We are one day in and Apple’s sleek new mobile operating system, iOS 7, has been dissected to death – the colors, the similarities to Android’s OS, the amount of time it took some users to download the update from Apple’s servers. Those talking points aside, the update also brought a slew of bug fixes, 80 in total, to devices that should appease Apple users with security concerns.
The update fixes a handful of issues, most which could lead to a denial of service attack or trigger unexpected application termination or arbitrary code execution on devices like an iPad, iPod Touch or iPhone running an out of date OS.
Some of the bigger flaws addressed involve two fixes for passcode bypass flaws, one (CVE-2013-0957) that could’ve allowed an attacker to break an app in the third-party sandbox and determine the user’s passcode and a second (CVE-2013-5147) that exploited the way the iPhone handled calls to bypass the screen lock in iOS 6.1.
Another similar data privacy bug could have allowed an attacker to intercept user credentials by compromising a TrustWave certificate (CVE-2012-5134). TrustWave issued and subsequently revoked the faulty sub-CA certificate.
Four Safari bugs were also addressed in yesterday’s update, including a problem where the browser’s history was still visible even after it was cleared and a problem stemming from a memory corruption issue in the way it handled XML files and a cross-site scripting flaw on sites that allow users to upload files.
The oldest bug in the batch appears to be a kernel issue from 2011 discovered by Marc Heuse where-in an attacker could have sent specially crafted IPv6 packets to an iPhone 4 and caused a high CPU load. While the bug is known as CVE-2011-2391 in the Common Vulnerabilities and Exposures database, the CVE warns the attached date does not necessarily reflect when the vulnerability was discovered.
Several vulnerabilities from 2012 are also addressed in the update, all involve fixing arbitrary code execution bugs in the libxml and libxslt libraries.
While not discussed in the update notes, iOS 7 also fixes a previously disclosed “USB charger” bug that surfaced in August that allowed hackers complete access to devices via a modded charger. Apple spokesman Tom Numayr confirmed last month that iOS 7 would give users the choice whether or not they want to trust the computer their device has been connected to.
Those interested in the full rundown of security fixes can head to Apple’s Mailing Lists email, posted yesterday.
A researcher has discovered a privacy bug in the Facebook Android app that enables an attacker to view and download any images that a user sends to Facebook. The problem derives from the fact that the app, along with the official Facebook Messenger app for Android, don’t send those images over HTTPS, even though the apps are meant to do so.
The researcher, Mohamed Ramadan, reported the vulnerability to Facebook in February, and the company fixed the issue, Ramadan said. The bug affected the official Facebook and Facebook Messenger apps for Android, both of which are designed to send requests via a secure HTTPS connection. However, Ramadan found that in some cases the apps would send requests to the Facebook servers over plain HTTP. Specifically, he noticed that it happened when uploading photos.
What that means is that an attacker who is able to capture a target’s wireless traffic would be able to grab whatever images the target is uploading. The attacker could then do whatever he chooses with the photos.
“I found that the official Facebook Messenger and Facebook app for android latest version are sending and receiving images using HTTP protocol and any one on the same wireless network can sniff my traffic and view all images or even replace it with his own images,” Ramadan said in his report to Facebook.
Facebook took a month or so to respond to the report, Ramadan said, but when they did, they said that the security team had been able to reproduce the bugs and was going to pay Ramadan $1,500 as part of its bug bounty program. A nice reward for a bit of security research. But then, a short while later, the Facebook security team got in touch again to say that it was adding $500 to the bounty because Ramadan had reported both the Messenger and regular app bugs.
The Android Facebook apps have been updated to fix this issue, and Ramadan said he recommends that users install the updates to avoid running into a problem with their private photos ending up in the wrong hands.
“It is time to update your Facebook apps right now, if you are a bit lazy like me and forget to update android apps then UPDATE NOW!” he said.Image from Flickr photos of mkhmarketing.
Two dozen major U.S. and European banks are in the crosshairs of the Shylock, or Caphaw, financial malware of late, and victims who trade with one of the 24 financial institutions are at risk of giving up their credentials and losing assets in their accounts.
Malware researchers have noticed a rise in infections of late; the malware has been in circulation since 2011, however. While the initial infection point is unknown, the malware is adept at hiding its tracks. It uses a Domain Generation Algorithm to route phone-home traffic through a number of IPs created using self-signed SSL certificates.
“This limits the ability of traditional network monitoring solutions to dissect the packets on the wire for any malicious transactions,” said Zscaler researchers Sachin Deodhar and Chris Mannon in a blogpost today. Most of the infections, they said, are happening in the U.K., Italy, Denmark and Turkey.
DGA has been used previously by other malware families to disguise themselves from detection services and software. Domain generation algorithms periodically generate and test new domain names and determine whether a command and control server responds to a request. Static reputation servers that maintain lists of C&C domains don’t fare well against DGA. On the attacker’s end, by using DGA, they don’t need to manage a command and control infrastructure of servers that can be targeted by researchers and law enforcement for takedown.
Botnets and malware families such as PushDo, Zeus and TDL/TDSS also use DGA to attack financial customers, send spam or assist in targeted attacks against government, military and political organizations.
Shylock has been modified many times, adding features that help it slip past security detection software and services and frustrate researchers trying to analyze it. It has also added features such as webinjects to help it install malware on compromised machines on the fly, and plug-ins that help it spread over Skype instant messages.
“Administrators should view this transaction as a starting point for their investigation into any suspicious activity,” the researchers wrote. “It is not a malicious service, but illustrates how malware writers can leverage even legitimate services.”
Experts speculate that an exploit kit is serving up the latest Caphaw infections and exploiting vulnerabilities in Java to get onto a victim’s machine. It then drops an executable that varies for every infection, putting a damper on the ability to detect infections.
“The large number of potential rendezvous points with randomized names makes it extremely difficult for investigators and law enforcement agencies to identify and take down the CnC infrastructure,” the Zscaler researchers wrote. “Furthermore, by using encryption, it adds another layer of difficulty to the process of identifying and targeting the command and control assets.”
To date, Zscaler has found 64 Caphaw samples and 469 IP addresses making a call to a DGA location.
The malware does what it can to survive and persist on a machine; it can determine whether it’s being executed in a virtual machine and whether the host is online. If either fails, the malware will not execute. To maintain persistence, it creates an autorun registry entry and augments system processes to hinder its removal, the researchers said.
The researchers provided the list of 24 banks being targeted:
- Bank of Scotland
- Barclays Bank
- First Direct
- Santander Direkt Bank AG
- First Citizens Bank
- Bank of America
- Bank of the West
- Sovereign Bank
- Co-operative Bank
- Capital One Financial Corporation
- Chase Manhattan Corporation
- Citi Private Bank
- Comerica Bank
- E*Trade Financial
- Harris Bank
- Intesa Sanpaolo
- Regions Bank
- Bank of Ireland Group Treasury
- U.S. Bancorp
- Banco Mercantil, S.A.
- Varazdinska Banka
- Wintrust Financial Corporation
- Wells Fargo Bank
LinkedIn on Tuesday joined the fray of Internet companies requesting permission from the Foreign Intelligence Surveillance Court to publish data on the number of National Security Letters it receives.
Unlike Google, Microsoft and others that have petitioned the FISA court to lift its ban on the sharing of NSL data, LinkedIn does not offer Web-based email or storage service for its members and therefore does not store the same types of data on individuals that might interest the National Security Agency and the FBI. However, with the NSA’s stated ability and desire to map phone call metadata in order to connect and locate individuals who could be a threat to national security, LinkedIn’s similar mapping between its 238 million members’ professional careers could be of interest to the court.
In the meantime, the company was busy filing not only an amicus brief with a California appeals court, but also fired off letters to the FISA court, FBI, and its users explaining its desire for transparency, a public hearing with the FISA court, and calling the ban on sharing NSL data unconstitutional.
Companies and individuals are barred by the FBI from confirming they’ve even received a National Security Letter, much less publicly revealing in aggregate how many requests have been made by the government. LinkedIn, similarly to Google and others in past motions, said the ban violates the company’s First Amendment rights to free speech and hinders their ability to maintain a trustworthy relationship with users with regard to government access to their data. Requests for additional transparency bubbled to the surface shortly after the Snowden documents were leaked exposing the depths of surveillance activity carried out by the NSA and the access the spy agency has to individuals’ data stored by Internet companies.
“This secretive environment and the information the government has shrouded also invites unfounded speculation that American Internet companies are part of the expansive government surveillance activities,” LinkedIn wrote in its amicus brief. “Such public misperception can have devastating effects on those companies’ reputations and can eviscerate the trust and transparency that they have worked so hard to develop with their users.”
The government, meanwhile, has proposed that companies be allowed to report NSL numbers in ranges of 0-1,000. LinkedIn fought back, stating that approach would not work for smaller companies that would not potentially receive thousands of requests for NSLs because it would create the impression that the number of NSLs would be more substantial than reality. It offered the example where a company could receive 10 requests but would be able to report that number only within a range of 0-1,000.
“The information permitted under these measures would be misleading, would distort the public’s understanding of the actual number of government requests received, would reduce rather than increase transparency, and would deplete rather than enhance trust in the companies, the industry and the government,” LinkedIn wrote.
LinkedIn also called upon the FISA court to uphold a district court ruling calling the ban on revealing NSL data unconstitutional. In two cases, single individuals in New York and Northern California were granted permission to publicly say they were handed National Security Letters.
“When one individual receives a National Security Letter, they have a First Amendment right to speak about that fact under certain conditions,” said Brett Max Kaufman, a lawyer with the American Civil Liberties Union (ACLU). “At a global level, it’s very clear that LinkedIn has a parallel interest in being able to speak about an entire group of individuals whose information is affected by these requests.”
LinkedIn, meanwhile, published a transparency report yesterday, reporting that it fielded 83 government requests for member data in the first half of 2013, 70 of those from the United States impacting 84 member accounts. LinkedIn reported that it provided data in 57 percent of those requests and 49 percent overall. Again, the number of NSL requests are not included in those totals.
“I believe these companies are absolutely sincere with these filings. LinkedIn has likely been involved in contentious negotiations with the government over the summer,” Kaufman said. “I think we can take their word for it that they are committed to their principles and feel strongly as a company that releasing this information would not damage national security.”
A newly declassified opinion from the Foreign Intelligence Surveillance Court from this summer shows the court’s interpretation of the controversial Section 215 of the USA PATRIOT Act that’s used to justify the National Security Agency’s bulk telephone metadata collections, and reveals that none of the companies that have been served with such orders has ever challenged one.
The opinion, which is one of just a handful of such documents to be made public in the last few months as the leaks of the NSA’s collection and cryptographic capabilities have continued to mount, lays out much of the court’s thinking and reasoning for continuing to grant the agency permission to gather telephone metadata on hundreds of millions of Americans. And what it shows is that the court’s ability to impose restrictions on the NSA’s collection and analysis methods is severely restricted by legal precedent.
The FISC opinion was written by Judge Claire V. Eagan and in it she explains that previous Supreme Court decisions have laid the legal groundwork that the NSA uses today to defend against accusations that its collection methods violate the Fourth Amendment protections against unreasonable search and seizure or that the collection violates a reasonable expectation of privacy regarding phone communications. In Smith v. Maryland, the Supreme Court ruled that people have no reasonable expectation of privacy with phone calls, because the phone company has equipment to record those calls and the numerical data related to them.
That reasoning is still used to underpin the NSA’s metadata collection, using the argument that if one person doesn’t have such protection under the Fourth Amendment, then neither does a large group of people.
“Put another way, where one individual does not have a Fourth Amendment interest, grouping together a large number of similarly situated individuals cannot result in a Fourth Amendment interest springing into existence ex nihilo,” the opinion says.
But perhaps the most interesting part of the opinion is the portion that explains the way that Section 215 is applied to the NSA’s metadata collection activities. In the opinion, Eagan contrasts Section 215 with a portion of the criminal code called the Stored Communications Act. That section includes some language that requires the government to provide “specific and articulable facts” to support its need for records or other information in a criminal investigation. That clause is not included in Section 215, and in fact only requires a statement of facts about the terrorism investigation in question.
“In enacting Section 215, Congress removed the requirement for ‘specific and articulable facts’ and that the records pertain to ‘a foreign power or an agent of a foreign power.’ Accordingly, now the government need not provide specific and articulable facts, demonstrate any connection to a particular suspect, nor show materiality when requesting business records under Section 215. To find otherwise would impose a higher burden–one that Congress knew how to include in Section 215, but chose to dispense with,” the opinion says.
In other words, Section 215 is written and interpreted in such a way so as to allow the NSA’s bulk metadata collection methods and to severely limit any challenges to it, so long as the agency is following the minimization and other guidelines set forth. Eagan’s opinion also makes it clear that the only legal challenges to this section can come from the companies on which the orders are served, and not from individuals whose records may be included. However, not one company has ever raised such an objection.
“To date, no holder of records who has received an Order to produce bulk telephone metadata has challenged the legality of such an Order. Indeed, no recipient of any Section 215 Order has ever challenged the legality of such an order, despite the explicit statutory mechanism for doing so,” Eagan’s opinion says.
Image from Flickr photos of Cameron Russell.
The Mozilla Foundation released Firefox 24 yesterday, issuing 17 security patches for the browser. Seven of the bulletins received the highest, critical impact rating, four are considered high impact advisories, the second most severe rating, and the remaining six are of moderate impact.
Mozilla’s patch contained more total and critically rated advisories than any other since January.
According to Mozilla’s security advisories, critical impact bugs are those that give attackers the ability to run code or install malicious software with no user interaction beyond typical browsing:
The first critical advisory, MFSA 2013-92, resolves a garbage collection hazard with default compartments and frame chain. The bug, which could be exploited to establish a use after free scenario, was uncovered by a security researcher operating under the handle Nils and a Mozilla developer named Bobby Holley.
MFSA 2013-90 is a pair memory corruption bugs also reported by Nils. The first led to a use after free condition while scrolling through an image document and the second had to do with nodes in a range request being added as children of two different parents.
Security researcher Aki Helin reported found that combining lists, floats, and multiple columns could trigger an exploitable buffer overflow, which mozilla fixes with MFSA 2013-89.
Using the address sanitizer tool, researcher Scott Bell discovered a use-after-free condition after destroying a <select> element form. If MSFA 2013-81 goes unpatched, it could lead to a potentially exploitable crash.
Chrome security team member Abhishek Arya found a crashable use-after-free problem (MSFA 2013-79) in the Animation Manager while also using the address sanitizer tool.
MSFA 2013-78 patches an integer overflow bug, discovered by Alex Chapman, in the Almost Native Graphics Layer Engine (ANGLE) library that Mozilla uses. The vulnerability existed because “of insufficient bounds checking in the drawLineLoop function, which can be driven by web content to overflow allocated memory, leading to a potentially exploitable crash.”
The last critical impact bulletin, MSFA 2013-76, fixes a handful of memory safety hazards uncovered by Mozilla developers.
Moderate impact bugs are high of critical impact bugs that an attacker could only exploit under uncommon circumstances when a user is running non-default configurations. Mozilla’s fixes for these bugs are as follows: user-defined properties on DOM proxies get the wrong “this” object, WebGL Information disclosure through OS X NVIDIA graphic drivers, uninitialized data in IonMonkey, same-origin bypass through symbolic links, NativeKey continues handling key messages after widget is destroyed, and improper state in HTML5 Tree Builder with templates.
Is it so outlandish anymore to consider that an attacker interested in military, political or corporate espionage would be able to infiltrate a supply chain and drop malware onto an integrated circuit? Evidence of hardware-based Trojans is anecdotal at best, and experts believe a change in motherboard circuitry or wiring, for example, would be detectable either via visual inspection or in comparison to a gold copy of the hardware in question.
However, given that documents leaked by NSA whistleblower Edward Snowden intimate the U.S. spy agency was working with chipmakers and placing backdoors into hardware bound for foreign targets, the once-outlandish doesn’t seem so outrageous anymore.
And now, an international team of researchers may have upped the ante on hardware-based attacks. In a recently published paper, they describe how they are able to modify a circuit with malware and yet, to detection mechanisms, the circuit appears to be pristine.
“Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against ‘golden chips,’” the team—Georg T. Becker, Francesco Rgazzoni, Christof Paar and Wayne P. Burleson—wrote in its paper.
Dopant is a material that is added to semiconductor material that enables it to be electrically conductive. The researchers tested their stealthy Trojan on Intel’s random number generator design used in Ivy Bridge processors, as well as in a side-channel resistant SBox implementation.
While there is relatively little research available on hardware Trojans, the team dove into its research understanding that a jump in outsourcing—circuits are often designed in one location, likely built offshore, and then packed and distributed by more external parties—damages trust in the security of circuits.
“Even if chips are manufactured in a trusted [fabrication], there is the risk that chips with hardware Trojans could be introduced into the supply chain,” the researchers wrote. “The discovery of counterfeit chips in industrial and military products over the last years has made this threat much more conceivable.”
Some existing work on hardware Trojans, done mostly in academic settings, introduce malware at the hardware layer. This generally happens in a foundry setting where an attacker would have access only to layout masks; this limited access makes these types of attacks impractical because additional space is required for the malicious circuit and connections and would be easy to detect. Attacks using dopant have also been tried before where the concentration of dopant is changed to age the circuit, eventually causing it to fail. However, the researchers point out that approach is impractical because it’s impossible to predict when the circuit would fail and cause a denial-of-service condition.
The researchers said their approach is more realistic because it is done by modifying the polarity of the dopant, which can be done at a foundry setting, and still resist optical inspection and go undetected.
“A dedicated setup could eventually allow one to identify the dopant polarity. However, doing so in a large design comprising millions of transistors implemented with small technologies seems impractical and represents an interesting future research direction,” the paper said. “We exploit this limitation to make our Trojans resistant against optical reverse-engineering.”
“To the best of our knowledge, our dopant-based Trojans are the first proposed, implemented, tested, and evaluated layout-level hardware Trojans that can do more than act as denial-of-service Trojans based on aging effects.”
The paper explains in great detail how the researchers attacked the Intel Ivy Bridge processors and pulled off a side channel attack that leaked secret keys from the hardware.
Ivy Bridge generates unpredictable 128-bit random numbers for the security of transactions. The researchers were able to get their Trojan onto the processor at the sub-transistor level to compromise the security of the keys generated with its random number generator.
“Our Trojan is capable of reducing the security of the produced random number from 128 bits to n bits, where n can be chosen,” the researchers wrote. “Despite these changes, the modified Trojan RNG passes not only the Built-In-Self-Test (BIST) but also generates random numbers that pass the NIST test suite for random numbers.”
As for the side-channel Trojan, it demonstrates flexibility of the dopant Trojan by attacking weaknesses that enable side-channel attacks in iMDPL, or improved Masked Dual Rail Logic.
“Rather than modifying logic behavior of a design, dopant Trjoan establishes a hidden side-channel attack that leaks secret keys,” the researchers wrote. “The dopant Trojan can be used to compromise the security of a meaningful real-world target while avoiding detection by functional testing as well as Trojan detection mechanisms.”
UPDATE–Microsoft is looking into reports of targeted attacks against a new vulnerability that exists in all supported versions of Internet Explorer. The attacks are targeting IE 8 and 9 and there’s no patch for the vulnerability right now, though Microsoft has developed a FixIt tool for it.
“The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website,” the Microsoft advisory says.
Microsoft did not specify where the attacks against this vulnerability were coming from or whether there are specific compromised Web sites involved. The company has several recommendations for mitigations for this vulnerability, including applying the FixIt solution and setting IE to warn you before running Active Scripting. The most likely attack scenarios for this vulnerability are the typical link in an email or drive-by download.
“In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website,” Microsoft said.
Researchers at Qualys say that the attacks are happening in Japan right now, but could spread quickly now that some details of the vulnerability are public.
“The exploit depends on a Microsoft Office DLL which has been compiled without Adress Space Layout Randomization (ALSR) to locate the right memory segment to attack, but this DLL is extremely common and most likely will not lower the affected population by much. While the attack is very targeted and geographically limited to Japan, it might not affect you at the moment. But with the publication of the shim, other attackers can now analyze the condition fixed and will be able to produce an equivalent exploit fairly quickly,” Wolfgang Kandek of Qualys said.
This story was updated on Sept. 18 to add technical information on the exploit.
Developers behind the Web framework Django have pushed out a new build that fixes a handful of security issues, including a denial of service vulnerability in the framework’s password hasher.
Django 1.4.8, Django 1.5.4, and Django 1.6 beta 4 were released over the weekend and users are urged to upgrade immediately according to a blog post by Django developer James Bennett on Sunday.
The main problem with Django – versions 1.6, 1.5 and 1.4 are affected – lies in how it authenticates users and passwords. Django doesn’t store the raw password in its database, it stores a hashed version of it that is computed at each log-in attempt.
It was discovered recently however that attackers can repeatedly submit large passwords and overwhelm Django’s servers in “the expensive computation of the corresponding hashes.” According to Bennett, before this fix, Django didn’t impose a maximum when it came to plaintext password length. Attackers could submit ridiculously long, sure-to-fail passwords and in turn, the framework would have run a lengthy check to verify it.
Bennett notes that using its standard password hasher, PBKDF – part of RSA’s PKCS series, it would take Django about a minute to check a password one megabyte in size. The bigger the password, the longer system resources are tied up. With the new patch, Django fixes this flaw (CVE-2013-1443) and now fails authentication on any password submitted over 4096 bytes.
Bennett notes that for this fix, the developers had to issue and out-of-band patch of sorts. Usually security issues are reported via email but in this case, a third party publicly disclosed the flaw via Django’s developers mailing list. Since the flaw could have potentially impacted what they refer to as live deployments of the framework, the team was forced to issue a release outside of its usual schedule.
Django is an open source web framework, written in Python, that lets developers rapidly produce and maintain Web applications. The functionality is used, in varying extents, on social media sites like Pinterest, Instagram and in work done by the software company Mozilla, among others.
A NASDAQ representative confirmed this morning that a cross-site scripting vulnerability on the exchange’s website discovered by an ethical hacker has been patched.
The issue was reported on Sept. 2 by Ilia Kolochenko, chief executive of High-Tech Bridge, a Swiss penetration testing company. Kolochenko characterized the issue as a relatively simple cross-site scripting vulnerability.
“It’s not something that would shut down the site, but if a good hacker group wanted to hack them, XSS will make that hack simpler for them,” Kolochenko said, adding that it took two weeks for NASDAQ to address the situation and that it did so only after media reports surfaced on the vulnerability.
NASDAQ said it addressed the issue immediately internally.
“We have fixed the vulnerability, and we began working on the issue once it was flagged to us by the High-Tech CEO – we address any and all vulnerabilities identified, whether internally via our standard processes or externally, like the one we received on September 2,” a NASDAQ representative said in an email to Threatpost.
NASDAQ suffered an outage on Aug. 22 that prompted the exchange to shut down for three hours; a software error was blamed. Kolochenko said the outage prompted him to look at the Web platform used by NASDAQ and that he then discovered a Web application vulnerable to cross-site scripting attacks.
“A quick and totally harmless test confirmed an exploitable XSS vulnerability that allows injecting arbitrary HTML and scripting code into NASDAQ.com webpages,” he said in a statement.
NASDAQ said it validated the claim, as it does with all reported vulnerabilities.
“We take all information security matters seriously,” NASDAQ said. “We work with leading security vendors and have a trained and professional team that evaluates all credible threats across our digital assets.”
Kolochenko said an attacker could gain access to a protected portion of the NASDAQ environment, such as an administrative portal, and modify content on the site.
“Assuming the hackers know where this [vulnerable] component is located, he has to find someone from NASDAQ who can access it, send him a link pointing to NASDAQ.com that will exploit the cross-site scripting vulnerability,” Kolochenko said. “When the person who gets the link clicks on it, his cookies or other sensitive information will be sent along. The hacker will receive this information and will be able to log in to an admin panel with the victim’s user name and password and can do any modification on the site he wants.”
Kolochenko said the NASDAQ site has no mechanism on which to report security vulnerabilities, something NASDAQ denies, adding that such channels are used regularly. Kolochenko contends that only after two weeks and a barrage of initial media reports over the weekend about his discovery of the vulnerability did NASDAQ move to action.
“I have checked all my email and spam folders and I have never ever received a single email from NASDAQ, a NASDAQ contractor, or anyone related to them,” Kolochenko said. “If NASDAQ insists they replied to me, my question is simple: Why after all the articles about the issue didn’t NASDAQ try to contact me again? No one resent the original contact, notified or replied to me.”
This week, meanwhile, U.S. stock exchanges and Federal regulators agreed to reforms, including a kill-switch mechanism that would shut down trades during emergencies, Reuters reported.
“I stressed the need for all market participants to work collaboratively – together and with the Commission – to strengthen critical market infrastructure and improve its resilience when technology falls short,” said Securities and Exchange Commission chair Mary Jo White.
The decision by the Ninth Circuit Court last week to allow the class-action suit against Google over its collection of WiFi data to continue was welcomed as good news by privacy advocates, but it may have considerable consequences for security researchers who collect such data during legitimate research projects.
The legal dispute over the WiFi data gathered by Google goes back several years and stems from unencrypted payload data collected by the company’s Street View vehicles. The cars drive around taking hi-res photos that show up as images on Google Maps’ Street View feature. During their exploits several years ago, the vehicles also collected data from unsecured WiFi routers, ostensibly as a way to improve the accuracy of their location services. Initially, Google officials said that the cars only were recording the location of the routers, but it soon came out that they also gathered payload data.
A number of groups filed suits against the company, which eventually were consolidated into a class-action suit that’s still winding its way through the federal courts. The most recent decision, which came last week, saw the Ninth Circuit Court deny two motions by Google to dismiss the suit on the grounds that the WiFi transmissions constituted radio broadcasts.
“The panel held that the Wi-Fi network data collected by Google was not a radio communication, and thus was not by definition readily accessible to the general public. The panel also held that data transmitted over a Wi-Fi network is not readily accessible to the general public under the ordinary meaning of the phrase as it is used in § 2511(2)(g)(i). Accordingly, the district court did not err in denying the motion to dismiss on the basis of the Wiretap Act exemption for electronic communication that is readily accessible to the general public,” the decision says.
That means the suit will go forward, but, as the EFF explains, it could also lead to problems for some security researchers who rely on the ability to collect WiFi data for legitimate purposes.
“If you’re a security researcher in the Ninth Circuit (which covers most of the West Coast) who wants to capture unencrypted Wi-Fi packets as part of your research, you better call a lawyer first (and we can help you with that). The Wiretap Act imposes both civil and serious criminal penalties for violations and there is a real risk that researchers who intentionally capture payload data transmitted over unencrypted Wi-Fi—even if they don’t read the actual communications —may be found in violation of the law. Given the concerns about over-criminalization and overcharging, prosecutors now have another felony charge in their arsenal,” Hanni Fakhoury of the EFF wrote.
Researchers will sometimes do large-scale surveys of wireless access points for various projects, and the court’s decision could hinder those kinds of projects. However, the decision also supports the notion that law enforcement agencies still need wiretap orders to capture unencrypted WiFi data.
“That’s good news since wiretap orders are harder to get than a search warrant,” Fakhoury said.
Image from Flickr photos of Sancho McCann.
The U.S. government–particularly the National Security Agency–are often regarded as having advanced offensive cybersecurity capabilities. But that doesn’t mean that they’re above bringing in a little outside help when it’s needed. A newly public contract shows that the NSA last year bought a subscription to the zero-day service sold by French security firm VUPEN.
The contract, made public through a Freedom of Information Act request by MuckRock, an open government project that publishes a variety of such documents, shows that the NSA bought VUPEN’s services on Sept. 14, 2012. The NSA contract is for a one-year subscription to the company’s “binary analysis and exploits service”.
VUPEN is one of a handful of companies that sell software exploits and vulnerability details. The company, based in Montpellier, France, employs a number of security researchers who do original vulnerability research and develop exploits for bugs that they find. That information is then sold to governments and law enforcement agencies. VUPEN officials have said that the company only will sell its services to NATO countries and will not deal with oppressive regimes.
“We only sell to democracies. We respect international regulations, of course, and we only sell to trusted countries and trusted democracies,” VUPEN CEO Chaouki Bekrar said in an interview last year. “We do not sell to oppressive countries.”
In the debates and conversations that have followed the flood of documents leaked by Edward Snowden about the NSA’s intelligence gathering and surveillance programs, there has been an undercurrent of discussion about the agency’s use of software exploits and malware to eavesdrop on targets. The NSA has an in-house team of security researchers and engineers who do their own vulnerability and exploit research, but the publication of the NSA-VUPEN contract shows that the agency also does business with outside zero-day merchants. Government agencies, intelligence organizations and law enforcement are among the larger buyers of software exploits and there are still a relatively small number of companies who sell these wares, although that number is growing.
Several U.S. defense contractors and small, private security companies also sell vulnerability details and exploits. VUPEN is the most visible and vocal of this group and its researchers can be found at most of the top security conferences throughout the year.
Image from Flickr photos of Jim Kelly.
A strain of the Revoyem ransomware, also known as DirtyDecrypt, is aggressively spreading beyond Germany and Great Britain, the first two countries in which it was spotted back in March. A researcher who goes by the handle Kafeine reports on his Malware Don’t Need Coffee website that Revoyem is being aggressively distributed internationally.
Victims are generally infected on pornographic websites with the malware, Kafeine reports in a blogpost. It then takes a turn for the worst, redirecting victims via a TrafficHolder malvertising ad to page hosting child pornography which drops the Styx exploit kit on the victim’s machine and the DirtyDecrypt ransomware locking the victim’s computer and informing the victim they’ve just viewed illegal content.
“This is amplified [because] it’s true, you just viewed illegal content even if you’ve been driven there against your will,” Kafeine said.
Ransomware generally follows a similar pattern, though previous strains of the malware have forgone actually displaying child pornography. The victim’s computer is locked by the malware and displays a banner purporting to be from a law enforcement agency. Sometimes these banners are regionalized, i.e., a U.S.-based infection will display an FBI banner informing the victim they must pay a “fine” in order for their machines to be returned to normal working order.
Kafeine said the DirtyDecrypt ransomware has been spotted in 15 countries including the U.S., Spain, France, Italy and the Netherlands.
The FBI banner displays the victim’s IP address and location as well as the illegal images displayed by the malware before locking the computer. The FBI warning also posts a log of visits from the victim’s IP address, and the charges the victim faces.
“In the case of payment of a fine, all data collected against you will be removed from the evidence base,” reads the final page displayed by the malware, along with payment options from MoneyPak and PaysafeCard.
In the background, the malware is stealing private information from the machine’s browser, disabling Windows Task Manager and installs itself for autorun at Windows startup, an analysis at Malwr.com indicates. A list of domains associated with Revoyem have been posted on Pastebin, all of which have been posted in the past few days.
The BEAST cryptographic attack, once thought to be largely mitigated, has two things conspiring against it to make breaches potentially possible again.
Not only has a server-side mitigation essentially been rendered moot by recent research into the RC4 cryptographic protocol, but Apple has yet to enable by default a client-side mitigation into its Safari browser that would keep BEAST at bay, according to research done by Qualys director of application research Ivan Ristic.
BEAST is an attack tool that targets a vulnerability in TLS 1.0 and SSL 3.0 and was reported in September 2011 by researchers Juliano Rizzo and Thai Duong. They built the BEAST tool, which is capable of grabbing and decrypting HTTPS cookies and hijacking browsing sessions in order to steal credentials and more. Major browser makers, except for Apple, addressed the issue on the client side by implementing a technique known as 1/1-n split. The technique stops attackers from being able to predict the initialization vector blocks that are used to mask plaintext data before it is encrypted.
An attacker with a man-in-the-middle presence in a browser session can predict the initialization vector blocks, see what the encrypted data output looks like and influence what is encrypted, Ristic said. No data can be decrypted, Ristic said, but an educated attacker with enough guesses is likely to land on the correct one.
“Because guessing is not very efficient, the BEAST attack can in practice used to retrieve only small data fragments,” Ristic wrote. “That might not sound very useful, but we do have many highly valuable fragments all over: HTTP session cookies, authentication credentials (many protocols, not just HTTP), URL-based session tokens, and so on. Therefore, BEAST is a serious problem.”
Ristic told Threatpost that browser vendors were quick to deploy the 1/1-n split except for Apple, which encoded the mitigation into its Mountain Lion release more than a year ago, but disabled it by default.
“There is no statement [from Apple] on its intentions or published information on how to enable mitigation if people wanted to,” Ristic said, adding that only experience security-aware people would likely think about enabling this type of defense.
On the server side, the best way to mitigate BEAST had been to enforce RC4 encryption whenever TLS 1.0 is used. However, experts Dan Bernstein, Kenny Paterson, Nadhem AlFardan, Bertram Poettering and Jacob Schuldt published an attack that exploits a weakness in RC4 that could allow an attacker to decrypt the key stream—an issue that’s been known about in the community for 15 years.
“Now that RC4 is weak, we have to begin to take measures to disable it. So therefore, we can no longer mitigate BEAST on the server side,” Ristic said. “As long as Safari remains theoretically vulnerable, we are afraid that any change in browser capabilities may lead to a condition that would enable an exploit to the BEAST attack.”
BEAST attacks are ideal in targeted attacks against specific individuals and attackers would need to carry out a man-in-the-middle attack to exploit the issue; BEAST cannot be done on any kind of scale, Ristic said. Also, the source code for BEAST was never released by Rizzo and Duong.
Ristic also cautions that deploying TLS 1.1 or TLS 1.2 would not address BEAST, regardless of the fact they don’t know carry the same initialization vector weakness as TLS 1.0. Most of the Internet remains on TLS 1.0 and while future browsers will support TLS 1.2, Ristic said they will still be vulnerable to protocol downgrade attacks.
“An active MITM can simulate failure conditions and force all browsers to back off from attempting to negotiate TLS 1.2, making them fall back all the way down to SSL 3,” Ristic said. “At that point, the predictable [initialization vector] design is again a problem. Until the protocol downgrade weakness is fixed, newer protocols are going to be useful only against passive attackers, but not against the active ones.”
Apple pushed a handful of patches late last week and updated its OS X Mountain Lion to 10.8.5, improving “stability, compatibility and security” issues and fixing 30 different vulnerabilities in the operating system.
The update fixes multiple vulnerabilities in Apache that could have led to a cross-site scripting error and vulnerabilities in BIND that could have led to a denial of service attack. Other fixes, including some in assorted components like PostgreSQL, PHP and OpenSSL fixed errors that could have led to arbitrary code execution, data corruption or privilege escalation problems.
Apple also updated its Certificate Trust Policy, adding and removing several root certificates from the list of trusted system roots. Apple also patched up its Installer function, which previously presented a dialog to let the user continue when it encountered a revoked certificate. Now, the dialog has been removed and the system refuses any revoked package.
The update also resolved the previously reported sudo vulnerability. An attacker could’ve gained root privileges on a system where sudo, a Linux command that manages user privileges on several types of systems, has been used before. “On OS X, only admin users can change the system clock. This issue was addressed by checking for an invalid timestamp,” reads the security document released in tandem with the patches Thursday.
10.8.5 is likely the last update Apple users will see for the company’s “cat” series (Lion, Mountain Lion, etc) of operating systems. The next iteration of Apple’s OS, Mavericks, is slated for release at the end of October.
On the security front, Apple has already announced in its Core Technologies Overview (.PDF) that Mavericks will feature more finely tuned Address Space Layout Randomization (ASLR), compressed memory, sandboxes and code signing entitlements.
UPDATE: The popular cloud storage service Dropbox was reportedly undercutting the efficacy of access space layout randomization (ASLR) by failing to enable that feature within the dynamic link libraries (DLLs) it injects into other applications. The company now claims it has resolved the issue.
Graham Sutherland explained in a post last week on codeinsecurity that Dropbox and similar tools tend to extend their functionalities to other programs using shell extensions. In Dropbox’s case, Sutherland says the extensions are likely used to add Dropbox functionalities to the menu that pops up when a user right-clicks a given file. These shell extensions are basically custom-designed DLLs which are loaded into process memory. Dropbox apparently uses two DLL extensions, one for 32-bit systems and another for 64-bit systems.
ASLR is a widely deployed security technique that randomly arranges the locations of key data on machines in order to keep attackers from reliably guessing where particular processes take place. The technique’s primary purpose is to protect machines against buffer overflow attacks.
Sutherland examined that way that Dropbox extended its functionalities to Mozilla’s Firefox Web browser and noticed that the extension DLLs at work there do not have ASLR enabled. More broadly, Sutherland’s findings suggest that Dropbox is arbitrarily injecting DLLs without ASLR enabled into any number of 32- and 64-bit applications and processes.
“This means that any vulnerability in Firefox becomes a lot easier to exploit, since the Dropbox module provides an unrandomised anchor for a ROP (return-oriented programming) chain,” Sutherland wrote on his blog last week.
He went on to explain that this practice causes “significant degradation in the efficacy of ASLR across the entire system,” because an attacker could exploit this by putting some executable code inside the to-be-injected DLL in order to produce an ROP chain that could then be used to execute malicious code on affected machines.
The vulnerability is of particular concern in cases where Dropbox is extending itself into high-risk programs such as browsers and torrent clients, Sutherland claims.
Sutherland notified Dropbox and its has confirmed the existence of the problem to codeinsecurity and are said to be working on a fix. It appears that the company has resolved the problem for 64-bit DLLs but not yet for the 32-bit variety.
“Our engineers are aware of this issue and actively working on fixing it,” Dropbox is quoted as having said in a statement on codeinsecurity. “Unfortunately, I can’t give you an exact timeline that a fix will become available. If you have any additional questions or concerns please let me know.”
A Dropbox spokesperson confirmed the issue in an email interview with Threatpost, saying that the problem has been fixed in the latest forums release.
A group of cryptographers in the UK has published a letter that calls on authorities in that country and the United States to conduct an investigation to determine which security products, protocols and standards have been deliberately weakened by the countries’ intelligence services. The letter, signed by a number of researchers from the University of Bristol and other universities, said that the NSA and British GCHQ “have been acting against the interests of the public that they are meant to serve.”
The appeal comes a couple of weeks after leaked documents from the NSA and its UK counterpart, Government Communications Headquarters, showed that the two agencies have been collaborating on projects that give them the ability to subvert encryption protocols and also have been working with unnamed security vendors to insert backdoors into hardware and software products. Security experts have been debating in recent weeks which products, standards and protocols may have been deliberately weakened, but so far no information has been forthcoming.
The cryptography researchers in the UK are asking the UK and U.S. governments to reveal which ones are suspect.
“By weakening cryptographic standards, in as yet undisclosed ways, and by inserting weaknesses into products which we all rely on to secure critical infrastructure, we believe that the agencies have been acting against the interests of the public that they are meant to serve. We find it shocking that agencies of both the US and UK governments now stand accused of undermining the systems which protect us. By weakening all our security so that they can listen in to the communications of our enemies, they also weaken our security against our potential enemies,” the letter says.
Published on Monday, the letter is signed by cryptographers from the University of Bristol, University of London, University of Birmingham, University of Luxembourg, University of Southampton, University of Surrey, University of Kent, Newcastle University and University College London. In it, the researchers call on the relevant authorities to publicly name the products and standards that have been weakened in order to inform users which systems they should avoid.
“We call on the relevant parties to reveal what systems have been weakened so that they can be repaired, and to create a proper system of oversight with well-defined public rules that clearly forbid weakening the security of civilian systems and infrastructures. The statutory Intelligence and Security Committee of the House of Commons needs to investigate this issue as a matter of urgency. In the modern information age we all need to have complete trust in the basic infrastructure that we all use,” the letter says.
In the weeks since the documents detailing the NSA’s cryptographic capabilities emerged, further details about exactly which protocols the agency can attack successfully and which standards it may have influenced have been scarce. NIST, the U.S. agency that develops technical standards for cryptography, among other things, as denied accusations that the NSA was able to weaken some of the NIST standards. However, at the same time, NIST officials have issued a recommendation that people no longer use one of the encryption standards it previously published.
“NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used,” the NIST statement says.
The standard in question is an elliptic curve random bit generator, and cryptographers have called into question its integrity in the wake of the latest NSA revelations, mainly because its difficult to tell how the points on the elliptic curve were determined.
“This algorithm includes default elliptic curve points for three elliptic curves, the provenance of which were not described. Security researchers have highlighted the importance of generating these elliptic curve points in a trustworthy way. This issue was identified during the development process, and the concern was initially addressed by including specifications for generating different points than the default values that were provided. However, recent community commentary has called into question the trustworthiness of these default elliptic curve points,” the NIST statement says.
Image from Flickr photos of Elliott Brown.
A Belgian telecom company that handles some of the undersea cables that carry international voice traffic said Monday that its internal network had been compromised sometime in the last few months and malware had planted on some of its systems. Belgacom said the attack only affected its own systems, and not those of customers, and said it has filed a complaint with the Belgian federal authorities about the incident.
The attack reportedly affected a few dozen machines on Belgacom’s network, including some servers, and the company’s CEO said in a press conference that he had no idea how long the malware had been present in the network. There are reports that the intrusion had been active for as long as two years by the time the Belgian company discovered it. Belgacom officials took remediation steps over the weekend to remove the unidentified malware.
“This weekend, Belgacom successfully performed an operation in the light of its continuous action plan to protect the security of its customers and their data and to assure the continuity of its services,” Belgacom said in a statement.
“Previous security checks by Belgacom experts revealed traces of a digital intrusion in the company’s internal IT system. Belgacom has taken all appropriate actions to protect the integrity of its IT system and to further reinforce the prevention against possible incidents.”
Belgacom is the biggest telecom in Belgium and the country’s government is the majority shareholder in the company. The company provides a variety of voice and data services to carriers around the world, including leased capacity on undersea cables that carry large amounts of international traffic through its BICS (Belgian International Carrier Services) offering. That traffic would be a likely target for an attacker. Belgacom officials said that they’re not naming the intruder, but have filed a complaint with the Belgian federal prosecutor about the incident.
“For Belgacom, the protection of the customers and their data is a key priority. At this stage there is no indication of any impact on the customers or their data. At no point in time has the delivery of our telecommunication services been compromised,” the company statement said.
“Belgacom strongly condemns the intrusion of which it has become a victim. The company has filed a complaint against an unknown third party and is granting its full support to the investigation that is being performed by the Federal Prosecutor.”
Image from Flickr photos of Greckor.
Dennis Fisher and Mike Mimoso talk about the news of the last couple of weeks, including the revelations of the NSA’s anti-cryptography capabilities, the botnet making use of Tor and the Kimsuky cyberespionage attack.http://threatpost.com/files/2013/09/digital_underground_126.mp3