When Cisco released a patch for several of its security appliances Thursday that eliminated the presence of hard-coded SSH host and private keys, the advisory had a distinct air of familiarity about it. That’s because the company released a patch for the same problem in one of its other major products almost exactly one year ago.
Archive for category virus and malware info
One of the longstanding problems in security–and the software industry in general–is the lack of any universally acknowledged authority on quality and reliability. But the industry moved one step closer to making such a clearinghouse a reality this week when Peiter Zatko, a longtime researcher and hacker better known as Mudge in security circles, announced he’s leaving Google to start an initiative designed to be a cyber version of Underwriters Laboratories (UL), the product safety certification body.
Zatko said on Monday that he had decided to leave Google’s Advanced Technology and Projects team and start a cyber UL, at the behest of the White House.
“Goodbye Google ATAP, it was a blast. The White House asked if I would kindly create a #CyberUL, so here goes!” Zatko said on Twitter.
The new project will not be run out of the White House, Zatko said, and the specifics of the plan are not clear right now. But the fact that someone with Zatko’s experience, history, and respect in the security community is involved in the project lends immediate weight and potential to it.
Zatko is one of the members of the L0pht hacker collective that formed in Boston in the 1990s, and the idea for something along the lines of this project took shape back then. John Tan, one of the members of the L0pht, wrote a paper describing a possible model for a “cyber UL” in 1999, an organization that would certify the reliability and quality of a security product. The paper describes a key problem in the security industry, a problem that still exists more than 16 years later: No one has a good way to prove the claims made by vendors.
“Similarly to early electrical inventions, today’s computer security products may introduce more harm than good when implemented by end users. While some of these products do what they claim, most do not. The lack of standards and meaningful certification has allowed the sale of products that are either intentionally or unintentionally snake-oil. While many of the products may solve old problems and inadvertently introduce worse ones, some just do not perform as advertised at all,” the paper says.
Describing the problem is one thing, and solving it is another thing altogether. Product testing and certification authorities for software and hardware have existed for many years, but they are sometimes seen as ineffective or beholden to the manufacturers whose products they are testing. Creating an independent organization that will perform these functions could solve much of this problem.
Zatko has a long record in the security community and has held a wide variety of positions in the last decade. Before joining Google, he worked at DARPA for several years, running a number of influential research programs, including Cyber Fast Track, which funded security research programs. Several high-profile researchers used grants from the CFT program to fund their research, including Charlie Miller and Chris Valasek for their ground-breaking work on the security of automotive systems, and Joe Grand for his work on deconstructing printed circuit boards. CFT also helped fund Miller’s research on NFC security and Moxie Marlinspike’s work on the Convergence system.
Two years ago, when he announced that the CFT program was ending at DARPA, Zatko said that the complexity of the security landscape makes defenders’ jobs progressively more difficult.
“When you see that more and more money is being invested and the problem is getting worse, people ask whether we should invest more or none at all,” he said during a talk at the CanSecWest conference in 2013. “Why are we not making progress? There’s a whole bunch of factors involved.”
Before moving to DARPA, Zatko spent many years at BBN Technologies, a pioneering technology company, and was a top researcher at @stake, the security consultancy and research company.
Amazon today released to open source its own TLS implementation called s2n, which stands for signal to noise.
While admittedly not meant to be a replacement for OpenSSL, for example, s2n is a slimmed-down crypto implementation analogous to libssl, the OpenSSL library that supports TLS. Amazon chief information security officer Stephen Schmidt said that s2n will soon be integrated into certain Amazon Web Services, and the experience will be seamless for users; no changes will be required to apps and none will be made that will affect interoperability, Schmidt said in a post on the AWS security blog.
“s2n is a library that has been designed to be small, fast, with simplicity as a priority. s2n avoids implementing rarely used options and extensions, and today is just more than 6,000 lines of code,” Schmidt said. “As a result of this, we’ve found that it is easier to review s2n; we have already completed three external security evaluations and penetration tests on s2n, a practice we will be continuing.”
The relatively small number of lines of code avoids the complexity—and subsequent bugs and security issues—that the OpenSSL team is dealing with, for example. OpenSSL, Schmidt said, has more than 500,000 lines of code, including 70,000 involved in TLS processing.
“Naturally with each line of code there is a risk of error, but this large size also presents challenges for code audits, security reviews, performance, and efficiency,” Schmidt said, adding that s2n has already undergone two external code reviews—one by a commercial security vendor—and has been shared with crypto experts in the security community.
OpenSSL, meanwhile, is on a recovery track after a rocky 18-month period during which Internet-wide vulnerabilities such as Heartbleed tore open the curtain on the frailty of the under-funded and under-resourced open source project. OpenSSL’s maintainers are in the midst of a sizable code cleanup and instituting formal processes for critical changes. Funding from the Core Infrastructure Initiative allowed OpenSSL to hire two full-time employees and fund help to handle bug reports, code reviews and changes.
s2n certainly attempts to steer clear of that kind of complexity, and to spare users the software upgrades and certificate rotations that accompanied Heartbleed and other Internet-wide bugs in the last year and a half, Schmidt said.
Documentation accompanying the source code, available on GitHub, says that s2n implements SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2. For encryption it supports 128-bit and 256-bit AES in CBC and GCM modes, 3DES and RC4, and it supports DHE and ECDHE key exchange for forward secrecy. Weaker or less desirable options such as SSLv3, RC4 and DHE are disabled by default, however. SSLv3, for example, was recently officially deprecated by the IETF; the protocol, long since supplanted by TLS, is what downgrade attacks such as POODLE fall back to, and it shares the CBC weakness that BEAST exploited. s2n does not include X.509 certificate parsing, so it is meant to be built against one of the OpenSSL-derived libraries for that, for example.
It also includes positive and negative unit tests and end-to-end test cases, Amazon said.
“One of the real challenges in existing TLS libraries like OpenSSL is that data structures and state flows are often difficult to test with automated tools,” said Kenneth White, a security researcher and director of the Open Crypto Audit Project. “By making unit and integration testing a first class citizen from the beginning, the AWS team is really promoting an emphasis on software quality assurance, and that benefits all their users.”
Amazon also said that s2n provides every thread with two random number generators.
“One for ‘public’ randomly generated data that may appear in the clear, and one for ‘private’ data that should remain secret,” the documentation says. “This approach lessens the risk of potential predictability weaknesses in random number generation algorithms from leaking information across contexts.”
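The public/private split above is a design pattern rather than an API, so the following added example (written for this page, not code from s2n or Amazon) shows what it looks like in a small Python program: a minimal HMAC-DRBG, two independently seeded instances per thread, and a TLS client drawing its ClientHello random from one and its pre-master secret from the other. The DRBG class, the `ThreadRandom` wrapper and the helper names are all constructed for illustration; a production generator would add reseeding, prediction resistance and zeroisation.

```python
import hashlib
import hmac
import os
import threading


class HmacDrbg:
    """Minimal HMAC-DRBG over SHA-256 (SP 800-90A construction).

    Constructed for this example: it omits the reseed counter, prediction
    resistance and zeroisation a production DRBG needs. Its role here is to
    show the public/private split, not to be a drop-in generator.
    """

    def __init__(self, seed: bytes, personalization: bytes = b""):
        self.key = b"\x00" * 32
        self.val = b"\x01" * 32
        self._update(seed + personalization)

    @staticmethod
    def _mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided: bytes = b"") -> None:
        self.key = self._mac(self.key, self.val + b"\x00" + provided)
        self.val = self._mac(self.key, self.val)
        if provided:
            self.key = self._mac(self.key, self.val + b"\x01" + provided)
            self.val = self._mac(self.key, self.val)

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.val = self._mac(self.key, self.val)
            out += self.val
        self._update()  # advance state so earlier output cannot be re-derived
        return out[:n]


class ThreadRandom:
    """Two independently seeded DRBGs per thread.

    `public` feeds values that will be transmitted in the clear (for example the
    32-byte ClientHello random); `private` feeds values that must stay secret
    (pre-master secrets, key material). Because the two generators never share
    state, an attacker who sees public output learns nothing about the private
    stream even if the generator itself turned out to be predictable.
    """

    def __init__(self):
        self._local = threading.local()

    def _pair(self):
        if not hasattr(self._local, "public"):
            self._local.public = HmacDrbg(os.urandom(32), b"public")
            self._local.private = HmacDrbg(os.urandom(32), b"private")
        return self._local.public, self._local.private

    def public_bytes(self, n: int) -> bytes:
        return self._pair()[0].generate(n)

    def private_bytes(self, n: int) -> bytes:
        return self._pair()[1].generate(n)

    def public_generator(self) -> HmacDrbg:
        """This thread's public generator object (used to show per-thread isolation)."""
        return self._pair()[0]


def handshake_material(rng: ThreadRandom) -> dict:
    """Draw the two kinds of randomness a TLS client needs from the right source."""
    return {
        "client_random": rng.public_bytes(32),      # sent in the clear
        "premaster_secret": rng.private_bytes(48),  # never leaves the host unencrypted
    }


def generators_across_threads(rng: ThreadRandom, count: int = 3) -> list:
    """Collect the public generator of the caller plus `count` worker threads."""
    gens = [rng.public_generator()]
    lock = threading.Lock()

    def worker():
        gen = rng.public_generator()
        with lock:
            gens.append(gen)

    threads = [threading.Thread(target=worker) for _ in range(count)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return gens


if __name__ == "__main__":
    material = handshake_material(ThreadRandom())
    print("client_random    ", material["client_random"].hex())
    print("premaster_secret ", material["premaster_secret"].hex()[:16] + "...")
```

The seeds come from `os.urandom` and the personalization strings differ, so the two streams are unrelated from the first byte; `generators_across_threads` shows that each thread gets its own pair rather than sharing one under a lock.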
Many smartphones manufactured by LG contain a vulnerability that can allow an attacker to replace an APK file with a malicious file of his choice.
The problem is the result of several conditions on LG phones. Like other manufacturers, LG includes custom apps on its handsets, which are not available through the normal Google Play store. The apps are pre-loaded and have a separate update mechanism that relies on contacting an LG server to download new code. Researchers at Search-Lab in Hungary found that the update process for these apps does not validate the TLS certificate presented by the update server, opening users up to man-in-the-middle attacks.
“Since new applications and/or application upgrades are installed through this channel in APK form without the need for any additional confirmation from the user, a malicious attacker can abuse the functionality to install arbitrary applications into the victim smart phones. These applications might use any permission (except the ones requiring signature by system key), effectively circumventing Android’s own platform security,” Search-Lab wrote in an explanation of the vulnerability.
The process is controlled on LG phones by the Update Center app, and when the app looks for new updates, it contacts the server at lgcpm.com. The app is designed to install updates automatically, and the researchers say that an attacker in a MITM position would be able to hijack the connection silently and replace a target app with a malicious one.
“When fetching new applications, the client looks for the ‘appUrl’ field, which holds a base64 encoded, encrypted URL. The encryption key is symmetric, it is based on the certKey field, which is part of the same message. Since there is no integrity protection applied to the messages, an attacker can intercept the update response and replace the value of appUrl with any arbitrary URL pointing to a potentially malicious APK,” the researchers said.
“This way the handset fetches the APK file controlled by the attacker without the user’s knowledge. This can even occur in the background, when the Update Center believes that a new version of an LG application is available.”
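To make the "encryption without integrity" point concrete, here is an added example (written for this page, not Search-Lab's or LG's code) that models the update exchange in Python. The advisory does not name the cipher, so a keyed keystream built from HMAC-SHA256 stands in for it; the attack does not depend on which cipher was used, only on the key travelling in the same message as the ciphertext and nothing binding `appUrl` to the vendor. The hardened client is also illustrative: an HMAC under a key held by the client stands in for the asymmetric signature a real fix would use (alongside proper TLS certificate validation and an APK signer check), and the `ALLOWED_HOSTS` set and field names are assumptions.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: HMAC-SHA256 in counter mode, XORed over data.
    Assumption for this example; the advisory does not name LG's cipher, and
    the weakness shown does not depend on which one it was."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def derive_key(cert_key: str) -> bytes:
    return hashlib.sha256(cert_key.encode()).digest()


def encode_app_url(url: str, cert_key: str) -> str:
    return base64.b64encode(keystream_xor(derive_key(cert_key), url.encode())).decode()


def decode_app_url(app_url: str, cert_key: str) -> str:
    return keystream_xor(derive_key(cert_key), base64.b64decode(app_url)).decode()


def server_response(url: str, cert_key: str) -> dict:
    """What the update server sends: the key rides alongside the ciphertext."""
    return {"appName": "com.lge.example", "version": "2.0.1",
            "certKey": cert_key, "appUrl": encode_app_url(url, cert_key)}


def vulnerable_client(response: dict) -> str:
    """Mirrors the flaw: decrypts appUrl with certKey from the same message and
    trusts the result. Nothing ties appUrl to the vendor."""
    return decode_app_url(response["appUrl"], response["certKey"])


def mitm_tamper(response: dict, evil_url: str) -> dict:
    """An on-path attacker (the TLS certificate was never validated) re-encrypts
    a URL of their choosing under the certKey already in the message."""
    forged = dict(response)
    forged["appUrl"] = encode_app_url(evil_url, response["certKey"])
    return forged


# Hardened side. HMAC with a key the client holds stands in for a vendor
# signature; a real deployment would verify an asymmetric signature (as APK
# signing does) so that extracting the app does not yield a signing key.
VENDOR_KEY = b"vendor-signing-key-embedded-in-client-example"
ALLOWED_HOSTS = {"lgcpm.com"}


def canonical(fields: dict) -> bytes:
    return json.dumps({k: fields[k] for k in ("appName", "version", "certKey", "appUrl")},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_response(response: dict, key: bytes = VENDOR_KEY) -> dict:
    signed = dict(response)
    signed["sig"] = hmac.new(key, canonical(response), hashlib.sha256).hexdigest()
    return signed


def hardened_client(response: dict, key: bytes = VENDOR_KEY) -> str:
    expected = hmac.new(key, canonical(response), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response.get("sig", "")):
        raise ValueError("update manifest failed integrity check")
    url = decode_app_url(response["appUrl"], response["certKey"])
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError("download URL outside vendor allowlist: %s" % url)
    return url


def hardened_accepts(response: dict) -> bool:
    try:
        hardened_client(response)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    legit = sign_response(server_response("https://lgcpm.com/apps/update.apk", "k-2015-06"))
    forged = mitm_tamper(legit, "https://attacker.example/evil.apk")
    print("vulnerable client fetches:", vulnerable_client(forged))
    print("hardened client accepts forged manifest:", hardened_accepts(forged))
```

The forged message decrypts cleanly because the attacker reused the very `certKey` the message carried, which is why confidentiality alone buys nothing here; the integrity check fails the moment any covered field changes, and the allowlist catches a signed-but-misdirected URL as well.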
Search-Lab reported the vulnerability to LG in November and said that the vendor plans to fix the bug only in new handsets and won’t push a fix to existing phones. As a workaround, they recommend turning off the “Auto app update” function on affected LG handsets.
“Since smart phone vendors need approval of carriers for every single application update and in this case most of LG’s products are affected; LG made a business decision and they don’t provide the fix for most of their customers, at least ‘for the time being’,” Imre Rad of Search-Lab said by email.
LG officials said they are looking into the details of the report.
Authorities in six different countries worked together to take down a cybercrime ring which ultimately infected tens of thousands of computers with Zeus and SpyEye malware and made off with roughly $2.25 million from banks in the process.
Europol and Eurojust joined forces to take down the group, based largely in Ukraine, that was believed to have been developing and distributing Zeus and SpyEye banking malware.
“The cybercriminals used malware to attack online banking systems in Europe and beyond, adapting their sophisticated banking Trojans over time to defeat the security measures implemented by the banks,” Europol said in a press release published Thursday.
The action, carried out on June 18 and 19, resulted in the arrest of five suspects, stemming from eight house searches in four different Ukrainian cities. Europol clarified that the action was part of a lengthy investigation dating back to 2013 and that so far it’s tallied “significant operational successes” in Belgium, Estonia, Finland, Latvia, and the Netherlands, in addition to Ukraine.
The criminals targeted banking systems in Europe and used malware to harvest credentials and compromise bank account information, according to Europol.
“This was a very active criminal group that worked in countries across all continents, infecting tens of thousands of users’ computers with banking Trojans, and subsequently targeted many major banks.”
Zeus and SpyEye are some of the oldest banking Trojans still making the rounds. Countless iterations of the malware have existed since at least 2009, but neither seems to want to fade away completely.
One of SpyEye’s masterminds, Aleksandr Andreevich Panin pleaded guilty in January 2014 after he was caught flying through Atlanta in 2013 – but the malware has persisted and continues to be sold in underground marketplaces.
It’s the latest in a lengthy line of takedowns from Europol and JIT, a joint investigation team comprised of investigators and judicial authorities from Austria, Belgium, Finland, the Netherlands, Norway and the United Kingdom. This particular investigation was launched in 2013 and has totaled 60 arrests to date, 34 of them made as part of a ‘money mule’ sting carried out by Dutch authorities.
In April Europol worked alongside the FBI, the DHS, and Dutch authorities to take down Beebone, a collection of polymorphic bots that infected machines via removable drives.
The urgency to patch Adobe Flash Player installations ramped up over the weekend when exploits for a recently patched zero-day vulnerability were found in the Magnitude Exploit Kit.
French researcher Kafeine said on Sunday that a sample he encountered was dropping two instances of Cryptowall ransomware against a Windows 7 computer running Internet Explorer 11. Cryptowall is a strain of ransomware that encrypts files on a victim’s computer and demands a ransom, generally paid in Bitcoin. The FBI last week said that consumers have reported losses of more than $18 million related to Cryptowall infections.
An emergency out-of-band update for Flash was released June 23 that patched a vulnerability being exploited in targeted attacks by a group linked to China, said security company FireEye.
Flash vulnerabilities are a favorite attack vector for criminal hackers and nation-state groups because of the player’s ubiquity on Windows machines especially. These groups are moving quickly in developing exploits for patched vulnerabilities; Kafeine said it took only four days for this one to show up in Magnitude, for example.
This vulnerability should be prioritized because it has been publicly exploited since at least the start of June, leaving users exposed for nearly three weeks before the patch, researchers at FireEye said.
The group responsible, dubbed APT3 by FireEye, has used its exploits to target critical industries such as aerospace and defense, construction and engineering, high tech companies, telecommunications and transportation organizations. Researchers said the attackers are casting a wide net with phishing emails that look more like spam-type messages soliciting low-cost Apple gear. A link in the messages points to websites controlled by the APT group that host the Flash exploit, which drops a backdoor known as SHOTPUT used to move stolen data off infected machines. The group, which is believed to be behind last year’s Clandestine Fox operation, primarily covets intellectual property.
“Any time one of these groups is using a zero day and casting such a wide net, it’s pretty significant, especially since the activity started in early June and a patch was not released until today,” FireEye intel operations manager Mike Oppenheim told Threatpost last week. “That’s a big window, and possibly tons of victims affected.
“For victims that have been exploited, they are fast to move,” Oppenheim said. “If you’ve already been exploited, they are already moving along with lateral movement in the network, grabbing credentials and dropping more backdoors.”
Now that criminals have absorbed the exploits into Magnitude, they expect to turn a profit against unpatched machines by infecting them with Cryptowall, fast becoming one of the most prolific crypto-ransomware tools in use.
Close to three weeks ago, the SANS Institute warned that it was observing a spike in Angler Exploit Kit traffic containing Cryptowall 3.0 ransomware. The same group, SANS said, could also have been behind a simultaneous spam campaign pushing the same version of Cryptowall. Cryptowall 3.0 encrypts files stored on a compromised computer and demands a ransom, usually $500 payable in Bitcoin, in exchange for the key needed to decrypt them. The malware uses numerous channels to communicate and send stolen data to its keepers, including the I2P and Tor anonymity networks.
Amazon last week patched three vulnerabilities in its Fire smartphones, including two in its Certinstaller package that put devices at risk.
An attacker could take advantage of the vulnerability in the package, which allows mobile apps to install certificates on Amazon Fire devices without user interaction. Encrypted traffic that does not make use of certificate pinning could be hijacked by an attacker sitting in a man-in-the-middle position, researchers at MWR Labs said.
One of the vulnerabilities, MWR Labs said, allows for the silent installation of certificates while the other fails to properly check the UID. On Android, a UID is the Linux user ID assigned to each installed app (or, in the case of myUserID(), the Android user profile the caller runs under), and the platform relies on it to decide which callers may perform a privileged operation such as installing a certificate; checking the wrong identity lets an unprivileged app through.
The third vulnerability addressed involves Secure USB Debugging, which was not enforced on devices until last week’s updates. Added in Android 4.2.2 (Jelly Bean), Secure USB Debugging allows only hosts whose RSA key the user has explicitly accepted to connect to a phone via the Android Debug Bridge (adb).
Of the three bugs, the two Certinstaller issues are much more worrisome since they put supposedly secure traffic and communication at risk of interception. MWR Labs points out, however, that although user interaction is not required to install a new certificate, the user is presented with a notice informing them that a new cert has been installed.
“Users are advised to only install applications from trusted sources and exclusively make use of trusted networks,” MWR said in its advisory. “Users that notice any notifications regarding ‘Certificate Installed’ should immediately remove the certificate and uninstall any possibly malicious applications that were recently added.”
Amazon was notified in January of all three security issues and addressed each in an update to the Fire OS last week; users should update to Fire OS 4.6.1.
MWR Labs explains in its advisory that vulnerable versions of the Fire OS incorrectly use the myUserID() function, allowing silent installations of certificates. The failure of this check would allow an attacker on the network to decrypt traffic, redirect it, or trick users into installing a malicious APK file.
The Secure USB Debugging vulnerability is less severe. The Amazon Fire Phone, prior to last week, did not enforce Secure USB Debugging. An attacker exploiting this issue would gain access to the Android Debug Bridge and install malicious applications, bypass the lock screen, access a shell on the device, or steal application data, MWR Labs said in its advisory.
“The device never prompts users to accept new hosts and it is possible to connect via adb even when the device is locked,” MWR Labs said, adding that temporary workaround involves disabling USB Debugging.
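The MWR advisory notes that traffic protected by certificate pinning survives a silently installed CA, because pinning checks the server's key rather than who signed its certificate. The following added example (written for this page, not Amazon's or MWR's code) shows the mechanics in Python: a minimal DER walker that pulls the SubjectPublicKeyInfo out of a certificate, an HPKP-style `base64(SHA-256(SPKI))` pin, and a check that runs after `ssl` has done the normal handshake. The test certificates are constructed in the block with placeholder keys and a filler signature; the parser reads only the fields pinning needs and verifies nothing else, so in production it sits after, not instead of, the library's chain validation.

```python
import base64
import hashlib
import ssl


def der_tlv(tag: int, body: bytes) -> bytes:
    """DER encode one tag-length-value (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, body, end) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(body: bytes):
    """Split a constructed body into (tag, raw_tlv_bytes) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = der_read(body, pos)
        out.append((tag, body[pos:end]))
        pos = end
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 certificate.

    Walks Certificate -> tbsCertificate, skips the optional [0] version, then
    serialNumber, signature, issuer, validity and subject to reach the SPKI.
    Only what pinning needs is parsed; the signature is not checked here.
    """
    tag, cert_body, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_body, _ = der_read(cert_body)
    if tbs_tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:  # [0] EXPLICIT version present
        fields = fields[1:]
    spki_tag, spki_raw = fields[5]
    if spki_tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not where expected")
    return spki_raw


def pin_of_spki(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def spki_pin(cert_der: bytes) -> str:
    return pin_of_spki(extract_spki(cert_der))


def pin_matches(cert_der: bytes, pins: set) -> bool:
    """True if the leaf's public key is one we expect, regardless of which CA
    (including a silently installed one) signed the certificate."""
    return spki_pin(cert_der) in pins


def check_socket_pin(tls_sock: ssl.SSLSocket, pins: set) -> None:
    """After a normal TLS handshake, refuse to talk unless the leaf key is pinned."""
    if not pin_matches(tls_sock.getpeercert(binary_form=True), pins):
        raise ssl.SSLError("server key does not match pinned SPKI")


# Constructed test material: placeholder EC public keys, no valid signature.
_EC_ALG = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a8648ce3d0201"))        # ecPublicKey
                        + der_tlv(0x06, bytes.fromhex("2a8648ce3d030107")))   # prime256v1
SAMPLE_SPKI_SERVER = der_tlv(0x30, _EC_ALG + der_tlv(0x03, b"\x00\x04" + b"\x11" * 64))
SAMPLE_SPKI_MITM = der_tlv(0x30, _EC_ALG + der_tlv(0x03, b"\x00\x04" + b"\x22" * 64))


def build_test_cert(spki: bytes, serial: int = 1) -> bytes:
    """Assemble a structurally valid Certificate around `spki` (signature is filler)."""
    sha256_rsa = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    empty_name = der_tlv(0x30, b"")
    validity = der_tlv(0x30, der_tlv(0x17, b"150101000000Z") + der_tlv(0x17, b"250101000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial]))
                  + sha256_rsa + empty_name + validity + empty_name + spki)
    return der_tlv(0x30, tbs + sha256_rsa + der_tlv(0x03, b"\x00" + b"\x00" * 8))


if __name__ == "__main__":
    pins = {spki_pin(build_test_cert(SAMPLE_SPKI_SERVER))}
    print("re-issued cert, same key:", pin_matches(build_test_cert(SAMPLE_SPKI_SERVER, 9), pins))
    print("MITM cert, rogue CA-signed:", pin_matches(build_test_cert(SAMPLE_SPKI_MITM, 2), pins))
```

Pinning the SPKI rather than the whole certificate means a routine renewal with the same key keeps working, while a man-in-the-middle certificate minted under the attacker's installed CA fails even though the platform trust store would accept it.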
Credentials stolen in breaches and sundry hacks belonging to close to 100 unique U.S. government domains are scattered among a number of paste sites and are searchable in other locations online.
Analysts at Recorded Future said on Wednesday that through open source intelligence gathering and analysis, they found either clear text or hashed email-password combinations belonging to individuals at 47 agencies. The credentials were found mostly on 17 different paste sites, including Pastebin, and were posted there between November 2013 and November 2014.
All of the affected agencies were informed, Recorded Future said. The lengthy exposure of the credentials—most of which afforded access to non-classified networks—put government employees and agencies at risk for a number of attacks ranging from identity theft to social engineering, phishing, and espionage.
Recorded Future, which is partly funded by the CIA’s venture arm In-Q-Tel, singled out a Dirty Dozen list of agencies that allowed users access to online resources without requiring two-factor authentication. Nine Department of Energy domains and seven belonging to the Commerce Department, for example, were affected, making those by far the two most exposed agencies. Also on the list are: General Services Administration, USAID, State Department, Veterans Affairs, Agriculture, Housing and Urban Development, Transportation, Treasury, Health and Human Services, Interior and Homeland Security. None of the aforementioned agencies required a second factor of authentication, even for their most privileged users, according to a February report to Congress from the Office of Management and Budget.
Recorded Future said it found paired email-password combinations for all 12 agencies.
“The presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce,” Recorded Future said in its report, “Government Credentials on the Web.” “While some agencies employ VPNs, two-factor authentication, and other tokens to provide a safety net, many agencies lag behind as cited by the OMB report to Congress.”
While Recorded Future’s analysis took place prior to the recently disclosed Office of Personnel Management (OPM) hack during which millions of federal employees’ personal records, background checks and security clearance applications were accessed, a number of OPM credentials were also found in the clear on a number of paste sites.
Most of the paste sites removed the stolen credentials once they were informed, Recorded Future said, but added that removal by the paste sites did not itself notify the government agencies of the exposed passwords or hashes.
“While the information may be removed from a paste site, it likely still circulates in private circles and is available to the original attackers,” Recorded Future said. “Due to the lack of context with most publicly announced data exfiltration, it’s unclear when specific attacks occurred or if the original attacker had attempted to leverage any stolen information.”
Since most of the stolen credentials were pilfered in hacks or breaches of third-party sites rather than of the agencies themselves, the exposures highlight the problem of password reuse. Many of the government employees had used their government domain accounts to register for third-party services that were later attacked. Exacerbating the problem is that the passwords were not only reused over and over, but also lacked complexity, making them easy to recover with a lookup table or password cracker once the hashes leaked.
“If a third-party website’s username/password database is hacked and the employee used the same login credentials on that website as at work, those credentials could allow unauthorized access to the employer’s network,” the report said.
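The two weaknesses the report pairs, reuse across sites and hashes that fall to a lookup table, are easy to see side by side. The following added example (written for this page, not Recorded Future's tooling) builds a tiny precomputed table for unsalted MD5 and SHA-1, runs it over a constructed paste of leaked records from three third-party sites, flags accounts whose recovered password is identical across sources, and shows why a salted record misses the table but still falls to a per-record dictionary attack when the salt is known. The paste layout, the wordlist, the domain `agency.example` and every record in it are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed wordlist standing in for the multi-million-entry lists real crackers use.
WORDLIST = ["password", "Password1", "summer2014", "letmein", "welcome1", "changeme"]


def build_lookup(wordlist):
    """Precompute digest -> password for unsalted MD5 and SHA-1.
    One table serves every leak that used these formats; that is what salting breaks."""
    table = {}
    for word in wordlist:
        raw = word.encode()
        table[hashlib.md5(raw).hexdigest()] = word
        table[hashlib.sha1(raw).hexdigest()] = word
    return table


def parse_paste(text):
    """Lines are 'source:email:secret:format' (a constructed layout for this example)."""
    records = []
    for line in text.strip().splitlines():
        source, email, secret, fmt = line.split(":", 3)
        records.append({"source": source, "email": email, "secret": secret, "format": fmt})
    return records


def recover(record, table):
    """Clear text is taken as-is; unsalted digests hit the table; salted ones miss it."""
    fmt = record["format"]
    if fmt == "plain":
        return record["secret"]
    if fmt in ("md5", "sha1"):
        return table.get(record["secret"].lower())
    return None


def brute_force_salted(record, wordlist):
    """A salt defeats precomputation, not a dictionary attack: with the salt in
    hand, each candidate is hashed again per record. Only a slow KDF (bcrypt,
    scrypt, PBKDF2 with a high work factor) makes this expensive."""
    salt, digest = record["secret"].split("$", 1)
    for word in wordlist:
        if hashlib.sha256((salt + word).encode()).hexdigest() == digest:
            return word
    return None


def find_reuse(records, table):
    """Emails whose recovered password is identical across more than one source."""
    by_email = defaultdict(dict)
    for rec in records:
        password = recover(rec, table)
        if password:
            by_email[rec["email"]][rec["source"]] = password
    return {email: sources for email, sources in by_email.items()
            if len(sources) > 1 and len(set(sources.values())) == 1}


def make_sample_paste():
    """Constructed leak from three third-party sites; agency.example is the work domain."""
    salt = "a1b2"
    lines = [
        "forum-a:alice@agency.example:%s:md5" % hashlib.md5(b"Password1").hexdigest(),
        "shop-b:alice@agency.example:%s:sha1" % hashlib.sha1(b"Password1").hexdigest(),
        "forum-a:bob@agency.example:summer2014:plain",
        "forum-a:carol@agency.example:%s:md5" % hashlib.md5(b"Tr0ub4dor&3").hexdigest(),
        "site-c:dave@agency.example:%s$%s:sha256-salted"
        % (salt, hashlib.sha256((salt + "letmein").encode()).hexdigest()),
    ]
    return "\n".join(lines)


def analyse_paste(text):
    """Return ({(source, email): recovered_or_None}, {email: {source: password}})."""
    table = build_lookup(WORDLIST)
    records = parse_paste(text)
    recovered = {(r["source"], r["email"]): recover(r, table) for r in records}
    return recovered, find_reuse(records, table)


if __name__ == "__main__":
    recovered, reuse = analyse_paste(make_sample_paste())
    for (source, email), value in recovered.items():
        print("%-8s %-24s %s" % (source, email, value or "(not recovered)"))
    print("reused across sources:", reuse)
```

Alice's password falls from two different leaks with one table and is the reuse hit an attacker would try against her work login; Carol's does not appear in the wordlist; Dave's salted hash is immune to the table but not to `brute_force_salted`, which is the argument for a slow KDF rather than salt alone.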
Dennis Fisher and Mike Mimoso talk about the Cisco default SSH keys, more details of the OPM data breach, the Adobe 0-day and why we never hear about bad APT groups, only the really good ones.
Samsung PC owners could soon find themselves in an endless carousel of enabling Windows Update with each reboot of their machine after a computing enthusiast discovered that a Samsung feature disables Microsoft’s update mechanism by default.
Windows Update is a service that delivers, among other features, security updates and patches to Windows machines. On Samsung machines, however, it’s been usurped by a program called Disable_Windowsupdate.exe that is part of Samsung’s SW Update mechanism; the manufacturer uses its service to update pre-installed software and Samsung drivers, and is installed on Windows XP, Vista, 7, 8 and 8.1 machines.
The Disable executable is downloaded at each reboot—the file is signed by Samsung—and overrides any changes a user may institute, such as re-enabling Windows Update, said Patrick Barker, a self-proclaimed “22-year-old cashier with a love for Windows internals.” Barker posted a technical explanation of what he had found to his personal website, including a transcript of a chat with a Samsung support representative who explained the behavior.
“When you enable Windows updates, it will install the Default Drivers for all the hardware [on] laptop which may or may not work. For example if there is USB 3.0 on laptop, the ports may not work with the installation of updates. So to prevent this, SW Update tool will prevent the Windows updates,” Barker quoted the transcript.
SW Update, Barker said, leaves it to the user to manually choose whether to download and install updates, and to do so regularly. The likelihood of that happening is low, which makes it equally likely that many Samsung Windows machines are behind current patch levels.
“Windows Update remains a critical component of our security commitment to our customers. We do not recommend disabling or modifying Windows Update in any way as this could expose a customer to increased security risks. We are in contact with Samsung to address this issue.” said a Microsoft spokesperson in an email to Threatpost.
According to a number of comments on Barker’s post, several people have reported or are planning to report this behavior as malware to Microsoft.
Samsung said in a statement provided to Threatpost: “It is not true that we are blocking a Windows 8.1 operating system update on our computers. As part of our commitment to consumer satisfaction, we are providing our users with the option to choose if and when they want to update the Windows software on their products.
“We take product security very seriously and we encourage any Samsung customer with product questions or concerns to contact us directly at 1-800-SAMSUNG.”
The incident hearkens back to February’s disclosure of a vulnerability in the Superfish software installed by another computer manufacturer, Lenovo. Superfish is pre-installed adware that analyzes images from the web and serves advertising for products similar to the image. Superfish, however, also had an odd behavior in which it acted as a proxy of sorts, generating its own digital certificates for HTTPS connections under a root certificate it installed on the machine. Researcher Rob Graham explained how he was able to recover that root certificate’s private key, which is the same on all Lenovo laptops shipped with Superfish through January of this year. Users were put at risk of man-in-the-middle attacks because an attacker on the same network and in possession of the private key could impersonate any HTTPS site to those machines and read the supposedly encrypted traffic.