of unique components and functionality and the group behind it has been stealing sensitive data such as encryption and SSH keys and wiping and deleting other data on targeted machines.

The Mask APT campaign has been going on since at least 2007 and it is unusual in a number of ways, not the least of which is that it doesn’t appear to have any connection to China. Researchers say that the attackers behind the Mask are Spanish-speaking and have gone after targets in more than 30 countries around the world. Many, but not all, of the victims are in Spanish-speaking countries, and researchers at Kaspersky Lab, who uncovered the campaign, said that the attackers had at least one zero-day in their arsenal, along with versions of the Mask malware for Mac OS X, Linux, and perhaps even iOS and Android.

“These guys are better than the Flame APT group because of the way that they managed their infrastructure,” said Costin Raiu, head of the Global Research Analysis Team at Kaspersky. “The speed and professionalism is beyond that of Flame or anything else that we’ve seen so far.”

Raiu revealed the details of the Mask attack campaign during the Kaspersky Security Analyst Summit here Monday.

Interestingly, the Kaspersky researchers first became aware of the Mask APT group because they saw the attackers exploiting a vulnerability in one of the company’s products. The attackers found a bug in an older version of a Kaspersky product, which has been patched for several years, and were using the vulnerability as part of their method for hiding on compromised machines. Raiu said that the attackers had a number of different tools at their disposal, including implants that enabled them to maintain persistence on victims’ machines, intercept all TCP and UDP communications in real time and remain invisible on the compromised machine. Raiu said all of the communications between victims and the C&C servers were encrypted.

The attackers targeted victims with spear-phishing emails that would lead them to a malicious Web site where the exploits were hosted. There were a number of exploits on the site and they were only accessible through the direct links the attackers sent the victims. One of the exploits the attackers used was for CVE-2012-0773, an Adobe Flash vulnerability that was discovered by researchers at VUPEN, the French firm that sells exploits and vulnerability information to private customers. The Flash bug was an especially valuable one, as it could be used to bypass the sandbox in the Chrome browser. Raiu said the exploit for this Flash bug never leaked publicly.

While most APT campaigns tend to target Windows machines, the Mask attackers also were interested in compromising OS X and Linux machines, as well as some mobile platforms. Kaspersky researchers found Windows and OS X samples and some indications of a Linux version, but don’t have a Linux sample. There also is some evidence that there may be versions for both iOS and Android. Raiu said there was one victim in Morocco who was communicating with the C&C infrastructure over 3G.

Kaspersky researchers have sinkholed about 90 of the C&C domains the attackers were using, and the operation was shut down last week within a few hours of a short blog post the researchers published with a few details of the Mask campaign. Raiu said that after the post was published, the Mask operators rolled up their campaign within about four hours.

However, Raiu said that the attackers could resurrect the operation without much trouble.

“They could come back very quickly if they wanted,” he said.

Mac Trojan Steals Bitcoin Wallet Credentials

Threatpost for B2B - Mon, 02/10/2014 - 12:25

A small number of Bitcoin wallets have been raided by a newly discovered Trojan that gobbles up credentials used to guard the digital currency.

OSX/CoinThief.A was found in the wild by a security consultancy specializing in Apple security called SecureMac; the malware was spreading on GitHub via a malicious app, which has since been removed from the code repository.

“At this time we’ve seen multiple reports on Reddit and other Bitcoin forums with users indicating that they’ve fallen victim to the malware, but we do not yet know the full scope of the malware distribution,” SecureMac lead developer Nicholas Ptacek said. “As news of this malware spreads, more victims will probably come forward.”

A Reddit discussion about the incident seems to link the author of the app called Stealthbit used to spread CoinThief to a previous attack targeting Bitcoin credentials carried out through an app called Bitvanity. The author of CoinThief went by the handle trevorscool or Thomas Revor, while the Bitvanity GitHub account was registered to a Trevory. The person posting said the Bitvanity app lifted more than 20 Bitcoins—an approximate value of $14,000 USD.

“The malware author tried to take down the malicious binary from Github yesterday, and possibly didn’t realize that it would still be available from the commit history,” Ptacek said. “At some point in the afternoon, the entire Github page for StealthBit was 404’ing, but we are not sure if the malware author deleted his account, or if the page was taken down by Github.”

StealthBit pretends to be an app used to send and receive payments on Bitcoin Stealth Addresses. Instead, when victims install it, their web browsing traffic is monitored by the Trojan, which sniffs out login credentials for Bitcoin wallets.

“At this time there does not appear to be any vulnerability that the malware is exploiting, but rather it is a classic case of social engineering,” Ptacek said. “The infected users thought they were installing an app to send and receive payments on Bitcoin Stealth Addresses, but the app did more than was advertised when it installed the malware. Since the user was intending to install the app, Gatekeeper warnings wouldn’t have been effective at stopping those users from running the app.”

The consultancy said the CoinThief Trojan is a dropper that installs browser extensions on Safari and Chrome running on OS X. The extensions keep tabs on Web traffic from the browsers and watch for log-in attempts on pre-loaded Bitcoin exchanges such as Mt. Gox and BTC-e and wallet sites such as blockchain.info. The extensions, meanwhile, are generically named “Pop-up Blocker,” and arrive with an equally generic description that wouldn’t raise suspicions with the user or security researchers.

“Additionally, the malware appears to monitor specific file locations on disk, checking to see when they are modified. Analysis of this malware is still in the early stages, so more information is likely to come to light moving forward,” Ptacek said.

The attackers hosted the source code and a precompiled version of the app on GitHub, SecureMac said. The source code and app, however, were not a match. The pre-compiled app contained malware not present in the source code and infected OS X users with CoinThief. Not only does the malware watch Web traffic, but it connects to a remote command and control server where it sends the stolen credentials and also receives updates from the attackers.

“Information sent back to the server isn’t limited to Bitcoin login credentials, but also includes the username and UUID (unique identifier) for the infected Mac, as well as the presence of a variety of Bitcoin-related apps on the system,” SecureMac said on its site.

Ptacek said the remote server was registered in Australia via bitcoinwebhosting[.]net, but appeared to be hosted elsewhere. The remote server was located at www[.]media02-cloudfront[.]com, with a current IP address of 217[.]78[.]5[.]17, but it appears to be down at this time, Ptacek said.

Apple’s security restrictions make it highly unlikely the malware would have made its way onto the Apple App Store. Also, there is no indication of a mobile component of this Trojan for iOS devices.

“The Trojan only works on OS X, and we haven’t seen any indication of the presence of an iOS version,” Ptacek said. “Furthermore, due to the security restrictions Apple has built into iOS, this malware would not be able to function on iOS.”

Bugging the Bug Market

Threatpost for B2B - Mon, 02/10/2014 - 11:46

PUNTA CANA–The Microsoft bug bounty program, started last year as a way to encourage researchers to develop new offensive and defensive techniques, has been a success so far and the company is looking for new ways to expand it in the future. Katie Moussouris, the security strategist at Microsoft responsible for the program’s creation, said that while rewarding researchers for innovative work was a key goal, causing some turbulence in the vulnerability market was also part of the plan.

Moussouris had been working on the bounty program for some time before she was able to launch it last year, and she had paid close attention to the way that not just other bounty programs work, but also how the legitimate vulnerability market operates. Vulnerability buyers and sellers for years have operated mainly underground, but that has changed in the last couple of years as companies such as VUPEN and others have made bug sales into a booming business. Microsoft’s products always are at the top of the list for both attackers and security researchers, and Moussouris wanted to find a way to get valuable offensive techniques in Microsoft’s hands rather than in the hands of vulnerability brokers or attackers.

“We’re never going to outbid the black market. This is about using existing levers to disrupt the vulnerability economy,” Moussouris said in a talk at the Kaspersky Security Analyst Summit here Monday.

Security researchers who once had limited options for making money from their vulnerability work now have a broad spectrum of choices. Depending on their contacts and other factors, researchers can sell bugs to any number of government agencies, defense contractors or third parties. Bug bounty programs provide another option, but they’re typically far less lucrative. Microsoft wanted to make that option more attractive by offering bounties of up to $100,000 for novel offensive techniques that can bypass the exploit mitigations in the latest version of Windows. The company already has paid one bounty and recently expanded the field of eligible participants to include forensics teams and incident responders.

There are more potential additions to the Microsoft bounty program, Moussouris hinted during her talk, but did not provide any new details.

Moussouris said that the pool of researchers capable of finding qualifying bypass techniques is relatively small, and the subset of that group who are willing to submit them to Microsoft is even smaller.

“There are probably only a thousand people worldwide who could do this kind of work,” she said, “and there’s probably only a few hundred who would work with Microsoft.”

There has been quite a lot of discussion in the security industry about exploit sales and potential regulation of the market. But Moussouris says she thinks that would be a mistake.

“I tell governments that I don’t want them to regulate exploits because you’ll blind me,” she said. “You’ll make it so the only way I can find out about new attacks is when they hit customers.”

The Internet is Broken–Act Accordingly

Threatpost for B2B - Fri, 02/07/2014 - 16:19

PUNTA CANA–Costin Raiu is a cautious man. He measures his words carefully and says exactly what he means, and is not given to hyperbole or exaggeration. Raiu is the driving force behind much of the intricate research into APTs and targeted attacks that Kaspersky Lab’s Global Research and Analysis Team has been doing for the last few years, and he has first-hand knowledge of the depth and breadth of the tactics that top-tier attackers are using.

So when Raiu says he conducts his online activities under the assumption that his movements are being monitored by government hackers, it is not meant as a scare tactic. It is a simple statement of fact.

“I operate under the principle that my computer is owned by at least three governments,” Raiu said during a presentation he gave to industry analysts at the company’s analyst summit here on Thursday.

The comment drew some chuckles from the audience, but Raiu was not joking. Security experts for years have been telling users–especially enterprise users–to assume that their network or PC is compromised. The reasoning is that if you assume you’re owned then you’ll be more cautious about what you do. It’s the technical equivalent of telling a child to behave as if his mother is watching everything he does. It doesn’t always work, but it can’t hurt.

Raiu and his fellow researchers around the world are obvious targets for highly skilled attackers of all stripes. They spend their days analyzing new attack techniques and working out methods for countering them. Intelligence agencies, APT groups and cybercrime gangs all would love to know what researchers know and how they get their information. Just about every researcher has a story about being attacked or compromised at some point. It’s an occupational hazard.

But one of the things that the events of the last year have made clear is that the kind of paranoia and caution that Raiu and others who draw the attention of attackers employ as a matter of course should now be the default setting for the rest of us, as well. As researcher Claudio Guarnieri recently detailed, the Internet itself is compromised. Not this bit or that bit. The entire network. We now know that intelligence agencies have spent the last decade systematically penetrating virtually every portion of the Internet and are conducting surveillance and exploitation on a scale that a year ago would have seemed inconceivable to all but the most paranoid among us.

Email? Broken. Mobile communications? Broken. Web traffic? Really broken. Crypto? So, so broken.

It would be understandable, even natural, for most casual observers to have grown so completely overwhelmed by the inundation of stories about government surveillance and exploitation techniques that they tuned it out months ago. Why get worked up about something you can’t change? It’s like getting mad at cake for being delicious.

And that’s exactly the attitude that attackers want. Indeed, they depend on it. Complacency and indifference to clear threats are their lifeblood. Attackers can’t operate effectively without them.

The best response, of course, isn’t panic or indulging the urge to throw your laptop out the window and drop off the grid, as tempting as that might be. Rather, the best course of action is to follow Raiu’s simple advice. You’re being watched at all times; act accordingly.

Image from Flickr photos of Lyudagreen.

HVAC Integrator’s ‘Billing’ Connection Led to Target Breach

Threatpost for B2B - Fri, 02/07/2014 - 14:33

The heating, ventilation and air conditioning contractor linked to the Target breach said its data connection to the giant retailer was “exclusively for electronic billing, contract submission and project management,” according to a statement yesterday from the company’s president and owner.

Ross E. Fazio said in a statement that his company, Fazio Mechanical Services, was also compromised and that it is cooperating with Target and the Secret Service in the investigation of the breach that spanned most of the Christmas shopping season and resulted in the loss of 40 million payment cards and the personal information of 70 million individuals.

Fazio also quashed initial speculation that his company remotely monitors and manages Target’s environmental controls such as heating, cooling and refrigeration.

“Like Target, we are a victim of a sophisticated cyber attack operation,” Fazio said. “Target is the only customer for whom we manage these processes on a remote basis. No other customers have been affected by the breach.”

Fazio Mechanical Services is based in Sharpsburg, Pa., and specializes in supermarket refrigeration systems. Legitimate credentials providing access to the Target corporate network were stolen from Fazio Mechanical Services, sources told Krebs on Security.

Fazio’s declaration that it does not remotely monitor energy consumption and remotely manage temperatures for Target debunks theories that the hackers had bridged the HVAC system and pivoted from there to the corporate network. Hackers were able to upload RAM scraping malware to point of sale systems and exfiltrate stolen payment card data via a server inside the Target firewall to the attackers’ remote server.

While some security experts questioned why there wasn’t better segmentation between the two networks if this were the case, industrial control system security experts on the SCADASEC mailing list said that many building automation networks often are integrated with corporate networks. One post describes a typical environment where a workstation is tasked with managing a building automation system and a DSL line connects it to the Internet.

“It happens all the time,” said Billy Rios, director of vulnerability research and threat intelligence at Qualys. “We’ve done assessments where we exploit an Internet-facing HVAC system and pivot to the corporate network. Pivoting from the HVAC system to the corporate network is really trivial; it’s designed to be a bridge like that.”

Large retailers such as Target are perfect examples of this scenario, where a third-party integrator is hired for environmental control, which is generally done remotely over the Internet rather than by sending technicians on-site, said Rios, a long-time SCADA and ICS pen-tester who has reported dozens of building management system vulnerabilities to the Industrial Control System Computer Emergency Response Team (ICS-CERT).

An integrator’s job is to install equipment, and often it’s done without much consideration for cybersecurity. Rios said there are no centralized security standards they are required to adhere to with regard to remote access.

“Every HVAC integrator is doing their own thing; there’s no control,” Rios said. “They put in remote access the way they want to put it in. Sometimes these guys just bring in a cable modem and the organization doesn’t realize the bridge to the Internet exists. Pivoting becomes trivial at that point. Some of the stuff we’ve seen is appalling.”

One such example, Rios said, was the reuse of common passwords by an integrator for all of its customers.

“This way, the technician knows one set of credentials that gets them into all their customers,” Rios said. “If one organization gets compromised, the chances are all of them are going to get compromised. These are super common problems and it’s totally crazy.”

Another issue plaguing building management systems is that often they don’t fall under the auspices of IT management, rather facilities or operations. Many of these systems are embedded and are running Windows or Linux and they’re hardly ever monitored by security tools such as antimalware or egress filtering.

“When you see some of these systems taken out of facilities and turned over into IT, they turn on the security stuff and see they’ve been compromised, that a system is reaching out to different IP addresses or stuff is out of date,” Rios said.

“We’ve seen this coming for a long time, and there’s still a long way to go,” Rios said. “Integrators have to get their act together; vendors have to get their act together; and end users have to understand the threat. It’s a three-legged stool and until we get all three legs working together, we’re going to have a lot of problems.”

Data Leaks Patched in EE Brightbox Routers; CSRF Vulnerability Remains

Threatpost for B2B - Fri, 02/07/2014 - 12:06

Everything Everywhere has released patches for a pair of vulnerabilities discovered by a UK researcher, but has yet to fix a risky cross-site request forgery flaw that could result in traffic sent from the home and small business router being redirected to a malicious site.

Scott Helme, an engineer in the UK, said he has since found more serious vulnerabilities and disclosed them to the popular networking gear manufacturer.

“I’ve yet to publish details as EE have only been aware for around a week,” Helme told Threatpost. Helme informed EE of his original findings in November and went public with them after EE promised patches in December but had failed to deliver.

Helme published details of a number of serious security issues in the routers; EE has 700,000 customers in the UK. The vulnerabilities could make it trivial to steal not only device credentials, but a user’s ISP login data. The BrightBox router also leaks sensitive device and user data to other clients on the network, including WPA and WEP keys, SSID lists and keys, the MD5 hash of device admin credentials and the user’s ISP log-in information.

Helme discovered the vulnerabilities after monitoring the traffic coming and going from his home device. Starting with a lack of TLS encryption on the log-in page for the router, things only got worse as Helme dug deeper. Using a debugging program, he found a CGI JavaScript file that contained his credentials in clear text along with a number of other configuration variables. The risk is compounded because, he said, the device leaks information to any client on the network allowing anyone to bypass restrictions in place on the Wi-Fi network.

“The device now protects the CGI folder and doesn’t leak credentials,” Helme said. “The risk remaining is the CSRF which means an attacker could potentially change the DNS servers for example and then intercept all of your internet traffic.”

EE is rolling out firmware updates that patch the credential vulnerabilities to customers. Helme said his device was patched over his broadband line, but the company would not send him the patch file. He said EE told him the deployment should be done by the end of February.

“Two of the three were patched it seems due to time constraints. They released what they had and are working on the CSRF,” Helme said. “This hasn’t been confirmed, it’s just what I’ve gathered from their emails.”

Helme told Threatpost in January there were no anti-cross-site request forgery (CSRF) protections in place on the router. He was able to exploit that situation and conduct a replay attack to control the device and gain admin access. He also found a way to bypass the protections in place guarding remote management capabilities.

“With a little CSRF, I can enable remote management on your router and steal all of your sensitive data like WPA keys, ISP credentials and the md5 hash of your admin password over the Internet. Once I’ve cracked the hash I can log in and do just about anything I like with your device or not bother with any of that and just call EE to cancel your internet connection,” Helme said.
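The CSRF weakness described above comes down to an admin endpoint that trusts the session cookie alone, which a browser attaches to any request regardless of which page triggered it. The following is an added illustration, not code from the BrightBox firmware or from Helme's research: a simulated settings handler in its cookie-only form next to a hardened form that also requires a per-session synchronizer token and checks the Origin header. The router origin, the DNS values and the request shapes are constructed for the example.

```python
import hmac
import secrets

ROUTER_ORIGIN = "http://192.168.1.1"  # constructed: the router's own origin

# Constructed server state: session cookie -> {"user": ..., "csrf": token}
SESSIONS = {}

def login(user):
    """Issue a session cookie and a per-session CSRF token (synchronizer token)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid

def vulnerable_set_dns(request):
    """Before: any request carrying a valid session cookie is honoured. A page on
    another origin can make the victim's browser send exactly this request, because
    the browser attaches the router's cookie automatically."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return False
    session["dns"] = request["form"]["dns"]
    return True

def hardened_set_dns(request):
    """After: the request must also carry the session's CSRF token (which a
    cross-origin page cannot read) and, when the browser sends Origin, it must be
    the router itself. compare_digest keeps the token check constant-time."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return False
    origin = request["headers"].get("Origin")
    if origin is not None and origin != ROUTER_ORIGIN:
        return False
    if not hmac.compare_digest(request["form"].get("csrf", ""), session["csrf"]):
        return False
    session["dns"] = request["form"]["dns"]
    return True

def cross_origin_request(sid):
    """Constructed: a request a third-party page can cause the victim's browser to
    send. It carries the cookie but cannot include the secret token."""
    return {"cookies": {"sid": sid},
            "headers": {"Origin": "http://third-party.example"},
            "form": {"dns": "203.0.113.53"}}

def legitimate_request(sid):
    """Constructed: a request submitted from the router's own admin page."""
    return {"cookies": {"sid": sid},
            "headers": {"Origin": ROUTER_ORIGIN},
            "form": {"dns": "192.0.2.53", "csrf": SESSIONS[sid]["csrf"]}}
```

The token must be issued per session and never placed in a cookie, otherwise the browser would attach it just as helpfully as the session identifier.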

Governments Need to Discuss Use of Cyber Weapons

Threatpost for B2B - Thu, 02/06/2014 - 17:48

PUNTA CANA–Attacks on critical infrastructure have been grabbing headlines for years now, long before sophisticated operations such as Stuxnet and Flame hit the scene. But we’re probably still in the early stages of the evolution of such attacks, and the use of so-called cyber weapons in these operations is likely going to increase in the near future, Eugene Kaspersky said.

“I’m afraid very soon we’re going to see more attacks on critical infrastructure,” Kaspersky said during a keynote speech at Kaspersky Lab’s Industry Analyst Summit here Thursday.

Kaspersky, the founder and CEO of the company, has spoken often in the past about the issue of nation states and government-backed groups deploying sophisticated malware against one another, and he stressed again Thursday that he views the development of cyber weapons as a serious danger.

“Cyber weapons are the worst innovation of the twenty-first century,” he said. “We depend on computers for everything. There’s a boomerang effect. Because it’s malware, it can come back to you. There are many reasons why cyber weapons are a bad idea.”

Defining what constitutes a cyber weapon is a difficult task, and is made all the more complicated by the question of attribution. Would Stuxnet have qualified as a cyber weapon if it had been created and deployed by a private group rather than a government? It’s hard to say. And determining with any degree of certainty who is responsible for a given attack is notoriously difficult.

But Kaspersky said that it’s the attacks between various governments that have him most concerned. A number of major governments have acknowledged publicly that they have dedicated groups–military or otherwise–whose mission is offensive cyber operations. The United States has had offensive units in both the military and intelligence agencies for a long time, as have other governments. How they utilize those groups is a major issue in the security industry, as well as the political realm right now.

Kaspersky emphasized that he believes world governments will have to sit down together eventually and hash out the issue of cyber weapons and whether they should be used at all.

“Governments sooner or later will talk to each other and agree not to use cyber weapons,” he said.

Kaspersky also said he’s concerned about the erosion of trust in the Internet and its components that has resulted from the leaks of NSA intelligence-gathering methods in the last year. He said he can see a situation in which various nations use the revelations as a justification for fragmenting the Internet.

“I’m afraid that nations, because of this trust erosion, will invest more in national segments of the Internet. That’s good for local companies but I’m afraid the international evolution of cyberspace will slow down,” he said. “I don’t like this. It’s a bad idea to fragment the Internet and increase distances between nations. I’m afraid this is a very, very bad idea.”
