Dennis Fisher and Mike Mimoso discuss the big stories of the last couple of weeks, including the Syrian Electronic Army’s attacks against the registrar for the New York Times and Twitter, and the release of Facebook’s first transparency report.
Researchers have cracked open cloud storage service Dropbox, reverse engineering the encryption protecting the client in order to open it up to further security analysis.
The engineers, Dhiru Kholia of Openwall and Przemyslaw Wegrzyn of CodePainters, also demonstrated how code-injection techniques can be used to read the client's SSL traffic in plaintext, effectively hijacking Dropbox communication, and how to bypass the two-factor authentication that protects accounts. The two researchers presented a paper on their work at the USENIX Workshop on Offensive Technologies (WOOT), co-located with the recent USENIX Security Symposium.
“Reversing Dropbox is the main focus of our paper,” Kholia told Threatpost. “The attacks are just side-effects.”
A Dropbox spokesperson said in an email to Threatpost that the duo’s findings do not represent a vulnerability in Dropbox. “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board,” the spokesman said.
Kholia concurred that hijacking a Dropbox client first requires exploiting some other vulnerability on the target user's machine, although that initial compromise could be carried out remotely.
“We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research,” the researchers wrote in their paper. “Dropbox will/should no longer be a black box.”
The research documents how the internal API used by the Dropbox client works. Using a number of techniques, Kholia and Wegrzyn were able to recover and decompile the client's protected Python bytecode and examine the resulting source. While previous work exists in this area, it applies only to older versions of the client, the researchers said; Dropbox had since changed the client in ways that defeated the earlier approaches.
In addition, they were able to use Reflective DLL injection and LD_PRELOAD on Windows and Linux respectively to intercept SSL traffic.
“Once we are able to execute arbitrary code in Dropbox client context, we patch all SSL objects and are able to snoop on the data before it has been encrypted (on sending side) and after it has been decrypted (on receiving side),” the paper said. “This is how we intercept SSL data. We have successfully used the same technique on multiple commercial Python applications.”
They also found that the two-factor authentication Dropbox offers for Web logins is not enforced by the desktop client: the client authenticates with a value known as the host_id, and an attacker who obtains that value, as the researchers did from a client's configuration, can access the account without the second factor.
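The interception described in the paper's quote above is, in a Python application, a matter of replacing the methods on the class that does the encrypting. The following is an added example, not code from the Kholia/Wegrzyn paper or from the Dropbox client: it wraps the send and receive methods of a class so every buffer is recorded before encryption and after decryption. The FakeSSLSocket below is a constructed stand-in so the demonstration runs offline; install_hooks() applies unchanged to the real ssl.SSLSocket (hook_real_ssl), after which every TLS socket the process opens is logged.

```python
"""Hook a Python process's TLS socket methods to capture plaintext.

Added example, not from the paper or the Dropbox client. Once code runs
inside the target process, the class whose methods encrypt and decrypt
(ssl.SSLSocket) can be patched in place. FakeSSLSocket is a constructed
stand-in so this runs offline; the same install_hooks() works on the real
class, see hook_real_ssl().
"""
import functools
import ssl

# Methods application data passes through before encryption (send side)
# and after decryption (receive side). Only those the class has get hooked.
SEND_METHODS = ("send", "sendall", "write")
RECV_METHODS = ("recv", "read")


def install_hooks(cls, capture):
    """Wrap cls's I/O methods so each plaintext buffer is appended to `capture`
    as (direction, bytes). Returns the originals so the hooks can be undone."""
    originals = {}

    def wrap(name, direction):
        original = getattr(cls, name)
        originals[name] = original

        @functools.wraps(original)
        def hooked(self, *args, **kwargs):
            if direction == "send":
                if args:  # first positional argument is the plaintext buffer
                    capture.append(("send", bytes(args[0])))
                return original(self, *args, **kwargs)
            data = original(self, *args, **kwargs)
            if data:
                capture.append(("recv", bytes(data)))
            return data

        setattr(cls, name, hooked)

    for name in SEND_METHODS:
        if hasattr(cls, name):
            wrap(name, "send")
    for name in RECV_METHODS:
        if hasattr(cls, name):
            wrap(name, "recv")
    return originals


def remove_hooks(cls, originals):
    """Restore the methods saved by install_hooks()."""
    for name, original in originals.items():
        setattr(cls, name, original)


def hook_real_ssl(capture):
    """Hook the real thing: affects every TLS socket the process opens afterwards."""
    return install_hooks(ssl.SSLSocket, capture)


class FakeSSLSocket:
    """Constructed stand-in for ssl.SSLSocket: 'encrypts' by reversing bytes."""

    def __init__(self, inbound=b""):
        self.wire = bytearray()      # what would go on the network
        self._inbound = inbound      # already-decrypted data waiting to be read

    def sendall(self, data, flags=0):
        self.wire += bytes(data)[::-1]

    def recv(self, bufsize=4096, flags=0):
        data, self._inbound = self._inbound[:bufsize], self._inbound[bufsize:]
        return data


def demo():
    """Hook the fake socket, move one request and one response through it,
    unhook, and return what the hooks saw (constructed traffic)."""
    captured = []
    originals = install_hooks(FakeSSLSocket, captured)
    try:
        s = FakeSSLSocket(inbound=b'{"host_id": "redacted"}')
        s.sendall(b"GET /client HTTP/1.1\r\n")
        s.recv()
    finally:
        remove_hooks(FakeSSLSocket, originals)
    return captured


if __name__ == "__main__":
    for direction, data in demo():
        print(direction, data)
```

The defensive reading of the same code: nothing in the TLS layer protects data from code already executing in the process, which is why Dropbox's response (the host must already be compromised) is accurate, and why the paper's value is in exposing the protocol rather than in the interception itself.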
While the team plans further research into Dropbox security and encourages the security community to take its shots, they acknowledge the client’s security is a constantly moving target, one that has remained fairly safe.
“Overall, Dropbox is just fine,” Kholia said. “There is nothing to worry about. We are still using and loving it.”
Image courtesy JeanbaptisteM.
A string of Arabic text is causing some chaos with iOS and Mac OS X users. It seems wherever the text sequence shows up, whether in a tweet, webpage, or a SMS message on the Apple platform, it’s crashing apps or Safari browser sessions.
The problem has been traced to the Apple Core Text technology which handles page layout and font rendering and has been available since OS X v10.5 and iOS 3.2.
From the online Apple programming guide: “The Core Text layout engine is designed specifically to make simple text layout operations easy to do and to avoid side effects. The Core Text font programming interface is complementary to the Core Text layout engine and is designed to handle Unicode fonts natively, unifying disparate OS X font facilities into a single comprehensive programming interface.”
A post on a Russian site, habrahabr.ru, said crashes are happening on Mac OS 10.8 and iOS 6; newer beta versions of both are not affected, the site said. The post also confirmed that SMS messages, iMessages and pages opened in Safari on iOS or OS X will crash the receiving app or browser. It also said that renaming a Wi-Fi SSID to the text string will cause errors while scanning for networks.
The site also said that Apple has known about the bug for six months. Apparently until yesterday the string had been confined to the Russian site, but it spread quickly across social media today, causing some denial-of-service angst as Twitter apps, browsers and SMS clients crashed. Facebook, meanwhile, has already taken steps to block the string from wall posts and timelines.
Attackers looking to exploit a previously disclosed, and in Apple's OS X builds apparently still unpatched, bug in sudo, the Unix privilege-elevation utility shipped with OS X and most Linux distributions, got a little more help this week.
As Threatpost reported in March, the vulnerability (CVE-2013-1775) lets an attacker who can set the compromised system's clock back to January 1, 1970, the Unix epoch, make sudo accept a stale or invalidated authentication timestamp, so that root access is granted without entering a password.
Sudo manages user privileges on several types of systems, including versions of OS X from Lion 10.7 to Mountain Lion 10.8.4, as well as several Linux distributions.
Metasploit, the penetration testing software that makes it easier to exploit vulnerabilities, added a module this week that makes exploiting the sudo vulnerability less difficult.
Developed by the folks over at Rapid 7, the Metasploit tool has proved invaluable for security researchers who investigate flaws and “pen test” software.
The module “gains a session with root permissions” as long as the user has run the sudo command before and as long as they have administrative privileges, according to a Packet Storm Security post Monday by sudo developer Todd Miller, Rapid 7’s Joe Vennix and Metasploit developer Juan Vazquez.
In addition to those conditions, the attacker must of course already have code execution on the machine, whether physically or remotely, on top of an administrative account, which narrows the bug's usefulness considerably.
Miller reported in a Seclists post in February that sudo 1.8.6p7 and 1.7.10p7 fixed the bug by ignoring timestamps set to the epoch. Those fixes are not circumvented by the module; the module works because Apple had not yet shipped a fixed sudo with OS X.
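The check the bug lives in is small enough to model. The following is an added example, not sudo's source: a simplified model of sudo's timestamp ("ticket") logic as the advisory describes it. sudo caches a successful password check by recording a timestamp; `sudo -k` invalidates that cache by setting the timestamp to the Unix epoch rather than deleting it. The vulnerable check only asks whether the ticket is recent relative to the system clock, so an admin who winds the clock to the epoch makes the invalidated ticket look fresh; the fixed check refuses epoch timestamps outright. The five-minute timeout is sudo's default; the "current time" value is constructed.

```python
"""Model of sudo's timestamp check and the epoch bypass (CVE-2013-1775).

Added example, not sudo's code. sudo caches a password check by recording
a timestamp; `sudo -k` invalidates it by resetting the timestamp to the
Unix epoch (0). A check that only asks "is the ticket recent relative to
the clock?" is fooled when the clock itself is set to the epoch. The fix
in 1.8.6p7 / 1.7.10p7 treats an epoch timestamp as never valid.
"""
EPOCH = 0
DEFAULT_TIMEOUT = 5 * 60  # sudo's default timestamp_timeout, in seconds


def ticket_valid_vulnerable(ticket_mtime, now, timeout=DEFAULT_TIMEOUT):
    """Pre-fix behaviour (simplified): valid if the ticket is no older than
    `timeout` seconds and not in the future."""
    if ticket_mtime > now:
        return False  # clock moved backwards past the ticket; treat as stale
    return now - ticket_mtime <= timeout


def ticket_valid_fixed(ticket_mtime, now, timeout=DEFAULT_TIMEOUT):
    """Post-fix behaviour: an epoch timestamp is never accepted, whatever the
    clock says, so an invalidated ticket cannot be revived."""
    if ticket_mtime == EPOCH:
        return False
    return ticket_valid_vulnerable(ticket_mtime, now, timeout)


def invalidate(ticket_mtime):
    """`sudo -k`: mark the ticket invalid by resetting it to the epoch."""
    return EPOCH


def attack_scenario(check):
    """An admin authenticates to sudo, runs `sudo -k`, then (as the attacker
    in that admin's session) sets the system clock to the epoch. Returns
    whether `check` would grant a passwordless root shell."""
    real_now = 1_377_700_000            # late August 2013 (constructed value)
    ticket = real_now                    # ticket written at the successful auth
    ticket = invalidate(ticket)          # sudo -k
    if check(ticket, real_now):
        raise AssertionError("an invalidated ticket must be stale at the real time")
    clock_at_epoch = EPOCH               # attacker resets the system clock
    return check(ticket, clock_at_epoch)


if __name__ == "__main__":
    print("vulnerable sudo grants root:", attack_scenario(ticket_valid_vulnerable))
    print("fixed sudo grants root:     ", attack_scenario(ticket_valid_fixed))
```

The scenario also makes the preconditions in the Metasploit description concrete: setting the system clock needs administrative rights, and a ticket only exists if the user has run sudo before.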
Late Tuesday morning, one of the engineers in CloudFlare’s San Francisco office saw a message on Twitter saying that the New York Times Web site was down. Minutes later, more messages appeared, as security researchers and others began looking into the situation and realized that someone may have compromised the site’s DNS records. Understanding the ramifications of that sort of attack, if that’s in fact what it was, Matthew Prince, CloudFlare’s CEO sent an email to Rajiv Pant, the CTO of the Times, saying that the company’s engineers would be available if Pant needed some help figuring out the situation. He did.
The attack, which initially appeared to have affected just the Times, and later some of Twitter's domains, actually affected several other domains as well, and turned out to be the result of a compromise at an Australian registrar called MelbourneIT. Initially, technicians at the Times and MelbourneIT were having a difficult time regaining control of the company's DNS data. The Syrian Electronic Army, which claimed responsibility for the attack, had changed the records to point to a server the group controls, redirecting users from the Times home page to the attackers' server. So Pant and his team called the CloudFlare team to see if they could help.
“They called and asked if we could put them in touch with someone at VeriSign, because they couldn’t get control back through Melbourne,” said Prince. “We reached out to some contacts we had there, and we also got them on the phone with folks at OpenDNS and Google. We were just a facilitator. We knew Rajiv and we knew they were having trouble, so we tried to help.”
Engineers at CloudFlare, a cloud networking and security company, along with engineers from Google, the Times, OpenDNS, GoDaddy and other companies, spent much of the rest of the day on a videoconference, trying to work out the details of the attack, and more importantly, how they could recover from it. One of their first moves was to begin flushing the cached DNS records around the Web, a tactic that would remove the SEA-controlled data and point users back to the legitimate Times and Twitter sites. That’s a tall order, however, because the data is cached at a number of different levels around the Internet, and those caches expire at different times and are controlled by many different entities.
“There are all these different overlapping caches that make cleaning up a problem like this tough,” Prince said. “We got on the phone to get those records flushed. Google and OpenDNS were extremely responsive. The challenge when you have one of these DNS hacks is that even when you get the correct records reinstated in the authoritative registry, the bad records will end up being cached out at the edge of the network. That’s why a lot of the world may not be able to access the Times site.”
As the afternoon wore on, some users began reporting that they were again able to access the Times main site, while others were still seeing an error page or something else. The engineers knew this was a result of the caches around the Internet beginning to expire and the legitimate data being propagated back out to the various DNS providers. That was a good sign, but at the same time, Times technical staff were warning employees to be careful sending emails, as they were unsure whether the attackers had the ability to redirect or capture the company’s email traffic, something that could be possible with the kind of access the SEA had to MelbourneIT’s systems.
The Times had already been through a serious intrusion earlier in the year, when attackers from China compromised the New York Times network, planted malware and accessed reporters' email. So caution was warranted.
“It’s still not clear whether the email was accessed, and that’s spooky,” Prince said. “You lose your email, especially if you’re dealing with sensitive emails, and you’re in trouble. They’re potentially capturing Web sessions, and that means potentially capturing cookies, and that’s bad news. If an organization goes through something like this, they have to reset all of that.”
By late Tuesday evening East Coast time, the Times site was accessible again for most users and the paper had published a short account of the attack, saying that it was the result of a compromise at MelbourneIT, the registrar that the Times, Twitter, the Huffington Post, and other victims of the attack used to register their domains. The attack on MelbourneIT appears to have been just a means to an end for the SEA. The attackers initially sent spear-phishing emails to employees of an unidentified reseller partner of MelbourneIT. When an employee of the reseller responded, the attackers were in, getting credentials to access the MelbourneIT system, and giving them the ability to modify the DNS records of the target sites.
“Staff of an overseas-based reseller unwittingly responded to a spear phishing attack which allowed attackers to access sensitive information, including usernames and passwords, which was used to access the reseller’s account on Melbourne IT systems. This resulted in unauthorized changes to the DNS records of two domain names associated with providing news related to the Syrian conflict,” MelbourneIT said in a statement.
As troublesome as the attack was, it easily could have been far worse. Had the attackers also raised the time-to-live (TTL) on the records they changed, the value that tells resolvers how long to cache an answer, the bad data would have lingered in caches for far longer and the effects would have lasted much longer.
“The awful thing would be to compromise the DNS and immediately set the TTL to 72 hours or whatever the maximum is,” Prince said. “Even Google would have a hard time flushing that. There are certain choke points on the network, and those will continue to be the foci of attacks.”
Attackers know what those choke points and weak spots on the Internet are just as well as defenders do, and Prince said the attack on MelbourneIT and its customers is a clear illustration of that fact.
“This is a really bad hack,” he said. “I can’t think of a hack that scares me as much as this one.”
There is a critical remotely exploitable vulnerability in Cisco’s Secure Access Control Server which allows a remote attacker to take complete control of a vulnerable server. The bug results from a bad implementation of the EAP-FAST protocol and it affects a number of versions of the Cisco ACS.
The vulnerability is a highly critical one, as an attacker needs no authentication whatsoever and can take over control of the machine running the server. Cisco officials said the flaw only exists when the ACS server is configured as a RADIUS server. The company has issued a patch for the vulnerability, but there are no workarounds that can be implemented before the patch is rolled out.
“The vulnerability is due to improper parsing of user identities used for EAP-FAST authentication. An attacker could exploit this vulnerability by sending crafted EAP-FAST packets to an affected device. An exploit could allow the attacker to execute arbitrary commands on the Cisco Secure ACS server and take full control of the affected server,” the Cisco advisory says.
“Commands are executed in the context of the System user for Cisco Secure ACS authentication service running on Microsoft Windows. Cisco Secure ACS uses the standard RADIUS UDP port 1812 or 1645 for EAP-FAST authentication.”
The vulnerability affects versions 4.0 through 22.214.171.124 of the Cisco ACS server and the patch is implemented in version 126.96.36.199.11. Cisco officials said they’re not aware of any public exploitation of the vulnerability yet.
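The advisory describes the attack surface precisely: EAP-FAST rides inside RADIUS EAP-Message attributes on UDP 1812 or 1645, and the server must reassemble those fragments and parse the EAP identity before any authentication happens. The following is an added example, not Cisco's code, and it does not reproduce the bug, whose exact trigger Cisco has not published. It is a bounds-checked parser for that path, of the kind one would put in a network sensor to see what identities are reaching an ACS: it validates every RADIUS and EAP length field against the buffer, reassembles EAP-Message fragments, and rejects identities that exceed a cap or are not printable. The cap (MAX_IDENTITY) is this example's own sanity limit, not Cisco's, and the test packets are constructed with build_access_request().

```python
"""Parse RADIUS Access-Requests and extract the EAP identity they carry.

Added example; not Cisco's code and not a reproduction of the ACS bug.
EAP-FAST (EAP type 43) is carried in RADIUS EAP-Message attributes (type 79)
on UDP 1812/1645; the authentication server has to reassemble the fragments
and parse the identity before authentication starts. Every length field is
checked here. MAX_IDENTITY is this example's own cap; sample packets are
constructed by build_access_request().
"""
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_FAST = 43
MAX_IDENTITY = 253  # assumed policy cap for a sane identity, not a protocol limit


class ParseError(ValueError):
    pass


def parse_radius(pkt):
    """Return (code, identifier, [(attr_type, value), ...]). RADIUS header is
    code(1) id(1) length(2) authenticator(16); attributes are type(1) len(1) value."""
    if len(pkt) < 20:
        raise ParseError("short RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ParseError("bad RADIUS length %d" % length)
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ParseError("truncated attribute header at %d" % off)
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ParseError("bad attribute length %d at %d" % (alen, off))
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return code, ident, attrs


def parse_eap(eap):
    """Return (code, identifier, type, type_data) from a reassembled EAP packet.
    EAP header is code(1) id(1) length(2); Request/Response add a type byte."""
    if len(eap) < 4:
        raise ParseError("short EAP header")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length < 4 or length > len(eap):
        raise ParseError("bad EAP length %d" % length)
    if code in (1, 2):
        if length < 5:
            raise ParseError("EAP request/response without type byte")
        return code, ident, eap[4], eap[5:length]
    return code, ident, None, eap[4:length]


def eap_identity_from_radius(pkt):
    """Reassemble the EAP-Message attributes of an Access-Request and return the
    EAP Identity as a string, or None if the packet carries no Identity response."""
    code, _, attrs = parse_radius(pkt)
    if code != RADIUS_ACCESS_REQUEST:
        return None
    eap = b"".join(value for atype, value in attrs if atype == ATTR_EAP_MESSAGE)
    if not eap:
        return None
    ecode, _, etype, data = parse_eap(eap)
    if ecode != EAP_RESPONSE or etype != EAP_TYPE_IDENTITY:
        return None
    if len(data) > MAX_IDENTITY or not data.isascii() or b"\x00" in data:
        raise ParseError("suspicious EAP identity (%d bytes)" % len(data))
    return data.decode("ascii")


def build_access_request(identity, ident=0x2A, chunk=253):
    """Constructed test vector: an EAP Identity response wrapped in a RADIUS
    Access-Request, fragmented across EAP-Message attributes as a NAS does.
    The authenticator is zeroed; User-Name is added only when it fits."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(identity),
                      EAP_TYPE_IDENTITY) + identity
    body = b""
    for i in range(0, len(eap), chunk):
        frag = eap[i:i + chunk]
        body += bytes([ATTR_EAP_MESSAGE, 2 + len(frag)]) + frag
    if len(identity) <= 253:
        body += bytes([ATTR_USER_NAME, 2 + len(identity)]) + identity
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(body))
    return header + b"\x00" * 16 + body


if __name__ == "__main__":
    print(eap_identity_from_radius(build_access_request(b"alice@example.com")))
```

A sensor built on this can raise an alert on ParseError for traffic aimed at an ACS server that cannot yet be patched; since Cisco lists no workaround, limiting which NAS addresses may reach UDP 1812/1645 is the only other mitigation the advisory leaves open.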
Norwegian software company Opera pushed out version 16 of its eponymous Internet browser this week, complete with what it’s calling “tons of bug fixes,” improved performance and a slew of new features and APIs.
While the full changelog hasn’t been published yet, Ruarí Ødegaard, a member of Opera’s desktop team, pointed out that a handful of the bugs were addressed earlier this month, including fixing how the browser crashed following the opening of a new tab after closing a certificate/authentication dialog and restricting the browser’s auto fill capabilities when it comes to entering credit card credentials. Ødegaard also notes the browser can now check for new versions of “updateable components” when it’s started.
Until the changelog is published, it’s unclear just how many bugs Opera 16 fixes – but at least 13 of them, including the three above, were fixed earlier this month.
The browser has also added support for W3C’s Geolocation API, letting the user decide if they want to share their location with location-aware services such as Foursquare much like Chrome and Firefox. The Opera team has also added support for Windows jump lists, a set of internal Flags for developers and improved HTML5 support.
Opera 16 has also updated its Engine to Chromium 29 and fine-tuned its “form filler” autofill settings.
With the switch to Chromium 29, Opera will now support chrome.cookies and chrome.history APIs, adding to the Chromium support it introduced in Opera 15.
Like most modern browsers, Opera now ships through rapidly moving release channels. Opera started its "fast release cycle" earlier this month with three streams: stable, Next and developer.
Opera 16 is the build that has just graduated from the Next channel to stable. According to developer Sebastian Baberowski, the next iteration of the browser, version 17, will move from the developer channel to the Next channel in the next one to two weeks.
Naturally, with the new browser build, the next developer build version 18 should show up in the developer channel in due time, giving users and web extension creators a rough and mostly experimental look at the browser’s future.
Kelihos, the peer-to-peer botnet with nine lives, keeps popping up with new capabilities that enable it to sustain itself and make money for its keepers by pushing spam, harvesting credentials and even stealing Bitcoins.
According to a number of sources, Kelihos is now querying legitimate, freely available DNS-based blocklists such as the Composite Blocking List (CBL) to determine whether a potential victim's IP address has previously been flagged as a spam source or an open proxy. Such a list is a blacklist of IP addresses known to be spreading spam or malware.
“Personally, I haven’t seen anything ever use a composite blocking list before, but it’s not unheard of with other types of malware,” said Zscaler security researcher Chris Mannon. “A lot of Trojans or viruses will ping legitimate services to gain more information about a victim.”
Since security researchers often share intelligence data such as this, an attacker knows that if an IP address passes muster with one service, it likely would do so with most others.
“The attacker will know whether the victim is known to the security community. We share everything, that’s part of what these services are about. I can look up anything to determine if it’s bad,” Mannon said. “If an attacker has found a victim with a good IP reputation, then they can sully it by spamming from that location.”
Kelihos is currently querying Spamhaus, the Mail Abuse Prevention System and a few other free blocklist services.
“I know that if Spamhaus hasn’t blocked the victim IP yet, I know the other services won’t block it either; then the botnet could spam from that location,” Mannon said.
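The lookup Mannon describes is the ordinary DNSBL query any mail server makes, which is what makes it cheap for a bot to abuse: reverse the octets of the IPv4 address, append the list's zone, and ask for an A record. The following is an added example, not Kelihos code and not Spamhaus's: it builds the query name, interprets the 127.0.0.x answer codes Spamhaus documents for zen.spamhaus.org, and treats the 127.255.255.x range as the error signal Spamhaus returns when queried through a public resolver or over its free-use limit. The resolver is injected so the demonstration runs offline against a constructed table; pass socket.gethostbyname for live lookups. The same function lets a defender check their own outbound relays, which is the legitimate use of these lists.

```python
"""DNS blocklist lookup of the kind Kelihos is reported to perform.

Added example; not Kelihos code. A DNSBL is queried by reversing the IPv4
octets and appending the list's zone. An A record in 127.0.0.0/8 means
"listed"; for zen.spamhaus.org the last octet identifies the sub-list.
127.255.255.x answers are Spamhaus error codes (public resolver, over
limit), not listings. The resolver is injected so this runs offline.
"""
import ipaddress
import socket

# Return codes documented by Spamhaus for zen.spamhaus.org.
ZEN_CODES = {
    "127.0.0.2": "SBL: direct spam source",
    "127.0.0.3": "SBL CSS: snowshoe spam range",
    "127.0.0.4": "XBL/CBL: exploited host or open proxy",
    "127.0.0.5": "XBL/CBL: exploited host or open proxy",
    "127.0.0.6": "XBL/CBL: exploited host or open proxy",
    "127.0.0.7": "XBL/CBL: exploited host or open proxy",
    "127.0.0.10": "PBL: end-user range, ISP policy",
    "127.0.0.11": "PBL: end-user range, Spamhaus policy",
}
LISTING_RANGE = ipaddress.IPv4Network("127.0.0.0/8")
ERROR_PREFIX = "127.255.255."


def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """Query name for an IPv4 address: reversed octets plus the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects IPv6 and garbage input
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def dnsbl_lookup(ip, resolve, zone="zen.spamhaus.org"):
    """Return the reasons `ip` is listed (empty list means not listed).
    `resolve(name)` returns one A-record string or raises socket.gaierror
    for NXDOMAIN; socket.gethostbyname fits that contract."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return []  # NXDOMAIN: the address is not on the list
    if answer.startswith(ERROR_PREFIX):
        raise RuntimeError("DNSBL error response %s (public resolver or over limit)" % answer)
    if ipaddress.IPv4Address(answer) not in LISTING_RANGE:
        # A non-loopback answer is not a listing; it may be a wildcarded or hijacked zone.
        raise RuntimeError("unexpected DNSBL answer %s" % answer)
    return [ZEN_CODES.get(answer, "listed (%s)" % answer)]


# Constructed answers standing in for the live zone (documentation addresses).
FAKE_ZONE = {
    dnsbl_name("192.0.2.10"): "127.0.0.4",    # exploited host: a bot would skip it
    dnsbl_name("192.0.2.11"): "127.0.0.10",   # dynamic end-user range
    dnsbl_name("192.0.2.13"): "127.255.255.254",  # queried via a public resolver
}


def fake_resolve(name):
    """Offline resolver: answers from FAKE_ZONE, NXDOMAIN for everything else."""
    try:
        return FAKE_ZONE[name]
    except KeyError:
        raise socket.gaierror("NXDOMAIN")


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(ip, dnsbl_lookup(ip, fake_resolve) or "not listed")
```

An unlisted result is exactly what the botnet is looking for: a victim whose address still has a clean reputation and can be spammed from until the lists catch up.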
Kelihos’ tactic of using peer-to-peer communication rather than a centralized command and control server or servers also contributes to its staying power. Peer-to-peer botnets are difficult to take down and are finding favor not only with spam bots, but criminal gangs involved in financial fraud, identity theft or denial-of-service attacks. A P2P botnet is resilient not only against law enforcement, but security analysts who want to enumerate these networks of compromised computers or disrupt their services.
Earlier this month, researchers at the Malware Must Die blog reported other infrastructure changes in Kelihos, in particular that it had moved its DNS from .ru to .com top-level domains; the researchers identified a dozen .com domains and hundreds more .ru sites, all hosted with a Bahamian web host, that were subsequently taken offline. The malware is also using different file and registry names than in the past to help it avoid detection, according to Lavasoft.
Recent research examined the resilience of peer to peer botnets, in particular Kelihos, ZeroAccess and Zeus, and found a number of reasons why it has legs. Often, P2P botnets use custom and encrypted protocols for communication that makes analysis a challenge. Also, they make good use of a peer reputation scheme to determine whether bots are trustworthy; those that are not are blacklisted. Others are even more sophisticated, using fast-flux DNS or domain generation algorithms to protect the botnet from disruptions.
At RSA Conference 2013, CrowdStrike researcher Tillmann Werner did a live takedown of Kelihos on stage during a presentation. He managed to poison a middle layer of P2P proxy servers that communicate with the attacker by writing a sinkhole daemon that behaved like a bot. The daemon would send poisoned peer lists to the other bots it communicated with, specifically blacklisted sets of IP addresses, sending them toward a sinkhole and oblivion.
This article was updated to clarify comments made by Chris Mannon.
Unless you have an Oracle product that requires Java 6 or are paying for support for that version of the platform, you saw the last publicly available updates in February. That doesn't mean attackers have stopped targeting Java 6, and it certainly doesn't mean that organizations have upgraded to version 7.
Reportedly, exploit code for a previously patched vulnerability in Java 6 has been folded into the Neutrino exploit kit, another reminder for organizations reliant on Java to stay current with patches for the browser plug-in.
The vulnerability, CVE-2013-2463, was patched in June when Oracle released its most recent Critical Patch Update for Java 7 Update 25. According to the CVE entry, the flaw is in the Java 2D subcomponent and affects Java SE 7 Update 21 and earlier, Java 6 Update 45 and earlier and Java 5.0 Update 45 and earlier, as well as OpenJDK 7. The new exploit is another in a long line of Java sandbox bypasses, this one related to an incorrect image attribute verification in Java 2D, according to the CVE entry.
“The bug exploited is however quite serious as memory corruption issues can usually lead to complete Java security compromise,” said Java bug hunter Adam Gowdiak of Security Explorations in Poland. “Java 2D is the component especially prone to such issues as it relies on a native code layer implementing support for numerous graphics operations.”
Gowdiak said he has not seen the new exploit code and was not able to comment on its effectiveness or reliability. He did, however, join the chorus of experts urging organizations to move onto Java 7.
“Java SE 6 lacks security levels (security warnings) introduced to Java SE 7. According to recently published data, the software is still in a widespread use among corporations, but support for it and security fixes in particular are available to paying customers only,” Gowdiak said. “All of the above makes Java SE 6 an attractive target for attackers.”
Java 7 has not been without its security issues, however. A number of sandbox bypass vulnerabilities and exploits have been unearthed in 2013, many of those related to serious issues with the new Reflection API introduced in Java 7.
Recent Java updates have brought changes that prevent unsigned applets from executing by default. Users also see enhanced security warnings about potentially malicious applets and configurations that restrict what older Java versions can do. While requiring signed applets blunts some malware, attackers have repeatedly obtained stolen code-signing certificates that make malicious applets appear legitimate.
Oracle also said earlier this year it would delay the release of Java 8 until Q1 of 2014, rather than next month as originally scheduled, to get its security house in order. Oracle promises enhancements to the Java security model, new security features and to increase the pace at which vulnerabilities are patched.
“Security levels introduced into Java SE 7 changed the whole picture as numerous security warnings got introduced into the software that made Java SE 7 rather less attractive for attackers,” Gowdiak said.
As for the Java 6 exploit, the fact that it has been introduced into an exploit kit and that Java 6 is still seeing widespread use is cause for alarm, according to Qualys’ Wolfgang Kandek, who notes on the company’s Laws of Vulnerabilities blog that just over 50 percent of the Java population still uses Java 6.
As usual, experts advise anyone still running Java 6 to update to Java 7, but in some cases that's easier said than done. As Kandek notes, many corporations have Java 6 tied to other critical business applications and, much like a game of Jenga, removing or even updating it could bring the whole tower down.
“In essence they accept the risk of outdated Java in order to be able to continue to do business,” Kandek says in the blog post.
Oracle retired Java 6 in February, ending free updates for the foreseeable future, so only customers who pay for Java commercial support can install Java 6 Update 51, the most recent Java 6 update.
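Kandek's point that half the Java population is still on version 6 is something each organization can measure for itself. The following is an added example, not from Oracle, Qualys or Security Explorations: it parses the version line that `java -version` prints (the `1.<major>.0_<update>` format used by Java 5 through 8) and compares it against the affected ranges in the CVE-2013-2463 entry quoted above: 7u21 and earlier, 6u45 and earlier, 5.0u45 and earlier. It also flags any Java 6 install as out of public support. The sample lines are constructed; collect_local() runs the real command on the host it is executed on.

```python
"""Flag installed Java runtimes still exposed to CVE-2013-2463 or out of support.

Added example, not vendor code. Parses `java -version` output in the
`1.<major>.0_<update>` format used by Java 5 through 8 and compares it with
the affected ranges listed in the CVE entry. Sample lines are constructed.
"""
import re
import subprocess

# e.g. java version "1.6.0_45"  ->  major 6, update 45 (update may be absent)
VERSION_RE = re.compile(r'version "1\.(\d)\.\d+(?:_(\d+))?')

# Last affected update per major version, per the CVE-2013-2463 entry.
AFFECTED_UP_TO = {7: 21, 6: 45, 5: 45}
FIXED_IN = "7u25 (6u51 for paying Java 6 customers)"
LAST_PUBLIC_MAJOR = 6  # public updates for Java 6 ended February 2013


def parse_version(line):
    """'java version "1.6.0_45"' -> (6, 45); None for lines that are not Java
    version strings (including the newer '9.0.1' style, which this does not cover)."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def assess(line):
    """Return a list of human-readable findings for one version line."""
    parsed = parse_version(line)
    if parsed is None:
        return ["unrecognised version line: %s" % line.strip()]
    major, update = parsed
    findings = []
    limit = AFFECTED_UP_TO.get(major)
    if limit is not None and update <= limit:
        findings.append("CVE-2013-2463: Java %du%d is affected, fixed in %s" % (major, update, FIXED_IN))
    if major <= LAST_PUBLIC_MAJOR:
        findings.append("Java %d: no public security updates since Feb 2013" % major)
    return findings


def assess_inventory(lines):
    """Assess many collected version lines (e.g. from an inventory file);
    returns {line: findings} for lines that produced any finding."""
    report = {}
    for line in lines:
        found = assess(line)
        if found:
            report[line] = found
    return report


def collect_local():
    """Run `java -version` on this host (the JVM prints it to stderr) and assess it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return ["java not found or not responding"]
    return assess(proc.stderr or proc.stdout)


# Constructed sample of what an inventory sweep might return.
SAMPLE_INVENTORY = [
    'java version "1.7.0_25"',
    'java version "1.7.0_21"',
    'java version "1.6.0_45"',
    'java version "1.6.0_51"',
    'java version "1.5.0_22"',
]

if __name__ == "__main__":
    for line, found in assess_inventory(SAMPLE_INVENTORY).items():
        print(line, "->", "; ".join(found))
```

Systems that must keep Java 6 for a business application can at least be tracked this way, so the risk Kandek describes as accepted is an inventory rather than an unknown.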
UPDATE–The attack that took down the New York Times Web site Tuesday afternoon, along with domains belonging to Twitter and the Huffington Post, was accomplished through the use of compromised credentials belonging to a reseller for the registrar that those companies use to buy their domains. MelbourneIT, the registrar the Times, Twitter and others use, was the initial target of the attack, which enabled the Syrian Electronic Army to change the DNS records for the targeted domains and redirect traffic from those sites to a domain that may have been hosting malware.
The attack’s effects were widespread, making the Times home page unavailable to some visitors for long periods of time Tuesday afternoon and also put control of domains that Twitter uses to host images in the hands of the SEA. The operation, which began in the early afternoon on Tuesday and continues to have effects in some places on Wednesday morning, shows how easily and quickly things can go downhill when a key piece of the Internet’s underlying infrastructure is compromised.
The attackers from the SEA, a group that professes loyalty to the Syrian president and has gone after a long list of media organizations and other high-profile targets in the last year or so, had full access to the DNS records for the Times, Twimg.com, a domain used to host images on Twitter, a Huffington Post site in the UK and some others. They were then able to change the delegation so that the name servers listed for nytimes.com, for example, were no longer the Times' own but servers controlled by the attackers. Officials at CloudFlare, a cloud hosting provider that was involved in the effort to counter the attack, said that the domain to which visitors were redirected was serving malware.
In the midst of the attack, CloudFlare, along with technical teams from Google and OpenDNS, two of the larger providers of recursive DNS services worldwide, worked together to find the root of the problem and then clean it up by getting the correct data back in the DNS records.
“While NYT worked on getting the bad records corrected with MelbourneIT, we reached out to two of the largest recursive DNS providers: OpenDNS and Google. Technical teams from CloudFlare, OpenDNS and Google jumped on a conference call and discovered what appeared to be malware on the site to which the NYTimes.com site was redirected. OpenDNS and Google’s DNS team worked to correct the hacked records for the customers of their recursive DNS services,” Matthew Prince, CEO of CloudFlare, wrote in an analysis of the attack and its aftermath.
“The OpenDNS team was also able to look for other domains that had been updated recently to name servers controlled by the Syrian Electronic Army. We discovered several domains that had been updated, including several belonging to Twitter and the Huffington Post. As mentioned above, these organizations also used MelbourneIT, suggesting that the compromise was more than just the NYT’s account.”
Officials at MelbourneIT said in an email statement that the company determined that one of its resellers was targeted in a spear-phishing attack, which yielded the reseller's credentials to MelbourneIT's systems.
“Staff of an overseas-based reseller unwittingly responded to a spear phishing attack which allowed attackers to access sensitive information, including usernames and passwords, which was used to access the reseller’s account on Melbourne IT systems. This resulted in unauthorized changes to the DNS records of two domain names associated with providing news related to the Syrian conflict,” the company’s statement said.
“I spent most of my day on a multi-hour video conference with cyber security and systems folks from a dozen Internet companies. What a day!” Rajiv Pant, the CTO of the New York Times, wrote on Twitter late Tuesday night.
Eventually, VeriSign, the registry that runs the .com TLD, rolled back the changes to the DNS records that had been compromised, and then locked them so that no further changes were possible. An email sent by MelbourneIT to its customers on Tuesday said that the attackers were able to compromise credentials belonging to a reseller partner of MelbourneIT, and then used them to access the backend system and change the DNS records.
“We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement bodies,” the email says.
Prince of CloudFlare said that Tuesday’s attack showed how serious the effects of a simple compromise like this one can be.
“The hack also illustrates the damage that can be done by redirecting a site’s DNS. DNS forms the heart of the Internet, not just the web. Email routing, too, depends on DNS to route messages to the correct server,” he said.
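Both accounts of the incident above describe responders discovering the hijack by noticing that a delegation had changed, then relying on VeriSign to lock the records. Both steps can be routine checks. The following is an added example, not tooling from CloudFlare, OpenDNS, VeriSign or the Times: it compares the NS set a registry delegates a domain to against the expected set, and checks the WHOIS status tokens for registry-level locks. The lock names (serverUpdateProhibited, serverTransferProhibited) are the EPP statuses a registry lock service sets; the registrar-level client* statuses are assumed insufficient here because a party holding registrar or reseller credentials, as the SEA did, can clear them. The dig and WHOIS text is constructed in the shape of `dig NS +noall +answer` and VeriSign-style WHOIS output; in production, query the TLD's authoritative servers directly (for .com, `dig @a.gtld-servers.net NS example.com`), since that is where a registrar-side change lands first.

```python
"""Detect a hijacked delegation and missing registry locks from DNS and WHOIS text.

Added example; not CloudFlare's, OpenDNS's, VeriSign's or the Times' tooling.
Check 1 compares the delegated NS set against the expected one, since that is
what the SEA changed at the registrar. Check 2 looks for registry-level EPP
lock statuses in WHOIS output; registrar-level client* locks are not counted
because whoever holds registrar credentials can remove them (assumption stated
in the lead-in). Inputs are constructed dig / WHOIS text.
"""
from dataclasses import dataclass

REQUIRED_LOCKS = {"serverUpdateProhibited", "serverTransferProhibited"}


@dataclass
class Finding:
    domain: str
    severity: str
    message: str


def parse_ns_answer(text):
    """Parse `dig NS <domain> +noall +answer` lines ('<name> <ttl> IN NS <ns>')
    into {name_server: ttl}. Trailing dots and case are normalised."""
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "NS":
            result[parts[4].rstrip(".").lower()] = int(parts[1])
    return result


def parse_whois_status(text):
    """Collect EPP status tokens from 'Domain Status:' / 'Status:' WHOIS lines,
    dropping the trailing ICANN URL the .com registry appends."""
    statuses = set()
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("domain status", "status") and value.strip():
            statuses.add(value.strip().split()[0])
    return statuses


def check_delegation(domain, expected_ns, dig_output, whois_output):
    """Return findings, most severe first: unexpected name servers, expected
    ones missing from the delegation, then missing registry locks."""
    findings = []
    observed = parse_ns_answer(dig_output)
    expected = {ns.rstrip(".").lower() for ns in expected_ns}
    unexpected = sorted(set(observed) - expected)
    missing = sorted(expected - set(observed))
    if unexpected:
        findings.append(Finding(domain, "critical",
                                "delegation points at unexpected name servers: " + ", ".join(unexpected)))
    if missing:
        findings.append(Finding(domain, "high",
                                "expected name servers missing from delegation: " + ", ".join(missing)))
    for lock in sorted(REQUIRED_LOCKS - parse_whois_status(whois_output)):
        findings.append(Finding(domain, "high", "registry lock %s not set" % lock))
    return findings


# Constructed inputs (example.com and reserved names; 172800 is the TTL the
# .com zone uses for delegation records).
EXPECTED_NS = ["ns1.example-dns.net", "ns2.example-dns.net"]
DIG_OK = ("example.com.\t172800\tIN\tNS\tns1.example-dns.net.\n"
          "example.com.\t172800\tIN\tNS\tns2.example-dns.net.\n")
DIG_HIJACKED = ("example.com.\t172800\tIN\tNS\tns1.rogue.example.\n"
                "example.com.\t172800\tIN\tNS\tns2.example-dns.net.\n")
WHOIS_UNLOCKED = ("Domain Name: EXAMPLE.COM\n"
                  "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\n")
WHOIS_LOCKED = (WHOIS_UNLOCKED +
                "Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited\n"
                "Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited\n")

if __name__ == "__main__":
    for f in check_delegation("example.com", EXPECTED_NS, DIG_HIJACKED, WHOIS_UNLOCKED):
        print(f.severity.upper(), f.domain, f.message)
```

Run on a schedule from more than one vantage point, the delegation check catches the change minutes after it lands at the registry rather than when a user reports the site down; the lock check is the control that would have kept the change from landing at all.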
Image from Flickr photos of Subcircle.