Tag Archives: vulnerability

TV5 Monde, Russia and the CyberCaliphate

Image credit Steven Depolo used under Creative Commons

Image credit Steven Depolo used under Creative Commons

Yesterday evening French magazine L’Express published a report linking an attack against TV5 Monde very firmly to the Russian state. The attack, which knocked 11 of its global channels off air for a period of time and resulted in a compromised website and Facebook page, took place back in April.

At the time when the attack took place, a group calling itself CyberCaliphate immediately took responsibility for the hack and went on to publish details purportedly of serving French military personnel involved in the struggle against Islamic State or ISIS. The attribution at the time seems simple and immediate; Islamic Extremist motivated hacktivism.

L’Express approached Trend Micro with certain indicators of compromise which had been shared with 43 media organisations by the Agence nationale de la sécurité des systèmes d’information (ANSSI) in France, with a view to uncovering more about the attacker or the motivations behind the attack. These indicators very definitely evidence an infestation of Sednit (also known as Sofacy) malware, associated with the ongoing targeted attack campaigns by the Pawn Storm operators (also referred to as APT28). What they did not do was to definitively link the stolen information or compromised accounts from the April attack to this Pawn Storm compromise. Neither is it possible to state with certainty that the two are *not* related.

Attribution in online crime is complex, more so when there may be nation-state involvement. Trend Micro’s assessment of the current possibilities, with reference to the facts as they stand today leaves us with three possibilities.

1 – We could be looking at two entirely unrelated incidents, a Pawn Storm infestation and a separate hactivist compromise
2 – Perhaps the Pawn Storm group gave attack relevant data to a third party, directly or indirectly to islamic hactivists. While possible, this would seem highly unlikely as we have seen Pawn Storm actively targeting Chechen separatists and Islamic extremists in former Yugoslavia
3 – Finally, the Pawn Storm group carried out a highly visible website, Facebook and TV network compromise (which would be extremely out of character) and used it as a false flag operation to lay the blame at the door of islamic extremists.

While the false flag option is not entirely out of the question, it is at least somewhat out of character of previous operations of the Pawn Storm campaign. My spider senses right now are tingling on option one. TV5 Monde, as a media operation is a target entirely within the remit of the regular Pawn Storm operations and an infestation of Sednit malware there should perhaps not be a surprise at all. The fact that during the time of this Sednit compromise, they were also targeted by Islamic extremist hacktivists, given the contemporary news and political environment in France is perhaps also not surprising.

Attribution online is always complex, sometimes though things can be entirely as they seem.

Where’s Wally? Tracking the president with GPS

Is the security of wearable technology really a big deal? Is the security of IoT devices really such a big deal? I mean, my fridge, my light bulb, my other cliché, what use are they to an attacker? Who really cares where I am, how fast my heart is beating or what my typical pace is over any given distance?

Maybe this photo of the President of the United States sporting his shiny new fitbit Surge gives you all the answer you need. The POTUS, wearing a fitbit, with GPS, being tracked 24/7, by a third party… See where I’m going?

The Internet of Things (IoT) and even more broadly, the Internet of Everything (IoE) are still nascent areas of technology where individual physical devices with embedded electronics, software and sensors are internet connected in order to provide greater value by exchanging data without the need for direct human intervention. This rapidly expanding arc of the information technology rainbow has attracted much attention recently from security researchers; with presentations at the high profile security events, breaking the security of home security systems, cars and many others.

Whilst this research is important in practical terms, hopefully driving some manufacturers to resolve the issues identified, it is also somewhat misdirected.

IoT devices themselves are almost invariably sold as a “black box” solution,; little to no user interface and no options for aftermarket security or tweaking. They are most often low memory, low storage, low processor-power devices designed primarily to harvest data and forward it on for the actual processing. And there’s the rub. The data is sent off-device, to the cloud, where it can be processed, mined, correlated and cross-referenced. Where it can be BIG data.

It is a simple matter for a security researcher to acquire a piece of interesting technology and begin to dissect it for vulnerabilities. Of course it takes skill to do so, but there are no significant barriers aside from that. You buy the kit and you break it.

It is a far more complex minefield to navigate if you set out to test the security of the back-end to those devices. In fact, more often than not it is illegal. To probe the security of someone else’s data centre without their permission, to break in and see what treasure is there for the taking, that ventures outside the realms of research and into the criminal, so the good guys don’t do it.

The bad guys, of course, don’t have to play by those rules, targeted attacks are their stock in trade, and data centres are fast becoming targets of choice. If the President of the USA is wearing technology x, then technology x’s back-end suddenly presents a juicy looking target for criminal or state-sponsored attack and they won’t be discerning about who else’s data they make available either.

Data in general is gold dust to attackers, the more of it one can accumulate, the more tailored, credible and successful one’s attacks can become. All too often devices destined to be connected and used online are designed and produced either by traditional organisations who have typically not had to pay attention to digital security during the manufacture and design process or by entrepreneurs who are too interested in getting their first product to market to be slowed down by some nagging security concern.

It is becoming a significant challenge to regulatory bodies and to governments to ensure that safety standards, which have previously focused on the physical risks of a product and its components, accurately and clearly identify digital risks and outline the minimum safety criteria.  Perhaps in the near future we can hope for a kind of digital kite-mark, offering at least some assurance that physical goods and their supporting infrastructure have been designed and built to a defined standard of digital security, that security was baked -in, not glossed over and that none of the small parts may cause choking. The need for this becomes ever more urgent as pretty much every £100+ good becomes connected in some way, in fact Gartner estimated in 2013 that by the year 2020 (have you watched our award-winning web series yet?) there will be more than 30 billion “connected devices”.

Superfish (and chips) or Super Phish?

 

Image credit: seekeraftertruth[.]com

UPDATE: The private key and associated password which enable 3rd party (i.e. attacker) MITM attacks have successfully been extracted. This means that an attacker on the same network as a compromised machine will be able to intercept any supposedly SSL encrypted traffic.

UPDATE 2: Trend Micro detects the associated files as ADW_LOADSHOP and ADW_SUPERFISH. Compromised machines where a detection is made will still need to manually remove the Superfish certificate as detailed at the end of this post.

UPDATE 3: Lenovo have now posted their own advisory on the “Superfish vulnerability” containing details of which models are affected and removal instructions for both the application and the associated certificate.

UPDATE 4: Lenovo have made support tools available to remove both the Superfish application and the certificate

___________________________________________________________________________________________________

When the bad-guys get into the production line it’s really bad news, and rightly so. We’ve already seen stories about the e-cig charger that ships with malware preinstalled, the digital photo frame and many others. But what about when the manufacturers themselves start acting like bad-guys, whether out of malice or ignorance?

User reports are now emerging online that PC manufacturer Lenovo is shipping certain versions of its consumer laptops with the ironically named software “Superfish Visual Discovery” preinstalled at the factory, and that this software has capabilities far beyond the simple “adware” that you may have (unfortunately) come to expect from some manufacturers out there.

This spyware (we’ll discuss my use of that term in a second) has been shipping with Lenovo laptops for some time, in fact back in January a Social Media Program Manager at Lenovo confirmed that Lenovo was putting a “temporary” hold on shipping this spyware, due to “some issues”. Of course that doesn’t stop units already in the distribution chain from shipping pre-compromised.

What does Superfish do that is SO worrying?

Among it’s bag of usual adware type tricks, Superfish also installs its own self-signed Root Certificate Authority. In layman’s terms this means that Superfish can generate any certificate it wants, which will be trusted by your browser as entirely legitimate, allowing it to impersonate any destination on the internet. These sites are normally protected by strong encryption for your security,  and usually only the other party in the conversation, your bank, facebook, your email account or an online store for example, is able decrypt this privileged content.

By generating self-signed certificates, Superfish is able to perform a Man-in-the-Middle attack, masquerading as any of these secure destinations, and intercepting otherwise privileged communications. All this without ringing a single visual (or other) alarm bell on your PC or in your browser because it is acting as a “trusted” root certificate authority. Worse still, the certificate they install uses SHA-1 (deprecated since 2011) and 1024 bit RSA keys (outdated since 2013), and it uses the same Root CA private key on *every* Lenovo laptop opening up the possibility of attacks against the certificate itself for widespread criminal abuse.

Images are already cropping up on Twitter showing the potential implications of this functionality.

Worse still it seems that a simple removal of Superfish does not remove this associated root certificate, leaving the computer open to further compromise such as eavesdropping or phishing, though misuse or misappropriation of the certificate’s private key.

Affected users will need to first manually remove the Superfish application and subsequently to revoke and remove the Superfish root certificate, Here is a list of root certificates that are necessary for Windows and a link to certificate removal instructions.

Longer term, I believe manufacturers should be obliged to offer the option of buying all PCs as a bare-metal option i.e. with no operating system pre-installed. Not only would this reduce cost to the user, it would also increase freedom of choice of Operating System and hand full control back to the owner of the device.