Dennis Fisher talks with Joe Grand of Grand Idea Studio about his current project, the JTAGulator, which helps hardware hackers find the OCD connections on devices. They also discuss Joe’s hardware-hacking background and the current resurgence of hardware research.
It’s been a brutal month for crypto.
Starting with the Black Hat conference, researchers, engineers and hackers have been unveiling new weaknesses and attacks in different cryptographic implementations that threaten the security of communication and commerce on the Web.
The topper, however, could be a paper released by a team of scientists from MIT and the National University of Ireland at Maynooth who may just have flipped the study of crypto on its head with their findings. They conclude that the mathematical fundamentals on which cryptography is measured may be, well, misapplied.
The discipline of information theory is what’s at question here, in particular the notion that most work done analyzing secure cryptographic schemes has depended on a common assumption, which is the incorrect approach according to the scientists.
In an article released by MIT, the scientists said that in information theory, information is tied to entropy, which is a measure of uncertainty in a random variable and usually refers to Shannon entropy, developed by MIT professor Claude Shannon. Shannon entropy, as it turns out, is flawed for secure implementations because it is based on the average probability that a string of bits will occur, according to the MIT article.
But since an attacker needs to make only one reliable correlation in order to continue guessing a password or private key, for example, knowing the average probability is unnecessary. Giving more weight to an improbable outcome is a more accurate assessment of how to break the security of a given target. The article said that a computer cut loose to guess correlations between encrypted and unencrypted versions of a file would learn the answer much more quickly than expected.
“It’s still exponentially hard, but it’s exponentially easier than we thought,” said Ken Duffy, a NUI researcher. “Attackers often use graphics processors to distribute the problem. You’d be surprised at how quickly you can guess stuff.”
Muriel Medard of the research laboratory of electronics at MIT told Threatpost that Shannon entropy works just fine to measure the efficiency of communication. Until now, the randomness of data at the basis of that theory was thought to be enough to protect it, but she said their work proves that data isn’t so random, especially if an attacker knows enough about a target when they’re able to enter passwords, for example.
“When doing a guess of some kind whether it’s a password or verifying a hash, that makes a huge difference in the amount of time it takes to arrive at the guess,” she said. “There are small variations which are small enough not to worry about them for network performance, but have a significant impact on the security of the network when looking at guessing attacks.”
When compression, or any kind of outside noise, is introduced, this alters how an attacker would go about guessing a secret because it’s changing the randomness of the data.
“It’s like when you play 20 Questions with someone you know, you’re likely to guess quickly versus someone you don’t know at all,” Medard said. “Theoretically, people could choose anything in the universe, but you may have knowledge about their preferences that now allow you to guess more quickly.
“That means that small variations from the uniform, whether as a result of compression or noise that are not completely uniformly distributed, you can use these small differences to hear very stark differentials of what happened under an idealized assumption and what might happen under slight non-uniformity.”
Medard said she’s not sure yet about the ultimate impact the team’s work would have on cryptography or security in general.
“We’re still trying to figure that out ourselves,” she said. “Probably in some domains where you’re just trying to hide information and are not so worried about guessing, there would be a limited impact.”
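The gap between average-case entropy and guessing effort described above can be shown numerically. This is an added, simplified illustration, not the analysis from the MIT/NUI Maynooth paper; the 1,024-secret distribution is constructed for the example.

```python
import math

def shannon_bits(probs):
    """Shannon entropy in bits: the average surprise over all secrets."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def min_entropy_bits(probs):
    """Min-entropy in bits: determined only by the single most likely secret."""
    return -math.log2(max(probs))

def guesses_for_success(probs, target):
    """Guesses needed to succeed with probability >= target when the
    guesser tries secrets from most likely to least likely."""
    covered = 0.0
    for rank, p in enumerate(sorted(probs, reverse=True), start=1):
        covered += p
        if covered >= target - 1e-12:   # tolerate float rounding
            return rank
    return len(probs)

def uniform_model_guesses(entropy_bits, target):
    """The same question under the idealized model: 2**H equally likely secrets."""
    return math.ceil(target * 2 ** entropy_bits)

def skewed_distribution():
    """Constructed sample: 16 popular secrets share half the probability
    mass, the other 1008 secrets share the remaining half."""
    return [1 / 32] * 16 + [1 / 2016] * 1008

def compare(probs, target=0.5):
    """Put the entropy figures next to the guessing effort they imply."""
    h = shannon_bits(probs)
    return {
        "shannon_bits": h,
        "min_entropy_bits": min_entropy_bits(probs),
        "model_guesses": uniform_model_guesses(h, target),
        "actual_guesses": guesses_for_success(probs, target),
    }

if __name__ == "__main__":
    for key, value in compare(skewed_distribution()).items():
        print(key, round(value, 3))
```

The Shannon figure of roughly 8 bits suggests about 127 guesses for an even chance of success, while the ordered guesser needs 16; min-entropy, which looks only at the most likely secret, is the measure that tracks that early success.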
According to research unveiled this week some types of web-enabled light bulbs are vulnerable to a flaw wherein an attacker could literally leave users of the bulbs in the dark.
Hue received scattered acclaim last year after it popped up at the Apple store and was later called the best new product of 2012 by Forbes. Essentially it’s a wireless system that can manage an infrastructure of LED light bulbs via iOS and Android devices.
The main problem here lies in the fact that Hue’s bridge uses a whitelist of associated tokens to authenticate its requests. Anyone else who can get on its network and glean at least one of the whitelisted tokens can issue HTTP commands to the system and in turn control the lightbulbs.
Dhanjani notes that in testing, determining one of the whitelist tokens was not difficult: it was simply the MD5 hash of the MAC address of the users’ iOS or Android device.
“This leaves open a vulnerability whereby malware on the internal network can capture the MAC address active on the wire (using the ARP cache of the infected machine). Once the malware has computed the MD5 of the captured MAC addresses, it can cycle through each hash and issue ‘all lights off’ instructions to the bridge via HTTP.”
Attackers can repeatedly insert code to trigger a “sustained blackout,” and rig the victim’s system so they can remotely change people’s light bulbs.
In one perhaps farfetched situation, an attacker could even cause a blackout in a person’s home or office just by tagging a completely black image of them on Facebook. This stems from functionality in the app that lets social media dictate users’ lighting. Hue can change lights to reflect the color of an Instagram or Facebook photo and blink a certain number of times if they receive an email.
Dhanjani contacted the makers of the system, Philips, several times via Twitter in June to address the issues with Hue but the company never responded with an email to Dhanjani to further explain the vulnerability.
When reached this week Philips claimed it was aware of Dhanjani’s whitepaper but insists the vulnerability is only possible on local area networks, adding that if users secure their internet, “traffic passing between your devices and across the internet will remain fully secure.”
The news that an internet-connected lighting system is vulnerable shouldn’t come as too big of a surprise. In this day and age – as we’ve learned with cars, pacemakers, washing machines and even coffee makers – practically everything that can connect to the internet can be compromised.
While Dhanjani warns “lighting is critical to physical security,” and that if anyone were to exploit this vulnerability in a hospital or public venue, it could cause trouble, it’s not likely many of these vulnerabilities will really affect the general public. In advertising, the product is catered more towards the home and in most situations it’s hard to comprehend being left in the dark as anything more than just a nuisance.
One day after the New York Times Web site was offline for several hours due to what experts speculated was an attack, the site of the Washington Post was hacked, apparently by the Syrian Electronic Army. Officials at the Post said that the attack followed closely on the heels of the SEA hacking the Twitter account of one of its employees.
The attack on the Post’s site resulted in visitors to some of the paper’s article pages being redirected to the SEA site.
“A few days ago, The Syrian Electronic Army, allegedly, subjected Post newsroom employees to a sophisticated phishing attack to gain password information. The attack resulted in one staff writer’s personal Twitter account being used to send out a Syrian Electronic Army message. For 30 minutes this morning, some articles on our web site were redirected to the Syrian Electronic Army’s site. The Syrian Electronic Army, in a Tweet, claimed they gained access to elements of our site by hacking one of our business partners, Outbrain. We have taken defensive measures and removed the offending module. At this time, we believe there are no other issues affecting The Post site,” Post Managing Editor Emilio Garcia-Ruiz said in a statement.
The attack on the Post is the latest in a string of such attacks against media sites and social media accounts in the last year or so. In addition to the compromise of the Post reporter’s Twitter account, the SEA also has claimed credit for hacking the Twitter accounts of The Onion, the Associated Press and others. The SEA is a group of attackers who support the regime of Syrian President Bashar al-Assad. The group has been going after various media organizations for some time now.
On Wednesday, the New York Times home page was offline for about two hours, and the company said that the failure was the result of a bad update rather than an attack.
“The outage occurred within seconds of a scheduled maintenance update being pushed out, and we believe that was the cause,” Eileen Murphy, a spokeswoman for the New York Times, told the paper on Wednesday.
Security experts had speculated on Wednesday that the Times outage may have been the result of an attack, as well.
Fraudulent Twitter accounts are a booming business, accounting for significant underground money for spammers, fake antivirus scams, drive-by downloads and phishing schemes. But research presented at USENIX yesterday proposes a means for driving up the cost for attackers to get these campaigns off the ground.
Vern Paxson of the International Computer Science Institute and Chris Grier of UCal-Berkeley, who presented at USENIX, along with Kurt Thomas of UC-Berkeley, Damon McCoy of George Mason University and Alex Kolcz of Twitter, developed what they called a classifier they hope will soon be integrated by Twitter into its registration process. The tool, the researchers said, identifies potentially fraudulent accounts as they’re automatically being registered by a criminal.
“Our technique relies on identifying patterns in the naming conventions and registration process used by [fraud] merchants to automatically generate accounts,” the researchers wrote in the paper they presented at USENIX. With Twitter’s permission, the classifier was used retroactively on Twitter accounts registered in the 10 months leading up to this April. Several million registrations were flagged as fraudulent, the paper said.
“Our detection framework begins by leveraging the limited variability in naming patterns used by account generation algorithms which enables us to automatically construct regular expressions that fingerprint fraudulent accounts,” the researchers wrote.
The regular expressions are generated from a complicated structure that identifies the character classes used in short screen names, looking at character lengths, text strings repeated between multiple accounts and other characteristics. The researchers refined these to build a profile that was then applied to 27 known fraud merchants with whom they had established buying relationships.
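A simplified sketch of the fingerprinting idea described above, added here as an illustration and not the researchers' classifier: screen names from a known-bad batch are reduced to runs of character classes, and any class sequence seen often enough becomes a regular expression with the observed length ranges. The names, the `min_support` threshold and the function names are assumptions made for the example.

```python
import re
from itertools import groupby

def char_class(ch):
    """Map one screen-name character to a regex character class."""
    if "A" <= ch <= "Z":
        return "[A-Z]"
    if "a" <= ch <= "z":
        return "[a-z]"
    if "0" <= ch <= "9":
        return "[0-9]"
    return re.escape(ch)          # e.g. the underscore stays literal

def runs(name):
    """Collapse a name into (character class, run length) pairs."""
    return [(cls, sum(1 for _ in grp))
            for cls, grp in groupby(char_class(c) for c in name)]

def learn_fingerprints(known_bad, min_support=3):
    """Build one regex per class sequence shared by >= min_support names,
    using the min/max run length observed at each position."""
    groups = {}
    for name in known_bad:
        parts = runs(name)
        key = tuple(cls for cls, _ in parts)
        groups.setdefault(key, []).append([n for _, n in parts])
    patterns = []
    for classes, lengths in groups.items():
        if len(lengths) < min_support:
            continue              # too few samples to call it a generator
        pieces = []
        for i, cls in enumerate(classes):
            lo = min(row[i] for row in lengths)
            hi = max(row[i] for row in lengths)
            pieces.append(cls + ("{%d}" % lo if lo == hi else "{%d,%d}" % (lo, hi)))
        patterns.append("".join(pieces))
    return sorted(patterns)

def flag_registrations(names, fingerprints):
    """Return the names that fully match any learned fingerprint."""
    compiled = [re.compile(f) for f in fingerprints]
    return [n for n in names if any(rx.fullmatch(n) for rx in compiled)]

# Constructed sample data: a purchased batch and a stream of new signups.
PURCHASED = ["Kmarta4821", "Tlopez9034", "Rbanks117", "Dwhitely5620", "zz_top_fan"]
NEW_SIGNUPS = ["Hgreen3308", "carol99", "alice_sec", "Mstones041", "Bob1"]

if __name__ == "__main__":
    fps = learn_fingerprints(PURCHASED)
    print(fps)
    print(flag_registrations(NEW_SIGNUPS, fps))
```

A name pattern this loose will also match some legitimate users, which is why the researchers describe combining naming patterns with signals from the registration process.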
The 27 fraud merchants, the researchers said, were responsible for millions of fraudulent Twitter accounts, 95 percent of which were suspended by Twitter. The team of researchers estimates that this relatively small number of merchants was responsible for up to 20 percent of the phony accounts registered on Twitter during the 10 months the study took place and that the fraudsters earned close to $500,000 during that timeframe. After the initial suspensions, the team bought more fraudulent accounts, 90 percent of which were immediately suspended by Twitter, causing some fraud merchants to temporarily stop selling Twitter accounts.
The team said the market did begin a recovery shortly thereafter; another 6,800 accounts were purchased two weeks later and only 54 percent were immediately suspended.
“As such, long term disruption of the account marketplace requires both increasing the cost of account registration and integrating at signup time abuse classification into the account registration process,” the researchers wrote.
Underground merchants are finding huge profits in selling Twitter credentials, bolstered by using services that bypass CAPTCHA protection or techniques such as spreading phony accounts across thousands of IP addresses they control to sidestep Twitter’s blacklist controls, the researchers said. The accounts were selling at a range of $10-$200 per thousand accounts. For this study, the researchers monitored the 27 merchants—finding them via Web storefronts, black hat forums and elsewhere on the Web—and purchased fraudulent Twitter accounts every two weeks, amassing 121,027 accounts from June 2012 to April of this year.
“Our findings show that merchants thoroughly understand Twitter’s existing defenses against automated registration, and as a result can generate thousands of accounts with little disruption in availability or instability in pricing,” the researchers wrote. “In order to fulfill orders for fraudulent Twitter accounts, we find that merchants rely on CAPTCHA solving services; fraudulent email credentials from Hotmail, Yahoo, and mail.ru; and tens of thousands of hosts located around the globe to provide a diverse pool of IP addresses to evade blacklisting and throttling.”
While the researchers estimate the cost of a fraudulent Twitter account to be pennies per account, some of the merchants they dealt with in the research also sold Facebook, Google, Hotmail and Yahoo accounts; Facebook accounts start at 45 cents per account and can get as high as $1.50 for a phone-verified account while Google phone-verified accounts are 50 cents. Hotmail and Yahoo accounts, the researchers said, are in the same pricing ballpark as Twitter accounts. They did not have permission, however, from those Internet companies to vet credentials for those accounts as they did with Twitter.
DEFCON21, one of the world’s largest conferences of hackers, was held in Las Vegas from 2nd-4th August. About 15,000 attendees joined the event from different countries in the world seeking a place to present their research, get the latest information, and exchange their opinions.
DEFCON21 offers not only briefings, but also a variety of other opportunities such as hands-on experience of lock picking tools, sales of event items and spy tools, as well as events like the badge contest. Among all of these, the final of CTF (Capture The Flag) is probably the most prominent one.
Microsoft announced Wednesday afternoon that it has pulled MS13-061, one of the patches issued yesterday for vulnerabilities in Exchange Server 2013.
Microsoft said the patch is causing issues with the content index for mailbox databases. Organizations would still be able to send and receive email, but would not be able to search for messages on the server.
“After the installation of the security update, the content index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed,” Microsoft principal program manager Ross Smith said in a post on the company’s Exchange site.
Smith added that patches for Exchange 2007 and 2010 were not pulled back because both use a different indexing architecture and are not impacted.
Organizations that have already installed the patch are urged to follow the steps outlined in a Knowledge Base article released today as a workaround until a new patch is available. The workaround involves the editing of two separate registry keys.
Experts, however, think the number of companies immediately applying the patch could be relatively low given the criticality of Exchange servers to enterprises. Most likely, an Exchange patch, even a critical one, would have been reserved for a maintenance window overnight or on a weekend.
The patch was essentially the integration of an Oracle patch released last month for Outside In, a technology that turns unstructured file formats such as PDFs into normalized files. Outside In is part of Exchange’s WebReady Document Viewing and Data Loss Prevention features.
An attacker would be able to exploit the vulnerability in question if a user opened or previewed a malicious file attachment using Outlook Web Access (OWA) giving the attacker the same privileges as the victim on the Exchange Server.
“This is a fairly important patch in terms of criticality given that it’s the mail server and not a workstation,” said Qualys CTO Wolfgang Kandek.
The issue is amplified because with the OWA module on Exchange, the browser pulls a message into Exchange and using Outside In, processes the message on Exchange exposing the server to attack.
Kandek said organizations that don’t allow OWA or turn off a visualization mode that renders documents are not affected; documents such as PDFs instead would be processed by a reader such as Adobe or Foxit avoiding the attack vector.
In the meantime, Kandek said he hopes Microsoft is transparent about the reason for the faulty patch and why it wasn’t caught in testing.
“I think it’s important because we tell people they should install patches as quickly as possible,” Kandek said. “When a patch breaks, that’s an issue.”
The Exchange patch was one of three critical bulletins sent out yesterday in Microsoft’s August Patch Tuesday updates.
Researchers have discovered a number of malicious Android apps are using Google’s Cloud Messaging service and leveraging it as a command and control server to carry out attacks.
A post on Securelist today by Kaspersky Lab’s Roman Unuchek, breaks down five Trojans that have been spotted checking in with GCM after launching.
The first, AndroidOS.FakeInst.a, is one of the more prevalent with more than 4,800,000 installers across 130 countries, primarily Russia and the Ukraine. According to Unuchek, the Trojan can send text messages to premium numbers, delete incoming text messages, generate shortcuts to malicious sites, and display notifications advertising other, fake malicious programs.
The second, AndroidOS.Agent.ao, is being peddled as a pornography app and, while with only 300 installers it is substantially less popular than FakeInst, it can still use GCM to send text messages and issue notifications. Also found in Switzerland, Iran, Kenya and South Africa, Agent remains most popular in the UK, where “90% of all attempted infections were detected.”
Researchers found 1,000,000 different OpFake installers disguised mostly as games. The app sends several commands from both the GCM and its own C&C, including the following:
- Sending premium text messages to a specified number
- Sending text messages (typically with a link to itself or a different threat) to a specific number, typically to numbers on the contact list
- Performing self-updates
- Stealing text messages
- Deleting incoming text messages that meet the criteria set by the C&C
- Theft of contacts
- Replacing the C&C or GCM numbers
- Stopping or restarting its operations
Backdoor.AndroidOS.Maxit.a, a backdoor threat that disguises itself as a game, also routes its communications through a C&C that later registers information with GCM. Over 40 variants of the threat can send, delete, and redirect incoming messages, install shortcuts and open websites on its own.
Lastly, Trojan-SMS.AndroidOS.Agent.az is similar to the previously mentioned AndroidOS.Agent.ao in the sense that it models itself as a pornography application. Targeting users in Vietnam, the app can send text messages to premium numbers and connect to GCM to “receive certain messages and add them to the cell phone’s notification section.”
Google Cloud Messaging, initially launched at Google’s I/O conference in 2012, allows developers to send free, lightweight 4kb messages to Android devices. After a developer receives an ID for their applications, they can send data to any device that has the app installed. More than half of the apps available on Google Play use the service to send advertising and information to users to the tune of 17 billion messages per day.
Unuchek notes at the end of the research that Google has been notified of the developers in question and states that the fact that attackers are using the service shouldn’t come as a surprise.
“It would be surprising, of course, if virus writers did not attempt to take advantage of the opportunities presented by this service,” Unuchek said.
While none of these Trojans are especially new – the OpFake and FakeInst families of malware have proved popular for over a year, infecting systems and sending premium SMS texts to users – it’s interesting to see another infection vector, even in its infancy.
The clock is running on Windows administrators to sweep out MD5 implementations before a February 2014 patch from Microsoft slams the door shut on the broken, aged crypto algorithm.
Microsoft released a pair of advisories yesterday in addition to its regular Patch Tuesday security updates alerting users to the fact it would in six months restrict the use of digital certificates with MD5 hashes issued under roots in the Microsoft root certificate program. Admins should use the leeway to find any systems or applications relying on MD5 and determine whether the patch will break anything or otherwise impact their environments.
The second advisory announced the optional availability of network level authentication (NLA) as an authentication method that can be used during Remote Desktop Protocol sessions. NLA adds a layer of security to RDP sessions by requiring that the user be authenticated to the host server before creation of a session.
“Microsoft seems to be going after less secure encryption techniques, and that’s a good thing for Microsoft to start eliminating them from the landscape, especially MD5,” said Lamar Bailey, director of security research and development at Tripwire. “I also like the way they are releasing them as optional right now. [The MD5 patch] will be pushed out live in February, so this gives customers a chance to determine if it’s going to break anything.”
When the patch is pushed universally in February, MD5 hashes will no longer be accepted among Microsoft root certificates. The change applies only to certificates used for server authentication, code signing and time stamping, Microsoft said, adding that it would not block other uses of MD5, and that it would allow for signed binaries that were signed before March 2009.
Customers need to determine, in the meantime, which services are still using MD5 crypto and switch to a stronger algorithm such as the SHA2 family. Weaknesses in MD5 were identified as early as the mid-1990s and research demonstrating collisions was presented in 2004 and 2005. In 2008, practical collision attacks including one where an attacker could spoof a trusted root certificate authority were also demonstrated, leading CERT late in that year to release a vulnerability note that sounded the death knell for MD5.
Yet, vulnerability scanners and penetration testers continue to find MD5 inside organizations today and flag them for weak cryptography. The problem is that in order for users to change crypto on their servers, they have to manually edit the registry, which can be a chore.
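One way to take the inventory described above is to read each certificate's `signatureAlgorithm` field and report the ones signed with MD5. The following is an added example, not Microsoft's tooling: it parses only the DER fields it needs, and the sample inventory is a set of constructed skeletons with hypothetical names rather than real certificates.

```python
import base64
import re

# Signature-algorithm OIDs (PKCS #1); the MD5 entry is the finding of interest.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(data):
    """Accept a PEM or raw DER certificate and return DER bytes."""
    match = PEM_RE.search(data)
    return base64.b64decode(match.group(1)) if match else data

def read_tlv(buf, pos):
    """Return (tag, body_start, body_end) of the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give byte count
        count = length & 0x7F
        if not 1 <= count <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OID content bytes to dotted form (first byte holds two arcs)."""
    if not body:
        raise ValueError("empty OID")
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(arc) for arc in arcs)

def signature_algorithm(cert):
    """Dotted OID of Certificate.signatureAlgorithm (the field after tbsCertificate)."""
    der = to_der(cert)
    tag, start, _ = read_tlv(der, 0)               # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    _, _, tbs_end = read_tlv(der, start)           # skip tbsCertificate
    tag, alg_start, _ = read_tlv(der, tbs_end)     # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("missing signatureAlgorithm")
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("missing algorithm OID")
    return decode_oid(der[oid_start:oid_end])

def audit(certs):
    """Map each certificate name to its signature algorithm or 'unparseable'."""
    report = {}
    for name, blob in certs.items():
        try:
            oid = signature_algorithm(blob)
            report[name] = SIG_ALGS.get(oid, oid)
        except ValueError:
            report[name] = "unparseable"
    return report

def constructed_cert(oid_hex, pem=False):
    """Constructed skeleton (not a real certificate): only the fields read above."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body   # short lengths only
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    der = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01")) + alg + tlv(0x03, b"\x00" + b"\xaa" * 8))
    if pem:
        der = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"
    return der

SAMPLE = {  # constructed inventory; the names are hypothetical
    "legacy-dev": constructed_cert("2a864886f70d010104"),
    "www": constructed_cert("2a864886f70d01010b", pem=True),
    "junk": b"\x30",
}
```

`audit(SAMPLE)` labels `legacy-dev` as `md5WithRSAEncryption`; in practice the dictionary would be filled from exported certificate files, and every certificate in a chain needs the same check, not only the leaf.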
“I’m all for changing it; it should be gone and we see it in customer sites all the time,” Bailey said. “But we have to make it easier to change it. It’s like if you get a recall notice from a car manufacturer that says ‘If you have this spark plug, bring your car in for servicing.’ I don’t know what spark plugs my car is running. I have to dive under the cover to figure out if I have what they’re saying is bad.”
Experts say most production servers and webservers hosting production websites are likely not running MD5; it’s second-tier development servers, for example, that were spun up years ago and still store sensitive data that are the outlying issue here—and a tempting target for a hacker. With MD5 broken for so long, enough attacks have been made public and enough advances have been made in processor speeds that cracking MD5 crypto isn’t likely that much of a barrier for an attacker.
Ross Barrett, senior manager of security engineering with Rapid7, said that attackers can use stolen certificates to redirect traffic or inject malware.
“It’s a bit of a heavy-handed attack to just steal credit cards, but if you have a national security program and you’re sweeping for anyone you can get at, this might justify the cost and effort behind this type of attack,” Barrett said. “Any crypto [attack] relies on the complexity of generating the hash versus the difficulty of creating a collision. This can be facilitated as we get more powerful computers and the technology gets stronger to do so. Plus you have a black market industry building computers suited for doing lots of math, like cracking hashes and generating collisions.”
Tripwire’s Bailey, for example, estimates that 30 percent of the customers he deals with are still running MD5 somewhere in their environments.
“We see it with a lot of homegrown systems and apps where the team that worked on it built it years ago and may not be there anymore. They built a custom app running MD5 crypto and said that was good enough because they were internal. Well it’s not.”
This isn’t Microsoft’s first move against weak cryptographic schemes. Last October, it released a mechanism organizations could use to find RSA certificate key lengths shorter than 1024. In June, anything shorter was considered untrusted and was revoked. Microsoft, in fact, urged customers to move to 2048-bit or higher keys.
“The test will be for the end user that this is coming and it’s time to get rid of it in the environment,” Bailey said. “And Microsoft is testing too whether any of its customers push back and need more time. If February rolls around and it’s not a mandatory update, that’s probably what happened. I don’t remember Microsoft giving customers such a long runway on this kind of change. They must think [MD5] is out there more than we do to give customers that long of a runway of time.”