Feed aggregator

Chinese Internet Traffic Redirects to US Anti-Censorship Site

Threatpost for B2B - Wed, 01/22/2014 - 13:48

Much of the Internet was inaccessible to Chinese users for more than an hour yesterday after a domain name system error – believed by some to have been the result of a censorship error – led Web-surfers to a blank page hosted by an American technology company.

While users were able to access Web addresses hosted under China’s top-level .cn domain, the South China Morning Post reports that .com, .net, and .org domains would not resolve properly. Instead, users attempting to visit sites not hosted under China’s TLD were being redirected to a site owned and operated by Dynamic Internet Technology, a U.S. company that touts itself as a developer of censorship-defeating software. The company also reportedly helps host the Epoch Times and other sites banned by the Chinese government.

The South China Morning Post spoke with Dynamic Internet Technology CEO and founder, Bill Xia. He confirmed that the redirect website did indeed belong to his company but attributed the DNS issues to an error in China’s massive Web censorship system, often referred to as the Great Firewall of China.

“We noticed a sudden increase of traffic and suspected we were under attack,” Xia told the South China Morning Post. “Our security system has activated a protection mechanism so visitors to the address are not able to see anything.”

Xia went on to claim that the incident bore similarities to another more than ten years ago in which China’s DNS restrictions backfired and routed Internet users to the website of a spiritual group known as the Falun Gong, a group the Chinese government reportedly considers a cult. It should be noted that the Epoch Times, one of Dynamic Internet Technology’s clients, is often associated with the Falun Gong.

In contrast to Xia’s assertion, numerous reports indicate that Chinese officials and other hardliners are blaming the outage on a cyberattack.

XSS Filter Bypass Bug Found in Chrome and Safari

Threatpost for B2B - Wed, 01/22/2014 - 10:15

There is a bug in the anti-cross-site scripting filter in Chrome and Safari that enables an attacker to bypass the filter in some cases and use an XSS flaw on a given site to compromise visitors’ machines. The vulnerability is fairly simple to exploit and a researcher has posted proof-of-concept code.

The vulnerability lies in the way that anti-XSS filters handle a specific attribute in IFRAME tags. These filters are designed to prevent attackers from being able to use XSS flaws on vulnerable Web sites in order to run malicious injected code in users’ browsers. Exploiting this flaw allows the attacker to bypass the filter and run his injected code.

“This bug is based on a misuse of the srcdoc attribute of the IFRAME tag, included in the HTML5 definition. To perform an XSS attack on Google Chrome Browser or Safari using this bug, the website must include an IFRAME and must be able to read any attribute of this element from HTTP parameters (GET/POST) without applying any charset filter. Then, in the IFRAME parameter, the srcdoc attribute may be included with JavaScript code. The browser cannot filter it and it will be executed,” Ioseba Palop from Eleven Paths wrote in an advisory.

Palop said he informed Google of the vulnerability in Chrome back in October and the company developed a fix a couple of days later. The patch landed in the stable Chrome channel in the recent release of version 32. He said that the vulnerability still exists in Safari on Mac and iPhone, however. Eleven Paths contacted Apple about the flaw, but the company said it is still working on the issue.

“They confirmed our email, and told us they were working on it. And it seems that they still are, since the program is still vulnerable. Every time we have tried to contact them again, they reply back telling us there is no news, but they are working on it,” the company blog post said.

Robert Hansen, a security researcher and director of product management at WhiteHat Security, said the attack could be a problem, although it’s not the most common XSS attack scenario.

“The attack does rely on being injected into an existing iframe tag. That does happen, but it is somewhat rare compared to the more common HTML or parameter injection variants and is often also coupled to a ‘content spoofing’ exploit as well as defined by WASC. Generally speaking, people who use iframes should be wary of accepting user input to dictate the location of the frame, and sanitizing input is always a good idea,” Hansen said.

Image from Flickr photos of Tiger Girl.

WhatsApp Spam Spreads New Banking Trojan

Threatpost for B2B - Tue, 01/21/2014 - 15:59

Spam emails promoting a non-existent PC version of the popular WhatsApp messaging service could be leading unsuspecting users to a malicious banking Trojan.

The emails, written in Portuguese, trick the recipient into thinking they already have 11 pending friend invitations, according to Kaspersky Lab’s Dmitry Bestuzhev, who wrote about the malware today on Securelist.com.

If users click on the “Baixor Agora” (Download Now) link in the email, they’re redirected – through a hacked Turkish server – to a Hightail.com URL to download the Trojan. Hightail, like Dropbox or YouSendIt, is a service that allows cloud file storage and downloads. The downloader then downloads the banker via a server in Brazil. According to Bestuzhev, the file comes disguised as a relatively small 2.5 megabyte MP3 file, making it more likely users will open it.

Once it’s set up, the malware gets to work, stealing data, packing it up and shipping it off to the cybercriminal before downloading new malware files, up to 10 megabytes in size, to the system.

“The malware reports itself to the cybercriminals’ infections statistics console and when open, a local port 1157 sends stolen information in the Oracle DB format,” Bestuzhev wrote today.

It’s unclear if the malware has made it to U.S. shores yet but given the popularity of WhatsApp abroad – especially in Europe and Latin America – it appears to be contained to those areas, at least for now.

Bestuzhev even goes as far as to call it a “classic style of a Brazilian-created malware,” as it appears to target users in Brazil, a country with an established WhatsApp user base, and the Trojan is downloaded from a Brazilian server.

The cross-platform messaging app has been massively popular as of late, boasting more than 430 million users, 30 million added in just the last month, and sending more than 50 billion messages a day. Rumors Google was going to acquire the service last spring for roughly $1 billion bubbled up but quickly deflated.

The company’s CEO and co-founder Jan Koum has previously said the company makes a point to know as little as possible about its users and that it doesn’t collect people’s personal information, just users’ phone numbers and a list of users they want to communicate with.

While that may be true, it was reported in October that if someone wanted to eavesdrop on users’ WhatsApp conversations, it could be done, “given enough effort.”

Dutch researcher Thijs Alkemade disclosed a vulnerability in the app’s crypto implementation, specifically the fact that it uses the same key for incoming and outgoing messages, that could leave messages exposed. The company balked at Alkemade’s research however, deeming it taking place in a scenario “more theoretical in nature.”

This isn’t the first spam email campaign centered around the app. Spammers also leveraged the service in November to push malware via email by tricking users into thinking they had a new voicemail, even though WhatsApp does not provide a calling feature; it is a text messaging service.

Google Auto-Update Weakness Exposed by Ad-Peddling Extensions

Threatpost for B2B - Tue, 01/21/2014 - 15:09

Two Chrome extensions went from legitimate browsing add-ons to adware-spewing nuisances in the blink of a legitimate transaction.

Google recently took action against the Add to Feedly and Tweet this Page extensions, removing both from the Chrome Store after they were sold to adware brokers and found to be injecting ads into pages visited by users. Big picture, the risk has been mitigated, but it also exposed a weakness in Google’s auto-update mechanism, which automatically inserted changes configured by the new owners of the respective extensions without a heads-up to users.

Amit Agarwal, a popular blogger in India, sold the Add to Feedly extension after receiving a four-figure offer, he said. The deal was too good to resist, especially considering the extension took him an hour to develop. Agarwal admits he did not know the buyer, nor why they would pay good money for a Chrome extension that had been downloaded more than 30,000 times when it was sold.

Agarwal said that within a month, the new owner had built in advertising and users were seeing ads injected onto random websites they visited.

“These aren’t regular banner ads that you see on web pages, these are invisible ads that work in the background and replace links on every website that you visit into affiliate links,” Agarwal wrote on his website labnol.org. “In simple English, if the extension is activated in Chrome, it will inject adware into all web pages.”

Google pulled the extensions from the Chrome store because they were in violation of the quality guidelines established by the company. Google’s policy states that extensions must have a single purpose and users should not be forced to agree to additional functionality, especially if it is unrelated to the extension.

“If two pieces of functionality are clearly separate, they should be put into two different extensions, and users should have the ability to install and uninstall them separately,” the policy states, adding that this goes for bundled toolbars as well; Google says those should be separate extensions.

The spammers’ actions are clever. Purchasing popular extensions such as Agarwal’s, which he said was developed in response to Google’s decision to shut down Google Reader, provides spammers and adware purveyors with an effective vehicle to peddle ads for profit. Coupled with the fact that they can piggyback onto Google’s silent auto-update mechanism, that makes for an inviting vector to push not only spam but even malware.

“The extension does offer an option to opt-out of advertising (you are opted-in by default) or you can disable them on your own by blocking the superfish.com and www.superfish.com domains in your hosts file,” Agarwal said of his old extension. “But quietly sneaking ads doesn’t sound like the most ethical way to monetize a product.”

‘Password’ is No Longer the Worst Password

Threatpost for B2B - Tue, 01/21/2014 - 12:08

If you think you’re being clever by basing your password on the site you’re visiting or adding a zero to the end of 123456789, you’re not. A new list of the 25 worst passwords, culled from public dumps of passwords stolen in data breaches, shows that these are some of the least useful passwords you can come up with. The good news is that “password” is no longer the most popular bad password. The bad news is that the new loser is even worse.

The most often-used password found in public password dumps in 2013 was “123456”, about as far as you can get from a complex password. The list, compiled by SplashData, shows that “password”, which had been the most popular bad password for several years, fell to number two, while several variations of consecutive digits were also found in the top 10. The list reads like a primer on how to devise miserable passwords guaranteed to fall to a brute-force attack.

One of the major contributors to the database of publicly available user passwords was the Adobe data breach, which affected nearly three million users. A number of the passwords found in the top 25 list are clearly related to Adobe accounts, including “photoshop” and “adobe123”. The Adobe password list also contains a sad litany of lazy, simple passwords. For example:

  • 123456 
  • 123456789
  • password
  • adobe123
  • 12345678
  • qwerty
  • 1234567
  • 111111
  • photoshop
  • 123123

These passwords violate pretty much every generally accepted piece of advice experts give about constructing strong passwords. No capital letters, no special characters, consecutive digits, etc. In short, these are the passwords that attackers hope for when they are trying to compromise a user’s account. And, unfortunately, it’s often what they get.
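As an added example (not code from SplashData or the article), here is a sign-up check in JavaScript that rejects the patterns the list above is built from, plus the “clever” variants the article mentions: a trailing zero on 123456789, a digit tacked onto a dictionary word, or the site’s own name. The ten-entry denylist and the site words are constructed for illustration.

```javascript
// Added example, not code from SplashData or Threatpost: a sign-up check that
// rejects the patterns the list above is built from, plus the "clever" variants
// the article mentions (a trailing zero on 123456789, the site's own name, a
// digit tacked onto a dictionary word). The ten-entry denylist and the site
// words are constructed for illustration; a real deployment would load a large
// breach corpus.

const WORST_PASSWORDS = new Set([
  '123456', '123456789', 'password', 'adobe123', '12345678',
  'qwerty', '1234567', '111111', 'photoshop', '123123',
]);

// Lower-case and drop punctuation so "Password!" and "password" compare equal.
function normalise(pw) {
  return pw.toLowerCase().replace(/[^a-z0-9]/g, '');
}

// True for runs of four or more digits that are all equal, ascending by one,
// or descending by one ("111111", "12345678", "987654").
function isDigitRun(s) {
  if (!/^[0-9]{4,}$/.test(s)) return false;
  const steps = new Set();
  for (let i = 1; i < s.length; i++) {
    steps.add(s.charCodeAt(i) - s.charCodeAt(i - 1));
  }
  return steps.size === 1 && [-1, 0, 1].includes([...steps][0]);
}

// All the forms a candidate collapses to once the usual decorations are removed.
function candidates(pw, siteWords) {
  const base = normalise(pw);
  const out = new Set([base]);
  out.add(base.replace(/0+$/, ''));             // "1234567890" -> "123456789"
  out.add(base.replace(/[0-9]+$/, ''));         // "password1"  -> "password"
  for (const w of siteWords) {
    out.add(base.replace(w.toLowerCase(), '')); // "adobepassword" -> "password"
  }
  out.delete('');
  return out;
}

// Returns { ok, reason }; reason is empty when the password passes.
function checkPassword(pw, siteWords = []) {
  if (pw.length < 8) return { ok: false, reason: 'too short' };
  for (const c of candidates(pw, siteWords)) {
    if (WORST_PASSWORDS.has(c)) {
      return { ok: false, reason: `matches breached password "${c}"` };
    }
    if (isDigitRun(c)) return { ok: false, reason: 'digit sequence' };
    for (const w of siteWords) {
      if (c.includes(w.toLowerCase())) {
        return { ok: false, reason: `contains site name "${w}"` };
      }
    }
  }
  return { ok: true, reason: '' };
}
```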

Cutwail-Like Spambot Hides Malicious Activity in its Traffic

Threatpost for B2B - Tue, 01/21/2014 - 10:55

A new spambot has been discovered that generates copious amounts of HTTP POST and GET requests in an attempt to disguise what it’s really up to and throw detection capabilities off the scent.

“In this case, it seems like it’s trying to hide impactful communication, where there are actual payloads, among innocuous requests that don’t contain anything noteworthy,” said Ed Miles, a senior software engineer, malware research at Dell SonicWALL. “It’s hiding itself in its own traffic.”

The spambot, identified as Wigon.PH_44 by SonicWALL, is being served on compromised websites hosted on the WordPress platform. To date, there are up to 200 sites serving the malicious executable and Miles said that SonicWALL has recorded 15,000 hits in the wild on the malware signature, most of those in the United States.

The Trojan infects Windows machines, including Windows 8 64-bit systems, and not only sends spam, but researchers have also found a data-stealing component that searches victim computers for email and FTP applications such as CuteFTP, FTP Commander, FTP Navigator, FileZilla and more.

Miles and colleague Deepen Desai, a senior security researcher, also note that the malware has similarities to the Cutwail botnet, but aren’t ready to call it a variant yet.

“We were seeing the malware getting the [spam] email templates as part of the HTTP request, but they’re in an encrypted format; that is one of the things we have seen in the past with Cutwail,” Desai said. “I would say it’s too early to call it Cutwail, but based on the behavior we’ve documented, it seems similar.”

Cutwail is one of the most established and most prolific spam botnets, at one point sending millions of spam messages daily. It was two million compromised machines strong and was used to distribute spam and financial malware targeting not only credit card data but credentials. The Cutwail emails often included links that would lead victims to sites hosting the Blackhole Exploit Kit, which would then inject downloaders for other malware such as ZeroAccess or Zeus.

Victims in the campaign uncovered by Dell SonicWALL are infected via drive-by download attacks from the compromised WordPress sites. Miles and Desai said they had no information on how the WordPress sites were compromised or what the vulnerabilities may be. Once it’s established a foothold, it connects to a command server and receives other instructions that include orders to spam out other malware families, the researchers wrote on the company blog.

Spambots and financial botnets have regressed a bit since the downfall of the Blackhole exploit kit, Cutwail included. When its alleged creator, a Russian named Paunch, was arrested in October, Blackhole and Cool, another alleged Paunch project, disappeared along with him. Cybercriminal gangs relied for years on Blackhole and its various webinject components to compromise websites and redirect victims to dangerous malware such as Zeus and ZeroAccess, both of which are prolific and handy at emptying bank accounts.

Now that Blackhole is gone, security researchers noticed that some gangs had upped their use of direct attachments in spam and phishing emails to spread malware such as Zeus—a much less efficient means of making a profit, experts said. Some gangs too, were not only pushing financial Trojans, but also ransomware such as CryptoLocker and PowerLocker in an effort to quickly regain revenue until a viable alternative to Blackhole emerged.

Cutwail was one such instance, researchers at Websense said, adding that some criminal outfits have tested the waters with a number of exploit kits including Neutrino, Nuclear Pack and Magnitude. Magnitude was poked and prodded by the Cutwail gang, Websense said, before it decided instead to rely upon emails containing malicious .zip files, numbers of which shot up in the wild.

Blog: WhatsApp for PC - a guaranteed Trojan banker

Secure List feed for B2B - Tue, 01/21/2014 - 00:54

WhatsApp for PC - now from Brazil, bringing a banker that will steal your money. It hides itself as an MP3 file and has low VT detection.

Starbucks Fixes Vulnerable iOS App, Geolocation Issue Persists

Threatpost for B2B - Mon, 01/20/2014 - 17:19

Starbucks has patched a vulnerability in its iOS app that was found last week spilling user data, including usernames and passwords, by adding what it called an “additional safeguard measure” to protect its customers.

While it’s a relatively quick turnaround for the company – it only took about four days for it to push out a new version of the app – the security researcher who found the vulnerability is encouraging the company to give one remaining issue its fair shake. According to a post on Full Disclosure’s seclists.org Friday, security researcher Daniel Wood is hoping the coffee conglomerate takes a look at an outstanding geolocation issue still present in the application.

The issue isn’t a huge one – Wood says he doesn’t believe it’s even a security concern per se – but that it’s still worth fixing.

It involves a file stored on iOS devices under /Starbucks/Library/Preferences/com.starbucks.mystarbucks.plist that contains a user’s last logged geolocation. According to Wood, the difference between this file and the old file, session.clslog, is that this information is the last location where a customer used their device and not a running log of where customers have been.

“I do recommend that the above issue [with mystarbucks.plist] be remediated within the next release cycle of the mobile application to prevent a customer’s last logged geolocation data from being stored,” Wood said in his write-up.

While the geolocation information is overwritten each time and can’t be used to track user movement patterns over time, there’s a chance it could still be used in coordinating an attack, perhaps in a social engineering capacity.

Last week it was discovered that a file (session.clslog) on version 2.6.1 of the app stored users’ personal information – their username, email address, address, geolocation data and password – in clear text. Starbucks initially dismissed Wood’s report, calling the vulnerabilities “theoretical” and asserting there was “no known impact” to their customers at the time.

The vulnerability was locally exploitable, Starbucks’ servers were never hacked and there was never a chance that users’ credit card info could have been in danger.

Late last week however the company’s Chief Information Officer Curt Garner released a letter to its users assuring them that “out of an abundance of caution” Starbucks was working hard to “accelerate the deployment of an update for the app.”

The company did just that on Friday when it released version 2.6.2 of the app. Now when users open the updated version “it clears session.clslog out, effectively wiping this data off your device,” according to Wood.

“This behavior makes sense as the application is required to run in order to execute the programmatic functions that address the issue of a static file that was being spooled to,” Wood rationalized.

With the updated app, since data elements are no longer being written to the session.clslog file in clear text, users should expect their information will be safe going forward.

Starbucks’ app is one of the most popular apps available for iOS and routinely appears in Apple’s “Top 100 Free Apps” section. The app lets users connect their Starbucks card to their smartphone, reload funds via credit card and treat the phone like cash in stores worldwide.

The NSA, Metadata and Straw Men

Threatpost for B2B - Mon, 01/20/2014 - 15:48

For the people expecting President Barack Obama to announce sweeping changes to the NSA’s surveillance programs, his speech on Friday likely was a major disappointment. Obama laid out some new controls and limits for some of the more controversial programs, specifically the phone metadata collection system, but much of the speech focused on why the NSA’s programs work and why the existing oversight keeps it in check. Many privacy advocates and former intelligence officials decried the changes as window dressing, but in the wake of his speech, it’s become clear that some key government officials support Obama’s position and see little need for reform.

The metadata program has become the poster child for the NSA’s alleged abuses, overreaching and invasions of privacy. The program enables the agency to collect hundreds of millions of phone records from mobile providers every month and store them, under the theory that the agency might at some point need to query that database and see whether there are any calls that could pertain to a terror investigation. Obama announced some new limits on the ways those queries work and also said the government should no longer store that data, but it should instead rest with some third party. The message from Obama was clear: this program is not going away.

“I believe it is important that the capability that this program is designed to meet is preserved,” Obama said.

Two days later, Rep. Mike Rogers, the Republican chairman of the House Intelligence Committee, and Sen. Diane Feinstein, Democratic chairwoman of the Senate Intelligence Committee, appeared together on TV to discuss the president’s proposed reforms, and an interesting thing happened: they agreed. Asked whether the NSA metadata program would be killed, Feinstein said she couldn’t see it happening and believed that the program was necessary and appropriate.

“I don’t believe so. The president has very clearly said he wants to keep the capability,” Feinstein said. “We would agree with him. The NSA are professionals. They are vetted and carefully supervised.”

“The most important victory was the president standing up and saying the program didn’t have abuses,” Rogers said in the interview on Meet the Press.

As the chairs of the powerful intelligence committees, both Rogers and Feinstein have had classified knowledge of the NSA’s programs for years now, so the revelations of the last few months would have come as little surprise to them. They’ve had months and years to construct their positions on this issue, and what they came up with was an echo of a talking point. Metadata collection is important because it could prevent a terror attack. It never has, mind you, but it could.

Feinstein, who in Senate hearings has consistently defended the NSA and its programs, has used a variety of different arguments to support her position, including the debunked story line that metadata collection could have prevented 9/11. But she broke out a new one on Sunday, saying that the government is actually less of a threat to users’ privacy than corporate America is.

“When you look at what companies collect, the government doesn’t seem to be a major offender at all,” she said.

This is an argument that will be familiar to every parent on earth. It’s the equivalent of a child caught with his hand in the cookie jar saying, “But I only took one! Johnny took five!” While Feinstein’s statements may have some kernel of truth to them, her argument doesn’t hold up. Users typically have some level of awareness that they’re giving up data to ad companies, mobile phone carriers, Google, Apple and other companies. It’s the foundation of the Internet economy. We trade our personal information for convenience, discounts and access. But in the case of the NSA’s collection methods, only a tiny fraction of the population had any idea before these leaks started that the agency was amassing astounding quantities of data on Americans’ online activities, and those who did were in no position to discuss it.

But now that these programs are common knowledge and we’ve seen their scope and reach, using data collection by private companies as a distraction from the NSA’s activities is disingenuous. Certainly private companies collect massive amounts of data on their customers, and that’s a serious problem in its own right. But the government is not a for-profit organization and it’s meant to protect its citizens, not to treat them as suspects in pre-crime scenarios. Change, not misdirection, is what’s needed.

Android Vulnerability Enables VPN Bypass

Threatpost for B2B - Mon, 01/20/2014 - 12:44

A vulnerability in the Android mobile operating system could allow hackers to write applications that would bypass a secure virtual private network connection and redirect traffic in clear text to an attacker.

Researchers from Israel’s Ben Gurion University claim that the vulnerability can be exploited by a specially crafted, malicious application that bypasses a VPN configuration and redirects device traffic to a separate network address.

In a write-up on the university’s cyber security blog, Dudu Mimran, the department’s chief technical officer, writes that a potentially malicious application capable of bypassing a VPN would not require root permissions. Furthermore, he claims, there is no indication to the user that his or her data is being captured during the exploit process.

In a video demonstration, the researcher tests his exploit on a Samsung Galaxy S4 device, though he says he tested it on a number of devices from various vendors. In the background of the video, the researcher is running a packet-capturing tool on a desktop machine connected to the same network. As Mimran opens his malicious application, presses the exploit button, turns on the VPN, and sends an email, the computer monitor in the background can be seen collecting information in transit from the Android device.

The vulnerability will reportedly leak transport layer security (TLS) and secure sockets layer (SSL) traffic as well, though that information will remain encrypted after it is captured. Mimran says that the bug is confirmed on the most widely deployed Android version: 4.3 Jelly Bean. The researchers are in the process of testing the exploit on the newer, 4.4 KitKat variety of Android.

Mimran says he reported the vulnerability to Google’s Android security team on Jan. 17 and that he will publish the full bug details as soon as Google resolves the issue. A request to Google to confirm the existence of the flaw was not returned by the time of publication. This research is part of Ben Gurion University Cyber Security Labs’ ongoing effort to uncover mobile security vulnerabilities. Late last year, another researcher there uncovered a serious security flaw in Samsung Knox.

Below is a video demonstration of the hack:

Details on Patched Microsoft Office 365 XSS Vulnerability Disclosed

Threatpost for B2B - Mon, 01/20/2014 - 12:43

A researcher in the UK disclosed the details of a serious cross-site scripting vulnerability in Office 365 that would allow an attacker with a mailbox on Office 365 to gain administrator rights over the Microsoft Web-based application in an organization.

An exploit in an enterprise environment would put email and SharePoint data at risk and could also give a hacker the ability to change Office 365 configuration settings, said researcher Alan Byrne, cofounder of Cogmotive, a business process automation firm in London.

“It was able to be exploited from any web browser, from any internet connected device,” Byrne told Threatpost, adding that an attacker could do so with just a few lines of JavaScript.

Byrne said he reported the vulnerability to Microsoft on Oct. 16 and was informed that the issue was resolved by Dec. 19 when Microsoft rolled out the fix to its online service.

“I believe this makes it a really large vulnerability, as in most companies everyone has a mailbox including interns, part time support staff, contractors and third-party service providers,” Byrne said. “If any of these people had malicious intent they could have used this exploit to gain access to the email correspondence of anyone else in the company including the CEO or looked into the SharePoint document libraries of any department.”

Byrne said in a post to his company’s blog that the vulnerability was introduced into Office 365 in its latest update, called Wave 15, which was completed in November. A number of new features were built into Office 365, including more storage, mobile access for iOS devices and offline access to Outlook Web App. Byrne said he found the bug in the Office 365 Administration Portal.

“At its core the exploit uses a simple Cross Site Scripting vulnerability in the Microsoft Office 365 Administration portal. The portal was not correctly escaping user and mailbox information which it read out of Windows Azure Active Directory,” he said. “In this case, it was possible to modify the Display Name of a user account to include an XSS payload which was then executed in the browser of an administrator when they viewed a list of all users in the Office 365 portal.”

Like many other Web applications, Office 365 relies on JavaScript and uses the jQuery library, which Byrne said made it simple to write a cross-site scripting attack that would call and load a malicious JavaScript file from a remote server. Using legitimate credentials for a standard user account in Office 365, Byrne said he was able to modify his display name and replace it with an XSS string that loaded the malicious remotely stored file.

“Now that my display name contains the payload, we just need to wait for an Administrator to log into the web portal to do some business-as-usual user administration,” Byrne said. “The Administrator doesn’t have to click any links for the payload to be executed, they merely have to load up the user administration page.”
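The root cause Byrne describes here, and the one behind the Chrome/Safari srcdoc bypass earlier on this page, is the same defender-side omission: untrusted text written into HTML without encoding for the context it lands in. The following JavaScript is an added example, not code from Eleven Paths, Cogmotive or Microsoft; it shows the vulnerable iframe template beside its hardened form and a user-list renderer that encodes display names. The domain example.test and the sample users are constructed.

```javascript
// Added example, not code from Eleven Paths, Cogmotive or Microsoft. The
// defender-side fix for both bugs reported on this page is contextual output
// encoding:
//  - the srcdoc bypass needed a page that copied an HTTP parameter into an
//    IFRAME attribute without escaping, so the input could close the src
//    attribute and add a srcdoc attribute of its own;
//  - the Office 365 portal rendered directory display names into the admin
//    user list without escaping, so a display name could carry markup.

// Encode for an HTML text node (content between tags).
function escapeHtmlText(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Encode for a quoted HTML attribute value: additionally neutralise both quote
// characters so the input can never terminate the attribute it sits in.
function escapeHtmlAttr(s) {
  return escapeHtmlText(s).replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Vulnerable pattern (the shape the Eleven Paths advisory describes): the
// request parameter is pasted straight into the attribute.
function renderIframeVulnerable(userSrc) {
  return `<iframe src="${userSrc}"></iframe>`;
}

// Hardened pattern: attribute names are fixed by the template, the value must
// parse as an http(s) URL (the WHATWG parser percent-encodes quotes, spaces and
// angle brackets in the path), and the result is attribute-encoded on output.
function renderIframeSafe(userSrc) {
  let url;
  try {
    url = new URL(userSrc);
  } catch (e) {
    return null; // not a URL at all: refuse rather than guess
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return `<iframe src="${escapeHtmlAttr(url.href)}"></iframe>`;
}

// Admin user list: display names come from the directory and are attacker-
// influenced (any mailbox owner can edit their own), so they are text-encoded.
function renderUserListSafe(users) {
  const rows = users.map(
    (u) => `<tr><td>${escapeHtmlText(u.displayName)}</td>` +
           `<td>${escapeHtmlText(u.upn)}</td></tr>`
  );
  return `<table>${rows.join('')}</table>`;
}

// Constructed sample inputs (hypothetical domain example.test).
const SAMPLE_SRC_INJECT = 'https://example.test/page" srcdoc="injected';
const SAMPLE_USERS = [
  { displayName: 'Alice Example', upn: 'alice@example.test' },
  { displayName: 'Mallory <script>not-a-name()</script>', upn: 'mallory@example.test' },
];

// Count attribute delimiters: a safe iframe tag has exactly one quoted attribute.
function quoteCount(html) {
  return (html.match(/"/g) || []).length;
}
```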

The exploit he wrote carries out two functions. First, it creates a new global administrator account in the company’s Office 365 environment; Byrne said that in a large company, such a tactic will likely succeed because new accounts are likely to blend in and essentially hide in plain sight.

“The function appends an iFrame which is zero pixels wide and zero pixels high to the Office 365 administration web page. It is effectively invisible to the Administrator whose account is being attacked,” he said. “Inside this iFrame we load up the Create User page and use jQuery to fill in all the form fields, select the type of Administrative account we wish and request that the initial password be sent to my email address.”

Once the hacker receives his new Office 365 credentials, he’s off and running, free to make configuration changes, read email, copy and steal SharePoint data and more, putting not only personal information at risk, but also intellectual property.

The second part of his exploit’s payload, he said, keeps the attack quiet.

“It loads another zero by zero pixel iFrame but instead modifies my user account to change the display name back to its original value,” Byrne said. “By the time the administrator sees the XSS payload, it’s too late and it has already been executed. If the administrator refreshes the administration page or clicks on the user account to investigate further, the display name will appear normally. Most Windows Administrators I know would put it down to ‘internet gremlins’ and pretend they didn’t see it.”

Ironically, in November, Microsoft beefed up its encryption capabilities in Office 365, announcing a new service called Office Message Encryption that Microsoft said will simplify email encryption for users. Microsoft is expected to have the service rolled out this quarter.

EFF Activists, Journalists Hit By Targeted Malware Attack

Threatpost for B2B - Mon, 01/20/2014 - 11:15

Phishing and malware attacks are among the more democratic and populist threats on the Internet. You don’t have to stand in the crowd in order to be targeted; the attackers will get to you sooner or later. But while most malware campaigns are aimed at the masses, attackers often save their best stuff for high-value targets, as a recent campaign targeting American journalists and activists from the EFF shows.

The EFF is well-known for its advocacy of privacy, digital and human rights and security and its staffers often write extensively about abuses, especially in countries such as Syria, Iran, Vietnam, China and Egypt. In late December, a pair of EFF employees received an email purporting to be from someone at Oxfam, the global anti-poverty and human rights organization. The email had a couple of links in it, which supposedly would allow the recipients to download information about the “Asia Conference” that the message was pitching. But the links were hosted on Google Drive, rather than an Oxfam site, which raised the EFF’s suspicions right away.

“This targeting is especially interesting because it demonstrates some understanding of what motivates activists. Just as journalists are tempted to open documents promising tales of scandal, and Syrian opposition supporters are tempted to open documents pertaining to abuses by the Assad regime, human rights activists are interested in invitations to conferences. For greater verisimilitude, the attacker should have included an offer to pay for flights and hotels,” Eva Galperin and Morgan Marquis-Boire wrote in an analysis of the malware.

The messages also contained two attachments, which are actually the same file. The same malware was also contained in an email that was sent to a reporter from the Associated Press, but this time disguised as a white paper on human rights. The link in the email to the AP downloaded an HTML application that had a Word document and an executable. The executable will install a long list of other files on an infected machine and make some changes to the registry, which allow the malware to survive reboots.

There is another file that is written into the process space of explorer.exe, which enables the malware to communicate over port 443 to a remote server. The C&C server has been associated with previous malware campaigns from Vietnam, the analysis says, and the malware bears some resemblance to the one used in previous attacks against Vietnamese bloggers.

“The group behind these attacks appears to have been operating since late 2009, and has been very active in the targeting of Vietnamese dissidents, people writing on Vietnam, and the Vietnamese diaspora. This appears to be the work of a group commonly known as ‘Sinh Tử Lệnh’ and while it has been anecdotally claimed to be the work of Chinese actors, it seems to be more likely the work of Vietnamese targeting Vietnamese,” the analysis says.

The tack taken by these attacks is similar to ones used in campaigns against dissidents and activists in other countries over the course of the last few years. Journalists, bloggers and others in Syria, Tibet, China and elsewhere have been targeted with campaigns that involve highly targeted social engineering techniques and rigged documents designed to install malware on victims’ machines. Some of these attacks have been tied to government groups in those countries as they attempt to keep tabs on opposition voices.

Obama Orders NSA Reforms, But Metadata Collection to Continue

Threatpost for B2B - Fri, 01/17/2014 - 15:21

President Obama today announced reforms to the National Security Agency’s bulk metadata collection program under Section 215 of the PATRIOT Act, ordering a transition that would end the program as it exists today, and prohibit the government from storing and accessing the data without secret court approval.

The reforms allow the NSA to continue collecting metadata on phone calls; metadata includes the numbers calls are made to and from, along with their duration. What remained unclear is whether the agency will need a warrant to access it from telecommunications providers such as Verizon or AT&T, or whether the collected data will be managed by a third party.

The agency says it uses call metadata to map connections between foreigners thought to be involved in terrorism. Privacy advocates, meanwhile, point out that the NSA’s activities also ensnare metadata from Americans and that their civil liberties are being violated without just cause.

“I believe it is important that the capability that this program is designed to meet is preserved,” Obama said. He did concede, however, that the program opens the door to more intrusive bulk collection programs and requires oversight and change.

Outspoken opponents, such as CREDO Mobile CEO Michael Kieschnick, were not as optimistic.

“Whether the president moves his telephone data dragnet to AT&T and Verizon, to some other third party, or keeps it at the NSA makes no difference,” Kieschnick said. “It’s still clearly unconstitutional and must be dismantled.”

Obama’s announced reforms largely call for increased Executive branch oversight of the intelligence community’s dragnet surveillance activities. He ordered annual reviews by the Attorney General and Director of National Intelligence that would help declassify Foreign Intelligence Surveillance Court opinions that have broad privacy implications. Obama also called on Congress to establish a panel of privacy experts outside of government to render opinions on significant cases before the FISC hears them. He also promised changes to how National Security Letters are used and how long they can be kept secret. A number of technology companies have petitioned the president and Attorney General to be more transparent about the number of National Security Letters they receive.

“I’ve directed the Attorney General to amend how we use National Security Letters, so that this secrecy will not be indefinite, so that it will terminate within a fixed time,” Obama said. “Unless the government demonstrates a real need for further secrecy.”

The president also ordered changes to the surveillance of foreign heads of state, a firestorm that was raised when it was revealed in one of the multitude of Snowden leaks that German Chancellor Angela Merkel’s mobile phone was tapped by the NSA.

Missing from the president’s 45-minute address at the Justice Department was any mention of the agency’s alleged subversion of encryption standards and use of backdoors to keep watch on surveillance targets. The Snowden documents allege that the NSA undermined the National Institute of Standards and Technology (NIST) by introducing code into encryption standards that intentionally weakened them.

NIST-developed Dual_EC_DRBG, a random number generator at the core of RSA Security’s BSafe cryptographic library used in numerous commercial software products, has long been thought to have been backdoored by the NSA. That theory was given credibility after a Reuters report in late December said the security company entered into a secret $10 million contract with the NSA that set Dual_EC_DRBG as the default random number generator in BSafe despite publicly known concerns over its viability as a trustworthy algorithm.

Instead, Obama focused exclusively on the bulk metadata collection program and ordered immediate changes that include pursuing calls two steps removed from a terror suspect rather than three steps, as is the current procedure. Also, he ordered Attorney General Eric Holder to work with the secret Foreign Intelligence Surveillance Court (FISC) so that during this transition period, the database storing phone call metadata can be queried only after a judicial finding or in an emergency.

More broadly, the Attorney General and intelligence community must, before Section 215 comes up for re-authorization on March 28, develop options for a new approach that meets intelligence requirements without the government holding the metadata.

“The reforms I’m proposing today should give the American people greater confidence that their rights are being protected even as our intelligence and law enforcement agencies maintain the tools they need to keep us safe,” Obama said.

In December, a presidential review board recommended to the president that metadata be left with the telecommunications providers who already store it for business purposes, or that it be handed over to an independent third party. It also recommended at the time that the NSA director job be Senate-confirmed and a civilian. That was shot down, however, when Obama announced that the NSA director would continue to be the head of U.S. Cyber Command, a military position.

Obama also announced some organizational changes within government that include: a State Department-designated senior officer to coordinate diplomacy on issues related to technology and signals intelligence; a new White House appointed senior official who will implement any new privacy safeguards announced today; and a team of officials who will look at the challenges to privacy initiated by data collection efforts, not only in the public sector, but commercially as well.

“The President took several steps toward reforming NSA surveillance, but there’s still a long way to go,” said EFF Legal Director Cindy Cohn. “Now it’s up to the courts, Congress, and the public to ensure that real reform happens, including stopping all bulk surveillance–not just telephone records collection. Other necessary reforms include requiring prior judicial review of national security letters and ensuring the security and encryption of our digital tools, but the President’s speech made no mention of these.”

Target Attackers Took 11 GB of Data, Researchers Say

Threatpost for B2B - Fri, 01/17/2014 - 12:25

The attackers who infiltrated Target’s network several weeks ago and made off with 40 million credit and debit card numbers used a multi-stage attack, funneling their stolen data through an FTP server and then a VPS server in Russia. It took more than two weeks, but the attackers eventually exfiltrated about 11 GB of data, researchers say.

The Target breach has quickly made its way onto the short list of the largest data breaches in history, and details are continuing to emerge. Last week the company admitted that, in addition to the 40 million stolen card numbers, personal information belonging to an additional 70 million people also had been stolen. And earlier this week it was reported that the attackers accomplished their feat by installing malware on the point-of-sale systems at hundreds of Target stores. The malware appears to be a derivative of a previously seen PoS malware strain known as BlackPOS.

Researchers at Seculert in Israel have analyzed a sample of the malware used in the Target attack and found that the malware was on the network for nearly a week before it began sending stolen data off to an FTP server sitting on a compromised Web site. The attackers transmitted the information from another compromised machine on the Target network, the researchers said.

“Further analysis of the attack has revealed the following: On December 2, the malware began transmitting payloads of stolen data to an FTP server of what appears to be a hijacked website. These transmissions occurred several times a day over a 2-week period. Also on December 2, the cyber criminals behind the attack used a virtual private server (VPS) located in Russia to download the stolen data from the FTP. They continued to download the data over 2 weeks for a total of 11 GB of stolen sensitive customer information,” Aviv Raff, CTO of Seculert, wrote in an analysis of the malware.

The specific malware used in the Target breach is reported to have had the ability to intercept targeted sensitive data on compromised machines before it is encrypted. That feature would defeat the end-to-end encryption of data that retailers sometimes use to protect data collected on PoS systems that is then sent to a back-end server and possibly a payment processor.

“The attackers were using several components. One of the components has similar behaviors to BlackPOS, a memory parser PoS malware,” Raff said via email.

Raff said that despite speculation, he didn’t see any signs that the malware used in the Target attack was connected to the Neiman Marcus breach.

“While none of this data remains on the FTP server today, analysis of publicly available access logs indicates that Target was the only retailer affected. So far there is no indication of any relationship to the Neiman Marcus attack,” he said.
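The exfiltration pattern Seculert describes, several FTP uploads a day from an internal host to an external server over two weeks, is the kind of low-and-slow behaviour egress logs can surface. The following is an added example, not Seculert’s analysis code or Target data: it parses constructed firewall records and flags internal sources that push data over TCP/21 to an external address on multiple occasions per day across several days, reporting the total volume. The hosts, addresses, internal ranges and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed egress-firewall records: timestamp, source, destination,
# destination port, bytes sent. Made-up hosts; not Target data.
SAMPLE_LOG = """\
2013-12-02T09:12:01,10.20.5.17,203.0.113.45,21,52428800
2013-12-02T14:30:44,10.20.5.17,203.0.113.45,21,73400320
2013-12-02T21:05:10,10.20.5.17,203.0.113.45,21,41943040
2013-12-03T08:50:33,10.20.5.17,203.0.113.45,21,62914560
2013-12-03T19:22:19,10.20.5.17,203.0.113.45,21,58720256
2013-12-02T10:00:00,10.20.7.3,198.51.100.9,443,20480
2013-12-03T10:00:00,10.20.7.3,198.51.100.9,443,18432
2013-12-02T11:00:00,10.20.5.17,10.20.1.2,21,1048576
"""

# Address space the organisation treats as internal (an assumption). Listed
# explicitly rather than via ip.is_private, so the analyst controls the scope.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse CSV records into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        try:
            events.append({"ts": datetime.fromisoformat(ts), "src": src,
                           "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
        except ValueError:
            continue
    return events


def find_ftp_exfil(events, min_days=2, min_per_day=2):
    """Flag internal hosts sending over FTP (TCP/21) to an external address at
    least `min_per_day` times on at least `min_days` distinct days.
    Returns {(src, dst): {"days": n, "transfers": n, "bytes": n}}."""
    per_day = defaultdict(lambda: defaultdict(int))
    totals = defaultdict(lambda: {"transfers": 0, "bytes": 0})
    for ev in events:
        # Internal-to-internal FTP and non-FTP traffic are out of scope here.
        if ev["dport"] != 21 or not is_internal(ev["src"]) or is_internal(ev["dst"]):
            continue
        key = (ev["src"], ev["dst"])
        per_day[key][ev["ts"].date()] += 1
        totals[key]["transfers"] += 1
        totals[key]["bytes"] += ev["bytes"]
    hits = {}
    for key, days in per_day.items():
        busy_days = [d for d, n in days.items() if n >= min_per_day]
        if len(busy_days) >= min_days:
            hits[key] = {"days": len(busy_days), **totals[key]}
    return hits
```

On the constructed log the rule isolates the single POS-segment host talking to one external FTP server; the internal-only FTP transfer and the ordinary HTTPS traffic are not reported. In practice the byte totals per pair are what an analyst would sort on, since a PoS host has no business sending hundreds of megabytes anywhere.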

SCADA Company Patches HMI Zero Day Disclosed at S4 Conference

Threatpost for B2B - Fri, 01/17/2014 - 11:13

Malaysian SCADA software company Ecava released a patch yesterday for a zero-day vulnerability in its flagship human machine interface (HMI) that was publicly disclosed at a conference this week.

The patch repairs a buffer overflow vulnerability in the company’s IntegraXor Web-based HMI software. HMI software provides a visualization of industrial control and manufacturing processes. These interfaces communicate with programmable logic controllers and manage processes from a central interface, usually a Windows-based system. Those processes can include turning pumps on and off, or temperature control and much more.

The disclosure of the zero day by Luigi Auriemma of ReVuln on Wednesday at the S4x14 Conference in Miami led to an advisory being issued by ICS-CERT the same day. Ecava said it had a patch ready the same day it was notified by ICS-CERT. Auriemma told Threatpost today that ReVuln has tested the patch and it does mitigate his attack.

“The vulnerability is a classical stack based buffer-overflow. This SCADA product is a web server, so it opens a TCP port where it accepts HTTP requests,” Auriemma said. “Exploiting the attack is very trivial because it’s enough to send a long request.”

ICS-CERT said Auriemma did not notify the vendor in advance of his presentation, which included proof-of-concept code that causes a denial of service condition leading to a crash of the HMI. Auriemma said during his presentation that under certain conditions, an attacker could also gain the ability to remotely run code. Ecava said releases before build 4390 are vulnerable; the ICS-CERT advisory identified version 4.1.4380 as vulnerable.

“By judging the vulnerabilities I disclosed in the past and those currently in the ReVuln portfolio, this type of security issue is still diffused,” Auriemma said. “A difference with the past is that more products try to use the security features of the compilers (enabling DEP, ASLR, stack cookies and so on).”

IntegraXor is a suite of management tools for HMIs. The software is used in 38 countries, primarily in the United States, U.K., Canada, Australia, Poland and Estonia.

Ecava this summer announced a bug bounty program that was seen as controversial by security researchers. Rather than cash as an incentive for reporting vulnerabilities, the company offered points toward a discount on its software licenses.

The security model for SCADA and industrial control systems has been scrutinized for years, with researchers desperately trying to raise awareness of the risks not only to computer systems but to human lives. While operators may be aware of the security vulnerabilities present in these often antiquated systems, patching them is rarely a simple proposition. There are instances, for example, where critical processes must be taken offline to install software updates, and downtime competes mightily with internal service level agreements.

Two years ago at the Kaspersky Lab Security Analyst Summit, researchers Billy Rios and Terry McCorkle presented on a project where they set a goal of finding 100 SCADA and ICS bugs in 100 days. Instead, they quickly exceeded their goal and at the time of their presentation, they’d found more than 1,000 bugs in nine months, close to 100 percent of which were exploitable. The researchers said the state of SCADA security was laughable then.

BrightBox Home, SMB Routers Leak Volumes of Data

Threatpost for B2B - Fri, 01/17/2014 - 11:01

Leave it to a software test engineer to be thorough about his home networking gear.

Scott Helme, an engineer in the U.K., likes to take a close look at traffic coming and going from new devices installed at his home. Recently, he signed up for fiber service from Everything Everywhere, an ISP in the U.K., which delivered the BrightBox router to his home. BrightBox routers have been installed for more than 700,000 home and small business subscribers in the U.K., and to Helme’s horror, the box is awash with security vulnerabilities.

The flaws are so extreme, he said, that it’s trivial to steal not only device credentials, but a user’s ISP login data. The BrightBox router also leaks sensitive device and user data to other clients on the network, including WPA and WEP keys, SSID lists and keys, the MD5 hash of device admin credentials and the user’s ISP log-in information.

“I would say the leakage of the ISP user credentials is the most severe issue. Coupled with some social engineering or online research an attacker could cancel your broadband account, incurring some serious financial penalties and inconvenience,” Helme said. “That’s closely followed by leaking the md5 hash of the admin password as that hands total control of the device to an attacker. Any of these coupled with [a] CSRF attack to enable remote management could be disastrous, especially to a small business.”

Helme reported the issue to EE several times through customer services and its call center before emailing the ISP’s CEO and CTO, which prompted an almost immediate response from the company’s head of security operations. EE told Helme it would patch the various problems he uncovered by December; that date was soon pushed out to mid-January. As of this morning, EE had not patched the firmware, nor had it been in contact with Helme again.

“At the time of publishing, the latest information I have is that the firmware is back in development to resolve further issues found during testing. Updates and information from EE regarding when this might be patched seem to have dried up completely. I don’t even have an estimate of when the patch will now be available and my questions remain unanswered,” Helme wrote on his website, adding that he decided it was in the public’s best interest to disclose the issue.

An EE spokesperson told Threatpost the company is aware of Helme’s research.

“We treat all security matters seriously, and while no personal data will be compromised by the device itself, we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers’ Brightboxes with enhanced security protection,” the spokesperson said.

Helme said he found trouble from the get-go, noticing a lack of TLS encryption on the log-in page for the router. Running it through the Fiddler debugging program, he was able to quickly find the cgi file storing his credentials as well as a number of other files exposing configuration variables. Normally this would not be a considerable risk for a user logged in as the admin, but as it turns out the device leaks information to any client on the network and anyone could bypass any restrictions imposed on the WiFi network.

“Once a user has access to your Guest Network for example, they could simply view the WPA key for your Main Network and completely bypass all of your restrictions with a simple copy/paste operation,” Helme wrote. “Not only that, but if someone has brief access to your premises and perhaps connects to your LAN, they can steal a copy of your WiFi password/s. This would allow them remote access to your WiFi from outside the premises without you ever divulging the passwords to anyone. Not so good.”

Helme also looked at the password reset mechanism on the router and learned that the existing password is validated only client-side prior to submission on the network.

“If the original password isn’t verified and someone walked by a computer with a logged in session, they could simply reset the password without knowing the existing password,” Helme said. “If the password is available on the client side it means the router transmitted the current admin password to the client.”

Helme loaded another cgi file that contains an MD5 hash of the current admin password, which he said is crackable using rainbow tables available online. The list of JavaScript files Helme found, he said, could be appended to leak a wide range of data.

He also discovered there were no anti-cross-site request forgery (CSRF) protections in place, which enabled him to pull off a replay attack to control the device and gain admin access. He also found a way to bypass the protections in place guarding remote management capabilities.

“With a little CSRF, I can enable remote management on your router and steal all of your sensitive data like WPA keys, ISP credentials and the md5 hash of your admin password over the Internet. Once I’ve cracked the hash I can login and do just about anything I like with your device or not bother with any of that and just call EE to cancel your internet connection,” Helme said. “To try and restrict access to the remote management configuration page but then still allow the feature to be enabled is a huge oversight, especially considering how much data the device leaks! What’s even worse is that there are bugs and odd behavior taking place over the web interface that isn’t normally present.”

This article was updated at 11 a.m. with comments from EE.

Microsoft to Update XP Malware Signatures Beyond Support Cutoff

Threatpost for B2B - Fri, 01/17/2014 - 09:53

Microsoft announced yesterday that it plans to continue updating signatures on the antimalware engine it uses to protect Windows XP for more than a year beyond the date from which it plans to cut off support for the operating system.

That means enterprises still running System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection and Windows Intune on XP systems have until July 14, 2015 to find an alternative. This also applies to Microsoft’s consumer product, Microsoft Security Essentials.

For a while now, Microsoft has been spreading the word that it will stop providing support for 12-year-old Windows XP on April 8. On that date, Microsoft will no longer issue security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates for the operating system, which is still widely used.

Not until July 2015 will Microsoft stop updating the antimalware engine that protects XP users from viruses, worms, Trojans, and other threats.

“Our research shows that the effectiveness of antimalware solutions on out-of-support operating systems is limited,” the company wrote on its Threat Research and Response Blog. “Running a well-protected solution starts with using modern software and hardware designed to help protect against today’s threat landscape.”

Windows XP is most certainly outside the realm of “modern software.” Despite this, according to the analytics firm NetMarketShare, Windows XP still commands 28.98 percent of the operating system market. Other than Windows 7, XP remains the most popular operating system in use today.

Privacy Advocates Anxious Ahead of Obama NSA Speech

Threatpost for B2B - Thu, 01/16/2014 - 13:29

It’s been more than seven months since Edward Snowden began feeding stolen NSA documents to reporters, and in that time, virtually everyone in Washington who could find a microphone or keyboard has voiced an opinion on the agency’s methods and Snowden’s actions. Everyone except President Barack Obama, that is. Obama has been mostly silent on the subject, preferring to let NSA officials and lawmakers speak, but that’s set to change Friday when he is due to speak publicly about proposed reforms for the NSA.

Obama is expected to address some of the 46 recommendations contained in a report produced by his own handpicked panel of lawyers, professors and security experts, the President’s Review Group on Intelligence and Communications Technologies. Much of what the panel addressed in its report comprised recommendations on how to limit the scope of certain NSA collection programs or increase the transparency around their use. However, privacy advocates and other observers say that is just the beginning of what needs to change about the agency’s surveillance methods and data retention. One of the key issues is the NSA’s use of dragnet surveillance methods to collect electronic communications such as phone calls, emails and Web traffic.

Lawyers at the EFF say limiting the scope of this kind of surveillance isn’t enough. Rather, the NSA should go back to performing highly targeted surveillance.

“The NSA has disingenuously argued that simply acquiring this data isn’t actually “collecting” and that no privacy violation can take place unless the information it stores is actually seen by a human or comes up through an automated search of what it has collected. That’s nonsense. The government’s current practices of global dragnet surveillance constitute general warrants that violate the First and Fourth Amendments, and fly in the face of accepted international human rights laws. Obama needs to direct the NSA to engage only in targeted surveillance and stop its programs of mass surveillance, something he can do with a simple executive order,” Cindy Cohn and Rainey Reitman of the EFF wrote in an assessment of what Obama may discuss Friday.

An alternative to the cell phone metadata program, recommended by the president’s panel, is to remove the NSA’s ability to store all of that data in-house and put the onus on the communications companies instead. That would require companies such as Verizon and AT&T to hold such data in reserve, for some undefined period of time, awaiting requests from the NSA. The EFF worries that this will turn the companies into nothing but arms of the agency.

“But companies shouldn’t be pressed into becoming the NSA’s agents by keeping more data than they need or keeping it longer than they need to. To the contrary, companies should be working on ways to store less user data for less time—decreasing the risks from data breaches and intrusions like the one that just happened to Target. Data retention heads in the wrong direction for our security regardless of whether the government or private parties store the information,” they said.

The EFF also encouraged Obama to pressure the NSA not to engage in activities that subvert the security of protocols or encryption algorithms, something that has become a major discussion point in security circles in recent months.

“These practices include weakening standards, attacking technology companies, and preventing security holes from being fixed. As the president’s review group recognized, this has serious consequences for any industry that relies on digital security—finance, medicine, transportation, and countless others, along with anyone in the world who relies on safe, private communication. Obama should follow the recommendations of his review group and immediately stop the NSA’s efforts to undermine or weaken the security of our technologies,” Cohn and Reitman wrote.

All in all, privacy advocates are not expecting Obama to announce major changes to the NSA’s programs or mission.

“Many people are skeptical that the president will create meaningful limits to the NSA’s practice of sweeping up the digital communications of millions of people worldwide. Instead of actually stopping the spying, Obama could just make pronouncements calling for more transparency or additional layers of bureaucratic oversight. Basically, he could duck the most important thing he could do to show leadership: rein in government surveillance,” Cohn and Reitman said.

ICS-CERT Advising Users to Update Schneider Electric ClearSCADA

Threatpost for B2B - Thu, 01/16/2014 - 08:56

The Department of Homeland Security is warning the maintainers of industrial control systems (ICS) about a remotely exploitable uncontrolled resource consumption vulnerability in Schneider Electric’s ClearSCADA software.

Schneider Electric says that it has developed a new version of ClearSCADA that resolves the vulnerability reported by Adam Crain of Automatak and independent security researcher Chris Sistrunk. The company further claims it has no evidence suggesting that these vulnerabilities have been exploited in a production environment. The ICS computer emergency response team (ICS-CERT) is also unaware of any in-the-wild attacks targeting these bugs, though its advisory notes that “An attacker with a medium skill would be able to exploit this vulnerability.”

ClearSCADA is secure remote management software designed for use in large, geographically dispersed critical infrastructure systems.

On machines running pre-November 2013 versions of ClearSCADA, an attacker could generate specially crafted, unsolicited frames that – in turn – could cause excessive event logging, slowing driver operation and potentially leading to a denial of service condition in the distributed network protocol (DNP3).

Schneider is recommending that users of its ClearSCADA software monitor DNP3 traffic and their system’s event journal in order to detect excessive amounts of traffic or logging which may be representative of a fuzzing attack attempting to exploit the vulnerabilities. Beyond that, users are advised to upgrade their ClearSCADA server to SCADA Expert ClearSCADA 2013 R2 or a more recent version. Users can also update to a service pack released later than November 2013.
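Schneider’s interim advice is to watch the event journal for excessive logging. The following is an added example, not ClearSCADA code, of the simplest form that monitoring can take: a sliding-window count of journal events per source that raises an alert the first time one outstation exceeds a threshold within a window. The journal line format (`timestamp|source|event`), the outstation names and the threshold are assumptions; the sample journal is constructed and includes a burst of malformed frames from one source.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example; the journal format and thresholds are assumptions, not
# ClearSCADA's own. Sources and timestamps are constructed.


def build_sample_journal():
    """Constructed event journal: a quiet baseline from two outstations, then
    40 malformed-frame warnings in 40 seconds from one of them."""
    lines = [
        "2013-11-04T10:00:00|outstation-7|DNP3 unsolicited response received",
        "2013-11-04T10:00:30|outstation-7|DNP3 unsolicited response received",
        "2013-11-04T10:01:00|outstation-12|DNP3 unsolicited response received",
    ]
    start = datetime(2013, 11, 4, 10, 5, 0)
    for i in range(40):
        ts = (start + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts}|outstation-12|Driver warning: unexpected frame format")
    lines.append("2013-11-04T10:10:00|outstation-7|DNP3 unsolicited response received")
    return "\n".join(lines)


def parse_journal(text):
    """Yield (timestamp, source, event) tuples; skip lines that do not parse."""
    for line in text.splitlines():
        if line.count("|") < 2:
            continue
        ts, source, event = line.split("|", 2)
        try:
            yield datetime.fromisoformat(ts), source, event
        except ValueError:
            continue


def detect_event_floods(text, window=timedelta(seconds=60), threshold=20):
    """Sliding-window rate check per source. Returns {source: (timestamp, count)}
    giving the first moment each source logged `threshold` or more events
    within `window`; sources that stay under the threshold are absent."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, source, _event in parse_journal(text):
        q = recent[source]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and source not in alerts:
            alerts[source] = (ts, len(q))
    return alerts
```

A real deployment would feed the journal in continuously and pair this with the DNP3 traffic side of the advice (frames per second per outstation at the driver), but the window-and-threshold shape is the same. Tune `threshold` against a few days of normal journal volume so routine unsolicited responses do not trip it.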

Affected products include ClearSCADA 2010 R2 (Build 71.4165), ClearSCADA 2010 R2.1 (Build 71.4325), ClearSCADA 2010 R3 (Build 72.4560), ClearSCADA 2010 R3.1 (Build 72.4644), SCADA Expert ClearSCADA 2013 R1 (Build 73.4729), SCADA Expert ClearSCADA 2013 R1.1 (Build 73.4832), SCADA Expert ClearSCADA 2013 R1.1a (Build 73.4903), and SCADA Expert ClearSCADA 2013 R1.2 (Build 73.4955).

Model Predicts Optimal Timing for Targeted Attacks

Threatpost for B2B - Thu, 01/16/2014 - 08:56

Security researchers from the Ford School of Public Policy at the University of Michigan have published a mathematical model they said will produce the proper timing for the delivery of offensive cyberweapons. Defenders can also make use of the model to understand attackers and when a targeted attack might occur.

“A simple mathematical model is offered to clarify how the timing of such a choice can depend on the stakes involved in the present situation, as well as the characteristics of the resource for exploitation,” wrote Robert Axelrod and Rumen Iliev in a paper called “Timing of Cyber Conflict.”

The two researchers used the Stuxnet and Saudi Aramco attacks, as well as the persistent targeted attacks attributed to the Chinese government, as a baseline for their analysis of cyber conflicts. The researchers’ goal is to mitigate the harm destructive cyberattacks can do and understand their capabilities.

The researchers’ analysis is conducted from the point of view of the attacker in order to make a best guess as to the conditions and timing under which a potentially destructive attack is launched. The model takes into account the fact that a zero-day launched today will likely be less effective at a later date, especially once an attack is discovered and mitigations are put in place.

“The heart of our model is the trade-off between waiting until the stakes of the present situation are high enough to warrant the use of the resource, but not waiting so long that the vulnerability the resource exploits might be discovered and patched even if the resource is never used,” Axelrod and Iliev wrote.

The model makes a number of assumptions about what’s at stake in a particular conflict, be it an all-out war or an espionage engagement for trade or military secrets. The stakes change over time, but the model focuses only on the current environment. It also looks at the characteristics of the resource, or weapon, and its sustainability based on its stealth and persistence. A benchmark for stealth used in the study is the average duration of a zero-day attack, 312 days, according to Leyla Bilge and Tudor Dumitras, while a persistence benchmark is that within three to five years, only three percent to five percent of vulnerabilities in Chrome and Firefox are rediscovered. The target’s patching practices also affect the stealth and persistence of an attack, the researchers said.

“Because stakes are not under your control, your best policy is to wait until the stakes are high enough to risk losing the resource because of its limited stealth,” they wrote. In short, an attacker will want to use available resources often, but only when the stakes are at their highest.

Another assumption in the model concerns the value of a weapon, which depends on its persistence and stealth, the researchers said. In the paper, the researchers present an equation that helps an attacker or defender determine the value of a resource, which in turn helps determine how best to use it based on particular thresholds.

The researchers concluded that in situations where the stakes are constant, such as the payoff for stealing payment card data, a cyberweapon should be used quickly and often. For high-stakes events, attackers and defenders need to evaluate three factors before deciding how long to wait to launch an attack: low stealth, high persistence and large stakes, the researchers wrote.

For comparison, the researchers looked at the Stuxnet worm, which they said likely had low persistence because it relied on multiple zero-day exploits to get the job done. This meant the attackers had to use their malware quickly, so stealth was important. Stuxnet accomplished this in spades, lasting 17 months inside the Natanz network before it was detected. As for the stakes, they were high for the attackers, whose goal was to derail Iran’s nuclear program.

Another factor to consider is the legitimate market for zero-day exploits and competing vendor bounties for mitigation bypass attacks. The researchers go against the conventional thinking that the market would become saturated with new exploits, arguing instead that the pool of undiscovered vulnerabilities is deep.

“With new versions of commonly used software being introduced at a high rate to patch recently discovered vulnerabilities and to add new features, the pool of zero-day exploits waiting to be discovered is ever renewable,” the researchers wrote.

Turning their model on the zero-day market, the researchers concluded that the more effort goes into finding zero days, the lower persistence will be, because a resource is likely to be discovered by others and possibly sold before it is used. Prices will fall because supply will be greater and lower persistence makes weapons worth less, they said.

“The implications of our model are easy to summarize: Stealth and Persistence are both desirable properties of a resource, and increase its Value,” they wrote. “However, they have opposite effects on the best time to use the resource. Persistence leads to more patience, meaning the stakes need to meet a higher Threshold before the resource is worth using.”
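The trade-off described above (wait for high enough stakes, but not so long that the resource is patched out from under you) can be made concrete with a small threshold model. The following is an added example written for this page; it is not the Axelrod and Iliev equation and does not reproduce their paper's formulas. It assumes, for the sake of a closed form, that the stakes of each period are drawn independently from an exponential distribution with mean 1, that "stealth" is the probability the resource survives a period in which it was used, and that "persistence" is the probability it survives a period in which it was not used. The function names and the parameter grid are this example's own.

```python
"""
Toy threshold-timing model for a cyber resource (constructed example).

Assumptions (not from the paper):
  * Each period the stakes X are drawn i.i.d. from Exp(mean 1).
  * stealth     = P(resource survives a period in which it WAS used).
  * persistence = P(resource survives a period in which it was NOT used),
                  i.e. it is not independently rediscovered and patched.
  * Policy: use the resource whenever X >= threshold and collect X.
"""
import math


def use_probability(threshold: float) -> float:
    """P(X >= threshold) for X ~ Exp(mean 1)."""
    return math.exp(-threshold)


def mean_stakes_when_used(threshold: float) -> float:
    """E[X | X >= threshold] for X ~ Exp(mean 1) (memoryless property)."""
    return threshold + 1.0


def expected_value(threshold: float, stealth: float, persistence: float) -> float:
    """Expected total payoff from holding the resource under a fixed threshold.

    One period: with prob q the resource is used (gain m, survive w.p. stealth),
    otherwise it idles (survive w.p. persistence).  So
        V = q*(m + stealth*V) + (1-q)*persistence*V
    which solves to V = q*m / (1 - q*stealth - (1-q)*persistence).
    """
    q = use_probability(threshold)
    m = mean_stakes_when_used(threshold)
    survival = q * stealth + (1.0 - q) * persistence
    if survival >= 1.0:
        # A resource that is never discovered has unbounded value here.
        raise ValueError("resource never dies under these parameters")
    return q * m / (1.0 - survival)


def optimal_threshold(stealth: float, persistence: float,
                      step: float = 0.01, max_threshold: float = 10.0) -> float:
    """Grid search for the stakes threshold maximizing expected value."""
    best_t, best_v = 0.0, -math.inf
    for i in range(int(max_threshold / step) + 1):
        t = i * step
        v = expected_value(t, stealth, persistence)
        if v > best_v:          # strict: ties keep the earlier (lower) threshold
            best_t, best_v = t, v
    return best_t


def resource_value(stealth: float, persistence: float) -> float:
    """Value of the resource when used with its optimal threshold."""
    t = optimal_threshold(stealth, persistence)
    return expected_value(t, stealth, persistence)


if __name__ == "__main__":
    # Constructed parameter sets: (stealth, persistence)
    for s, p in [(0.0, 0.0), (0.0, 0.5), (0.0, 0.9), (0.9, 0.9)]:
        t = optimal_threshold(s, p)
        print(f"stealth={s:.1f} persistence={p:.1f}: "
              f"wait for stakes >= {t:.2f}, value {resource_value(s, p):.2f}")
```

Running it shows the qualitative claims in the article: with no persistence the best threshold is zero (use immediately, as in the constant-stakes card-data case), raising persistence from 0.5 to 0.9 pushes the threshold up (more patience), and raising stealth to match persistence pulls it back down to zero while increasing the value of the resource. For a defender the useful reading is the denominator: faster patching and rediscovery lower both survival probabilities, which shrinks the value of an unused vulnerability and shortens the window in which waiting pays.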
