Hacking the Irony

By Rob Medley

AlphaBay founder Alexandre Cazes had a bad week. Business on his Dark Web version of eBay was making the Canadian lots of money, literally hand over fist. He didn’t need to worry about the police; his service operated via anonymizing methods such as Tor and I2P. Things were really looking up, until the man found himself in a dank Bangkok jail. It seems, in a veritable twist of irony, that Cazes had fallen victim to the same hacking techniques that millions of individuals and businesses face each day.

“You will never find a more wretched hive of scum and villainy. We must be cautious”

AlphaBay, like Mos Eisley Spaceport in the Star Wars saga, was a bazaar of digital dubiousness. Anything and everything could be found there, from drugs, to arms, to hacking tools with extensive instructions and even customer support. It was a thriving bastion of capitalism dedicated to the underworld. Unfortunately, the 1% were not getting their cut, so it had to be taken down. The beginning of the end happened simply enough. Police had acquired Cazes’ email address ‘Pimp_alex_91@hotmail.com’ way back in 2014 while monitoring the site. In a fait accompli, Cazes had somehow added his personal email to the new-user welcome message; a good thing for legitimate CEOs, showing that they care, but not so much for something that could land you in a Thai jail.

“Treachery has existed as long as there’s been warfare, and there’s always been a few people that you couldn’t trust.”

General James Mattis, the stalwart symbol of American military prowess, follows the eastern philosophy that teaches knowledge as the key to defeating an enemy. By the same token, any hacker worth his salt can break into a network with just a single piece of information, like an email address. Reconnaissance on that address can reveal social media and financial accounts, domain registration data, and the daisy-chain of contacts associated with the email. The exploitation that follows can be as easy as sending a malicious link in a phishing email that appears to come from one of the target’s friends, placing malicious code on a site the target is likely to visit, or planting a rootkit.

“Once you’ve lost your privacy, you realize you’ve lost an extremely valuable thing.”

Billy Graham, the champion of cable TV Christianity, has a net worth of $25 Million. Alexandre Cazes’ net worth, by contrast, was about the same, coming in at $23 Million. When police launched Operation ‘Bayonet’, they basically followed the trail from Cazes’ compromised email address to his PayPal account and a front company, EBX Technologies. Eventually, this led them to Cazes himself in Bangkok, Thailand. A raid on the swashbuckling entrepreneur’s house turned up the laptop Cazes used to run AlphaBay, which was unencrypted and logged into the AlphaBay site at the time of its seizure. The lesson here? Encrypt your hard drive and traffic. Also, have an extremely short inactivity lockout, especially if you are on the wrong side of the law.

“Have no fear of perfection – you’ll never reach it.”

Salvador Dali, mustachioed master of Surrealism, knew that perfection can never be achieved; the same is true in security. Navigating the digital world around us takes caution and a hefty amount of risk acceptance or mitigation. It was not some grand marvel of network subversion that took down AlphaBay, but human carelessness. It is an ironic cautionary tale that those on the wrong side of the light, legally speaking, are just as susceptible to hacking as we are in the bountiful lands of the mapped Internet. Basic awareness and caution should be globally embraced by anyone engaged in digital activities, because all it takes is an email address.

Growing Devil’s Ivy in the Internet of Things.

By Rob Medley

Linux is becoming a larger target for malicious actors these days. If you’re unfamiliar with Linux, it’s a different flavor of operating system, like Windows or MacOS. Don’t think you own anything that runs Linux? Think again. The odds are heavily in favor of you owning a gadget that is connected to the web, otherwise known as the Internet of Things (IoT). Gadgets, like Amazon’s Echo, security cameras, Internet-enabled dimmable lights, and so on, all comprise the IoT.
While the Echo and other high-end gadgets may be less vulnerable to attack, the bargain hunter in us drives the purchase of cheaper items, ones that may do the same thing as the Echo, from places like China. As manufacturers tend to care more about shipping product than about the security of the product itself, cheaper does not equal better. Dozens of manufacturers use the same Linux code or stripped-down operating systems to make their gadgets work well enough to get them to market. After-the-fact security support is often left to the user or to a poorly staffed customer service center.

Devil’s Ivy, the name of an exploitable software flaw discovered by the research company Senrio, lives in Simple Object Access Protocol (SOAP) code that lets a gadget communicate over the network. Companies that use the code in their products are part of the ONVIF consortium, a “forum that provides and promotes standardized interfaces for effective interoperability of IP-based physical security products,” per the ONVIF website. Who are the members? Canon, TP-Link, BAE, Cisco, D-Link, Honeywell, JVC, Mitsubishi, Panasonic, and Samsung are all prominent names on the list. As a caveat to prevent a lawsuit, I must add that these companies may provide excellent support and timely security patches; but your TV and security cameras are part of the IoT and, well, you know.

Senrio estimates that the number of vulnerable devices is in the tens of millions, based on statistics from SourceForge indicating that the SOAP development code has been downloaded just under 38,000 times in 2017 alone. Therefore, the odds of having a vulnerable device in your business or home are extremely good.

So, what can you do? Take an inventory of web-connected devices in your home or business (if you haven’t already), then look on each manufacturer’s support website to see whether an update is available. If an update doesn’t yet exist, you must weigh the risk of running the device on your network, and its impact on other computing resources should malware use it as a pivot point to attack other nodes behind your firewall. The safer option is either to put your IoT devices on their own subnet (for the technical types) or to stop using the device until a patch is made available. Now that your attention is on your network, it may also be a good time to enable (sigh) or change those router passwords, as well as update all your operating systems and programs.

Sources:

http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions

https://sourceforge.net/projects/gsoap2/files/stats/timeline?dates=2017-01-01+to+2017-07-12

A Simply Interesting (Pun Intended) Man-in-the-Middle Attack

I read about an interesting attack today. An Israeli study by Senia Kalma, Bar Magnezi, Hen Porcilan, and Nethanel Gelernter of the College of Management Academic Studies, Israel, and Cyberpion, a company Mr. Gelernter works for, suggests that a version of the man-in-the-middle attack exists that traditional countermeasures fail to detect.

The attack, called the Password Reset Man-in-the-Middle Attack (PRitM), takes advantage of our curiosity and love of anything ‘free’; or, at least, my love of anything free. This attack, from my perspective, is especially applicable to the cybersecurity profession, where tech companies are constantly offering white papers or other valuable material in exchange for a little bit of data about ourselves. Our curiosity over the latest trend leads us to register for a site in exchange for access to the goodies. Granted, most of us know that the site is collecting the data for marketing and other less nefarious purposes, but do we really think it’s a lapse in security to exchange our email address for a white paper? The answer is now a resounding “Yes”.

The PRitM attack is particularly beautiful in its simplicity; Malevich, Judd, and Pawson would be honored to have it attributed to them. Typically, a website, let’s say a security website run by a new tech company, offers a white paper that vows to teach us total security for our information systems. It could just as well be, say, a recipe for an awesome dessert that is only 10 calories. This is the bait, and our curiosity is the hook. We go to view the file, only to be confronted by a login or registration dialog. After the initial eye-roll, we reflexively type in our email address.

As soon as the email address hits the website, however, the attack begins. By entering our email, we’ve given the attacker (who has control of the website) the information she needs to begin a password reset on our email account. Once initiated, one of three things will happen:

1) The server will generate a CAPTCHA request to make sure a human is interacting with the service;

2) The server will send an SMS code; or

3) The server will begin the process of a reset via recovery questions.

The beauty in the attack is that all this information is passed on to us as we are registering to download / view that file. For example, if our email provider needs a CAPTCHA answer to initiate a reset, the attacker merely forwards the CAPTCHA to us while we are filling out the information form. The same applies to security questions and SMS two-factor authentication. Using a two- or three-step sign-up process lets the script the attacker writes pass the information between our email provider and ourselves efficiently, with minimal overhead.

Who’s affected? The researchers effectively ran their test cases against Google, Facebook, LinkedIn, PayPal, eBay, Baidu, Yahoo, Twitter, and a host of others; so, everybody. Websites that email links to reset passwords were not affected by the PRitM attack.

How do we protect ourselves against the PRitM attack? First, be sure we want to give out our email address, and if we do, use a throw-away address that is not linked to financial or other sensitive accounts. If an attack is in progress using SMS messages, be sure to closely read what the message says, as registering for a site won’t generate a message from our email provider.
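The relay described above, and the two defenses that follow from it (reset links that go only to the mailbox, and reading the SMS before typing anything), as an added toy model. This is an illustration written for this page, not code from the study or from any real provider: the email provider, the victim’s phone and mailbox, and the malicious sign-up page are in-memory objects with constructed names, and `run_scenario` reports whether the site operator ended up changing the victim’s password.

```python
"""
Toy model of the Password Reset Man-in-the-Middle (PRitM) flow.
Everything here is constructed for illustration: 'ExampleMail', the victim,
the 'FreeWhitepapers' sign-up page and all codes/messages are in-memory only.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Victim:
    email: str
    password: str = "original-password"              # constructed
    phone_inbox: list = field(default_factory=list)   # SMS messages the victim can read
    mail_inbox: list = field(default_factory=list)    # only the mailbox owner sees these
    cautious: bool = False                            # reads the SMS text before typing a code

    def answer_challenge(self, site_name):
        """Return the code the victim types into the sign-up form, or None."""
        if not self.phone_inbox:
            return None
        message = self.phone_inbox[-1]
        # The post's advice: registering on some other site never produces a
        # message from your email provider. A cautious victim notices that the
        # text names the provider, not the site, and refuses to relay the code.
        if self.cautious and site_name not in message["text"]:
            return None
        return message["code"]


class EmailProvider:
    """Minimal reset flow with two policies: 'sms_code' or 'emailed_link'."""

    NAME = "ExampleMail"  # constructed provider name

    def __init__(self, policy, users):
        self.policy = policy
        self.users = users          # email -> Victim
        self.pending = {}           # challenge id -> (email, secret)

    def start_reset(self, email):
        """Begin a reset. Returns a challenge id when the caller must supply a
        code; returns None when the provider only talks to the mailbox owner."""
        victim = self.users[email]
        secret = secrets.token_hex(3)
        challenge_id = secrets.token_hex(8)
        self.pending[challenge_id] = (email, secret)
        if self.policy == "sms_code":
            victim.phone_inbox.append({
                "text": f"{self.NAME}: your password reset code is {secret}",
                "code": secret,
            })
            return challenge_id
        # emailed_link: the token goes only to the mailbox, which the site
        # operator cannot read, so there is nothing to relay back.
        victim.mail_inbox.append(f"https://mail.example/reset?token={secret}")
        return None

    def complete_reset(self, challenge_id, code, new_password):
        email, secret = self.pending.pop(challenge_id, (None, None))
        if email is None or not secrets.compare_digest(code, secret):
            return False
        self.users[email].password = new_password
        return True


def run_scenario(policy, cautious):
    """Simulate one registration on a malicious site. Returns True when the
    site operator managed to change the victim's email password."""
    victim = Victim(email="victim@mail.example", cautious=cautious)
    provider = EmailProvider(policy, {victim.email: victim})
    site_name = "FreeWhitepapers"      # constructed sign-up site

    # Step 1: the victim types their email into the sign-up form.
    # Step 2: the site operator immediately starts a reset at the provider.
    challenge = provider.start_reset(victim.email)
    if challenge is None:
        return False                   # link went to the mailbox only
    # Step 3: the form asks for "the code we just texted you".
    typed = victim.answer_challenge(site_name)
    if typed is None:
        return False                   # victim read the SMS and refused
    # Step 4: the operator finishes the reset with the relayed code.
    return provider.complete_reset(challenge, typed, "attacker-chosen")


if __name__ == "__main__":
    for policy in ("sms_code", "emailed_link"):
        for cautious in (False, True):
            print(policy, "cautious" if cautious else "careless", run_scenario(policy, cautious))
```

The only difference between the two provider policies is who can see the secret: a code texted to the user can be typed into any form the user happens to be looking at, while a link mailed to the inbox never passes through the sign-up page at all, which is exactly why the link-based services in the study were unaffected.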

To read more about this interesting attack, a PDF of the study is available below, no sign-up required 😀

Click to access 207.pdf

2017 Cybersecurity Vulnerability Trends

Looking at the state of cybersecurity through news headlines, one would logically assume that ransomware is all security professionals must worry about in their day-to-day operations. The nemesis of the moment is Petya. Petya is a ransomware variant built on the chassis of a leaked National Security Agency exploit called EternalBlue. The ransomware looks for unpatched Windows machines of all flavors running SMB 1.0. SMB stands for Server Message Block; it’s an outmoded application-layer file-sharing protocol that has been superseded by Active Directory and later versions of SMB. Petya encrypts your Master Boot Record, so that you can’t do anything while it works to encrypt the rest of your files. The result? You can either pay $300 in Bitcoin to some shadowy Russian hacking group and maybe get a decryption key for your files, or turn off SMB 1.0. To turn off SMB 1.0, navigate to your Windows Features settings, uncheck the offending service, and reboot.

But ransomware isn’t the nightmare that should keep security professionals up at night. Indeed, a good backup policy mitigates any lapses in patch management. What should keep us up at night is our own state of being human. As humans, we are imperfect creatures. As much as we strive for greatness, there is always that one thing we might not have accomplished while juggling the many tasks of our daily rituals. Statistically, the vulnerabilities we see reflect the state of our profession.

Per the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), the greatest threat of 2017 isn’t ransomware, it’s buffer errors, followed by improper access controls, information leaks / disclosure, cross-site scripting, and permission, privilege and access control weaknesses.


Buffer overflows? Okay, I get it. The development world is complex, and errors are going to happen. One of the beauties of our human condition is that we can always find better ways to do things, or, on the malevolent side, ways to exploit things. Luckily, protections against buffer overflows are evolving, using safe libraries and stack and executable containment strategies.

Cross-site scripting (XSS) has been on the security radar for a while now, yet it has declined from its height of 14.3% of all vulnerabilities in 2009, to its current 9.2%. XSS is a legitimate attack vector, and its decline in prevalence shows that developers and admins have been waging an effective battle against the threat. The industry focus on web threats has led to some interesting countermeasures, including containerization (essentially running a browser in its own virtual machine), JavaScript sandboxing, and Content Security Policies (CSP); all leading to effective mitigation of the threat.
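The XSS countermeasure the paragraph above ends on, Content Security Policy, is easiest to see next to the output-escaping it complements. The following is an added example written for this page, not code from the post or any project: the same comment rendered the vulnerable way and the hardened way, plus a rough model of how a CSP-aware browser decides whether an inline script may run under a nonce-based `script-src`. `SAMPLE_COMMENT` is constructed input of the kind a comment form receives.

```python
"""
Vulnerable vs. hardened rendering of untrusted text, with a nonce-based CSP.
The sample comment and the page markup are constructed for illustration.
"""
import html
import secrets

# Constructed untrusted input: what an attacker might submit through a form.
SAMPLE_COMMENT = "<script>alert(document.cookie)</script>"


def render_vulnerable(comment):
    """Untrusted text is pasted straight into the page: classic XSS."""
    return f"<p>Latest comment: {comment}</p>"


def render_hardened(comment):
    """Escape the untrusted text and send a CSP with a fresh per-response nonce.
    Returns (body, headers, nonce) so a caller can check the pieces agree."""
    nonce = secrets.token_urlsafe(16)
    body = (
        f"<p>Latest comment: {html.escape(comment, quote=True)}</p>\n"
        f'<script nonce="{nonce}">console.log("page script");</script>'
    )
    headers = {
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'"
        )
    }
    return body, headers, nonce


def script_allowed_by_csp(tag_nonce, headers):
    """Rough model of a browser's decision for an inline <script>: it runs only
    if its nonce attribute matches a 'nonce-...' source in script-src, or if
    script-src allows 'unsafe-inline' and lists no nonce (a nonce or hash makes
    browsers ignore 'unsafe-inline'). A script injected through the comment
    carries no nonce, so it is blocked even if escaping had been forgotten."""
    policy = headers.get("Content-Security-Policy", "")
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            sources = parts[1:]
            has_nonce_source = any(s.startswith("'nonce-") for s in sources)
            if "'unsafe-inline'" in sources and not has_nonce_source:
                return True
            return bool(tag_nonce) and f"'nonce-{tag_nonce}'" in sources
    return False


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_COMMENT))
    body, headers, nonce = render_hardened(SAMPLE_COMMENT)
    print(body)
    print(headers["Content-Security-Policy"])
    print("page script allowed:", script_allowed_by_csp(nonce, headers))
    print("injected script allowed:", script_allowed_by_csp("", headers))
```

Escaping stops the injected markup from becoming a script element in the first place; the nonce-based policy is the second layer, so that a single missed escape somewhere else in the application does not hand the attacker script execution.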

What should give security folks pause is the rise in threats that stab at the very heart of our job description. Ensuring the confidentiality, integrity, and availability of information resources is what we do for a living. On a personal level, each of us should take offense that vulnerabilities exploiting access controls, permissions, and privileges even exist, let alone rank among the top threats to our networks. To be sure, buffer overflows can lead to escalation of privilege, but we must not assume that security faults in controls and privileges are solely the result of software weaknesses. NIST certainly doesn’t take this approach: it makes buffer overflows their own category, separate from access and privilege threats.

So, what do we do? First and foremost, we should let go of our ego. Don’t assume that every security detail has been taken care of. Get in the habit of double-checking yourself, make sure those privileges and controls are properly set, and most important, still relevant. If security needs are not being met, double-down on ensuring your settings are up to date. Use those checklists, validate your templates, and adopt habits that put security first.
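One way to turn the “validate your templates” habit above into a repeatable check, as an added example written for this page (not code from the post or any tool): a small audit that compares a permissions template (who is supposed to hold which role on which system) against a snapshot of what is actually granted, and reports the drift the paragraph warns about. Every user, system, role, date and the HR leavers list below is constructed; in practice the snapshot would be exported from the directory or the system’s own ACLs.

```python
"""
Privilege drift audit: template (intended grants) vs. actual grants.
All users, systems, roles, review dates and the departed-user list are constructed.
"""
from datetime import date

# The checklist/template: what is supposed to be true.
TEMPLATE = {
    ("payroll-db", "admin"): {"alice"},
    ("payroll-db", "read"): {"alice", "bob"},
    ("web-frontend", "deploy"): {"bob", "carol"},
}

# Constructed snapshot of actual grants, as an export from the directory might look.
ACTUAL = [
    {"system": "payroll-db", "role": "admin", "user": "alice", "reviewed": "2017-06-01"},
    {"system": "payroll-db", "role": "admin", "user": "dave", "reviewed": "2016-11-20"},   # not in template
    {"system": "payroll-db", "role": "read", "user": "bob", "reviewed": "2017-05-15"},
    {"system": "web-frontend", "role": "deploy", "user": "carol", "reviewed": "2016-01-10"},  # stale review
    {"system": "web-frontend", "role": "deploy", "user": "erin", "reviewed": "2017-07-01"},   # has left
]

# Constructed HR data: accounts that should already have been removed.
DEPARTED = {"erin"}


def audit(template, actual, departed, today, max_age_days=365):
    """Compare actual grants with the template. Returns a list of
    (severity, finding) tuples sorted by severity, then text."""
    findings = []
    seen = set()
    for grant in actual:
        key = (grant["system"], grant["role"])
        user = grant["user"]
        seen.add((key, user))
        where = f"{user} has {grant['role']} on {grant['system']}"
        # Departed users holding anything is the most urgent finding.
        if user in departed:
            findings.append(("high", f"departed user still granted: {where}"))
        # A grant nobody wrote into the template is unexplained privilege.
        elif user not in template.get(key, set()):
            findings.append(("high", f"grant not in template: {where}"))
        # "Still relevant?" Grants nobody has looked at in a year get flagged.
        age = (today - date.fromisoformat(grant["reviewed"])).days
        if age > max_age_days:
            findings.append(("medium", f"last reviewed {age} days ago: {where}"))
    # Template entries with no matching grant: either the template is stale or
    # someone lost access they need. Lower severity, but still worth a look.
    for key, users in template.items():
        granted = {u for (k, u) in seen if k == key}
        for user in sorted(users - granted):
            findings.append(("low", f"template expects {user} to have {key[1]} on {key[0]}, not granted"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


def run_sample():
    """Run the audit over the constructed data as of a fixed (constructed) date."""
    return audit(TEMPLATE, ACTUAL, DEPARTED, today=date(2017, 7, 12))


if __name__ == "__main__":
    for severity, finding in run_sample():
        print(f"[{severity:6}] {finding}")
```

The review-age rule is what makes the check answer “still relevant?” rather than only “correctly set?”: a grant can match the template perfectly and still be one nobody has justified in a long time.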

Let’s make it a community goal to not see security essentials on the NVD vulnerability trends for 2018.

This Isn’t Your Daddy’s Malware

How do you feel about paying up to $50 a year to an antivirus vendor to protect your computer, network, and other IT assets in your home? Do you grumble that it’s a necessary bill? Or do you think it’s the best thing since sliced bread? Turns out, your antivirus is likely akin to one of those old guards you see in the movies: physically there, but sound asleep when the intruders come for the bonds in the Nakatomi vault.

A couple of years back, executives at Symantec declared the end of the age of the antivirus[i]. The security industry laughed and said, “You think?” But the average home user has been unaware of the advances in malware construction that led to the death of this noble service, and is left to put blind trust in products that do little more than act as a doorman to the threats from outside.

One of the biggest advances in malware manufacturing was the creation of the ‘crypting’ cottage industry. What is crypting? It’s a service provided to malware producers on the back channels of the Internet, wherein the creator of the malware sends his code to a third party. The third party takes the code and runs it against all the established antivirus manufacturers’ products. If a particular product detects the code as malicious, the third party applies encryption to render the code undetectable to that product. It’s much like the antithesis of virus submission to antivirus vendors. The process is called FUD, or ‘fully undetectable’, and also goes under the acronym CAV, or ‘counter-antivirus’[ii].

Have no doubt that these crypting services are big business, with enterprise setups on the deep, dark web that rival some legitimate corporations. With the appropriate encryption in place, the malware can have features built into its design such as sandboxing, virtual machine checks, and the creation of auto-run executables, among other things[iii].

Truly, the age of cyber-crime as a service has arrived.  Malware writers these days can even legitimize their malware, e.g. have it digitally signed, through the creation of forged certificates from seemingly legitimate sources.  The additions of these forged certificates allow the malware to operate within the affected network environment for longer periods of time prior to detection[iv].

So, now that the boogeyman is out of the closet, so to speak: do you, as a consumer, need to pay for an antivirus solution? The answer is ‘no’[v]. It’s nice to look at the toolbar and see that icon, but honestly, if a hacker is going to target your system, they are going to use something new, or turn a detectable threat into a FUD threat. You can stop wasting your money and just use the free alternatives provided with your Windows platform; free services can be had for other platforms as well.

The better way to protect your network rests not with your antivirus, but within you. Your parents always warned you not to take candy from strangers, and that still applies today. Don’t open suspicious or ‘too good to be true’ emails; watch where you dangle your line in the dark waters of the Internet; check certificates; and keep a healthy suspicion of activity on your system. Learn to spot out-of-the-ordinary occurrences: network slowdowns, resource hogging, odd command windows popping up on your screen, and quirky processes in your task manager. All of these habits lead to a decreased attack surface on your system or home network. You’ll also have a few extra bucks in your pocket.

Rob Medley – 6.3.16

[i] Krebs, B. (2014, May 14). Antivirus is Dead: Long Live Antivirus! Retrieved June 03, 2016, from http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/

[ii] Digital Shadows. (2015, December 18). Retrieved June 03, 2016, from https://www.digitalshadows.com/blog-and-research/criminal-services-crypting/

[iii] Kharouni, L. (2015, October 12). Ties Between Corebot and Darknet Crypt Service. Retrieved June 03, 2016, from https://www.damballa.com/corebot-and-darknet/

[iv] Kharouni, L. (2015, September 21). The Darknet is Thriving & Diversifying with Cybercrime-as-a-Service. Retrieved June 03, 2016, from https://www.damballa.com/the-darknet-is-thriving/

[v] McMillan, R. (2012, March 2). Is Antivirus Software a Waste of Money? Retrieved June 03, 2016, from http://www.wired.com/2012/03/antivirus/