
More Trouble for Linksys Home, Small Office Routers

Threatpost for B2B - Tue, 02/18/2014 - 14:38

Linksys routers sold to consumers as a home or small office networking box are vulnerable to a simple exploit that could give an attacker remote access to the router. The vulnerabilities are wormable, yet are unrelated to the Moon worm reported last week by the SANS Institute.

Linksys, which was acquired by Belkin a year ago, was notified in July but has yet to deliver a fix, according to researcher Kyle Lovett.

Lovett said Linksys EA2700, EA3500, E4200 and EA4500 routers have an innate weakness: during installation or upgrade, port 8083 is left open. An attacker would merely need to scan Shodan or another search engine for the open port on the respective models and would be dropped into the remote administration GUI, bypassing existing authentication, Lovett said. Up to 30,000 such routers have been found in scans, he said. He added that port 443, through which HTTPS traffic passes, also shows as open during setup in order to allow non-volatile RAM (NVRAM) to pass data.

An attacker could then upload malicious code or tamper with configuration settings in order to redirect traffic. The root cause, though unconfirmed, appears to lie in a number of vulnerable CGI scripts.

“What happens is during installation or upgrade, often times one of the CGI scripts hangs and doesn’t complete,” Lovett said. “The system then just bypasses the rest of the setup and operates as is.”

Four vulnerable scripts have been identified: fw_sys_up.cgi; override.cgi; share_editor.cgi; switch_boot.cgi.

“The port exploit is just a matter of scanning for an open port,” Lovett said. “Then someone could upload malicious code.”

Lovett reported the bug to Linksys last July and did a partial disclosure a month later to alert users after Linksys failed to produce a fix. Lovett said his last email to the company two weeks ago regarding the vulnerability went unanswered.

An advisory on Bugtraq, meanwhile, warns users not to rely on the router’s GUI to show the true status of remote access; the bug is present regardless of whether remote access is disabled by default.

“In the case of this bug, [remote access] gets switched on because of the CGI issue,” Lovett said. “By default, without the bug occurring, remote access is turned off. Honestly, I just don’t see the benefits of turning on remote access unless there is a very specific need. Most consumers don’t understand that turning that feature on, that they are in fact hosting a web site, which is subject to the same attacks and problems as other full websites.”

The Moon worm, reported last week by the SANS Institute, has also been spreading on Linksys routers. However, only one of the products vulnerable to Moon, the E4200, overlaps with the vulnerability reported by Lovett. Moon does, however, also exploit a vulnerable CGI script that allows remote access to flawed routers.

Moon connects to port 8080 and, using the Home Network Administration Protocol (HNAP) found in Cisco devices, requests a list of router features and firmware versions, Johannes Ullrich of SANS said. Once it learns what type of router it has infected, it exploits a vulnerable CGI script that allows it to access the router without authentication and begins scanning for other vulnerable boxes. SANS CTO Ullrich said researchers had not been able to find a malicious payload and were unsure whether a command and control connection is functional.

“There are about 670 different IP ranges that it scans for other routers. They appear to all belong to different cable modem and DSL ISPs. They are distributed somewhat worldwide,” Ullrich said. “We are still working on analysis of what it exactly does. But so far, it looks like all it does is spread (which is why we call it a worm). It may have a ‘call-home’ feature that will report back when it infected new hosts.”

Linksys said its older E-series routers and Wireless-N access points ship with the Remote Management Access feature off by default and customers must enable it to be vulnerable.

“Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network by disabling the Remote Management Access feature and rebooting their router to remove the installed malware,” Linksys said in a statement. “Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks.”

First AT&T Transparency Report Shows 2,000+ NSL Requests

Threatpost for B2B - Tue, 02/18/2014 - 13:01

AT&T, in its first transparency report, said that it received at least 2,000 National Security Letters and nearly 38,000 requests for location data on its subscribers in 2013.

The new report from AT&T is the latest in a growing list of publications from telecom companies, Web providers and cell phone carriers that have been under pressure from privacy advocates and security experts in the wake of the Edward Snowden NSA surveillance revelations. Telecoms had been resistant to providing such information in the past, and it’s really only in the last month or so, since the Department of Justice loosened its restrictions on the way that companies can report NSL and Foreign Intelligence Surveillance Act requests, that more companies have come around on the issue.

AT&T’s report shows a higher number of NSLs and subpoenas in 2013 than its most relevant competitor, Verizon. In January, Verizon’s first transparency report showed that the company received between 1,000 and 1,999 NSLs in 2013 and 164,000 subpoenas. AT&T said it got 2,000-2,999 NSLs and 248,343 subpoenas last year. AT&T also received nearly 37,000 court orders and more than 16,000 search warrants.

Interestingly, the number of demands for location information that AT&T received last year is pretty close to what Verizon saw. AT&T got nearly 38,000 requests for location information for its subscribers, including more than 12,500 requests for real time information. Verizon received about 35,000 requests for location data in 2013.

“We take our responsibility to protect your information and privacy very seriously, and we pledge to continue to do so to the fullest extent possible and always in compliance with the law of the country where the relevant service is provided. Like all companies, we must provide information to government and law enforcement agencies to comply with court orders, subpoenas, lawful discovery requests and other legal requirements. We ensure that these requests are valid and that our responses comply with the law and our own policies,” AT&T said in its report. “Interest in this topic has increased in the last year. As you might expect, we may make adjustments to our reporting processes and create ways to track forms of demands in the future.”

Of the more than 301,000 total criminal and civil requests from United States agencies that AT&T received in 2013, the company only rejected or challenged about 3,700 of them and provided partial or no data in about 13,700 cases.

The FISA request data in the AT&T report only covers the first six months of 2013, per the Department of Justice regulations, and it shows that the company received between 0 and 999 FISA requests for content, covering more than 35,000 customer accounts. By contrast, the company got the same range of non-content requests, but those covered fewer than 1,000 accounts.


Researchers Find Serious Flaws in WeMo Home Automation Devices

Threatpost for B2B - Tue, 02/18/2014 - 11:37

There has been a joke going around the tech industry for years about refrigerators and other home appliances one day being connected to the Internet and being able to order more milk for you or allow you to turn off your lights remotely. That day is today, and those Internet-connected devices–surprise!–have many of the same vulnerabilities that normal software applications and hardware devices have had for decades.

Security researchers who have had an increasingly difficult time in recent years finding major vulnerabilities in browsers or desktop applications are now finding that a little time spent on home-automation products can yield serious results. Researchers at IOActive found a series of vulnerabilities in the WeMo home automation products built by Belkin that enable them to gain remote control of connected devices, provide malicious firmware updates and gain access to the internal LAN.

The WeMo products, which include sockets, light switches, motion sensors and Web cams, allow users to connect to their monitored devices from a mobile device. They can monitor usage and turn various devices on and off. The vulnerabilities that the IOActive researchers uncovered relate to the way that WeMo pushes out firmware updates and implements the GPG encryption scheme.

“WeMo also uses a GPG-based, encrypted firmware distribution scheme to maintain device integrity during updates. Unfortunately, attackers can easily bypass most of these features due to the way they are currently implemented in the WeMo product line. The command for performing firmware updates is initiated over the Internet from a paired device. Also, firmware update notices are delivered through an RSS-like mechanism to the paired device, rather than the WeMo device itself, which is distributed over a non-encrypted channel. As a result, attackers can easily push firmware updates to WeMo users by spoofing the RSS feed with a correctly signed firmware,” IOActive principal research scientist Mike Davis wrote in an advisory on the vulnerabilities.

“The firmware updates are encrypted using GPG, which is intended to prevent this issue. Unfortunately, Belkin misuses the GPG asymmetric encryption functionality, forcing it to distribute the firmware-signing key within the WeMo firmware image. Most likely, Belkin intended to use the symmetric encryption with a signature and a shared public key ring. Attackers could leverage the current implementation to easily sign firmware images.”

Davis reported the vulnerabilities to US-CERT, which tried contacting Belkin; Belkin did not respond. The WeMo devices use a protocol known as STUN to communicate, which was designed to traverse NAT firewalls. The way that WeMo uses the protocol, however, compromises the security of the devices and creates what IOActive called a “darknet” of WeMo devices that attackers can connect to directly.

“As we connect our homes to the Internet, it is increasingly important for Internet-of-Things device vendors to ensure that reasonable security methodologies are adopted early in product development cycles. This mitigates their customer’s exposure and reduces risk. Another concern is that the WeMo devices use motion sensors, which can be used by an attacker to remotely monitor occupancy within the home,” Davis said.

US-CERT also has published an advisory on these issues.

Kickstarter Compromised, User Data Stolen

Threatpost for B2B - Sat, 02/15/2014 - 18:48

Attackers broke into the network of Kickstarter, the crowdfunding platform, and stole a variety of user data, including usernames, addresses, email addresses and encrypted passwords. Company officials didn’t specify exactly how many users were affected and said that “no credit card data of any kind was accessed by hackers.”

Kickstarter is a popular platform for raising funds for a variety of projects. Supporters pledge various amounts of money in return for certain levels of rewards from the creators of a project. Supporters enter their credit card information when creating an account, and their cards are charged once a specific project they have supported reaches its funding goal. Creators of projects such as Web comics, TV shows, robotic bartenders and books all seek funding on the site.

Officials at Kickstarter said that they were alerted to the intrusion by law-enforcement officials on Wednesday night. This is a common method of detection for data breaches. The Verizon Data Breach Investigation Report, a deep study of breaches at a variety of organizations, shows that 70 percent of breaches are discovered by third parties such as forensics teams, law-enforcement agencies and other security teams. Kickstarter officials were alerted to the compromise earlier this week and published details on the company blog Saturday.

“On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system,” Yancey Strickler, CEO of Kickstarter, wrote.

So far, only two customers’ accounts have shown evidence of unauthorized activity. Strickler said that user passwords were encrypted; more precisely, older passwords were salted and hashed with the SHA-1 algorithm, and newer passwords were hashed with bcrypt. SHA-1 is an older hashing algorithm that has long been considered weak, and security experts have been warning organizations away from using it for several years. Bcrypt is a password-hashing function based on the Blowfish cipher.

Kickstarter joins a long list of major Web companies that have faced data breaches in recent months, including Snapchat, Evernote, Dropbox and Yahoo. Attackers love to target companies with large user databases, knowing that users are lazy and will often reuse passwords on multiple sites. Attackers grabbing a password database at one company can sometimes lead to cascading problems for users at other sites.

Strickler said in his statement that users should change their passwords immediately.

“We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again,” he said.

Microsoft Pays Out Another $100,000 Mitigation Bypass Bounty

Threatpost for B2B - Fri, 02/14/2014 - 18:08

Microsoft has paid out another $100,000 bounty as part of its Security Response Center’s bounty program.

A researcher from Asia named Yang Yu was awarded the prize today for three mitigation bypass variants, Microsoft announced.

“This payout reflects the fact that we learned something new that will help us build more robust defenses, but it was built upon known mitigation bypass techniques,” a Microsoft spokesperson told Threatpost. Efforts to reach Yu in time for publication were not successful.

This is the second $100,000 bounty the program has paid out; more than $253,000 has been awarded to date since the program began last June 26.

The mitigation bypass bounty is one of three offered by Microsoft. It pays out up to $100,000 and rewards novel exploitation techniques against mitigations native to the latest version of Windows. Microsoft also awards the Blue Hat Bonus for Defense and previously offered the Internet Explorer 11 Preview Bug Bounty.

The Blue Hat Bonus for Defense pays up to $50,000 for defensive ideas that accompany a mitigation bypass; the IE bounty paid out up to $11,000 for critical vulnerabilities in the beta version of IE 11. That program closed July 27.

Little is known about Yu’s mitigation bypass. The previous $100,000 winner, James Forshaw, won his prize in October. He collected for a bypass he developed that eluded Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), two memory exploit defenses native to Windows.

Last year, Forshaw won the Java portion of the Pwn2Own contest at the CanSecWest conference with an exploit for a vulnerability in a trusted class in the Java framework. The exploit allowed him to bypass the sandbox and execute code remotely. That Java bug was patched in April with the release of Java 7u21 and the researcher explained in a blogpost shortly thereafter that his code allowed him to disable the security manager in Java and run malicious code as trusted.

According to Microsoft, bypass submissions must demonstrate a novel way of exploiting a remote code execution vulnerability in Windows and must be capable of exploiting an application that makes use of stack- and heap-corruption mitigations as well as code-execution mitigations. The bypass must also meet seven criteria: it must be generic in that it’s applicable to more than one memory corruption vulnerability; the exploit must be reliable and have reasonable requirements; it must be applicable to a high-risk application such as a browser or document reader; it must be applicable to user mode applications; it must also target the latest version of a Microsoft product; and it must be novel, Microsoft said.

New IE 10 Zero Day Targeting Military Intelligence

Threatpost for B2B - Fri, 02/14/2014 - 15:27

Attackers were able to compromise the U.S. Veterans of Foreign Wars’ website this week and serve up a previously unknown zero day exploit in Internet Explorer 10, and while motivation behind the campaign is still unclear, experts are speculating its aim was to procure military intelligence.

According to researchers at FireEye, the campaign, dubbed Operation SnowMan, follows in the footsteps of operations DeputyDog and Ephemeral Hydra, two campaigns that recently used IE zero days to carry out watering hole attacks, dropping remote access Trojans to take over machines.

While a number of retired military personnel use the site, VFW.org, active military personnel also frequent it, potentially putting sensitive military information at risk.

FireEye noticed the “classic drive-by download” style attack on Tuesday after discovering that an iframe had been appended to the beginning of the website’s HTML code. The iframe contains a corrupted Flash object that goes on to trigger the IE 10 vulnerability (CVE-2014-0322), a use-after-free bug in the browser.

From there the Flash file downloads an XOR-encoded payload from a remote server, decodes it and executes it.

According to FireEye, the payload starts off as a .JPG image; the .JPG is appended to the shellcode, which is executed to produce two files, sqlrenew.txt and stream.exe, before the latter is executed with a Windows API call.

Like DeputyDog, SnowMan deploys an HTTPS version of Gh0stRAT, a remote access Trojan that has been spotted connecting to some of the same IP addresses as DeputyDog. SnowMan can let the attacker modify one byte of memory at an arbitrary address, meaning it can also bypass ASLR (Address Space Layout Randomization) along with DEP (Data Execution Prevention), both security features in Windows.

A quintet of researchers – Darien Kindlund, Dan Caselden, Xiabo Chen, Ned Moran and Mike Scott – described the campaign on FireEye’s blog yesterday, acknowledging that the time frame of the attack, “amid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend,” could have helped the attackers.

Winter storm Pax forced much of the U.S. Capitol to shutter on Thursday, and Monday is, of course, a U.S. holiday, Presidents Day; that time lapse could give the attackers the window they need.

While the attack is targeted, Jerome Segura, a researcher with MalwareBytes, was able to reproduce the zero-day on Windows 7 in Internet Explorer 10 with the latest version of Flash Player today, showing how easy it may be for an attacker to replicate.

Users running IE 11 or using Microsoft’s Experience Mitigation Toolkit (EMET) are not at risk because the iframe will abort exploitation under those conditions. The attacker can easily diagnose whether the machine is running EMET by loading an XML string. If the parsed return code fails, it means EMET is not present and the attacker can proceed with the exploit.

According to FireEye, the threat has several connections to the DeputyDog and Ephemeral Hydra campaigns. All of them use a zero-day to deliver a RAT and use a 0x95-encoded payload, obfuscated by a .JPG extension, among other traits.

Additionally, there are a handful of infrastructure overlaps and connections between SnowMan, Ephemeral Hydra and DeputyDog, including similar domains and IPs. The code found in the Flash file and the way the shellcode is executed share similarities with those attacks as well, suggesting they may be intertwined.

Researchers at security firm Websense had also been looking into the zero day and published information about it shortly after FireEye on Thursday.

While Websense agrees with FireEye that the attack appears to have correlations with DeputyDog and EphemeralHydra, Websense claims it first saw it being used in exploits as far back as Jan. 20, about three weeks before FireEye noticed it.

Websense researchers Alex Watson and Victor Chin write that the attack could also be targeting the Groupement des Industries Francaises Aeronautiques et Spatiales (GIFAS), a French aerospace association.

According to the two, the exploit was at one point hosted and distributed via a (U.S.-based) site masquerading as GIFAS’ site, suggesting that the French group, or those visiting its website, may be a target in addition to those visiting the VFW website.

It’s a small difference but Websense’s analysis also notes that a malicious Shockwave file, not a Flash file, downloads the .JPG payload that leads to the attack.

Counting the U.S. military this week, FireEye points out that the threat actors have targeted a swath of industries with these attacks, including but not limited to law firms, NGOs, mining companies, Japanese firms and IT companies.

FireEye discovered the DeputyDog attack, which also targeted Internet Explorer (both 8 and 9) and delivered a payload via an image file, back in September. That attack targeted Japanese media and government outlets via a watering hole attack, dropping a McRAT variant onto compromised computers.

Ephemeral Hydra, which came to light in November, also dropped a McRAT variant, this time on a U.S.-based non-governmental organization, in order to secure “industry-specific intelligence.”

Microsoft has not yet issued an official security advisory about the vulnerability but it likely will soon, in addition to potentially releasing a workaround for IE 10 users. The company has announced it will not release an out-of-band patch for the vulnerability. Microsoft’s next scheduled Patch Tuesday update is March 11.

Microsoft acknowledged the vulnerability on Friday and, until the update, encouraged users to upgrade to IE 11.

“Microsoft is aware of limited, targeted attacks against Internet Explorer 10,” a Microsoft spokesperson said. “Our initial investigation has revealed that Internet Explorer 9 and Internet Explorer 10 are affected. We will take the necessary steps to protect customers; meanwhile, we recommend customers upgrade to Internet Explorer 11 for added protection.”

The news comes just a few days after Microsoft released February’s Patch Tuesday update, including the last-minute MS14-010 bulletin, which addressed 24 vulnerabilities in the browser.

Large List of FTP Credentials For Sale in Underground Forums

Threatpost for B2B - Fri, 02/14/2014 - 15:16

Hackers are targeting FTP upload sites with the hopes of redirecting victims to spam or even infecting webservers that rely on FTP applications for updates.

Hold Security reported yesterday it had secured a list of credentials for close to 7,800 FTP sites being circulated in cybercrime forums. The list includes high-profile targets all the way down to individual FTP servers that are exposed to the Internet and guarded only by default credentials, or access codes that have been stolen by botnets or other infections.

Founder and chief information security officer Alex Holden said he is unsure of the scale and damage of these attacks, or who might be behind them. A number of potential victims have been notified by Hold Security, Holden said.

“The signatures seem to be the same. Whether it’s a single group that has been doing this, or multiple groups, we don’t know,” Holden said. “We have been gathering information on the malware they distributed and with the malware, there is quite a bit of re-use and recycling. It’s hard to pinpoint it to a single group, especially if we don’t know the exact source of the data.”

Holden said there are two different attack vectors. First, hackers upload malicious PHP scripts to the FTP servers they have access to, hoping the FTP server is linked to a webserver that it feeds with content.

“Hackers cannot usually upload information to a website, but using FTP, they can upload [malware] and if there is a connection between FTP and the webserver, they can execute code and can actually take control over a webserver,” Holden said. “This is probably their end goal because the webserver gives them the ability to access data and the database.” Holden said the attackers have had limited success so far finding this type of connection.

The second exploit observed in these attacks is the uploading of HTML files onto the FTP server; if such a file is opened via a browser, which is often the default client for viewing files on an FTP server, it can redirect the victim to a hacker-controlled site. The files, Holden said, are named something innocuous, such as Pinterest, AOL, or something related to the victim’s company that would entice the victim to open the file. Holden said some victims have been redirected to malicious sites peddling prescription medication, pornography or even ransomware.

“This is why we think it may be more than one group,” Holden said. “There are different schemes going on.”

The list of FTP credentials has been compiled over some time and is being peddled recently on underground forums. PC World reported that the New York Times and UNICEF were among the high-profile victims; both have been notified and told the publication they were in the process of hardening their FTP servers.

Some others, worldwide, were also compromised, Holden said, but they are still in the process of notifying them. Holden said there were no major U.S. banks on the list, likely because FTP is not a secure means of file exchange and not used by financial organizations. He did say a number of media companies were on the list, however; companies in that industry are more likely to exchange graphics files over FTP.

Holden urges organizations to inspect their FTP deployments, scan them with antimalware agents and check for open deployments on the Internet.

Moon Worm Spreading on Linksys Home and SMB Routers

Threatpost for B2B - Fri, 02/14/2014 - 11:58

A self-replicating worm is spreading among a number of different Linksys home and small business routers.

Researchers at the SANS Institute reported the outbreak yesterday and have not been able to determine whether there is a malicious payload or whether the worm connects to a command and control server. Johannes B. Ullrich, chief technology officer at SANS, said the worm appears at the moment to be doing little more than scanning for other vulnerable routers and seeding itself.

“The vulnerability allows the unauthenticated execution of arbitrary code on the router. We haven’t published all the details about the vulnerability yet as it appears to be unpatched in many routers,” Ullrich said, adding that Linksys has been notified.

Ullrich said an Internet service provider in Wyoming alerted SANS to the unusual network activity and SANS researchers were able to capture samples of the worm in its honeypots.

The worm has been dubbed The Moon because of a number of lunar references in code strings that could be part of a command and control channel. SANS released an early list of routers that could be vulnerable depending on the firmware version they’re running: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, and E900.

After landing on the router, Moon connects to port 8080 and, using the Home Network Administration Protocol (HNAP) found in Cisco devices, requests a list of router features and firmware versions, Ullrich said. Once it learns what type of router it has infected, it exploits a vulnerable CGI script that allows it to access the router without authentication and begins scanning for other vulnerable boxes.

“There are about 670 different IP ranges that it scans for other routers. They appear to all belong to different cable modem and DSL ISPs. They are distributed somewhat worldwide,” Ullrich said. “We are still working on analysis of what it exactly does. But so far, it looks like all it does is spread (which is why we call it a worm). It may have a ‘call-home’ feature that will report back when it infected new hosts.”

It’s unclear what the payload is or whether it’s receiving commands, Ullrich said.

“We haven’t exactly worked out the command and control part yet. There is some evidence of at least a reporting feature,” he said. “It may make changes to DNS settings like a lot of other router exploits, but this is still work in progress.”

Changing the DNS settings on the router will redirect traffic to an attacker-controlled site or allow the attacker to monitor traffic in transit. Users may be compromised if they log heavy outbound scanning on ports 80 and 8080, or inbound connections on miscellaneous ports lower than 1024. Ullrich wrote on the SANS Internet Storm Center site that users can probe their router with:

 printf 'GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n' | nc routerip 8080

If an XML HNAP output is returned, then the vulnerability is likely present, Ullrich said.
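The same check in script form, as an added example that is not from the article or from SANS ISC: it sends the request line quoted above to a router you administer on port 8080 and parses the reply instead of eyeballing raw output. The probe_router() and looks_like_hnap() functions, the parsing logic and the sample replies are constructed here; the purenetworks.com HNAP1 namespace is the one HNAP devices normally use.

```python
"""Check whether a Linksys router answers the unauthenticated HNAP probe.

Added example (not code from Threatpost or SANS ISC). The request line and
port 8080 come from the article; everything else is constructed here.
"""
import socket
import sys
import xml.etree.ElementTree as ET

# The probe Ullrich published, byte for byte.
HNAP_REQUEST = b"GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n"


def split_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, body).

    Returns (None, b"") when the bytes are not an HTTP response at all.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None, b""
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None, b""
    try:
        return int(parts[1]), body
    except ValueError:
        return None, b""


def looks_like_hnap(raw: bytes) -> bool:
    """True when the reply is a successful response whose body is HNAP XML.

    A 401 or 404 means the interface asked for credentials or is absent, so
    the indicator described in the article (HNAP XML without authentication)
    is not present. Malformed XML and plain HTML pages are also rejected.
    """
    status, body = split_http_response(raw)
    if status is None or status >= 400:
        return False
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    # Namespaced tags look like "{http://purenetworks.com/HNAP1/}Name", so the
    # namespace check and the bare-tag check are both covered by substring.
    return any("HNAP" in elem.tag or "HNAP" in (elem.text or "")
               for elem in root.iter())


def probe_router(host: str, port: int = 8080, timeout: float = 3.0) -> bool:
    """Send the HNAP probe to a router you administer and classify the reply.

    Not exercised by the sample data below; requires network access.
    """
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(HNAP_REQUEST)
        try:
            while sum(len(c) for c in chunks) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # keep-alive server stopped sending; classify what we have
    return looks_like_hnap(b"".join(chunks))


# Constructed sample replies for offline use. The model name is one of the
# routers on the SANS list; the XML shape mirrors an HNAP SOAP envelope.
HNAP_REPLY = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">'
    b"<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>"
    b"<ModelName>E4200</ModelName>"
    b"</GetDeviceSettingsResponse></soap:Body></soap:Envelope>"
)
NOT_HNAP_REPLY = (
    b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>Not Found</body></html>"
)
HTML_200 = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>login</body></html>"
)

if __name__ == "__main__":
    for label, sample in (("hnap", HNAP_REPLY), ("404", NOT_HNAP_REPLY),
                          ("html", HTML_200)):
        print(f"{label}: indicator present = {looks_like_hnap(sample)}")
    if len(sys.argv) > 1:  # optional: probe one router you own
        print(f"{sys.argv[1]}: indicator present = {probe_router(sys.argv[1])}")
```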

Ullrich said that until Linksys-Belkin releases a patch or new firmware, users can turn off remote administration as a mitigation. Running the latest firmware is advised, but Ullrich said it is unclear whether that will help with this vulnerability until a patch is ready. Users may also limit access to the remote administration interface to specific IP addresses and change the port number of the administration interface to make it more difficult to find.

Certificates Spoofing Google, Facebook, GoDaddy Could Trick Mobile Users

Threatpost for B2B - Thu, 02/13/2014 - 17:21

Dozens of phony SSL certificates were discovered this week mimicking legitimate certs from banks, e-commerce sites, ISPs and social networks. If a user stumbled over one of the bogus certificates on a mobile device, it could put them at risk for a man-in-the-middle attack.

Disguised as official certificates from Google, Facebook, GoDaddy, YouTube and iTunes, just to name a few, the certs aren’t signed, so it’s unlikely they’ll dupe anyone using a conventional browser. Still, Netcraft, the British security firm that wrote about the fake certificates yesterday on its blog, is sounding the alarm for users who frequently access the Internet through apps or other non-browser software that may not check the legitimacy of SSL certificates.

While the attacker would have to be on either the same network as the victim, or sharing the same internet connection to carry out such an attack, that hasn’t stopped the certificates from spreading.

Netcraft broke down a handful of them, describing each one’s intentions Wednesday.

For starters, a Google certificate the firm found is being served by a machine in Romania and claims to have been issued by the America Online Root Certification Authority 42, a non-existent authority trying to pass itself off as America Online. Netcraft reasons that the certificate could be aimed at executing an attack against “a multitude of Google services.”

Another certificate was found impersonating GoDaddy’s POP mail server, something that according to Netcraft, could allow capturing mail credentials, issuing password resets and stealing sensitive data.

Elsewhere, a fake YouTube cert was spotted blocking access to the site for Pakistani citizens, a forged iTunes cert was discovered, potentially for use in a scam, and a fake Facebook cert was found redirecting users to a phishing site.

Netcraft notes that the Facebook app is safe from attacks using this particular fake certificate because it “properly validates SSL certificates and also uses certificate pinning to ensure that it is protected against fraudulently issued certificates.”

Netcraft also found fake certificates pretending to come from Russia’s second largest bank, Svyaznoy Bank, and a large Russian payment provider, KIWI International Processing Services.

Paul Mutton, an online security expert with Netcraft, points out several recent studies that suggest mobile websites may be more vulnerable to attacks using these vectors than previously thought.

Either a lack of certificate checks or broken SSL certificate validation has plagued Amazon’s EC2 Java Library, Amazon/PayPal’s merchant SDKs and shopping carts like osCommerce and ZenCart, along with Steam.

Netcraft also points out that 40 percent of banking apps recently tested by IOActive didn’t properly “validate the authenticity of SSL certificates” presented to the server, according to research last month, making them a prime target for man-in-the-middle attacks.

Man-in-the-middle attacks are a type of Internet-eavesdropping attack wherein the attacker can gain access to, send and receive data meant to be sent to someone else.

In these cases an attacker would be able to eavesdrop on either the network or the connection to communicate with the user’s mobile device and sniff online banking traffic or credentials before they’re sent along to their final destination.
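The non-browser failure mode described above comes down to two client-side checks being skipped: chain validation (which rejects the unsigned certificates Netcraft found) and hostname checking (which rejects a valid certificate for the wrong name), with certificate pinning as the extra layer the Facebook app is credited with. The following Python is an added example, not code from Netcraft or any of the apps named; it audits an `ssl.SSLContext` for those two weaknesses, shows the broken pattern beside the correct one, and adds a pin check on the presented leaf certificate. The sample DER bytes and the pin set are constructed stand-ins, and `open_pinned_tls` assumes the operator recorded the expected fingerprints in advance.

```python
"""Client-side TLS checks a non-browser app needs (added example, not Netcraft's code)."""
import hashlib
import hmac
import socket
import ssl


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the verification weaknesses of a client context (empty list = OK)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # CERT_NONE is the setting behind most "does not validate SSL" bugs:
        # an unsigned certificate claiming to be google.com is accepted as-is.
        problems.append("verify_mode is not CERT_REQUIRED: unsigned/forged chains accepted")
    if not ctx.check_hostname:
        # Chain validation alone is not enough: any CA-signed certificate for
        # any name would pass, so the subject must be checked against the host.
        problems.append("check_hostname is False: a valid cert for any name is accepted")
    return problems


def verifying_context() -> ssl.SSLContext:
    """What a client should use: CA verification plus hostname check."""
    return ssl.create_default_context()


def broken_app_context() -> ssl.SSLContext:
    """The pattern behind the broken apps and SDKs above (shown for comparison only)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be turned off before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # accept whatever the network hands us
    return ctx


def cert_pin_matches(der_cert: bytes, pinned_sha256_hex) -> bool:
    """Certificate pinning: compare SHA-256 of the DER leaf with the allowed set."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return any(hmac.compare_digest(digest, pin) for pin in pinned_sha256_hex)


def open_pinned_tls(host: str, port: int, pins, timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect with full verification, then enforce the pin on the presented leaf.

    `pins` is a set of hex SHA-256 fingerprints recorded in advance (assumption:
    the app ships them with its release; this is not any vendor's actual pin list).
    """
    ctx = verifying_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)  # handshake + chain + hostname
    except BaseException:
        sock.close()
        raise
    try:
        leaf = tls.getpeercert(binary_form=True)
        if not cert_pin_matches(leaf, pins):
            raise ssl.SSLCertVerificationError("leaf certificate does not match pinned fingerprint")
        return tls
    except BaseException:
        tls.close()
        raise


# Constructed stand-in for a DER certificate; not a real certificate.
SAMPLE_LEAF_DER = b"\x30\x82\x01\x00-constructed-sample-leaf"
SAMPLE_PIN = hashlib.sha256(SAMPLE_LEAF_DER).hexdigest()

if __name__ == "__main__":
    print("default context problems:", audit_client_context(verifying_context()))
    print("broken app context problems:", audit_client_context(broken_app_context()))
    print("pin matches:", cert_pin_matches(SAMPLE_LEAF_DER, {SAMPLE_PIN}))
```

Running the audit over every context an app creates is a cheap unit test that catches the "disable verification to make the error go away" commit before it ships. Pinning the whole leaf certificate (rather than its public key) is the simplest form and means the pin set must be updated whenever the server certificate is reissued.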

400 Gbps NTP Amplification Attack Alarmingly Simple

Threatpost for B2B - Thu, 02/13/2014 - 16:26

The largest distributed denial of service attack on public record was reported this week, and with it came many alarming numbers, not only in the volume of traffic generated (400 Gbps at its peak), but in the number of Network Time Protocol servers involved (4,592 on 1,298 networks) as well as the traffic each server directed to the victim (87 Mbps). The scariest number of all, however, may be the number 1.

“Remarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests,” said CloudFlare CEO Matthew Prince, whose company reported the attack on Monday against one of its customers, an unnamed organization in Europe.

The simplicity of the NTP amplification attack has potential targets on edge. U.S. banks have already had their share of angst dealing with DNS amplification attacks that disrupted services throughout last year in politically motivated attacks. And one year ago, a massive DDoS against spam blacklist provider Spamhaus topped out at 300 Gbps, to date the biggest firehose of traffic directed at one target.

The use of NTP amplification as a DDoS attack technique opens a number of possibilities for attackers to try their hand at exploiting weaknesses in other foundational protocols such as SNMP, which is used to manage network devices. Prince warned in a blogpost today that attackers are already testing those waters.

“If you think NTP is bad, just wait for what’s next. SNMP has a theoretical 650x amplification factor,” Prince said. “We’ve already begun to see evidence attackers have begun to experiment with using it as a DDoS vector. Buckle up.”

Prince told Threatpost on Tuesday that the large attack lasted a couple of hours and had been mitigated by late Monday. A large webhost based in France, OVH, was also a victim according to CloudFlare and Arbor Networks; it saw volumes of traffic approaching 325 Gbps, and other attacks starting last weekend against other targets in France hit up to 80 Gbps. OVH, Prince said, was also a principal source in the attack against its customer.

“At some level, stopping an attack like this requires having more resources than the attacker is able to muster,” Prince said. “NTP attacks are definitely on the rise. Because the amplification factor per misconfigured server can be 10x as large as a typical DNS amplification attack, they pose a significant risk.”

Prince recommended that network administrators test whether they’re running misconfigured NTP servers at the Open NTP Project website.

NTP is a protocol used to synchronize time on computer clocks; experts call it a set-and-forget feature on networks, but attackers have been able to ferret out a weakness in a feature called MONLIST, which returns the IP address of the last 600 machines interacting with an NTP server. Attackers exploiting the exposed feature are able to query NTP servers for traffic counts using the victim’s spoofed source address. In return, the response is much larger than the original request, and with enough vulnerable NTP servers returning requests, a website and/or services are quickly overrun with UDP packets over port 123. NTP servers that allow source IP address spoofing and do not follow BCP38, a standard that defines how to defeat IP source address spoofing, are liable to become sources of future DDoS attacks.

“I’d personally be curious to talk with whoever added MONLIST as a command to NTP servers,” Prince said. “The command seems of such little practical use — it returns a list of up to the last 600 IP addresses that last accessed the NTP server — and yet it can do so much harm.”

Prince said a fully populated NTP list can generate a response to a MONLIST request that is 206 times larger than the request.

“In the attack, since the source IP address is spoofed and UDP does not require a handshake, the amplified response is sent to the intended target,” Prince said. “An attacker with a 1Gbps connection can theoretically generate more than 200Gbps of DDoS traffic.”

A US-CERT advisory in January warned of the potential for harm from NTP amplification attacks; it recommends that publicly accessible servers move off vulnerable versions of NTP prior to 4.2.7. It is also possible to manually disable the MONLIST feature in NTP servers, which would mitigate attacks.

“NTP amplification can achieve as much as 10x the amplification factor of more common DNS reflection attacks,” Prince said. “This makes an improperly secured NTP server significantly more dangerous than an open DNS resolver.”
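The article's two mitigations, upgrading and disabling MONLIST, map onto two ntpd configuration settings: `disable monitor` turns off the monitoring facility that MONLIST reads from, and `noquery` (or `ignore`) on the `restrict default` lines refuses mode-7 queries from arbitrary sources. Either one closes the amplification vector. The Python below is an added example, not CloudFlare's or US-CERT's code or the Open NTP Project's checker; it audits an `ntp.conf` for both settings and reports which is missing. The three sample configurations are constructed for the example, and a version check against the advisory is deliberately out of scope since a configuration file cannot show it.

```python
"""Audit an ntp.conf for MONLIST exposure (added example; constructed samples)."""


def _statements(conf_text):
    """Yield the tokens of each configuration statement, dropping comments and blanks."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def monitor_enabled(conf_text):
    """ntpd enables the monitor facility by default; the last enable/disable wins."""
    enabled = True
    for tokens in _statements(conf_text):
        if len(tokens) >= 2 and tokens[1] == "monitor":
            if tokens[0] == "disable":
                enabled = False
            elif tokens[0] == "enable":
                enabled = True
    return enabled


def default_restrict_flags(conf_text):
    """Map address family ('-4', '-6' or 'both') to the flags on its 'restrict default' line."""
    flags = {}
    for tokens in _statements(conf_text):
        if tokens[0] != "restrict":
            continue
        rest = tokens[1:]
        family = "both"
        if rest and rest[0] in ("-4", "-6"):
            family, rest = rest[0], rest[1:]
        if rest and rest[0] == "default":
            flags[family] = set(rest[1:])
    return flags


def queries_refused_by_default(conf_text):
    """True only if both IPv4 and IPv6 defaults carry noquery or ignore."""
    flags = default_restrict_flags(conf_text)
    for family in ("-4", "-6"):
        effective = flags.get(family, flags.get("both"))
        if effective is None or not ({"noquery", "ignore"} & effective):
            return False
    return True


def monlist_findings(conf_text):
    """Human-readable list of the protections that are missing."""
    findings = []
    if monitor_enabled(conf_text):
        findings.append("monitor facility enabled: add 'disable monitor'")
    if not queries_refused_by_default(conf_text):
        findings.append("queries allowed from arbitrary sources: add 'noquery' to "
                        "'restrict default' for both address families")
    return findings


def monlist_exposed(conf_text):
    """The amplification vector is open only when both protections are absent."""
    return len(monlist_findings(conf_text)) == 2


# Constructed sample: monitor left on, and the default restriction lacks noquery.
EXPOSED_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer
restrict -6 default kod notrap nomodify nopeer
restrict 127.0.0.1
restrict ::1
"""

# Constructed sample: only one of the two protections applied (still not amplifying).
PARTIAL_CONF = EXPOSED_CONF + "disable monitor\n"

# Constructed sample: both protections in place.
HARDENED_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
disable monitor                                      # MONLIST now returns nothing
restrict default kod notrap nomodify nopeer noquery  # and nobody outside may ask
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("partial", PARTIAL_CONF), ("hardened", HARDENED_CONF)):
        print(name, monlist_exposed(conf), monlist_findings(conf))
```

Operators who also want to stop their networks being a source, per the BCP38 reference in the article, need egress filtering on the routers rather than anything in `ntp.conf`; this audit only covers the reflector side.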

Blog: Absolute Computrace: Frequently Asked Questions

Secure List feed for B2B - Thu, 02/13/2014 - 15:32

In response to numerous requests for comments and clarifications after our presentation at the Kaspersky Security Analyst Summit 2014, we have created this FAQ with some answers to the most commonly asked questions.

BlackBerry Releases Guidelines to Deter Privacy-Infringing Apps

Threatpost for B2B - Thu, 02/13/2014 - 15:09

Aiming to shore up user security, BlackBerry this week released a new set of privacy guidelines it’s encouraging third-party app developers to follow to better protect their customers.

The guidelines apply to customers’ personally identifiable information (PII) – the bits of information that apps collect from their users: names, email addresses, telephone numbers and the like – and how they’re used, stored and accessed.

The guidelines initially surfaced in an article last Friday on the company’s Developer Support forums but were revised Tuesday.

Addressing data collection, BlackBerry is stressing that apps should only collect user information when it’s reasonable to do so, and that developers should make clear to users what they are doing with that information via an easy-to-find privacy policy.

If the apps use third-party code, like an ad service for example, BlackBerry wants app developers to understand how it works and how it may directly affect user information. While BlackBerry assumes developers will follow any applicable privacy/data protection legislation, it is still stressing that they stay accountable for their users’ information and familiarize themselves with the law wherever the app is being downloaded and used.

If a user’s data is sent to an external server, BlackBerry encourages that it be encrypted on and off the phone and everywhere in between. If it must be transferred, BlackBerry is encouraging the app to use Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

The guidelines aren’t mandatory; the company still has its RIME Store Vendor Agreement and its BlackBerry World Vendor Guidelines for that. Instead, the new list is expected to be viewed as recommended best practices.

BlackBerry notes that app developers will bear final responsibility but acknowledges that complying with the principles will ensure the vendors’ apps will remain listed in the company’s recently re-launched online app store, BlackBerry World.

To compete with Google’s Play marketplace and Apple’s app store, BlackBerry rebranded its app store last week to include music and video offerings. The company even ditched the name it has used since 1985, Research in Motion (RIM), to fully embrace the BlackBerry brand.

With these guidelines however, the company is essentially telling its developers to do their due diligence to ensure they can find a balance between being transparent while adequately securing their users’ information.

To clarify exactly what user information (or PII) includes, BlackBerry gives a pretty extensive rundown, noting the data can include everything from a user’s passwords to geolocation data to phone call logs to calendar reminders.

While some of these suggestions may sound a bit obvious, especially for a company operating in the mobile security sphere, in BlackBerry’s defense, it’s not the first time the group has tried to lock down a uniform list of principles.

This week’s guidelines build off a blogpost written by Adrian Stone, BlackBerry’s Head of Security Response team, last summer. In that post, on the company’s Business Blog, Stone pointed out that users would see new privacy notices pop up from time to time warning them about any third-party applications that don’t properly address how the app accesses and uses the data.

While the group tasked with scouring BB code and keeping its products secure, BlackBerry’s Security Incident Response Team, still issues these alerts, it’s clear the company is looking to hold third-party developers to a higher standard and curb the number of alerts it sends going forward.

US Government Delivers Cybersecurity Framework for Critical Infrastructure

Threatpost for B2B - Wed, 02/12/2014 - 16:21

Critical infrastructure operators have been delivered a cybersecurity framework by the U.S. government that paints broad strokes as to how to defend IT and SCADA networks in some of the country’s most sensitive industries such as energy, water and financial services.

NIST today announced the Framework for Improving Critical Infrastructure Security, a 41-page document that is a collaborative effort between industry and government, a compilation of cybersecurity standards and practices which the standards body hopes private sector operators will consider as they build out security programs.

“While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” President Barack Obama said in a statement. “America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet.”

The framework is a deliverable coming out of Executive Order 13636, which was signed a year ago and directed critical infrastructure stakeholders to develop and deliver such guidance in conjunction with the government.

A number of executives from leading energy, financial and telecommunications firms praised the framework as an important baseline toward the establishment of new cybersecurity programs or the enhancement of existing efforts.

“The Cybersecurity Framework represents a comprehensive compendium of sound and effective cyber defense processes, practices, and protocols available today,” said Myrna Soto, senior vice president and CISO at Comcast Cable. “We will evaluate the Framework Core to assess whether it can be tailored and adapted to our business circumstances and network configuration, and possibly serve as a reference tool for managing the cyber risks and threats we face.”

The framework, NIST said, is a living document that helps an organization define its current and desired cybersecurity state, identify areas of need and how well it is progressing in that direction, and communicate to internal and external stakeholders about risks that threaten services. The framework is meant to be a companion to existing risk management procedures, the document says.

There are three parts to the framework:

  • The Framework Core establishes common outcomes, references and activities organizations can use to communicate desired states across an organization. According to the document, the Core has five functions: identify; protect; detect; respond; and recover from an incident, providing a high-level strategic outline for critical infrastructure operators.
  • Framework Implementation Tiers describe an organization’s current practices and help a security team determine whether current processes are risk aware, repeatable and adaptive enough to current threats.
  • The Framework Profile establishes the desired outcomes as they relate to business needs. The document says the profile is an alignment of standards, guidelines and practices to the Core for particular implementation scenarios.

“Each of the Framework components reinforces the connection between business drivers and cybersecurity activities,” the White House said in a statement. “The Framework also offers guidance regarding privacy and civil liberties considerations that may result from cybersecurity activities.”

Threats to critical infrastructure have been top of mind, and not necessarily because of their sophistication but because of the general disregard for information security built into SCADA and industrial control systems that manage critical infrastructure. Experts have made child’s play out of finding exposed systems online protected with default passwords, or critical gear running on out-of-date software making vulnerabilities trivial to exploit.

“Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property,” Obama said. “Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas.”

Dropbox Reports Fewer than 250 National Security Requests

Threatpost for B2B - Wed, 02/12/2014 - 13:30

Dropbox yesterday released a new set of principles that explain how it deals with government requests for customer data. The principles were a companion to its 2013 Transparency Report, which for the first time included National Security Letter requests made to the file hosting service.

“We believe everyone has a right to know how much information the government is seeking from online services,” said Dropbox legal counsel Bart Volkmer. “This lets users fight back against improper requests, helps prevent abuses of power, and allows for a more informed public debate.”

Large Internet services companies such as Dropbox recently won a reprieve from the government which eased a gag order on reporting of National Security Letters and orders from the secret Foreign Intelligence Surveillance Court under the Foreign Intelligence Surveillance Act (FISA). For months last year, Dropbox, Facebook, Google, Yahoo, Microsoft, LinkedIn and others argued that their inability to report on FISA orders and National Security Letters not only hurt their transparency efforts with users, but infringed on the respective companies’ First Amendment rights to free speech.

In a letter in late January, the Justice Department conceded, after negotiations and lawsuits filed on behalf of the tech companies, that they would now have two reporting options for FISA requests related to national security. In return, the companies dropped their suits.

Dropbox, like Twitter before it, gave the ruling a half-hearted clap.

“This is a step in the right direction. But it doesn’t go far enough, especially for services that receive only a handful of requests or none at all,” Dropbox’s Volkmer said. “We believe the public has a right to know the actual number of requests received and accounts affected, and we’ll continue to push to be able to provide this information.”

Under the first of the two reporting options available going forward, companies will be able to report the number of FISA orders for content and non-content, as well as the number of customer accounts affected by each, in bands of 1,000 requests. The reporting restrictions around National Security Letters were eased last summer, and companies are allowed to bundle that reporting similarly. Reports may be published every six months; however, reporting on national security orders issued against data collected by new company products and services must be delayed two years.

The second option allows companies to report all national security requests, NSLs or FISA orders, and the number of customer accounts affected with exact numbers up to 250 requests, and thereafter in bands of 250.

Dropbox reported that it received between 0 and 249 National Security Letters affecting a similar range of accounts.

As for law enforcement requests, Dropbox received 118 search warrants on 172 accounts; it produced content or subscriber information on 104 accounts, provided notice to the user in 42 cases, and five times it did not provide information. It also reported receiving 159 subpoenas on 401 accounts; Dropbox did not turn over any content, but in 155 cases either provided subscriber information or gave notice to the user. In 28 cases, no information was provided.

Analysis: Absolute Computrace Revisited

Secure List feed for B2B - Wed, 02/12/2014 - 06:00

The current report is a return to the problem of security mechanisms implemented in modern anti-theft technologies that reside in the firmware and PC BIOS of commonly used laptops and some desktops.

CoinThief Bitcoin Trojan Found on Popular Download Sites

Threatpost for B2B - Tue, 02/11/2014 - 19:01

Phony Bitcoin ticker apps hosted on popular sites Download.com and MacUpdate.com are fronts for the OSX/CoinThief Trojan, which was built to steal Bitcoin wallet credentials and keys, and to date has drained a small number of accounts.

SecureMac lead developer Nicholas Ptacek said new variants of the Trojan targeting Mac OS X users were found on the sites and also include a browser extension for Firefox. Previous versions of CoinThief spread through a GitHub page that has since been taken down and included extensions for Safari and Google Chrome only.

The price ticker apps for Bitcoin and Litecoin are called Bitcoin Ticker TTM (To The Moon) for Mac and Litecoin Ticker. Both have been available on the sites since December; the app on Download.com was downloaded 57 times and the MacUpdate app was downloaded 356 times, Ptacek said. While the Download.com link is still available, the link on MacUpdate was disabled by the site, Ptacek said.

Efforts to contact Download.com were unsuccessful, Ptacek said.

“The two variants seen by SecureMac share the same name and developer information as two apps found in Apple’s Mac App Store,” Ptacek said. “At this time it is unclear what, if any, connection is shared between the apps. Initial analysis of the Mac App Store versions of the apps did not include the malicious payload found in the versions from download.com.”

The previously discovered versions of CoinThief installed browser extensions for Safari and Chrome that monitored browser traffic and watched for log-in attempts on pre-loaded Bitcoin exchanges such as Mt. Gox and BTC-e, and wallet sites such as blockchain.info. The extensions, meanwhile, are generically named “Pop-up Blocker,” and arrive with an equally generic description that wouldn’t raise suspicions with the user or security researchers.

Aside from the Firefox extension in this variant, the payload is similar, Ptacek said. In addition to sniffing out log-in attempts, it also targets and tries to modify Bitcoin-Qt, stealing addresses and private keys from the sync client.

“This variant actually appears to be an earlier build of the malware, as it is missing much of the code obfuscation employed in the variant we previously analyzed,” Ptacek said.

Two days ago, SecureMac reported its discovery of CoinThief on GitHub. Researchers found StealthBit, which pretended to be an app used to send and receive payments on Bitcoin Stealth Addresses. The attackers hosted source code and a pre-compiled version of StealthBit on the code repository; the two, however, did not match. The pre-compiled app contained the CoinThief malware, which was not present in the source code. Ptacek said the malware connected to a remote server where it sent stolen data.

“Information sent back to the server isn’t limited to Bitcoin login credentials, but also includes the username and UUID (unique identifier) for the infected Mac, as well as the presence of a variety of Bitcoin-related apps on the system,” SecureMac said on its site on Monday.

Ptacek said the remote server was registered in Australia via bitcoinwebhosting[.]net, but appeared to be hosted elsewhere. The remote server was located at www[.]media02-cloudfront[.]com, with a current IP address of 217[.]78[.]5[.]17, but it appears to be down at this time, Ptacek said.

Facebook Fixes Instagram CSRF Vulnerability to Keep Private Profiles Private

Threatpost for B2B - Tue, 02/11/2014 - 18:03

Until last week, some parts of the API that Instagram uses were vulnerable to a cross-site request forgery (CSRF) attack, something that could have put photos users thought were private, out in the open.

It took almost six months but Facebook, the photo sharing application’s parent company, patched the flaw last Tuesday.

Barcelona-based security researcher Christian Lopez Martin, who found the vulnerability last August and detailed it on his personal blog yesterday, claims he almost didn’t catch it at first.

Martin initially scoured the application’s website looking for bugs but couldn’t find a vector that allowed him to inject code. It wasn’t until Martin started to root around the app’s mobile versions that he realized a big difference between the way the two handle privacy. The Android and iOS apps allow users to select whether or not their images are kept private while the website does not.

Martin, who spent most of his time trying to break the Android version of the popular app, discovered that when a person goes to change their privacy settings on Instagram, its API doesn’t control the user agent of the user’s request. Requests like setting a user’s profile to public (set_public) or private (set_private) did not use a security token.

Of course, when sites use security measures like secret, user-specific tokens, it can usually help thwart attacks, especially those of the CSRF variety.

To test, Martin wrote a simple CSRF proof of concept to exploit the weakness on the web. By simply getting a user who was logged in via a browser, and whose profile was private, to click on a payload, Martin could make that user’s profile public. Martin claims he “wanted more” though, and with an easy tweak was able to reverse his code, replacing “set_public” with “set_private,” making it so he could set any user’s profile that was public to private.

It took a lengthy e-mail chain between Martin and officials at Facebook and Instagram but the matter was finally resolved on February 4 last week.

Facebook has made it so that going forward any attempts to use this attack vector will result in “Fail, Login_Required,” according to the researcher.

“All new sessions are differentiated between mobile and web at login time so the web-based sessions have full CSRF protection enabled using secret security tokens and the mobile-based sessions have CSRF protection using user-agent control and a reCAPTCHA that forces the user (victim) to interact with the mobile user interface.”

While Martin received a bug bounty from Facebook for his troubles in December, he discovered a potential way to bypass Facebook’s fix in January. Having obviously formed a rapport with the researcher, a week and a half later, Facebook wrote Martin back, confirming the hole had finally been patched, closing his report.
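The flaw above is the textbook CSRF shape: the set_public/set_private endpoints accepted any request that carried the victim's session cookie, and the browser attaches that cookie to a form submitted from an attacker's page. The token fix works because the attacker's page cannot read a secret that the legitimate settings page embeds. The Python below is an added example, not Instagram's or the researcher's code; it models the vulnerable handler beside a token-checked one and simulates both a cross-site submission and a genuine one. The session cookie, user names, `ProfileAPI` class and `SERVER_SECRET` are all constructed for the example; the "Fail, Login_Required" status string is the one the researcher reported seeing after the fix.

```python
"""Forgeable profile-privacy endpoint beside its token-protected form (added example)."""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # constructed; a real app loads this from config


class Request:
    """Minimal stand-in for an HTTP request: the session cookie the browser attaches
    automatically, plus the form fields that the submitting page controls."""

    def __init__(self, session_cookie, form=None):
        self.session_cookie = session_cookie
        self.form = form or {}


def csrf_token_for(session_id: str) -> str:
    """Per-session secret token; HMAC-derived so the server stores nothing extra."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id: str, presented) -> bool:
    """Constant-time comparison; a missing or non-string token never validates."""
    if not isinstance(presented, str) or not presented:
        return False
    return hmac.compare_digest(csrf_token_for(session_id), presented)


class ProfileAPI:
    def __init__(self):
        self.sessions = {"sess-victim": "victim"}   # cookie -> user (constructed)
        self.privacy = {"victim": "private"}

    def set_privacy_vulnerable(self, req: Request, value: str) -> str:
        """The original behaviour: a valid session cookie is the only check."""
        user = self.sessions.get(req.session_cookie)
        if user is None:
            return "Fail, Login_Required"
        self.privacy[user] = value
        return "OK"

    def set_privacy_fixed(self, req: Request, value: str) -> str:
        """Web-session fix: additionally require a token the attacker's page cannot read."""
        user = self.sessions.get(req.session_cookie)
        if user is None or not token_valid(req.session_cookie, req.form.get("csrf_token")):
            return "Fail, Login_Required"
        self.privacy[user] = value
        return "OK"


def simulate_cross_site_post(handler_name: str) -> tuple:
    """A page on another origin submits a form to the privacy endpoint.  The victim's
    browser attaches the session cookie, but the same-origin policy keeps that page
    from reading the victim's token, so the form arrives without one."""
    api = ProfileAPI()
    forged = Request("sess-victim")   # cookie present, no csrf_token field
    status = getattr(api, handler_name)(forged, "public")
    return status, api.privacy["victim"]


def simulate_legitimate_post(handler_name: str) -> tuple:
    """The real settings page embeds the token it received from the server."""
    api = ProfileAPI()
    genuine = Request("sess-victim", {"csrf_token": csrf_token_for("sess-victim")})
    status = getattr(api, handler_name)(genuine, "public")
    return status, api.privacy["victim"]


if __name__ == "__main__":
    print("vulnerable, cross-site:", simulate_cross_site_post("set_privacy_vulnerable"))
    print("fixed, cross-site:     ", simulate_cross_site_post("set_privacy_fixed"))
    print("fixed, legitimate:     ", simulate_legitimate_post("set_privacy_fixed"))
```

Deriving the token from the session id with an HMAC avoids storing a second secret per session, but it also means a leaked `SERVER_SECRET` lets anyone mint tokens, so rotate it like any other signing key. A User-Agent check, as in the mobile-session part of the fix, is a weaker control on its own because a cross-site request from a mobile browser carries a mobile User-Agent too.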

Encryption at Times a Detriment to Honest Policing

Threatpost for B2B - Tue, 02/11/2014 - 15:49

PUNTA CANA – The use of surveillance tactics by law enforcement in the performance of precisely targeted criminal investigations is still widely accepted and supported by much of the global public. The water gets murky and support evaporates altogether when allegations emerge that law enforcement is deploying blanket-style surveillance to spy on everything everywhere all the time.

This line of reasoning is widely held on both ends of the spectrum. On the one end, cryptography expert and privacy advocate Bruce Schneier said as much – though certainly not for the first time – in a panel discussion at Kaspersky Lab’s Security Analyst Summit (SAS) yesterday. Way on the other side of the spectrum, General Keith Alexander, the director of the National Security Agency and supervisor of what may be the most thorough surveillance apparatus ever conceived, echoes the same sentiment nearly every time he is asked to speak about his agency’s surveillance efforts.

Troels Oerting is the head of the emerging European Cybercrime Centre (EC3), a joint cybercrime task force under the authority of Europol, and he said essentially this in a briefing at the Kaspersky Lab Security Analyst Summit as well. Where Oerting differs from nearly everyone, though, is that he was forthright enough to say that he is concerned about encryption.

As companies react to surveillance revelations, he said, they are increasingly adopting strong encryption and making it harder for people of his ilk to do honest, well-meaning police work.

Unfortunately, he explained, we live in an increasingly complicated world. Within five years, he went on, there will be some 40 billion devices transmitting various sorts of information about us over the Internet. As the concept of cybercrime as a service has emerged, the barrier for entry into cybercrime has lowered significantly and the ease with which almost anyone can make illicit money online has increased dramatically.

IPv6 is unimaginably massive and will only complicate matters further. The number of things that can connect into this new Internet with unique IP addresses is so vast that Oerting attempted to demonstrate by counting on his fingers the number of times he would need to multiply one billion by one billion in order to arrive at the exponentially dizzying number.

Admitting that the police can’t combat cybercrime alone, he asked the audience who is in charge of the Internet. Attendees called out all the usual suspects: the United States, the National Security Agency, the users. But the reality, Oerting claims, is that the Internet Corporation for Assigned Names and Numbers (ICANN), the non-governmental organization tasked with assigning IP addresses to machines and Web properties, wields the most power.

Behind one domain, he said, you can park tens of thousands of IP addresses. This makes the work of law enforcement incredibly difficult and is among the reasons why law enforcement must rely on cooperation from ICANN to sort out what data belongs to which people.

“I don’t believe we can protect ourselves out of this,” he said. “We need to hunt down the wolves.”

He went on:

“We like to put people in jail, because this is our job.”

The EC3 is a work in progress. It is designed to be a joint cybercrime task force with various national, private, and academic partners in the Internet security and finance sectors. Its expansion is well under way, but its efforts to prevent, protect, disrupt, and recover against intrusions, financial theft, and child pornography will kick off in earnest sometime in the next two years.

Six countries will allocate resources to the EC3, likely with help from the FBI. The EC3, he said, will create and pursue its own cases and investigations, utilizing intelligence gathering and sharing to pro-actively fight cybercrime.

In terms of cybercrime, Oerting suggested that there is no such thing as too much law enforcement. He brushed off the idea that there would be investigational competition between Europol and Interpol, telling the audience that there is more than enough cybercrime for all law enforcement agencies to share.

Oerting’s presentation painted a grim picture of the challenges that law enforcement faces in the cyber space, but he is ultimately optimistic:

“We will get it right,” he said, “and humanity will survive the Internet.”
