The flood of documents regarding the NSA’s collection methods and capabilities that have been leaked this summer has produced thousands of news stories and several metric tons of speculation about what it all means. But for all of the postulating, analysis and reporting, there are still a lot of questions left unanswered in all of this. Let’s try to address some of them.
Can the NSA break the encryption used in HTTPS connections or secure email systems?
For some definitions of “break,” yes. After the overheated reaction to the leak of the documents detailing some of the NSA’s cryptographic capabilities died down, experts took a closer look at the information and began to coalesce around the idea that the agency is essentially doing what it is supposed to do: find ways to defeat encryption. This is done in various ways, including using software vulnerabilities in crypto implementations, man-in-the-middle attacks and perhaps mathematical advances that give the NSA the ability to decrypt some traffic. There are implications in some of the leaked documents that the NSA may have worked to deliberately weaken some cryptographic standards or algorithms, specifically ones approved by NIST, the U.S agency that approves technical standards for the federal government. NIST has denied those allegations, and there are no details right now about which standards are supposedly affected. There are known attacks against some of the more popular ciphers and cryptosystems and some of them are practical. But the easiest way to defeat encryption remains going after anything other than the encryption.
Does that mean I shouldn’t use encrypted email?
No, it doesn’t. Bruce Schneier, who has examined some of the unpublished leaked NSA documents, said that he still trusts the math on which the major encryption algorithms are based. “Honestly, I’m skeptical. Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system. I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks. Those are where the real vulnerabilities are, and where the NSA spends the bulk of its efforts,” Schneier wrote. Using secure email is still a good defense against eavesdropping and attacks, even from the most sophisticated adversaries. Schneier and other experts recommend using longer key lengths, such as 2048 or even 4096 bits, as insurance.
Should I consider the Internet to be a hostile environment?
Yes! But that was true long before any of these NSA-related leaks emerged. The Internet is a dirty, nasty place not fit for use by most decent people. In general, it’s safe to assume that the Internet is trying to do you (or your packets) some kind of harm at all times. Act accordingly.
Why does the NSA care about my email?
It’s not you they care about, individually. It’s the plural you that interests them. The NSA’s job is to collect intelligence on foreign threats, mainly terrorists, and analyze it. That intelligence is usually in the form of electronic communications, what’s known as signals intelligence, and thanks to the rise of the Internet and explosion in cell phone usage, there’s now many times more of that traffic to gather than there was just 15 years ago. And a good portion of that traffic is encrypted these days, with major email providers such as Google encrypting their users’ sessions and more and more sites offering SSL connections to users. The NSA is tasked with trying to sift through all of that traffic and find indications of terror or anti-American activity by foreigners. But those foreigners don’t always just communicate with each other, and so sometimes U.S.citizens’ traffic ends up in the net, as well. When that happens, the agency is supposed to discard it in most cases, as the NSA’s mission only applies to non-U.S. persons. But what the leaked documents show is that the agency has been collecting massive amounts of phone metadata and email and Internet traffic involving Americans.
Are they just storing this stuff indefinitely?
That’s not clear right now. Some of the encrypted communications are stored for long periods, in the hope that the NSA may be able to decrypt them at some point in the future. But whether that is happening now using some of the agency’s supposed capabilities against cryptographic algorithms isn’t known.
I read something about the NSA running man-in-the-middle attacks against Google and other companies. What does that mean?
There’s a diagram that’s surfaced online of how this kind of attack may have been done. It’s a pretty basic set-up and is one of many ways that an adversary could conduct a MITM attack on a target. In general, MITM attacks are used to intercept communications between a sender and receiver, and they’re particularly valuable against encrypted traffic. If the attacker can get to the traffic before it’s encrypted and sent off to Google or whatever the destination is, he has essentially defeated the encryption scheme without having to attack the encryption itself. MITM attacks can be accomplished in several ways, including using a spoofed or stolen digital certificate to impersonate a service such as Gmail, or compromising a wireless router that a target is using and intercepting the traffic and using a tool such as SSLstrip to remove the encryption. The diagram in question doesn’t seem to involve the use of a stolen certificate, but rather the ability of the attacker to somehow access a router in the network that’s processing Google requests. Either way, that kind of attack would give the attacker the ability to read communications that the user believes to be secure.
So, is the Internet over?
Not quite yet. But there are apparently a lot more documents coming, so…
*Image above via Mark Turnauckas‘ Flickr photostream, Creative Commons
Security experts are warning Vodafone customers, particularly those in Germany, of a possible increase in phishing attacks after an insider at the telecommunications giant accessed a database and stole personal information on as many as two million customers.
German police have a suspect, adding that customer names, addresses, birth dates and bank account numbers among other types of personal data were accessed, Vodafone Germany said. The company said customer credit card numbers, passwords, PINs and mobile phone numbers were not stolen.
“This attack could only be carried out with high criminal intent and insider knowledge and was launched deep inside the IT infrastructure of the company,” Vodafone told the BBC.
Vodafone delayed disclosing the breach in order to give authorities time to investigate, it said. A German news agency said the suspect was not a Vodafone employee, but a contractor. The company added it is in the process of informing customers of the breach and the implications may be.
Authorities have not been clear on how long the contractor had access to the database and whether any customer data had been sold or used as of yet. Given the nature of what was taken, it’s likely the data would have some underground value to a spammer or cybercrime gang. Many scams begin with phishing emails that use convincing messaging purportedly from a trusted source to scam users out of passwords, credit card numbers and other sensitive data beyond personal contact information.
Vodafone said in a statement that it had changed administrators’ passwords and any digital certificates issued on their machines. The compromised server, meanwhile, has been wiped, the company said.
“Vodafone advises its customers to take extra care when possible [with] possible telephone or email inquiries in which they are asked to hand over personal information such as passwords or credit card information,” the company said in a statement, adding that Vodafone would not make such requests of its customers.
In this case, it appears only Vodafone Germany customers are at risk. Spam and phishing lists can be divided and sold regionally, by company or even by organization, experts say, facilitating targeted attacks for cybercrime and even nation-state sponsored attacks.
“Most organizational management and security teams understand what spear phishing is. The problem is they do not know how, or do not have the time and resources, to teach people what phishing is and how to detect or defend against it,” said Lance Spitzner, a SANS Institute instructor and proponent of awareness training. “Spear phishing works because people have not been trained on how to detect such attacks. Even if they do fall victim, if people can figure out after the fact they did something wrong and then report it right away, this is still a win.”
*Vodaphone image via tejvanphotos‘ Flickr photostream, Creative Commons.
MEvade, the massive botnet using Tor as a communication protocol, may have moved operations to the network in order to hamper potential takedown efforts, but according to security researchers, the move just served to shine a spotlight on the botnet’s activities.
Rather than hide traffic from bots to command and control servers, moving to Tor by the millions just alerted researchers and Tor’s handlers that something was amiss. The botnet went undetected—possibly for years—and then suddenly because it caused a spike in Tor usage in a matter of days, the botnet was outed.
“A lot of other bot herders have used Tor in the past, but not this extent,” said Mark Gilbert, security researcher at Damballa Labs. “They probably think they were making the botnet safer, but maybe they were not sure of how massive it was or were connecting to Tor entry nodes more often than they should have.”
The attackers decided to hide their control infrastructure on Tor, yet at the same time made their presence on endpoints more obvious, Gilbert said.
“The massive influx of Tor users drew tons of presumably unwanted attention, compared to when it was just SSH traffic exfiltrating data out over port 443,” Gilbert said. “The SSH traffic over 443, through its very obscurity drew more attention than regular http(s) traffic would have from customers who, even when we detected the threat, might otherwise have written it off as ‘just another virus’.”
Gilbert said his company has been monitoring MEvade for most of this year and said its keepers are likely leasing out portions of the botnet for different purposes. Gilbert said the botnet, also known as LazyAlienBikers, isn’t sending out much spam; parts of it are generating revenue pushing adware however. There is also a data exfiltration capability to some of the malware it spreads, which makes sense given that it’s present in 80 percent of the enterprises in which Damballa has monitoring capabilities.
“What they seem to be doing is dividing the botnet for different purposes; the underground commerce seems to work out this way,” Gilbert said. “The malware author, botherder and ad affiliate are usually not the same person. One is good at coding while another is good at laundering money and another is good at identifying customers for stolen data. They build botnets and lease them out for what people are willing to pay.”
Damballa estimates there are as many as five million bots in LazyAlienBikers, most of them in North America, Africa and Asia. In June, Microsoft was among the first to develop a detection signature for MEvade and within two weeks, the attackers changed domain usage tactics, moving to dynamic DNS providers such as No-IP and ChangeIP, likely to support their use of SSH over HTTP ports for communication with command and control and dropping of additional malware.
But by Aug. 19, the botmaster had moved away from SSH over HTTP and onto the Tor network. Moving away from HTTP, Gilbert said, took the botnet off a protocol built for high performance and high traffic volumes, and onto a network with a much smaller number of exit nodes and relays.
“These are very smart guys, but they are misapplying themselves,” Gilbert said. “They’re not looking at the big picture from a business sense and putting themselves in a network engineer’s shoes and figuring out how to balance resilience with evasion.”
Gilbert said botnets, such as Kelihos which has been taken down numerous times by law enforcement and Microsoft, continues to pop up because it has a fallback where it can send out networks and maintain a much more resilient approach.
The botnet, meanwhile, continues to thrive on Tor, even though numbers have dropped a little.
“In the security arms race, sometimes the bad guys screw up too,” Gilbert said. “But you can be sure they’ve taken the lessons learned from this progression, and will continue to find new ways to remain more elusive going forward.”
Oracle released on Tuesday the Java standard edition version 7 update 40. Java 7u40 includes fixes for a long list of bugs and a number of new features as well.
The most notable security patch appears to be a fix for a plugin deployment bug that failed to block expired certificates for users that were operating at the “very high” security level. You can find the entire list of bugs resolved with this update on Oracle’s bug fixes page.
Oracle is also making two new features available to users with commercial licenses, one called flight recorder and another called mission control. The Java flight recorder feature creates a record of the development process in the Java virtual machine and the mission control feature provides developers with an interface to roll back the clock and access that record, essentially allowing them to revisit any part of the development process. Java SE product manager Aurelio Garcia-Ribeyro explained in a video hosted on Oracle’s website that the features will be particularly useful for fixing bugs that emerge after an application has been deployed.
“The idea is you will be able to find out things that only happen in production,” Garcia-Ribeyro explained. “So there are some bugs that you cannot see because you need to have the application leaking memory for 30 days or something. For those types of bugs, that’s when you need mission control and flight recorder.”
Java SE 7u40 also shipped with a new local security policy. Garcia-Ribeyro explains that Oracle has a problem: though they regularly ship new versions of Java SE that contain new features and vulnerability fixes, many of their enterprise users choose not to install these updates because they are running older applications that may not be compatible with the newer versions of Java SE.
The local security policy will give the administrators at these enterprises the ability to choose which particular applications can access each specific version of the Java runtime environment, allowing them to run old Java versions for old applications and the most up-to-date Java versions for newer applications and limit their exposure to security vulnerabilities.
The latest edition of the JDK has also disabled the “remember this decision” feature that automatically approved self-signed applets. All unsigned and self-signed applets will now need to be approved on a per-use basis.
At first it seems like email spammers relying on old tricks – but a further look into a new campaign spotted by security firm FireEye reveals that the messages are not spreading drive-by downloads or even peddling ordinary PC malware. Instead, attackers are beginning to drop Android malware, in this case FakeDefender, on phones via email.
In this case, the new campaign, relatively young at six days, relies on fake emails that appear to come from the United States Postal Service with messages that read: “USPS Notification: Courier couldn’t make the delivery of your parcel. Reason: Postal code contains an error,” asking users to “Print the Label.”
According to an entry by FireEye’s Vinay Pidathala on the company’s blog earlier this week, users just have to click on the featured link in the email – the print the label link – and the malicious .apk (Android Package File) is downloaded.
Researchers at FireEye went through HTTP requests and found nearly two-dozen URLs serving up the .apk, some disguised as LabelReader.apk.
As the security firm notes, this malware isn’t entirely new. It surfaced earlier this year and is known for deceiving users into “paying for cleanup of other non-existent infections on their device.” As long as the user pays the fee, the phone will purportedly remain uninfected with malware.
After it registers two broadcast receivers, the malware can also intercept incoming and outgoing calls and messages.
In some cases the malware uses different User-Agents to disguise itself – on one machine it can look like a mysterious .apk, but on another machine can masquerade as a .zip file, even something as harmless as “Wedding_Invitation_Chicago.zip,” for example.
While scareware like this can be prevented from being installed on most Android phones – it’s still a relatively new vector for a Android malware campaign, following in the footsteps of sorts of Windows malware.
Android users can disable the “Allow installation of apps from unknown sources” setting in their security settings to prevent mysterious apps from being downloaded. In the same section users can also choose to verify apps, which disallows or warns users before installing malicious apps as well.
It’s a good time to be a security researcher. If you have the time and talent to find vulnerabilities in widely deployed applications, there is a lot of money out there for the taking, and not just from the bug bounty programs and regular exploit buyers.
The latest iteration of the Pwn2Own hacking contest, which has run at the CanSecWest conference in Vancouver for several years, will take place at the Japanese version of the conference in November, and the targets will be the most popular mobile platforms. The prizes for the contest reflect the changing nature of the vulnerability landscape, and the fact that there is far more competition for good vulnerabilities–both out in the open and on the underground–than there has been before.
The targets in the contest include some of the more popular mobile devices on the market, including the iPhone 5, Nexus 4, Galaxy 4, 7 and 10, iPad Mini and BlackBerry z10.
The money available in the mobile Pwn2Own contest at PacSec is significant: $300,000 total, including $70,000 for the first successful exploit against any of the popular messaging services, such as SMS, MMS or CMAS. Exploits that compromise mobile devices via Bluetooth, WiFi, USB or NFC are worth $50,000. On top of that, Google is offering a bonus of $10,000 if one of the exploits compromises Chrome on Android on the Nexus 4 or Galaxy 4.
That’s real money, and in the past, some of the more talented security researchers in the industry have shown up at Pwn2Own to collect large checks from HP, the main sponsor of the contest, and Google. But, as the exploit sales market has exploded in the last couple of years, with government agencies, defense contractors and private buyers ratcheting up the prices, more and more researchers have opted to keep their research private and sell their bugs on the open market rather than use them in a contest. With prices running well into the six figures for browser exploits, it’s no wonder.
“Prices are too low for giving full exploit + sandbox bypass. Price for NFC/USB is good,” Chaouki Bekrar of VUPEN, a seller of exploits to governments, said on Twitter after the announcement for mobile Pwn2Own went out on Thursday.
Bekrar’s team has been a major player at Pwn2Own the last few years, but has avoided entering other contests, such as Google’s Pwnium, because they require the contestants to turn over full details of the vulnerability and exploit, rather than just the crash details. The requirements for mobile Pwn2Own make it clear that the bugs that qualify for prizes would likely draw a much higher price on the open market.
“A successful attack against these devices must require little or no user interaction and the initial vulnerability used in the attack must be in the registered category. The contestant must demonstrate remote code execution by bypassing sandboxes (if applicable) and exfiltrating sensitive information, silently calling long-distance numbers, or eavesdropping on conversations,” the rules say.
That class of vulnerability is highly valuable to government buyers, and fewer and fewer researchers appear willing to accept half or a third of what they could get on the open market.
Image from Flickr photos of Sean McMenemy.
WordPress has fixed a number of security vulnerabilities, including one that could lead to remote code execution on vulnerable installations. WordPress 3.6.1 is the new, updated release that contains the fixes and also includes some non-security bug fixes and stability changes.
The most serious security issue fixed in WordPress 3.6.1 is a remote-code execution vulnerability related to the way that the software handles certain PHP objects. The vulnerability was discovered by a researcher named Tom Van Goethem, who reported it to WordPress in April. It took five months for the fix to appear in a WordPress release. The bug has to do with the way that WordPress deals with some serialized input.
WordPress says the change in 3.6.1 will “Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution.” The description of the vulnerability from Van Goethem is a bit more detailed.
“Another type of vulnerability that an attacker can exploit when his data is run through theunserialize() function, is “PHP Object Injection”. In this case, object-types are unserialized, allowing the attacker to set all the properties of the object to his choice. When the object’s methods are called, this could have some effect (e.g. removing some file), and as the attacker is able to choose the properties of the object, he might be able to remove a file of his choice,” Van Goethem wrote in an explanation of the bug.
“Do not pass untrusted user input to unserialize(). Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this. Use a safe, standard data interchange format such as JSON (via json_decode() and json_encode()) if you need to pass serialized data to the user.”
In addition to the PHP vulnerability, WordPress 3.6.1 also includes fixes for two other security vulnerabilities:
- Link Injection / Open Redirect: Fix insufficient input validation that could result in redirecting or leading a user to another website.
- Privilege Escalation: Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user.
WordPress also made a change to the software that is designed to make cross-site scripting attacks on WP installations more difficult. The change modifies “security restrictions around file uploads to mitigate the potential for cross-site scripting. The extensions .swf and .exe are no longer allowed by default, and .htm and .html are only allowed if the user has the ability to use unfiltered HTML.”
Dennis Fisher talks with Marc Maiffret about his teenage years as a phone phreaker and BBS denizen, the early years of the vulnerability research scene, the Code Red worm and its aftermath and how the security scene has changed in the past 15 years.http://threatpost.com/files/2013/09/10_maiffret.mp3
For the time being, things on the Korean peninsula may have quieted down politically and militarily. But hackers on both sides continue to take shots at each other.
The latest salvo appears to be coming from North Korea, which has been conducting an extensive espionage campaign against specific targets in the South. Researchers at Kaspersky Lab’s Global Research and Analysis Team have been monitoring a malware attacks targeting government and military think tanks in the South, as well as shipping services company.
The Kimsuky Operation—so-named after the Hotmail email addresses used as drop points for stolen data—so far has targeted data from international affairs research groups at South Korean universities, government defense policy think tanks, the national shipping company of South Korea, and groups supporting Korean unification. All of those targets would be of interest to the North Koreans, researchers at Kaspersky said, adding also that IP addresses involved in the attacks are located in China and the ISPs providing access in these attacks also maintain lines into the North.
Researcher Dmitry Tarakanov wrote in a blogpost on Securelist this morning that the team was ready to ignore these attacks as amateurish until they noticed a public mail server involved as a command and control server in the campaign maintained in Bulgaria, as well as a compilation path string containing Korean hieroglyphs translated to remote shell, attack and completion.
“There are a lot of minimal malicious programs involved in this campaign, but strangely they each implement a single spying function,” Tarakanov wrote.
The malware used in these attacks performs a number of functions that help the attackers spy on victims, harvest data and report it back. Separate modules in the campaign include a keystroke logger, directory listing collecter, HWP document theft, remote control download and execution, and remote control access modules.
Tarakanov said the initial infection points are yet unknown, but speculates that part of the campaign is initiated via spear phishing emails. Victims download a Trojan dropper which is used to download additional malware.
“It does not maintain exports and simply delivers another encryption library maintained in its resource section,” Tarakanov wrote. “The second library performs all the espionage functionality.”
Once the malware is on a victim’s machine, it will, at startup, disable the system firewall and an AhnLab firewall if it’s present; AhnLab is a South Korean security vendor. Windows Security Center is also shut off. The malware then begins communicating to the operator through the Bulgarian free webmail service.
The campaign uses a run-of-the-mill keylogger, a similar format to the Madi Malware, Kaspersky researchers said. As for the directory listing capability, researchers saw one sample collector infected with a virus of Chinese origin known as Viking.
“For the attackers, this is certainly a big failure,” Tarakanov wrote. “Not only does the original spying program have marks of well-known malware that can be detected by antimalware products; moreover the attackers are revealing their secret activities to cybercriminal gangs. However, by all appearances, the attackers noticed the unwanted addition to their malware and got rid of the infection.”
The campaign focuses too on stealing HWP documents; HWP is a file format similar to Microsoft Word and is from the Hancom Office bundle, widely used in South Korea. This particular module, however, does not search for HWP files on an infected computer, but only interacts with those opened by the user and then steals them.
“This behavior is very unusual for a document-stealing component and we do not see it in other malicious toolkits,” Tarakanov said.
Tarakanov notes too that the malware does not include a custom backdoor, instead the attackers modified a TeamViewer client as a remote control module. Three executables are delivered via email; two are TeamView components and the third is a backdoor loader.
If you haven’t heard, Apple unveiled two new iterations of the iPhone at one of the Cupertino company’s typically grandiose product events yesterday. As usual, there was plenty of hype to go around, but the biggest change as far as security is concerned is the addition of a fingerprint scanner on the high-end new iPhone 5S.
Biometric authentication as a replacement for passwords has been the talk of the town for years, mainly because good passwords are hard to remember, so people just create bad ones (or just one bad one) that are easy to guess. No biometric form factor is more well-known and widely deployed than the fingerprint scanner. Apple is by no means the first computer company to put a fingerprint reader on a device. Laptop makers dabbled with the idea here and there throughout the 2000s. The practice never really caught on, but the popularity of the iPhone promises to bring the fingerprint reader to the public like never before.
Assuming it works, the real question is this: Will fingerprint-based verification be more secure than passwords? The answer appears to be a wholly unsatisfying maybe.
In a Wired op-ed yesterday, famed cryptographer Bruce Schneier said that “fingerprint authentication is a good balance between convenience and security for a mobile device.” However, he pointed out that the devices have a long history of vulnerabilities. A solid photocopy is enough to trick some of these things, he wrote, while better scanners will examine fingerprint ridges, pores, heat, and pulses and are therefore more reliable. In the end, Schneier reasons that an attacker could reasonably compromise the fingerprint scanner on an iPhone. He also expressed concern about the possibility that Apple may maintain a centralized database of fingerprints, though most of the reporting on this seems to indicate that the fingerprint storage will take place locally, in an encrypted format inside a hidden file on the iPhone itself.
In an NPR report yesterday, Charlie Miller, a well-known Apple hacker and security researcher who has found several iOS bugs, seemed pretty underwhelmed by the security implications of Apple’s new fingerprint scanner. He said it would be possible to reverse-engineer the encrypted fingerprint hash in order to ascertain a plain-text copy of the fingerprint and suggested that the scanner may make iPhones even easier to break into.
“They are not going to do away with the pass code entirely,” Miller told NPR security and privacy reporter, Steve Henn. “So, really, by creating another way to unlock the phone they have created another access point for a hacker to try and exploit.”
As is generally the case with Apple products, the detractors and the proponents are in equal supply. Rich Mogull, a security analyst and the CEO of Securosis, explained in a Macworld article yesterday that there are two types of fingerprint readers: optical readers that merely take a picture of you fingerprint and capacitance readers that actually measure the electrical conductivity of the ridges on your fingers and use those measurements in order to create an image of the user’s fingerprint. The iPhone 5S uses the latter.
Ultimately, Mogull acknowledges (as did Schneier for that matter) that fingerprints are somewhat inherently insecure because – unlike a cryptographic key or password – they are unchangeable. Once a fingerprint is stolen, it is stolen forever. Despite this, Mogull argues that the fingerprint is a vast improvement on the four-digit passcode, and claims it could have serious implications as mobile devices are increasingly used as tokens to access other services and devices.
Phil Dunkelberger, the CEO of Nok Nok Labs, a firm that specializes in authentication (and is also a founding member of the FIDO Alliance), penned a blog on the Nok Nok Labs website yesterday singing praises to Apple for bringing simple but strong security to the masses.
“Apple now has an embedded Fingerprint Sensor (FPS) that it can use to bind a user and a device, reducing the risk of fraud and improving the customer experience within the Apple walled ecosystem,” he wrote.
It remains to be seen how secure the iPhone 5S fingerprint scanner will be, but the good news is that a user’s fingerprint will only be good to access the iPhone itself. In order to access iCloud, App Store, and other Apple services that are reachable from multiple devices that don’t have such scanners, users must still enter a password or phrase.
Apple primed itself to implement new authentication measures into its products when it acquired the biometric authentication company AuthenTec last year.
The federal government has released hundreds of pages of documents, including orders and opinions from the secretive Foreign Intelligence Surveillance Court, related to the NSA’s surveillance programs, but legislators who have been involved in the process say that there still are significant details of the agency’s email and phone collection activities that remain secret.
Senators Ron Wyden (D-Ore.) and Mark Udall (D-Colo.), who have been outspoken critics of the NSA and warned about the secret collection programs before this summer’s public revelations, said that despite the release of new documents in response to a lawsuit by the EFF, much of the most important information remains classified.
“With the documents declassified and released this afternoon by the Director of National Intelligence, the public now has new information about the size and shape of that iceberg. Additional information about these violations was contained in other recently-released court opinions, though some significant information – particularly about violations pertaining to the bulk email records collection program – remains classified,” the senators said in a statement.
On Tuesday, the Director of National Intelligence declassified and released hundreds of pages of documents as the result of a lawsuit brought by the EFF and the ACLU. The bulk of the cache comprises FISC opinions and orders, but there also are documents related to so-called “compliance incidents”, which are instances in which the NSA notifies the court and legislators about possible violations of rules regarding intelligence collection. The EFF has posted searchable versions of all of the documents.
One of the interesting findings in the released documents is the fact that no one at the NSA had a full understanding of how exactly its collection programs worked.
“Incredibly, intelligence officials said today that no one at the NSA fully understood how its own surveillance system worked at the time so they could not adequately explain it to the court. This is a breathtaking admission: the NSA’s surveillance apparatus, for years, was so complex and compartmentalized that no single person could comprehend it,” Trevor Timm of the EFF said.
“The intelligence officials also acknowledged that the court has to base its decisions on the information the NSA gives it, which has never been a good basis for the checks and balances that is a hallmark of American democracy.”
Wyden and Udall said that the documents released Tuesday were just a small piece of a much larger puzzle.
“We have said before that we have seen no evidence that the bulk collection of Americans’ phone records has provided any intelligence that couldn’t be gathered through less intrusive means and that bulk collection should be ended. These documents provide further evidence that bulk collection is not only a significant threat to the constitutional liberties of Americans, but that it is a needless one,” they said.
Embedded device manufacturers have been warned for ages about the risks of making networking, telecom and critical infrastructure gear reachable online, worse yet, leaving default credentials in place for authenticating to those devices.
Clearly, most are not listening.
An Australian researcher with access to the data collected by the Carna botnet, also known as the Internet Census 2012, enumerated and analyzed devices exposed to the Internet in the IPv4 address space and found a number of troubling trends.
While hundreds of thousands of devices discovered by the botnet were manufactured by just 15 companies, there are still 2,099 unique device builders with vulnerable devices sitting on the Internet with default credentials still enabled. The vast majority of compromised devices were built by Chinese manufacturers (720,141 or 56 percent) with Hong Kong and Turkish builders (7 percent each) the next biggest offenders. China’s ZTE Corp., was far and away the biggest offender with 353,436 devices accounting for 27 percent of the devices discovered.
ZTE was singled out, along with fellow telco manufacturer Huawei, by the U.S. House Intelligence Committee as security threats and cautioned American companies not to do business with these manufacturers.
“It seems to indicate that there is a manufacturing problem somewhere with these very few companies that are making devices that are vulnerable by default. I think it’s strongly necessary to force manufacturers to alter their habits and make devices that are secure by default,” said Parth Shukla, a researcher with Australia’s AusCERT.
Shukla said he is the only person aside from the anonymous researcher behind the Internet Census 2012 to have access to the full Carna data set. “Perhaps government and consumer pressure might be required to accomplish this as I am not getting much response from them in my attempts to collaborate with them with regards to this issue,” he said.
The creator of the Internet Census 2012 used a botnet of more than 1.3 million devices to conduct a full scan of allocated IPv4 addresses. The creator then developed a binary that was uploaded to the insecure devices found during the scan. The binary included a telnet scanner that would fire different default login combinations at the devices such as root/root or admin/admin, or would attempt to access devices without a password.
“We deployed our binary on IP addresses we had gathered from our sample data and started scanning on port 23 (Telnet) on every IPv4 address. Our telnet scanner was also started on every newly found device, so the complete scan took only roughly one night. We stopped the automatic deployment after our binary was started on approximately thirty thousand devices,” the anonymous researcher said in his paper. “The completed scan proved our assumption was true. There were in fact several hundred thousand unprotected devices on the Internet making it possible to build a super-fast distributed port scanner.”
The scan quickly located hundreds of thousands of devices including consumer routers, IPsec routers, BGP routers, industrial control systems and enterprise-grade networking gear. The researcher said he ignored any traffic going through the devices, nor did he port scan any LAN devices.
Shukla told Threatpost he has not had much success communicating with manufacturers and getting them to understand the severity and depth of the issue. He said he has offered to provide each manufacturer with a sanitized version of the data that applies to them
“I think this highlights a very worrying trend that manufacturers don’t care about security and there is nothing currently we can do to make them care,” Shukla said. “They create vulnerable devices by default and it doesn’t bother them. I’m not even sure if they are aware of this or not.”
The security of embedded devices and the insecure practice of not removing default credentials is a huge issue, in particular with SCADA and industrial control system equipment. Already since the release of the initial Internet Census 2012 data in March, malware known as LightAidra appeared on the scene and is responsible for several botnets that are designed to search for telnet ports and attempt to compromise them with default credentials, Shukla said.
Shukla and AusCERT have provided data to particular country CERTs worldwide and invites other organizations to contact AusCERT.
“ISPs and resellers of these devices also need to play a critical role in ensuring that vulnerable devices are not resold by them to their customers which can place their own networks in jeopardy upon infection,” Shukla wrote in his paper. “Once infected, a device can have a negative impact on network performance for ISPs and as such an incentive to not sell these vulnerable devices should be plainly obvious.”
UPDATE–The revelations last week in leaked NSA documents that the intelligence agency had influenced the standards process at NIST to allegedly deliberately weaken unnamed cryptographic algorithms have spurred a huge amount of speculation and discussion in the security community about the implications and consequences of the NSA’s actions. For its part, NIST is seeking to reassure people that its standards process hasn’t been compromised.
In a statement released Sept. 10, NIST (National Institute for Standards and Technology) said that its standards are always rigorously vetted by outside experts and that the agency would never intentionally backdoor an algorithm.
“We want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place,” the statement says.
“NIST would not deliberately weaken a cryptographic standard. We will continue in our mission to work with the cryptographic community to create the strongest possible encryption standards for the U.S. government and industry at large.”
As a result of the questions about NIST’s relationship with NSA, NIST has re-opened the comment period on several of its cryptographic standards related to elliptic curves. The agency is accepting comments on 800-90 A Rev. 1, 800-90 B and 800-90 C. These standards are related to random number generation.
NIST is the federal agency responsible for developing technology standards and best practices for the federal government. The organization focuses on a number of different areas, with one of its main concerns being cryptography and computer security. NIST sponsors competitions periodically for new hash and cryptographic algorithms, and just last year selected a new algorithm called Keccak to become the standard hash algorithm. A few years ago, the agency held a competition to replace DES, then the accepted encryption standard, with an algorithm called Rijndael winning and becoming the AES standard.
The documents leaked last week included a briefing sheet for British intelligence that details some of the work that the NSA has been doing for several years on defeating encryption. Those efforts include advances against the algorithms themselves, as well as subverting the protocols by asking vendors to insert backdoors into the hardware or software that implements the encryption. The document says the NSA has “abilities to defeat the encryption used in network communication technologies.”
A portion of the NSA’s secret budget, obtained by the New York Times, reveals that the NSA works to “influence policies, standards and specifications for commercial public key technologies”.
NIST regularly consults with the NSA on cryptographic matters, and is in fact required to do so by law. The NIST statement said that consultation is above board.
“NIST has a long history of extensive collaboration with the world’s cryptography experts to support robust encryption. The National Security Agency (NSA) participates in the NIST cryptography development process because of its recognized expertise. NIST is also required by statute to consult with the NSA,” the statement says.
Despite the agency’s reassurances, security experts and cryptographers say that the revelations about the NSA’s influence on the NIST process may have caused major damage to NIST’s reputation.
“I think NIST took a big credibility hit, unfortunately. And there are good people there doing good work, but we don’t know which of their standards are tainted,” Bruce Schneier, a cryptographer who has seen some of the leaked documents regarding the NSA’s capabilities, said in a podcast interview Wednesday. “And unfortunately, because trust is lost, when they get up and say, the NSA doesn’t affect our standards, we don’t believe them. We need a way to get trust back.”
Image from Flickr photos of Dan4th Nicholas.
Dennis Fisher talks with cryptographer Bruce Schneier about the revelations of the NSA’s capabilities to subvert and weaken cryptographic algorithms, security products and standards, and what it will take to help defeat these capabilities.http://threatpost.com/files/2013/09/digital_underground_125.mp3
BlackBerry climbed aboard the Patch Tuesday bandwagon today with four advisories patching vulnerabilities in Adobe Flash, Webkit and libexif on the company’s mobile devices.
Adrian Stone, director of BlackBerry’s security incident response and threat analysis, said the company is not aware of any attacks in the wild exploiting these vulnerabilities.
“BlackBerry is committed to protecting customers from third-party security issues,” Stone said in a statement.
BSRT-2013-007 patches remote code execution vulnerabilities in BlackBerry Z10 and Q10 smartphones and the BlackBerry PlayBook tablet. Applications running on these devices have limited access to system resources, BlackBerry said, lessening the risk to private data. An attacker would have to entice a user to view a malicious Flash file or download an Adobe AIR application to exploit the vulnerability.
“If the requirements are met for exploitation, an attacker could potentially execute code in the BlackBerry Browser,” BlackBerry said in its advisory, adding again in this context, that applications have restricted access to system resources to make this a huge risk.
BSRT-2013-009 repairs security flaws in libexif libraries on the BlackBerry PlayBook tablet. The advisory points out that multiple flaws exist in the open source EXIF tag parsing library in the tablet.
“The libexif library is an open source component used for processing EXIF metadata tags embedded in images,” the advisory says. “Successful exploitation of one or more of these vulnerabilities could result in an attacker executing code in the context of the application that opens the specially crafted image.”
Attackers exploiting the vulnerabilities would have to do so by building an image with malformed EXIF data and then enticing the user to open or save the image after it has been displayed in an email or webpage.
It’s no secret that putting SharePoint installations online and making them accessible without authentication is standard practice in many organizations. Those SharePoint administrators, however, may want to rethink their policies after today’s Microsoft Patch Tuesday security bulletins release.
Microsoft patched 10 critical SharePoint vulnerabilities today, one of four critical bulletins released by Microsoft—among 13 in all, patching 47 vulnerabilities across a number of product lines. Details of one of the SharePoint bugs—a POST cross-site scripting flaw—have already been publicly disclosed, and all of the vulnerabilities can lead to remote code execution on the collaboration server.
Microsoft SharePoint Server 2007 and 2010 are affected, according to bulletin MS13-067, as are Microsoft SharePoint Services 2.0 and 3.0, and Microsoft SharePoint Foundation 2010. The most critical is CVE-2013-1330, a remote code execution bug that could give an attacker privileges in the context of the W3WP service account. While the bug requires authentication, any SharePoint server that has disabled it is vulnerable to exploit without user interaction.
“It’s interesting that Microsoft prioritized the SharePoint bulletin as highly as they did. In theory, the vulnerability requires authentication. Given the frequency with which people disable SharePoint authentication and the ease of access to documentation on that process, the priority needs to be that high,” said Tyler Reguly, technical manager of security research and development at Tripwire. “People know their computers and email need good passwords. It boggles my mind that we see so many SharePoint deployments in anonymous mode.”
Microsoft is also patching denial of service, memory corruption and cross-site scripting vulnerabilities in SharePoint. Attackers can tamper with ViewState data and crash a SharePoint server that is running without authentication, or gain code execution by sending malicious ViewState data.
“By default, the pages require authentication, which limits the attack vector,” said Qualys CTO Wolfgang Kandek. “If you have reconfigured authentication, this bulletin should be high on your list.”
Plenty of angst was shared following last week’s advance notification of today’s patches regarding a bug in Outlook that was exploitable by merely previewing an email message. Microsoft still rated MS13-068 critical, but defused a lot of worry over its potential for exploit, explaining that the flaw would difficult if not impossible to trigger.
“In fact, we’re not certain that the issue is exploitable at all, but out of an abundance of caution and because attack technology improves over time, we are issuing the security update today,” said Jinwook Shin of the Microsoft Security Resource Center.
The bug is a message certificate vulnerability, which exists in the way Outlook 2007 and 2010 parses S/MIME messages, Microsoft said. Shin called it a double free vulnerability in a blogpost and explained that the conditions for exploit are not always met.
“An attacker can exploit the certificate parsing algorithm by signing an e-mail and nesting over 256 certificates in the signature,” Qualys’ Kandek said. “The attack causes a buffer overflow, even if just visualized in Outlook’s preview pane.”
Microsoft also released another cumulative security update for Internet Explorer. Bulletin MS13-069 patches 10 vulnerabilities that can be triggered by visiting malicious sites; IE 6-10 are impacted by the numerous memory corruption vulnerabilities.
The final critical vulnerability, MS13-070, is in Windows, specifically in OLE that allows remote code execution if a file with a malicious OLE object is opened. The bulletin, however, is limited to Windows XP and Windows Server 2003, both of which will no longer be supported after April 2014.
“MS13-070 is concerning because it only applies to XP and Server 2003 and those vulnerabilities tend to be less ‘contained’ than more mature versions of Windows,” said Rapid7 senior manager of security engineering Ross Barrett. “XP and Office 2003 have shown no let-up in patching frequency, despite the end of support for XP looming just around the corner in April 2014. April will be here before we know it, and who knows what patches will never make it out the door, let alone be found after that date in one of the world’s most widely deployed operating systems.”
The remaining bulletins were rated Important by Microsoft:
- MS13-071 is a remote code execution bug in Windows Theme File executed when a user is tricked into applying a malicious these on their system.
- MS13-072 patches 13 vulnerabilities in Microsoft Word and MS 13-073 is another Office patch, this one in Excel, both of which could lead to remote code execution. Kandek said: “To exploit these, an attacker needs to entice the target to open a malicious file, most likely through a spear phishing type of e-mail. Microsoft only rates these vulnerabilities as ‘important’ because they require the target to cooperate. However, attackers have proven time and again that they have the necessary social engineering techniques to overcome that obstacle with ease.”
- MS13-074 repairs three vulnerabilities in the Microsoft Access database that could give an attacker remote code execution capabilities if a user opens a malicious file
- MS13-075 patches a vulnerability in Microsoft Office IME (Chinese) that could give an attacker elevated privileges on a compromised machine. The attacker would have to be logged on and launch IE from the toolbar in Microsoft Pinyin IME for Chinese.
- MS13-076 addresses a Windows vulnerability in Kernel-Mode drivers that enables elevation of privileges.
- MS13-077 patches a Window bug in the Windows Service Control Manager that leads to privilege escalation.
- MS13-078 fixes an information disclosure vulnerability in Microsoft FrontPage.
- MS13-079 patches a denial of service vulnerability in Active Directory.
The IETF is considering a range of options to help reengineer some of the fundamental protocols that underpin the Internet in response to revelations that the NSA and other intelligence agencies are conducting widespread, dragnet-style surveillance online.
The group, which is responsible for developing the standards that govern much of the technical workings of the Internet, has been looking at all of the information revealed by the documents leaked by former NSA contractor Edward Snowden with dismay and officials said that they’re already at work on some changes that could help make the Internet more resistant to pervasive surveillance. The IETF is not putting out a huge amount of detail on the changes, but said that regardless of the modifications, they won’t matter if the devices people use or the people they communicate with aren’t trustworthy.
“Operational practices, laws, and other similar factors also matter. First of all, existing IETF security technologies, if used more widely, can definitely help. But technical issues outside the IETF’s control, for example endpoint security, or the properties of specific products or implementations also affect the end result in major ways. So at the end of the day, no amount of communication security helps you if you do not trust the party you are communicating with or the devices you are using,” IETF Chairman Jari Arkko and IETF Security Area Director Stephen Farrell wrote in a statement.
The IETF is considering changes to the way that the HTTP 2.0 protocol handles security, specifically whether it should require the use of security up front rather than relying on the server on the other end to decide to provide it. The group also is looking at ways to better instruct people interested in deploying TLS with Perfect Forward Secrecy.
“We’re considering ways in which better use can be made of existing protocol features, for example, better guidance as to how to deploy TLS with Perfect Forward Secrecy, which makes applications running over TLS more robust if server private keys later leak out,” the statement says.
The changes under consideration at the IETF were already being discussed before the revelations about the NSA’s surveillance capabilities over the last few months, but the leaks have accelerated those discussions.
“We knew of interception of targeted individuals and other monitoring activities, but the scale of recently reported monitoring is surprising. Such scale was not envisaged during the design of many Internet protocols, but we are considering the consequence of these kinds of attacks,” the statement says.
“Recent days have also seen an extended and welcome discussion triggered by calls for the IETF to build better protections against wide-spread monitoring.”
The IETF will meet inVancouver in November and the group will discuss the ways in which it can help protect the Internet and users against pervasive surveillance.
Image from Flickr photos of Alessio Canepa.