Feed aggregator

Analysis: Spam report: February 2014

Secure List feed for B2B - Thu, 03/20/2014 - 07:00
The share of spam in global email traffic decreased by 7.6 percentage points and averaged 65.7% in January. As forecasted, the drop in the share of spam was due to a lull early in January when there is less business activity and a large number of botnets are turned off.

Mozilla Patches Pwn2Own Zero Days in Firefox 28

Threatpost for B2B - Thu, 03/20/2014 - 06:45

The Firefox web browser took a beating during last week’s Pwn2Own contest with researchers bringing four zero-day vulnerabilities and exploits to the table, walking away with a collective $200,000 in prize money in the process.

Yesterday, Mozilla capped all four bugs among 18 security advisories addressed in Firefox 28.

Firefox was by no means the only browser targeted during the annual contest; all four leading vendors failed to hold up against some of the best white hat hackers in the world. Two days ago, Google led the charge with the first set of patches addressing vulnerabilities disclosed during Pwn2Own. Google also paid out more than $150,000 to the winners of its Pwnium contest which went after bugs in Chromium and the Chrome OS.

George Hotz, known by his handle geohot and for his iPhone and PlayStation 3 jailbreaking, cashed in at both competitions. The 24-year-old claimed a $50,000 prize for a zero-day in Firefox that also affected Thunderbird and Seamonkey, Mozilla said.

Mozilla said in its advisory that Hotz discovered an issue where values are copied from an array into a second, neutered array. “This allows for an out-of-bounds write into memory, causing an exploitable crash leading to arbitrary code execution,” Mozilla said in its advisory.

Hotz’s big prize, however, came during the Pwnium event when he scored a $150,000 prize for a persistent code execution bug discovered in the Chrome OS. Pwn2Own and Pwnium veteran hacker Pinkie Pie also found sandbox code execution and kernel out-of-bounds vulnerabilities; Google has yet to announce his prize.

Three other Pwn2Own bugs were patched by Mozilla in Firefox 28.

Researcher Juri Aedla, a frequent Google bug-hunter, found a zero-day code execution bug in the browser. Mozilla said in its advisory that: “TypedArrayObject does not handle the case where ArrayBuffer objects are neutered, setting their length to zero while still in use. This leads to out-of-bounds reads and writes into the JavaScript heap, allowing for arbitrary code execution.”

Researchers from French exploit vendor VUPEN were the big winners during Pwn2Own and Pwnium, cashing in six times, including a Firefox zero day. Team VUPEN found a memory corruption issue leading to an exploitable use-after-free condition. Founder Chaouki Bekrar told Threatpost that the discovery of the zero-day required running more than 60 million test cases through a fuzzer.

Polish researcher Mariusz Mlynski was the fourth Pwn2Own contestant to topple Firefox. He combined two vulnerabilities to gain privilege escalation.

“Combined these two bugs allow an attacker to load a JavaScript URL that is executed with the full privileges of the browser, which allows arbitrary code execution,” Mozilla said in its advisory.

Firefox 28 addressed one more critical vulnerability, actually a set of memory safety hazards, Mozilla said.

“Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code,” Mozilla said in its advisory.

Research Finds MAC Address Hashing Not a Fix for Privacy Problems

Threatpost for B2B - Wed, 03/19/2014 - 15:27

UPDATE–Cryptographic algorithms and hash functions are designed to be resistant to a variety of attacks, but one of the things that they can’t defend against is time. Time and the inevitable advancement of technology have turned out to be the greatest enemies of cryptography, and a quick research project done by a graduate student at Stanford on the security of hashed MAC addresses in retail analytics software has shown that to be true once again.

One of the things that has raised the hackles of privacy advocates in recent years is the rise of passive tracking of consumers’ mobile devices as they move through stores, coffee shops, malls and other locations. Retailers can use software that detects the network announcements that cell phones with WiFi and Bluetooth enabled make periodically in order to track a given person’s device. This allows retail analytics firms to build databases that include the various locations that a device has been tracked in over a period of time.

This presents some rather obvious privacy issues, because most consumers have no idea that their devices are sending out these signals, let alone that retailers are gathering the information and building massive databases with the results. In October, a code of conduct surrounding retail analytics was released, and one of the provisions is for firms to hash the MAC addresses of users’ devices after they’re collected as a way to preserve users’ privacy. Jonathan Mayer, a PhD student at Stanford University, decided to take a look at how difficult it would be to reverse the hash of a given device’s MAC address, something that is meant to be quite difficult.

Hash functions take an input, in this case a device’s MAC address, and produce a fixed-length output that looks random, the hash value. Attackers should not be able to take the hash value and reverse it to get the MAC address. But Mayer found that this was not only possible but quite cheap and quick to do. Using a rented Amazon AWS server with a fast graphics card, Mayer ran the GPU hash-cracking program oclHashcat and was able to reverse the hash of his own cell phone’s MAC address in about 12 minutes.

“Some back of the envelope math suggested the task was doable. There are 6 bytes in a MAC address; the first 3 bytes are allocated to the network device vendor, and the last 3 bytes are chosen by the vendor. In total, then, there are 2^48 possible MAC addresses. Since only 19,130 vendor prefixes have been actually allocated for use, however, there are at most 2^38.22 validly assigned MAC addresses. That number might sound big, but modern consumer hardware can calculate roughly 2^30 hashes per second. In other words, it should be possible to check every validly assigned MAC address in just a few minutes,” Mayer wrote.

Mayer was using the SHA-1 algorithm during his test, but said that the same approach would work using other algorithms. His research shows that an attacker who was able to access a database of hash values would have the ability to reverse those values and get the MAC addresses associated with the hashes. The attacker still would need to connect those MAC addresses to individual devices and their owners somehow, but Mayer said that can be done.

“Some businesses and network operators keep a mapping between MAC addresses and individuals. A government agency could subpoena the device vendor for the purchaser’s identity. At any rate, the MLA Code of Conduct seems to concede a MAC address is identifiable; it suggests a MAC has to be hashed to be ‘de-personalized’,” Mayer said via email.

Unless every organization that records MAC information hashes it, an attacker could link a MAC address

“Hashing is not a silver bullet for electronic privacy. As we have seen, it is possible to test retail analytics data against every possible device. If data is associated with a particular device, it is always linkable back to an individual,” he said.

Most hash functions were produced in a time when the average person had no legitimate access to the kind of computing power it would take to reverse them. Indeed, only a handful of government agencies likely possessed that kind of power until very recently. But the rapid improvement in hardware and the concurrent rise of commodity cloud computing platforms such as AWS have made high-level compute power available to the masses at low prices. Reversing a hash value produced by an older algorithm such as SHA-1 is now within reach for just about any attacker.

“The specific hash function doesn’t matter much, though. All three of the problems I wrote about arise from any hash function. One caveat with respect to reversing hashes: Key stretching would make brute force attacks more difficult. It runs up against practical constraints, though, because retail analytics services have to be able to calculate hashes live in production,” Mayer said.
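To make the arithmetic in Mayer’s quote concrete, and to show what his key-stretching caveat costs in practice, here is an added example. It is my code, not Mayer’s and not from Threatpost: the vendor prefixes, the device address and the secret key are constructed placeholders, and the keyed HMAC variant is my addition rather than something the article discusses. It computes the effective keyspace from the page’s figures, estimates exhaustion time with and without stretching, and runs a linkability check of the kind a data controller could apply to their own hashed records.

```python
import hashlib
import hmac
import math

# Figures quoted by Mayer on the page: 19,130 allocated vendor prefixes (OUIs)
# and roughly 2^30 hashes per second on consumer hardware.
ALLOCATED_OUIS = 19130
HASHES_PER_SECOND = 2 ** 30


def keyspace_bits(allocated_ouis=ALLOCATED_OUIS):
    """log2 of the number of validly assigned MACs: each OUI has 2^24 suffixes."""
    return math.log2(allocated_ouis * 2 ** 24)


def seconds_to_exhaust(allocated_ouis=ALLOCATED_OUIS, rate=HASHES_PER_SECOND,
                       stretch_iterations=1):
    """Time to test every assigned MAC. Key stretching (iterating the hash
    stretch_iterations times) divides the attacker's effective rate, but the
    same factor hits the analytics service that must hash live traffic."""
    return allocated_ouis * 2 ** 24 * stretch_iterations / rate


def sha1_mac(mac):
    """Unkeyed SHA-1 of the MAC string, the scheme Mayer tested."""
    return hashlib.sha1(mac.encode()).hexdigest()


def keyed_mac(mac, key):
    """HMAC-SHA256 under a secret key (an added alternative, not from the page):
    without the key there is nothing for an outsider to enumerate against."""
    return hmac.new(key, mac.encode(), hashlib.sha256).hexdigest()


def link_hashed_mac(target, ouis, digest=sha1_mac, suffix_limit=2 ** 24):
    """Linkability check: enumerate MACs under the given OUIs, hash each with
    `digest`, and return the MAC whose digest equals `target`, else None.
    A suffix_limit below 2^24 keeps the demonstration small."""
    for oui in ouis:
        for s in range(suffix_limit):
            mac = "%s:%02X:%02X:%02X" % (oui, (s >> 16) & 0xFF, (s >> 8) & 0xFF, s & 0xFF)
            if digest(mac) == target:
                return mac
    return None


# Constructed sample: two placeholder vendor prefixes and one device under the second.
SAMPLE_OUIS = ["00:1A:2B", "3C:4D:5E"]
DEVICE = "3C:4D:5E:00:00:2A"

if __name__ == "__main__":
    print("effective keyspace: 2^%.2f" % keyspace_bits())
    print("minutes to exhaust at 2^30 H/s: %.1f" % (seconds_to_exhaust() / 60))
    print("days to exhaust with 100k-iteration stretching: %.0f"
          % (seconds_to_exhaust(stretch_iterations=100_000) / 86400))
    print("unkeyed SHA-1 linked to:",
          link_hashed_mac(sha1_mac(DEVICE), SAMPLE_OUIS, suffix_limit=256))
    print("keyed HMAC, key unknown, linked to:",
          link_hashed_mac(keyed_mac(DEVICE, b"secret"), SAMPLE_OUIS, suffix_limit=256))
```

Run as a script it reports a 2^38.22 keyspace and about five minutes at the quoted rate; 100,000 iterations of stretching pushes that to nearly a year, which is exactly the production-side cost Mayer describes. The keyed variant stops outsiders from enumerating, but whoever holds the key can still link records, so it does not answer his third point that data tied to a particular device stays linkable.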

This story was updated on March 20 to add comments from Mayer.

Image from Flickr photos of Jerry Seaman

NSA Spying on Content of Foreign Phone Conversations

Threatpost for B2B - Wed, 03/19/2014 - 12:58

The latest in the slow but steady trickle of leaks dripping out of NSA whistleblower Edward Snowden reportedly shows that the U.S. spying agency has the capacity to recall entire foreign phone call conversations for as long as a month after the fact.

The program, according to a Washington Post report citing leaked documents and people with direct knowledge of NSA operations, is called MYSTIC. MYSTIC is a voice intercept program and it reportedly launched in 2009.

The database behind the program stores the contents of each phone conversation for one month, after which point the newest phone call conversation replaces the oldest one. According to the documents viewed by the Washington Post, MYSTIC’s “retrospective retrieval” tool reached its operational capacity in its first target country sometime in 2011. The NSA codename for that tool is RETRO.

The Washington Post withheld certain information from its report at the urging of U.S. officials who had expressed concern that the publication could potentially reveal the identity of the target nation in question. Separate planning documents written two years later suggest that the NSA may have initiated the program for use in other countries following its initial success. In fact, the report – citing information procured from secret intelligence budget documents – claims that MYSTIC provides “comprehensive metadata access and content,” from five different countries, with a sixth in the works. It is not clear whether the NSA has full voice intercept and recall capabilities in those countries.

In a summary of the program, the NSA reportedly described RETRO as having the capacity to “retrieve audio of interest that was not tasked at the time of the original call.” The report claims that while law enforcement analysts only listen to a small fraction of one percent of the total calls, they ultimately end up listening to the contents of a large number of conversations.

More specifically, the agency and its analysts are reportedly pulling and sending off millions of voice clippings – or “cuts” as they call them – from the contents of these phone conversations for permanent or long term storage every month.

A National Security Council spokeswoman, Caitlin Hayden, declined to comment specifically to the Washington Post. However, more broadly, she did say that threats are “often hidden within the large and complex system of modern global communications, and the United States must consequently collect signals intelligence in bulk in certain circumstances in order to identify these threats.”

NSA spokeswoman Vanee Vines scolded the newspaper in an email statement, saying that “continuous and selective reporting of specific techniques and tools used for legitimate U.S. foreign intelligence activities is highly detrimental to the national security of the United States and of our allies, and places at risk those we are sworn to protect.”

Present and former intelligence officials speaking under the condition of anonymity told the Washington Post that RETRO would certainly end up collecting the phone call contents of U.S. citizens in the country in which it was first rolled out. This – of course – means that MYSTIC and the tool behind it directly contradict claims made repeatedly by NSA officials and spokespeople, namely that they are not using their tools to spy directly on innocent U.S. citizens.

This latest revelation comes on the heels of another that suggested the NSA had mimicked Web servers belonging to the world’s most populous social network in order to pilfer information via man-on-the-side attacks. Facebook co-founder and CEO Mark Zuckerberg condemned the NSA for this behavior, which – for what it’s worth – the agency has denied.

On Monday, members of the infamous Church Committee (officially known as the United States Senate Select Committee to Study Governmental Operations with Respect to Intelligence Activities), penned a letter to President Obama and members of Congress urging them to form a committee to investigate the NSA. The Church Committee very famously investigated intelligence wrongdoings that became apparent following the Watergate scandal.

New Exploits Arrive for Old PHP Vulnerability

Threatpost for B2B - Wed, 03/19/2014 - 12:12

Close to two years ago, a serious vulnerability in PHP was accidentally disclosed after it was discovered months prior during a hacking contest. A patch was released in relatively short order, and one would assume that given PHP’s prevalence as a web development framework, the fix would have been applied just as quickly.

But given the discovery last October of a new set of exploits for CVE-2012-1823, that assumption may not be correct.

Researchers at Imperva have been watching attacks exploiting the PHP bug since Oct. 29. Attackers were using the new exploit to deliver arbitrary code to websites running PHP 5.3.x before 5.3.12 or 5.4.x before 5.4.2; those vulnerable versions account for about 16 percent of the sites on the web according to director of security research Barry Shteiman.

The new exploits were dangerous in that they allowed hackers to abuse an old vulnerability to not only run arbitrary code, but also adapt techniques found in botnets and crimeware kits to inject malware, steal credentials or system data from the server, or move laterally within the data center.

“Not only are we seeing a vulnerability used after it was released so long ago, but what we’re seeing is attackers and professional hackers understanding what vendors understand—people just don’t patch,” Shteiman said. “They can’t or won’t or are not minded to fix these problems.”

PHP is found on nearly 82 percent of websites today; these attacks target sites where PHP is running with CGI as an option, creating a condition that allows for code execution from the outside. Shteiman said the vulnerability affects a built-in mechanism in PHP that protects itself from exposing files and commands. A configuration flaw allows hackers to first disable the security mechanism, which in turn allows a hacker to run remote code or arbitrarily inject code.

“With the new exploit, it’s the same relative technique, but what we’ve seen is a lot of automation,” Shteiman said. “The tool that attacked these systems is running an interesting subset of dictionaries that requires an attacker know where PHP is installed on the server. We’ve seen attackers trying different paths to see which backend contains the [PHP] executable.”

The big-picture problem is the number of PHP websites still running vulnerable code despite the availability of a patch for close to two years now.

“PHP is installed as an interpreter,” Shteiman said. “Replacing the existing instance of PHP with a new one means downtime. Sometimes you may have to change applications because some things that are now deprecated may require application changes. For that reason, sometimes organizations don’t patch or go a different route. They might use a new framework instead.”

Original reports on the vulnerability triggered advisories from a number of organizations, including US-CERT. The bug is a relatively simple one; researchers found that when they passed a specific query string containing the -s switch to PHP in a CGI setup, PHP would interpret the -s as a command-line argument, resulting in the disclosure of the application’s source code. They extended their testing and found they could pass whatever command-line arguments they wanted to the PHP binary.
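The reason a query string reaches php-cgi as a command-line switch is a CGI convention: when a query string contains no unencoded `=`, the web server passes it to the script as argv, split on `+` and percent-decoded. That gives defenders a precise pattern to look for in access logs, which the following added example implements; it is my code, not Imperva’s or US-CERT’s, and the log lines are constructed (documentation-range addresses, not real clients).

```python
import re
from urllib.parse import unquote

# Combined-format access log line: client, identity, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_cgi_arg_injection(target):
    """True when the request target carries a query string that php-cgi would
    have treated as command-line switches: per the CGI spec a query string
    with no unencoded '=' is handed to the script as argv, and the PHP bug
    was that switches such as -s in that argv were honoured."""
    if "?" not in target:
        return False
    query = target.split("?", 1)[1]
    if "=" in query:          # name=value queries are never turned into argv
        return False
    # argv words are '+'-separated and percent-decoded, so %2Ds is still -s
    words = [unquote(w) for w in query.split("+")]
    return any(w.startswith("-") for w in words if w)


def scan(log_text):
    """Return (ip, target, status) for each log line matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cgi_arg_injection(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), m.group("status")))
    return hits


# Constructed sample log: one plain -s request, a percent-encoded variant against
# a guessed php-cgi path, and two benign requests that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Oct/2013:10:15:32 +0000] "GET /index.php?-s HTTP/1.1" 200 1532
198.51.100.7 - - [29/Oct/2013:10:16:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120
203.0.113.5 - - [29/Oct/2013:10:16:09 +0000] "GET /cgi-bin/php?%2Ds HTTP/1.1" 404 210
198.51.100.9 - - [29/Oct/2013:10:17:44 +0000] "GET /index.php?debug HTTP/1.1" 200 980
"""

if __name__ == "__main__":
    for ip, target, status in scan(SAMPLE_LOG):
        print("php-cgi switch injection attempt from %s: %s (status %s)" % (ip, target, status))
```

The 404 on the third line is the path-probing Shteiman describes: the attempt is worth recording even when the guessed php-cgi path does not exist. The same shape (a query with a leading `-` or `%2d` and no `=`) is what the mod_rewrite workaround published with the PHP 5.3.12/5.4.2 releases strips before php-cgi sees it, so this detector and that mitigation agree on what they match.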

“You’d think these bugs would be long forgotten, but it isn’t so; they’re like the undead. Vulnerabilities never die,” Shteiman said. “They don’t die and we realize if we see this executed by botnets trying to onboard servers and by crimeware kits being sold, that means attackers understand they can rely on old problems because people won’t fix them and attackers don’t have to work too hard.”

Full Disclosure Security Mailing List Shuts Down

Threatpost for B2B - Wed, 03/19/2014 - 11:00

The Full Disclosure security mailing list, which has been one of the main discussion forums for vulnerability and exploit information for 12 years, is shutting down because “‘one of our own’ would undermine the efforts of the last 12 years”, one of the creators said.

John Cartwright, one of the creators of the Full Disclosure list, posted a message on the list saying that he was suspending the list immediately because someone in the security community had asked that a large number of messages be removed from the list’s archive for an unspecified reason. Cartwright did not name the person who made the request, but said he was unwilling to take a “virtual hatchet to the list archives on the whim of an individual”.

When it began in 2002, Full Disclosure was an alternative to the Bugtraq list, which was moderated, something that annoyed some of the members. The new list was meant to be a more free-form discussion and it often included information on zero day vulnerabilities, along with exploit code, especially in the early days. Many software vendors were not too happy to have data on bugs in their products published on a mailing list, but in 2002, most of those vendors didn’t have established security response processes, bug-reporting guidelines or even email addresses to accept vulnerability advisories. Full Disclosure was a valuable source of information on vulnerabilities in all manner of software and hardware and many vendors over the years began posting their own advisories to the list.

The list had more than its share of trolls and troublemakers and it got the occasional legal threat from vendors. But Cartwright said he never thought that the reason he’d have to shut Full Disclosure down would be the actions of a member of the list and not a vendor.

“I never imagined that request might come from a researcher within the ‘community’ itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I’m done,” Cartwright wrote in his message.

“I’m not willing to fight this fight any longer. It’s getting harder to operate an open forum in today’s legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.”

Full Disclosure appeared on the scene at a time when many vendors were not paying a whole lot of attention to security and security researchers who found flaws in their products. Posting full details of a new bug for the world to see on the mailing list was one of the few methods researchers had to get vendors to pay attention and fix their software. Now, most major vendors have formal security response processes and deal directly with researchers on a regular basis, and some have lucrative bug bounty programs to reward them for their work.

And, for researchers who would rather go another route, they can simply post a link on Twitter or write a blog post and get the word out more quickly than sending a message to a mailing list.

“Most people I know unsubscribed from Full Disclosure a long time ago. The signal-to-noise ratio is very low, and these days vulnerability researchers have no need for traditional mailing lists to publish their findings. We have blogs and Twitter, not to mention hundreds of security conferences. I think many will be nostalgic about the early days of Full Disclosure, but closing the list will have no noticeable impact on the industry or our ability to share information,” said Chris Eng, VP of security research at Veracode.

The end of Full Disclosure puts a period at the end of that chapter in the security industry.

“I’m suspending service indefinitely. Thanks for playing,” Cartwright wrote.

Image from Flickr photos of Rianna_reo.

Windows Spy Tool Also Monitors Android Devices

Threatpost for B2B - Tue, 03/18/2014 - 17:10

Researchers have discovered that a commercial Windows-based spy program now comes equipped with capabilities for spying on Android devices as well.

GimmeRAT, a secondary component of Win-Spy, was spotted during an investigation into a targeted attack against a financial institution in the United States. Win-Spy is generally deployed against home PC users for remote monitoring and administration, but has also popped up in two separate targeted attacks.

“The Android tool has multiple components allowing the victim’s device to be controlled by another mobile device remotely over SMS messages or alternatively through a Windows-based controller,” said researchers at security company FireEye who discovered GimmeRAT. “The Windows-based controller is simplistic and requires physical access to the device.”

Remote access Trojans for Android are nothing new; Dendroid and AndroRAT are two that have been in circulation for some time. But this is the first time that a multiplatform Windows RAT featuring Android capabilities has been discovered.

“It’s more common a tool like this that is publicly available might be used,” said FireEye researcher Hitesh Dharmdasani. “Someone might want to use this tool to [avoid] getting into someone else’s radar. You might look at it as a publicly available tool and not think it’s malicious. The intent is what makes it malicious.”

FireEye said it also detected Win-Spy used in another targeted attack campaign where WinSpy was embedded in macro documents to kick off a spam campaign.

Win-Spy Software Pro v16 is the latest version and includes the new Android monitoring capabilities. The tool’s website promises users to be up and spying within five minutes and that the software package allows users to monitor local and remote PCs as well as Android mobile devices. Using Win-Spy, you can monitor email and FTP transfers, record keystrokes, monitor webcam and microphone activity and more.

Dharmdasani said FireEye had no visibility into the effectiveness of the respective campaigns, where they originated and would not say whether the bank was a customer or how it detected the attacks.

In a blog post on the attacks, FireEye said the command and control infrastructure used in the attack on the financial institution was owned by the WinSpy author who provides use of his servers for C&C and storage of exfiltrated data.

“This feature allowing shared command-and-control infrastructure advertently or inadvertently provides another level of anonymity and deniability for the attacker,” the researchers said.

Both attacks started with phishing campaigns; the financial institution was targeted with an infected attachment posing as a pay slip acting as a decoy while the RAT installed in the background. The second attack posed as Western Union and other money transfer-themed Excel documents.

Win-Spy supports, in addition to monitoring and data exfiltration, connectivity checks and transfer of victim and system information to the remote server. An attacker can also use it to open a backdoor for receiving and executing remote commands and for uploading and downloading additional files.

The new Android components also facilitate surveillance; there are three different apps that are part of the Android package.

“One of the applications requires commandeering via a windows controller and requires physical access to the device while the other two applications can be deployed in a client-server model and allow remote access through a second Android device,” FireEye said.

One component, GlobalService.apk, is used primarily for screen capture and sending screenshots to a remote server. A second component, GlobalNativeService, listens on a local socket for commands from the .apk file. There are also two remote controllers that work in concert to track a device’s location via GPS.

“These attacks and tools reaffirm that we live in an age of digital surveillance and intellectual property theft. Off-the-shelf RATs have continued to proliferate over the years and attackers have continued to increasingly use these tools,” the researchers said. “With the widespread adoption of mobile platforms such as Android, a new market continues to emerge with the demand for RATs to support these platforms.”

Sally Beauty Supply Acknowledges Breach of 25,000

Threatpost for B2B - Tue, 03/18/2014 - 16:01

Twelve days after acknowledging that someone attempted to breach its system, Sally Beauty Supply confirmed this week that an attacker was able to penetrate the company and make off with fewer than 25,000 records of its customers’ sensitive banking information.

The chain’s parent company Sally Beauty Holdings, Inc. posted a statement on its site Monday morning that it had detected an “unauthorized attempted intrusion” into its network back on March 5 and that it immediately recruited Verizon Enterprise Solutions to look into the incident.

Once engaged, Verizon discovered that “fewer than 25,000 records containing card-present (track 2) payment card data” had been accessed and possibly removed from the breached system. Track 2 data is the banking information most commonly parsed by ATMs and credit card checkers; it normally includes information about the user’s account and encrypted PIN.

The company confirmed in a FAQ that for this incident the stolen data includes customers’ names, credit or debit card numbers, and the three digit numbers on the back of cards known as the CVV. Sally Beauty claims it doesn’t store its customers’ PIN numbers, insisting that those shouldn’t be at risk and that the company doesn’t believe that customers’ social security numbers or dates of birth were breached either.

Sally Beauty Supply, a Texas-based distributor of professional beauty supplies with around 2,700 locations in North America, cited an ongoing investigation when asked to comment on any specifics regarding the breach’s scope.

“As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation.”

Until the investigation is wrapped up Sally Beauty Supply is asking customers to check their bank statements for fraudulent activity and remain vigilant of phishing attacks.

The confirmation follows a report from Krebs on Security’s Brian Krebs from earlier this month that hackers broke into Sally Beauty Supply’s system and stole as many as 282,000 cards from the retailer.

It was about two weeks ago that a handful of banks purchased some of those cards from the same fraud website that was also peddling cards stolen in the Target breach. The banks discovered the cards had been used at a Sally Beauty Supply store within 10 days prior, which tipped off the banks, and Krebs, who had been looking at the fraud site’s stolen data, to the connection.

Sally Beauty Supply photo via Brave New Films‘s Flickr photostream, Creative Commons

Wide Gap Between Attackers, BIOS Forensics Research

Threatpost for B2B - Tue, 03/18/2014 - 12:59

Vendors have made important strides in locking down operating systems, patching memory-related vulnerabilities and other bugs that could lead to remote code execution or give hackers a stealthy presence on a machine. As the hurdles get higher for the bad guys, the better ones will certainly look for other means onto a system.

In some cases, that involves attacking hardware, specifically BIOS and other firmware that loads during boot-up. Successful exploits at that level can give an attacker not only root-level access to a computer, but persistence that survives most mitigation attempts.

Admittedly, experts concede attackers are ahead of the research curve but there is a steady increase in security researchers looking at BIOS forensics with more than a passing curiosity.

“I think we are seeing a renewed interest in this area as it’s becoming obvious that sophisticated adversaries (such as nation states) have the technical prowess to develop agents that live in this domain,” said Corey T. Kallenberg, a researcher with MITRE.

Kallenberg, along with MITRE colleagues Xeno Kovah and John Butterworth, and Intel researchers Yuriy Bulygin and John Loucaides, spent close to four hours at the CanSecWest conference explaining the risks present in this security discipline and some of the tools—such as MITRE’s Copernicus—available to analyze BIOS and its successor UEFI to learn where the weak spots may be and what attackers are doing about it.

BIOS, Kallenberg said, presented a large barrier to entry with regard to research and reverse engineering because it is closed source and extremely complex. Vendors, for example, each had their own flavor, meaning researchers would have to do significant legwork just to understand how one system’s BIOS worked, Kallenberg said. That knowledge, he said, would not always transfer to the next system’s BIOS.

“UEFI has made BIOS reverse engineering somewhat easier, as significant portions of the platform firmware are now standardized,” Kallenberg said. “Despite this, one of the largest difficulties in operating in this domain is debugging.

“BIOS debugging requires expensive equipment and significant electrical engineering know-how,” Kallenberg said. “Also unlike conventional software research, it is entirely possible to permanently break, or ‘brick’, your computer due to an experiment gone-awry. These compounding issues make it non-trivial to start doing firmware research.”

Attackers, meanwhile, have used bootkits, or kernel-level rootkits, to attack code that launches at startup such as the Master Boot Record. These attacks aren’t limited to nation state use either; crimeware kits include some dangerous bootkits such as Rustock and TDSS. Once malware has a grip at this level of a system, it often passes pre-defined checks in order to attack further up the firmware chain and write code to the hard drive as it wishes.

“Attackers are significantly ahead of defenders in this area. This is because the information security industry is rarely driven by inherent flaws in their architectures, but instead driven by whatever is biting them the worst currently,” Kallenberg said. “There’s also the problem that it takes a lot of deep system knowledge to build detectors, and such people are in short supply, but if the commercial industry was sufficiently motivated they would be able to work with OEMs to perform BIOS security inspection.”

With the launch of Windows 8 in 2012, Microsoft required that the Trusted Platform Module chip be installed on all Windows machines going forward. TPM measures BIOS and UEFI activity and if any changes are present—changes that could have been introduced by malware—a clean version of the firmware is used instead. MITRE, however, demonstrated that TPM is vulnerable to replay attacks where an attacker could replay hashes known to be good, allowing him to install a bootkit yet still tell the TPM that all is well, Kallenberg said.

Here’s another area where significant gaps exist in research and forensics capabilities. Since the TPM cannot determine whether changes are good or bad, a knowledgeable analyst would still need a forensics tool to dump the flash contents and investigate the changes made to the firmware and determine whether they’re malicious, Kallenberg said.

“This problem with interpreting [TPM Platform Configuration Register] values is further compounded by the fact that OEMs are not supplying consumers with ‘golden PCR values,’” Kallenberg said. “In short, consumers have no idea what their PCRs should be. These issues make using a TPM-supported ‘Measured Boot’ to detect adversaries very difficult.”
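Measured boot comes down to a small amount of PCR arithmetic, and the problems Kallenberg describes fall out of it directly. The following is an added example (not code from the article, MITRE or any TPM stack) that models the TPM 1.2 extend operation in Python over constructed firmware stand-ins: it shows that a quoted PCR can only be judged against a published golden value, that a vendor update changes the PCR just as a bootkit does, and that a PCR equal to the golden value is not proof of a clean system when the measurement log was replayed, which is why a flash dump compared against a known-good image is still needed.

```python
import hashlib
from typing import Iterable, List

# Constructed stand-ins for the firmware stages a measured boot records
# (PEI core, DXE core, boot loader). Made-up bytes, not real firmware.
KNOWN_GOOD_FIRMWARE: List[bytes] = [
    b"constructed PEI core image, build 1",
    b"constructed DXE core image, build 1",
    b"constructed boot loader, build 1",
]
PCR_SIZE = 20  # TPM 1.2 PCRs are SHA-1 sized; a PCR is all zeros at reset

def measure(component: bytes) -> bytes:
    """SHA-1 digest of one firmware component: the value a measured boot extends into a PCR."""
    return hashlib.sha1(component).digest()

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA-1(PCR_old || digest). Order-dependent and not reversible."""
    return hashlib.sha1(pcr + digest).digest()

def extend_all(digests: Iterable[bytes]) -> bytes:
    """Fold a sequence of digests (a measurement log) into a PCR starting from the reset value."""
    pcr = bytes(PCR_SIZE)
    for digest in digests:
        pcr = pcr_extend(pcr, digest)
    return pcr

def measured_boot_pcr(firmware: Iterable[bytes]) -> bytes:
    """PCR an honest boot produces: each stage is hashed as it actually exists in flash."""
    return extend_all(measure(component) for component in firmware)

def golden_pcr() -> bytes:
    """The value an OEM would publish for this build: the 'golden PCR' the article says is missing."""
    return measured_boot_pcr(KNOWN_GOOD_FIRMWARE)

def pcr_matches_golden(observed_pcr: bytes, golden: bytes) -> bool:
    """The only judgement a verifier can make from PCRs alone: equal to a known-good value or not."""
    return observed_pcr == golden

def tampered_firmware() -> List[bytes]:
    """Constructed: the DXE stage has been replaced. Honest measurement exposes this."""
    firmware = list(KNOWN_GOOD_FIRMWARE)
    firmware[1] = b"constructed DXE core image, replaced"
    return firmware

def legit_update_firmware() -> List[bytes]:
    """Constructed: a vendor BIOS update. It changes the PCR too, so 'changed' is not 'malicious'."""
    return [c.replace(b"build 1", b"build 2") for c in KNOWN_GOOD_FIRMWARE]

def replayed_pcr(recorded_digests: Iterable[bytes]) -> bytes:
    """The limitation the article describes: if the TPM is fed a recording of known-good digests
    instead of measurements of the code that runs, the PCR equals the golden value whatever is in flash."""
    return extend_all(recorded_digests)

def flash_dump_diff(dumped_firmware: List[bytes], golden_image: List[bytes]) -> List[int]:
    """What a flash dump answers and a PCR cannot: which stages differ from the known-good image."""
    return [i for i, (a, b) in enumerate(zip(dumped_firmware, golden_image)) if a != b]

if __name__ == "__main__":
    golden = golden_pcr()
    recorded_log = [measure(c) for c in KNOWN_GOOD_FIRMWARE]  # digests captured from a clean boot
    print("golden PCR             :", golden.hex())
    print("known-good boot matches:", pcr_matches_golden(measured_boot_pcr(KNOWN_GOOD_FIRMWARE), golden))
    print("tampered boot matches  :", pcr_matches_golden(measured_boot_pcr(tampered_firmware()), golden))
    print("vendor update matches  :", pcr_matches_golden(measured_boot_pcr(legit_update_firmware()), golden))
    print("replayed log matches   :", pcr_matches_golden(replayed_pcr(recorded_log), golden))
    print("flash diff, tampered   :", flash_dump_diff(tampered_firmware(), KNOWN_GOOD_FIRMWARE))
```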

Apache Update Resolves Security Vulnerabilities

Threatpost for B2B - Tue, 03/18/2014 - 12:51

Apache has released version 2.4.9 of its ubiquitous HTTP web server (HTTPD), resolving two security vulnerabilities and a number of other bugs in the process.

The Apache Software Foundation is recommending HTTPD 2.4.9 over all previous versions.

The first patch fixes CVE-2014-0098, a cookie logging issue, by simplifying the cookie string parsing. Apache now logs only cookies that contain a value assignment; valueless cookies are ignored. As a result, the new version no longer segfaults when logging truncated cookies.

The second security bulletin closes off CVE-2013-6438, which – on unpatched systems – could potentially enable a denial of service condition. The bug existed in mod_dav, Apache’s Web Distributed Authoring and Versioning module. The fix does a better job of tracking the length of character data while removing leading spaces, and should eliminate the DoS risk posed by specially crafted DAV write requests in prior versions.

Stay tuned for Apache security update news in the future.

Threatglass Tool Gives Deep Look Inside Compromised Sites

Threatpost for B2B - Tue, 03/18/2014 - 11:04

Trying to enumerate the compromised sites on the Internet is a Sisyphean task. Luckily, it’s not a task that anyone really needs to perform any longer, especially now that Barracuda Labs has released its new Threatglass tool, a Web-based frontend that allows users to query a massive database of compromised sites to get detailed information on the malicious activity and the threats to visitors to those sites.

Barracuda has been using its technology to scan millions of Web sites every week, looking for malicious activity on legitimate sites. Typically, the tools scan the Alexa top 25,000 sites, along with other suspicious sites. The system hits the sites using a normal browser and waits to see what kind of actions the sites may take, looking for malicious activity such as sites serving exploits or trying to download files to visitors’ machines. Now, the company has built a GUI for this system and exposed it to the Web so that users and researchers can search the database, dating back to 2011, for current or historic compromise data.

Threatglass is set up to give users a variety of information about a given compromised site, including the number of URLs requested and whether the site downloads a binary. The tool also enables researchers to download a packet capture for a given site.

“Threatglass provides detailed information of what happened when visiting each of the infected websites on a given date, such as the screenshots of the browser, whether binary was downloaded or any emails were sent, and number of domains and objects requested. Meanwhile, the requested URLs and anomalous netflow information are presented on each of the infection incident reports. Most importantly, the network package captured during the whole visiting process is freely downloadable, which we’ve found to be well received by many security researchers in the community,” Barracuda Labs said in a blog post.

“With various representations of network traffic including DNS, HTTP, and netflow in both graphical and textual formats displayed to users, we believe that this tool can greatly help casual users to know which websites had been infected, explore how infected websites could damage their browsers and computers, and understand the trending volumes and impacts of malicious websites on the Internet.”

The site’s format also allows users to browse through the most recent group of compromised sites on the home page in a tiled format. The screenshots on the site are obscured until users manually move the window shade, mainly because a good portion of compromised sites contain adult content.

Barracuda Labs often comes across well-known, highly trafficked sites that have been compromised, including the recent example of Cracked.com, the popular humor site. The site, which is ranked in the Alexa top 300, was found to be compromised last fall and was still serving malware earlier this year. The malicious component on the site was serving exploits to visitors via JavaScript. Barracuda also discovered similar compromises of PHP.net and the Hasbro site.

Users of Threatglass also can submit suspicious URLs to Barracuda through the site.

 

Three Things to Take Away from CanSecWest, Pwn2Own

Threatpost for B2B - Mon, 03/17/2014 - 14:42

Browsers, brokers and BIOS: you could safely call that triumvirate the past, present and future of security, but you’d be wrong.

If last week’s CanSecWest conference and the Pwn2Own and Pwnium contests are indeed a point-in-time snapshot of the technical side of information security, then after last week it’s a no-brainer that all three merit more than a lackadaisical passing interest.

Researchers came to the Pwn2Own and Pwnium tables with an alarming rash of exploits for zero-day browser vulnerabilities. None was to be spared among the big four of Internet Explorer, Firefox, Chrome and Safari, each falling despite state-of-the-art mitigations and constant reminders about the threats posed by Web-based exploits and malware.

Experts also spent hours during the second day of CanSecWest painstakingly explaining detailed problems in device hardware, in particular how attackers can and will soon exploit weaknesses in bootloaders and machine BIOS in order to own systems. The controversy over the legitimacy of badBIOS did little to dissuade researchers from MITRE and Intel from coming to Vancouver and explaining how an attacker gaining access at this level of system architecture might as well take up permanent residency on a computer.

And then there are the brokers. While VUPEN founder and top boss Chaouki Bekrar may bristle at the notion of being labeled a broker, preferring instead “exploit vendor,” companies like his hover over events like this and over vulnerability research. Their presence is a reminder that high-level hacking is all about playing for keeps, and while $400,000 may be enough of a lure to burn some 0days on a public stage, imagine the deals cut behind closed doors.

On to the three B’s of CanSecWest and Pwn2Own:

Browsers: The greatest payoffs at Pwn2Own—aside from the $150,000 grand prize for Microsoft EMET bypasses—were for browser exploits. Vupen collected skins for zero-days in IE 11, Firefox and Chrome; it withdrew from a chance at a Safari takedown, but only after the Keen Team of China successfully bypassed the sandbox in the Apple browser. Browsers are hardened, but even with sandboxes and other mitigations in place, white hats are finding ways to sidestep those protections.

“Exploitation is harder. Finding zero-days in browsers is hard,” Bekrar said.

Researchers have to find one or more vulnerabilities and chain together exploits in order to beat the enhancements vendors have made; Bekrar said his team was able to find a Firefox zero-day, but only after running 60 million test cases through a fuzzer.

“That proves Firefox [Mozilla] has done a great job fixing flaws. The same for Chrome,” Bekrar said of the Google browser. “Chrome has the strongest sandbox; it’s even more difficult to create exploits for it.”

BIOS: Easily the headiest session track at CanSecWest, the threat to the boot-up process is real and it may be one area where researchers have a jump on attackers. What hackers covet, perhaps more than anything, is a persistent presence on a machine. Replacing a computer’s BIOS or Master Boot Record gives an attacker that nearly unbreakable grip on a computer.

Researchers from MITRE and Intel shared tales of sophisticated bootkits that execute before start-up and take advantage of signed checks built into the boot process to validate their presence and escalate all the way up to platform firmware. It’s a fatal infection, one that often lingers after the BIOS is re-flashed.

There’s plenty more to come on this, but one thing is for certain: Sharpen your skills around this discipline and prepare for an investment in people who are adept at BIOS and firmware security research and forensics.

Brokers: A few years back, there was the No More Free Bugs movement, a grassroots cause that clamored for vendors to pay up for bugs. While this didn’t exactly spawn the market that gave us the VUPEN and Endgame Systems of the world, it did draw them out from the shadows. Bugs are big business and companies such as these develop six- and seven-figure exploits for the exclusive purview of their customers. Bekrar says his customers are NATO governments and that he would not sell to an oppressive regime. This is, however, the new normal.

“We were trying to convince vendors to put bounties in place and no one accepted this,” Bekrar said. “We moved to another model which is a paid subscription model; the aim for us is the same, protect our customers.”

“I believe our industry is now normal business,” Bekrar said. “Now a lot of companies, most in the U.S., are doing the same research as Vupen and selling to government customers. It’s become common and nothing surprising. Not one of our exploits has ever been discovered in the wild. All of our customers use exploits in a targeted way for specific national security missions.”

*CanSecWest image via leduardo’s Flickr photostream

Google Patches Four Pwn2Own Bugs in Chrome 33

Threatpost for B2B - Mon, 03/17/2014 - 11:24

Now that the dust has settled after the Pwn2Own contest, the browser manufacturers are beginning to roll out patches for the vulnerabilities exploited by contestants. Google on Monday released fixes for a number of bugs in Chrome discovered and exploited during Pwn2Own, releasing new versions of the browser for Windows, Mac and Linux.

This year’s Pwn2Own, which runs in conjunction with the CanSecWest conference in Vancouver, showcased vulnerabilities and exploits in most of the major browsers, including Internet Explorer and Firefox, along with Chrome. The team from VUPEN, the French security and exploit-sales firm, took home several hundred thousand dollars in prize money from the contest, a good portion of it for demonstrating new bugs in Google Chrome. In addition to the prize money from the contest, Google also is paying its own rewards to the researchers who used new flaws in Chrome.

VUPEN earned a $100,000 reward from Google for its two Chrome vulnerabilities, and an anonymous researcher also earned $60,000 for two separate vulnerabilities. The flaws used in Pwn2Own that Google fixed in Chrome 33 are:

  • [$100,000] [352369] Code execution outside sandbox. Credit to VUPEN.
    • [352374] High CVE-2014-1713: Use-after-free in Blink bindings
    • [352395] High CVE-2014-1714: Windows clipboard vulnerability
  • [$60,000] [352420] Code execution outside sandbox. Credit to Anonymous.
    • [351787] High CVE-2014-1705: Memory corruption in V8
    • [352429] High CVE-2014-1715: Directory traversal issue

Patches for Internet Explorer and Firefox likely will take a little longer, as they’re on longer update cycles than Google, which typically pushes out new versions whenever significant security issues need to be fixed. Google security officials said that they plan to publish some details of the exploits used against Chrome in Pwn2Own in the coming weeks.

“We’re delighted at the success of Pwn2Own and the ability to study full exploits. We anticipate landing additional changes and hardening measures for these vulnerabilities in the near future. We also believe that both submissions are works of art and deserve wider sharing and recognition. We plan to do technical reports on both Pwn2Own submissions in the future,” Anthony Laforge of Google said in a blog post.

Former Church Committee Members See Need for New Group to Investigate NSA

Threatpost for B2B - Mon, 03/17/2014 - 10:35

In a letter sent to President Obama and members of Congress, former members and staff of the Church Committee on intelligence said that the revelations of the NSA activities have caused “a crisis of public confidence” and encouraged the formation of a new committee to undertake “significant and public reexamination of intelligence community practices”.

Although it may seem like the NSA’s activities have only recently come under public scrutiny, the agency first was dragged into the light in 1975 when reports surfaced that for decades it had had secret agreements with telegram companies to get copies of Americans’ international communications. The Church committee, formally known as the Senate Select Committee to Study Governmental Operations with Respect to Intelligence Activities, was formed to investigate the NSA’s methods and produced a report that took the agency to task for overstepping its bounds and expanding programs well beyond their initial scope.

“We have seen a consistent pattern in which programs initiated with limited goals, such as preventing criminal violence or identifying foreign spies, were expanded to what witnesses characterized as ‘vacuum cleaners,’ sweeping in information about lawful activities of American citizens. The tendency of intelligence activities to expand beyond their initial scope is a theme, which runs through every aspect of our investigative findings,” the committee’s final report said.

In the letter sent Monday to Obama and Congress, several former advisers to and members of the Church committee, including the former chief counsel, said that the current situation involving the NSA bears striking resemblances to the one in 1975 and that the scope of what the NSA is doing today is orders of magnitude larger than what was happening nearly 40 years ago.

“The need for another thorough, independent, and public congressional investigation of intelligence activity practices that affect the rights of Americans is apparent. There is a crisis of public confidence. Misleading statements by agency officials to Congress, the courts, and the public have undermined public trust in the intelligence community and in the capacity for the branches of government to provide meaningful oversight,” the letter says.

“The scale of domestic communications surveillance the NSA engages in today dwarfs the programs revealed by the Church Committee. Indeed, 30 years ago, the NSA’s surveillance practices raised similar concerns as those today.”

Signed by 15 former advisers and members of the committee, including Frederick A.O. Schwarz Jr., the lead counsel for the committee, the letter is addressed to Obama, Congress and the American public.

The findings of the Church committee eventually led to a number of changes in the way that intelligence agencies operated and the checks that were put in place to oversee their activities. One result was the formation of the permanent intelligence committees in the House of Representatives and the Senate, and another was the passing of the Foreign Intelligence Surveillance Act. FISA is one of the authorities that the NSA relies upon in order to conduct its surveillance operations, specifically the phone metadata program that was the first one revealed last year by Edward Snowden.

The former members of the Church Committee said that a new committee to oversee and investigate the NSA’s activities is a must if the American public is to ever have any trust in the agency and the intelligence community as a whole again.

“As former members and staff of the Church Committee we can authoritatively say: the erosion of public trust currently facing our intelligence community is not novel, nor is its solution. A Church Committee for the 21st Century—a special congressional investigatory committee that undertakes a significant and public reexamination of intelligence community practices that affect the rights of Americans and the laws governing those actions—is urgently needed. Nothing less than the confidence of the American public in our intelligence agencies and, indeed, the federal government, is at stake,” the letter says.

 

Is It Time for Certified ICS Security Specialists?

Threatpost for B2B - Fri, 03/14/2014 - 15:05

The information security field is full of certifications – CompTIA, GIAC, CHE, ISC2 CISSP, CISM – with a vast number of areas and directions within these families. In the industrial space, the most “unsecured” enterprise sector, the situation is completely different from the well-established information security practice found in most economies.

We have just a few known certifications related to Industrial (ICS/SCADA) security – IC32 from ISA99 and, recently, a GICSP, based on a SANS training course.

There were a number of hot debates recently in the Industrial Automation community about which of those two is better and whether either of them is good enough to ensure that the certified person can do a good job on Industrial Security.

In fact, I personally do not think either IC32 or GICSP is sufficient for people to be responsible for ICS cyber security.

More than that, I do not believe that one person could be fully responsible for security of a critical infrastructure, being skilled enough in both IT Security and Engineering. It takes a mixed team with enough knowledge overall to make the right decisions, and to safely walk through a “SCADA Triangle”.

What is the SCADA Triangle? The creator of the SCADA Triangle idiom is Jason Larsen from INL.

He made one of the most remarkable speeches during the latest S4x2014 conference. His talk focused on the potential staging of an attack on an industrial system, using a device with limited resources – having only 4 kilobytes of memory. This is not enough to record and replay data to fool the control room, hiding an attack from the operator. But he discussed some ways that could make such a hidden attack possible, particularly the DSP (digital signal processing) techniques that modulate the fake signal by using triangulation.

Jason’s keynote was full of technical details, which led to the tongue-in-cheek response from the audience: “OK, so we now understand that SCADA is a triangle”. Eventually it became a recurring joke during the entire four-day conference.

Jokes aside, today on many (not all, but many) industrial sites, we have a real SCADA Triangle.

The Bermuda SCADA Triangle describes people involved in the ICS security decisions, namely:

  • Engineers, who are often more afraid of security measures than of malware;
  • IT security people, who are most likely not allowed to go into or make decisions about industrial infrastructure;
  • CEOs, who don’t see how cyber security spending relates to revenues or why they should invest in it.

ICS security is typically lost in this triangle, in many cases without even clear decisions on how responsibility for ICS security has to be split between the teams and people inside the company.

Efficient ICS security is to be built by the above-mentioned team of people. So there is no such thing as a single professional certification. Instead, there are several things to be done:

1) Establish a common language and understanding between the decision-makers from CxO, engineers and IT. Change their perception of the problem. It’s not easy, as lectures and technical red/blue exercises are flawed: too long, too technical, boring, not for managers, failing to build “common language” at the “common sense” level.

A good example of how it gets solved is Kaspersky Industrial Protection Simulation (KIPS), a role playing game featuring a simulated water utility trying to accomplish its mission to produce and sell water to the community, while dealing with and resolving a number of unexpected cyber events.

I have seen it run at the ICS Cyber Security Conference, Cyber Security Malaysia and the Security Analyst Summit (so some of you have already played it as well); feedback ranged from “It was truly eye-opening and a number of the participants asked about setting up this game at their companies” to “We have to build a network of people based on affiliation and cooperation, and the KIPS is a perfect way to kick it off.”

So it is possible to sail through a SCADA Triangle safely, but it is an enormous task to make such mutual understanding among ICS-related decision makers happen worldwide.

2) Educate engineers on the basics of IT security.

This is what IC32 stands for. It is somewhat weak from a security specialist’s point of view, but it provides overall understanding to engineers.

3) Educate IT security professionals on ICS specifics.

This is also a very important part – we have security teams inside companies, security service providers and government agencies responsible for regulation/audit – but none of them understand the specifics of ICS (I run trainings on ICS/SCADA Security Basics for such entities). SANS ICS training (note that I have not yet been able to take the course personally) can also be helpful for providing such basics to security people, but I would not set the goal of having certification as creating “compliant”, “ready-to-go” ICS Security experts.

And once those people have more understanding of each other’s “playgrounds”, a company should form a team including both engineering and IT security specialists to make effective decisions on ICS security.

P.S.: After setting up the ICS security team decision-making process, there is still a big challenge on making all employees on the industrial site obey security rules so they do not become the weakest link. But that is another (big) topic to cover.

What do you think?

Vyacheslav Borilin is a business development manager at Kaspersky Lab and specializes in ICS security.