CounterMeasures - A Security Blog � vulnerability

Don’t take shortcuts

Rik Ferguson — Tue, 20 Jul 2010 08:40:58 +0000

picture from bradleygee's Flickr photostream under Creative Commons.

On the 16th of July Microsoft released Security Advisory 2286198 confirming an as yet unpatched vulnerability in Windows Shell that exposes all users of all current versions of Microsoft Windows to very real risk of attack and infection.

According to Microsoft “The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed.” So what does that mean in plain language?

It means that if any user of Microsoft Windows opens a folder containing a shortcut which has been designed to exploit this vulnerability, they will be infected. No opening of files required, simple browsing is enough.

Although Microsoft have stated that “This vulnerability is most likely to be exploited through removable drives” users should be on their guard against all shortcut files whose authenticity they cannot guarantee. This same vulnerability could be exploited though contaminated file shares or something as simple as a malicious compressed archive such as a zip file.

Worryingly, the malware that was first exploiting this vulnerability appeared to be highly targeted, looking for Siemens WinCC SCADA systems, SCADA systems are routinely used in the control of utilities such as power and water and also in large-scale manufacturing. Siemens were warning their customers of this as early as July 14th.

The source code for this malware is now in open distribution, (and incorporated into the Metasploit framework) and we can expect to see widespread criminal adoption of this technique from this point.

For now the best defence against attacks is contained within the Microsoft Security Advisory; disable the displaying of icons for shortcuts and disable the WebClient service.

Further details on Trend Micro’s detection of the malware involved are available on the TrendLabs blog. Please be aware this is a breaking situation and further malware will take advantage of this same vulnerability.

iProtect, iEncrypt… iLeak

Rik Ferguson — Wed, 02 Jun 2010 16:03:18 +0000

or, Careful With Those Naked Snaps!

I was very interested by a blog post by Bernd Marienfeldt that I read today, which appears to illustrate a serious security weakness in Apple’s iPhone data encryption implementation.

A flaw that allows an unauthorised backup to be made? Shurely shome mishtake...

The iPhone 3GS offers Full Disk Encryption using 256 bit AES encoding which should (theoretically) keep your sensitive data safe from prying eyes. It has been public for almost a year that this encryption does not stand up to even the most basic hacking or forensics tools. This latest flaw however will seemingly expose your data to anyone capable of simply booting the device; even if you have set a security PIN.

Bernd Marienfeldt has discovered that by booting a PIN protected iPhone, while it is connected to the USB port of an Ubuntu system, he could access

“music, photos, videos, podcasts, voice recordings, Google safe browsing database, game contents… by in my opinion the quickest compromising read/write access discovered so far, without leaving any track record by the attacker.”

This access was through the Ubuntu interface and did not require any PIN at all, furthermore the access was not simply read-only, but read/write.

Even on a standard Windows Vista, it's PIN not required

Further testing by heise Security has shown that it is also possible to trick an iPhone into pairing with a PC running iTunes in the same way. This is a phenomenon that I have been able to reproduce, again using a PIN protected, hardware encrypted iPhone.

This related vulnerability is even more worrying than the first. If an attacker manages to pair an iPhone with an unauthorised PC they can make a full back up the phone which would include notes, messages and even plain text passwords.

Testing indicates that this unauthorised pairing and folder access only occurs when the phone has been shut down in an unlocked state, which does serve to mitigate the risk somewhat.

However when a supposed hardware implementation of full disk encryption surrenders any data *at all* in the absence of credentials, something, somewhere is very broken.

Mr. Marienfeldt reports that Apple have acknowledged the flaw but not yet made any indications of a fix schedule.

You just can’t trust a drunk

Rik Ferguson — Sat, 08 May 2010 22:01:36 +0000

I was very interested to read an article on The Register yesterday and then try to wrap my brain around the associated research paper from matuosec.com.

Image from dr1066's Flickr photostream (Creative Commons License)

The research paper details a method by which the researchers claim to be able to bypass every anti-malware product they tested against and the list of the 34 products they tested is impressive; covering every major vendor.

The method as described in the research paper involves something called an “argument switch” attack which they have dubbed KHOBE, an acronym for Kernel Hook Bypassing Engine. The paper details how; because of the way that security software hooks into the Windows operating system, an anti-malware program can be asked to check “innocent” code before being fooled into passing malicious code off for execution; this is the so-called “argument switch”. The attack relies on this switch happening at exactly the right time, after the “innocent” code has been checked and before the responsibility is handed to the Operating System, this is what is known as a race condition.

The research is certainly interesting and I’m sure will be very widely referenced in the anti-malware industry as they re-engineer to overcome the issue. However for me, it sheds more light on a wider and maybe more concerning issue. Simply that in standard endpoint security architecture, protection engines run in the same context as the malware they try to protect against.

If the title and content of the matsuosec.com research article “Earthquake for Windows desktop security software” have you worried, then it is worth noting that this problem of context is not something that Trend Micro have been ignoring. In fact we have been developing different technologies to overcome just such an issue.

One important outcome of this is manifested in work that Trend Micro have been doing with VMware which will allow us to offer agentless anti-malware to virtual machines; protection which operates in an entirely different context to the malware itself and which could not be subverted by an attack such as the one described by matsuosec.com. Another manifestation of a response to this same issue, this time in the non-virtualised world, is Threat Management Services in which all detection operates out-of-band and pattern-free cleanup happens at the endpoint.

So while matsuosec.com’s research is absolutely important and significant in the short term (if you’re still using Windows XP); longer term solutions need to build on increasing the possibility of moving effective protection off-box. After all, the drunk guy is always going to tell you he’s OK.

GORDON’S ALIVE?! Tory online campaign fail.

Rik Ferguson — Mon, 22 Mar 2010 17:11:05 +0000

The Conservative party this weekend unveiled a social media marketing campaign aimed at embarassing the Labour Party. The plan has backfired quite spectacularly…

The “Cash Gordon” web site was highly dynamic and tied in with many popular social networking sites and tools. It capitalised on user generated content and relied on organic sharing and interaction. In a blog post on the Conservative home page Samuel Coates said

“Once users have connected to the Cash-Gordon campaign, they can start accruing “action points” for reading briefings about the issue, getting their friends involved, donating, or even for directly asking Charlie Whelan a question.”

However today it’s the Conservatives that have been left with red faces, after a web site configuration error (or maybe just a lack of planning) saw the site abused to the point of being taken offline.

The Cash Gordon website was set up to collect any message posted on Twitter that contained the hashtag #cashgordon and republish it in a live stream in a widget on the home page of Cash Gordon.

Obviously this was duly noted and passed around. It was soon discovered that if you tweeted HTML or JavaScript instead of standard messages, this content would be interpreted and rendered by the visitor’s browser as legitimate part of the Cash Gordon site, allowing pranksters to redirect visitors to any site of the miscreant’s choosing.

The screen shot below shows the steady stream of tweets that ensured that visitors to the web site were constantly redirected to many different, sometimes salacious, destinations.

Tweets containing JavaScript and #cashgordon hashtag

This isn’t all fun and games though, configuration oversights can lead to serious harm. This latest in a line of social media marketing related fails is a salutary warning not to underestimate the technical know-how of the world wide audience you are inviting.

In reality this poor configuration could have posed a serious risk to the Tory party’s own supporters as well as any other curious visitor. Those responsible for the page should have been filtering incoming Tweets or simply sanitising the code before it was reposted. This could just as easily been used as a means to infect visitors by redirecting them to malicious web sites.

YES the partner friendly exploit system.

Rik Ferguson — Thu, 11 Mar 2010 16:01:31 +0000

The Russian crimeware “YES Exploit System” is a fully manageable system that generates malicious code for injecting into compromised pages or malicious web sites. This code is designed to redirect victims to files on your own hosted exploit server allowing you to push out malicious files invisibly and instantly, and it just got a major version update.

The advertisement for the latest version boasts:

“Hacked all Windows version 9x to 7 32 bit and 64 bit
Hacked all browsers running a vulnerable plug-in”

Using the built in TDS (Traffic Direction System) criminals can specify which malware they want to push out by country, by browser and by OS. It is clearly designed to support the inter-related vendor infrastructure of the criminal economy. YES Exploit System is a fully fledged platform for delivering malware on behalf of other criminal enterprises, perhaps to seed a new ZeuS campaign or maybe to push out some scareware. As previous blog posts have shown YES is often bundled into full service underground ZeuS offerings. As you can see from the screen shot below, projects can be divided on a per-customer basis.

click to enlarge

One feature that really stood out for me in this new version, in light of other recent blog postings, was the addition of a module that automates testing against AV vendors to ensure the malware remains undetected. This is in addition to URL checking functionality already released in earlier versions of YES.

In another illustration of cloud adoption in online crime, the module is priced on a subscription basis at $70USD per month (including support of course) and tests malicious files against 26 of the biggest security companies out there. All processing is offloaded so as not to overburden your own server.

click to enlarge

As is so often the case, the first step in this chain of compromise is a malicious script inserted into an otherwise innocent website, my previous blog gives you a few tips on securing your browser against these types of attack.

Google, China, Chicken Little and Cyber Armageddon.

Rik Ferguson — Tue, 19 Jan 2010 14:00:10 +0000

Foxy Loxy by Gustaf Tenggren

In the wake of the highly publicised “highly sophisticated and targeted” attacks on Google, at least three major governments have issued advisories urging their citizens to switch browsers away from Microsoft Internet Explorer. A well-known security company has redesigned their web sites to include a large ominous “Operation Aurora” graphic (that links to trial downloads of pre-existing software). The attacks have been described as “changing the world” by the CTO of that same security company and as “something quite different” by Google.

How much of this is real, justified and proportionate?

So what do we know so far? Well according to Google “In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google“. They go on to say “As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted. We are currently in the process of notifying those companies“.

Subsequent external conjecture, comment and analysis has blamed unpatched vulnerabilities in Internet Explorer and also in Acrobat Reader, the malware involved has been identified both as variants of the Hydraq Trojan and also as new malware, dubbed by McAfee as Roarur.dr and as TROJ_PIDIEF.SHK. The attack vectors have been identified as mail with malicious PDF attachments and drive-by downloads.

Google, who were hit by the zero-day vulnerability in Internet Explorer, state that at least 20 other companies were victimised, and iDefense who have customers who were hit by the zero-day vulnerability in Acrobat Reader state that 33 companies were affected.

The motivation for the attack has been described both as an attempt to steal intellectual property and also as an attempt to breach the security of email accounts belonging to Chinese human rights activists. The attacks “appear to have been launched from at least six Internet addresses located in Taiwan” according to James Mulvenon, director of the Center for Intelligence Research and Analysis at Defense Group Inc

“Changing the world”? I say not.

The attacks are not the first to use zero-day vulnerabilities, in fact we have most often seen zero-day exploits being first used in targeted attacks before becoming more widely spread and widely abused.

The attacks are not the first to use drive-by download or malicious PDF attachments to achieve their goal.

The attacks are not the most complex multi-component system yet seen, you want complex, look at Koobface!

This is not the first time that warnings have been given to use alternative browsers until a patch becomes available.

This is not the first time that the finger has been pointed at China for a widespread globally distributed espionage attack.

There is no doubt that this attack, or these attacks are methodologically sophisticated. The bad guys were visibly successful at delivering their malicious payloads to the right people in the right companies to get access to things like source code and email accounts, but I don’t see anything here that changes the world.

Social engineering, lack of awareness of the threat landscape, a willingness to share too much information, the highly developed underground economy will all have contributed to the possibility and the success of these attacks.

What can companies and individuals do to try to avoid falling victim to these kinds of attack?

Educate yourselves and your users, clicking a link is enough, opening a PDF is enough to infect you, even on a fully patched system.

That being said make sure all applications and systems are fully patched, if that is not possible, use host-based intrusion prevention to “virtually patch” systems and to secure against zero-day exploits.

When an unpatched vulnerability is identified be sure to follow vendor advice to minimise the risk as soon as possible.

Encrypt valuable personal and intellectual property at file level, that way, even if it is stolen it is of limited value or use.

Consider the deployment of data leakage prevention technologies that will recognise and stop sensitive content from leaving your network.

Rethink your security model from an outside in approach, to an inside out one. Secure data, secure access rights, secure applications. Your perimeter only exists on a network diagram.

At the risk of repeating myself, educate your users not to share too much personal information regarding employers, job roles, contact details. Currently far too many targets are far too visible.

Don’t let Chicken Little run your security.

Pakistani National Response Center for Cyber Crimes… Hacked!

Rik Ferguson — Fri, 08 Jan 2010 11:45:13 +0000

It seems to be the season for defacements and hacktivity. The week began with the Cross Site Scripting attack on the Spanish EU website and the defacement hack of Iranian President Ahmadinejad’s Official site and it closes with a high profile hack of the Pakistani National Response Center for Cyber Crimes, part of the Federal Investigation Authority.

The web site was compromised and defaced as below

Click for larger image

Unfortunately for the Pakistani FIA though this attack appears to go beyond a simple defacement. The hacker “zombie_ksa” also states on the defaced page

“your whole database and e-mails are leaked …. i was really excited to read, see what the f__k is private in here lOl“

At first glance this could well seem like idle l33t H4x0r bragging so I did a bit of digging to see if the boast could be substantiated. In a forum posting, zombie_ksa said

“I was Browsing! today Propakistani.pk So i saw post about” how to register complaint with fia cyber crime”! so i feel to check there Security, and i started Penetration Test On there Webserver, unfortunately I GOT access!! And they got Pwned!! !! thats Sounds crazy ! I got whole database! and e-mail Backup! everything!”

The hacker then posted two screen shots, one of the hacked site and second one, below demonstrating his access to their email database (I have sanitised the email addresses here)

Screen shot posted by the hacker

So it seems that from an amateur penetration test a hacker has access at least to the full email database and possibly the backups, of a National Response Center for Cyber Crimes in a highly politically sensitive country. The forum post was made at 4 in the afternoon yesterday and the hack is still live at the time of writing. To say this hack has national security implications would not be overstating the matter.

Any organisation holding material this sensitive should, as a priority, make sure all Internet facing servers are hardened and fully patched, the servers should also be regularly audited, preferably daily to look for evidence of new vulnerabilities as they arise. Web application firewalls should be used to look for evidence of and block anomalous or malicious behaviour.

But perhaps most importantly emails dealing with matters this sensitive should not be connected with, or stored on your public web server and they should always be stored in a secure encrypted format.

Mr Bean comes out of retirement, takes over Spain

Rik Ferguson — Tue, 05 Jan 2010 10:01:34 +0000

As reported by Reuters and the BBC, the official website set up by the Spanish government to mark it’s six-month presidency of the EU was briefly compromised yesterday afternoon.

Image Courtesy of El Mundo

Mischievous hackers reportedly took advantage of Cross-Site Scripting (XSS) vulnerabilities on www.eu2010.es and replaced an image of Spanish Prime Minister Jose Luis Rodriguez Zapatero with the smiling face of Rowan Atkinson in his Mr. Bean guise, complete with friendly greeting “Hi there!” Perhaps the hackers were hoping the attack would go unnoticed, as apparently there is a physical resemblance between Mr. Zapatero and Mr. Bean (of course I couldn’t possibly comment). The compromise only lasted a few hours until the original content was restored, by 4pm GMT yesterday afternoon, the site administrators were reportedly working on a fix.

In this instance there does not appear to have been any malicious intent, but the dangers of XSS vulnerabilities should not be underestimated. Cross Site Scripting vulnerabilities allow attackers to inject code into innocent web pages in which it would not otherwise appear. This can be used to steal information such as logins or banking credentials, redirect users to malicious web sites or even to directly infect visitors to the site. The real problem is that many web site admins are unaware of the dangers, and even some security companies continue to underestimate and downplay the importance of XSS vulnerabilities and attacks.

On an interesting side note, El Mundo also reported recently that more then 12 million Euros had been spent on “technical assistance and security for the website of the Spanish Presidency [of the EU]“. Again, I couldn’t possibly comment, but SecureSite and Web Application Security are both an awful lot cheaper than that…

Twitter (not) hacked by Iranian Cyber Army

Rik Ferguson — Fri, 18 Dec 2009 09:03:37 +0000

UPDATE: I was asked to talk to Channel 4 news in the UK about this incident this evening and they have been good enough to share the full content of my interview and a subsequent interview on the same subject with Tim Stevens from King’s College London.

_________________________________________________________________________________________

Original post:

Banner from hacked site

At about 6am GMT Twitter fell victim to a DNS hijacking attack by a group calling itself the “Iranian Cyber Army” (I wonder if they noticed the CIA irony)? The site was affected for the best part of an hour.

Full hacked page

The initial attack has left many users confused and widespread belief that the Twitter servers themselves were compromised. This does not appear to have been the case. The latest update on the Twitter blog says

“As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.”

This kind of DNS hijacking usually involves compromising the registrar responsible for the DNS records of the victim company, the attackers then make unauthorised changes to the DNS records. These changes mean that when you or I type a web site address into our browsers, we are directed not to the real web site but to a second site, set up by the hackers, in this case the “Iranian Cyber Army”. This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case.

These sorts of attacks are usually limited to hacktivism activities like this one today, but imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN, Facebook. One has to wonder how quickly the attack would be noted if the dummy site was an exact replica of the victim and was simply there to harvest credentials and redirect the user then into the real site. This attack is called Pharming and currently mostly happens as a result of local malware modifying individual PCs, not through the compromise of global DNS records, but the potential is demonstrably there. Companies should be monitoring their DNS resolution on several servers to become aware as early as possible when this kind of attack takes place.

Twitter was not the only web site affected by thsi compromise, a quick search revealed one other site displaying the same content.

Google search result

When it comes to attacking high profile targets it can often be that the registrar is the chink in the security armour. In fact Zone-H, the defacement archive, has previously noted that registrars have been “one of the main aims of the past months“.

If attacks like this can be said to serve any purpose at all, then perhaps they can serve as a reminder that we all need to absolutely ensure that our business partners meet our own high security standards, and that stands in both the on and offline worlds.

A whole new meaning to Phishing.

Rik Ferguson — Mon, 07 Dec 2009 10:58:10 +0000

UPDATE: At the suggestion of Dan Raywood from SC Magazine I am now offering up a prize to the first person to mail me all the fish I have (kind of) hidden in the blog entry. You can win my splendid USB fridge to keep your prize catch cool.

UPDATE 2: This competition has now closed and the prize been claimed. The lucky recipient of a Trend Micro USB fridge is The Harmony Guy, congratulations and may you have many happy hours together, and many thanks to all who played.

________________________________________________________________________________________

Good Cod! Sometimes it feels as though I am endlessly carping on about web site security and the value of personal information and while I realise that this is no plaice for levity, this most recent hake is noteworthy enough to cover. Most recent victims of the cybercriminal in their pursuit of gold, fishkeepers are not immune.

The web site Practical Fishkeeping has been compromised and the details of their forum users have been put at risk. Practical Fishkeeping is no sprat, boasting almost 24,000 registered users. The site is currently offline as the damage is repaired.

Practical Fishkeeping have not left their members floundering, an email from Matt Clarke, Editor-in-Chief of the Practical Fishkeeping magazine was sent to all forum members on Friday evening. It is not immediately clear how the hack came to light, but the mail noted

“We have been made aware that hackers have breached our website security. This is a criminal offence, and information on our register about our readers (usernames, passwords, email addresses, postal addresses and in some cases telephone numbers) may have been viewed or taken.“

The mail goes on to say “If you used your password for practicalfishkeeping.co.uk for other websites, you should change those passwords.”

It may be easy from my perch to criticise. but if passwords truly were visible to attackers, then the web site was not applying even the most bassic secure design principles such as storing passwords in an encrypted format (along with other personally identifiable information). This would ensure they are not made available to any john dory.

In all seriousness, this attack is highly reminiscent of the recent hack of the Richard Dawkins forum and is very much a trend I expect to see increasing over the coming months and years. Gaining access to the database of a popular website offers potential high returns for relatively little effort. If this phenomenon is in need of a new name, I offer up the term Phlatphishing.

There are several ways that your details can be exposed when they are stored by third parties; misconfiguration, poor coding or unpatched systems for example. This will only increase in importance as cloud services are more widely adopted. Remember, when you are registering for a community such as an online forum, you are under no obligation to give either complete or accurate personal information.

Only give whatever information is essential for the use of the service you are registering.

If the service requires more details than you are willing to share, you don’t necessarily have to be truthful, there’s always room for a red herring.

Consider using disposable email addresses for online services, that way if there is a compromise you can simply delete the address.

If you are concerned that you may have been affected by this attack and have not yet received a notification from Practical Fishkeeping, you could try contacting the publishing house Bauer Media in the first instance.

You may have noted I am not one to let the chance for a good pun goby, and if any of these have been crappie, I offer my sincere apologies.