VANCOUVER – A revamped early random number generator in iOS 7 is weaker than its vulnerable predecessor and generates predictable outcomes.
A researcher today at CanSecWest said an attacker could brute force the Early Random PRNG used by Apple in its mobile operating system to bypass a number of kernel exploit mitigations native to iOS.
“The Early Random PRNG in iOS 7 is surprisingly weak,” said Tarjei Mandt, senior security researcher at Azimuth Security. “The one in iOS 6 is better because this one is deterministic and trivial to brute force.”
The Early Random PRNG is important to securing the mitigations used by the iOS kernel.
“All the mitigations deployed by the iOS kernel essentially depend on the robustness of the Early Random PRNG,” Mandt said. “It must provide sufficient entropy and non-predictable output.”
The PRNG launches at boot and provides entropy to various kernel exploit mitigations, Mandt said.
Those mitigations include physical kernel map randomization, stack-check guard, zone cookie protections, and kernel map randomizations. Those mitigations are important memory protections that keep the kernel safe from buffer overflow attacks and other exploits targeting how memory is allocated and where code is safely allowed to execute.
iOS 6’s PRNG, Mandt said, suffered from poor entropy sources and poor use of the seed data from which outputs were generated. As in its OS X counterpart, Mandt said, the PRNG in iOS 6 derived its outputs from Mach Absolute Time.
“It could return the same value over and over because it was reliant on clock information,” Mandt said.
This was supposedly addressed in iOS 7, where time-based correlation was avoided by switching to a Linear Congruential Generator (LCG). The iOS 7 LCG, Mandt said, combines four state generations per output, each contributing 16 bits; the lower three bits of each 16-bit piece are discarded because they are considered weak.
Mandt said there are well-known problems with LCGs, including serial correlation between successive outputs, which makes the internal state susceptible to brute-force recovery from observed outputs.
Mandt stressed that it is difficult to defend against an attacker who has already exploited an existing vulnerability in iOS or even OS X and is able to then monitor PRNG outputs.
“Having fewer state generations per output makes this less practical,” he said. “This prevents brute forcing of the internal state using a single output.”
Mandt also suggested Apple could avoid exposing weak bits by passing output through a tempering function or by choosing a PRNG with less correlation between outputs. Hardening the mitigations themselves could help too, he said; that could include XOR-encrypting stack cookies.
Mandt said he did not disclose the issue to Apple, representatives of which, he said, requested to see his slides 15 minutes before his presentation today.
“Quite a bit of mitigations rely on the PRNG,” Mandt said. “If the generator is broken, all of this is pretty much useless.”
VANCOUVER – It’s become a familiar walk for Chaouki Bekrar. Year after year at the Pwn2Own contest, the controversial Vupen founder is hustled from a small room in the basement of the Sheraton hotel to a suite several floors above. It’s a short journey from where a string of zero-day exploits are executed to where formal disclosure is made to the vendor in question. It’s also where payment is arranged, and on this day, exclusivity is promised to HP’s Zero Day Initiative.
Bekrar made this trek four times on Wednesday, earning close to $400,000 in the process and cementing his place as perhaps one of the most divisive people in security. Vupen, a French company, is well known as an exploit vendor, and its magnetic figurehead stands by his well-worn mantra that the zero-days they develop are exclusively for customers, a list that includes a number of NATO governments. Vupen, Bekrar said, will not sell zero-days to repressive regimes.
“I believe our industry is now normal business,” Bekrar said. “Now a lot of companies, most in the U.S., are doing the same research as Vupen and selling to government customers. It’s become common and nothing surprising.
“Not one of our exploits has ever been discovered in the wild,” Bekrar added. “All of our customers use exploits in a targeted way for specific national security missions.”
Vupen, like other research outfits, used to disclose zero-day vulnerabilities to vendors, but that changed in 2010 because most vendors were reluctant to support bug bounty programs or compensate bug hunters.
“We were trying to convince vendors to put bounties in place and no one accepted this,” Bekrar said. “We moved to another model which is a paid subscription model; the aim for us is the same, protect our customers.”
Now, Google, Facebook, Yahoo and many other technology companies have instituted some sort of bug bounty program. Microsoft’s take on bounties—paying for mitigation bypasses—was admittedly a shot across the bow of exploit vendors such as Vupen and a reaction to a growing trend of researchers no longer disclosing directly to Microsoft but instead through a broker.
“I’ve been working on this for a while and this is the first time the research told us that the majority of people were going through brokers,” said Microsoft senior security strategist Katie Moussouris in June when the program launched. “If we can find these holes as early as possible, we can protect against whole classes of attack. We don’t want to wait for a third party.”
Microsoft has paid out a pair of $100,000 bounties for bypasses of its ASLR and DEP mitigations in Windows. A similar program for Internet Explorer vulnerabilities—with smaller payouts—was also launched but only for a month.
“They have a bounty for techniques, however the number of techniques is limited,” Bekrar said. “So the scope of the bounty is pretty small.”
Bekrar and his team of Vupen researchers did earn a $100,000 payout today for the IE 11 zero-day. He said the Vupen exploit combined a use-after-free vulnerability with an “object confusion” bug to bypass the IE sandbox.
“It’s definitely getting harder to exploit browsers, especially on Windows 8.1,” Bekrar said. “Exploitation is harder and finding zero-days in browsers is harder.”
Vupen also successfully exploited Firefox, using another use-after-free bug to bypass the ASLR and DEP memory protections in Windows.
“The Firefox zero-day we used today we found it through fuzzing, but it required 60 million test cases. That’s a big number,” Bekrar said. “That proves Firefox has done a great job fixing flaws; the same for Chrome. Chrome has the strongest sandbox, so that’s even more difficult to create exploits for.”
Vupen has a Chrome zero day it plans to exploit tomorrow possibly for another $100,000. It is also registered for a try at Safari, but the Keen Team is first on the docket against Safari and depending on what happens there, Bekrar said Vupen may not try its Safari zero day. Vupen also withdrew a planned Java exploit that required a click-to-play bypass that offered a $30,000 prize.
Vupen also successfully exploited Adobe Reader and Flash running in Internet Explorer 11 on a fully patched 64-bit Windows 8.1 machine. Each of the Adobe exploits was worth $75,000.
The Adobe Reader exploit was the first successful entry of this year’s Pwn2Own. Vupen chained a heap overflow with a native PDF sandbox escape to beat Reader XI. The Flash exploit, meanwhile, required three zero-days, Bekrar said: a use-after-free, a JIT spray and a sandbox escape.
“The first motivation for coming to Pwn2Own is the challenge to show that even the most secure browsers and products can still be compromised,” Bekrar said, adding that all of the exploits used at Pwn2Own were developed for the contest and were not shared with customers beforehand.
Mozilla had a busy day with three zero-days disclosed against Firefox. Beyond Vupen, Mariusz Mlynski, a Polish researcher who has been credited with reporting dozens of Firefox bugs, and Juri Aedla, a frequent Chrome bug-finder, won $50,000 each for toppling the Mozilla browser.
More than 162,000 “popular and clean” WordPress sites were recently used in a large-scale distributed denial of service attack (DDoS) that exploited the content management system’s pingback feature.
While the WordPress team is aware of the issue, it’s not expected to be patched, as pingback is a default feature of WordPress rather than a flaw; mitigation will likely be left up to site owners.
Attackers abused sites that have the feature enabled. Pingbacks are XML-RPC requests that make it easy for blogs to cross-reference one another’s posts.
Daniel Cid, the CTO of security firm Sucuri, described the attack, which took down an undisclosed website belonging to one of the firm’s clients, in a blog post on Monday.
According to Cid, the attack used the application-layer (Layer 7) HTTP flood style of DDoS, which is harder to detect because the requests look like they’re coming from legitimate sites.
In this case they were legitimate sites, 162,000 of them, sending “random requests at a very large scale” to the target’s server, each one carrying a randomized query-string value that bypassed the site’s cache and forced a full page load every time, bogging the site down.
Unlike the NTP- and DNS-based reflection attacks that have dominated recent DDoS activity, this attack, also reflective in nature, used ordinary websites as its indirect sources. While WordPress sites were the reflectors abused this time around, experts say any site with a similar feature could technically be coerced into generating this kind of flood.
“We would likely have detected a lot more sites, but we decided we had seen enough and blocked the requests at the edge firewall, mostly to avoid filling the logs with junk,” Cid wrote.
Since the requests were POSTs to /xmlrpc.php, they’re easy to find in logs, so Cid is encouraging WordPress site owners to check theirs to ensure their sites aren’t being used to attack other WordPress sites.
Users can look through their logs for POST requests to the XML-RPC file, like the ones below:

220.127.116.11 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0A\x0A\x0Ahttp://fastbet99.com/?1698491=8940641\x0A\x0A\x0A\x0A \x0A yoursite.com\x0A \x0A \x0A\x0A\x0A"
18.104.22.168 - - [09/Mar/2014:23:21:01 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0A \x0A \x0A http://www.guttercleanerlondon.co.uk/?7964015=3863899\x0A \x0A \x0A \x0A \x0A yoursite.com\x0A \x0A \x0A\x0A\x0A"
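One way to do that check over a log file, as an added example rather than Sucuri’s scanner: parse each access-log line, keep the POSTs to /xmlrpc.php whose logged body calls pingback.ping, pull the URL the pingback would hit, and tally targets. The sample lines are constructed here in the shape of the lines above (documentation-range IPs, .example hosts); the body field is only present when the server or WAF logs request bodies, as Sucuri’s did.

```python
"""Scan access-log lines for pingback.ping calls and tally their targets.
Added example; the sample log lines are constructed, not real traffic."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined log format with an optional third quoted field holding the
# escaped request body (as in the Sucuri lines above).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<body>[^"]*)")?$'
)
# Body newlines are logged as the literal text \x0A, so a URL ends at a backslash.
URL_RE = re.compile(r'https?://[^\s\\]+')

SAMPLE_LOG = r'''
203.0.113.5 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0Ahttp://victim.example/?1698491=8940641\x0A\x0Ayoursite.com\x0A"
203.0.113.6 - - [09/Mar/2014:20:11:35 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Mar/2014:20:11:36 -0400] "POST /xmlrpc.php HTTP/1.0" 200 512 "-" "WordPress/3.8" "POSTREQUEST:\x0A\x0Awp.getUsersBlogs\x0A"
203.0.113.8 - - [09/Mar/2014:20:11:37 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0Ahttp://victim.example/?4410020=1123\x0A\x0Ayoursite.com\x0A"
203.0.113.9 - - [09/Mar/2014:20:11:38 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0Ahttp://other.example/blog/?9=9\x0A\x0Ayoursite.com\x0A"
'''.strip().splitlines()


def parse_line(line):
    """Split one log line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def pingback_target(entry):
    """Host a pingback.ping call would hit, or None if the entry is not one."""
    if entry is None or entry["method"] != "POST":
        return None
    if not entry["path"].startswith("/xmlrpc.php"):
        return None
    body = entry.get("body") or ""
    if "pingback.ping" not in body:
        return None
    m = URL_RE.search(body)
    return urlsplit(m.group(0)).hostname if m else None


def tally_targets(lines):
    """Count pingback.ping calls per target host; any non-zero count means
    this site is being used as a reflector against that host."""
    counts = Counter()
    for line in lines:
        host = pingback_target(parse_line(line))
        if host:
            counts[host] += 1
    return counts


if __name__ == "__main__":
    for host, n in tally_targets(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {host}")
```

Run it against a real log with `tally_targets(open("access.log"))`. Hits with many different query strings against one host are the signature of this attack. On the blocking side, WordPress exposes an `xmlrpc_methods` filter that a small plugin can use to unset `pingback.ping` from the method table while leaving the rest of the XML-RPC API in place, which is the “filter” approach Cid describes below.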
Site owners can also use a scanner the firm released this week to check whether a given WordPress site is participating in the DDoS.
If it is, Cid says the fix is either to disable XML-RPC pingback or to write a plugin that adds a filter blocking this kind of pingback. Users interested in how to do that can head over to Sucuri’s blog.
As Johannes B. Ullrich, chief technology officer at the SANS Technology Institute, adds, removing xmlrpc.php outright is not recommended, as it will “break a number of other features that will use the API.”
Google has fixed several serious security vulnerabilities in Chrome 33, just ahead of the Pwn2Own hacking competition at CanSecWest this week, which surely will reveal several more new bugs in the browser.
The company’s Chrome browser is always at the top of the target list for contestants in Pwn2Own, which rewards them with cash prizes for demonstrating exploits against previously unknown vulnerabilities in the major browsers. A team from VUPEN, along with individual researchers, is lined up to go after Chrome, Internet Explorer, Safari and Adobe Reader and Flash. Google also runs its own Pwnium contest in parallel with Pwn2Own and offers large rewards for new attacks against Chrome.
Pwn2Own is set to begin Wednesday and run through Thursday at the conference, and on Tuesday Google patched four high-risk flaws in Chrome.
 High CVE-2014-1703: Potential sandbox escape due to a use-after-free in web sockets.
Google likely will be releasing more patches for Chrome later this week as researchers demonstrate their new exploits.
An ever-shrinking number of vulnerable network time protocol (NTP) servers are being used with customized distributed denial of service (DDoS) toolkits to perform increasingly potent NTP amplification attacks.
According to the DDoS mitigation specialists at Prolexic, who issued a high-alert DDoS attack threat advisory this morning, high-bandwidth NTP amplification DDoS attacks are up 371.43 percent in the last 30 days. This increase comes despite a high level of awareness that vulnerable NTP servers can be exploited to amplify DDoS attacks and a concerted effort throughout the security community to decrease the number of such servers.
“During the month of February, we saw the use of NTP amplification attacks surge 371 percent against our client base,” said Stuart Scholly, a senior vice president and general manager of security at Akamai Technologies, which recently acquired Prolexic. “In fact, the largest attacks we’ve seen on our network this year have all been NTP amplification attacks.”
Not only did the overall number of NTP amplification attacks increase from January to February, but so too did the average peak bandwidth of DDoS attacks (up 217.97 percent) and the average peak volume of DDoS attacks (up 807.48 percent). In addition, such attacks are affecting more industries than ever, including the finance, gaming, e-commerce, Internet, media, education, software-as-a-service (SaaS), and security industries.
Perhaps the most abused feature of NTP is the monlist request. One of the more recent and commonly deployed DDoS toolkits sends monlist queries with the target’s address as the spoofed source, so that the NTP server’s own list of recent client connections – known as its monlist and containing as many as 600 IP addresses – becomes the payload delivered to the target site. While the method is not new, Prolexic says it is garnering wider use than it previously has.
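What a monlist exchange looks like on the wire, as an added example that is not Prolexic’s or ntpd’s code: a parser for the NTP mode-7 (private) header, a classifier that flags monlist queries and replies, and an amplification measurement. The header layout (rm_vn_mode, auth_seq, implementation, request, err_nitems, mbz_itemsize) and the codes IMPL_XNTPD=3, REQ_MON_GETLIST=20 and REQ_MON_GETLIST_1=42 are taken from ntpd’s ntp_request.h as I know it; the reply packets here are constructed with dummy entries so the example runs offline, and the 72-byte entry size is an assumption for the sample.

```python
"""Recognise NTP monlist queries and replies and measure the amplification.
Added example; packet layout per ntpd's mode-7 header, sample replies constructed."""
import socket
import struct

MODE_PRIVATE = 7
IMPL_XNTPD = 3
REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42
HEADER = struct.Struct("!BBBBHH")   # 8-byte mode-7 request/response header


def parse_mode7(pkt):
    """Header fields of a mode-7 packet, or None if pkt is not one."""
    if len(pkt) < HEADER.size:
        return None
    rm_vn_mode, _auth_seq, impl, req, err_nitems, mbz_itemsize = HEADER.unpack(pkt[:HEADER.size])
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(rm_vn_mode & 0x80),   # R bit: this is a reply
        "more": bool(rm_vn_mode & 0x40),       # M bit: more reply packets follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "implementation": impl,
        "request": req,
        "error": err_nitems >> 12,             # top 4 bits: error code
        "nitems": err_nitems & 0x0FFF,         # low 12 bits: entries in this packet
        "itemsize": mbz_itemsize & 0x0FFF,
        "payload": pkt[HEADER.size:],
    }


def is_monlist_query(pkt):
    h = parse_mode7(pkt)
    return (h is not None and not h["response"] and h["implementation"] == IMPL_XNTPD
            and h["request"] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1))


def is_monlist_reply(pkt):
    h = parse_mode7(pkt)
    return (h is not None and h["response"] and h["error"] == 0
            and h["request"] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1) and h["nitems"] > 0)


def build_monlist_query():
    """The classic 8-byte probe: version 2, mode 7, impl XNTPD, MON_GETLIST_1."""
    return HEADER.pack((2 << 3) | MODE_PRIVATE, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def build_monlist_reply(nitems, itemsize=72, more=False):
    """Constructed reply carrying nitems zeroed entries, for offline testing."""
    flags = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    return HEADER.pack(flags, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, nitems, itemsize) + b"\x00" * (nitems * itemsize)


def amplification(query, replies):
    """Bytes returned per byte sent, summed over every reply packet."""
    return sum(len(r) for r in replies) / len(query)


def probe(host, timeout=2.0):
    """Send one monlist query to a server you operate and measure what comes
    back: (reply packet count, amplification factor).  0 replies means safe."""
    query = build_monlist_query()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(query, (host, 123))
        while True:
            replies.append(sock.recv(1024))
    except socket.timeout:
        pass
    finally:
        sock.close()
    replies = [r for r in replies if is_monlist_reply(r)]
    return len(replies), amplification(query, replies) if replies else 0.0
```

A server that answers at all is the problem; the fix is `disable monitor` in ntp.conf or an ntpd new enough (4.2.7p26 and later) to drop monlist altogether. The same classifier, run on a flow capture at the edge, separates mode-7 reply floods from legitimate mode-3/4 time sync, which these packets do not carry.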
In its advisory, Prolexic notes that the ongoing effort to purge the Internet of vulnerable NTP servers is driving attackers to develop new tools that launch potent attacks with fewer servers. As the report makes clear, the remaining vulnerable NTP servers are more than capable of reaching crippling amplification levels.
In a lab environment, Prolexic simulated NTP amplification attacks and found that the method could amplify the bandwidth and volume of DDoS attacks by 300 times and 50 times respectively. The company notes that these tests reflect a “perfect storm” scenario and that real-world attacks would be less effective.
Researchers looking into the recently uncovered Turla, or Snake, cyber espionage campaign have discovered some similarities connecting it to older pieces of malware such as Agent.btz, the worm that several years ago infected U.S. military networks and eventually caused the Department of Defense to ban the use of USB drives. However, there is not enough evidence to suggest that the two pieces of malware were created by the same authors, researchers say.
Reports last week detailed the Turla malware’s infection of networks belonging to U.S. government agencies as well as some targets in Ukraine, the U.K. and some other European countries. The malware hides on infected systems, steals data and sends it off to a remote server, much like other cyber espionage tools. Turla seems to have been written by Russian-speaking authors, like Agent.btz and the Red October cyber espionage malware. Turla also uses the same XOR key and log file names as Agent.btz, suggesting a strong link between the two.
However, the details of the Agent.btz attack have been known publicly for six years now, including the specific log file names and even the XOR key, which was published in 2008 when the attack was discovered. Agent.btz, unlike Turla, was a self-replicating worm; it infected U.S. military networks and had the ability to jump to USB drives connected to compromised machines. After the attack was discovered and remediated, the Department of Defense prohibited the use of USB drives on its networks. Turla and Agent.btz have files with identical names, and Red October and Turla both use a file called “thumb.dd”.
With all of that detail known publicly, researchers say that there is not enough evidence to say conclusively that Turla is directly connected to Agent.btz or Red October.
“We cannot make such a conclusion based only on the listed facts”, said Aleks Gostev, Chief Security Expert at Kaspersky Lab. “All the information used by developers was publicly known – at least by the time of Red October and Gauss/Flame creation. First of all, it wasn’t a secret that Agent.btz used ‘thumb.dd’ as a container file to collect information about infected systems.
“Secondly, the XOR key used by developers of Turla and Agent.btz to encrypt their log files was also published in 2008. It’s unknown since when this key was first used in Turla, but we see it for sure in the latest samples of the malware (created in 2013-2014). At the same time, there is some data that Turla’s development started in 2006 – before any known sample of Agent.btz. Which leaves the question open.”
Researchers at Kaspersky Lab, who uncovered the Red October cyber espionage campaign, said it is possible that Red October was programmed to scan for the “thumb.dd” file on infected machines in order to steal whatever data Agent.btz had collected in it. Red October was a highly specialized tool designed to infect specific systems and steal data. Gostev said there are also some similarities between the Flame and Gauss malware and Agent.btz, including similar naming conventions. A possible explanation, he said, is that the authors of Flame and Gauss were familiar with the analysis of Agent.btz and adopted some of the same techniques.
“Summarizing all the above, it is possible to regard Agent.btz as a certain starting point in the chain of creation of several different cyber-espionage projects. The well-publicized story of how US military networks were infected could have served as the model for new espionage programs having similar objectives, while its technologies were clearly studied in great detail by all interested parties. Were the people behind all these programs all the same? It’s possible, but the facts can’t prove it,” Gostev said in his analysis of the Turla connection to other malware.
The open-source content management framework Joomla pushed out version 3.2.3 of its product last week, fixing a SQL injection zero-day vulnerability that could have let attackers steal information from databases or insert code into sites running the CMS.
While Joomla has disclosed little, a security notice on its site says the problem carried a high severity rating and affected versions 3.1.0 through 3.2.2 of the CMS before being patched on Thursday.
According to researchers at security firm Sucuri, the SQL injection vulnerability may be linked to an exploit published last month against the id parameter of the weblinks-categories component. The parameter appears to have “not escaped properly,” according to Sucuri’s CTO Daniel Cid. Cid goes on to reference the exploit-db.com description, writing that the vulnerability “seems very easy to exploit.”
Another write-up of the vulnerability, at scip VulDB, claims the problem is not only easy to exploit but can also be launched remotely and without authentication.
“Affected by this issue is an unknown function of the file /index.php/weblinks-categories. The manipulation of the argument id with the input value 0%20%29%20union%20select%20password%20from%20%60k59cv_users%60%20–%20%29 leads to a sql injection vulnerability. Impacted is confidentiality, integrity, and availability,” reads part of the vulnerability summary.
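To show what that URL-encoded argument does once it reaches an unescaped query, the following is an added example (not Joomla’s code): the payload quoted above, URL-decoded and run against an in-memory SQLite database, first through a query that interpolates the id parameter as a string, then through the parameterized replacement. The table names, the `k59cv_` prefix and the stored hash are constructed for the demonstration; only the payload comes from the page.

```python
"""The weblinks-categories id injection, reproduced against SQLite: an
unescaped query beside its parameterized fix.  Added example; the schema,
prefix and hash value are constructed, the payload is the one quoted above."""
import sqlite3
from urllib.parse import unquote

PAYLOAD = "0%20%29%20union%20select%20password%20from%20%60k59cv_users%60%20--%20%29"


def build_db():
    """Two constructed tables mirroring the ones the payload touches."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE k59cv_weblinks_categories (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO k59cv_weblinks_categories VALUES (1, 'Partners'), (2, 'Tools');
        CREATE TABLE k59cv_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO k59cv_users VALUES (42, 'admin', 'constructed-bcrypt-hash-for-admin');
    """)
    return conn


def decoded_payload():
    """'0 ) union select password from `k59cv_users` -- )' after URL decoding."""
    return unquote(PAYLOAD)


def category_titles_vulnerable(conn, raw_id):
    """Inadequate escaping: the request parameter is pasted into the SQL text.
    The leading '0 )' closes the original parenthesis, UNION appends a second
    SELECT with the same column count, and '-- )' comments out the remainder."""
    sql = "SELECT title FROM k59cv_weblinks_categories WHERE (id = %s)" % raw_id
    return [row[0] for row in conn.execute(sql)]


def category_titles_fixed(conn, raw_id):
    """Cast to the expected type, then bind the value; the database never
    sees attacker-controlled SQL text."""
    try:
        category_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    cur = conn.execute("SELECT title FROM k59cv_weblinks_categories WHERE id = ?", (category_id,))
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = build_db()
    print("decoded:", decoded_payload())
    print("vulnerable, id=2:", category_titles_vulnerable(db, "2"))
    print("vulnerable, payload:", category_titles_vulnerable(db, decoded_payload()))
    print("fixed, id=2:", category_titles_fixed(db, "2"))
    try:
        category_titles_fixed(db, decoded_payload())
    except ValueError as exc:
        print("fixed, payload:", exc)
```

The vulnerable path returns the password hash in place of a category title, which is the confidentiality impact the advisory describes; the `union select` trick needs the attacker to guess the column count and the table prefix, which is why the quoted payload names `k59cv_users` explicitly.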
On the release announcement for version 3.2.3 Joomla’s Production Leadership Team writes that its goal is to provide “regular, frequent updates,” to Joomla.
The fact that it took over a month to fix surprised Cid, however.
“What really shocked us is that Joomla took almost a month to release a patch for it.” Cid told PCWorld yesterday.
The Joomla update, which developers are encouraging users to apply immediately, also addresses two medium-severity core XSS vulnerabilities that likewise stem from “inadequate escaping,” along with an inadequate-checking problem that allowed unauthorized logins via Joomla’s Gmail login module.
Joomla was last forced to patch a zero-day last August, after attackers were spotted abusing sites running Joomla or WordPress, taking them over and redirecting users to the Blackhole Exploit Kit.
At the time it discovered the vulnerability, security firm Versafe reported that 57 percent of the attacks it had seen that year came from sites hosted on Joomla’s CMS.
UPDATE: a previous version of this story mistakenly stated that Microsoft’s March patch Tuesday would be the last one providing support for Windows XP. Windows XP’s last patches will in fact be shipped with next month’s patch Tuesday release.
Microsoft has finally pushed a fix for a stubborn and widely publicized Internet Explorer zero day vulnerability known to have been exploited in a number of recent attacks targeting the website of Veterans of Foreign Wars, a French aeronautical firm, and at least three other sites.
This fix is part of Microsoft’s March edition of Patch Tuesday, a five-bulletin affair resolving some 23 vulnerabilities of varying severity.
The top priority this month is – of course – the cumulative update to IE. This bulletin resolves one publicly disclosed bug and 17 privately disclosed ones. On unpatched systems, these vulnerabilities could let an attacker execute code remotely if a user is lured into visiting a maliciously crafted website. Upon successful exploitation, the attacker would gain the same rights as the victim; as always, users who browse with administrative privileges are at greater risk.
Among this group of vulnerabilities is the now-notorious IE zero day, which is precisely why this bulletin should be considered the highest priority for installation this month. Qualys CTO Wolfgang Kandek noted in an email to Threatpost that – if it weren’t for the zero day fix – one would likely consider this an uneventful patch cycle.
The second critically rated bulletin – also of high installation priority according to Kandek – resolves an issue in Microsoft DirectShow, a Windows-based API for streaming media content. This privately reported vulnerability could allow remote code execution if a user opens a specially crafted image file. Upon exploitation, the attacker would have the same rights as the user.
The few remaining important bulletins resolve two elevation of privilege bugs in the Windows kernel-mode driver, a security feature bypass flaw in the Windows Security Account Manager Remote (SAMR) protocol, and another security feature bypass problem in Microsoft Silverlight.
As a side note, this Patch Tuesday release pushes us one month closer to the end of an era: after April’s Patch Tuesday release, Microsoft will no longer provide security fixes for its more-than-a-decade-old and once-ubiquitous XP operating system. It’s well known that XP has for some time been marred by security vulnerabilities. Despite this, the operating system still commands 29.53 percent of the market, according to the market share statistics firm Net Marketshare.
“All of today’s bulletins apply to Windows XP and there is really no reason to expect any change in the near future: the majority of vulnerabilities found in the Windows OS and IE will apply also to Windows XP, but IT admins won’t have access to patches for these problems anymore,” says Kandek. “This will make any Windows XP machine an easy target for attackers, and within a few weeks, new tools will be developed that make these exploits widely available. Your best choice is to migrate away from Windows XP to a newer version of the operating system.”
Kandek cites different figures than Net Marketshare, claiming that his scans suggest that XP commands 14 percent of the operating system market. Whichever figure is most accurate – and 15 percentage points is a rather large gulf–entirely too many organizations and individuals are still running the archaic operating system, and things are only going to get worse for those people.
Attackers have increased their exploitation of an Internet Explorer zero day vulnerability (CVE-2014-0322) set to be fixed by Microsoft in its regularly scheduled patch Tuesday release later this afternoon.
According to a Websense report, the exploit source code deployed in at least two incidents – one targeting a French aerospace manufacturer and another targeting the website of Veterans of Foreign Wars – appears to have been made public. This publication and the subsequent addition of the zero-day to popular crimeware kits seems to have spurred the uptick, at least in part. As Websense notes, once exploit code like this goes public, generating attacks using it is essentially as easy as “copy and paste.”
Another factor contributing to the IE zero day vulnerability’s increased exploitation is likely the sheer amount of press it received, especially after researchers announced they would demonstrate a total bypass of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) at CanSecWest in Vancouver this week. This EMET bypass is both relevant and significant because the Redmond, Wash., computer giant urged its customers to install and run EMET as a temporary mitigation against this very same zero-day.
In addition to the two websites listed above, Websense reports that three others have been targeted using the same bug: hatobus[dot]co[dot]jp, a Japanese travel site hosted in Tokyo; english[dot]com[dot]tw, the site of a Taiwanese English school hosted in San Antonio, Texas; and chemistry[dot]hku[dot]hk, a Hong Kong University Chemistry Department website hosted in Hong Kong.
It all began with a typosquatted variant of giffo[dot]asso[dot]fr, the website of the French aerospace company. The attackers set up giffo[dot]assso[dot]net and hosted a malicious iframe there that led to another part of the same domain where the exploit was actually located.
Once this attack began garnering media attention, other criminals began copying it, deploying the same code on different lure sites with different payloads.
The other attacks were essentially copycats as well. Interestingly, in the case of the Taiwanese English school, the exploit was rather flagrantly hosted on the homepage of that website. The Hong Kong University Chemistry Department attack deployed redirecting iframes similar to those in the other incidents.
“It’s evident that the repercussions of exploit code of an unpatched vulnerability that found its way to the public domain can have quite an impact; exploit code that has been crafted for a targeted attack is virtually later on copied and used to drop crimeware binaries,” wrote Websense’s Elad Sharf. “We could see that the exploit code for CVE-2014-0322 was encompassed and served in a variety of ways as it “evolved” in scale: starting from being utilized on a cybersquatted lure website used in a low-volume and selected “under the radar” targeted attacks to being served through hidden iframes and exploit code that was directly placed on compromised websites with the ultimate aim to impact as many browsing users as possible with crimeware.”
Despite everything that has transpired in the last year, Edward Snowden sounded calm, reflective and in some ways wistful yesterday discussing the fallout and consequences of the multitude of NSA programs and methods he’s revealed. Snowden bemoaned the fact that the NSA specifically, and the intelligence community in general, have shifted their focus to offensive operations, implying that defense should be the focus. But now that those agencies have the tremendous offensive powers they’ve accumulated in the last decade, they’re never giving them back.
Whatever your feelings are about Snowden, listening to him speak about why he did what he did, what he hoped to accomplish and how he feels about the public reaction is informative. He spoke Monday for about an hour from an undisclosed location in Moscow and, while he touched on many subjects, Snowden returned several times to the idea that the NSA and other government agencies have hijacked the Internet for their own purposes, all in the name of protecting us from…something.
“The result has been an adversarial Internet, a global free-fire zone for governments. This is a global issue. They’re setting fire to the Internet,” Snowden said during a discussion at the South By Southwest conference.
In one sense he’s correct. Governments around the world are indeed using the Internet as a platform for offensive operations against foreign governments, terrorist groups and, in some cases, their own citizens. They’re hoarding zero-day vulnerabilities, developing sophisticated malware and building entire catalogs of hardware tools that can compromise every conceivable communications platform. Those are simply the facts. And the NSA is at the forefront of these operations. One part of the agency’s mission is to conduct offensive cyber operations against foreign targets, and the NSA is as good as it gets in that game.
“If you’re a target of the NSA, it’s game over no matter what,” said Chris Soghoian of the ACLU, who participated in the Snowden discussion.
That’s the part of the NSA’s mission that Snowden’s disclosures have centered on, the amazing technical capabilities and the large-scale surveillance programs. But Snowden said Monday that one of the big problems at the agency, where he worked as a contractor, is that the focus on offense has come at the expense of defense, which is the second half of the NSA’s mission. The agency is charged with defending the country’s electronic communications against foreign intruders, but Snowden argues that NSA Director Gen. Keith Alexander and his predecessor, Michael Hayden, made a conscious choice to minimize that mission in the years after 9/11.
“It was Michael Hayden and Keith Alexander in the post-9/11 era who made a very specific change. They elevated offensive operations over the defense of our communications,” he said. “This is a problem because America has more to lose than anyone else when an attack succeeds. It doesn’t make sense for you to be attacking all day and never defending your vault.”
But what Snowden didn’t say is that it was Congress who continued to hand new capabilities to the NSA–indeed it was eager to do so as part of the massive ramp-up of anti-terror programs after 2001. The Section 215 metadata and Section 702 intelligence-gathering provisions in the Foreign Intelligence Surveillance Act and USA PATRIOT Act, respectively, have given the NSA unprecedented ability to vacuum up massive amounts of data, and advances in technology have provided the capability to store and search that data for decades to come. And the deep bench of technical talent the agency has amassed has given it the ability to develop a wish list of spy tools, exploits and implants to do the targeted work that mass surveillance doesn’t accomplish.
Given those abilities, and more importantly, the legal authority to use them, the NSA is, of course, going to do so. If you have a Ferrari, you don’t leave it sitting in the garage, you drive the hell out of it. Technology advances, regardless of our desire for it to slow down sometimes, and, as Bruce Schneier often says, attacks only get better, not worse. And the NSA is the apex predator of this environment. The agency hasn’t abandoned its defensive mission, not by a long shot, but offense is sexy and provides tangible results to show the higher-ups.
Offense is the present and it’s also the future. And, to borrow a phrase, the future will retire undefeated.
Apple has fixed a slew of vulnerabilities that could lead to code execution on the iPhone, along with a number of other security vulnerabilities in the latest version of its mobile operating system, iOS 7.1. The new release comes just a little more than two weeks after Apple released iOS 7.06 to fix the SSL certificate validation error.
Unlike that release, which fixed just the one vulnerability, significant though it was, iOS 7.1 is a major security release containing patches for a large number of vulnerabilities in a bunch of different components. Webkit, the framework underlying Safari, got a major security upgrade in iOS 7.1, with Apple fixing 19 separate memory corruption issues. Nearly half of those vulnerabilities were discovered by the Google Chrome security team, and many of the 19 bugs were identified last year.
Among the code-execution vulnerabilities patched in the new release are a pair of buffer overflows in ImageIO, a library that enables the reading and writing of multiple image formats. Apple also fixed a code-execution flaw in the kernel caused by an out-of-bounds memory access in the ARM ptmx_get_ioctl function. There is also a fix for a vulnerability in the way that Office Viewer handled certain Microsoft Word documents.
Along with the more serious code-execution bugs, Apple also pushed out a fix for a vulnerability in the iTunes Store that could allow an attacker to trick a user into downloading a malicious app from the store.
“An attacker with a privileged network position could spoof network communications to entice a user into downloading a malicious app. This issue was mitigated by using SSL and prompting the user during URL redirects,” Apple said in its advisory.
There were patches for several other less-serious vulnerabilities, as well. The full list of fixes is included in the Apple advisory.
An ongoing investigative report has revealed that a man posing as a private investigator may have compromised millions of Americans’ personal and financial records from 2007 to 2013.
The news is the latest fallout from last year’s discovery that Experian, one of the “big three” national credit reporting agencies, indirectly sold consumer data to a Vietnamese national, Hieu Minh Ngo, 24, who was masquerading as a Singapore-based P.I.
Ngo pleaded guilty last week and Krebs on Security reporter Brian Krebs, who has been following the story since last year, acquired a transcript of his guilty plea proceedings, according to a post on his blog today.
According to those proceedings (.PDF) Ngo peddled that data through ID theft websites, giving more than 1,300 customers access to a cache of personally identifiable information (PII) belonging to 200 million Americans, including addresses, previous addresses, phone numbers, email addresses, dates of birth, along with the coup de grâce, their Social Security numbers.
Ngo’s customers ponied up around $1.9 million for about 3.1 million queries on Americans over the course of 18 months. The corresponding database, owned by Ohio-based U.S. Info Search, contained the information on 200 million U.S. citizens.
We learned the basics about the case back in October: Experian-owned entity Court Ventures, an aggregator of electronically available public records data, had a deal worked out with a third-party group, U.S. Info Search, that gave both firms complete access to each others’ databases. Using regular cash wire transfers from a bank in Singapore, Ngo was able to secure monthly access to that database.
While it’s unclear exactly how many Americans may have had their information compromised, Krebs theorizes that since each query exposed multiple records, information about a staggering number of citizens, perhaps as many as 30 million records, may have been divulged.
“At this point the government does not know how many U. S. citizens’ PII was compromised, although that information will be available in the near future,” U.S. Attorney Arnold H. Huftalen told Judge Paul Barbadoro in a U.S. District Court in New Hampshire last Monday, according to the report.
Huftalen added that because Ngo sold the information through identity theft websites, where customers could look up records by merely typing in an individual’s name and a state, it is much more difficult to arrive at an exact count of those at risk.
Ngo sold customers “fulls,” essentially batches of the information previously described, but also portioned out access to limited bits of information. Ngo charged individuals via Liberty Reserve, a Costa Rica-based currency service.
According to a U.S. Secret Service-led investigation, all of Ngo’s customers claimed they intended to “engage in criminal fraud,” and the government believes the “fulls” were used by carders, criminals who buy, sell, and trade stolen credit card data online, to take over identities, engage in bank, credit card and ATM fraud, and file fake U.S. personal income tax returns.
Experian hasn’t said much about the case, citing an ongoing federal investigation, but as Krebs notes, in a December hearing the company’s Senior Vice President of Government Affairs Tony Hadley did acknowledge the incident, stressing that the company didn’t find out until the U.S. Secret Service informed it.
“We were a victim, and scammed by this person,” Hadley told Missouri Senator Claire McCaskill at the time.
Hadley later indirectly admitted that the company knows that customers have had their identity stolen but still went on to downplay the incident, adding that “there’s been no allegation that any harm has come.”
A presenter at this week’s CanSecWest security conference has withdrawn his scheduled talk for fear the information could be used to attack critical infrastructure worldwide.
Eric Filiol, scientific director of the Operational Cryptology and Virology lab and CTO/CSO of ESIEA in France, pulled his talk on Sunday, informing organizer Dragos Ruiu via email. Filiol, a 22-year military veteran with a background in intelligence and computer security, said he has been studying the reality of cyberwar for four months and came to the decision after discussions with his superiors in the French government.
Filiol said he submitted the presentation, entitled “Hacking 9/11: The next is likely to be even bigger with an ounce of cyber,” to CanSecWest three months ago before his research was complete. Since his lab is under supervision of the French government, he was required to review his findings with authorities.
“They told me that this presentation was unsuitable for being public,” Filiol said in an email. “It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries).”
Filiol said his methodology—a combination of information gathered through open source intelligence means, mathematical modeling and infantry techniques—could damage critical infrastructure in the United States, and likely worldwide.
“With a small unit of around 10 people, it is possible in an invisible way to cause major national disruptions,” Filiol said.
Filiol said his research is now classified. “I will present it only to people of the French government in forthcoming days,” Filiol said.
Event organizer Ruiu announced Filiol’s withdrawal on Twitter yesterday, initially blaming the French Department of the Interior, the equivalent of the U.S. Department of Homeland Security, and the U.S. Department of Defense, for Filiol pulling out.
“I’d like to remind all concerned: Security by obscurity is not much security at all,” Ruiu tweeted.
Filiol said he gave in, not only for legal, but also moral reasons.
“Moreover aside the legal responsibility, I have to face a moral responsibility if someone was misusing [this] information against innocent citizens,” Filiol said. “The presentation was very precise with a lot of details. Of course I could not give those details, but it is the problem of proof and attendees would claim that my work was of theoretical interest only (it is often the way that decision-makers elude the real risks).”
Filiol’s talk is still listed on the CanSecWest agenda in its original time slot on Friday morning, but Ruiu said it will be replaced by a runner-up talk that organizers had originally turned away.
“So it is indeed censorship, but self-censorship inspired by legal and moral reasons,” Filiol said. “As long as full disclosure will be risky, then this kind of decision is preferable.”
The mass surveillance programs that he revealed through media leaks in the last year have not only compromised the privacy and security of Americans, but have damaged the country’s economy, Edward Snowden said in an interview Monday.
Snowden, the former National Security Agency contractor who stole untold numbers of agency documents last year and has been feeding them to the media, said that because the United States government–and others–have been treating the Internet as a surveillance platform, the network has become far less usable and safe.
“The result has been adversarial Internet, a global free-fire zone for governments. It’s not something we asked for or wanted,” Snowden said, speaking remotely from Russia to an audience at the South By Southwest conference. “This is a global issue. They’re setting fire to the Internet.”
Snowden seemed polished and calm, speaking deliberately and without hesitation. The session he participated in was moderated by Chris Soghoian, principal technologist at the American Civil Liberties Union, and Ben Wizner, director of the ACLU’s Speech, Privacy & Technology Project, and much of the discussion focused on the NSA’s use of mass surveillance techniques and what technologists and users can do to defend themselves. Asked whether the kinds of sweeping phone and Internet surveillance methods that the NSA uses are effective, Snowden said no.
“They’re not. We’ve reached a point where the majority of Americans’ phones are being recorded. We’ve got to think about what we’re doing with those resources,” he said. “What are we getting out of them?”
Soghoian, who has been a frequent vocal critic of the NSA and surveillance in general, said that not only is the government not helping citizens defend themselves online, it’s actively compromising the integrity of the network itself.
“What should be clear is that the government isn’t doing anything to make us secure. As a country, we have basically been left to ourselves,” Soghoian said. “The government has really been prioritizing its efforts on information collection. Our networks have been designed with surveillance in mind.”
Snowden and Soghoian both emphasized that the thing that gives users the best chance of protecting themselves against both the NSA and more banal online threats is the use of encryption.
“It’s protection against the dark arts. The government has assembled a massive investigative team into me personally and they still have no idea what documents I have, because encryption works,” Snowden said.
NSA officials, legislators and other government officials have criticized Snowden’s actions and said repeatedly that he has damaged the security of the country. Snowden said that Gen. Keith Alexander, the current NSA director, and Michael Hayden, his predecessor, are the ones who have done the real damage.
“It was Michael Hayden and Keith Alexander in the post-9/11 era who made a very specific change. They elevated offensive operations over the defense of our communications,” he said. “This is a problem because America has more to lose than anyone else when an attack succeeds. It doesn’t make sense for you to be attacking all day and never defending your vault. We rely on the ability to trust our communications and without that our economy can’t succeed.”
Snowden has been in exile in Russia for several months and faces federal prosecution if he ever returns to the U.S. But he said that he doesn’t have any regrets about what he did.
“What I wanted to do was inform the public so they could provide their consent for what we should be doing. The result is that the public has benefited, the government has benefited and every single society has benefited,” Snowden said. “When it comes to would I do this again, the answer is absolutely yes.”
Pinterest, the social image-sharing site known predominately for wedding planning and recipe dissemination, released its first transparency report on Friday. While the government – unsurprisingly – makes few requests of this most bubbly of social networks, the report seems to carry a broader message: If your company stores user data, the government is likely to ask for it at some point.
The company claims it received seven warrants, five subpoenas, and no other requests between July and December 2013. In all, government requests for user data affected just 13 accounts.
Only United States law enforcement agencies made requests of Pinterest and among those, 11 of the 12 requests were made by state and local rather than federal agencies. California made four requests, Florida made two, Utah made two, and New York, Oregon, and Wisconsin each made one request.
Pinterest claims its policy is to notify its users when the government comes asking for their data unless they are prohibited by law to do so. Only in three cases was Pinterest prohibited from informing their users.
“Also,” the company says, “while the vast majority of requests are straightforward and routine, there are some occasions where the nature, scope or content of the request is objectionable or defective in some way, in which case, we’ll reject the request.”
A quarterly breakdown in the report reveals that law enforcement requested user information more frequently in the third quarter than in the fourth.
Code audits are often ugly tasks and can sometimes find ugly things. Case in point: the GnuTLS goto bug.
Chief architect and Red Hat engineer Nikos Mavrogiannopoulos initiated a code audit of the open source crypto library that eventually turned up last week’s critical bug. The bad code has been present since 2005, meaning that for nearly a decade GnuTLS has not been properly verifying X.509 certificates: it mishandled certain errors and consequently reported some failed verifications as successful.
The upshot is that attackers with man-in-the-middle positioning could present a specially crafted certificate that would be accepted by GnuTLS giving them access to supposedly secure communication between parties.
“I was adding new features to the certificate validation procedure of GnuTLS. Then I noticed some issues and that was the point the full audit started,” Mavrogiannopoulos told Threatpost via email. “[The bug is] as serious as it could get.”
Veracode security researcher Melissa Elliott said the faulty code snippet in question is supposed to return either true or false depending on whether the certificate is valid; this convention is called a Boolean return code. The GnuTLS bug, however, involves functions that return specific error codes, some of them negative numbers, each signifying a different failure, she said.
“The mistake was that when one of these functions returned an error, it would be treated as though it were Boolean without changing the actual number. Under Boolean rules, anything that is not a zero is ‘true,’” Elliott said. “Hence, an error meant to indicate failure would be passed up the chain as ‘true’ (no error) instead of ‘false’ (error).”
Mavrogiannopoulos said the error was his and has been present since version 1.0.0.
The wonky code has been fixed and patches made available. Reportedly there are anywhere between 200 and 350 open source software packages, including a number of flavors of Red Hat Enterprise Linux, Debian and Ubuntu that make use of GnuTLS as a crypto library. It’s no OpenSSL in terms of deployment, but regardless, it’s still worrisome to many that such a problem existed for so long.
“It is distressingly easy to accidentally write a bug like this. It does not cause anything to crash. Full-featured C compilers can warn you about this bug, but the false positive rate (that is, instances where it can’t possibly do any harm) is high enough that most programmers are inclined to ignore them,” said Elliott. “Unfortunately, this is security-sensitive code, so the consequences of missing the one important warning in a list of benign ones can be catastrophic.”
GnuTLS is a volunteer-driven project, Mavrogiannopoulos pointed out, meaning that code gets reviewed and patched and updated as manpower is available.
“However, due to this incident I received mail from people that were interested in doing code review, so I’ve provided information to assist them (as an audit competition),” he said, providing additional details on the GnuTLS mailing list.
Experts such as cryptographer and Johns Hopkins professor Matthew Green said that there are an insufficient number of quality TLS code scanners available that could have helped catch this while in development.
“Clearly people need to run their TLS implementations through test harnesses and tools that may not exist yet,” Green said.
Veracode’s Elliott concurred.
“I think learning the lesson about code auditing is more important than fretting about the past exposure risk of this specific bug in this specific product,” Elliott said. “Any one library may have relatively few users but there are more bugs in more libraries, and cumulatively, all of us are exposed somewhere. Systematically flushing out the bugs will help all of us.”
Mavrogiannopoulos wrote in a separate post to the GnuTLS mailing list that the bug went unnoticed for so long because it cannot be detected by any certificate validation tests, including a certificate validation path suite developed for the Department of Defense and another developed in-house.
“That didn’t help with the issue either, because it requires a specially crafted certificate (and I’m not revealing more details on that yet),” Mavrogiannopoulos said, adding that the code audit was the only means available to catch something like this.
“As this code was on a critical part of the library it was touched and thus read, very rarely. Moreover, the code in question followed the usual form of error checking in the library ‘if(err<0) return err’, making it look correct, unless one would notice that the function returned a boolean value (and we have very few such functions in the library),” Mavrogiannopoulos said.
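The bug class Elliott and Mavrogiannopoulos describe above, the negative error code of a helper forwarded unchanged as the return value of a Boolean-returning verifier, is easy to reproduce in miniature. The following is an added C example written for this page; it is not GnuTLS code, and the `struct cert`, the `ERR_CERT_*` codes and the function names are constructed stand-ins. It shows the `if (result < 0) goto cleanup;` form that looks like ordinary error handling, the caller that treats any non-zero return as "valid", and the corrected version in which every error path explicitly yields false.

```c
#include <stdio.h>
#include <stdbool.h>

/* Constructed error codes in the "negative integer means error" style
   the article describes; they are not GnuTLS's own identifiers. */
#define ERR_CERT_BAD_SIGNATURE  (-43)
#define ERR_CERT_EXPIRED        (-44)

/* Stand-in for a parsed certificate: only the fields the check needs. */
struct cert {
    int signature_ok;   /* 1 if the issuer signature verified */
    int expired;        /* 1 if the validity period has ended */
};

/* Helper using the error-code convention: 0 on success, negative on failure. */
static int check_cert_fields(const struct cert *c)
{
    if (!c->signature_ok)
        return ERR_CERT_BAD_SIGNATURE;
    if (c->expired)
        return ERR_CERT_EXPIRED;
    return 0;
}

/* BUGGY: a Boolean-returning verifier (1 = valid, 0 = invalid) that forwards
   the helper's negative error code through its cleanup path. The check
   "if (result < 0) goto cleanup" reads like the library's usual error
   handling, but the function's contract is Boolean, so -43 leaves here
   as a non-zero, i.e. "true", result. */
int verify_cert_buggy(const struct cert *c)
{
    int result = check_cert_fields(c);
    if (result < 0)
        goto cleanup;       /* error: jump to cleanup with result = -43/-44 */
    result = 1;             /* all checks passed: true */
cleanup:
    return result;          /* on failure this returns a truthy negative number */
}

/* FIXED: the error path is mapped to the Boolean "false" before returning,
   so the negative code can never be mistaken for a successful verification. */
int verify_cert_fixed(const struct cert *c)
{
    int result = check_cert_fields(c);
    if (result < 0) {
        result = 0;         /* verification failed: false */
        goto cleanup;
    }
    result = 1;
cleanup:
    return result;
}

/* A caller in the style the article describes: under Boolean rules anything
   that is not zero is "true", so it accepts whatever non-zero value it gets. */
bool caller_accepts(int (*verify)(const struct cert *), const struct cert *c)
{
    return verify(c) ? true : false;
}

int main(void)
{
    struct cert bad_sig = { 0, 0 };   /* constructed: signature does not verify */
    struct cert good    = { 1, 0 };   /* constructed: valid certificate */

    printf("buggy verifier, bad signature: returns %d, caller accepts = %d\n",
           verify_cert_buggy(&bad_sig), caller_accepts(verify_cert_buggy, &bad_sig));
    printf("fixed verifier, bad signature: returns %d, caller accepts = %d\n",
           verify_cert_fixed(&bad_sig), caller_accepts(verify_cert_fixed, &bad_sig));
    printf("fixed verifier, good cert:     returns %d, caller accepts = %d\n",
           verify_cert_fixed(&good), caller_accepts(verify_cert_fixed, &good));
    return 0;
}
```

The point Elliott makes about compiler warnings applies here too: nothing in the buggy version is a type error, the negative value is a perfectly valid `int`, and the program never crashes, so a reviewer has to know that this particular function's contract is Boolean to see that forwarding the helper's code is wrong. A cheap structural defence is to keep the two conventions from meeting at all, for example by giving Boolean-returning functions a distinct type such as `bool` so that assigning an `int` error code to the return value stands out in review.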
It was five years ago when a group of computer security enthusiasts decided to gather together and organize a security conference mainly for a Spanish-speaking audience.
Last week RootedCon celebrated its fifth birthday, gathering more than 1,000 attendees. It is now firmly established as the most important security event in Spain.